I've recently been learning perl and am wondering what frameworks are available for creating a web app. I'm mostly concerned about security, so if there are any security-specific web frameworks you'd recommend, I'd be more interested in those.
...
How can I create a "security aware" action link that detects if a user is authorized to click (invoke) the action?
Hide link if user is not allowed to use that action...
Depending on
web.config (authorization) and
[Authorize] attributes on actions
PS
I guess it is bad practice to mix those 2 in MVC?
...
I'm looking for guidance on writing a custom password reset UI, but it must fit the Provider 'Pattern', or degrade silently to built-in defaults. E.g. my Reset Control must collect extra information, and perform differently to the standard Password Recovery Control. It must, as closely as possible, use the standard MembershipProvider interfa...
Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials -- on replay of the entire request (including session and auth cookies) the security tester is able to successfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.
What would a mal...
The reason I ask is mostly due to how Google Chrome installation works once you click the "Accept and install" button from Firefox. After you click the installation is started directly and when it's completed Chrome itself starts up.
Firefox does not show any "Save" or "Confirm" dialogs after you click the Install button (on Chrome inst...
I am using PHP and MySQL with Smarty, and I have places where users can post comments, etc. I've already escaped characters before inserting into the database to guard against SQL injection. What else do I need to do?
...
Hi,
If I have a reference to an external third party JavaScript file on my website, what are the security implications? Can the JavaScript file be used to steal cookies?
One example of this is the Google Analytics JavaScript reference file.
Could the third party technically steal cookies or any other sensitive information from my log...
We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a Base Page class to check if the user has the role of the corresponding page the user is navigating to.
We can limit the menu's options by the u...
I know Silverlight 4 can handle elevated permissions outside the browser. Is there a way to accomplish this inside the browser?
I need to make a folder/file upload manager that gives a better user experience than the standard , and I'd like to implement it in Silverlight.
I know Java has an option to gain elevated permissions, but you...
I'd like to know what people consider best practice for securing the Admin sections of websites, specifically from an authentication/access point of view.
Of course there are obvious things, such as using SSL and logging all access, but I'm wondering just where above these basic steps people consider the bar to be set.
For example:
A...
I am working on a document storage and retrieval application, in which I display the PDF document as a PNG image, but I have an email button on the top. On clicking that, the user would be able to provide an email address to which the document needs to be sent, and I need to send this PDF as an attachment. I need to password protect the f...
Hi, I have a question:
In Flash, I have the ability to save certain info onto the server.
Now the problem is the user needs to be authenticated as admin in order to do so.
I can't use sessions, since if you work longer than 20 minutes in the Flash application, the session is gone.
The way I see it, I have 2 possibilities:
1. passing a...
Let's say we have this form, and the possible part for a user to inject malicious code is this below
...
<input type=text name=username value=
<?php echo htmlspecialchars($_POST['username']); ?>>
...
We can't simply put a tag, or a javascript:alert(); call, because value will be interpreted as a string, and htmlspecialchars fi...
Hi,
I'm working on the web app which will be hosted on the client's server.
There are various restrictions/security measures in place and I'm concerned that these can be "hacked" because the client will have direct access to the ASP.Net user database through SSMS.
I can think of few ways to stop the user from doing this, but I...
Hi,
I'm interested in finding out whether there are any standards or resources that you can recommend for developing license models in C#?
Thank you
...
We recently got a call from one of our clients, complaining that their site has some "strange looking code" at the bottom of the page. We checked out the source code, and discovered that about 800 bytes of malicious javascript code had been appended to the templates/master file, after the </html> tag. I won't post said code because it lo...
I'm working through NerdDinner and I'm a bit confused about the following section...
First they've added a form for creating a new dinner, with a bunch of textboxes declared like:
<%= Html.TextArea("Description") %>
They then show two ways of binding form input to the model:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create() ...
When doing an AJAX call, why do browser security rules state that you cannot make a request to a different domain?
...
I am implementing a simple (hopefully) security manager within an application. Is it better to have predefined (static) roles or custom (dynamic) roles? I am leaning more towards dynamic groups or roles, only because then it would not require a redeploy to update the system. Also, what would be the best approach to define resources in general...