Search Results

Search found 18715 results on 749 pages for 'website attack'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 173/749 | < Previous Page | 169 170 171 172 173 174 175 176 177 178 179 180  | Next Page >

  • SEO Always Necessary Or Not Really?

    SEO or Search Engine Optimization is a tactic used by companies and advertisers to get a website at the top of search engine results pages. The beauty of this tactic is that the results are more sustainable than almost any other form of advertising. In other words once a website has attained a top position on a search engine for a given keyword, the website will remain there or there about for time to come.

    Read the article

  • SEO Company Tips

    It is very important to get your website search engine optimized. No matter how hard you work on the website and how well you design it, chances are the website will remain largely unnoticed if you cannot ensure a good SEO for it.

    Read the article

  • [Architecture] Roles for white-label service access.

    - by saurabhj
    Okay, I know I'm doing something wrong - but can't figure out a better way. I am developing a website which is going to allow users to setup their own mini-websites. Something like Ning. Also, I have only 1 basic login and access to each mini website is provided (right now) via roles. So the way I am doing this right now is: Everytime a new mini website is created - say blah, I create 2 roles in my application. blah_users and blah_admin The user creating the mini website is given the role - blah_admin and every other user wanting to join this mini website (or network) is given the role - blah_user. Anyone can view data from any website. However to add data, one must be a member of that mini site (must have the blah_user role assigned) The problem that I am facing is that by doing a role based system, I'm having to do loads of stuff manually. Asp.Net 2 controls which work on the User.IsAunthenticated property are basically useless to me now because along with the IsAuthenticated property, I must also check if the user has the proper role. I'm guessing there is a better way to architect the system but I am not sure how. Any ideas? This website is being developed in ASP.Net 2 on IIS 6. Thanks a tonne!

    Read the article

  • How to build n-layered web architecture with PHP?

    - by Alex
    I have a description and design of a website and I need to redesign it to allow for new requirements. The website's purpose is the offering of government's contracts and bidding opportunities for different businesses.I'm dealing with the 3-tier architecture PHP website comprising of the user-interface tier(client's web browser),business logic layer(Apache web server with PHP engine in it and a couple of applications running within a web server as well) and a database layer(local mysql database). Now,i need to redesign it to su???rt distributed n-tier architecture and specify how I would go about it.After long hours of research i came to this solution: business logic should be separated into presentation and purely business logic tier to allow for n-layer architecture(user-interface,presentation tier,b.logic and data tier).I have decided to use ??? just for the presentation(since the original existing website is in PHP) and use it within apache web server.In the business logic i want to use J2?? implementation technology instead of implementing it in PHP(i.e using Zend app.server and smarty template) cz J2EE can provide much more essential container services which are essential for business logic,its robustness,maintainability and different critical business operations which will be carried out by the g?v?rnment's website.So,particularly,i want to use J??ss app.server with ?J? business objects in it which would provide all the b.logic in java and would interact with the database and so forth.In order to connect PHP on a web server with java on app.server i'm gonna use PHP/Java bridge API (or maybe Quercus or SOAP is better?).Finally,i have my data tier with mysql which will communicate with b.logic via JD??.Payment system application in ???.server is gonna use S??? to talk with credit card company. From your professional point of view,does it sound like a good way of redesigning the original website to allow for n-tier architecture considering the specifics of the website and the criticality of its operations?(payment system is included in it)or u would personally prefer to use PHP business objects for business logic as well instead of J2EE?If you have any wiser recommendation or some alternative,please let me know what is right or wrong in my current solution. H??? to hear your professional advice very s??n (I'm new to the area of web development) Thanks in advance

    Read the article

  • How should I setup my Visual Studio projects/solutions in a Mercurial repository?

