I've got an object that is owned by the Network Service that I want to delete. It is a Message Queue, a Private Queue. The queue's Properties | Security tab shows Network Services has full control, Everyone has just Get Properties, Get Permissions, and Send Message, and Anonymous Logon has Send Message.
I've got the Administrator login...
Hey all,
I'm considering embarking on a new project. The premise of the project is to generate a widget on my site, then copy a piece of JavaScript into your site and voilà, you have your widget.
It's a new spin on existing services such as polldady.com, twiig.com and addthis.com.
Many of these such services are designed to be publicly ac...
Why do some scenarios require both ciphering and integrity whereas some scenarios require only ciphering? What are the factors that decide this in the case of the networking domain?
...
What are the steps to be made to run an IIS7 Application Pool under a domain account? I know how to create a domain account and how to set the identity of the Application Pool.
My question is rather what rights does this Domain Account need to have? (logon right to the server? read rights to the files of the web sites running under appl...
I am starting to use boost/format.
When coding with boost/format, what should I pay attention to with regard to security?
Can I do the following without being concerned about security?
std::cout << boost::format("Hello %2%! Do you want to %1%?")
% user_supplied_str1 % user_supplied_str2 << std::endl;
What are situations where ...
I would like to use JSON, however, the security issues related to using JSON are holding me back.
There are two main issues CSRF (Cross Site Request Forgery) and the JSON/Array hack.
I have read that Double Submit the Cookie expanding from Secret Hidden Fields are possible solutions to the CSRF problem.
I wonder if there are any co...
Hi!
I have a WCF Service that runs over TCP with Certificate security like this :
<binding name="netTcpUserNameMessageSecurity" portSharingEnabled="True" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="2147483647" maxBuf...
Hey Dudes,
I am well aware that parsing HTML with regex has its many caveats and vociferous opponents. So rather than trying to re-invent the wheel, I'm looking for a tool that I can point to a web page and say "Get me the comments, b*tch".
Anyone able to advise?
I was reading some OWASP documentation or a security blog, and I'm almos...
Hi all,
I am trying to use the iOS security framework to securely communicate with my server. I have a certificate file from which I am able to get a public key reference. This is what I am doing.
NSString *certPath = [[NSBundle mainBundle] pathForResource:@"supportwarriors.com" ofType:@"cer"];
SecCertificateRef myCertificate = nil;
NSDat...
Hi all,
I have tested a JSF application with the CSRFtester tool, and the tool didn't report any CSRF problems. But I had read in the "OWASP_Top_10_2007_for_JEE.pdf" that all Java EE web application frameworks are vulnerable to CSRF, and also some say we need to create a secret key for each session and append it to the URL. By doing thi...
Hi all,
I currently have a webapp that consists of ~100 unique URLs + ~75 pages. The application uses Spring for security and Tomcat to host. My question is how do I prevent the following from happening:
http://localhost/myApp/myPage;rollback;
If that's not clear, what I am trying to prevent is my application from processing anythin...
I work with a group that is very adamant on keeping the wsdl and xsd that are associated with our web services as private as possible, and only distributing them to customers on a need to know basis.
My question is this... Is this overkill? I realize that adds another layer of obscurity to any potential attacks, but is this really doing ...
Hello
This I think may be a silly question, but I have become quite confused on what I should do here for the best.
When salting a password hash, should the salt also be hashed or left as plaintext?
NOTE: I am hashing a password in SHA-256 and the salt is a predefined string, as only one password will ever be stored at a time.
TIA
C...
When you need to store sensitive data such as CCs or SSNs, do you:
1) Build your own encryption routine within the application, define a secret key somewhere in a config file, and then manually encrypt/decrypt data going to the database.
2) Push all the problem to the database, using the built in DB capabilities (I think most vendors c...
Hi, I'm extracting a part of a web application that handles the signup, the other part will be rewritten.
The idea is the signup part can exist as a separate application, interface with the rest of the application for creating and setting up the account. Obviously there are a ton of ways to do this, most of them network based solutions ...
When you upload files, you can then get the necessary data from $_FILES.
$_FILES contains the list of file inputs, where each one has a field like [type].
for example:
Array
(
[file1] => Array
(
[name] => 'MyFile.txt'
[type] => text/plain //where does this come from?
[tmp_name] => /tmp/php/p...
I have to make connection to the DB and Insert a row based on the data that the SWF sent me...
I will need to make it so that the SWF->PHP part is secure by not letting users tamper with data.
I don't want to use SSL because it's not a suitable solution... what other method is available?
...
Hi,
I have had several contexts where table names or schemas were not hard-coded, but rather configured by the administrator, or, worse, generated from user input.
Since the cases were easy (schemas and table names in plain English, without numbers or symbols), it was easy to avoid SQL injection by just forbidding any character outside A-Z an...
Hi
I want to put my NIC into promiscuous mode. Why?
Because I wrote an app which is potentially able to detect sniffing in my local network (by sending appropriately modified Ethernet packets). I now just want to check it out, so on my second computer I want to set up promiscuous mode.
There's Windows 7 and simply Dell Wireless 1397 WLAN Mini-Card...if it...
After a file has been uploaded to the tmp folder, for example a pdf file, would php fileinfo mime check be enough to verify that the file is indeed a pdf file and is not infected?
How do you verify that a user uploaded file has no virus?
so that I could let users download it?
My scenario is this:
A user uploads a pdf file, I then let...