Search Results

Search found 497 results on 20 pages for 'xss prevention'.


  • ASP.NET MVC Application In Action - I (DailyJournal)

    - by Rajesh Pillai
    It's been long due; I was planning to write an article on creating some useful ASP.NET MVC application. I have code named it "DailyJournal". It's a simple application which allows creation of multiple activities and assigning tasks to these activities. It's kind of "Yet another Task/Todo application". The credentials which you can use with the attached demo application are shown below.

        User Name : admin
        Password : admin123

    Framework/Libraries Used
    - ASP.NET MVC
    - jQuery + jQuery UI (for ajax and UI)
    - ELMAH for Error logging

    Warning Ahead
    This is just a rough draft and so I am putting down some of the known limitations. Some points of warning before we move further with this application: this is just an early prototype. As such many of the design principles have been ignored. But I try to cover that up in the next update once I get my head around this.

    The application in its current state supports the following features:
    - Create users
    - Assign Activities to users
    - Assign tasks to activities
    - Assign a status to a task

    The user creation/authentication is being done by the default Membership provider. Most of the activities are highly visual, i.e. you can drag-drop tasks to different areas, edit task details in place and so on.

    The following are the current issues with the design which I promise to refactor in the second version:
    - No Validations
    - Fat Controller
    - XSS/CSS vulnerable
    - No Service model/abstraction yet. For the demo LINQ to SQL is implemented.
    - No separation of layers
    - UI Design et al...

    This is just an extract. For source code and more information proceed to http://www.codeproject.com/KB/aspnet/mvcinaction.aspx Hope you like this!


  • Is browser fingerprinting a viable technique for identifying anonymous users?

    - by SMrF
    Is browser fingerprinting a sufficient method for uniquely identifying anonymous users? What if you incorporate biometric data like mouse gestures or typing patterns? The other day I ran into the Panopticlick experiment EFF is running on browser fingerprints. Of course I immediately thought of the privacy repercussions and how it could be used for evil. But on the other hand, this could be used for great good and, at the very least, it's a tempting problem to work on. While researching the topic I found a few companies using browser fingerprinting to attack fraud. And after sending out a few emails I can confirm at least one major dating site is using browser fingerprinting as but one mechanism to detect fake accounts. (Note: They have found it's not unique enough to act as an identity when scaling up to millions of users. But, my programmer brain doesn't want to believe them). Here is one company using browser fingerprints for fraud detection and prevention: http://www.bluecava.com/ Here is a pretty comprehensive list of stuff you can use as unique identifiers in a browser: http://browserspy.dk/


  • Demo on Data Guard Protection From Lost-Write Corruption

    - by Rene Kundersma
    Today I received the news that a new demo has been made available on OTN for Data Guard protection from lost-write corruption. Since this is a typical MAA solution and a very nice demo, I decided to mention this great feature also in this blog, even though it has been a recommended best practice for some time. When lost writes occur, an I/O subsystem acknowledges the completion of the block write even though the write I/O did not occur in the persistent storage. On a subsequent block read on the primary database, the I/O subsystem returns the stale version of the data block, which might be used to update other blocks of the database, thereby corrupting it. Lost writes can occur after an OS or storage device driver failure, faulty host bus adapters, disk controller failures and volume manager errors. In the demo a data block lost write occurs when an I/O subsystem acknowledges the completion of the block write, while in fact the write did not occur in the persistent storage. When a primary database lost write corruption is detected by a Data Guard physical standby database, Redo Apply (MRP) will stop and the standby will signal an ORA-752 error to explicitly indicate a primary lost write has occurred (preventing corruption from spreading to the standby database).

    Links:
    - MOS note 1302539.1, "Best Practices for Corruption Detection, Prevention, and Automatic Repair - in a Data Guard Configuration"
    - Demo
    - MAA Best Practices

    Rene Kundersma


  • Experience the Oracle Support Stars Bar

    - by Oracle OpenWorld Blog Team
    By Gina Wolf. Don't miss the opportunity to meet with the stars of Oracle Support, live and in person at the Moscone West Level 2 lobby. Ask our experts your toughest questions about the Oracle hardware, software, and engineered systems you use to run your business. Explore new Oracle Support innovations including Oracle Platinum Services, My Oracle Support Mobile, and the Oracle Enterprise Manager Ops Center Everywhere program. Learn the latest best practices for problem prevention, rapid resolution, and product upgrades. In addition, discover how Oracle Advanced Customer Support Services can help you maximize the performance of all mission-critical Oracle systems. Come meet the stars behind your support: our trusted experts are ready to assist! The Oracle Support Stars Bar at the Moscone West Level 2 lobby is open all conference week at the following times:
    - Sunday, September 30, 12:00 p.m. – 4:00 p.m.
    - Monday, October 1, 10:00 a.m. – 6:00 p.m.
    - Tuesday, October 2, 10:00 a.m. – 6:00 p.m.
    - Wednesday, October 3, 9:00 a.m. – 5:00 p.m.
    - Thursday, October 4, 9:00 a.m. – 1:00 p.m.

    Attend one or more of the 27 Oracle Customer Support Services sessions during Oracle OpenWorld to learn how Oracle Support enables you to gain maximum value from your Oracle hardware and software investments.


  • Restful Java based web services in json + html5 and javascript no templates (jsp/jsf/freemarker) aka fat/thick client

    - by Ismail Marmoush
    I have this idea of building a website which serves JSON data through a RESTful services framework, and will not use any template engines like jsp/jsf/freemarker. Just pure HTML5 and JavaScript libs. What do you think of the pros and cons of such a design? Just for elaboration and brainstorming, a friend of mine argued with the following concerns:
    - sounds like GWT
    - this way you won't have any control over your service API; for example say you wanna charge the user per request, how will you handle it?
    - how will you control your design and themes?
    - what about the 1st request the browser makes? not easy with this
    - all of the user's requests will come with "Accept" header "application/json", how will you separate browser from abuser?
    - this way all of your public APIs will be used by third party apps abusively and you won't be able to lock it, since you won't be able to block the normal user browser
    - we won't use compiled HTML anyway, but maybe something like freemarker, and in that case you won't expose any of your JSON resources to the unauthorized user, but you will expose all the HTML since any browser can access them
    - all the well known 1st class services do this; can you send me links to what you've read?
    - keep in mind the DOM based XSS, it will be a nightmare ofc, if what you say is applicable.


  • Disaster Recovery Example

    Previously, I used to work for a small internet company that sells dental plans online. Our primary focus concerning disaster prevention and recovery is on our corporate website and private intranet site. We had a multiphase disaster recovery plan that includes data redundancy, load balancing, and off-site monitoring. Data redundancy is a key aspect of our disaster recovery plan. The first phase of this is to replicate our data to multiple database servers and schedule daily backups of the databases that are stored off site. The next phase is the file replication of data amongst our web servers that are also backed up daily by our colocation provider. In addition to the files located on the server, files are also stored locally on development machines, and again backed up using version control software. Load balancing is another key aspect of our disaster recovery plan. Load balancing offers many benefits for our system: better performance, load distribution and increased availability. With our servers behind a load balancer our system has the ability to accept multiple requests simultaneously because the load is split between multiple servers. Plus, if one server is slow or experiencing a failure, the traffic is diverted amongst the other servers connected to the load balancer, allowing the server to get back online. The final key to our disaster recovery plan is off-site monitoring that notifies all IT staff of any outages or errors on the main website encountered by the monitor. Messages are sent by email, voicemail, and SMS. According to Disasterrecovery.org, disaster recovery planning is the way companies successfully manage crises with minimal cost and effort and maximum speed, compared to others that are forced to make decisions out of desperation when disasters occur.

    In addition, SunGard stated in 2009 that the first step in disaster recovery planning is to analyze company risks and factor in fixed costs for things like hardware, software, staffing and utilities, as well as indirect costs, such as floor space, power protection, physical and information security, and management. Also, availability requirements need to be determined per application and system, as well as the strategies for recovery.


  • Massive 404 attack with non existent URLs. How to prevent this?

    - by tattvamasi
    The problem is a whole load of 404 errors, as reported by Google Webmaster Tools, with pages and queries that have never been there. One of them is viewtopic.php, and I've also noticed a scary number of attempts to check if the site is a WordPress site (wp_admin) and for the cPanel login. I block TRACE already, and the server is equipped with some defense against scanning/hacking. However, this doesn't seem to stop. The referrer is, according to Google Webmaster, totally.me. I have looked for a solution to stop this, because it certainly isn't good for the poor real actual users, let alone the SEO concerns. I am using the Perishable Press mini black list (found here), a standard referrer blocker (for porn, herbal, casino sites), and even some software to protect the site (XSS blocking, SQL injection, etc). The server is using other measures as well, so one would assume that the site is safe (hopefully), but it isn't ending. Does anybody else have the same problem, or am I the only one seeing this? Is it what I think, i.e., some sort of attack? Is there a way to fix it, or better, prevent this useless resource waste?

    EDIT: I've never used the question to thank for the answers, and hope this can be done. Thank you all for your insightful replies, which helped me to find my way out of this. I have followed everyone's suggestions and implemented the following:
    - a honeypot
    - a script that listens for suspect URLs in the 404 page and sends me an email with user agent/IP, while returning a standard 404 header
    - a script that rewards legitimate users, in the same 404 custom page, in case they end up clicking on one of those URLs.

    In less than 24 hours I have been able to isolate some suspect IPs, all listed in Spamhaus. All the IPs logged so far belong to spam VPS hosting companies. Thank you all again, I would have accepted all answers if I could.

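    What the fix described above amounts to is a small detector: look only at 404s, separate paths that nothing but a scanner would request (wp-login.php, xmlrpc.php, viewtopic.php, the cPanel login) from ordinary broken links, and act on the clients that keep hitting them. The block below is an added example written by the editor; it is not code from the question or from any of its answers. It runs that logic over a few constructed access-log lines in the Apache/nginx "combined" format. The probe-pattern list is an illustrative subset, not an authoritative one, and the threshold of three distinct probe paths per client is an assumption.

```javascript
// Added example (the editor's, not code from the question or its answers): a 404-based
// scanner detector. Log lines are constructed; the probe list is an illustrative subset.

const PROBE_PATTERNS = [
  /\/wp-(admin|login\.php|content|includes)/i, /\/xmlrpc\.php/i,
  /\/viewtopic\.php/i, /\/administrator\//i, /\/(cpanel|whm)\b/i,
  /phpmyadmin|\/pma\//i, /\/\.env$/i, /\/\.git\//i, /\/cgi-bin\//i,
  /\/(shell|c99|r57)\.php/i,
];

// "combined" format: ip - - [time] "METHOD path HTTP/x" status size "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;                                   // not a combined-format line
  return { ip: m[1], time: m[2], method: m[3], path: m[4],
           status: Number(m[5]), referer: m[6], agent: m[7] };
}

// A path only a scanner would ask for on a site that never had it.
function isProbe(path) {
  return PROBE_PATTERNS.some((re) => re.test(path));
}

// Group 404s per client. A client becomes a scanner once it has requested at least
// `threshold` distinct probe paths; a single stale link from a referrer never qualifies.
function detectScanners(lines, threshold = 3) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.status !== 404) continue;                // only missing pages matter here
    const entry = perIp.get(r.ip) || { probes: new Set(), other: 0, agents: new Set() };
    if (isProbe(r.path)) entry.probes.add(r.path); else entry.other += 1;
    entry.agents.add(r.agent);
    perIp.set(r.ip, entry);
  }
  const scanners = [];
  for (const [ip, e] of perIp) {
    if (e.probes.size >= threshold) {
      scanners.push({ ip, probes: [...e.probes].sort(), agents: [...e.agents] });
    }
  }
  return scanners.sort((a, b) => a.ip.localeCompare(b.ip));
}

// Constructed sample: one scanner, one real visitor following a dead link, one single probe.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2010:13:55:37 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2010:13:55:38 +0000] "GET /viewtopic.php?f=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2010:13:55:39 +0000] "GET /cpanel HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Oct/2010:14:01:02 +0000] "GET /old-page.html HTTP/1.1" 404 209 "http://totally.me/" "Mozilla/5.0 (Windows NT 6.1)"',
  '198.51.100.4 - - [10/Oct/2010:14:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
  '192.0.2.9 - - [10/Oct/2010:14:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 209 "-" "python-requests/2.0"',
];
```

    detectScanners(SAMPLE_LOG) flags only 203.0.113.7; the visitor who followed a stale totally.me referrer to one missing page is left alone, and the single wp-admin probe from 192.0.2.9 stays below the threshold until it repeats. On a real server feed it the output of something like `grep ' 404 ' access.log`, and route the flagged addresses to the email/honeypot step from the question rather than blocking on the first hit.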

  • Should this be written in C or php?

    - by user1867842
    This is my code; it speaks for itself on what I'm trying to do.

        <?php
        define("html", "<html>");
        define("htmlEnd", "</html>");
        // etc... etc...
        ?>

    What I'm trying to do is make a wrapper for HTML's tags so they won't be needed anymore. But I can't get any of the attributes for HTML elements to be defined in PHP. This again speaks for itself; I don't know any other way of saying this. I guess how would I make another mark-up language like HTML without any tags but still keep everything about HTML is what I'm trying to say. My idea is for preventing XSS. For example, creating a special framework for the website itself, that way there is no way any malicious attacker can guess, because they know the HTML or PHP. I just don't want to make my website or something, and then my website gets hacked. Or if I make a website for someone and the website gets hacked. I am going to look like an unprofessional web developer. And what if I never get a job again?

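    The post above tries to hide HTML tags behind PHP constants. The security-relevant point is that XSS does not come from an attacker knowing your tag names; it comes from untrusted data being written into a page in a context where the browser interprets it. The added example below is the editor's own, not the poster's code and not from any framework. It shows the alternative in JavaScript: a tagged template that HTML-encodes every interpolated value by default (the same encode-by-default idea as the Steve Sanderson helper mentioned in the ASP.NET MVC post further down this page), plus a scheme check for URL attributes, which encoding alone does not cover. The same two rules apply to the pure-JavaScript client discussed in the REST/JSON post above, where the "DOM based XSS" worry is exactly a JSON string reaching innerHTML unencoded. The `html` tag, the `raw` marker, `safeUrl`, `renderProfile` and the `attacker` record are assumptions made for the example.

```javascript
// Added example (the editor's, not the poster's code and not from any framework):
// context-aware output encoding instead of hiding tags behind constants.

// Escape the five characters that matter in HTML text and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marker for fragments the caller has already made safe (e.g. output of a sanitizer).
class SafeHtml {
  constructor(s) { this.value = s; }
  toString() { return this.value; }
}
const raw = (s) => new SafeHtml(s);

// Tagged template: literal parts are trusted, every interpolation is escaped unless it
// was wrapped in raw(). The result is itself SafeHtml, so templates nest safely.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    out += (v instanceof SafeHtml ? v.value : escapeHtml(v)) + strings[i + 1];
  }
  return raw(out);
}

// URL attributes need a scheme allow-list on top of escaping: escaping does nothing
// against href="javascript:alert(1)". Unknown schemes and //other-host collapse to "#".
function safeUrl(url) {
  const s = String(url).trim();
  return /^(https?:|mailto:|\/(?!\/)|#)/i.test(s) ? s : '#';
}

// Demo view: attacker-controlled fields land in text, attribute and URL contexts.
function renderProfile(user) {
  return html`<div class="profile">
  <h1>${user.name}</h1>
  <a href="${safeUrl(user.site)}" title="${user.name}">home</a>
  ${raw('<p class="trusted">static fragment from the application, not from the user</p>')}
</div>`.toString();
}

// Constructed hostile input for the example.
const attacker = { name: '<img src=x onerror=alert(1)>', site: 'javascript:alert(1)' };
```

    With this in place the markup never has to be secret: renderProfile(attacker) emits the name as `&lt;img src=x onerror=alert(1)&gt;` and the link as `href="#"`, and the only way to get live HTML into the page is to ask for it explicitly with raw().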

  • Good quality Secure Software Development Training [closed]

    - by Patrick
    Just had my annual appraisal and found out my company is willing to pay for training and exams etc! Woohoo (they kept that one quiet). I'm interested in doing a course on secure development techniques. Has anyone got any suggestions for good quality distance learning courses in secure development (I could probably get a couple of days off to attend a conference/course if required)? We're mostly an MS .Net house but I have no particular allegiance to MS or any other programming language (though, obviously, C++ is the best language in the world). I have 12 years development experience working in (what are now) PCI DSS environments, including designing and developing a key management system, and I have some knowledge of basic attacks (XSS, injection etc). I would prefer a hard course I struggle with to a basic course I learn 3 things from (but hopefully get something right at my level). A quick google found these two courses which look good:
    http://www.sans.org/course/secure-coding-net-developing-defensible-applications
    https://www.isc2.org/csslpedu/default.aspx
    I don't really know how to choose between them, and finding other courses isn't going to make that job any easier, so I thought I'd ask those who know.

    EDIT: Hmm, care to share the reason for your down vote? It will help me learn how to use the site better...


  • CodePlex Daily Summary for Friday, April 02, 2010

    CodePlex Daily Summary for Friday, April 02, 2010

    New Projects
    - AE.Remoting: An alternative means of remoting for .NET to allow for intuitive usage and easy implementation into existing code.
    - animated-smoke-modeling: This is an implementation or a demo of our method to model animated smokes.
    - ASP.NET Google Maps: Extensible and easy to use, this is ASP.NET Google Maps Control. Drag & Drop and is ready to go. You can configure map style, add a PushPin using t...
    - CartPatches able to see: CartPatches able to see you
    - Codemix Cms: Codemix Cms
    - Do the right thing - The Simple TodoManager: A simple Todo Manager which lets you focus on your daily most important tasks/todos. So do the right thing.....at your home, in your office, in you...
    - Fast Console: Fast Console is a simple xml programming language. This may be a really good starting language as there are printing, variables and as soon as poss...
    - Graphing Calculator in Silverlight: This was initially an effort to port a WPF graphing calculator written by Bob Brown (Microsoft) into Silverlight but soon after it became necessary...
    - InformationVSTS: This application allows you to have all informations on VSTS installed. It also lets you know the server of BUILD and project.
    - La Ranisima: La Ranisima is an open source "Space Invaders" alike game totally written in DHTML (JavaScript, CSS and HTML) that uses keyboard. This cross-platfo...
    - La villa del seis: La villa del seis is a multiplatform point-and-click graphical adventure. Also, you can play it like a text adventure (interactive fiction) on a te...
    - LParse: LParse is a monadic parser combinator library, similar to Haskell's Parsec. It allows you create parsers on C# language. All parsers are first-clas...
    - Manage Recents File/Project VS2005/2008: Clear Recents Files and Projects, and Clear Broken Links of Recents Files and Projects for VS2005 and VS2008. Developed in Visual Studio 2008 SP...
    - Mavention: Mavention makes SharePoint work for you.
    - MixMail: MixMail
    - MixScrum: mixScrum
    - MixTemplate: MixTemplate.
    - NepomucenoBR Regex Learning Tool: This is a simple program designed to help people to study regular expressions.
    - Pruebas: Pruebas is an open source game mix of text adventure and RPG written in Microsoft QBasic (under MS-DOS 6.22) that uses keyboard. Runs natively unde...
    - Python Design by Contract: Simple to use invariants, pre- and postconditions which use some of the new metaprogramming features in Python 3.
    - Rubik Cube's 3D Silverlight 3.0 Animated Solution: Rubik Cube's Silverlight 3.0 Animated Solution is a 3D presentation of Rubik Cube in range of up to 7x7x7 size with full functionality and an anima...
    - Seminarka: Seminarka - whoever needs to know knows what it is!
    - SENAC 2010 - Projeto Integrador 2 (Material de Apoio): Material used to support the students of the Projeto Integrador 2 course. The subject is web systems using ASP.NET, with C# and a data...
    - SENAC CG2010: Contains code presented in class for the CG course, 5ºBSI Noturno
    - Sistema de facturación: Invoicing system developed in C# for the Programming 3 class.
    - SmartFront - WPF and Silverlight Toolkit: SmartFront is a framework piece which allow to quickly building Smart Client application in WPF and in Silverlight. This framework uses existing s...
    - Solar 1: This is the ASP.NET MVC engine based on Oxite and used for 32planets.net.
    - TemporalSQL: SQL Patterns - tables, queries, and functions - to design a temporal database.
    - TFunkOrderSystem: The Funkalistic Blueprint and Items order management system
    - Tribe.Cache: Tribe.Cache is a simple dictionary cache (persistent dictionary) written in C# which is easy to implement and use.
    - tstProject: Testing Project
    - UDC indexes parser: UDC (Universal Decimal Classification) indexes parser
    - WebAssert: A test assertion library to assist in writing automated tests against websites. Allows for assertion of HTML validity, etc. Initially has support f...
    - Words Via Subtitle: Words Via Subtitle makes it easier for English Learners to learn new words that appears in TV shows or movies. You'll no longer have to look up the...
    - x5s - a cross site scripting (XSS) testing tool: x5s aims to be a specialized testing tool which assists penetration testers in finding cross-site scripting hot-spots. By auto-injecting token valu...
    - XNA Shooter Engine: The XNA Shooter Engine is a game engine for XNA designed specifically with first-person-shooter-style games in mind. It's being developed for an as...
    - 我的开发集 (My development collection): for my study .net csharp

    New Releases
    - AppFabric Caching Admin Tool: AppFabric Caching Admin Tool 1.1: System Requirements: .NET 4.0 RC, AppFabric Caching Beta2. Tested on: Win 7 (64x). Note: Must run as Administrator !!!
    - ASP.NET Google Maps: ASP.NET Google Maps 0.1b: Project Description: Extensible and easy to use, this is ASP.NET Bing Maps Control. Drag & Drop and is ready to go. You can configure map style, add...
    - AutoFixture: Version 1.0.9 (RC1): This is Release Candidate 1 of AutoFixture 1.1. This release contains no known bugs. Compared to AutoFixture 1.0, it fixes some bugs that were dis...
    - Camlex.NET: Camlex.NET 2.0: Camlex.NET 2.0 release. New features: Search by field id; Support for native System.Guid type for values; Search by lookup id and lookup value; D...
    - CloudCache - Distributed Cache Tier with Azure: v1.0.0.1: New Release on April 1st 2010. No, this is not April fools, a new release has made its way out. Below are the changes: Removed dependency on Azure S...
    - DigitallyCreated Utilities: DigitallyCreated Utilities v1.0.1: This release is the v1.0.1 version of DigitallyCreated Utilities. This update is highly recommended for all users of v1.0.0 as it fixes a critical ...
    - Fast Console: Fast Console Alpha: Fast Console is an easy to use and learn programming language. Code example is found in the file TestFile.xml. When you've written your code just sa...
    - Free Silverlight & WPF Chart Control - Visifire: Visifire SL and WPF Charts 3.0.6 beta Released: Hi, this release contains the following enhancements. * Zooming feature has been enhanced with the new functionality of ZoomRectangle. Now, users...
    - Graphing Calculator in Silverlight: 1.0.1: Graphing Calculator for Silverlight is written entirely in C# and is based on the Silverlight 3 release. I will soon release the full documentation...
    - Home Access Plus+: v3.2.0.1: v3.2.0.1 Release Change Log: Fixed: Issue with & ampersand. File Changes: ~/bin/CHS Extranet.dll, ~/bin/CHS Extranet.pdb, ~/Scripts/viewmode.js
    - Icarus Scene Engine: Icarus Professional 2 Alpha 2 v 1.10.329.913: Alpha release 2 of Icarus Professional. This release includes: IcarusX: The ActiveX-based browser control for rendering IPX projects online. Icaru...
    - Line Counter: 1.5.2: The Line Counter is a tool to calculate lines of your code files. The tool was written in .NET 2.0. Line Counter 1.5.2: Added General Code Counter ...
    - ManagedCv: ManagedCv v0.0.0.1: Win32
    - Mavention: Mavention Simple Menu: SharePoint 2010 ships with a menu control that allows you to render a site menu using semantic markup. Using the Mavention Simple Menu you can do t...
    - MDownloader: MDownloader-0.15.10.57200: Fixed uploading.com links detection; Fixed downloading from uploading.com; Fixed downloading from load.to; Fixed detecting incompatible sources;
    - MixMail: V1: MixMail
    - MixTemplate: v1: release
    - MvcPager: MvcPager 1.3 for ASP.NET MVC 1.0: MvcPager 1.3 for ASP.NET MVC 1.0 compiled assembly files and demo projects
    - MvcPager: MvcPager 1.3 for ASP.NET MVC 2.0: MvcPager 1.3 for ASP.NET MVC 2.0 compiled assembly and demo projects
    - MvcUnity - ASP.NET MVC Dependency Injection: 2.1 Source Code: Drop 2.1 Source Code
    - NepomucenoBR Regex Learning Tool: NepomucenoBR Regex Learning Tool v0.1 alpha: This is the first version of this application. If you find any bug, please contact me at http://www.nepomucenobr.com.br
    - NepomucenoBR Regex Learning Tool: NepomucenoBR Regex Learning Tool v0.1 source-code: This is the first version of this application. If you find any bug, please contact me at http://www.nepomucenobr.com.br
    - occulo: occulo 0.2 binaries: Release build binaries instead of debug, should now work for other users. Fixed bit rotation and output filename bugs.
    - occulo: occulo 0.2 source: Second source release. See binary release for changes.
    - Python Design by Contract: v0.1: This is the initial release. I think it is working fine.
    - SharePoint Labs: SPLab5002A-FRA-Level200: This SharePoint Lab will teach you how to modify CAML schema to have IntelliSense on Feature's GUID. Lab Language: French ...
    - SharePoint Labs: SPLab5003A-FRA-Level100: This SharePoint Lab will teach you how to manually create a Feature, how to brand a Feature and how to incorporate ressourc...
    - SharePoint Labs: SPLab5004A-FRA-Level100: This SharePoint Lab will teach you how to create a Feature within Visual Studio, how to brand it, how to incorporate ressou...
    - SharePoint Labs: SPLab5005A-FRA-Level100: This SharePoint Lab will teach you how to create a Feature within Visual Studio, how to brand it, how to incorporate ressou...
    - SSIS ReportGeneratorTask: Version 1.53: Some bugfixes to version 1.52 beta. Server Report properties can be displayed. Snapshots can be created. Screenshots of the planned version 1.53 ca...
    - TemporalSQL: April 2010: Initial set of prototypes demonstrating temporal patterns, queries, and functions in SQL Server
    - TortoiseHg: TortoiseHg 1.0.1: TortoiseHg 1.0.1 is a bug fix release. We recommend all users upgrade to this release. http://bitbucket.org/tortoisehg/stable/wiki/ReleaseNotes#t...
    - Tribe.Cache: Tribe.Cache Alpha: Functional Alpha Release - Do not use in production
    - TS3QueryLib.Net: TS3QueryLib.Net Version 0.21.15.0: Changelog: Added class "ServerListItemBase" which is used in the new method "GetServerListShort" of QueryRunner class. (Change of Beta 21) Added ...
    - UDC indexes parser: Runtime Binary Alpha 1: First alpha version
    - Visual Studio DSite: Text To Binary (Visual C++ 2008): A simple C program that can convert text to binary. Source code only.
    - x5s - a cross site scripting (XSS) testing tool: x5s 1.0 beta: PLACEHOLDER (coming soon)
    - XNA Shooter Engine: GDK Tools 0.1.0.0: This is a small, very early release of the GDK Tools. The only included tool is Input Map Editor.
    - XPath Visualizer: XPathVisualizer v1.2: Last updated 1 April 2010. This is not a joke! Includes new features: Ctrl-S shortcut key for saving the XML file; Ctrl-F shortcut for re-form...
    - すとれおじさん(仮): すとれおじさん β 0.01: A version released for the time being. It has a lot of half-finished features.

    Most Popular Projects
    - Rawr
    - WBFS Manager
    - ASP.NET Ajax Library
    - Microsoft SQL Server Product Samples: Database
    - Silverlight Toolkit
    - AJAX Control Toolkit
    - Windows Presentation Foundation (WPF)
    - ASP.NET
    - LiveUpload to Facebook
    - Microsoft SQL Server Community & Samples

    Most Active Projects
    - Rawr
    - Graffiti CMS
    - Base Class Libraries
    - jQuery Library for SharePoint Web Services
    - BlogEngine.NET
    - Microsoft Biology Foundation
    - N2 CMS
    - LINQ to Twitter
    - Managed Extensibility Framework
    - Farseer Physics Engine


  • Which is a good opensource user management system?

    - by Lost_in_code
    I'm new to php/mySQL and am trying to create a website which will allow users to register. In future, there will be a paid content area where content will be shown based on the payment status. Is there a good opensource lightweight framework which takes care of the user management part? (Register, edit user info, retrieve lost password etc). I'm a flash platform developer and not aware of how to take care of stuff like session hijacking, XSS etc. Should I go ahead and learn to do all this on my own, without using any framework? I thought of using Wordpress' user management system, but not sure how easy that would be. Any suggestion would be great.


  • CMS Preventing Bad HTML Insertion by Client?

    - by Jascha
    I'm building a small CMS in PHP for a client and something I've noticed that comes up fairly often is a client will enter a bit of HTML in a field without closing his/her tag. I'm wondering if there is some parsing technique to prevent bad HTML from rendering my whole output page in italics because the user forgot to add a closing </i> tag. I'm not worried about XSS or malicious html, just a forgotten tag here and there as it's the client who is managing the content. Forgive me if this is a duplicate question, I did some searching, but could not find an appropriate answer. -J


  • wmd editor sanitizing

    - by Ke
    Hi, I am trying to find ways to sanitize the input of the WMD editor. Specifically, I am trying to make HTML tags only available in the <code> tags that WMD generates. Is that possible? My problem is that the following code is rendered as HTML, which is vulnerable to potential XSS attacks, e.g.

        <a onmouseover="alert(1)" href="#">read this!</a>

    The above code renders normally both in preview mode and when saved to the DB. I notice that SO doesn't seem to have this problem. The same code is just rendered as text. I notice that SO has shared their code here http://refactormycode.com/codes/333-sanitize-html Do I really have to use C# in order to sanitize WMD to do this? Any help appreciated, cheers Ke

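    The two posts above are the same problem seen from two sides: the CMS author who forgets a closing </i> and the WMD preview that lets <a onmouseover=...> through. Both are handled by an allow-list sanitizer that re-emits only known tags and known attributes, checks the scheme of every href/src, and closes on output whatever was left open on input. The block below is an added example written by the editor; it is not WMD code and not the Stack Overflow sanitizer linked in the question, and it is in JavaScript because WMD's preview runs in the browser (the same logic belongs on the server before the text is stored). The tag list, attribute list and URL rules are assumptions made for the example; adjust them to the markup you actually want to allow.

```javascript
// Added example (the editor's; not WMD code, not the Stack Overflow sanitizer):
// allow-list HTML sanitizer that also closes tags the author forgot to close.
// The tag/attribute lists and URL rules below are assumptions made for the example.

const ALLOWED = {
  b: [], i: [], em: [], strong: [], code: [], pre: [], p: [], br: [],
  ul: [], ol: [], li: [], blockquote: [],
  a: ['href', 'title'], img: ['src', 'alt'],
};
const VOID = new Set(['br', 'img']);             // never pushed on the open-tag stack
const URL_ATTRS = new Set(['href', 'src']);
const allowed = (tag) => Object.prototype.hasOwnProperty.call(ALLOWED, tag);

// Text outside tags: keep entities the author already wrote, escape everything else.
function escapeText(s) {
  return s.replace(/&(?![a-z]+;|#\d+;|#x[0-9a-f]+;)/gi, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Scheme allow-list for href/src. Browsers strip tabs, newlines and leading controls
// before parsing a URL, so "java\nscript:" must be collapsed before the check.
function isSafeUrl(url) {
  const u = url.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (u.startsWith('//')) return false;          // protocol-relative: another host
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(u);
  return !scheme || ['http', 'https', 'mailto'].includes(scheme[1]);
}

function sanitizeHtml(input) {
  // An attribute value containing ">" ends the tag early; the remainder is then
  // escaped as text, which fails safe rather than open.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const open = [];                                // stack of currently open tag names
  let out = '', last = 0, m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const [whole, slash, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    if (!allowed(name)) { out += escapeText(whole); continue; }  // unknown tag shown as text
    if (slash) {
      const depth = open.lastIndexOf(name);
      if (depth === -1) continue;                 // stray close tag: drop it
      while (open.length > depth) out += `</${open.pop()}>`;  // also closes anything left open inside
      continue;
    }
    let attrs = '', a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(attrText)) !== null) {
      const key = a[1].toLowerCase();
      const val = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED[name].includes(key)) continue;             // drops onmouseover, style, ...
      if (URL_ATTRS.has(key) && !isSafeUrl(val)) continue;    // drops javascript:, data:, //host
      attrs += ` ${key}="${escapeAttr(val)}"`;
    }
    if (name === 'a') attrs += ' rel="nofollow"';
    out += `<${name}${attrs}>`;
    if (!VOID.has(name)) open.push(name);
  }
  out += escapeText(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;  // close whatever the author forgot
  return out;
}
```

    sanitizeHtml('<a onmouseover="alert(1)" href="#">read this!</a>') gives `<a href="#" rel="nofollow">read this!</a>`, 'Hello <i>world' gets its missing `</i>`, and '<b><i>x</b>' is re-nested as `<b><i>x</i></b>`. Unknown tags such as <script> are not stripped but shown as text, which is what the question observes on Stack Overflow.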

  • JRuby Slick CanvasGameContainer using too much heap memory

    - by Jwosty
    I'm using Java's Slick library (great, by the way) just fine from JRuby. To start a game, I use AppGameContainer which works completely fine and as expected, but if I try to use CanvasGameContainer instead (I want a resizable window and Slick uses an old version of LWJGL that doesn't support this directly) it throws this error:

        Fri Jun 01 10:22:07 MDT 2012 INFO:Slick Build #274
        Error: Your application used more stack memory than the safety cap of 2048K.
        Specify -J-Xss####k to increase it (#### = cap size in KB).
        Specify -w for full StackOverflowError stack trace

    I've tried increasing the heap size until my computer can't allocate any more memory, but to no avail. The CanvasGameContainer uses an awt window to display, which is resizable. Any ideas on why this is happening and/or how to fix this?


  • Ask a DNS server what sites it hosts - and how to possibly prevent misuse

    - by Exit
    I've got a server on which I host my company website as well as some of my clients' sites. I noticed a domain which I created, but never used, was being attacked by a poke-and-hope hacker. I imagine that the hacker collected the domain from either hitting my DNS server and requesting what domains are hosted. So, in the interest of prevention and better server management, how would I ask my own DNS server (Linux CentOS 4) what sites are being hosted on it? Also, is there a way to prevent these types of attacks by hiding this information? I would assume that DNS servers would need to keep some information public, but I'm not sure if there is something that most hosts do to help prevent these bandwidth-wasting poke-and-hope attacks. Thanks in advance.


  • Best way to deal with session handling in Zend Framework

    - by JACK IN THE CRACK
    So I'm starting up in Zend Framework and looking to implement a site-wide "User" session... something I can easily access from ALL modules/controllers in the application. I'm like, should I make a new namespace in the library and extend the controller, like:

        <?php
        // Base controller that every application controller would extend.
        class MyLib_Controller_Action extends Zend_Controller_Action
        {
            protected $_userSession;

            // Zend_Controller_Action::preDispatch() takes no arguments; the request
            // is available through $this->getRequest() if it is needed here.
            public function preDispatch()
            {
                $this->_userSession = new Zend_Session_Namespace('user');
            }
        }

    And then have all my controllers/modules/etc. extend from that? Or should I create a Plugin or what? How would you go about making this plugin to pass the user session to the controller? Or do I do it in the bootstrap?? Again, how to pass to controller? Also should I use Zend_Session_Namespace or Zend_Http_Cookie, and also how do I encrypt and XSS-clean the cookie, or is that done automagically?


  • ASP.NET MVC Alter Markup before Output

    - by youwhut
    Hi, Excuse my limited knowledge here. In the past I have used Steve Sanderson's method to HTML encode by default at runtime: http://blog.stevensanderson.com/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/ I have a need to alter img src and a href attributes before they are spat out in the user's browser. There is a solution using JavaScript but this is not ideal for several reasons. Intercepting the compiler is not an option because of unnecessarily using Response.Write for trivial HTML. Is there something I can do with HTTP modules or the view engine? Any thoughts? Cheers.


  • Markup filter wanted for a public website

    - by sibidiba
    Developing a community site where everyone can post text, I'm looking for a markup filter:
    - What is not part of the markup must be escaped (htmlspecialchars()) as it is.
    - Should turn URLs automatically into links
    - Should support some form of basic markups (bold, image, url, pre, list)
    - Should have a simple parser, that turns user input text into HTML
    - Content on the site is public to everyone, XSS must not be allowed to happen.

    What do you suggest? What markup language in the first place? BBCode? Wiki? Markdown? Are there any complete APIs with good examples? PHP is available on the server side. If there is a WYSIWYG-like textarea in addition (like here on SO) that would be a fantastic bonus!


  • Are there any differences between SQL Server and MySQL when it comes to preventing SQL injection?

    - by Derek Adair
    I am used to developing in PHP/MySQL and have no experience developing with SQL Server. I've skimmed over the PHP MSSQL documentation and it looks similar to MySQLi in some of the methods I read about. For example, with MySQL I utilize the function mysql_real_escape_string(). Is there a similar function with PHP/SQL Server? What steps do I need to take in order to protect against SQL injection with SQL Server? What are the differences between SQL Server and MySQL pertaining to SQL injection prevention? Also, is this post accurate? Is the escape string character for SQL Server a single quote?

  • Remove HTTP headers from a raw response

    - by Ed
    Let's say we make a request to a URL and get back the raw response, like this:

        HTTP/1.1 200 OK
        Date: Wed, 28 Apr 2010 14:39:13 GMT
        Expires: -1
        Cache-Control: private, max-age=0
        Content-Type: text/html; charset=ISO-8859-1
        Set-Cookie: PREF=ID=e2bca72563dfffcc:TM=1272465553:LM=1272465553:S=ZN2zv8oxlFPT1BJG; expires=Fri, 27-Apr-2012 14:39:13 GMT; path=/; domain=.google.co.uk
        Server: gws
        X-XSS-Protection: 1; mode=block
        Connection: close

        <!doctype html><html><head>...</head><body>...</body></html>

    What would be the best way to remove the HTTP headers from the response in C#? With regexes? Parsing it into some kind of HTTPResponse object and using only the body? EDIT: I'm using SOCKS to make the request, that's why I get the raw response.

  • What's my best bet for replacing plain text links with anchor tags in a string? .NET

    - by Craig Bovis
    What is my best option for converting plain text links within a string into anchor tags? Say for example I have "I went and searched on http://www.google.com/ today". I would want to change that to "I went and searched on http://www.google.com/ today". The method will need to be safe from any kind of XSS attack also since the strings are user generated. They will be safe before parsing so I just need to make sure that no vulnerabilities are introduced through parsing the URLs.

  • Security precautions and techniques for a User-submitted Code Demo Area

    - by Jack W-H
    Hey folks. Maybe this isn't really feasible. But basically, I've been developing a snippet-sharing website and I would like it to have a 'live demo area'. For example, you're browsing some snippets and click the Demo button. A new window pops up which executes the web code. I understand there are a gazillion security risks involved in doing this: XSS, tags, nasty malware/drive-by downloads, pr0n, etc. etc. etc. The community would be able to flag submissions that are blatantly naughty but obviously some would go undetected (and, in many cases, someone would have to fall victim to discover whatever nasty thing was submitted). So I need to know: what should I do, security-wise, to make sure that users can submit code, but that nothing malicious can be run or executed offsite, etc.? For your information my site is powered by PHP using CodeIgniter. Jack

  • Using C preprocessor to construct a string literal for scanf?

    - by Brett
    I'm attempting to create an sscanf string literal to aid in buffer overrun prevention in C99. The goal is something like:

        #define MAX_ARG_LEN 16
        char arg[MAX_ARG_LEN] = "";
        if (sscanf(arg, "%"(MAX_ARG_LEN-1)"X", &input) > 0)

    The obvious "manual" solution is something like:

        #define MAX_ARG_LEN 16
        #define MAX_ARG_CHARS "15"
        char arg[MAX_ARG_LEN] = "";
        if (sscanf(arg, "%"MAX_ARG_CHARS"X", &input) > 0)

    However, I would prefer something to automatically generate "%15X" given a buffer size of 16. This link almost works for my application: http://stackoverflow.com/questions/240353/convert-a-preprocessor-token-to-a-string but it does not handle the -1. Suggestions?

  • SQL server 2005 remote connection problem, cannot solve it help please thank you

    - by user287745
    Note: if this question does not fit this site please do not just close it but also redirect the question to the fitting sister site, thank you. The steps taken and the error are mentioned; please help, I am stuck here!
    - Installed SQL Server 2005 Express on both computers.
    - Installed SQL Server Management Studio Express on both computers.
    - Ran each Management Studio and connected to the SQL Server instance using Windows authentication (one computer connection example: "A-63A9D4D7E7834\SQLEXPRESS").
    - Created a database in the databases named "test1".
    - Created a few tables with data, saved and exited.
    - Did everything this site says: "How to configure SQL Server 2005 to allow remote connections" http://support.microsoft.com/kb/914277/en-us, but I have just disabled the firewalls completely (turned off).
    Connecting to A-63A9D4D7E7834: started "SQL Server Management Studio Express" on computer A-63A9D4D7E7834, server name: "ALL-E425BE6C41D\SQLEXPRESS", authentication: "Windows authentication", and CONNECT. I GET THE FOLLOWING ERROR:

        Cannot connect to ALL-E425BE6C41D\SQLEXPRESS.
        ADDITIONAL INFORMATION:
        Login failed for user 'ALL-E425BE6C41D\Guest'. (Microsoft SQL Server, Error: 18456)
        For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=18456&LinkId=20476
        BUTTONS: OK HELP

  • Another answer to the CAPTCHA problem?

    - by Xeoncross
    Most sites at least employ server access log checking and banning along with some kind of bot prevention measure like a CAPTCHA (those messed-up text images). The problem with CAPTCHAs is that they pose a threat to the user experience. Luckily they now come with user-friendly features like refresh and audio versions. Anyway, like Linux vs Windows, it isn't worth the time of a spammer to customize and/or build a script to handle a custom CAPTCHA example that only pertains to one site. Therefore, I was wondering if there might be better ways to handle the whole CAPTCHA thing. In A Better CAPTCHA Peter Bromberg mentions that one way would be to convert the image to HTML and display it embedded in the page. On http://shiflett.org/ Chris simply asks users to type his name into an input. Examples like this are ways of simplifying the CAPTCHA experience while decreasing the value for spammers. Does anyone know of more good examples I could use or see any problem with the embedded image idea?
