Search Results

Search found 41 results on 2 pages for 'owasp'.

Page 1/2 | 1 2  | Next Page >

  • OWASP Regex Repository: Is this regex correct?

    - by Jacco
    I was looking at the regular expression for validating various data types from the (OWASP Regex Repository). One of the regular expressions in there is called safetext and looks like: ^[a-zA-Z0-9\s.\-]+$ My first question is: Is this regular expression correct? complementary question If this Regex Repository any good at all?

    Read the article

  • Interesting links week #24 and #25

    - by erwin21
    Below a list of interesting links that I found this week: Interaction: Design Usability and All About It Frontend: CSS Lint – CSS Cleaning Tool 10 HTML Entity Crimes You Really Shouldn’t Commit Development: OWASP Top 10 for .NET developers part 7: Insecure Cryptographic Storage C#/.NET Fundamentals: Choosing the Right Collection Class Mobile: Tips to Design a Website for Mobile Marketing: 30 (New) Google Ranking Factors You May Over- or Underestimate Other: 5 Little-Known Web Files That Can Enhance Your Website Interested in more interesting links follow me at twitter http://twitter.com/erwingriekspoor

    Read the article

  • CSRF (Cross-site request forgery) attack example and prevention in PHP

    - by Saif Bechan
    I have an website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on the website, and someone gives them a link like this: http://mysite.com/vote/30 then the vote will be places for him on the item without him wanting to do this. I have read the explanation on the OWASP website, but i don't really understand it Is this an example of CSFR, and how can I prevent this. The best thing i can think off is adding something to the link like a hash. But this will be quite irritating to put something on the end of all the links. Is there no other way of doing this. Another thing can someone maybe give me some other example of this, because the website seems fairly fugue to me.

    Read the article

  • How do you protect against specific CSRF attack

    - by Saif Bechan
    I am going trough the OWASP Top 10 list of 2007 and 2010. I stumbled upon Cross Site Request Forgery (CSRF) this is often called session riding as you let the user usee his session to fulfill your wishes. Now a solution to this is adding a token to every url and this token is checked for every link. For example to vote on product x the url would be: 'http://mysite.com?token=HVBKJNKL' This looks like a solid solution to because a hacker can not guess the token. But I was thinking of the following scenario(I do not know if it is possible): You create a website with an hidden iFrame or div. After that you can load my website in it either using just the normal iFrame or ajax. When you have my website loaded hidden inside your website, and the user has a stored session, the following can be done. You can retrieve the token from the URLS, and still do all the actions needed. Is it possible to do something like this. Or is it not possible to do this cross domain.

    Read the article

  • SQL Injection Protection for dynamic queries

    - by jbugeja
    The typical controls against SQL injection flaws are to use bind variables (cfqueryparam tag), validation of string data and to turn to stored procedures for the actual SQL layer. This is all fine and I agree, however what if the site is a legacy one and it features a lot of dynamic queries. Then, rewriting all the queries is a herculean task and it requires an extensive period of regression and performance testing. I was thinking of using a dynamic SQL filter and calling it prior to calling cfquery for the actual execution. I found one filter in CFLib.org (http://www.cflib.org/udf/sqlSafe): <cfscript> /** * Cleans string of potential sql injection. * * @param string String to modify. (Required) * @return Returns a string. * @author Bryan Murphy ([email protected]) * @version 1, May 26, 2005 */ function metaguardSQLSafe(string) { var sqlList = "-- ,'"; var replacementList = "#chr(38)##chr(35)##chr(52)##chr(53)##chr(59)##chr(38)##chr(35)##chr(52)##chr(53)##chr(59)# , #chr(38)##chr(35)##chr(51)##chr(57)##chr(59)#"; return trim(replaceList( string , sqlList , replacementList )); } </cfscript> This seems to be quite a simple filter and I would like to know if there are ways to improve it or to come up with a better solution?

