Search Results

Search found 13196 results on 528 pages for 'security audit'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 108/528 | < Previous Page | 104 105 106 107 108 109 110 111 112 113 114 115  | Next Page >

  • Is Rails default CSRF protection insecure

    - by schickb
    By default the form post CSRF protection in Rails creates an authenticity token for a user that only changes when the user's session changes. One of our customers did a security audit of our site and flagged that as an issue. The auditor's statement was that if we also had a XSS vulnerability that an attacker could grab another user's authenticity token and make use of it for CSRF attacks until the user's session expired. But is seems to me that if we had an XSS vulnerability like that an attacker could just as easily grab another user's session cookie and login as that user directly. Or even just make call to our REST Api as the user being attacked. No secondary CSRF attack needed. Have I missed something? Is there a real problem with the default CSRF protection in Rails?

    Read the article

  • AD User Passwords expiring without any notifications?

    - by scooter133
    We setup password Policies in Active Directory to Expire peoples passwords after so many days. Well it looks like the time has come for the Expiration of the Passwords and people are getting locked out... There has been no warning of user passwords about to expire. They just come in to work and they cannot log in, the phones no longer connect, nothing. Reset the password and all is good. Some of the users are locked out, though most are not, they just cannot log in. On setting the password Expiration, I didn't see anything about nor warning the users of the impending expiration. Seems like it used to warn you 15 days or so before it would expire. Clients range from: WinXP, WinVista, Win7 and Server 2008R2 Remote Desktop Services. How can I make sure my users are warned of the Expiration? Resultant Set of Policy for User that was not prompted: Account Policies/Password Policy Policy Setting Winning GPO Enforce password history 10 passwords remembered Default Domain Policy Maximum password age 270 days Default Domain Policy Minimum password age 0 days Default Domain Policy Minimum password length 4 characters Default Domain Policy Password must meet complexity requirements Disabled Default Domain Policy Store passwords using reversible encryption Disabled Default Domain Policy Account Policies/Account Lockout Policy Policy Setting Winning GPO Account lockout duration 20 minutes Default Domain Policy Account lockout threshold 5 invalid logon attempts Default Domain Policy Reset account lockout counter after 15 minutes Default Domain Policy Local Policies/Audit Policy Policy Setting Winning GPO Audit account logon events Failure Default Domain Policy Audit account management Success, Failure Default Domain Policy Audit directory service access Success, Failure Default Domain Policy Audit logon events Failure Default Domain Policy Audit policy change Success, Failure Default Domain Policy Audit privilege use Failure Default Domain Policy Local Policies/Security Options Interactive Logon Policy Setting Winning GPO Interactive logon: Prompt user to change password before expiration 7 days Default Domain Policy

    Read the article

  • Authenticated WCF: Getting the Current Security Context

    - by bradhe
    I have the following scenario: I have various user's data stored in my database. This data was entered via a web app. We'd like to expose this data back to the user over a web service so that they can integrate their data with their applications. We would also like to expose some business logic over these services. As such we do not want to use OData. This is a multi-tenant application so I only want to expose their data back to them and not other users. Likewise, the business logic we expose should be relative to the authenticated user. I would like let the user use an OASIS scheme to authenticate with the web service -- WCF already allows for this out of the box as far as I understand -- or perhaps we can issue them certificates to authenticate with. That bit hasn't really been worked out yet. Here is a bit of pseudo-code of how I envision this would work within the service: function GetUsersData(id) var user := Lookup User based on Username from Auth Context var data := Get Data From Repository based on "user" return data end function For the business logic scenario I think it would look something like this: function PerformBusinessLogic(someData) var user := Lookup User based on Username from Auth Context var returnValue := Perform some logic based on supplied data return returnValue end function The hard bit here is getting the current username (or cert info in the cert scenario) that the user authenticated with! Does WCF even enable this scenario? If not would WSE3 enable this? Thanks,

