web-security

Storing parts of user data in files for preventing SQL injection

I am new to web programming and have been exploring issues related to web security. I have a form where the user can post two types of data - let's call them "safe" and "unsafe" (from the point of view of SQL). Most places recommend storing both parts of the data in the database after sanitizing the "unsafe" part (to make it "safe"). I am ...

Do you require deep packet inspection on a server-only firewall?

I have a server behind a firewall. It runs a web application (Java servlets under Apache Tomcat) and responds only to port 443 (HTTPS). There is no scripting code in the pages served - the forms use HTTP POST to receive the form, process the data (with appropriate input filtering) and then output an HTTP result page. I am currently usin...

ASP.Net: Authentication via Browser's Login Window

I have what appears to be a fairly common scenario: I have a database that contains a list of users/passwords, and ideally, when someone visits the site, I'd like to use their windows name (internal), otherwise whatever name the user provided (external). My main question is how do I send a response to the browser forcing it to prompt f...

What conferences/training should an employer provide for a java/web team?

I'm a software developer at a large insurance company in Canada. Our dept. is looking at getting some training for us all. We are mostly a java group (JSF/JSP/Servlets) but obviously we use a lot of other web technologies (tiles, ajax, YUI ...etc). The main topics we're looking at are: JSF AJAX Web security Advanced Java/EE topics ...

Best practices for URL retrieval service? How to avoid being attack vector?

I'm tinkering with a web tool that, given a URL, will retrieve the text and give the user some statistics on the content. I'm worried that giving users a way to initiate a GET request from my box to any arbitrary URL on the net may serve as a vector for attacks (e.g. to http://undefended.box/broken-sw/admin?do_something_bad). Are there...

Returning a password to the web user

I have received the unfortunate requirement of building a page that displays a new password to the authenticated user. I have unsuccessfully protested this requirement as a generally bad idea, but I think the jury is still out so perhaps there are arguments against displaying a new password that I haven't tried yet. Do you have any sugge...

Main security concerns in allowing users embed video

I want to allow users to embed videos freely in the application I'm developing, but do not want to expose them and the application to malicious uses. With that in mind, what are the main security concerns (XSS, etc.) in allowing users to embed videos from external sources, like YouTube, Vimeo, etc.? In which ways could these exploits be used? ...

What is the best and safest way to store user email addresses in the database?

For security reasons, is it worth encrypting user emails before putting them into the database? I know we hash and salt passwords, but that's another story, as we do not really need the original passwords. With emails it is different. Knowing that the decryption key will anyway be somewhere close to the database, does it make sense to encry...

How can I ensure that my web pages are not modified by end customer?

I want to lock down my website so that the end customer cannot change the standard web pages (aspx). I have investigated code signing and digital certificates, but that is more suited for the DLLs and executables, and not for the aspx/html pages themselves. Is this possible? If so, please provide me some links. Thanks, Murali ...

How to Start/Stop a Windows Service from an ASP.NET app - Security issues

Hey guys, here's the setup (bear in mind I'm really struggling with the Windows/.NET security stack i.e. I don't get it): A Windows Service running as LocalSystem on a Windows Server 2003 box. A .NET 3.5 Website running on the same box, under "default" production server IIS settings (so probably as NETWORKSERVICE user?) On my default...

Do Perl CGI programs have a buffer overflow or script vulnerability for HTML contact forms?

Greetings all, My hosting company says it is possible to fill an HTML form text input field with just the right amount of garbage bytes to cause a buffer overflow/resource problem when used with Apache/HTTP POST to a CGI-Bin Perl script (such as NMS FormMail). They say a core dump occurs at which point an arbitrary script (stored as p...

What security issues appear when users can upload their own files?

I was wondering what security issues appear when the end user of a website can upload files to the server. For instance if my website allows the users to upload a profile picture, and one user uploads something harmful instead, what could happen? What kind of security should I set up to prevent attacks like this? I'm talking here about...

How can I prevent bulk vulnerability scanning without using a CAPTCHA component?

How can I prevent forms from being scanned by massive vulnerability scanners like XSSME, SQLinjectMe (those two are free Firefox add-ons), Acunetix Web Scanner and others? These "web vulnerability scanners" work by catching a copy of a form with all its fields and sending thousands of tests in minutes, introducing all kind o...

Examples of SQL Injections through addslashes()?

In PHP, I know that mysql_real_escape is much safer than using addslashes. However, I could not find an example of a situation where addslashes would let an SQL injection happen. Can anyone give some examples? Thanks! ...

Is EnableHeaderChecking=true enough to prevent Http Header Injection attacks?

Is it sufficient to have System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking set to true (default) to fully prevent Http Header Injection attacks like Response Splitting etc.? I'm asking because a white box penetration testing tool (fortify) reports exploitable http header injection issues with HttpResponse.Redirect and coo...

Help me understand rails authentication w/r/t assets, like swfs.

I am a rails noob. I am having a problem conceptualizing how assets work in an authenticated system. All of the tutorials I've seen so far talk about putting your swfs in the public folder and embedding them in your view. However, the swf I'm using is a flex gui that should only be used by users logged-in through restful-authentication....

Confusion with services and certificates with an anonymous client

I've set up a WCF service that is using transport security over netTcpBinding. The certificate used for the service's security is signed by a CA we created for development. Can someone explain how it works that my anonymous client can connect and communicate with the service without having that same CA installed locally? I'm rather new...

Implementing secure, unique "single-use" activation URLs in ASP.NET (C#)

Hi, I have a scenario in which users of a site I am building need the ability to enter some basic information into a web form without having to log on. The site is being developed with ASP.NET/C# and is using MSSQL 2005 for its relational data. The users will be sent an email from the site, providing them a unique link to enter the speci...

AntiSpam measures on websites

What anti-spam measures should I consider before launching my user content website? Some things I have considered: a silent JavaScript-based captcha on the register page (I do not have an implementation); validating emails by forcing a confirmation link/number; allowing X amount of comments per 10 mins and Y per 2 hours (I am considering excited...

Anyone know of a free XSS penetration testing tool?

I am looking for... a spider/automated tool that will find all input fields and query strings, then insert potential XSS discoveries, and that reports any XSS vulnerabilities found ...