    - by Dave A
    At my company we have a few different web apps that each share some common libraries. The Visual Studio setup looks like this. Website 1 Solution Website 1 Shared Library 1 Project Shared Library 2 Project Website 2 Solution Website 2 Shared Library 1 Project Shared Library 2 Project Windows Service Solution Windows Service Project Shared Library 1 Project Shared Library 2 Project Shared Library Solution Shared Library 1 Project Shared Library 2 Project All Projects Solution Website 1 Website 2 Windows Service Project Shared Library 1 Project Shared Library 2 Project We want to start using Mercurial for source control, but I'm still not sure the best way to do it. From what I've read you're supposed to use a separate repository for each project. No problem there, but where do the Visual Studio solution files (.sln) go? Should there be a separate repository with just an .sln file? Ideally the projects that use the shared libraries should all use the same version, and the solution "All Projects Solution" should build without errors, but sometimes we need to branch the shared libraries. What is the best way to do this, and how would the repositories be setup? How do I get a working copy of a certain branch/tag of the Website 1 solution when every project is in a separate repository. Do I have to pull each one separately, or write a script to do it all at once? Can tortoise hg do that for me? Any other tips to make this process easier?

    Read the article

  • aspnet_compiler -fixednames does not work?

    - by Terrence
    I am unable to get the -fixednames switch to create dlls for the cs code behind files. The files in the bin folder are compiled aspx pages, but the code behind files are all compiled into one large websitename.dll file. Here is my command with switches. aspnet_compiler -v / -p E:\Source\DotNet4\mysolution\website -f -d -fixednames E:\Source\DotNet4\CompiledWebSite This produces many files in the bin folder. website.dll and website.pdb (contains code behind) myform1.aspx.643c7876.dll (compiled aspx layout ui) I have tested this over and over to make sure I am not missing anything. The test is place a label on myform1.aspx, and in the codebehind populate the label with some text. Compile the website with the above switches and deploy the website. Make a change to the myform1 codebehind and change the label text. Compile and only deploy the myform1.aspx.643c7876.dll to the website. Result: label is still the same. Now deploy the website.dll and pdb and the label changes. Can anyone tell me how to get -fixednames to create sinle dlls for codebehind?

    Read the article

  • What is the form_for syntax for nested resources?

    - by Kris
    I am trying to create a form for a nested resource. Here is my route: map.resources :websites do |website| website.resources :domains end Here are my attempts and the errors: <% form_for(@domain, :url => website_domains_path(@website)) do | form | %> <%= form.text_field :name %> # ArgumentError: wrong number of arguments (1 for 0) # form_helper.rb:290:in 'respond_to?' # form_helper.rb:290:in 'apply_form_for_options!' # form_helper.rb:277:in 'form_for' <% form_for([@website, @domain]) do | form | %> <%= form.text_field :name %> # ArgumentError: wrong number of arguments (1 for 0) # form_helper.rb:290:in 'respond_to?' # form_helper.rb:290:in 'apply_form_for_options!' # form_helper.rb:277:in 'form_for' <% form_for(:domain, @domain, :url => website_domains_path(@website)) do | form | %> <%= form.text_field :name %> # ArgumentError: wrong number of arguments (1 for 0) # wrapper.rb:14:in 'respond_to?' # wrapper.rb:14:in 'wrap' # active_record_helper.rb:174:in 'error_messages_for' <% form_for(:domain, [@website, @domain]) do | form | %> <%= form.text_field :name %> # UndefinedMethodError 'name' for #<Array:0x40fa498> I have confirmed both @website and @domain contain instances of the correct class. The routes also generate correctly is used like this for example, so I dont think their is an issue with the route or url helpers. <%= website_domains_path(1) %> <%= website_data_source_path(1, 1) %> Rails 2.3.5

    Read the article

  • IIS to SQL Server kerberos auth issues

    - by crosan
    We have a 3rd party product that allows some of our users to manipulate data in a database (on what we'll call SvrSQL) via a website on a separate server (SvrWeb). On SvrWeb, we have a specific, non-default website setup for this application so instead of going to http://SvrWeb.company.com to get to the website we use http://application.company.com which resolves to SvrWeb and the host headers resolve to the correct website. There is also a specific application pool set up for this site which uses an Active Directory account identity we'll call "company\SrvWeb_iis". We're setup to allow delegation on this account and to allow it to impersonate another login which we want it to do. (we want this account to pass along the AD credentials of the person signed into the website to SQL Server instead of a service account. We also set up the SPNs for the SrvWeb_iis account via the following command: setspn -A HTTP/SrvWeb.company.com SrvWeb_iis The website pulls up, but the section of the website that makes the call to the database returns the message: Cannot execute database query. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. I thought we had the SPN information set up correctly, but when I check the security event log on SrvWeb I see entries of my logging in, but it seems to be using NTLM and not kerberos: Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Any ideas or articles that cover this setup in detail would be extremely appreciated! If it helps, we are using SQL Server 2005, and both the web and SQL servers are Windows 2003.