    Read the article

  • Secure Coding Practices in .NET

    - by SoftwareSecurity
    Thanks to everyone who helped pack the room at the Fox Valley Day of .NET.   This presentation was designed to help developers understand why secure coding is important, what areas to focus on and additional resources.  You can find the slides here. Remember to understand what you are really trying to protect within your application.  This needs to be a conversation between the application owner, developer and architect.  Understand what data (or Asset) needs to be protected.  This could be passwords, credit cards, Social Security Numbers.   This also may be business specific information like business confidential data etc.  Performing a Risk and Privacy Assessment & Threat Model on your applications even in a small way can help you organize this process. These are the areas to pay attention to when coding: Authentication & Authorization Logging & Auditing Event Handling Session and State Management Encryption Links requested Slides Books The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software Threat Modeling Writing Secure Code The Web Application Hackers Handbook  Secure Programming with Static Analysis   Other Resources: OWASP OWASP Top 10 OWASP WebScarab OWASP WebGoat Internet Storm Center Web Application Security Consortium Events: OWASP AppSec 2011 in Minneapolis

    Read the article

  • Website Vulnerabilities

    - by Ben Griswold
    The folks at the Open Web Application Security Project publish a list of the top 10 vulnerabilities. In a recent CodeBrew I provided a quick overview of them all and spent a good amount of time focusing on the most prevalent vulnerability, Cross Site Scripting (XSS).  I gave an overview of XSS, stepped through a quick demo (sorry vulnerable site), reviewed the three XSS variations and talked a bit about how to protect one’s site.  References and reading materials were also included in the presentation and, look at that, they are provided here too. Open Web Application Security Project The OWASP Top Ten Vulnerabilities (pdf) OWASP List of Vulnerabilities The 56 Geeks Project by Scott Johnson ha.ckers.org OWASP XSS Prevention Cheat Sheet Wikipedia Is XSS Solvable?, Don Ankney The Anatomy of Cross Site Scripting, Gavin Zuchlinski

    Read the article

  • Application Logging needs work

    Application Logging Application logging is the act of logging events that occur within an application much like how a court report documents what happens in court case. Application logs can be useful for several reasons, but the most common use for logs is to recreate steps to find the root cause of applications errors. Other uses can include the detection of Fraud, verification of user activity, or provide audits on user/data interactions. “Logs can contain different kinds of data. The selection of the data used is normally affected by the motivation leading to the logging. “ (OWASP, 2009) OWASP also stats that logging include applicable debugging information like the event date time, responsible process, and a description of the event. “There are many reasons why a logging system is a necessary part of delivering a distributed application. One of the most important is the ability to track exactly how many users are using the application during different time periods.” (Hatton, 2000) Hatton also states that application logging helps system designers determine whether parts of an application aren't being used as designed. He implies that low usage can be used to identify if users like or do not like aspects of a system based on user usage of the application. This enables application designers to extract why users don't like aspects of an application so that changes can be made to increase its usefulness and effectiveness. “Logging memory usage can also assist you in tuning up the internals of your application. If you're experiencing a randomly occurring problem, being able to match activities performed with the memory status at the time may enable you to discover the cause of the problem. It also gives you a good indication of the health of the distributed server machine at the time any activity is performed. “ (Hatton, 2000) Commonly Logged Application Events (Defined by OWASP) Access of Data Creation of Data Modification of Data in any form Administrative Functions  Configuration Changes Debugging Information(Application Events)  Authorization Attempts  Data Deletion Network Communication  Authentication Events  Errors/Exceptions Application Error Logging The functionality associated with application error logging is actually the combination of proper error handling and applications logging.  If we look back at Figure 4 and Figure 5, these code examples allow developers to handle various types of errors that occur within the life cycle of an application’s execution. Application logging can be applied within the Catch section of the TryCatch statement allowing for the errors to be logged when they occur. By placing the logging within the Catch section specific error details can be accessed that help identify the source of the error, the path to the error, what caused the error and definition of the error that occurred. This can then be logged and reviewed at a later date in order recreate the error that was received based data found in the application log. By allowing applications to log errors developers IT staff can use them to recreate errors that are encountered by end-users or other dependent systems.

