web-security

Domain based security for widgets

The web sites will be registered and get an API key to use widgets. For example, Site A is registered as sitea.com for the widget. But the main problem is, the widget cannot be accessible from siteb.com with the API key of sitea.com. Is there any way to implement this? ...

SSL security concern

I'm wondering why SSL-encrypted data can't be cracked easily once the packets are intercepted. As I understand it, when you connect to a site like Facebook the browser and site agree on a cipher; what stops the sniffer from seeing what cipher they agreed to? ...

How do I provide more security for checking source of the request

Hi All, I am developing one web application (using PHP). I want to provide more security to the application so that no one can easily break the functionality. Brief explanation of my problem: In one module there is one stage where I am checking the source of the request (where this request is coming from). Currently, I am using...

What is the best module in Perl that can implement Paros proxy functionality?

Does someone know about a good Perl module that implements most of the functionality of Paros proxy (http://www.parosproxy.org/)? If yes, could someone provide some modules that do that? ...

Is there any way to find orphaned pages without having access to the server?

Let's say I am testing beta pages on my server and was too lazy to password protect the pages I put up. I am putting them up in some obscure named sub-directory. Is there any way of people seeing the beta pages without guessing around at file names or looking at the directory from an FTP client? These are all orphaned pages, there is no...

Password protected directory and files in PHP

I'm creating a simple private page with links to some files to download. I've done it with simple session management but I have a problem: if somebody clicks on the file URL he can download the file without the authentication. So what can I do to avoid this? I can use HTTP Authentication but I want a custom login form and not the window...

Is it possible to perform a cross-site request forgery attack on a URL that returns a JSON object?

I'm aware that there is a cross-site forgery attack that can be performed on a request that returns an array by overloading the Array constructor. For example, suppose I have a site with a URL: foo.com/getJson that returns: ['Puff the Dragon', 'Credit Card #'] This would normally be JavaScript eval'd by my own site after an XHR re...

Security: Brute-forcing GET requests by URL?

Hi everybody, what should my concerns be if I were about to make an application that handles logins the following way: http://api.myApp.example/printSomething/username/password/ How insecure is it compared to a normal login page that is based on POSTed user details (username+password)? Is there a difference? Thanks ...

Best libraries/practices to prevent OWASP Top 10 Vulnerabilities

I'm looking for the best reusable libraries and inbuilt features in ASP.NET to prevent the OWASP Top 10 security vulnerabilities like injection, XSS, CSRF etc., and also easy-to-use tools for detecting these vulnerabilities for use by the testing team. When do you think is the best time to start incorporating the security coding into ...

Can I get into trouble for identifying vulnerabilities in someone else's website?

Is it possible to get into legal trouble for identifying vulnerabilities in a web application even if you don't exploit them? I have considered using tools like NetSparker on occasion to see if a site has any vulnerabilities and I'd like to contact the owner of the site to see if they'd be interested in me fixing it. I suspect that s...

(PHP - Session) How can I restrict users from accessing controller.php directly and only allow access from view.php?

Hi, I am a beginner in PHP. How can I restrict user access to controller.php and allow access to it only via view.php? My proposal: I don't know if this is proper, or how to avoid robots accessing it directly. view.php: <?php session_start(); $_SESSION['isFromView'] = true; ?> <html> <body> <form action="...

Create a single use link

I'm writing a database front end for a website. Next to the records I want to include a link like this: Record 1 - [Add][1] [Edit][2] [Delete][3] But I want to protect these links from being used more than once. My thinking is to pass a hash value, then store a list of valid hash values in a table somewhere and only process request...

HTTP::Proxy for pen testing tasks

Could someone provide ideas on how the HTTP::Proxy module compares to other proxies like Paros and Burp proxy, and whether someone uses it during their work, specifically whether it is used by the pen testing community for real jobs ...

WinInet: How to override Internet Explorer's EnableNegotiate setting?

Our application uses WinInet to download data from a web server that supports Windows Authentication (Negotiate). However, when Internet Explorer's Windows Authentication setting is disabled, we only get an HTTP 401 - Unauthorized error. Both .NET's WebClient and the newer WinHTTP don't show this behaviour, but they are not a feasible o...

Perl libwhisker library

Could someone provide links to tutorials about the libwhisker library? ...

How to secure access to an update server for a .NET Compact Framework 2.0 application

I'm about to create the update system for a .NET CF application. It is going to be a manual update system: customers will be able to "check for available updates" and install them. There will be one global update server for about 500-5000 devices. The application will be distributed as a zip-compressed folder. The client application will ...

Is it possible for a malicious website to steal my cookies from another website?

From what I understand, document.cookie only gets your cookies for the current site you are on. Would it be possible for a malicious site to get around this by using an iframe, modifying my HTTP header, making a request to the target site, or some other method? ...

How do I open an image and re-save it using ImageMagick?

I'm doing this to image uploads to prevent any embedded malicious code. Am I right in doing this? But yeah, my main question is how to actually do it, because I've never used ImageMagick before; I've just installed it on my server. ...

Java EE 6 Security Model: How to add or delete user

I read most of the documentation, but I only see the use of @RolesAllowed or @DeclareRoles; how can I add or delete a user? I have a table of users with username and password in my database; how can I make my web app authenticate those users? How can I map these users (principals) to particular roles? Sample code would be greatly appre...

What browsers allow JavaScript to be the source of image tags?

I've heard that some XSS attacks can be done by posting an image to a site that has JavaScript as the src attribute. Are there certain browsers that will protect me from this type of attack? ...