I am looking to improve the accessibility of a site for very young children. As their keyboard skills are quite poor, we get a lot of complaints that entering passwords without being able to see the characters is too hard for them.
I wouldn't like to have a password completely unmasked but I was thinking of maybe using the cell phone sty...
I have to run a command line operation from some legacy ASP application.
Here is my code:
<%
cmd = "%comspec% /c echo Hello"
set wsh = CreateObject("WScript.Shell")
ireturn = wsh.Run(cmd, 0, true)
set wsh = nothing
%>
And here is the result I am receiving:
Microsoft VBScript runtime error
'800a0046'
Permissi...
I'm using Rails 2.0.5 with cookie session.
But cookie session has a serious problem with the possibility of replay attacks.
How do I prevent replay attacks with cookie store?
I am hoping for a Rails 2.0 plugin or concrete example source code.
Could you help me?
more information
...
I've got this code on my page:
header("Location: $page");
$page is passed to the script as a GET variable, do I need any security? (if so what)
I was going to just use addslashes() but that would stuff up the URL...
...
I'm allowing authenticated users to upload image files with my PHP application. Assume I've built in the necessary security to make sure the file itself is valid, is there a possibility of the http transmitted file to be intercepted in some way? If so, how can I protect the transmission of the file? Would HTTPS be the way to go?
Also, ...
I have a j2ee web app that is using JAAS form based authentication. However, due to some unusual requirements, I cannot have the user enter their username and password directly into the logon.jsp form and have them submit it. Instead, I must gather the data on a separate page, and then later redirect to logon.jsp to log them in.
What I ...
In a couple of my tables in my SQL Server 2005 database all of my data has been erased. Is there any way to get a log in SQL Server of all the statements that have run in the past day? I am trying to find out if someone did this on accident, there is a vulnerability in my web app, or the actual DB has been compromised.
...
I have a set of Win32 applications that share information using a shared memory segment created with CreateFileMapping() and MapViewOfFile(). One of the applications is a system service; the remainder are started by the logged-in user. On Windows XP, there was no problem. We named our segments “Global\Something” and all was well.
The a...
I have a web application on an IBM WAS server (Windows).
In the WAS app users are able to browse files on a different server. This functionality connects to a web service in order to retrieve a listing of files from a network path.
The web service is built with .net and resides on a separate server which is in the same domain as the f...
I'm not actually writing this software myself, but it occurred to me that I have no idea how to solve the problem. As the best way to explain the problem, I'll describe a specific scenario from a hypothetical multi-player first-person shooter game...
Player A is hiding in some bushes facing west
Player B is sneaking up on player A from...
How would you secure access to the admin area for a web app?
Our Rails CMS serves pages publicly. I would like to make the backend (/admin) inaccessible using either the webserver (apache) or firewall (netfilter).
Could this be done using an SSL certificate? I would like to limit access to the backend to only those who have the "key"...
I'm programming a community website.
I want to build a "forgot my password" feature.
Looking around at different sites, I've found they employ one of three options:
send the user an email with a link to a unique, hidden URL that allows him to change his password (Gmail and Amazon)
send the user an email with a new, randomly generated...
We're currently developing an entirely AJAX based app that will interact with the server via a RESTful API. I've considered potential schemes to protect against XSRF attacks against the API.
User authenticates and receives a session cookie, which is also double-submitted with each request.
We implement an OAuth consumer in Javascript,...
Hello,
I have an MFC app which is wizard based. The App asks a user a variable number of questions which are then written to an INI file which is later encrypted when the user clicks Finish.
All the INI file parsers I have seen so far read or write to a physical file on disk. I don't want to do this as the INI file contains con...
I was looking at the livehttpheaders plugin for Firefox and decided to test my login page. I noticed that the parameters shown inside of it contain my login and password. For example:
username=sarmenhb&password=thepassword&submit=Login
in plain English.
I do not see this on other sites.
What can I be doing wrong? I see this as a se...
Possible Duplicates:
What are the security concerns I need to consider while coding?
What should a developer know before building a public web site?
If you're not able to or just plain aren't going to use SSL then you should:
Not be transmitting sensitive information.
Using SSL does not make your website totally secure (man-...
I was listening to the Stack Overflow podcast (I think it was episode 52). Jeff was talking about how they came up with some type of authorization mechanism where they were encrypting credentials in the cookie they sent to the client. Apparently someone Jeff knows was able to find a hole in this and was able to log in with anyone's ID that he wan...
I'm testing my application under the user Guest. It crashes with the following error.
'UnauthorizedAccessException' - 'Global.net clr networking'
Now, I know I can edit the security policy on the machine to allow CLR code running under guest to be trusted, but what should one do on a commercial app?
(Sign, and add CAS attributes?)
I'm...
Hello
I have a program that uses schannel.dll to make an SSL connection to a remote server. But I'd like to disconnect from the server often and reconnect without the need to renegotiate the shared key again. I know that SSL supports this, but I don't know how to do it with SChannel.
Can you help me?
Here are some links that can help:
Creating a ...
I see the guidance when using formsAuthentication in ASP.NET is to use SSL via the requireSSL property.
I was under the impression that the contents of the cookie are encrypted. So I'm trying to grasp why SSL is required as well?
...