    Read the article

  • Common vulnerabilities for WinForms applications

    - by David Stratton
    I'm not sure if this is on-topic or not here, but it's so specific to .NET WinForms that I believe it makes more sense here than at the Security stackexchange site. (Also, it's related strictly to secure coding, and I think it's as on-topic as any question asking about common website vulnerabiitles that I see all over the site.) For years, our team has been doing threat modeling on Website projects. Part of our template includes the OWASP Top 10 plus other well-known vulnerabilities, so that when we're doing threat modeling, we always make sure that we have a documented process to addressing each of those common vulnerabilities. Example: SQL Injection (Owasp A-1) Standard Practice Use Stored Parameterized Procedures where feasible for access to data where possible Use Parameterized Queries if Stored Procedures are not feasible. (Using a 3rd party DB that we can't modify) Escape single quotes only when the above options are not feasible Database permissions must be designed with least-privilege principle By default, users/groups have no access While developing, document the access needed to each object (Table/View/Stored Procedure) and the business need for access. [snip] At any rate, we used the OWASP Top 10 as the starting point for commonly known vulnerabilities specific to websites. (Finally to the question) On rare occasions, we develop WinForms or Windows Service applications when a web app doesn't meet the needs. I'm wondering if there is an equivalent list of commonly known security vulnerabilities for WinForms apps. Off the top of my head, I can think of a few.... SQL Injection is still a concern Buffer Overflow is normally prevented by the CLR, but is more possible if using non-managed code mixed in with managed code .NET code can be decompiled, so storing sensitive info in code, as opposed to encrypted in the app.config... Is there such a list, or even several versions of such a list, from which we can borrow to create our own? If so, where can I find it? I haven't been able to find it, but if there is one, it would be a great help to us, and also other WinForms developers.

    Read the article

  • What advantages does mod_evasive have over mod_security2 in terms of DDOS protection?

    - by Martynas Sušinskas
    Good day, I'm running an Apache2 server in front of a Tomcat and I need to implement a DDOS protection mechanism on the Apache2 layer. I have two candidates: mod_evasive and mod_security2 with the OWASP core rule set. Mod_security is already installed for overall protection, but the question is: is it worth adding mod_evasive besides mod_security just for the DDOS (does it have any major advantages) or the OWASP crs rules in the /experimental_rules/ directory (modsecurity_crs_11_dos_protection.conf) provide the same protection? Or it's just a matter of preference? The sites are not very high traffic normally. Thank you for your answers, Martynas

    Read the article

  • Is using GET with a tokenID for security a good idea?

    - by acidzombie24
    I was thinking about this and it appears POST only a little less vulnerable and somewhat harder (do to requiring the user to click something). I read about token ids and double submitted cookies and i am not sure what the difference is http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Double_Submit_Cookies Right now i have the user id (PK in my table) and a session id so you cant simply change your cookie ID and act like someone else. Now it seems like i put the session id as a token in each of my forms and check them bc attackers cant guess these tokens. However i dislike the idea of putting the session id into the page for ppl to see. But really, is there a problem with that? short of having the user copy/pasting the html is there any attacks that can happen due to the session id being in plain view in html?

    Read the article

  • A New Threat To Web Applications: Connection String Parameter Pollution (CSPP)

