web-security

Recover Index File + Overwrite or Hacked by SomeOne + Linux Server

Somebody overwrote the index file of every folder on my Linux server. Is it possible to recover all the files from the server to get the website back into a running state? ...

Is there a definitive or idiot's guide to implementing strong web security using ASP.NET MVC 2/SQL 2008?

Hello. I'm about to begin building an e-commerce website using C#, ASP.NET MVC 2, IIS7 and SQL 2008. The site will allow users to log in, make purchases, and manage their orders. Obviously, there's a need for strong security here. I've been searching around on SO and Google for a single definitive guide that covers enough on security ...

How safe is it to accept a pre-defined set of non-harmful HTML tags from a request?

Hi guys. One of the first things I learned as a web developer was to never ever accept any HTML from the client (perhaps only if I HTML-encode it). I use a WYSIWYG editor (TinyMCE) that outputs HTML. So far I have only used it on an admin page, but now I'd like to also use it on a forum. It has a BBCode module, but that seems to be inc...

How to identify curl request

Is there a way to detect in my script whether the request is coming from a normal web browser or from some script executing curl? I can see the headers and can distinguish with "User-Agent and a few other headers", but in curl fake headers can be set, so I am not able to track the request. Please suggest ways of identifying curl or othe...

Multiple authentication schemes for HTTP 'Authorization' Header

For our API users we need two styles of authentication: (1) authenticate the API user (mobile device, partner integration); (2) authenticate a specific "normal" user, who owns data on our side. The standard challenge vs. response is handled through the WWW-Authenticate and Authorization headers. I want to reuse this. I have the following use case: O...

What are the ways of attacking a website?

Hi. Can anyone tell me briefly what kinds of attacks there are on a website? I'm using ASP.NET and SQL Server 2005. And can you give me a reference about each of them, please? ...

Iframe - let the user pick the src - any security issues?

I want to allow logged-in users to view any 3rd-party content via an IFrame, something like allowing Gmail users to view any web calendar they want inside an IFrame. Is allowing the users to set the IFrame src URL a security problem? What security issues will I face? Any other need-to-know tips for using IFrames are welcome. ...

How useful is the X-Frame-Options header in protecting against malicious framing?

Adding X-Frame-Options: DENY to the response headers helps protect against malicious framing of the web page, and as a solution it's certainly better than client-side JavaScript solutions. But just how useful is it? Is it supported by all (modern) browsers, and can it be bypassed by hackers intent on hijacking your site? ...

What is the most secure way to set up an admin area in PHP?

Recently I have been contemplating the most secure way to set up an admin area on a website. The two options that I was toying with are: (1) create the admin area as part of the main site, require admins to register first using their email address as their username, and set them up with an admin level; (2) create a completely separate admin area fr...

Stopping ZmEu attacks with ASP.NET MVC

Hello, recently my ELMAH exception logs are full of attempts from people using this damn ZmEu security software against my server. For those thinking "what the hell is ZmEu?", here is an explanation... "ZmEu appears to be a security tool used for discovering security holes in version 2.x.x of phpMyAdmin, a web-based MySQL database man...

How to implement Website security based on client hardware or other solution?

Hi, I have two websites (one ASP Classic and the other ASP.NET) on which we would like to implement some kind of security based on the client's hardware. We want something other than a password, which could be shared. The purpose is to be sure that access to information on the websites is not shared. We were contemplating storing hardware info...

Best way to protect a REST service that will be accessed by mobile and desktop applications

I have REST services that I was planning on protecting with Windows Integrated Authentication (NTLM), as they should only be accessible to those internal to the company, and they will end up being on a website that is accessible to the public. But then I thought about mobile applications, and I realized that Android, for example, won't be a...

Deploying a Mercurial Repository to Production - Security Concerns and Tips

In my research, I found some concern around deploying an online PHP application while leaving its ".hg" folder or ".svn" folders in place on the production server. Unfortunately, I was not able to find a clear explanation as to why this is a concern. I would like to better understand this security risk. It seems to me that you don't...

What security issues need to be addressed when working with Google App Engine?

I've been considering using Google App Engine for a few hobby projects. While they won't be handling any sensitive data, I'd still like to make them relatively secure for a number of reasons, like learning about security, legal, etc. What security issues need to be addressed when working with Google App Engine? Are they the same issues...

Looking for a simple, secure web application service.

I'm a programmer, but not a web programmer, looking to help a friend set up a simple web-accessible database for a non-profit. It would need to be available both inside and outside the office, provide at least 2 levels of access (i.e. clients could access their own records, employees could access everything), and do everything right in ...

Common login component

Hello, I have a server-side component which performs user authentication against the LDAP server. My organization has a set of different web applications, and all of them depend on this component for user authentication. Now I need to make a common login UI component so that individual web application pages just need to include this on ...

How do we "test" our security policy?

DISCLAIMER: At my place of work we are aware that, as none of us are security experts, we can't avoid hiring security consultants to get a true picture of our security status and remedial actions for vulnerabilities. This question is asked in the spirit of trying to be a little less dumb and a bit more aware of the issues. In my place o...

Security and Spam filtering of an online survey?

I'm not sure how many of you are familiar with XKCD's color survey that was up a while back (you can read about it in his blog), but I want to have a test along the same lines as his: ask some questions and collect people's responses, not necessarily about colors and such. I want to gear my test towards converting emotions to numbers using ...

How vulnerable to XSS attacks is Flash?

The reason I ask is that I'm telling a vendor of ours they have to use the MS AntiXSS library with the ASP.NET UI components they make, but they also work with Flex to build Flash-based UIs, and I was wondering if there's an equivalent for Flash (assuming it's vulnerable). ...

Web Applications Security

Hi, does anybody know of any other programs similar to WebGoat for the demonstration of web application security flaws? ...