Hi,
I want to prevent users from signing up with a password = login for security reasons. I tried something like this:
validates_each :password do |record, attr, value|
  if(value == self.login)
    record.errors.add(attr)
  end
end
But I always get the following error: undefined method login for self. It has something to d...
Assume I have a form with some disabled checkboxes because the user, as logged in, shouldn't be able to check them. Where should I add some sanitization security to make sure they didn't hack the checkbox and cause a postback?
In the page?
Database layer?
In the database?
I realize it's most likely a pretty broad question.
thanks,
Mark...
I understand the general idea of how vulnerabilities are exploited. Buffer overflows and stuff like that, but I guess I don't REALLY get it.
Are there useful sources of information that explain this area well? Maybe case studies about how particular vulnerabilities were exploited?
Even more interesting would be how projects you have ...
From a usability perspective, is it better to integrate admin section on the main website or have a separate section to manage content?
Any thoughts are greatly appreciated.
EDIT: the application is a CMS for very non-techno friendly staff.
...
I have a number of services that will be running under the security context of NT Authority\System as a Windows service (the services are NetTCP-based). There are six groups stored in Active Directory that will be allowed to access these services:
Users
Agents
Approvers
Administrators (three levels of admins)
I know I can get the user ...
I'm currently investigating alternative solutions to the standard page authorization configuration in asp.net.
The location tag works ok if you have directories of files that need the same access policy but if you have lots of individual access policies the location tag is a pain. I could roll my own custom auth system but if it can be ...
Please help me understand how the process goes. I understand that web browsers contain root certificates for certificate authorities (CAs) like VeriSign, Entrust, Comodo, etc., but what exactly happens when a user accesses a secure page? Does the web browser send a request to the server of the CA to verify the certificate, or does it just use...
Is a php/mysql web application secure in a password protected folder on a (reputable) hosted server?
Thanks for any insight you can provide!
...
Update: I've found the Spring 2.x annotation-based Controllers are horrible for AOP security because you can't make assumptions about the method prototype due to the increased freedom in params and return values. Before 2.x you could intercept handleRequest and know the first param was an HttpServletRequest and the return value was a Mod...
In every large application there is an ADMIN section.
In such cases, when not using ZF, I usually put all the admin stuff in a separate directory with extra security measures (like adding .htaccess based authentication and/or a second login etc). This also makes it pretty obvious in the file tree what file is what.
How can I achieve the...
What is the correct way to call unmanaged code such as a COM API through .Net interop from a code that is being executed in a partially trusted environment?
While developing an ASP.Net WebPart for Microsoft SharePoint I had to communicate with another system through its COM API. I solved this issue temporarily by changing SharePoint's p...
In my online store, users are allowed to change certain properties of their orders (e.g., their billing address), but not others (e.g., the origination ip address). Administrators, on the other hand, are allowed to modify all order properties.
Given this, how can I use :attr_accessible to properly secure my Order model? Or will I have ...
Every time I work on a project involving passwords or securing data I get mired down into obscenely complex APIs and issues. I have not had much formal training in developing secure applications but I have not had much formal training in database, GUI, and build processes either. Many other areas of programming...
I have a couple of NSString objects that represent an RSA public-private keypair (not generated by SecKeyCreatePair, but by an external crypto library). How can I create SecKeyRef objects (which are required for the SecKeyDecrypt/Encrypt methods) from these NSString objects?
Do I need to import them into the Keychain first? If so, how?
...
On the current website I'm working on, I've got a directory of files for users to download which would be really nice to have some security method other than obscurity ;)
I was wondering if there's any way to supply login information via PHP to htaccess as though a user were entering it.
Alternately, if anyone knows a better way to sec...
I want to make a web service that runs other people's code locally...
Naturally, I want to limit their code's access to a certain "sandbox" directory, and make sure that they won't be able to connect to other parts of my server (DB, main webserver, etc.)
What's the best way to do it?
Run VMware/Virtualbox:
(+) I guess it's as secure as it gets.. even if ...
Hi, I am trying to learn how to secure a web form. Take a simple example, a contact form, name, phone, email. I found this:
Secure Email Techniques
But I don't know if it is the correct way to go. It is not shared hosting, if it matters, and I have full access to everything. I am tied to IIS 6 and Windows 2000 at the moment, so I w...
I have never developed an application outside my company's system, where we just rely on Windows authentication from our domain, but I want to learn how to develop a secure application that I can connect to a remote database.
I know it is easier if I use ASP .Net because the data connections will be on server side, but I want to have a ...
How secure are popular open source web frameworks?
I am particularly interested in popular frameworks like Rails and Django.
If I am building a site which is going to do heavy e-commerce, is it OK to use frameworks like Django and Satchmo?
Is security compromised because of their open architecture?
I know being OS does not mean being...
For example I've often wanted to search stackoverflow with
SELECT whatever FROM questions WHERE
views * N + votes * M > answers AND NOT(answered) ORDER BY views;
or something like that.
Is there any reasonable way to allow users to use SQL as a search/filter language?
I see a few problems with it:
Accessing/changing stuff (a c...