Search Results

Search found 417 results on 17 pages for 'malicious'.

Page 12/17 | < Previous Page | 8 9 10 11 12 13 14 15 16 17  | Next Page >

• Running custom Javascript on every page in Mozilla Firefox

  - by saturn

  I have a custom piece of Javascript which I would like to run on every web page from specific domains, or perhaps simply on every web page. (If you are wondering: it is not malicious. It allows to display formulas by using MathJax.) Is that possible? I tried including it in userContent.css, that of course did not work. A simple Greasemonkey script I tried did not insert it. Is it because of the security precautions? (Which would be very logical). Still, there should be a way to do it on the machine I physically control, by changing something in Mozilla chrome directory, shouldn't it? Anyway, how can I do this for myself?

  Read the article

• Security precautions and techniques for a User-submitted Code Demo Area

  - by Jack W-H

  Hey folks Maybe this isn't really feasible. But basically, I've been developing a snippet-sharing website and I would like it to have a 'live demo area'. For example, you're browsing some snippets and click the Demo button. A new window pops up which executes the web code. I understand there are a gazillion security risks involved in doing this - XSS, tags, nasty malware/drive by downloads, pr0n, etc. etc. etc. The community would be able to flag submissions that are blatantly naughty but obviously some would go undetected (and, in many cases, someone would have to fall victim to discover whatever nasty thing was submitted). So I need to know: What should I do - security wise - to make sure that users can submit code, but that nothing malicious can be run - or executed offsite, etc? For your information my site is powered by PHP using CodeIgniter. Jack

  Read the article

• How do I protect myself?

  - by ved

  I was poking around at my work computer this evening and was looking at my timesheets. I noticed that all my timesheets had variables in the URLs and I could figure out the numbering scheme for the pages. Then I got a little curious about SQL injection and thought of trying out adding simple SQL injections like "OR 1=1" etc. to see how protected we really were with our timesheet info. One of these strings yielded a friendly error page saying that an error email was sent to the developer. I am concerned that my ID, and request will be seen by the developer , immediately recognized as SQL injection and will be reported to network security officer as a malicious attempt by an employee to hack the timesheet dB. what is my defense? I am really worried.

  Read the article

• How can I monitor if a cookie is being sent to a domain other than the one it originated from?

  - by Brendan Salt

  I am trying to write a program that will verify that all cookies sent out from the machine are in fact going to the domain they came from. This is part of a larger security project to detect cookie based malicious attacks (such as XSS). The main snag for this project is actually detecting the out-going cookies. Can someone point me in the right direction for monitoring out-going HTTP traffic for cookie information? Other information about the project: This is a windows application written in C and numerous scripting languages. Thanks so much for the help.

  Read the article

• Displaying untrusted HTML using PHP

  - by esryl

  I have a read a number of excellent questions and answers today about dealing with user input. I am now using htmlspecialchars() to display user data in the create/edit forms (but accepting the raw input via prepared PDO statements into my database). The main question I know have is, what do you do when you are allowing the user to submit HTML which will then be displayed to the public. Obviously htmlspecialchars() is no longer suitable as it just encodes the tags and renders the content useless for purpose. My application is currently accepting HTML from an admin for product descriptions. This would allow a malicious admin to inject potentially unsafe data into public facing pages. How do people cope with this?

  Read the article

• What is the most EVIL code you have ever seen in a production enterprise environment?

  - by Registered User

  What is the most evil or dangerous code fragment you have ever seen in a production environment at a company? I've never encountered production code that I would consider to be deliberately malicious and evil, so I'm quite curious to see what others have found. The most dangerous code I have ever seen was a stored procedure two linked-servers away from our core production database server. The stored procedure accepted any NVARCHAR(8000) parameter and executed the parameter on the target production server via an double-jump sp_executeSQL command. That is to say, the sp_executeSQL command executed another sp_executeSQL command in order to jump two linked servers. Oh, and the linked server account had sysadmin rights on the target production server.

