I implemented an application a few years ago using both Kerberos functions and GSSAPI to authenticate to a Kerberos server, but when I look back at the code, it always takes time to understand what those calls do (I think I need to put comments on my comments).
What is the best way to understand how Kerberos works and how to effecti...
Hello,
I am trying to understand Gmail's authentication mechanism. I know it uses HTTPS for transporting the user credentials during login and then the rest of the communication happens over HTTP. How is this achieved? Is some kind of key exchanged during the initial session over HTTPS and used in subsequent requests? If yes, isn't some...
Duplicate of:
What common web exploits should I know about?
This is a security question.
What should I look for in a URL that prevents hacking?
Is there a way to execute JavaScript by passing it inside a URL?
As you can see I'm pretty new to this concept.
Any good posts on this stuff?
...
I'm writing a PHP script to grab text box data from a submitted form. These are simple text boxes and I don't want to accept any HTML tags. I think I should at least use strip_tags() and addslashes(). Anything else? I wouldn't mind restricting the input to alphanumerics, should I use a regular expression to seek out nonstandard characte...
I'm trying to set up Hudson in an environment where all the users use certificates. I looked around the archives here, on Nabble, and on Google, but if this is documented somewhere, I think I'm missing it. I'm sure part of the answer to this will be related to Hudson, and some will be specific to my servlet container.
Under Security, I...
Hi all,
Been reading up on various injection-type attacks, and it seems like the best way to get rid of these vulnerabilities is to encode all user input to remove / replace some characters with others (< > ; etc).
What's my best bet here? Are there any nice libraries out there to aid me with this? Or something that could help me spot...
I'm interested to know what methods people use to secure their web services from unauthorized web service consumers.
...
Given a domain, is it possible for an attacker to discover one or many of the pages/resources that exist under that domain? And what could an attacker do/use to discover resources in a domain?
I have never seen the issue addressed in any security material (because it's a solved problem?) so I'm interested in ideas, theories, best-guess...
The man page did not clearly specify this. But looking at OpenSSL's apps implementations, SSL_CTX_use_PrivateKey* calls are usually made after SSL_CTX_use_certificate_file succeeded. I assume this is mostly used at the server side.
I recently confused the above function with SSL_CTX_load_verify_locations wherein you could specify a CA c...
I'm writing a system where, as usual, the client is asking for a convenience "remember your credit card details" option.
I've told them that this is in all likelihood a no-go. However, I did have a good idea (tm) just now, and seeing that Good Ideas in Encryption(tm) are actually Bad Ideas (tm), I thought I'd put it up for review here a...
Is there an easy way or online tool for checking a site's SSL vulnerability issues?
From the PCI standards I see that a site has to force SSLv3 or TLSv1 protocols and high security encryption algorithms. And I need to check if my site is compliant with those PCI DSS standards.
...
Lots of sites appear to support https but don't use secure cookies. I want to make my site use secure cookies but to allow for some content to be accessed using http instead.
A sensible way to do this appears to be to have a secure cookie for the real session, and a non-secure cookie which is just a flag to say if the user is logged in...
We are using MediaWiki in-house for our software and hardware documentation. It looks like granting / revoking "read access" to parts of the documentation for our external users - customers, project partners - is not easy to achieve. How could we control read access to some areas of the documentation based on user or role access rights?
...
Might be the same issue as this previous question: WCF Proxy but not sure...
I have an HTTPS service configured to use transport security and, I hope, Windows credentials. The service is only accessed internally (i.e. within the intranet). The configuration is as follows:
<configuration>
<system.serviceModel>
<services>
...
On my Apache 2.x server at home, I have a number of virtual directories. I've set up my router so that I can access Apache from the internet. I need to keep one of those virtual dirs (/private) from being accessed outside my home network LAN. So given /private, how do I configure Apache to only serve requests to /private from 192.168...
Hello,
We have a DLL that is a plug-in for an ASP.NET shopping cart software that customers can purchase. However, we want to lock that DLL to a particular domain for security reasons and we don't want them to be able to read that DLL or use that DLL in another domain they may have. How can we do this?
...
This question has always troubled me.
On Linux, when asked for a password, if your input is the correct one, it checks right away, with almost no delay. But, on the other hand, if you type the wrong password, it takes longer to check. Why is that?
I observed this in all Linux distributions I've ever tried.
...
I'm building an app that will store some of our clients' details, things like usernames / passwords, information that we need to remember and keep secure.
What's the best method for storing this information securely?
...
Hello.
I have a couple of questions regarding security mechanisms in ASP.NET (2.0).
I have always been using Forms authentication + Page.User for validating permissions.
Now I need to send some data from client-side JavaScript (jQuery) to a WCF service.
Will my IPrincipal be still accessible from HttpContext of WCF service (I'm hosti...
I understand the need for putting a web server in a DMZ and blocking inbound traffic to all ports except 80 and 443. I can also see why you should probably also block most outbound traffic in case the server is compromised.
But is it necessary to block outbound HTTP traffic over port 80? If so, why? A lot of web applications these days ...