    Read the article

  • Public ASPXAUTH cookie and security

    - by Bara
    Due to a bug in Flash, I have to use the ASPXAuth cookie to log a user in on a page that a flash upload script calls after upload. See this page for more information: http://geekswithblogs.net/apopovsky/archive/2009/05/06/working-around-flash-cookie-bug-in-asp.net-mvc.aspx I have to make the ASPXAUTH string "public" in the sense that it will be in the HTML of the page. My question is, how secure is this? I understand that anyone that can get to the string in the HTML can probably get to it from the cookie just as easily, but let's say someone does have this ASPXAUTH string. Is it possible that they can login as another user using this cookie? Would they be able to decrypt it? Bara

    Read the article

  • PHP URL Security Question

    - by TaG
    I want to have users store the url in my database I'm using php mysql and htmlpurifier I was wondering if the following code was good way to filter out bad data? Here is the Partial PHP code. $url = mysqli_real_escape_string($mysqli, $purifier->purify(htmlspecialchars(strip_tags($_POST['url'])));

    Read the article

  • Paypal IPN security

    - by keithics
    Hello! I am developing a website which will allow users to pay via Paypal. Paypal IPN seems to be easy to integrate and it works on my localhost. Now the problem is that, the amount and the business name are passed to paypal using POST Data. I know it's very dangerous to put it that way, but I am not sure what are the alternatives. How can I make Paypal IPN secure?

    Read the article

  • Facebook Flash app security?

    - by mhdouglas
    I'm developing a Facebook app implemented in Flash, and I'd like to authenticate communication between my app and my server. In other words, I'd like to guarantee that all communication with my server is coming from my app, which has been launched from within facebook by a valid facebook user. Does the Facebook actionscript API support this type of operation? Or am I on my own?

    Read the article

  • False sense of security with `snprintf_s`

    - by xtofl
    MSVC's "secure" sprintf funcions have a template version that 'knows' the size of the target buffer. However, this code happily paints 567890 over the stack after the end of bytes... char bytes[5]; _snprintf_s( bytes, _TRUNCATE, "%s", "1234567890" ); Any idea what I do wrong, or is this a known bug? (I'm working in VS2005 - didn't test in 2008 or 2010)

    Read the article

  • What fields have job security?

    - by computergeek6
    I can program pretty well, and I'm trying to think of a programming area that I can practice so I have a better chance of getting a job when I finish my education. I'm currently learning game development, but there are a ton of other people trying to get into game dev, so I want to find something a little more secure and sustainable to develop skills in. I've thought of things like financial systems and engineering stuff, but nothing I can think of is accessible to someone in high school. I'm trying to find something that involves physics or networking and isn't as popular a field as game dev. Does anyone have any ideas?

    Read the article

  • Coldbox Security Interceptor

    - by faheem
    Hi I am new to coldbox and working on a guestbook messaging forum. does anyone know how I can apply some rule in coldbox to show edit and delete for specified users of admin or user in the edit page. I am not sure how to specify this as I already have my rules here as shown in securityRules.xml: SecurityRules.XML <?xml version="1.0" encoding="UTF-8"?> <!-- Declare as many rule elements as you want, order is important Remember that the securelist can contain a list of regular expression if you want ex: All events in the user handler user\..* ex: All events .* ex: All events that start with admin ^admin If you are not using regular expression, just write the text that can be found in an event. <whitelist>ehSecurity\.dspLogin,ehSecurity\.doLogin,ehSecurity\.dspLogoff</whitelist> --> <rules> <rule> <whitelist>^entries,ehSecurity\..*,registry\..*</whitelist> <securelist></securelist> <roles>admin</roles> <permissions>read,write</permissions> <redirect>ehSecurity.dspLogin</redirect> </rule> <rule> <whitelist>^entries,ehSecurity\..*,main\..*,^registry</whitelist> <securelist></securelist> <roles>author,admin</roles> <permissions>read</permissions> <redirect>ehSecurity.dspLogin</redirect> </rule> </rules>

    Read the article

  • Google Chrome showing javascript security error

    - by Clint
    I need help resolving this Google Chrome Error..."Uncaught Error: SECURITY_ERR: DOM Exception 18" Here is the code. //Get Cookie function get_cookie (cookie_name) { var results = document.cookie.match ( '(^|;) ?' + cookie_name + '=([^;]*)(;|$)' ); if (results) return ( unescape ( results[2] ) ); else return null; }; Many thanks, C

    Read the article

  • IIS reveals internal IP address in content-location field - fix

    - by saille
    Referring: http://support.microsoft.com/kb/q218180/, there is a known issue in IIS4/5/6 whereby it will reveal the internal IP of a web server in the content-location field of the HTTP header. We have IIS 6. I have tried the fix suggested, but it has not worked. The website is configured to send all requests to ASP.NET, and I am wondering if this is why the fix, which addresses IIS configuration, has not worked for us. If this is the case, how would we fix this in ASP.NET? We need to fix this issue in order to pass a security audit.