  Read the article

• Plugin architecture in .net: unloading

  - by henchman

  Hello everybody, I need to implement a plugin architecture within c#/.net in order to load custom user defined actions data type handling code for a custom data grid / conversion / ... from non-static linked assembly files. Because the application has to handle many custom user defined actions, Iam in need for unloading them once executed in order to reduce memory usage. I found several good articles about plugin architectures, eg: ExtensionManager PluginArchitecture ... but none of them gave me enough sausage for properly unloading an assembly. As the program is to be distributed and the user defined actions are (as the name states) user defined: how to i prevent the assembly from executing malicious code (eg. closing my progra, deleting files)? Are there any other pitfalls one of you has encountered?

  Read the article

• Securing Plugin Data in WordPress From Access by Other Plugins?

  - by farinspace

  There probably is some solution to this, whether it involves code running on just the wordpress installation or a combination of a wordpress installation and a master server I am not sure yet, but please remember not to have tunnel vision and consider any and all possible solutions: The scenario is this: A WordPress plugin (plugin-A) that manages some sort of valuable data (something that the admin would not want stolen), lets say, lead data with user's name and email addresses, the plugin uses its own db tables. Other than the obvious (which is the admin installing plugin-B, not knowing its malicious intent), what is to prevent another WordPress plugin (plugin-B) from accessing plugin-A data or hacking plugin-A files to circumvent security.

  Read the article

• Best approach to create a security environment in Java

  - by Tom Brito

  I need to create a desktop application that will run third party code, and I need to avoid the third party code from export by any way (web, clipboard, file io) informations from the application. Somethig like: public class MyClass { private String protectedData; public void doThirdPartyTask() { String unprotedtedData = unprotect(protectedData); ThirdPartyClass.doTask(unprotectedData); } private String unprotect(String data) { // ... } } class ThirdPartyClass { public static void doTask(String unprotectedData) { // Do task using unprotected data. // Malicious code may try to externalize the data. } } I'm reading about SecurityManager and AccessControler, but I'm still not sure what's the best approach to handle this. What should I read about to do this implementation?

  Read the article

• Downloaded chm is blocked, is there a solution?

  - by David Rutten

  CHM files that are downloaded are often tagged as potentially malicious by Windows, which effectively blocks all the html pages inside of it. There's an easy fix (just unblock the file after you download it), but I was wondering if there's a better way to provide unblocked chm files. What if I were to download the chm file (as a byte stream) from our server inside the application, then write all the data to a file on the disk. Would it still be blocked? Is there another/better way still?

  Read the article

• How to release a simple program

  - by Zenya

  What is the best practice for releasing a simple software? Suppose I created a very small simple and useful program or a tool and would like to share it with everyone by uploading it to my web-site. Do I need a license and which one? (I read http://www.gnu.org/ and http://www.fsf.org/ but still cannot decide - there are too many of them.) Do I need to put somewhere a copyright and what is the basic principles of creating "Copyright" string? How can I make a user, who is going to download and install my program, to believe that my program doesn't contain viruses or a malicious code?

  Read the article

• align WMD editor's preview HTML with server-side HTML validation (e.g. no embedded javascript)

  - by Justin Grant

  There are many SO questions (e.g. here and here) about how to do server-side scrubbing of Markdown produced by the WMD editor to ensure the HTML generated doesn't contain malicious script, like this: <img onload="alert('haha');" src="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png" /> This doesn't affect the WMD client's preview box. I doubt this is a big deal since if you're scrubbing the HTML on the server, an attacker can't save the bad HTML so no one else will be able to see it later and have their cookies stolen or sessions hijacked by the bad script. But it's still kinda odd to allow an attacker to run any script in the context of your site, and it's probably a bad idea to allow the client preview window to allow different HTML than your server will allow. StackOverflow has clearly plugged this hole. How did they do it? [NOTE: I already figured this out but it required some tricky javascript debugging, so I'm answering my own question here to help others who may want to do ths same thing]

