Search Results

Search found 1306 results on 53 pages for 'csrf protection'.


  • Is a GWT app running on Google App Engine protected from CSRF

    - by gerdemb
    I'm developing a GWT app running on the Google App Engine and wondering if I need to worry about Cross-site request forgery or is that automatically taken care of for me? For every RPC request that requires authentication, I have the following code:

        public class BookServiceImpl extends RemoteServiceServlet implements BookService {
            public void deleteInventory(Key<Inventory> inventoryKey)
                    throws NotLoggedInException, InvalidStateException, NotFoundException {
                DAO dao = new DAO();
                // This will throw NotLoggedInException if user is not logged in
                User user = dao.getCurrentUser();
                // Do deletion here
            }
        }

        public final class DAO extends DAOBase {
            // Field the snippet assigns to; declared here so the class compiles on its own
            private User currentUser;

            public User getCurrentUser() throws NotLoggedInException {
                currentUser = UserServiceFactory.getUserService().getCurrentUser();
                if (currentUser == null) {
                    throw new NotLoggedInException();
                }
                return currentUser;
            }
        }

    I couldn't find any documentation on how the UserService checks authentication. Is it enough to rely on the code above or do I need to do more? I'm a beginner at this, but from what I understand, to avoid CSRF attacks some of the strategies are:

    - adding an authentication token in the request payload instead of just checking a cookie
    - checking the HTTP Referer header

    I can see that I have cookies set from Google with what look like SID values, but I can't tell from the serialized Java objects in the payloads if tokens are being passed or not. I also don't know if the Referer header is being used or not. So, am I worrying about a non-issue? If not, what is the best strategy here? This is a common enough problem that there must be standard solutions out there...


  • How good is Word's password protection?

    - by Yuval
    Hi, I have a password-protected MS Word 2007 file that needs to stay private. How good is Word's protection? If it's not very good, can you suggest a better method for keeping the file protected? EDIT: my goal is to send the protected file to a recipient (who knows the password). I assume this recipient knows nothing about encryption/decryption, but if I absolutely have to, I'll encrypt the file and painstakingly teach the recipient how to decrypt it.


  • How does copy protection work?

    - by Yar
    Many programs refuse to go beyond a trial period. Even if they are trashed and then reinstalled, they 'remember' that the trial period has expired. Assuming no contact with a licensing server, what is the general way that most copy protection works? Do programs drop files in random folders on the hard disk that are hard to track down? I know there's no registry on OS X/Linux, but perhaps something similar...? Or must it be a file/folder? I'm actually not curious from a hacking side but rather from the implementation side, but in any case the question is basically the same.


  • Why is "googlehosted.com" in the DNS records for our website after signing up for DDOS protection?

    - by Blake Nic
    Recently we had to get some DDOS protection for our website because of the large attacks we were seeing after getting a bit of popularity. We handed over our domain and hosting information to our DDOS protection provider. It worked perfectly, but I have a question. On our DNS records we have the Host, the Answer and the Type. The host has our domain name there. The answer is this: SOMETEXTXXXX.dv.googlehosted.com. And when I copy and paste it into my browser it gives me a 404 error. But our website still loads and functions as it should. I don't understand why it would need this. I asked them about this and they said it is a method for DDOS protection and the other IPs are the reverse proxy (the other IPs give a 404 error too). Can anyone expand on this more, please? How does all this tie in together and make the internet browser know where to point the person, with all these reverse proxies and stuff I don't understand? Here is an image for reference:


  • How do you code against CSRF malicious requests?

    - by user355950
    How to decline malicious requests?

        Cross-Site Request Forgery
        Severity: Medium
        Test Type: Application
        Remediation Tasks: Decline malicious requests
        Reasoning: The same request was sent twice in different sessions and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to this issue.


  • CSRF (Cross-site request forgery) attack example and prevention in PHP

    - by Saif Bechan
    I have a website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on the website, and someone gives them a link like this: http://mysite.com/vote/30 then the vote will be placed for him on the item without him wanting to do this. I have read the explanation on the OWASP website, but I don't really understand it. Is this an example of CSRF, and how can I prevent this? The best thing I can think of is adding something to the link like a hash. But this will be quite irritating to put something on the end of all the links. Is there no other way of doing this? Another thing: can someone maybe give me some other example of this, because the website seems fairly vague to me.


