security

How to secure a webservice in .net?

Hi everyone, I have written a simple .NET web service, which will be hosted on a different server, maybe on a different continent. I don't really know. Now, I only have its URL and I tried to use the WebRequest and WebResponse methods to access that web service via HTTP POST. Now, I want to know is there any way to secure the web service access...

How to store passwords *correctly*?

An article that I stumbled upon here on SO provided links to other articles which in turn provided links to even more articles etc. And in the end I was left completely stumped - so what is the best way to store passwords in the DB? From what I can put together you should: Use a long (at least 128 fully random bits) salt, which is sto...
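As an added illustration of the practice the question above lists (this is example code, not part of the original post or any linked article): a salted, iterated hash stored together with its parameters, and a constant-time verifier. The 16-byte salt is the "at least 128 fully random bits"; the iteration count and record format are assumptions chosen for the example. Python is used here because the advice is language-neutral.

```python
import hashlib
import hmac
import os
from typing import Optional

# 16 bytes = 128 fully random bits of salt, drawn from the OS CSPRNG.
SALT_BYTES = 16
# Iteration count is an assumption for illustration; raise it for production hardware.
ITERATIONS = 100_000
ALGO = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt means two users with the same password get different
    records, and the iteration count is stored so it can be raised later
    without invalidating records already in the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algo = scheme[len("pbkdf2_"):]
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        # Malformed record: treat as a failed login rather than raising.
        return False
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("Tr0ub4dor&3", record))
```

Only the record string is stored; the plaintext password never is. Because the parameters travel with the record, a later migration to a higher iteration count (or another KDF) can re-hash each user on their next successful login.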

Can a username and password be sent safely over HTTPS via URL parameters?

A colleague and I had a heated debate yesterday whether it is safe to send login credentials via URL parameters as a means of authentication. He correctly pointed out that HTTPS encrypts all non-hostname/port characters in a URL before sending a request to the server side. However, I still think there are edge cases here where it is po...

Do Perl CGI programs have a buffer overflow or script vulnerability for HTML contact forms?

Greetings all, My hosting company says it is possible to fill an HTML form text input field with just the right amount of garbage bytes to cause a buffer overflow/resource problem when used with Apache/HTTP POST to a CGI-Bin Perl script (such as NMS FormMail). They say a core dump occurs at which point an arbitrary script (stored as p...

What security issues appear when users can upload their own files?

I was wondering what security issues appear when the end user of a website can upload files to the server. For instance if my website allows the users to upload a profile picture, and one user uploads something harmful instead, what could happen? What kind of security should I set up to prevent attacks like this? I'm talking here about...

What is SAML?

I saw an interesting blank page today titled "saml post profile intersite transit." What is SAML? What was it created for? What is it commonly used for? What was the page I mentioned above all about? What functions does it provide that it's rarely used for but are otherwise interesting? Is there something better or other technology tha...

Security considerations for intranet developer making public facing website?

I have a lot of experience writing internal Intranet applications, but very little when it comes to writing public facing web applications where it is likely that a certain percentage of people will try and be malicious. The app is written with MVC.net, JQuery and Subsonic. What steps can I take to protect my application, to make it rea...

What's the difference between Request.Security.Tokens and Request.Security.Elements in WSE 3?

So I'm trying to get a WSE 2.0 SP3 client to work with a WSE 3.0 server. I'm running into an issue with this line of code on the client: transaction.RequestSoapContext.Security.Elements.Add(new MessageSignature(token)); I'm wondering how important is this line if the client is already using the following line of code: transaction.Req...

Provide assembly with full trust in SharePoint by custom policy level not working

Hello All, I'm building a couple of usercontrols. These usercontrols will be hosted within the return of the smartpart. The problem I'm facing is that my assembly that goes with them is not properly provided with sufficient rights. To achieve this you've (basically) got three options: 1. set the site to full trust level (do not want t...

How to improve protection on a MS Access MDB besides password protection?

Hi guys, I have an Access MDB which is password protected, but that can be easily cracked by a free tool found on Google within like 1 second. Besides paying for some expensive tools, is there a good way to protect an MS Access database file? I'm thinking of encrypting it and then using a DLL to decrypt it, get some data, and pass it to a th...

How to check if the user is already logged in or not using Cookie?

Hi All, I want to know how I can detect whether the user is already logged in or not using a cookie. I am not using any log-in control. I have a db which checks the ID and PWD. Also please let me know if it can be done without using cookies. Any code or links will help. web.config: <authentication mode="Forms"> <forms name="myForm" loginUr...

Website security pitfalls and what can I do in ASP.NET MVC to avoid/mitigate them?

I've just started working on implementing my first public-facing website. Since I'm new to this, I think if a list of common pitfalls, what they are, and how to avoid them is warranted. I'm looking for things like: SQL injection (I know this one, but if anyone knows of tools to analyse a website for injection vulnerabilities, that'd b...

C# Asp.Net 2.0 - How do I check a password against an active directory password?

I'm rewriting an internal application, which currently uses its own username/password combination. People are forever forgetting it, or not changing their password from the default, so I want to use single sign on and make use of our domain. I am using .Net2.0 and I cannot find any ways of doing this outside of 3.5. How can I get the lo...

Monitor folder permissions

Anyone know how we can monitor file/folder permissions on Windows? Suppose a user changes the folder permissions; the application should log the user, timing and other details. If anyone knows a third-party tool/script for the same, please suggest. -Thanks ...

How do I change my asp.net membership database from express to standard sql?

I am building an ASP.NET 3.5 (C#) application and I plan to use the membership and roles security. I want to set this up on my SQL Server 2008 standard edition and not the default express setting. How would I go about this? ...

WPF to WCF Permission issue

I have created a WPF browser application that I wish to connect to a WCF service. The service is in the same solution as the WPF application. It is the default service that Visual Studio creates with a method called GetData (int) I am attempting to call this service with the following code: var client = new Service1.Service1Client();...

How can you prevent bogus high scores from appearing on a global high score list?

Suppose you are designing a PC game that keeps track of high scores. In addition to keeping local scores, a global high score server is set up that is accessed by the game over the internet. Players should be able to submit their high scores to the global high score list right after they have completed a game, or later, from their local ...

ADFS and ASP.NET

Hello, just looking for clarification on the above topics. There are a number of domains with their own AD. The domain where my ASP.NET application is running hosts the ADFS server (the root domain). There are TRUSTs established between each domain and the root domain. Then there shouldn't be a problem? I don't use Forms authentication...

Federated security scenario with HTTPS

I'm planning to build a set of web services which are going to use geneva-based custom STS to authenticate users. Both STS and relying services will belong to the same party, so the whole goal of going to federated security is providing Single Sign-On point and retrieving all the authorization information only once. Both STS and relying ...

Generating cryptographically secure authentication tokens

Background: This is really a general best-practices question, but some background about the specific situation might be helpful: We are developing a "connected" application for the iPhone. It will communicate with the backend application via REST services. In order to not have to prompt the user for a username and password every time...
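As an added example for the question above (example code, not part of the original post or the app it describes): issuing a bearer token from the OS CSPRNG, persisting only a hash of it so a database leak does not yield usable tokens, and enforcing expiry and revocation on lookup. The 256-bit token size, the 30-day lifetime and the in-memory store are assumptions standing in for whatever the REST backend actually uses; Python is used to keep the example language-neutral.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32                      # 256 bits of entropy per token
TOKEN_TTL_SECONDS = 30 * 24 * 3600    # assumed lifetime; shorter is safer


def _fingerprint(token: str) -> str:
    """The only form of the token ever written to storage."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class TokenStore:
    """Maps sha256(token) -> (user, expiry). Stands in for a database table."""
    _records: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Mint a token for `user` and return it to the client exactly once."""
        now = time.time() if now is None else now
        # secrets.token_urlsafe draws from os.urandom, not random.random().
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._records[_fingerprint(token)] = (user, now + TOKEN_TTL_SECONDS)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user the token belongs to, or None if unknown or expired."""
        now = time.time() if now is None else now
        record = self._records.get(_fingerprint(token))
        if record is None:
            return None
        user, expiry = record
        if now >= expiry:
            # Expired tokens are purged so they cannot accumulate.
            del self._records[_fingerprint(token)]
            return None
        return user

    def revoke(self, token: str) -> bool:
        """Server-side logout; returns whether anything was revoked."""
        return self._records.pop(_fingerprint(token), None) is not None

    def revoke_all(self, user: str) -> int:
        """Invalidate every device for a user, e.g. after a password change."""
        doomed = [fp for fp, (u, _) in self._records.items() if u == user]
        for fp in doomed:
            del self._records[fp]
        return len(doomed)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("alice")
    print("token for client:", tok)
    print("lookup:", store.lookup(tok))
    print("revoked:", store.revoke(tok), "lookup after revoke:", store.lookup(tok))
```

The token itself carries no user data and needs no signing: its security rests entirely on being unguessable and on the server-side record, so a leaked table of fingerprints is useless without the originals. Because lookup is by the hash of a high-entropy value, a plain dictionary (or an indexed database column) is sufficient; constant-time comparison only matters when comparing the token string itself.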