  Read the article

• Question regarding Ajax Hacking

  - by Vincent

  All, I have a PHP website written in Zend Framework and MVC. Most of the controller actions check if the request is an Ajax request or not, else they redirect the user to home page. I am thinking about various ways to break that site. I am considering the following scenario: A user creates his own PHP project on his Local machine. User writes a JQuery ajax post request to one of the controllers on my site and tries to post malicious info. Ex: $.ajax({ type: 'POST', url: "https://marketsite/getinfo/getstuff", cache: false, dataType: "html", success: function(html_response){ alert(html_response); }, error: function(xhr,ajaxOptions,errorThrown){ alert(errorThrown); } }); My Question is does "url" attribute in the ajax request above take absolute path? I know it takes relative path. Also, is it possible to break any site by sending such requests? Thanks

  Read the article

• Facebook javascript in address bar, possible to replicate?

  - by DoMx

  This is my first experience with stackoverflow and I'm afraid my question asks of a lot for a first. I was looking at this thread: http://stackoverflow.com/questions/2634159/javascrypt-in-the-adress-bar-is-this-malicious and as you will see SLaks has very kindly deobfuscated the javascript and left us with what appears as the Javascript behind the automatic facebook invite code. As I'm fairly new to javascript, I was wondering, what other components were needed to get this code to work? You of course have the functions there and they are called by the obfuscated javascript but how exactly? Would it be possible to replicate this on a page of my own using the information available or is there more to this script I am missing? I am willing to financially assist somebody who could compile a solution for me. Thank you in advance.

  Read the article

• can I prohibit users from loading swf files by AS3 / Flash Loader.load() and only allow loading imag

  - by EndangeringSpecies

  I want to have an AS3 app load images from url supplied by the user. But I don't want a malicious user to be able to load an SWF file in place of the image, such as with an altered extension "maliciousSwf.png". Well, not sure how big a security threat that is above and beyond the ability of the hacker to decompile swf, but I think that ideally such behavior should not be allowed. So, is there any way to prevent this? When people allow users to load images in their Flash apps, do they somehow guard against loading of SWF? Or is this really absolutely no big deal?

  Read the article

• Validating/Allowing YouTube Embed Code

  - by mellowsoon

  Hi, hopefully this is a simple question. I have a simple custom forum on my site written in PHP. For security reasons I don't allow any HTML in the forum posts. I only allow certain BBCode tags. I would however like to allow embedded YouTube videos. So my question is this: What's the best (most secure) way to validate the YouTube embed code? YouTube is currently using iframes to embed videos, but obviously I can't just allow the iframe tag. I also need to ensure the src of the iframe is a YouTube URL, and ensure there's no other malicious bits of code in the iframe code.

  Read the article

• How to escape/strip special characters in the LaTeX document?

  - by Igor

  We implemented the online service where it is possible to generate PDF with predefined structure. User can choose a LaTeX template and then compile it with an appropriate inputs. The question we worry about is the security, that the malicious user was not able to gain shell access through the injection of special instruction into latex document. We need some workaround for this or at least a list of special characters that we should strip from the input data. Preferred language would be PHP, but any suggestions, constructions and links are very welcomed. PS. in few word we're looking form mysql_real_escape_string for LaTeX

  Read the article

• Why I have to call 'exit' after redirection through header('Location..') in PHP?

  - by Nicolò Martini

  You know that if you want to redirect an user in PHP you can use the header function: header('Location: http://smowhere.com'); It is also well known that it is a good practice to put also an exit; after the header call, to prevent execution of other php code. So my question is: could the code after the header-location call be effectively executed? In which cases? Can a malicious user be able to completely ignore the header('Location..') call? How?

  Read the article

• How prevent anyone from stealing my shared_ptr?

  - by Kyle

  So, I use boost::shared_ptr for all the various reference-counting benefits it provides -- reference counting for starters, obviously, but also the ability to copy, assign, and therefore store in STL Containers. The problem is, if I pass it to just one "malicious" function or object, the object can save the ptr and then I'll never be able to de-allocate it without the foreign function or object nicely relinquishing its ownership. Ultimately, I try to keep object ownership explicit. I accomplish this by having the owner keep the only shared_ptr to the object, and "guest" objects only store weak_ptrs to the object. I really don't want the "shared" part of shared_ptr, but I'm required to use shared_ptr in order to make weak_ptrs. I want to use scoped_ptr, but it's extremely limited since you can't copy it. You can't store it in a container, you can't lend out weak_ptrs from it, and you can't transfer ownership to a new manager. What's the solution?