    Read the article

  • SSH public key authentication -- always require users to generate their own keypair?

    - by schinazi
    I was working with a partner today that I needed to upload files to my server using scp. I have passwords turned off in the server's SSH configuration, so I wanted them to use public key authentication. I generated the keypair for them on the server and gave them the private key and put the public key in the appropriate authorized_keys file. After a bunch of problems with them setting up their job, they finally got a more experienced sysadmin involved on their end, and he scolded me for handling the key generation this way. He said that by giving them a private key generated on my system, I had enabled them to do a brute-force attack against other keys generated on the same server. I even asked him "so if I have an account on a server, and I can log in with a password but I want to automate something and I generate a keypair on that system, does that then give me an attack vector for brute forcing other users' keys?" and he said yes. I've never heard of this, is it true? Can anyone point me to a discussion of this attack? Thanks in advance.

    Read the article

  • Server Recovery from Denial of Service

    - by JMC
    I'm looking at a server that might be misconfigured to handle Denial of Service. The database was knocked offline after the attack, and was unable to restart itself after it failed to restart when the attack subsided. Details of the Attack: The Attacker either intentionally or unintentionally sent 1000's of search queries using the applications search query url within a couple of seconds. It looks like the server was overwhelmed and it caused the database to log this message: Server Specs: 1.5GB of dedicated memory Are there any obvious mis-configurations here that I'm missing? **mysql.log** 121118 20:28:54 mysqld_safe Number of processes running now: 0 121118 20:28:54 mysqld_safe mysqld restarted 121118 20:28:55 [Warning] option 'slow_query_log': boolean value '/var/log/mysqld.slow.log' wasn't recognized. Set to OFF. 121118 20:28:55 [Note] Plugin 'FEDERATED' is disabled. 121118 20:28:55 InnoDB: The InnoDB memory heap is disabled 121118 20:28:55 InnoDB: Mutexes and rw_locks use GCC atomic builtins 121118 20:28:55 InnoDB: Compressed tables use zlib 1.2.3 121118 20:28:55 InnoDB: Using Linux native AIO 121118 20:28:55 InnoDB: Initializing buffer pool, size = 512.0M InnoDB: mmap(549453824 bytes) failed; errno 12 121118 20:28:55 InnoDB: Completed initialization of buffer pool 121118 20:28:55 InnoDB: Fatal error: cannot allocate memory for the buffer pool 121118 20:28:55 [ERROR] Plugin 'InnoDB' init function returned error. 121118 20:28:55 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed. 121118 20:28:55 [ERROR] Unknown/unsupported storage engine: InnoDB 121118 20:28:55 [ERROR] Aborting **ulimit -a** core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) 0 file size (blocks, -f) unlimited pending signals (-i) 13089 max locked memory (kbytes, -l) 64 max memory size (kbytes, -m) unlimited open files (-n) 1024 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) 0 stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) 1024 virtual memory (kbytes, -v) unlimited file locks (-x) unlimited **httpd.conf** StartServers 10 MinSpareServers 8 MaxSpareServers 12 ServerLimit 256 MaxClients 256 MaxRequestsPerChild 4000 **my.cnf** innodb_buffer_pool_size=512M # Increase Innodb Thread Concurrency = 2 * [numberofCPUs] + 2 innodb_thread_concurrency=4 # Set Table Cache table_cache=512 # Set Query Cache_Size query_cache_size=64M query_cache_limit=2M # A sort buffer is used for optimizing sorting sort_buffer_size=8M # Log slow queries slow_query_log=/var/log/mysqld.slow.log long_query_time=2 #performance_tweak join_buffer_size=2M **php.ini** memory_limit = 128M post_max_size = 8M

