web-security

What is the best way to secure a RESTful API to be accessed on an iPhone.

I am looking for some suggestions on how to secure access to a RESTful API which will initially be used by an iPhone application, but will have other clients in the future. The data exposed by this API must be kept secure as it may contain health information. All access will be done over HTTPS. I was thinking that I'd like to require pre-reg...

Encrypting config files info

I have many ASP.NET applications running on a server and I want to encrypt the web.config file for each. Is there a way I can encrypt all config files using a single class/app, or do I have to write separate code under each solution/project to encrypt the config? I have an idea how to do one file in a project using http://davidhayden.com/blog/dave/...

How can I throttle user login attempts in PHP

I was just reading this post http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication-beta#477585 on Preventing Rapid-Fire Login Attempts. Best practice #1: A short time delay that increases with the number of failed attempts, like: 1 failed attempt = no delay 2 failed attempts = 2 sec delay 3 failed ...

Can an attacker change the src attribute in an iframe?

I have a website that uses IFrame in a page that loads other pages based on server side logic. So, if I do a View source, I would see something like this: <iframe src="DeterminedOnServerSide.aspx" id="myFrame"> </iframe> My question is - Is there any way, an attacker can change the src attribute to point other users to a malicious web...

Preventing Cookie replay attacks in ASP.Net MVC

I have been tasked with implementing point 4 in this article: http://support.microsoft.com/kb/900111 This involves using the Membership provider to add a comment to users server side records when they log in and out, and then confirming that when a cookie is used to authenticate, that the user hasn't logged out. This makes perfect sense...

Security implications of allowing framing?

I notice that when I try to access Stackoverflow through the reddit toolbar, I get a popup that says "For security reasons, framing is not allowed". See here for an example. What exactly are those security reasons? I realize that this might be a question for meta, but it is really more of a general web security question, so I'm givi...

How much data is leaked from SSL connection?

Say I was trying to access https://www.secretplace.com/really/really/secret.php, what's actually sent in plain text before the SSL session is established? Does the browser intervene, see that I want https, initiate a SSL session with secretplace.com (i.e. without passing the path in plain text) and only after the SSL session is set up ...

Best Java framework to manage/create dynamic security policy rules?

Typically in any web application, the major security concern is securing the resources from malicious users who are trying to access unauthorized resources. They can change a value in the request parameter and try to access something that doesn't belong to that particular user. For example: http://blah.com/id=foo a user can change...

Read browser history

In http://www.merchantos.com/makebeta/tools/spyjax/ there is a script that reads browser history. It's not the JavaScript history object. It checks the color of links, which changes depending on whether the link was visited or not. Is there a script like this but in jQuery? ...

Htmlentities vs addslashes vs mysqli_real_escape_string

I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables because addslashes can cause some weird things to happen for a smart attacker. Right? However, there is one thing that is confusing me. I seem to remember being...

Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?

We've just had some Penetration Testing carried out on an application we've built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the Form could be resubmitted multiple times and did not expire after a single use. According to the OWASP recommendations around the Synchronize...

What types of security measures should I take while developing an ajax-driven application?

Let's say you were building a multi-step (5 part) booking engine that had a fully working backend but had a layer of ajax, where you can go through all 5 steps in the initially loaded page. The steps would be: input dates and specify availability information availability results where you can choose rooms input your information inclu...

Should the AntiForgeryToken be applied to every post action?

Should the AntiForgeryToken be applied to every post action in an ASP.NET MVC application? Off the top of my head I can't think of any reason why you would not want to include this on every post action, but it seems that nobody ever actually recommends using it on all of your actions. I'd love to hear your thoughts. ...

Implementing application security - App Level & DB level (ASP .NET & SQL Server 08)

Hello, I am about to deploy an ASP .NET application (developed with LINQ-to-SQL). I have taken the following precautions: Database access via a user with limited access; however, since the application is to access the sensitive data, I can't deprive this limited access user of it. Database server is not exposed to the external network - is hidin...

How to get security question answer in .net sql membership provider?

Hi, Is there any way to get the security question answer from code level in the .NET SQL Membership Provider? I'm struggling with allowing the user to have change password reset and change features using the same provider. Does anybody know how to do that? Or if I would like to use the question and answer feature, does it mean that I automatically have to us...

Why does conversion tracking use pixels and why do images potentially expose information about you?

First, why (historically) was conversion tracking implemented by html pixel tracking versus using other small and able-to-be-made-nearly-invisible html elements which could provide the same information? Curious why html images were used as opposed to other methods. Second, many email clients, e.g. Outlook and Gmail don't display images...

Data Loss Prevention Solution: Has anyone implemented one?

Has anyone implemented a DLP (Data Loss Prevention) solution? How effective and manageable is it? Could someone share the insights of its implementation? E.g. its administration requires experts, has some caveats, etc. Many thanks. ...

Am I under risk of CSRF attacks in a POST form that doesn't require the user to be logged in?

I'm probably being a total noob here, but I'm still uncertain about what a CSRF (Cross-Site Request Forgery) attack is exactly. So let's look at three situations... 1) I have a POST form that I use to edit data on my site. I want this data to be edited only by users that are logged in. 2) I have a site, which can be used by both users w...

Django with custom authentication backends, is Csrf middleware really required ?

Hello, Under Django 1.1.1, I am using several authentication backends such as social-registration for facebook connect and django-emailauth for email based authentication instead of user names. I am curious if the Csrf middleware is an essential security measure as it seems like it sometimes generates problems, especially with facebook ...

How can I secure my ASP.NET AJAX application?

Ajax seems to give a better user experience, but I'm not so sure if I take the right steps to protect and secure my application. Is there a checklist of things I must pay attention to? ...