I'm thinking about creating an application for the iPhone and Android that will need to access a common backend to retrieve account information. Can both access a web service over https? What other way would allow me to have one interface to the backend that is accessible by both? ...
I need to prevent the characters that cause vulnerablities in the url My sample url http://localhost/add.aspx?id=4;req=4 Please give the list of characters that I need block. I am using ASP.net web page. I am binding the information from sql server database. I just want to list the characters to stay away from Hackers to enter unwant...
I'm currently researching methods for storing user roles and permissions for .NET based projects. Some of these projects are web based, some are not. I'm currently struggling to find the best method to achieve what I'm looking for in a consistent, portable way across project types. Where I'm at, we're looking to leverage Active Director...
I'm writing a small program (a twitter client) in Java, aimed at Mac OS X. As part of its functionality, it needs to have a place to store the twitter username/password. The natural place would be the mac keychain, but I can't find any way of accessing it. Is there any way of accessing the mac keychain from Java, or failing that, what i...
I'm looking at generating pseudo-random one-time-passwords that are time sensitive. To send a message, the user enters their password which gets hashed together with the message. The resultant hash is sent with the message to the server for verification. The server performs the same hash and compares its value to the one provided. ve...
I am trying to execut a script from shared folder that I trust: powershell -file "\\server\scripts\my.ps1" But get security warning, and have to press 'R' Security Warning Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run \s...
How do you store a password entered by the user in memory and erase it securely after it is no longer need? To elaborate, currently we have the following code: username = raw_input('User name: ') password = getpass.getpass() mail = imaplib.IMAP4(MAIL_HOST) mail.login(username, password) After calling the login method, what do we need...
I'm developing a system that allows developers to upload custom groovy scripts and freemarker templates. I can provide a certain level of security at a very high level with the default Java security infrastructure - i.e. prevent code from accessing the filesystem or network, however I have a need to restrict access to specific methods. ...
Hi I have to do some secure communication between a windows service and an asp.net website. In the asp.net website I am generating a key pair, sending my public key to my windows service and then receiving the encrypted message from my service and decrypting with asp.net. The first problem is this.. The user profile is not created in a...
I just read this article on tdwtf.com. Generally, it describes an archiving bot destroying things because it ignores headers. I then realized that I don't know how to do security in a page WITHOUT headers. Therefore my question is: What security measures can i take besides using headers? I develop mostly in php, so I'm familiar with he...
I'm a full time software developer, but on the side I'm teaching a university course on web services. I'm going over security right now and was wondering if any of you all have had any security breaches that you could tell about (details obscured as needed) that I could share with my students. Real life stories are a lot more meaningfu...
I have a C# application the performs some runtime compilation of source files containing calculations into dynamic assemblies. Obviously this presents a serious security issue. From the following 'formula', the code below would be generated, and a dynamic assembly created: Formula: Int32 _index = value.LastIndexOf('.'); String _retVal...
I'm trying to implement manual self-signed SSL certificate validation to a WinINet client. I tried to approach it by calling InternetQueryOption with INTERNET_OPTION_SECURITY_CERTIFICATE or INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT parameters, but both return some internal interpretation of server's certificate, none allows accessing ...
There's a comment in another question that says the following: "When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such as mysql_real_escape_string." Source So, what i want to ask is: Why...
I am displaying the session id in the asp page. But it is vulnerable. How can I show the session id by encoding or some other way. I cant avoid displaying session id in web screen ...
I have an applet which have to read a file from server. But I receive the following exception java.security.AccessControlException: access denied (java.io.FilePermission \kb1.xml read) at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.Secu...
Hello, I've got google conversion tracking code (small bit of javascript) on a confirmation page on my site which is displayed after user completes a transaction. It is displayed on my wordpay callback page which is pulling data from the regular site (http) to the worldpay site (https) so IE 7/8 asks "do you want to display non-secure...
4060 "Server rejected the connection; Access to selected database has been denied". How can I troubleshoot this error? ...
I have 2 ssh servers behind a nat firewall at a location that changes its wan IP every day. They are always at the same wan IP address on a given time but on different ports. I am connecting to server A this way: ssh -p 22001 [email protected] and to server B: ssh -p 22002 [email protected] So I get 2 different host keys for t...
I'm not even sure if this is possible, but is it feasible to secure, end-to-end runtime data on an uncontrolled client? Specifically, is there any functionality in Java to take in encrypted data, process it and send it back out encrypted, all without exposing the data in plaintext to a curious 3rd party that has full access to the clien...