  Read the article

• Structure of open source project's repository

  - by hokkaido

  I'm in the beginning of starting a small open source project. When cloning the main repository one gets a complete build environment with all the libraries and all the tools needed to make an official installer file, with correct version numbers. I like the fact that anyone who wants to contribute can clone the repository and get started with anything they want. But I'm thinking this makes it to easy for Evil People to create malicious installers and release into the wild. How should it be structured? What do you recommend including in the repository, versus keeping on the build server only?

  Read the article

• How do I validate that my the openid.op_endpoint when a request is completed.

  - by Sam Saffron

  I have an Open ID based authentication system on my site. Occasionally users will have an account registered under [email protected] and they will attempt to login using the google open id provider https://www.google.com/accounts/o8/id, in this case I would like to automatically associate the account and log them in. When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id. My question: Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious openid provider? For illustration, lets say someone types in http://evil.org as their openid provider, can I somehow end up getting a request back that claims openid.op_endpoint is google? Do I need to store extra information against the nonce to validate? The spec is kind of tricky to understand

  Read the article

• How to make sure no scripts except those under my own domain, can include the db connection file?

  - by Jack

  I would like to ensure that any scripts that are trying to "include" my database connection file are located under my own domain. I don't want a hacker to include the database connection file to their malicious script and gain access to my database that way. My connection file's name is pretty easy to guess, it's called "connect.php". So without renaming it and taking the security through obscurity route, how can I protect it by making sure all connection requests are made by scripts residing under my own domain name? How can this be checked using PHP?

  Read the article

• Malware on a client's website - Ideas?

  - by Jeriko

  We recently got a call from one of our clients, complaining that their site has some "strange looking code" at the bottom of the page. We checked out the source code, and discovered that about 800 bytes of malicious javascript code had been appended to the templates/master file, after the </html> tag. I won't post said code because it looked particularly nasty. As far as I can tell, there would be no way for this file to be edited in any way, unless someone had direct access to the server and/or FTP login details. The actual file itself has been modified, so that rules out any kind of SQL attack. Besides a person physically gaining credentials and hand-modifying this file, would there be any other logical explaination for what happened? Has anyone else had experience with something like this happening?

  Read the article

• Using user editable image URL in application. Security issues.

  - by sharas

  Hi there. I am writing an application where users are required to show their photo, however as my server resources are very limited I can not let them upload it to the server. So I have three major questions: 1. How to properly validate photo URL? At least I can validate with regexp, however I need to check for file ending: `validates_format_of :photo_url, :with => URI::regexp(%w(http https))` 2. Security issues? XSS? Even I validate the picture at the moment of creation, hacker can replace image with malicious stuff anytime. 3. Maybe there are free asset stores with API?

  Read the article

• How can I cut down on this spam, and what is the point of it anyway?

  - by Steven

  I run a small, niche personal ads site. People post ads and then other people reply to them, which sends an email to the original creator of the ad telling them that someone is interested and giving them contact information for that interested person. Lately there's been some weird spam. People are receiving nonsense replies to their ads. Here is an example of one: Name: xkauwvyr Reply: vRYmbI <a href="http://rypmoxdkfblf.com/">rypmoxdkfblf</a>, url=http://pnjlwvhizwbq.com/]pnjlwvhizwbq[/url], [link=http://hmenwoujxrfv.com/]hmenwoujxrfv[/link], http://ogsekuhoyeud.com/ They vary in length and composition but they all look roughly like that. The first idea I had was to simply throw out any reply that contained the string " Also, is this spam just some ass playing a trick on my website, or is it something more malicious?

  Read the article

< Previous Page | 8 9 10 11 12 13 14 15 16 17  | Next Page >