I have downloaded a web project from CodePlex and am getting the following error in Application_Start:
System.Security.SecurityException:
That assembly does not allow partially trusted callers.
This project references several other assemblies from other open source projects. My theory is that one of these does not have the AllowP...
There is a very particular edge case in cross-domain policies regarding the window.top.Location object...
Let's say I have IFrame A, in domain www.xxx.com, living inside a page in domain www.aaa.com.
The page inside the IFrame can:
Compare window.top.location to window.location (to detect whether it's being framed)
Call window.top...
What are the security topics that you should always include when writing a proposal for a website implementation?
...
I am very new to SSL and want to install SSL for my application on GlassFish. I tried to find some tutorials which can teach me from the basics, but was unable to find any elaborate solution.
1) Like how to generate a self-signed certificate for the SSL?
2) How to configure this certificate with my application?
3) How to configure only LOGIN ...
Hi everyone,
I've got a web application with an SQL injection as part of an INSERT statement; it looks like this:
INSERT INTO table1 VALUES ('str1', 1, 'INJECTION HERE')
I can insert the regular multiple-query injections such as ');truncate table1;-- but due to the fact that Java+MySQL is used it does not allow stacking multiple queri...
Hi world,
I'm going to integrate a license key generator in my web site, so that it can automatically generate license keys when a PayPal notification (IPN) occurs... but my question is: what is the best way to protect the PHP file (that contains the method used to generate the key) and the private (a .pem file)?
Thanks in adva...
I have some IO code that reads a stream within a try..catch. It catches IOException and calls System.Runtime.InteropServices.Marshal.GetHRForException()
within the catch, in an attempt to take different actions based on the HResult. Something like this:
try
{
stream.Read(...);
}
catch (IOException ioexc1)
{
uint hr = (uint) Mar...
I am currently developing a Silverlight 3 app that needs some sort of user authentication, because the data pulled from a WCF service is user specific. Target audience is the regular Internet - so there is no AD to authenticate against.
Here are some of the questions I have concerning that situation:
Is there a framework or other mech...
I came across something in one of my Rails books that said I should set
ServerSignature Off
ServerTokens Prod
to disable Apache from showing server information in production when the app screws up. Is this necessary? The only error message I see in prod is the standard Rails production error message. I never see any server informat...
Hi,
I was wondering if you could protect xml files through forms authentication in ASP.NET 3.5.
I have some license keys that are found online, but you shouldn't be able to download them unless you are logged on.
For aspx pages this works automatically but not for xml files.
...
How do I determine and force users to view my website using HTTPS only? I know it can be done through IIS, but want to know how it's done programmatically.
...
Say a user registers for your site; you hash the password they have chosen, then use that hash as a salt and rehash their password with that salt.
Example:
String hash1 = MD5(password);
String endHash = MD5(hash1 + password);
then store endHash in your database. Would this be effective against rainbow table attacks if my database was com...
Many Rails apps use the CookieStore method of storing sessions. The security of this method depends mainly on the security of the session secret key which is defined by default in config/environment.rb:
config.action_controller.session = {
:session_key => '_some_name_session',
:secret => 'long secret key'
}
Most people i...
I have an ASP.NET MVC application that runs in both IIS 6 and 7. The application requires special rights and needs to run in an application pool with special users that are part of some specific groups. The application also stores a lot of settings in a couple of XML files. These files are stored under the "Application Data" special fold...
I'm working on a web application where - believe it or not - the users aren't required to provide their email address to sign up. These requirements cannot change. The users will log in to the system with an id and password just like any standard web site. The problem I'm facing has to do with users that have forgotten their password...
I have read about session fixation and from what I understand it forces a user to use an attacker's session. Is this correct? Can you give me an example of how this could offend the user?
...
I recently just started my first gig as a professional programmer as part of a small development team. At my work developers have two machines, a "web machine" for internet access and a "dev machine" for programming tasks. Our dev machines are completely sandboxed to the point of not even having CD drive access.
At first this was not a...
I've been wondering about this for a while after reading through an interesting article a while ago (probably old news for some of you here) about a technique which one could use to introduce intrinsically hidden backdoors in compilers (article here). Another interesting article: (Did NSA Put a Secret Backdoor in New Encryption Standard?...
Hi,
I'm currently developing a small business database application for which we plan to move towards multi-user access in the near future.
The database mainly contains projects (in a project table) with a couple of joined tables containing additional information.
One requirement of our customers regarding multi-user operations will be a f...
Hmm. Instead of "defanging" input or using some kind of regex to remove tags, how safe is it to dump user stuff into a <textarea>?
For example, say there's a PHP page that does the following:
echo '<textarea>';
echo $_GET['whuh_you_say'] ;
echo '</textarea>';
Normally this is vulnerable to XSS attacks, but in the textarea, all scrip...