    Read the article

  • Strange Domain name under the same IP Address

    - by Mike Chip
    There's something really weird happening in my server. But first things first: I wanted to have my website and chose the domain name "myowndomain.com", Now on my domain registrar I point "myowndomain.com" to the address of my recently setup VPS, let's say 50.50.50.50 So I installed everything I needed to run my website, and I started to notice strange queries coming from different IP Addresses. Like these [client 123.123.123.123] File does not exist: /var/www/html/api, referer: http://www.strangedomain.com/api/manyou/my.php [client 456.456.456.456] File does not exist: /var/www/html/api, referer: http://www.strangedomain.com/api/manyou/my.php or like this (Really a long line, I cut some things) GET /?s=vod-show-id-22-area-%E5%85%B6%E4%BB%96-language-%E9%9F%A9%E8%AF%AD.html HTTP/1.1" 301 295 "http://v.strangedomain.com/?s=vod-s ...[cut]... spider" That above is happening the most. The 'strangedomain.com' returns the same IP address of my VPS which my website is hosted on. The whois of such domain shows it's registered to a chinese. But the street name didn't look so right (like a huge single word), so I think all of that info might be fake, but still might be a chinese. I also noticed that all 'clients' trying to access the 'strangedomain.com' is coming from china. If I type in the browser 'strangedomain.com', I see my website. I'm worried, because my website is actually an e-commerce. I don't know if 'strangedomain.com' WAS a website on 50.50.50.50 in the not so far past, or if it's something else.

    Read the article

  • Connection Refused running multiple environments on Selenium Grid 1.04 via Ubuntu 9.04

    - by ReadyWater
    Hello, I'm writing a selenium grid test suite which is going to be run on a series of different machines. I wrote most of it on my macbook but have recently transfered it over to my work machine, which is running ubuntu 9.04. That's actually my first experience with a linux machine, so I may be missing something very simple (I have disabled the firewall though). I haven't been able to get the multienvironment thing working at all, and I've been trying and manual reviewing for a while. Any recommendations and help would be greatly, greatly appreciated! The error I'm getting when I run the test is: [java] FAILED CONFIGURATION: @BeforeMethod startFirstEnvironment("localhost", 4444, "*safari", "http://remoteURL:8080/tutor") [java] java.lang.RuntimeException: Could not start Selenium session: ERROR: Connection refused I thought it might be the mac refusing the connection, but using wireshark I determined that no connection attempt was made on the mac . Here's the code for setting up the session, which is where it seems to be dying @BeforeMethod(groups = {"default", "example"}, alwaysRun = true) @Parameters({"seleniumHost", "seleniumPort", "firstEnvironment", "webSite"}) protected void startFirstEnvironment(String seleniumHost, int seleniumPort, String firstEnvironment, String webSite) throws Exception { try{ startSeleniumSession(seleniumHost, seleniumPort, firstEnvironment, webSite); session().setTimeout(TIMEOUT); } finally { closeSeleniumSession(); } } @BeforeMethod(groups = {"default", "example"}, alwaysRun = true) @Parameters({"seleniumHost", "seleniumPort", "secondEnvironment", "webSite"}) protected void startSecondEnvironment(String seleniumHost, int seleniumPort, String secondEnvironment, String webSite) throws Exception { try{ startSeleniumSession(seleniumHost, seleniumPort, secondEnvironment, webSite); session().setTimeout(TIMEOUT); } finally { closeSeleniumSession(); } } and the accompanying build script used to run the test <target name="runMulti" depends="compile" description="Run Selenium tests in parallel (20 threads)"> <echo>${seleniumHost}</echo> <java classpathref="runtime.classpath" classname="org.testng.TestNG" failonerror="true"> <sysproperty key="java.security.policy" file="${rootdir}/lib/testng.policy"/> <sysproperty key="webSite" value="${webSite}" /> <sysproperty key="seleniumHost" value="${seleniumHost}" /> <sysproperty key="seleniumPort" value="${seleniumPort}" /> <sysproperty key="firstEnvironment" value="${firstEnvironment}" /> <sysproperty key="secondEnvironment" value="${secondEnvironment}" /> <arg value="-d" /> <arg value="${basedir}/target/reports" /> <arg value="-suitename" /> <arg value="Selenium Grid Java Sample Test Suite" /> <arg value="-parallel"/> <arg value="methods"/> <arg value="-threadcount"/> <arg value="15"/> <arg value="testng.xml"/> </java>

    Read the article

  • best-practive to display flash on Iphone / Ipad ?

