security

Where should restricting IP address be handled?

We run a reverse proxy in front of our application tier and I'm wondering where the "best practice" place for handling the IP restriction is. Currently, we use the application security to restrict access to specific resources by IP address but this has caused some issues when we moved to running behind a reverse proxy. It's quite easy t...

Session security and ASP.NET Ajax

I'm starting to use ASP.NET Ajax. Following Eric Pascarello's recommendations, I always operate under the assumption that anything can come from the client side (including fake requests). One matter which I have a hard time accounting for is user authentication. Since we use .NET's built-in session state management mechanism, I'm a ...

Does a ClickOnce Application deploy to a FDCC locked down computer?

Howdy, We are looking to publish a ClickOnce application to a large Active Directory network which has to abide by the FDCC (Federal Desktop Core Configuration) which is an OMB-mandated security configuration. Does anyone have experience with this security configuration and ClickOnce applications? The application requires the ability t...

Is using Kerberos to authenticate to web sites and web services a good idea?

Through acquisition we have a number of products that require authentication and authorisation. The products include web sites and client side applications, the client side applications use some web services. We are a .Net shop and servers will be running Server 2008, clients will be running XP SP?? and later. Users of the products are ...

Security error in cross domain iframe

Hi All, I have a click tracker for a client. The tracker is nothing but a javascript snippet which writes an iframe (a different domain) into the page. If I have a normal iframe I am able to track clicks more accurately (I compare the data from another tracking solution) than when the iframe is secure (the site is accessed over ssl). Wh...

Remotely create network shares

I am trying to figure out how to accomplish the following task: Create a network share on a remote computer using .NET The target computer is on the same network. The target computer's admin username and password are known. Your thoughts? How would you go about to accomplish this? ...

What's the best way to encrypt short strings in .NET?

My boss wants me to encrypt some information used during data transfer. The individual strings to be encrypted are between eight and twenty characters long. A single password must be used to encrypt and decrypt so I need a symmetric algorithm. I don't want to roll my own - I want to use one built into .NET from C#. So, which algorithm i...

Windows Media Center Application and UAC

I'm currently trying to write a Windows Media Center Application (Vista) that can restart a service with UAC enabled. Everything works fine when UAC is disabled but as soon as UAC is enabled I get an Access is Denied error. I believe this is because the Windows Media Center applications are running under the Windows Media Center process ...

Man in Middle attack - Can such an attack occur if symmetric keys are used?

If we consider a Man In the Middle attack, can such an attack occur if symmetric keys are used? ...

How can you prevent Man in the Browser attacks?

Been reading up on MitB attacks and some things worry me about this. From WIKI: The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. One of the most effective methods in combating a MitB attack is through an Out-of-Ba...

Call another AP with UI in NT server

I have an NT server application running in the background on Windows Vista, and I want the server to launch Notepad.exe when the server receives a specific command, BUT it doesn't work. I have tried the shellexec, winexec and createprocess functions; all failed. Notepad always runs on the server desktop, Vista will show a message to ask me t...

Ensure a user-defined path is safe in PHP

I am implementing a simple directory listing script in PHP. I want to ensure that the passed path is safe before opening directory handles and echoing the results willy-nilly. $f = $_GET["f"]; if(! $f) { $f = "/"; } // make sure $f is safe $farr = explode("/",$f); $unsafe = false; foreach($farr as $farre) { // protect against d...

How to secure AJAX request in ASP.NET?

I am developing an application in which I am displaying products in a grid. In the grid there is a column which has a disable/enable icon, and on click of that icon I am firing a request through AJAX to my page manageProduct.aspx for enabling/disabling that particular product. In my ajax request I am passing productID as a parameter, so t...

How to ensure access to my web service from my code only?

I am writing a very simple web service for my iPhone app. Let's say this is a http page that returns a random number at http://mysite/getRand. How do I ensure that this page can only be accessed from my iPhone app and not from other clients? I've thought of doing some simple password mechanism but that can easily be sniffed by capturing ...

How can I prevent bulk vulnerability scanning without using a CAPTCHA component?

How can I prevent forms from being scanned with massive vulnerability scanners like XSSME, SQLinjectMe (those two are free Firefox add-ons), Accunetix Web Scanner and others? These "web vulnerability scanners" work by catching a copy of a form with all its fields and sending thousands of tests in minutes, introducing all kind o...

Is aspnetdb.mdf ever meant to be used in a production online web application?

Is the generated aspnetdb.mdf ever meant to be used online? It has been a while since I looked at it, but from what I remember the generated username database could only be configured and maintained locally within your visual studio environment. Is this still true? Does anyone use this online for big apps? EDIT: I ask because all th...

Is there a standard asp.net authentication authorization login system?

Besides what comes with 2.0 (the generated aspnetdb.mdf), is there a standard login authorization authentication system for asp.net Internet websites? One that can plug into a website. ...

Socket connection to originating server of an unsigned Java applet

I have read everywhere that unsigned Java applets are not allowed to make network connections to any server but the one which originated the applet. This is OK for my application since my applet only needs to talk to the server. However, when I wrote a test applet to try opening a socket to communicate with a process on my development ma...

How do I prevent users from sharing the same account? (ASP.NET MVC)

Hi, I have a subscription based website (with a monthly fee) and I would like to prevent users from sharing accounts in order to avoid paying the monthly fee. Is there a way this can be done? Cheers, Mike ...

Why is java secure coding important?

I'm having trouble understanding why java secure coding is important. For example, why is it important to declare variables private? I mean I get that it will make it impossible to access those variables from outside the class, but I could simply decompile the class to get the value. Similarly, defining a class as final will make it impo...