    - by eric.maurice
    Hi, this is Shaomin Wang. I am a security analyst in Oracle's Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Connection String Parameter Pollution (CSPP). Earlier this year, at the Black Hat DC 2010 Conference, two Spanish security researchers, Jose Palazon and Chema Alonso, unveiled a new class of security vulnerabilities, which target insecure dynamic connections between web applications and databases. The attack called Connection String Parameter Pollution (CSPP) exploits specifically the semicolon delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). In today's blog, we are going to first look at what connection strings are and then review the different ways connection string injections can be leveraged by malicious hackers. We will then discuss how CSPP differs from traditional connection string injection, and the measures organizations can take to prevent this kind of attacks. In web applications, a connection string is a set of values that specifies information to connect to backend data repositories, in most cases, databases. The connection string is passed to a provider or driver to initiate a connection. Vendors or manufacturers write their own providers for different databases. Since there are many different providers and each provider has multiple ways to make a connection, there are many different ways to write a connection string. Here are some examples of connection strings from Oracle Data Provider for .Net/ODP.Net: Oracle Data Provider for .Net / ODP.Net; Manufacturer: Oracle; Type: .NET Framework Class Library: - Using TNS Data Source = orcl; User ID = myUsername; Password = myPassword; - Using integrated security Data Source = orcl; Integrated Security = SSPI; - Using the Easy Connect Naming Method Data Source = username/password@//myserver:1521/my.server.com - Specifying Pooling parameters Data Source=myOracleDB; User Id=myUsername; Password=myPassword; Min Pool Size=10; Connection Lifetime=120; Connection Timeout=60; Incr Pool Size=5; Decr Pool Size=2; There are many variations of the connection strings, but the majority of connection strings are key value pairs delimited by semicolons. Attacks on connection strings are not new (see for example, this SANS White Paper on Securing SQL Connection String). Connection strings are vulnerable to injection attacks when dynamic string concatenation is used to build connection strings based on user input. When the user input is not validated or filtered, and malicious text or characters are not properly escaped, an attacker can potentially access sensitive data or resources. For a number of years now, vendors, including Oracle, have created connection string builder class tools to help developers generate valid connection strings and potentially prevent this kind of vulnerability. Unfortunately, not all application developers use these utilities because they are not aware of the danger posed by this kind of attacks. So how are Connection String parameter Pollution (CSPP) attacks different from traditional Connection String Injection attacks? First, let's look at what parameter pollution attacks are. Parameter pollution is a technique, which typically involves appending repeating parameters to the request strings to attack the receiving end. Much of the public attention around parameter pollution was initiated as a result of a presentation on HTTP Parameter Pollution attacks by Stefano Di Paola and Luca Carettoni delivered at the 2009 Appsec OWASP Conference in Poland. In HTTP Parameter Pollution attacks, an attacker submits additional parameters in HTTP GET/POST to a web application, and if these parameters have the same name as an existing parameter, the web application may react in different ways depends on how the web application and web server deal with multiple parameters with the same name. When applied to connections strings, the rule for the majority of database providers is the "last one wins" algorithm. If a KEYWORD=VALUE pair occurs more than once in the connection string, the value associated with the LAST occurrence is used. This opens the door to some serious attacks. By way of example, in a web application, a user enters username and password; a subsequent connection string is generated to connect to the back end database. Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; In the password field, if the attacker enters "xxx; Integrated Security = true", the connection string becomes, Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; Intergrated Security = true; Under the "last one wins" principle, the web application will then try to connect to the database using the operating system account under which the application is running to bypass normal authentication. CSPP poses serious risks for unprepared organizations. It can be particularly dangerous if an Enterprise Systems Management web front-end is compromised, because attackers can then gain access to control panels to configure databases, systems accounts, etc. Fortunately, organizations can take steps to prevent this kind of attacks. CSPP falls into the Injection category of attacks like Cross Site Scripting or SQL Injection, which are made possible when inputs from users are not properly escaped or sanitized. Escaping is a technique used to ensure that characters (mostly from user inputs) are treated as data, not as characters, that is relevant to the interpreter's parser. Software developers need to become aware of the danger of these attacks and learn about the defenses mechanism they need to introduce in their code. As well, software vendors need to provide templates or classes to facilitate coding and eliminate developers' guesswork for protecting against such vulnerabilities. Oracle has introduced the OracleConnectionStringBuilder class in Oracle Data Provider for .NET. Using this class, developers can employ a configuration file to provide the connection string and/or dynamically set the values through key/value pairs. It makes creating connection strings less error-prone and easier to manager, and ultimately using the OracleConnectionStringBuilder class provides better security against injection into connection strings. For More Information: - The OracleConnectionStringBuilder is located at http://download.oracle.com/docs/cd/B28359_01/win.111/b28375/OracleConnectionStringBuilderClass.htm - Oracle has developed a publicly available course on preventing SQL Injections. The Server Technologies Curriculum course "Defending Against SQL Injection Attacks!" is located at http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm - The OWASP web site also provides a number of useful resources. It is located at http://www.owasp.org/index.php/Main_Page

    Read the article

  • Efficient way to secure tomcat database connections

    - by Greymeister
    Our customer has a problem with database information in plaintext within a server.xml or context.xml file on the Tomcat server. I've looked at several sites like OWASP and it seems like there's no obvious solution. I've also seen things like this wordpress blog which describe implementing a custom Tomcat extension to do this. There must exist some standard implementation(s) already without having to roll your own. Does anyone have experience with such a solution?

    Read the article

  • Checking for cross-site scripting vulnerabilities in Perl web applications

    - by David Scholefield
    I'm putting together some notes for a dev team on how to write secure Perl code - especially taking into account the current OWASP top 10 web application vulnerabilities. For cross-site scripting I've included information on ensuring that all output to the browser is checked and escaped where necessary, but I'm looking for more automated mechanisms that would mean a developer doesn't have to think about every output statement and, potentially, miss one. Perl's 'taint' function sounds like it should be a help because it distrusts all user input, but it doesn't complain on tainted data being output to the browser. Apart from checking all output statements individually (probably by calling a generic sanitizing function) does anyone have any ideas on how Perl can help with this with existing libraries or techniques?

