security

What's the size of an ASP.NET 3.5 session ID?

Is it 32-bit, 64-bit, 128-bit or bigger? ...

Is SecureString secure?

Is there any guidance on actually using the SecureString in a secure manner? I don't see there being any way to even create the secure string in the first place, as you are going to need it to be typed in from a textbox at some point. ...

Accessing private static methods from a public static context

Consider this sample class, class TargetClass { private static String SENSITIVE_DATA = "sw0rdfish"; private static String getSensitiveData() { return SENSITIVE_DATA; } } When I do this, import java.lang.reflect.Method; public class ClassPiercing { public static void main(String... args) throws Exception { ...
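An added example, not the poster's code, showing what the question's ClassPiercing class is about: the private modifier is enforced by the compiler and by the reflection access check, and the latter can be switched off by the caller. It assumes both classes are compiled together onto the classpath (the unnamed module); the class and value shapes mirror the question, and "sw0rdfish" is a constructed sample.

```java
import java.lang.reflect.Method;

// Same shape as the TargetClass in the question above; the value is a constructed sample.
class TargetClass {
    private static String SENSITIVE_DATA = "sw0rdfish";

    private static String getSensitiveData() {
        return SENSITIVE_DATA;
    }
}

public class ClassPiercingDemo {

    // Reflection still enforces the language access check until it is suppressed:
    // invoking a private method of another class this way throws IllegalAccessException.
    static String callWithAccessCheck() throws Exception {
        Method m = TargetClass.class.getDeclaredMethod("getSensitiveData");
        try {
            return (String) m.invoke(null);          // static method, so no receiver object
        } catch (IllegalAccessException e) {
            return "denied: " + e.getClass().getSimpleName();
        }
    }

    // setAccessible(true) suppresses the check. For a class on the classpath (unnamed
    // module) this always succeeds; for a class in a named module whose package is not
    // opened to the caller, Java 9+ throws InaccessibleObjectException at this line.
    static String callWithoutAccessCheck() throws Exception {
        Method m = TargetClass.class.getDeclaredMethod("getSensitiveData");
        m.setAccessible(true);
        return (String) m.invoke(null);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(callWithAccessCheck());
        System.out.println(callWithoutAccessCheck());
    }
}
```

The second call returns the secret, and getDeclaredField("SENSITIVE_DATA") would expose it just as easily. The practical point is that a private static field offers no protection against other code running in the same JVM; what stands between it and a caller is only the module system (Java 9+) or, on releases that still support one, a SecurityManager that denies ReflectPermission("suppressAccessChecks"), which is the permission setAccessible(true) checks for.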

Why do people post their captchas publicly? Captcha: somerandomword

I'm implementing a website with a CAPTCHA on the registration form; my first. I've read dozens of posts on the arguments for and against, and of all the various implementations out there. I'm happy with all that but it's a necessary evil in my case. What I don't understand is why people post the random captcha characters in their posts,...

Security Application Block in ASP.NET Application

I'm considering using the Microsoft Security Application Block in my ASP.NET application but am struggling to find any real world examples. Could anyone point me towards some real life examples, proofs of concepts and so on. ...

controllable memory swapping in Java?

Is it possible to prevent Java from swapping out certain objects? This would be relevant if I cache a password inside a client application for subsequent logins into a remote service or for decrypting data from the local disk. Unless the user encrypts his swap space, the password would appear as clear text in the swap space. I...

Access denied when trying to copy file Windows Vista

I have a batch file that the user has to execute, which copies a simple XML file. Everything works fine on Windows 2000/XP. However, on Windows Vista I get an error 'Access Denied'. Even when I try to copy the file just using Windows Explorer on Vista I get the same error. Is there anything I can do to make...

read client certificate from httprequest C#

I am trying to read an X509 certificate using Request.ClientCertificate but nothing is returned. The certificate is definitely being attached to the request because I can get the certificate information from the page sending the request. I have tried reading the certificate from several different places but cannot seem to get it to work...

Loading a keystore without checking its integrity

This question is in the specific context of the Java class java.security.KeyStore and its load(InputStream stream, char[] password) method which can accept null values for password to bypass integrity checking. What are the risks involved with loading and querying a keystore without checking its integrity? The keystore will be queried ...
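An added example, not from the original question, of the load(stream, null) behaviour it describes: a JCEKS keystore is built in memory, one byte of the serialized form is edited, and the edited copy is loaded both without and with the store password. The alias, key bytes and passwords are constructed sample values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class KeyStoreIntegrityDemo {

    // Build a small JCEKS keystore in memory holding one secret-key entry.
    // The key bytes are a constructed sample, not a real key.
    static byte[] buildStore(char[] storePassword, char[] keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                                   // start with an empty store
        SecretKey key = new SecretKeySpec(new byte[16], "AES");
        ks.setKeyEntry("secret", key, keyPassword, null);      // entry is sealed under keyPassword
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePassword);                          // appends the keyed SHA-1 integrity hash
        return out.toByteArray();
    }

    // Simulate an attacker with write access to the file: flip one bit inside the
    // alias "secret", which sits in the clear in the entry header, so it reads "recret".
    static byte[] tamper(byte[] store) {
        byte[] copy = store.clone();
        int idx = indexOf(copy, "secret".getBytes(StandardCharsets.US_ASCII));
        copy[idx] ^= 0x01;
        return copy;
    }

    // load(stream, null): the file is parsed but the integrity hash is never verified,
    // so the edited alias is accepted silently.
    static String loadWithoutIntegrityCheck(byte[] store) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(store), null);
        return Collections.list(ks.aliases()).toString();
    }

    // load(stream, password): the hash is recomputed over the bytes read and compared
    // with the stored one; a mismatch surfaces as an IOException.
    static String loadWithIntegrityCheck(byte[] store, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try {
            ks.load(new ByteArrayInputStream(store), storePassword);
            return Collections.list(ks.aliases()).toString();
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // First occurrence of needle in haystack; the alias in the header precedes any
    // serialized entry data, so the first hit is the one we want.
    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        throw new IllegalStateException("alias not found in serialized keystore");
    }

    public static void main(String[] args) throws Exception {
        char[] storePassword = "store-pass".toCharArray();   // constructed sample passwords
        char[] keyPassword = "key-pass".toCharArray();
        byte[] original = buildStore(storePassword, keyPassword);
        byte[] edited = tamper(original);

        System.out.println("intact, unchecked: " + loadWithoutIntegrityCheck(original));
        System.out.println("edited, unchecked: " + loadWithoutIntegrityCheck(edited));
        System.out.println("edited, checked:   " + loadWithIntegrityCheck(edited, storePassword));
    }
}
```

The unchecked load of the edited file simply reports the altered alias; only the password-checked load rejects it. The same applies to the case that matters most in practice: trusted-certificate entries in JKS and JCEKS are not encrypted, so a trust store whose CA certificate has been swapped loads cleanly with a null password. Two caveats belong with that: the integrity check is a keyed hash, not a signature, so anyone who knows the store password can re-hash a modified file, and a null password never weakens the per-entry protection, which still requires the key password in getKey().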

Is protecting a website directory with a .htaccess file secure?

I was wondering if protecting a web directory with an .htaccess file (with the .htpasswd file outside the public apache webroot) is a secure way to protect a directory (and its contents). Could someone explain the Do's and Don'ts of this kind of protection? ...

Is EnableHeaderChecking=true enough to prevent Http Header Injection attacks?

Is it sufficient to have System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking set to true (default) to fully prevent Http Header Injection attacks like Response Splitting etc.? I'm asking because a white box penetration testing tool (fortify) reports exploitable http header injection issues with HttpResponse.Redirect and coo...

Memcpy() in secure programming?

I recently stumbled across an article that claims Microsoft is banning the memcpy() function in its secure programming shops. I understand the vulnerabilities inherent in the function, but is it necessary to ban its use entirely? Should programs I write be avoiding memcpy() entirely, or just ensuring that it's used safely? What alternat...

Using PowerShell and WMI to read Security log

Hi, I'm building a script to read the Security Log from several computers. I can read the Security log from my local machine with no problem when using the Get-EventLog command, but the problem with it is that I can't run it against a remote machine (the script is for powershell v1). The command below never returns any results, although ...

Security risk when storing private data

I have to handle some sensitive data in my application, such as passwords, credit card information, etc. What are possible security risks I could have and how can I avoid them? ...

How to make sure about the ip of the visitor?

I have a blog aggregation website; the stories are ordered by the number of visits. I think I am facing a spam of visits, because some blogs' stories receive a lot of visits in the same second from different IP addresses. My website does not allow visits from the same IP; however, my visitors are somehow changing their IPs. Is there any soluti...

Good Way to Secure File Uploads in PHP

Writing a small app that (among other things) lets users upload a file (like an image, a .doc or a text file) as part of their posting/submission. Our current prototype just dumps the file into /{app_root}/files/, but of course, anyone can get to that even if they are not logged in or using the system. The goal is to only grant access ...

How do I make it difficult for users to save mp3 files from my site to their hard drives?

I want users to be able to upload mp3s and also be able to play them through a player embedded on a page. I know it's impossible to stop dedicated users from copying the audio by directly recording it from the computers output but I want to make it difficult or impossible for a user to just copy a URL and paste it which will allow them d...

What security practices should I implement for my gambling website?

Is it enough to use secure coding practices such as the OWASP Top Ten? What techniques should I use to detect tampering? ...

Does open-source gambling software exist, and should it?

Is there such a thing as open source gambling software? Would making the source code transparent help increase security over the long haul? ...

Do you know of any open source fileupload servlets that are integrated with the ICAP protocol?

Do you know of any open source fileupload servlets that are integrated with the ICAP protocol? I believe it is important to virus scan user uploaded files prior to writing to disk and would like to leverage this method. ...