I come from a C/C++ background and now do a lot of C# stuff.
Lately I have become interested in doing some projects in Java since playing around with the Android SDK.
I know that Java apps run in a sandbox that can limit their access to the system.
In a desktop/server application environment what kind of things are restricted?
...
I have a flash file developed with Flex/ActionScript and put it on www.domainA.com
How can I prevent others from downloading my flash (*.swf) and embedding it in another web site (e.g. www.domainX.com)?
I can hard-code it by checking whether "loaderinfo.url" is the same as www.domainA.com, but that does not seem a clever solution.
Can policy file be us...
I have a Greasemonkey userscript which runs most of its code in an unprivileged context by inserting a <script> tag like so:
function code() {
// ... (body of the userscript that runs in the page context)
}
// Inject the function as an inline script so it runs in the page's
// unprivileged JavaScript context rather than the Greasemonkey sandbox.
var script = document.createElement("script");
script.type = "application/javascript";
script.innerHTML = "(" + code + ")();";
document.body.appendChild(script);
This avoids the need to ...
All of the examples I have seen end up converting a SecureString back to a standard string before using it, defeating the object. What's a good way of using a secure string without this problem?
I know I can marshal the SecureString to a BSTR, but what can I do with this BSTR? Can I get the characters back one at a time? If so, how?
...
Hi guys,
How can you test HTTP header injection in your application?
Actually, I want to see what the difference is in my application before and after adding enableheader=false in the config.
Can somebody help me with that?
Framework .NET 2.0
Language C#
Platform: windows XP
...
Is there a sensible setup for private feeds (rss or atom) with some sort of security and authentication?
The application in question creates "private news" with sensitive information for each user, and the request is to present this news via feeds. Only the user may gain access to and read his news, and he should be able to subscribe to it.
...
In the MVC way of doing things, where is the best place to run, for example htmlspecialchars() on any input? Should it happen in the view (it sort of makes sense to do it here, as I should be dealing with the raw input throughout the controller and model?)
I'm not quite sure... What are benefits of doing it in the view or controller? Th...
We have a kerberos domain at my company and I'm running a few of the Java/Kerberos examples. The question I have is around the login mechanism from the server's perspective. When running the server example GssServer.java, I need to get a javax.security.auth.Subject; in the supplied code this is via a LoginContext thus:
// Create a Login...
I need to rollout an application in appliance form factor and have been asked to design a CLI as exposing BASH is problematic from a simplicity/usability perspective. I would like to understand the best practices for CLI development around:
Security
Configuration backup and restore
Making it work not only via IP but also serial port
Cr...
I have a mostly desktop programming background. In my spare time I dabble in web development, page faulting my way from problem to solution with some success. I have reached the point where I need to allow site logins and collect some data from a community of users (that is the plan, anyway).
So, I realize there is a whole world of nefa...
I'm working in the Codeigniter framework, and want to send requests to my controller/model that have several variables involved. Is there a difference between passing those variables via a hidden form (i.e. using "post") as opposed to passing them through URIs (e.g. 'travel/$month/$day/')? What about security concerns?
e.g.
URIs:
http:...
I have a client program that talks to a web server through an SSL connection (https). How safe is this connection? I bought an SSL certificate and installed it on my web server, so my understanding is that even if someone attempts a man-in-the-middle attack between my client and my server, they would not have the certificate? Is this true?
So for...
If I choose the lots-of-files tactic, do I end up with a directory traversal security problem?
I need to write a login system, and the lots-of-files tactic means making lots of id files and using scandir.
So the directory would have
aaa.txt (contents is aaa_pass)
bbb.txt (contents is bbb_pass)
ccc.txt (contents is ccc_pass)
and when some...
I have the following form:
http://fuzzysiberians.com/app4.cfm
when there is no social security number, my error message is being displayed after each text field. Is there a way to group these error messages so that there will be 3 text boxes next to each other and then display only one error message?
...
So you don't have programming privileges on a SharePoint Server but you can use SharePoint Designer. You create lists and you need to separate field permissions. You need fields that all can fill out and fields for administrators to fill out. How do you accomplish this without code?
...
Hi,
I need to store a user's password for a short period of time in memory. How can I do so yet not have such information accidentally disclosed in coredumps or tracebacks? Is there a way to mark a value as "sensitive", so it's not saved anywhere by a debugger?
...
I have an application that uses a SQL Server application role on the database side. During one of the application’s processes, I need it to reindex a table, however, I run into problems because apparently the application role doesn’t have permissions to run the DBCC DBREINDEX command. Do you know of a way to enable that?
Here’s the erro...
I would like to transfer user name and password information from one process to another process running on the same server in Windows. What is the best approach to achieve this transfer in a secure way? One simple approach is to copy the passwords to a file and then have the other process read from a file and then delete the file once it...
Swing's JPasswordField has the getPassword() method that returns a char array. My understanding of this is that the array can be zeroed immediately after use so that you do not have sensitive things hanging around in memory for long. The old way to retrieve the password was to use getText(), which returns a String object, but it has been...
Has anybody ever created any class consisting of functions to deal with web security vulnerabilities?
I do know that we can avoid some by adding config settings like validaterequest and enableheader.
...