web-security

Security token expiration

I am implementing a security token feature in my application. You can specify an expiry time and/or max number of uses. If both are specified then both conditions are checked; if either one is specified then just that condition is checked. My question is, how should I handle the scenario where a token exists without expiry time or maxus...

Is there any need to use Html.Encode for an internal site?

I'm having some problems with Html.Encode and users wanting to use special characters. Firstly, the characters are replaced by the HTML codes and so are not displayed properly. And then, if the text is later edited and re-submitted, an exception is thrown when these HTML codes are re-submitted. Given that this is an intranet site and the...

Is this Googlebot or someone trying to impersonate Googlebot?

In my ELMAH exceptions I keep getting exceptions from what appears to be Googlebot, but what I imagine is someone impersonating it, trying to download what appears to be warez and other dodgy software from my server. Here are just a few of the attempts and the software they are trying to get. The controller for path '/download/msj...

Final year project ideas (Data mining - Security)

Hey all, I'm in my CS final year and I have about 8 months and a group of 4 to accomplish the project. About the idea, I searched a lot, but nothing was really interesting. I don't want to work on (because I've already done these): Simulations for physical issues. 3D games. Learning Systems. I was searching in the following topics: Data ...

Is a POST from HTTP to HTTPS secure?

I have an HTTP page with a form. If I set the action to an HTTPS page, is this secure? Does the browser process all the data before sending it to the net, or should I use HTTPS for my entire site? ...

Large scale internet application, where to start?

I'm involved in a kind of work where I think knowledge about large scale applications and large scale web will help me much. What do you think I should take? I mean books to read, courses to take... etc... Thanks in advance for any suggestion. PS: maybe the applications I mean are not large enough :D, kind of social network for >100k users or rea...

MVC application not serving files from the content folder when user is logged in

I am using a custom membership system and it works great, but when the user logs in all my pages get distorted because some styles and images fail to load. I used Google Chrome Developer Tools and I get several errors, "Failed to load resource (error 500 internal error)" or something similar, but everything else seems to be working fine only t...

Demystifying Web Authentication

I'm currently researching user authentication protocols for a website I'm developing. I would like to create an authentication cookie so users can stay logged in between pages. Here is my first bash: cookie = user_id|expiry_date|HMAC(user_id|expiry_date, k) where k is HMAC(user_id|expiry_date, sk) and sk is a 256-bit key only known ...

What's a good database schema for Forms auth with OpenID?

I'm trying to find a good standard for a database schema that will let me do a couple of things. Mainly, I am writing a web app that needs to handle various types of logins. First being the standard ASP Application Services login, second being OpenID/OAuth logins and third being Active Directory logins. What's a good suggestion for a dat...

Why does the new Facebook JavaScript SDK not violate the "same origin policy"?

The new Facebook JavaScript SDK can let any website log in as a Facebook user and fetch data of a user... So it will be www.example.com including some JavaScript from Facebook, but as I recall, that script is considered to be of the origin of www.example.com and cannot fetch data from facebook.com, because it is a violation of the "same...

Which markup language? Markdown or ???

I am currently looking for a markup language to use in a project. I want to allow site visitors to edit a wiki-like page using a markup language (not HTML). I am implementing this site in Ruby on Rails, and would prefer (although not bound) to use something that already has strong support in the form of a gem. There are a few main thing...

Why should primary keys of the DB not be shown in HTML code, e.g. in select fields?

Hi, everywhere I read that values in select boxes (or anything else in the HTML code) should not be the primary key of the database table. For example: <select> <option value="1">Value 1</option> <option value="2">Value 2</option> </select> In the database there are lookup tables with these values as primary key (1, 2, 3,....

Error when trying to access web browser from Windows application

I am trying to access an open IE instance from my desktop application. The code is: IHTMLDocument2 *pDoc; LRESULT lr; HRESULT hr; if ( SendMessageTimeout( hwndChild, uMsg, 0L, 0L, SMTO_ABORTIFHUNG, 1000, (DWORD_PTR *) &lr ) ) { hr = ObjectFromLresult( lr, IID_IHTMLDocument2, 0, (void**)&pDoc ); if ( SUCCEEDED( hr ) ) { IWebBrowser2 *...

I am having trouble understanding XSS

I understand that XSS is when you can get a site to run arbitrary JavaScript by appending it to a URL or embedding it in the page somehow. I understand this is bad because it can allow people to steal cookies and such. What I don't understand is how that is possible. All my reading about it just shows people using alert() to display th...

Rails CSRF token lifetime

Hi, I use the Rails request_forgery_protection mechanism to protect my POST actions from CSRF attacks and a captcha to protect the GET actions. This way, if someone stages a two-phase attack within one session, GET-ting the form with the current token and then POST-ing a forged request with that token, he will eventually be faced with a captch...