    - by terrani
    Hi, I have a website that uses flash. I would like to convert the website so that iphone / ipad users can see my website. I understand that Iphone / Ipad can't render flash. What would be the best-practive to convert flash website to iphone / ipad compatible? I am thinking HTML 5.

    Read the article

  • How do I map a java Map including another Map, as element, into hibernate *.hbm.xml

    - by Václav
    is there possibility to map something like: private Map<Website, Map<String, String>> parameterMaps = new HashMap<Website, Map<String, String>>(); Where 'Website' is my class having some strings attributes, and inner map should be some website specific url parts. I'd like to map it into *.hbm.xml rather than using annotations, because its habit in my project. I appreciate any useful reference to any manual too. Thanks!

    Read the article

  • Mod Rewrite Hide Folder

    - by MILESMIBALERR
    I think this is a pretty simple question. How do you an apache rewrite to hide a folder. EX: www.website.com/pages/login.php to www.website.com/login.php or www.website.com/pages/home.php to www.website.com/home.php The folder needs to alway be hidden. thanks

    Read the article

  • PHP Simple dynamic breadcrumb

    - by Adrian
    Hello, I think this script is of big interest to any noob around here :) including me :) What I want to create is a little code that I can use in any file and will generate a breadcrumb like this: If the file is called "website.com/templates/index.php" the breadcrumb should show: Website.com Templates ^^ link ^^plain text If the file is called "website.com/templates/template_some_name.php" the breadcrumb should show: Website.com Templates Template Some Name ^^ link ^^link ^^plain text I am grateful for any reply, thanks!

    Read the article

  • best-practice to display flash on Iphone / Ipad ?

    - by terrani
    Hi, I have a website that uses flash. I would like to convert the website so that iphone / ipad users can see my website. I understand that Iphone / Ipad can't render flash. What would be the best-practice to convert flash website to iphone / ipad compatible? I am thinking HTML 5.

    Read the article

  • Ruby or PHP or Php Framework?

    - by the_
    I am starting a website and am wondering if I should go with PHP, a php framework, or ruby on rails? I want to make a website fast, easiest and without a big learning curve. I already know a little bit of php and a little ruby on rails...But which would be best? OK so to clarify more on the topic of what my site will be, It's basically a Classified Ads website that needs to have a user login, ability to post classifieds, and categorizing, and basically anything else a classified website has.

    Read the article

  • Is there a greasemonkey for IE? or, how do I get a website to use MSXML6 instead of MSXML5 ?

    - by Cheeso
    I don't know greasemonkey but I think it is a way to script or extend Firefox. Is there a greasemonkey for IE? for example: There's a website that is hosting a page that asks me to install MSXML5.0. I don't want MSXML5.0. I was thinking if I had a greasemonkey capability (if it is what I think it is), I'd be able to write a script that changes the 5.0 to 6.0 and everything would be cool. I know there's a way to do this kind of thing in Fiddler, if I have it running, and set up as a proxy.

    Read the article

  • How do I get MSDeploy to skip specific folders and file types in folders as CCNet task