    Read the article

  • XML security in world wide web

    - by nikky
    Hi, Im a newbie in XML and i have some questions Can XML be used in stead of normal database (store data in a tuple and column) in website? XML is built to share information easier (from my understanding) such as can share cross platform and in different language used so Is it secure to store secure data in XML? thank you so much

    Read the article

  • Security issue using Nant

    - by Diego C.
    I need to store authentication information and I rather not have the password in plain text: <property name="user" value="theUser"/> <property name="password" value="secret"/> Has anyone figured out a way to encrypt property values in Nant? I've looked in Nant and Nantcontrib docs but no mention of encryption. I am considering going the route of creating my own Nant Task. Any suggestions?

    Read the article

  • Are there cross-platform tools to write XSS attacks directly to the database?

    - by Joachim Sauer
    I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications. I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development). Is anyone aware of a similar tool? Preferably it should be: cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok) open source (I really like being able to audit my security tools) able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)

    Read the article

  • .NET ORM and Security

    - by Sphynx
    We're going to use an ORM tool with a .NET desktop application. The tool allows creation of persistent classes. It generates all database tables automatically. In addition to other data, our system needs to store user credentials, and deliver access control. The question is, is there any possibility of access control by means of ORM, without creating the database authentication mechanisms manually? Is there any product on the market which allows this? We thought of limiting the access in the program itself, but users can easily access the database directly, and bypass the program limitations. Thanks.

    Read the article

  • IE6 https security message appearing after closing jQuery colorbox overlay

    - by RyanP13
    I am working on a secure site, https. I am using the colorbox jquery plugin to iframe another page from the same site over the current content. In IE6 when i close the colorbox overlay i get the following message: "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" Any ideas why this is happening? Can it be prevented? Assume i would have to make the whole site http rather than https but this is not possible as we have online payments.

    Read the article

  • Stream post URL security and wall post links

    - by Jeff Lee
    Our app's mobile client can create wall post links to our app's web-facing pages. Since this happens in the context of a mobile app, we do this on behalf of our user using the Graph API's feed/message endpoint. I noticed that the links showing up in the wall posts are being routed through our app's auth dialog, which is NOT what we want. We just want transparent links, without forcing the client to auth our app, similar to what happens when you share to FB in Path. I went ahead and disabled the "Stream post URL option" several hours ago, but we still seem to be getting the re-routed links for wall posts. The target URLs for these links are within the domain we've registered for our Facebook app. Is there anything else I need to do fix this?

    Read the article

  • code access security

    - by rkrauter
    Why do I need to Demand permission? Why can't it simply fail (commenting out the .Demand() call)? ref: http://support.microsoft.com/kb/315529 Thanks! try { // Demand the permission to access the C:\Temp folder. permFileIO.Demand(); resultText.Append("The demand for permission to access the C:\\Temp folder succeeded.\n\n"); }

    Read the article

  • Security & Authentication: SSL vs SASL

    - by 4herpsand7derpsago
    My understanding is that SSL combines an encryption algorithm (like AES, DES, etc.) with akey exchange method (like Diffier-Hellman) to provide secure encryption and identification services between two endpoints on an un-secure network (like the Internet). My understanding is that SASL is an MD5/Kerberos protocol that pretty much does the same thing. So my question: what are the pros/cons to choosing both and what scenarios make both more preferable? Basically, I'm looking for a guidelines to follow when choosing SSL or to go with SASL instead. Thanks in advance!

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 104 105 106 107 108 109 110 111 112 113 114 115  | Next Page >