security

MQSeries API/Channel Exits

I am looking for sample code that will encrypt/decrypt the message while in the store. I will be using SSL for the transport. ...

Minimum-trust AppDomain cross-calling methods in a full trust AppDomain

I have a minimum-trust AppDomain that is calling (across a remoting boundary) methods in a full trust assembly in a full trust AppDomain. However, I am getting lots of security exceptions when making these method calls. It would appear that the minimum-trust 'sandbox' is propagating up the stack its minimal security privileges onto the f...

Flash cs4 local security sandbox

I'm testing a flash script that calls a JavaScript function (both the swf and the HTML file are local). The flash movie is not allowed to access the HTML file that contains the JS function. I've learned that I have to put both files into a security sandbox, so I added the path to both files (HTML+swf) to a file test.cfg in C:\WINDOWS\s...

PHP Username Password Solution

I am working on my first PHP based website, and I was wondering what solutions were out there for a username/password system? I have tried using a .htaccess file for basic security, and while it works, I want something a little easier for a layman to administer. Are there any other solutions out there that I could try? I don't have a dat...

How do I handle POST->Session->page? ASP.NET

I have the user submit a form and if my spam filter catches it I redirect() the user into a captcha page to make sure it isn't a bot (reCaptcha appears not to be broken yet). My question is how do I handle going back to the original page? I was thinking I could generate a random number (check if there is a current session tag with that ...

Request for the permission of type 'System.Security.Permissions.FileIOPermission.. failed

I am getting this error when calling a web service method which writes to a file on the local drive on Windows 2003. "System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed." I have done thes...

Are these random numbers 'safe'?

I'm not asking if these are truly random. I just wanted to know if two users hit a page at the same time, can they get the same random number? I'm thinking if I run this on a multicore server will I generate the same random number a good amount of the time due to syncing or whatever other reasons? public static class SBackend { stati...

SSL authentication by comparing certificate fingerprint?

Question for all the SSL experts out there: We have an embedded device with a little web server on it, and we can install our own SSL self-signed certificates on it. The client is written in .NET (but that doesn't matter so much). How can I authenticate the device in .NET? Is it enough to compare the fingerprint of the certificate aga...

What characters have to be escaped to prevent (My)SQL injections?

Hi, I'm using MySQL API's function mysql_real_escape_string(). Based on the documentation, it escapes the following characters: \0 \n \r \ ' " \Z. Now, I looked into OWASP.org's ESAPI security library and in the Python port it had the following code (http://code.google.com/p/owasp-esapi-python/source/browse/esapi/codecs/mysql.py): ...

Why is Chrome reporting a secure / non-secure warning when no other browsers are?

When I go to our web site through HTTPS mode, Chrome is reporting an error saying that the page contains secure and not secure items. However, I used Firebug, Fiddler, and HttpDebuggerPro, all of which are telling me that everything is going through HTTPS. Is this a bug in Chrome? Sorry but I'm unable to give out the actual URL. ...

Active Directory and PrincipalPermission

This is more of a curiosity than a request for help, but I noticed that when using PrincipalPermission and verifying a user is part of a specific group in Active Directory it will not use the true group name but instead validates against the pre-Windows 2000 group name instead. Ordinarily this wouldn't make a difference - unless someone ...

Getting/setting security attributes of files on a network share

I am able to get/set security attributes (group, owner, DACL, SACL) of files on a NTFS volume by using the GetSecurityInfo/SetSecurityInfo API. The handles I pass to these APIs must be opened with specific access rights (READ_CONTROL, ACCESS_SYSTEM_SECURITY, WRITE_DAC, WRITE_OWNER) which require certain privileges (SE_SECURITY, SE_BACKUP...

authentication token is encrypted but not signed - weakness?

Through the years I've come across this scenario more than once. You have a bunch of user-related data that you want to send from one application to another. The second application is expected to "trust" this "token" and use the data within it. A timestamp is included in the token to prevent a theft/re-use attack. For whatever reason (le...

Isolate a specific thread to run in medium trust

I'm writing a .net win app that loads foreign assemblies and executes third party scripts. I am looking for a way to sanitize the code executed by the foreign script, and only allow the third party scripts access to a defined set of websites. Creating a PermissionSet with its state set to none, and then adding the desired websites, and s...

Safe Dynamic Include

I've been using this PHP dynamic include code on my site. But I think it's not safe; how can I write safer and better code to replace this: $page = (empty($_GET['page'])) ? '' : $_GET['page'].".html"; if (empty($page)) { $page = 'index.html'; } else { $page = $page; } include($page); Thank you very much ...

Where can I find resources about SharePoint best coding security practices?

Where can I find resources about best practices for SharePoint programming? I am talking about CODING against SharePoint and NOT administration and deployment ...

In .NET/C# test if user is an administrative user

Is there a canonical way to test to see if a user has administrative privileges on a machine? I'm going to be starting a long running process, and much later in the process' lifetime it's going to attempt some things that require admin privileges. I'd like to be able to test up front if the user has those rights rather than later on....

How can I forms authenticate a user in a custom webservice?

I am working on integrating a Silverlight site into our existing application and am trying to get the login functionality working. The Silverlight application needs to have its own login page, and the login needs to utilize the existing ASP.NET forms authentication. As part of the login procedure, we are calling some external code, so...

ELMAH: ASP.NET security

Hey all! I have an ASP.NET 3.5 application which is using the Visual Studio Development Server. I set ELMAH up, and it is working fine. I set up the AXD "file" and XML files (using XML as the storage medium) to be in a folder under the root: v3/elmah/ Now, I'd like to have it so that when elmah or elmah/elmah.axd (or anything in this ...

Tomcat security constraint for valid user

I'm trying to protect a resource in tomcat so that only "valid users" (those with a valid login and password in the realm) can access it. They do not necessarily belong to a group in the realm. I have tried with many combinations of the <security-constraint> directive without success. Any ideas? ...