security

PHP Session Security

What are some guidelines for maintaining responsible session security with PHP? There's information all over the web, so it's about time it all landed in one place!...

Found a critical bug, but the company doesn't care

I know several people who were in a situation like this. Let's say, you were trying out random sites for basic XSS/SQL Injection vulnerabilities, and you've found one that could be easily compromised. You email the admin/webmaster, but they don't reply. What would you do? ...

What is the best way to avoid SQL injection attacks?

I've provided a solution for Python... please flesh this out with examples for other languages. ...

Are there best practices for testing security in an Agile development shop?

I'm putting together a best practices training program for agile and there are no real good resources for secure design and testing related to Agile (as far as my contextual searching ability has shown). What are the best practices for testing security per release? If it is a monthly release, are there shops doing pen-tests every month?...

Best .NET obfuscation tools/strategy

My product is an ASP.NET app, a Windows Forms app and a Windows service. 95% of the code is .NET (VB if you must know). For IP reasons, I need to obfuscate the code. I am using an old Dotfuscator (over 5 years old) and thinking it is time to move to a new generation. Can anyone recommend one from their personal experience (please don't just give me a list ...

How do you disable browser Autocomplete on web form field / input tag?

How do you disable Autocomplete in the major browsers for a specific input (or form field)? ...

What all do I need to escape when sending a (My)SQL query?

When you execute a SQL query, you have to clean your 'strings' or users can execute malicious SQL on your website. I usually just have a function escape_string(blah), which: replaces escapes (\) with double escapes (\\); replaces single quotes (') with an escaped single quote (\'). Is this adequate? Is there a hole in my code? Speedy...

My website got hacked... What should I do?

My dad called me today and said people going to his website were getting 168 viruses trying to download to their computers. He isn't technical at all, and built the whole thing with a WYSIWYG editor. I popped his site open and viewed the source, and there was a line of JavaScript includes at the bottom of the source right before the clo...

Is there an Unobtrusive Captcha for web forms?

What is the best unobtrusive CAPTCHA for web forms? One that does not involve a UI, rather a non-UI Turing test. I have seen a simple example of a non-UI CAPTCHA like the NoBot control from Microsoft. I am looking for a CAPTCHA that does not ask the user any question in any form. No riddles, no "what's in this image". ...

Block user access to internals of a site using HTTP_REFERER

I have control over the HttpServer but not over the ApplicationServer or the Java Applications sitting there but I need to block direct access to certain pages on those applications. Precisely, I don't want users automating access to forms issuing direct GET/POST HTTP requests to the appropriate servlet. So, I decided to block users ba...

Personal Linux web server

I'd like to set up a cheap Linux box as a web server to host a variety of web technologies (PHP & Java EE come to mind, but I'd like to experiment with Ruby or Python in the future as well). I'm fairly versed in setting up Tomcat to run on Linux for serving up Java EE applications, but I'd like to be able to open this server up, even j...

Defensive programming

When writing code, do you consciously program defensively to ensure high program quality and to avoid the possibility of your code being exploited maliciously, e.g. through buffer overflow exploits or code injection? What's the "minimum" level of quality you'll always apply to your code?...

Best Practices for securing a REST API / web service

When designing a REST API or service, are there any established best practices for dealing with security (authentication, authorization, identity management)? When building a SOAP API you have WS-Security as a guide and much literature exists on the topic. I have found less information about securing REST endpoints. While I understand ...

Resolving Session Fixation in JBoss

I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around? ...

Secure Memory Allocator in C++

I want to create an allocator which provides memory with the following attributes: it cannot be paged to disk; it is incredibly hard to access through an attached debugger. The idea is that this will contain sensitive information (like licence information) which should be inaccessible to the user. I have done the usual research online a...

Best references for secure coding practices in ASP.NET and classic ASP.

What are some of the best reference material for secure coding in the ASP.NET and classic ASP environments? I'm sure there are a ton of books out there but which ones are the best for this? If anyone has pointers to online resources also, that would be appreciated. ...

Using VM to get around VPN restrictions

One major problem I have is corporate IT policy (Oh, I'm not alone then? :) ) Specifically that if I'm off-site using a VPN connection, I cannot link to anything outside that VPN connection. So my local printer at home is off-limits unless I disconnect - a simplistic example of the hampering. I've been pondering whether a VM machine ...

Best way to store a database password in a startup script / config file?

So our web server apps need to connect to the database, and some other apps have startup scripts that execute at boot time. What's the best way to store the name/password for these applications, in terms of: security, e.g. perhaps we don't want sysadmins to know the database password; maintainability, e.g. making the configuration easy ...

How do I call a Flex SWF from a remote domain using Flash (AS3)?

I have a Flex SWF hosted at http://www.a.com/a.swf. I have Flash code on another domain that tries loading the SWF: _loader = new Loader(); var req:URLRequest = new URLRequest("http://services.nuconomy.com/n.swf"); _loader.contentLoaderInfo.addEventListener(Event.COMPLETE,onLoaderFinish); _loader.load(req); On the onLoaderFinish even...

Java: What is the best way to SFTP a file from a server

What is the best way to retrieve a file from a server using SFTP (as opposed to FTPS) using Java? I'll leave the particular definition of best up to you, but in my mind it should include free :) ...