    - by Simon Martin
    I want MSDeploy to skip specific folders and file types within other folders when using sync. Currently I'm using CCNet to call MSDeploy with the sync verb to take websites from a build to a staging server. Because there are files on the destination that are created by the application / user uploaded files etc, I need to exclude specific folders from being deleted on the destination. Also there are manifest files created by the site that need to remain on the destination. At the moment I've used -enableRule:DoNotDeleteRule but that leaves stale files on the destination. <exec> <executable>$(MsDeploy)</executable> <baseDirectory>$(ProjectsDirectory)$(projectName)$(ProjectsWorkingDirectory)\Website\</baseDirectory> <buildArgs>-verb:sync -source:iisApp="$(ProjectsDirectory)$(projectName)$(ProjectsWorkingDirectory)\Website\" -dest:iisApp="$(website)/$(websiteFolder)" -enableRule:DoNotDeleteRule</buildArgs> <buildTimeoutSeconds>600</buildTimeoutSeconds> <successExitCodes>0,1,2</successExitCodes> </exec> I have tried to use the skip operation but run into problems. Initially I dropped the DoNotDeleteRule and replaced it with (multiple) skip <exec> <executable>$(MsDeploy)</executable> <baseDirectory>$(ProjectsDirectory)$(projectName)$(ProjectsWorkingDirectory)\Website\</baseDirectory> <buildArgs>-verb:sync -source:iisApp="$(ProjectsDirectory)$(projectName)$(ProjectsWorkingDirectory)\Website\" -dest:iisApp="$(website)/$(websiteFolder)" -skip:objectName=dirPath,absolutePath="assets" -skip:objectName=dirPath,absolutePath="survey" -skip:objectName=dirPath,absolutePath="completion/custom/complete*.aspx" -skip:objectName=dirPath,absolutePath="completion/custom/surveylist*.manifest" -skip:objectName=dirPath,absolutePath="content/scorecardsupport" -skip:objectName=dirPath,absolutePath="Desktop/docs" -skip:objectName=dirPath,absolutePath="_TempImageFiles"</buildArgs> <buildTimeoutSeconds>600</buildTimeoutSeconds> <successExitCodes>0,1,2</successExitCodes> </exec> But this results in the following: Error: Source (iisApp) and destination (contentPath) are not compatible for the given operation. Error count: 1. So I changed from iisApp to contentPath and instead of dirPath,absolutePath just Directory like this: <exec> <executable>$(MsDeploy)</executable> <baseDirectory>$(ProjectsDirectory)$(projectName)$(ProjectsWorkingDirectory)\Website\</baseDirectory> <buildArgs>-verb:sync -source:contentPath="$(ProjectsDirectory)$(projectName)$(ProjectsWorkingDirectory)\Website\" -dest:contentPath="$(website)/$(websiteFolder)" -skip:Directory="assets" -skip:Directory="survey" -skip:Directory="content/scorecardsupport" -skip:Directory="Desktop/docs" -skip:Directory="_TempImageFiles"</buildArgs> <buildTimeoutSeconds>600</buildTimeoutSeconds> <successExitCodes>0,1,2</successExitCodes> </exec> and this gives me an error: Illegal characters in path: < buildresults Info: Adding MSDeploy.contentPath (MSDeploy.contentPath). Info: Adding contentPath (C:\WWWRoot\MySite -skip:Directory=assets -skip:Directory=survey -skip:Directory=content/scorecardsupport -skip:Directory=Desktop/docs -skip:Directory=_TempImageFiles). Info: Adding dirPath (C:\WWWRoot\MySite -skip:Directory=assets -skip:Directory=survey -skip:Directory=content/scorecardsupport -skip:Directory=Desktop/docs -skip:Directory=_TempImageFiles). < /buildresults < buildresults Error: Illegal characters in path. Error count: 1. < /buildresults So I need to know how to configure this task so the folders referenced do not have their contents deleted in a sync and that that *.manifest and *.aspx files in the completion/custom folders are also skipped.

    Read the article

  • A New Threat To Web Applications: Connection String Parameter Pollution (CSPP)