    Read the article

  • How should I practice web server administration?

    - by Astyanax
    Security students can practice their skills with software like OWASP's webgoat or something similar to "hackthissite". Students interested in Operating Systems can study MINIX and PintOS, write shell scripts or study POSIX system calls. What would be the best course of action in order to practice Server Administration? Is there any such software/resource available, teaching you such skills with small lessons, or it is totally up to you? I've practiced live FreeBSD server administration and management of VMs (CentOS, Gentoo, Debian) under VirtualBox, but I always feel that this isn't enough and I must push myself harder. So, what would you recommend? What has worked for you?

    Read the article

  • Is there a .NET equivalent of WebGoat

    - by PJB
    Looking at this question the OWASP WebGoat project looks like a great way to learn about web security. Although the principles will equally to .NET applications I would prefer to use .NET based application. Does anybody know of a suitable .NET alternative?

    Read the article

  • DevDays ‘00 The Netherlands day #2

    - by erwin21
    Day 2 of DevDays 2010 and again 5 interesting sessions at the World Forum in The Hague. The first session of the today in the big world forum theater was from Scott Hanselman, he gives a lap around .NET 4.0. In his way of presenting he talked about all kind of new features of .NET 4.0 like MEF, threading, parallel processing, changes and additions to the CLR and DLR, WPF and all new language features of .NET 4.0. After a small break it was ready for session 2 from Scott Allen about Tips, Tricks and Optimizations of LINQ. He talked about lazy and deferred executions, the difference between IQueryable and IEnumerable and the two flavors of LINQ syntax. The lunch was again very good prepared and delicious, but after that it was time for session 3 Web Vulnerabilities and Exploits from Alex Thissen. This was no normal session but more like a workshop, we decided what kind of subjects we discussed, the subjects where OWASP, XSS and other injections, validation, encoding. He gave some handy tips and tricks how to prevent such attacks. Session 4 was about the new features of C# 4.0 from Alex van Beek. He talked about Optional- en Named Parameters, Generic Co- en Contra Variance, Dynamic keyword and COM Interop features. He showed how to use them but also when not to use them. The last session of today and also the last session of DevDays 2010 was about WCF Best Practices from Gerben van Loon. He talked about 7 best practices that you must know when you are going to use WCF. With some quick demos he showed the problem and the solution for some common issues. It where two interesting days and next year i sure will be attending again.

    Read the article

  • Is browser and bot whitelisting a practical approach?

    - by Sn3akyP3t3
    With blacklisting it takes plenty of time to monitor events to uncover undesirable behavior and then taking corrective action. I would like to avoid that daily drudgery if possible. I'm thinking whitelisting would be the answer, but I'm unsure if that is a wise approach due to the nature of deny all, allow only a few. Eventually someone out there will be blocked unintentionally is my fear. Even so, whitelisting would also block plenty of undesired traffic to pay per use items such as the Google Custom Search API as well as preserve bandwidth and my sanity. I'm not running Apache, but the idea would be the same I'm assuming. I would essentially be depending on the User Agent identifier to determine who is allowed to visit. I've tried to take into account for accessibility because some web browsers are more geared for those with disabilities although I'm not aware of any specific ones at the moment. The need to not depend on whitelisting alone to keep the site away from harm is fully understood. Other means to protect the site still need to be in place. I intend to have a honeypot, checkbox CAPTCHA, use of OWASP ESAPI, and blacklisting previous known bad IP addresses.

