security

Secure XML Parsers

In typical Java applications, the XML parser is XALAN/XERCES, but they were not written with security in mind. I am curious to know if there are parsers that are more robust when it comes to security. ...

Rewriting Binary Streams using Java

I have been studying Netty and Mina but am confused as to the best way to rewrite binary streams. For example, I would like to create a proxy that will allow for replacement of XML and forward along. Examples appreciated. ...

What's the correct response to unauthorized HTTP request?

I am writing a web application and I am not sure what the correct response to an unauthorized request is. For the user it is convenient when the server responds with 302 and redirects him to the login page. However, somewhere deep inside I feel that 401 is more correct. I am also a little afraid that the 302 could be misinterpreted by search engines. So how do...

Network share access problem migrating asp.net web site from 2000 to xp

I realize this is somewhat similar to other questions here, but I've been through everything I can find, and still haven't gotten anywhere. It's very humbling. I have a small asp.net web site that we use internally for some simple logs, like a timesheet and a support log. These use Access databases on a network share (using domain use...

Problem viewing sites with SSL certs

I am managing a number of websites that use SSL certificates and have had a few complaints from individuals that are not able to view some of these sites in secure mode. The problem persists regardless of browser or version that is used, does not affect viewing in non-secure mode, and only occurs with a few of the secure sites, not all....

Are there any security vulnerabilities in this PHP registration code?

Can you experts give me some thoughts on this code? Some security hole I have missed? Can you see any potential threats? Something I can do better? I'm still learning :) Thanks <?php if (isset($_POST['username'])) { $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $pa...

On Windows, who is in the Everyone and Authenticated Users groups?

My application uses a Named Pipe to do IPC. What access control should I place on it, to provide broad local only access? The pipe is created by the .net 2.0 remoting protocol, and it already has an ACL for the 'NETWORK' group to deny all access, so I think only local users can access it. In my remoting configuration file I need to pick...

Create a Survey in SharePoint 2007 where external users can submit but....

I have a task to make a survey to be displayed in SharePoint 2007 to external users for them to fill out and submit, but not be able to view the submitted results (so they don't see what others have entered). This survey will be for outside vendors to my company to submit information about them for our records. I am open to any suggest...

Is an LSA MSV1_0 subauthentication package needed for some impersonation use cases?

Greetings, I'm working with a vendor who has implemented some code that uses a Windows LSA MSV1_0 subauthentication package (MSDN info if you're interested: http://msdn.microsoft.com/en-us/library/aa374786(VS.85).aspx ) and I'm trying to figure out if it's necessary. As far as I can tell, the subauthentication routine and filter allow ...

How do I bypass a same origin policy violation for one local file to another?

I'm trying to semi-recreate Mozilla's demo usage of JavaScript + <video> + <canvas> with files that aren't hosted on a server. Loading my document causes the error console to report this error: Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:...

Encrypting multiple config sections in one command

Hi guys, I need to know whether there is any way to provide multiple sections in one command. aspnet_regiis -pe "connectionStrings" "appSettings" -app "/abc" As I have 3 config files, if the above is not possible then I need to write that command 6 times. ...

Opening a password-protected website from servlet

Hi All, the scenario is that the intended user will access the servlet (e.g. http://someip/myservlet), which in turn authenticates to a password-protected website (e.g. mysite.com, which is hosted on an IIS server with Use Windows authentication enabled) implicitly and then opens that mysite.com, so that target users will not get a prompt for usernam...

Wpf + Winforms WebBrowser security in Vista

I have a simple WPF app that browses to a web cam. Same issue for the WinForms app. This works great on XP but fails on Vista? Looks like IE is doing some sandboxing on Vista. With Vista the request to install the ActiveX happens every time, but not on XP. Anyone know why or how to make it work? Here is the WPF code. <Window x:Class="W...

Storing Password Reset Questions in LDAP

I want to store answers to password reset questions in LDAP. I know that the answers should be hashed with a salt. I would like insight into the following: What attributeClass should we use? Is it possible to get the LDAP server to perform the hashing operations? Is there a way to use the LDAP compare operation if the container doesn't...

What is the most secure python "password" encryption

Hi, I am making a little webgame that has tasks and solutions. The solutions are solved by entering a code given to the user after completion of a task. To have some security (against cheating) I don't want to store the codes generated by the game in plain text. But since I need to be able to give a player the code when he has accomplished t...

Redirect problems on PHP Web site

I created a simple PHP site for a friend last year. I went to check out the site yesterday and when the main page loads up, my AV software (Avira Antivir) raises an alarm about a JS/Redirector.A malware infection. The message seems to indicate that one of the CSS files is infected. I'm obviously going to go through all the code on the s...

Communication Between MS 2003 CA Server and Client - Non-Active Directory Environment: Design Query

Hello, I have a scenario where the CA and its clients are not in an Active Directory environment (win2003 enterprise). They are located physically apart (different places). For example: If the domain name is 'ExampleBank.org', the CA name is 'ca.ExampleBank.org'. CA type is Enterprise Root CA (online) [windows 2003 enterprise ser...

securely send data from one site to another?

I am going to post some data from one website to another website. I need a way for the receiving website to be sure that the data was sent from the sending website and not sent by some other malicious user. I am using PHP4. How can I do this? Thanks! ...

ASP.NET Authentication and Security with Session

I'm building an intranet ASP.net web application that unfortunately cannot use the built-in membership features because all the users and logins are stored on the company database. It will use Windows authentication and match against this. I'm planning to have my own "users" table in a separate database that will handle access privileg...

Securing ELMAH while yet making it possible to access it via RSS Reader

We use ELMAH error exception logging in our application. I'd like to keep ELMAH secure from regular users while still making it available to administrators/developers of the application. When you set security with forms authentication in the web.config you then lose the ability to access the RSS feed. I'd like to be able to secure EL...