    - by eric.maurice
    Hi, this is Shaomin Wang. I am a security analyst in Oracle's Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Connection String Parameter Pollution (CSPP). Earlier this year, at the Black Hat DC 2010 Conference, two Spanish security researchers, Jose Palazon and Chema Alonso, unveiled a new class of security vulnerabilities, which target insecure dynamic connections between web applications and databases. The attack called Connection String Parameter Pollution (CSPP) exploits specifically the semicolon delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). In today's blog, we are going to first look at what connection strings are and then review the different ways connection string injections can be leveraged by malicious hackers. We will then discuss how CSPP differs from traditional connection string injection, and the measures organizations can take to prevent this kind of attacks. In web applications, a connection string is a set of values that specifies information to connect to backend data repositories, in most cases, databases. The connection string is passed to a provider or driver to initiate a connection. Vendors or manufacturers write their own providers for different databases. Since there are many different providers and each provider has multiple ways to make a connection, there are many different ways to write a connection string. Here are some examples of connection strings from Oracle Data Provider for .Net/ODP.Net: Oracle Data Provider for .Net / ODP.Net; Manufacturer: Oracle; Type: .NET Framework Class Library: - Using TNS Data Source = orcl; User ID = myUsername; Password = myPassword; - Using integrated security Data Source = orcl; Integrated Security = SSPI; - Using the Easy Connect Naming Method Data Source = username/password@//myserver:1521/my.server.com - Specifying Pooling parameters Data Source=myOracleDB; User Id=myUsername; Password=myPassword; Min Pool Size=10; Connection Lifetime=120; Connection Timeout=60; Incr Pool Size=5; Decr Pool Size=2; There are many variations of the connection strings, but the majority of connection strings are key value pairs delimited by semicolons. Attacks on connection strings are not new (see for example, this SANS White Paper on Securing SQL Connection String). Connection strings are vulnerable to injection attacks when dynamic string concatenation is used to build connection strings based on user input. When the user input is not validated or filtered, and malicious text or characters are not properly escaped, an attacker can potentially access sensitive data or resources. For a number of years now, vendors, including Oracle, have created connection string builder class tools to help developers generate valid connection strings and potentially prevent this kind of vulnerability. Unfortunately, not all application developers use these utilities because they are not aware of the danger posed by this kind of attacks. So how are Connection String parameter Pollution (CSPP) attacks different from traditional Connection String Injection attacks? First, let's look at what parameter pollution attacks are. Parameter pollution is a technique, which typically involves appending repeating parameters to the request strings to attack the receiving end. Much of the public attention around parameter pollution was initiated as a result of a presentation on HTTP Parameter Pollution attacks by Stefano Di Paola and Luca Carettoni delivered at the 2009 Appsec OWASP Conference in Poland. In HTTP Parameter Pollution attacks, an attacker submits additional parameters in HTTP GET/POST to a web application, and if these parameters have the same name as an existing parameter, the web application may react in different ways depends on how the web application and web server deal with multiple parameters with the same name. When applied to connections strings, the rule for the majority of database providers is the "last one wins" algorithm. If a KEYWORD=VALUE pair occurs more than once in the connection string, the value associated with the LAST occurrence is used. This opens the door to some serious attacks. By way of example, in a web application, a user enters username and password; a subsequent connection string is generated to connect to the back end database. Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; In the password field, if the attacker enters "xxx; Integrated Security = true", the connection string becomes, Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; Intergrated Security = true; Under the "last one wins" principle, the web application will then try to connect to the database using the operating system account under which the application is running to bypass normal authentication. CSPP poses serious risks for unprepared organizations. It can be particularly dangerous if an Enterprise Systems Management web front-end is compromised, because attackers can then gain access to control panels to configure databases, systems accounts, etc. Fortunately, organizations can take steps to prevent this kind of attacks. CSPP falls into the Injection category of attacks like Cross Site Scripting or SQL Injection, which are made possible when inputs from users are not properly escaped or sanitized. Escaping is a technique used to ensure that characters (mostly from user inputs) are treated as data, not as characters, that is relevant to the interpreter's parser. Software developers need to become aware of the danger of these attacks and learn about the defenses mechanism they need to introduce in their code. As well, software vendors need to provide templates or classes to facilitate coding and eliminate developers' guesswork for protecting against such vulnerabilities. Oracle has introduced the OracleConnectionStringBuilder class in Oracle Data Provider for .NET. Using this class, developers can employ a configuration file to provide the connection string and/or dynamically set the values through key/value pairs. It makes creating connection strings less error-prone and easier to manager, and ultimately using the OracleConnectionStringBuilder class provides better security against injection into connection strings. For More Information: - The OracleConnectionStringBuilder is located at http://download.oracle.com/docs/cd/B28359_01/win.111/b28375/OracleConnectionStringBuilderClass.htm - Oracle has developed a publicly available course on preventing SQL Injections. The Server Technologies Curriculum course "Defending Against SQL Injection Attacks!" is located at http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm - The OWASP web site also provides a number of useful resources. It is located at http://www.owasp.org/index.php/Main_Page

    Read the article

  • HTML5 web storage: can different websites overwrite each other’s data on a user’s computer?

    - by Deepak Mahalingam
    I have a few questions regarding the concept of HTML5 storage. I went through the w3c specification, books and tutorials on the same, but still I am a bit unclear about certain concepts: Assume that I access Website A. Some JavaScript runs in my browser that sets a key value pair, say ('username','deepak'). Then I access Website B which also adds a key,value pair in the localstorage as ('username','mahalingam'). How will they both be differentiated? Will Website B override the value set by website A in my localstorage? How can we ensure that a website would not erase all of my localstorage?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 169 170 171 172 173 174 175 176 177 178 179 180  | Next Page >