    Read the article

  • CodePlex Daily Summary for Tuesday, April 20, 2010

    CodePlex Daily Summary for Tuesday, April 20, 2010New ProjectsASP.NET MVC Extensibility: ASP.NET MVC Extensibility.ASP.NET MVC Starter: Tekpub's ASP.NET MVC 2.0 Starter Site, as put together by Rob Conery in Episode 15 of Mastering ASP.NET MVC (http://tekpub.com/production/starter)AzureDemo: An internal Azure demo and test bed for some projects. After demo is complete this project will be closed.Basic Sprite Sheet Creator: A basic c# program to create sprite sheets. CodeDefender: Protect your .Net codes easily with this smart obfuscator!Crawlr: Tema 2 projectDocument Session Manager - Visual Studio addin: Document Session Manager is a Visual Studio 2008 addin for saving and restoring the list of opened documents (xml files, source files, winforms, et...Esferatec.Text.RegularExpressions: assembly to build regular expression patternsFIFA World Cup 2010 Mobile Sticker Checklist: FIFA World Cup 2010 Mobile Sticker Checklist is a small application for Windows Mobile developed in CF 3.5 to keep tracking of your sticker album. ...Finia.net: 追忆 游乐网·幻之大地FusspawnsAI: Fusspawns UT AI is a small test engine for a classic ut remote bot api. intending to improve ut's ai to a god like level without cheating bots(bots...G.A.E.T.: This is a Graphical Asymmetric Encryption Tool based on R.S.A. algorithm with the help of Java Language.Even though, this may be a small applicatio...ItzyBitzySpider: Webcrawler project from computer science at UCN.JingQiao.Ads: My DDD NTier Architecture example project.Managed Meizu SDK Demo: In this project we are sharing the source code to demonstrate the usage of managed SDK for Meizu cell phones, currently for M8. With the help of th...MaxxUtils.MaxxTagger: MaxxTagger: An Mp3 Tag Editor.. Add /Edit/Remove MP3 ID3 V1 and 2.3 Tags like Title, Artist, Album, Album Art, Genre. Besides tag editing, it also ...Maya Project Management: The Maya Project Management is a clone of RedMine with all its functions and plug-in support, using the following technologies: Microsoft .net Fra...MessageBoxLib: A simple, robust library for Xbox 360 and Windows development using the XNA Game Studio that makes using the Guide class's message box functionalit...MyWSAT - ASP.NET Membership Administration Tool: MyWSAT aka ASP.NET WSAT is a WebForms based website Starter Kit for the ASP.NET Membership Provider. It is a feature rich application that takes ca...OntologyCreator: this is my thesis and it is not finished yetPOS for .Net Handheld Products Service Object: POS for .Net Service Object Handheld Products Bar Code ScannerPostBinder: PostBinder is a small helper library that deserializes ASP.NET requests into C# classes. This eliminates having to write repeated hand wiring co...PostSharp for ASP.NET Web Sites: Adds support for PostSharp 2.0 on ASP.NET Web Sites.Rapid Dictionary: * Rapid Dictionary is a Translation Dictionary initialized by language learning network http://wordsteps.com. * Dictionary developed in C# and Co...ROrganizer: If you feel your movie files are kept in messy way, try out the ROrganizer which helps you rearrange them.RoRoWoBlog: 萝萝窝个人博客开源项目SPGroupDeflector - Explicitly deny groups to webs within your Site Collection: Secure webs within your MOSS or WSS Portal by explicitly denying access to specific users in SharePoint groups.SSIS ShapeFileSource: SSIS ShapeFileSource imports ESRI Shapefiles, and the associated attribute file (.dbf). The component based on the free Shapefile C Library.StoreManagement: University assignment. The task is to build an application that can perform basic CRUD operations on a property and use an arbitrary database. ...Surfium: TODO ;-)TaskCleaner: This is a Windows Forms project created to kill some running process in order to enhace the performance of Windows execution. Sometimes it is desi...The Expert Calendar: The Expert Calendar is a MOSS 2007 webpart which allows to connect to a Event Item List and display event items in a small design customizable cale...Visual Studio Find Results Window Tweak: This is a Visual Studio 2010 add-in which enables you to adjust the format of the Find Results Window. It is written in C#, .NET 4.0 and requires ...Weightlifting Sinclair coeficient calculator: Weightlifting Sinclair coeficient calculator for competitors (for Windows Mobile platform)Windows Azure Web Storage Explorer: Windows Azure Web Storage Explorer makes it easier for developers to browse and manage Blobs, Queues and Tables from Windows Azure Storage account....New Releases#SNMP - C# Based Open Source SNMP for .NET and Mono: CatPaw (5.0) Beta 1: SNMP v3 support in snmpd is complete.ASP.Net MVC Crud with JqGrid: Mvc Crud with JqGrid 0.3.0: Fairly major reworking of the GenericDataGrid (with alot of work from James). Most noticeable is the replacing of Edit and Delete with action butt...Basic Sprite Sheet Creator: Sprite Tool v1.1: Fixed the progress bar, it now correctly displays text and progress. Also download will now come with an installer and an executable so you don't h...Basic Sprite Sheet Creator: Sprite Tool Version 1.0: Program used to make basic sprite sheets. please visit http://coderplex.blogspot.com for more infoBraintree Client Library: Braintree-1.2.1: Escape all XMLCodeDefender: CodeDefender v0.1: Protect your .Net exe and dll files with this smart tool.ColinTesting: test: testColinTesting: test2: test2ColinTesting: test3: test3ColinTesting: test4: test4ColinTesting: test6: test6CycleMania Starter Kit EAP - ASP.NET 4 Problem - Design - Solution: Cyclemania 0.08.63: See Source Code tab for recent change history.Document Session Manager - Visual Studio addin: Release v0.45948: Release v0.45948DotNetNuke® Community Edition: 05.04.00: Major Highlights Fixed issue where portal settings were not saved per portal. Fixed issue with importing page templates. Fixed issue with...DotNetNuke® Postgres