security

How does header injection work?

I have read the section on header injections as described here: http://guides.rubyonrails.org/security.html. But I can't seem to walk through a step by step example of this in my head. Could someone walk me through an example of how exploiting the referer header could cause issues in an application? ...

How to ensure http requests originate from a specific location?

HTTP Referer is the way I'm doing it at the moment. As everyone who's used this method knows, it is not 100% accurate, as the Referer header is optional and may be fiddled with. Looking at how-to-ensure-access-to-my-web-service-from-my-code-only I'm still unsure of how to go about this in a minimal way. The situation: Advertising on som...

Why isn't MVC using Error.aspx?

I'm trying to add some security to my ASP.NET 1.0 MVC app (VB), but I can't get it to work. At the top of my controller, I've got: <HandleError()> _ Public Class HomeController I'm overriding OnActionExecuting and throwing a SecurityException if the user is not in the proper role. Everything I've read states that this should by defau...

Generation of Email Validation Links

Hi all, for a web application I'd like to generate an email validation link and send it to the user. Like on many public websites, the user should click it to validate his email address. It looks similar to this: http://www.foo.bar/validation?code=421affe123j4h141k2l3bjkbf43134kjbfkl34bfk3b4fkjb43ffe Can anybody help me with some hints ab...

Is there anything "better" than Access Control Lists (ACLs)?

I've spent some time casually mulling over ACLs in my head. I can see the real benefit of ACLs and their flexibility. But I have some serious concerns when it comes to implementing ACLs for a project that could have hundreds of thousands of users, if not millions. All connected someway to hundreds of thousands of resources (such as imag...

How do I access Windows credentials from Java?

How do I (or can I?) retrieve the cached credentials for the currently logged-in Windows user in Java? I want to reuse these credentials in some other GSS-API calls. Specifically, I'm answering an SPNEGO challenge from IIS. Thanks. ...

Should I provide lost credentials to users via a direct message on Twitter?

Is it better (more convenient or secure) to provide users with a lost username or password via direct message on Twitter rather than via email? ...

Is storing the answer to a secret question any more secure than storing a password?

Reading what is currently the top answer to a recent question on how/whether to send users their passwords, I was intrigued that the most popular answer said the following: storing passwords in such a way that they are retrievable is insecure; using a reset feature with the help of a secret question is a valid alternative (These two...

Detecting and controlling unauthorized shared memory reads

Hi all, I was wondering - are there any known techniques to control access to a shared memory object from anywhere but an authorized program? For instance, let's say I create a shared memory segment for use in a program P, to be accessed by Q, and I make it Read-Write. I can access it using Q because I've given it (Q) the required permi...

Cross-Platform Web Services Authentication

I'm working on a project where we have several SOAP Web Services developed in different programming languages, like Java, Perl and Python. I need to authenticate users that will use each Web Service, denying users that we do not want. I have already seen OAuth, but I didn't find any documentation that helped me on this way. And with OA...

Sharing Spring Security Configuration Between Applications

I'm brand spanking new at Spring and have gotten a majority of the knowledge I do have from the Spring Recipes book from Apress. I've got LDAP authentication working with Spring Security within one webapp. I would like to rip out my application context beans and properties files from this one webapp, however, and somehow externalize the...

How to support anonymous and integrated security in IIS 6?

Specifically, what I'm trying to achieve is to have the possibility of supporting both types of authentication, but giving priority to integrated security. I mean, if the credentials are passed, use integrated security (and I could see who logged in through ServerVariables["logon_user"]); if no credentials are passed, then fall back to anonym...

Generating an RSA keypair in JavaScript

I recently found this RSA JavaScript library: http://www.ohdave.com/rsa/. However, it requires that the key be pre-generated. Here are my questions/issues: I'd like to generate an RSA keypair in the JavaScript (so that I don't have to change the code every time I want a new keypair.) While I understand how this can be used to send secu...

Work around for the same origin policy problem

I have a problem where I have a frameset consisting of a parent frame loaded from one domain and a contained frame from a different domain. The contained domain also sets a cookie before the frameset is loaded. However, because of the 'same origin' policy, enforced by most browsers, a contained frame will not pass cookies if it is not fro...

Using Jespa Windows Authentication

Who knows how to configure the web.xml Jespa service account name and bindstr value? ...

Suggestions for a productive hardware setup with excellent virus protection.

This question is a little opinion based, but I think it can be based in fact and I would prefer answers backed up with a link to a reputable company if possible. The problem is at my job, we have "okay" hardware for the developers, laptops running Windows XP (I know) with dual core 2.3 GHz processor, 2GB of memory and 60 GB hard disk @7...

How do sites like Meebo store usernames and passwords?

I recently used Meebo and I must admit I'm a little paranoid about typing my IM login information into a site like this. How do they store my username and password for each of the separate IM services? I only feel comfortable when a site takes my password and does some type of irreversible, one-way function on it, but it seems that Meebo...

SQL Server 2000 + ASP.NET: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

I just migrated a development workstation FROM: Windows XP Pro SP3 with IIS 6 TO: Vista Enterprise 64bit with IIS 7 Since the move, one of my pages that accesses an SQL Server 2000 database is receiving the following error from my ASP.NET 2.0 web page: "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." I have: enabled Windows...

The sure way to protect against XSS?

I've looked through the questions and I haven't seen anyone ask this yet. What is the for sure method to remove any sort of XSS attempts in some user submitted content? I know that < and > should be converted to &lt; and &gt; respectively but I've heard mention that encoding differences can get around this too. Supposing a whitelist, ...

How should I save my password?

Hi, I am programming a new site in JSF. At the moment I am programming the login. I used MD5 some years ago, but with rainbow tables I think it's not safe anymore. So, how should I store the password in the database? ...