security

Shredding files in .NET

Is there an SDK that can be used in managed code to shred files securely? EDIT: This is the only link I could find on Google that helps me. EDIT: Either an SDK or some kind of COM-based component. ...

.NET Code Access Security: Useful or just overcomplicated?

see also Is “Code Access Security” of any real world use? I want to get some other opinions on this... I like the idea of Code Access Security for desktop applications. But in the lifetime of .NET I have to admit I've never actually had a situation where CAS has actually blocked something to my benefit. I have, however, had many...

Is it dangerous to view an access log without sanitizing it via a web browser?

Is it dangerous to view an access log without sanitizing it via a web browser? I am considering recording an access log, and I am considering viewing it via a web browser, but if an attacker modifies his remote host or user agent or something, can he attack me by inserting attack code into his remote host or user agent, etc.? So do I ne...

Setting Secure cookies when HTTPS (for mixed HTTPS/HTTP site) with JRun/ColdFusion

We have a site running on CF7 that has both logged in and logged out sections, and uses jsessionid for sessions. When switching to HTTPS (for the secure sections), we need to start a new secure session, setting the 'Secure' flag on the jsessionid cookie. Whilst JRun has an option for setting 'Secure' it appears to be an all-or-nothing ...

WinForms WebBrowser fails on Vista.

I have a simple WinForms app, just one window with one WebBrowser control inside. On Vista this fails to show the date but works OK on XP? The website runs ActiveX to show the date. namespace WindowsFormsBrowserTest { public partial class Form1 : Form { public Form1() { InitializeComponent(); ...

How do I make my application Integrated Loginable?

Hi there, I am always doing the following login module: 1. Create a table with username and password. 2. Log in by checking the user table. So how do I use integrated login, just like an application such as SQL Server does? I don't mean by passing a connection string; I mean it will check the credentials of my application without putting any user...

Ajax Security Question: jQuery ajax() + PHP scandir() = Security Issue??

I'm a beginner with PHP security issues. Someone reported a security issue with my code but never gave details. Below is a condensed version of the code. I'm using the jQuery AJAX function to send some data to the server, where it's used by the PHP scandir() function. Do you see any security issues? HTML Document <script src="h...

ASP.Net 1.1 Viewstate Security

In ASP.Net 1.1, is it possible for the end user to change the viewdata before it's sent back to the server to, for instance, make it look like an item is selected in a dropdown that does not exist? I've tried manipulating the values in the dropdown using Firebug, but the server seems to ignore that, I'm presuming because the viewstate says t...

regex and $_GET

I'm making a little site for a friend, noob-friendly, so she can add pages easily. I think I'm just gonna include everything in index.php, so she can just drop a page in a folder named /pages/ and it's done. index.php if (preg_match('/[a-zA-Z]/', $_GET['page'])){ $page = 'pages/'.$_GET['page'].'.php'; if ($page) { include $page; } else ...

Does read-only file system access guarantee write access?

Hello, I am developing a web application and I am wondering: if someone has full read-only access to my filesystem, can this person (assuming that he is aware of everything necessary) have write access to the system? For example, if you have a PHP script that outputs the contents of any file on the server, will someone really be able ...

Where in the call stack should role checks be done?

In my typical app, the user clicks a button in an aspx page, invokes a C# business object, then runs a stored procedure. Should role checks be done at the top of the stack, the bottom of the stack or at every level? It seems that if a malicious user can invoke one method, he could invoke any, so for effective security, you'd need a ...

What is the best way to encrypt a text file in C/C++?

A C/C++ based cgi web application will be creating a temporary text file on the server as long as the user is logged in. The text file will be deleted when the user logs off. I want to encrypt this text file and also the content of the file. The file will contain information like username and password. What is the best way to do this? ...

Securing a WCF service so that it can only be called by a Silverlight application

I am writing a Silverlight application that will be both reading and writing data to a serverside database via some WCF web services. What is the best way to secure these web services? My goal is to make sure the services can't be called by other applications and potentially spammed with requests to add items to the database. Only the ...

Beginner RegEx Question - PHP RegEx to allow only relative paths (not URLs)

Does anyone know a PHP RegEx to allow only relative paths, not absolute? For example, I have an AJAX function that submits this value to my PHP script "some-directory/another-directory/some-file.php". My PHP script then includes that file.... include($some-php-document); I don't want a hacker to be able to use my AJAX function to subm...
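The three PHP questions above (the scandir() call fed from jQuery, the `preg_match('/[a-zA-Z]/', $_GET['page'])` include, and the relative-path include) are the same problem: a user-supplied string becomes a filesystem path. The following is an added example, not code from any of the questions or their answers. It puts the original letter-only check next to an anchored allowlist and a realpath() confinement; the pages directory layout, the `.php` suffix being appended by the script, and the probe inputs are assumptions of the example.

```php
<?php
// Added example, not code from any of the questions above. Demonstrates
// why "does it contain a letter?" is not a path check and what a confined
// include looks like. The pages directory layout is assumed.

declare(strict_types=1);

// The check from the "regex and $_GET" question: accepts any value that
// contains at least one letter, so "../../etc/passwd" passes.
function looksLikePageOriginal(string $page): bool
{
    return preg_match('/[a-zA-Z]/', $page) === 1;
}

// Hardened: anchored allowlist. Segments of [a-z0-9_-] separated by single
// slashes (so "some-directory/some-file" is allowed, as the relative-path
// question wants), no dots anywhere, bounded length.
function looksLikePageHardened(string $page): bool
{
    return strlen($page) <= 128
        && preg_match('~\A[a-z0-9_-]+(?:/[a-z0-9_-]+)*\z~i', $page) === 1;
}

// Defence in depth: resolve the final path and require it to stay inside
// $pagesDir. realpath() collapses "..", follows symlinks and returns false
// for non-existent files, so only real files under the base are returned.
// The same confinement applies to a directory name handed to scandir().
function resolvePageFile(string $pagesDir, string $page): ?string
{
    if (!looksLikePageHardened($page)) {
        return null;
    }
    $base   = realpath($pagesDir);
    $target = realpath($pagesDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $target === false) {
        return null;
    }
    // Prefix check with the separator appended: "/srv/pages2/x.php" must
    // not pass for base "/srv/pages".
    return strpos($target, $base . DIRECTORY_SEPARATOR) === 0 ? $target : null;
}

// Constructed probes: run from the command line to compare the two checks.
$probes = ['about', 'docs/getting-started', '../../etc/passwd', 'a/../../config', 'http://evil.example/shell'];
foreach ($probes as $p) {
    printf("%-28s original=%-6s hardened=%s\n", $p,
        looksLikePageOriginal($p) ? 'accept' : 'reject',
        looksLikePageHardened($p) ? 'accept' : 'reject');
}

// In index.php (assumes __DIR__ . '/pages' exists):
// $file = resolvePageFile(__DIR__ . '/pages', $_GET['page'] ?? '');
// if ($file === null) { http_response_code(404); exit; }
// include $file;
```

The regex alone is the real fix: it rejects `.`, so `..` traversal and `.php`/`.htaccess` tricks cannot appear in the value, and it rejects `:` and `\`, so `http://` wrappers and Windows paths are out. The realpath() check is the backstop for the day someone loosens the regex; note that it only works for files that exist, which is what an include wants anyway.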

Overwriting the Array constructor does not affect [], right?

I just read this: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx I was under the impression that overwriting Object or Array only had an effect if you chose to use the constructor functions when creating arrays/objects, but, according to that article, it also has an effect on literal creation ({} and [...

Best way to store password in database

I am working on a project that has to have authentication (user name/pass). It also connects to a database, so I figured I would store the user name and password there, but it seems like not such a good idea to have passwords as just a text field in a table sitting on the DB. I'm using C# and connecting to a 2008 Express server. Can anyon...
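The question above is really about storing a verifier rather than the password. The following is an added example, not the asker's code, and it is in PHP rather than the asker's C# so that it matches the other examples on this page; the technique (a salted, deliberately slow hash, verified by re-hashing the candidate) is the same one the .NET side gets from a PBKDF2 implementation such as Rfc2898DeriveBytes. The `$users` array standing in for the database table and the sample credentials are constructed for the example.

```php
<?php
// Added example, not the asker's code, and in PHP rather than the asker's
// C#: the technique is the same. Store a salted, deliberately slow hash,
// never the password itself; verify by re-hashing the candidate. The
// $users array stands in for the database table.

declare(strict_types=1);

// Registration: the returned string embeds algorithm, cost and a random
// per-user salt, so one column holds everything needed to verify later.
function storePassword(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: password_verify compares in constant time. Unknown users are
// verified against a throwaway hash so the response time does not reveal
// which usernames exist.
function checkLogin(array &$users, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    if (!isset($users[$username])) {
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    // Transparent upgrade when PASSWORD_DEFAULT's cost or algorithm moves on:
    // we have the plaintext at this moment, so re-hash and store it.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed run: register one user, then try a correct password, a wrong
// password and a username that does not exist.
$users = [];
storePassword($users, 'alice', 'correct horse battery staple');
var_dump($users['alice']);   // the stored hash string, not the password
var_dump(checkLogin($users, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($users, 'alice', 'wrong'));
var_dump(checkLogin($users, 'mallory', 'correct horse battery staple'));
```

Two things the example deliberately does not do: it never compares hashes with `==` (password_verify handles that, in constant time), and it never builds its own salt or picks a fast digest such as MD5 or SHA-1. The column in the table just needs to be wide enough for the hash string (255 characters leaves room for future algorithms).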

What encryption algorithm is best for encrypting session file on the server?

Possible Duplicate: What is the best way to encrypt a text file in C/C++? It may sound weird but there is a C++ web application (CGI). Every new request creates a new process. So in order to maintain session a text file will be created on the server which will contain info like sessionid, username, password, timestamp etc. This ...

How to sanitize user input in PHP before mailing?

I have a simple PHP mailer script that takes values from a form submitted via POST and mails them to me: <?php $to = "[email protected]"; $name = $_POST['name']; $message = $_POST['message']; $email = $_POST['email']; $body = "Person $name submitted a message: $message"; $subject = "A message has been submitted"; $headers = 'From: ' ....
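The line that matters in the script above is `$headers = 'From: ' . $_POST['email']`: whatever the visitor types goes straight into the header block, so a value containing a line break adds headers of the attacker's choosing (typically Bcc: to a spam list). The following is an added example, not the asker's script or an answer from the page. It validates the address with filter_var(), strips line breaks from any free-text value that reaches a header, and keeps the visitor's address out of From:; the addresses, the sending address and the hostile submission are constructed.

```php
<?php
// Added example, not the asker's mailer. Shows the header-injection sink
// in  $headers = 'From: ' . $_POST['email']  and a sanitized rewrite.
// All addresses are constructed placeholders.

declare(strict_types=1);

// Returns the address or null. FILTER_VALIDATE_EMAIL rejects anything
// containing whitespace or CR/LF, so "x@a.net\r\nBcc: ..." cannot reach
// the header block.
function cleanEmail(string $raw): ?string
{
    $raw = trim($raw);
    if (strlen($raw) > 254) {
        return null;
    }
    $ok = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// For free-text values that end up in a header (here the Subject): strip
// CR, LF and NUL so the value cannot terminate the line and start a new header.
function headerSafe(string $raw, int $max = 100): string
{
    return substr(str_replace(["\r", "\n", "\0"], '', $raw), 0, $max);
}

// Builds the arguments for mail() or returns null when the submission is rejected.
function buildMail(array $post, string $to): ?array
{
    $email = cleanEmail((string)($post['email'] ?? ''));
    if ($email === null) {
        return null;
    }
    $name    = headerSafe((string)($post['name'] ?? ''));
    $message = (string)($post['message'] ?? '');

    // Send from your own address and put the visitor in Reply-To: a forged
    // From: fails SPF/DMARC at the receiving side and is the injection point.
    $headers = "From: webform@example.com\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8";

    return [
        'to'      => $to,
        'subject' => 'Message from ' . $name,
        'body'    => "Person $name <$email> submitted a message:\n\n" . $message,
        'headers' => $headers,
    ];
}

// Constructed hostile submission: a Bcc header smuggled through both fields.
$hostile = [
    'name'    => "Mallory\r\nBcc: everyone@example.net",
    'email'   => "mallory@example.net\r\nBcc: spam-target@example.org",
    'message' => 'hello',
];
var_dump(buildMail($hostile, 'me@example.com'));

$benign = ['name' => 'Alice', 'email' => 'alice@example.net', 'message' => 'hello'];
$m = buildMail($benign, 'me@example.com');
var_dump($m);
// mail($m['to'], $m['subject'], $m['body'], $m['headers']);
```

The body needs no such treatment because line breaks in the body are just line breaks; only values that land in the header block (and the subject, which is a header) have to be single-line. Rejecting the whole submission on a bad address, rather than trying to repair it, is the simpler and safer choice for a contact form.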

Requiring unique email addresses while protecting the privacy of your users?

I setup my website to require unique email addresses (no two users can have the same email address), but I realized that this could allow someone to check if a person is registered on my website by attempting to signup with that email. Granted that this person would have to know the email address they wanted to try, but it could be usefu...

Switching between HTTP or HTTPS (based on parent directory)

I have a directory for the members area. All the files within that directory should be treated by HTTPS. All other files outside the specific dir should be treated by HTTP. How can I automate the redirecting from HTTP to HTTPS and vice versa? Btw, the links are relative. ...