Data Provider: DNN PG Provider 01.00.00 Beta2: Fixes problems with deprecated datatype money in Postgres. Upgrades DotnetNuke code base to 04.09.05 It comes with a patch for the DotNetNuke insta...FIFA World Cup 2010 Mobile Sticker Checklist: FIFA World Cup 2010 Mobile Sticker Checklist v0.1b: FIFA World Cup 2010 Mobile Sticker Checklist v0.1b First beta release. Requires Microsoft Compact Framework 3.5. It was tested on an HTC Touch Viva...FIFA World Cup 2010 Mobile Sticker Checklist: FIFA World Cup 2010 Mobile Sticker Checklist v0.2b: FIFA World Cup 2010 Mobile Sticker Checklist v0.2b Second beta release. Requires Microsoft Compact Framework 3.5. It was tested on an HTC Touch Viv...Fluent Ribbon Control Suite: Fluent Ribbon Control Suite 1.2: Fluent Ribbon Control Suite 1.2(supports .NET 3.5 and .NET 4 RTM) Includes: Fluent.dll (with .pdb and .xml) Showcase Application Samples Found...G.A.E.T.: Graphical Asymmetric Encryption Tool: User Interface The GAET User Interface is a window with five buttons. Each button is explained the following sections. Each button has a functional...HTML Ruby: 6.21.7: As long as I don't find anything else that I can improve, this will be submitted to Mozilla for review tomorrow. Added back process inserted conten...IBCSharp: IBCSharp 1.03: What IBCSharp 1.03.zip unzips to: http://i43.tinypic.com/24ffbqr.png Note: The above solution has MSTest, Typemock Isolator, and Microsoft CHESS c...LogikBug's IoC Container: Second Release: This project is dependent upon Microsoft.Practices.ServiceLocation and must be referenced when referencing LogikBug.Injection. Click here to view d...Managed Meizu SDK Demo: Library and Demo: Library and DemoMaxxUtils.MaxxTagger: MaxxUtils.MaxxTagger: Version: 1.0.0 (Beta) Instructions: Unzip the files to a folder and then dbl click on the exe. Known Issues: 1. When u copy or move a folde...OrthoLab: Cellule: Compile with Autodesk Maya 2008 32bit and 2010 64bit.OWASP Code Crawler: OWASP Code Crawler 2.7: Code Crawler 2.7 DescriptionIn terms of functionality there is not much new stuff in this release. We transplanted the new engine. Code Crawler is ...PerceptiveMCAPI - A .NET wrapper for the MailChimp Api: V1.2.3 PerceptiveMCAPI .Net Wrapper [Beta 2]: PerceptiveMCAPI – v 1.2.3 Change logFunctionality through MailChimp API announce v1.2.5 on 15-Feb-2010 .NET Wrapper New wrapper directives; api_Me...POS for .Net Handheld Products Service Object: POS for .Net Handhelp Products Service Object: The Service Object contained herein is a work in progress. This Service Object's is written as VS 2008 C# Project. The Target Platform is x86. ...PostSharp for ASP.NET Web Sites: R1: First release.Rich Ajax empowered Web/Cloud Applications: 6.4 beta 2c: A revisiov to the first fully featured version of Visual webGui offering web/cloud development tool that puts all ASP.NET Ajax limits behind with e...Should: Beta - 1.0: This is the initial release of the Should assertions extensions.Shrinkr: v1.0: First public release.Site Directory for SharePoint 2010 (from Microsoft Consulting Services, UK): v1.2: Address a bug found in v1.1 relating to the Delete Site Listings job not incrementing the 'Site Missing Count' for some SharePoint sites.Software Localization Tool: SharpSLT 1.0: New functions Backup before saving Delete entries Undo deletion Added more comments in the codeSPGroupDeflector - Explicitly deny groups to webs within your Site Collection: SPGroupDeflector: Download the source code, the wsp solution package, and Setup.docSSIS ShapeFileSource: Version 0.1: Short Preview of SSIS ShapeFileSource ComponentStarter Kit Mytrip.Mvc.Entity: Mytrip.Mvc.Entity 1.0: Warning Install MySql Connector/Net 6.3 MySQL Membership MSSQL Membership XML Membership UserManager FileManager Localization Captcha ...Surfium: Linux Expo Prebuild: First public releaseTaskCleaner: Initial Working Version: In this version we have all the features listed in the project description working fine. Built under Framework 3.5.Text to HTML: 0.4.5.0: CambiosSustitución de los siguientes caracteres: Anteriores: " < > ¡ © º ¿ Á Ä É Í Ñ Ó Ö Ú Ü ß á ä é í ñ ó ö ú ü € Nuevos: & ´ ≈ ¦ • ¸ ˆ ↓ ð … ∫ ...TS3QueryLib.Net: TS3QueryLib.Net Version 0.21.16.0: This release contains a bugfix for a bug that caused connection problems when connecting using an IP for some cases. So it's strongly recommended t...Tweety - Twitter Client: Tweety - 0.96: Form activation from system tray improved. General fixes. General code refactor.Web/Cloud Applications Development Framework | Visual WebGui: 6.4 Beta 2c: A revision to the first fully featured version of Visual webGui offering unique developer/designer interface and enhanced extensibility and customi...Windows Azure - PHP contributions: PhpAzureExtensions (Azure Drives) - 0.2.0: Extension for use with Windows Azure SDK 1.1! Breaking changes! Documentation can be found at http://phpazurecontrib.codeplex.com/wikipage?title=A...WoW Character Viewer: Viewer (40545): New setup build for 40545.Xrns2XMod: Xrns2XMod 0.0.5.3: Major Source code optimization: >> Separated logical code of xm/mod conversion from renoiseSong xml. Now all necessary renoise song data code is st...XsltDb - DotNetNuke XSLT module: 01.00.99: callable tag is introduced - create javascript ajax functions more easy import/export bug is fixed mdo:ajax checkbox processing is now the same...Most Popular ProjectsRawrWBFS ManagerSilverlight ToolkitAJAX Control ToolkitMicrosoft SQL Server Product Samples: DatabaseWindows Presentation Foundation (WPF)ASP.NETpatterns & practices – Enterprise LibraryPHPExcelMicrosoft SQL Server Community & SamplesMost Active ProjectsRawrpatterns & practices – Enterprise LibraryIndustrial DashboardIonics Isapi Rewrite FilterFarseer Physics EngineBlogEngine.NETPHPExcelCaliburn: An Application Framework for WPF and SilverlightNB_Store - Free DotNetNuke Ecommerce Catalog ModuleTweetSharp

    Read the article

  • Preventing LDAP injection

    - by Matias
    I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After woking a while on that I noticed that the user could be able to alter the LDAP query by injecting malicious code. I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc. I thought that escaping equals and semicolons would be enough, but not sure. Here is a little piece of code so I can make clearer the question: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); Obviously I do need to sanitize $userName, as stated in this OWASP ARTICLE

    Read the article

  • Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?

    - by jmcd
    We've just had some Penetration Testing carried out on an application we've built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the Form could be resubmitted multiple times and did not expire after a single use. According to the OWASP recommendations around the Synchronizer Token Pattern: "In general, developers need only generate this token once for the current session." Which is how I think the ASP.NET MVC AntiForgeryToken works. In case we have to fight the battle, is it possible to cause the AntiForgeryToken to regenerate a new value after each validation?

    Read the article

  • Is there anyway to make a Rails / Rack application tell the web server to drop the connection

    - by dasil003
    There are many security reasons why one would want to drop an HTTP connection with no response (eg. OWASP's SSL best practices). When these can be detected at the server level then it's no big deal. However, what if you can only detect this condition at the application level? Does Rails, or more generally Rack, have any standard way of telling the server to drop the connection without a response? If not, are there some standard headers to pass in that will accomplish that in common web servers (I'm thinking Nginx or Apache)? Even if there is not a standard header is there a reasonable way to configure that behavior? Is this a fool's errand?

    Read the article

1 2  | Next Page >