  • Is surge protection actually needed?

    - by andrew
    Am I an idiot for not using a surge-protected powerboard? Does this mean my computer gets fried in a power outage? Which particular parts of the computer are most vulnerable to damage if I get a 'surge'? Sorry for being a newb.


  • UPS for hard drive protection

    - by dimi
    I am in a place where electricity is not ideal (old house, no ground); sometimes it occasionally shuts down and supposedly there are some spikes. I am considering using a UPS with the goal of increasing the safety of my personal data. My first priority is the health of my internal and external USB hard drives, which can be damaged due to possible power instability. I do not care that much about possible losses of unsaved work; instead I just want to let my system have a minimum time to turn off without any risk of physically damaging my hard drives. Would a cheap offline UPS suit my needs? Or do I need a better one with automatic voltage regulation (AVR)? How critical is AVR for the hard drives? The external ones require their own power supplies and will be plugged directly into the UPS.


  • How to implement copy protection of content in an open source application?

    - by Lococo
    I have an idea for an open source app -- the app would be free, but I would charge a small fee for data that a customer would order. For instance, let's say I'm writing a map application. I'd give the app away, make it open-source, but I would like to sell various maps to individual users. Is there a way to protect the data in such a way that makes it very difficult for someone to simply take the map they bought and distribute it to others? Is this feasible for an open source app?


  • Android app copy protection and data files

    - by Ben Mc
    I'm going to rephrase this question. As it turns out the original answer wasn't definitive and problems were found.

    In my app, I access my sqlite database at the following hard-coded location in my code: /data/data/com.mydomain.appname/databases/database.db If I turn ON copy protection in the Market Place, will my app still have access to this location? Or will I have to change it to something like: /data-private/data/com.mydomain.appname/databases/database.db (or something like this) Since I have a Dev phone only, I have no way of testing to see if my app still functions normally after turning on copy protection. Thank you!


  • protection points in survivable multicast network

    - by wantobegeek
    I am working on a project on survivable multicasting. I want to propose a hybrid scheme (protection and restoration) for that purpose. Can anyone help me with an approach to decide protection points in a multicast tree? (The protection points will be those points up to which there will be an alternate path from the multicast source (protection), and from the protection point to the multicast destination the path will be dynamically restored.) Please suggest an approach to find the protection points. I found an approach named caterpillar tree which assigns the nodes on the spine of the caterpillar tree as protection points. Is there any other such approach?


  • What's the best value for money c# code protection for a single developer

    - by Cliff Cawley
    What's the best value for money C# code protection? Some just use obfuscation, others add Win32 wrapping, some cost a fortune. So far I've come up with http://www.eziriz.com/ whose Intellilock looks promising. Any other suggestions? Any reasons why this is not a good idea? I know it's impossible to completely protect, but I'd prefer the ability to protect my code so that it would require a lot of effort in order to recover it. I do hope to sell my products eventually, while also releasing some for free.


  • Copy protection and licensing tools.

    - by Skittles
    I'm new to stackoverflow.com after hearing about it from Jon Skeet on DotNetRocks. This seems like the perfect place to ask this question. I am in the middle of trying to find a 3rd party copy protection and licensing tool. The company that I work with has 4 products that need to be protected. We want to supply a trial license (with extensions), a single user license and a floating license (where the client purchases a number to run over a network). We also want to be able to supply both the single and floating license as a subscription license. I have trialled DeployLX and although it seems to give everything that we need, and they are quick to answer emails, their documentation is truly awful with NO examples of how to achieve results. Has anyone any experience with DeployLX and if so, would you recommend it? Could you point me in the direction to find some real help on it? Finally, would anyone have any recommendations of a 3rd party licensing tool to use for very quick development. Thank you so much,


  • Quick and easy flood protection?

    - by James P
    I have a site where a user submits a message using AJAX to a file called like.php. In this file the user's message is submitted to a database and it then sends a link back to the user. In my JavaScript code I disable the text box the user types into when they submit the AJAX request. The only problem is, a malicious user can just constantly send POST requests to like.php and flood my database. So I would like to implement simple flood protection. I don't really want the hassle of another database table logging users' IPs and such... as if they are flooding my site there will be a lot of database reads/writes slowing it down. I thought about using sessions, like having a session that contains a timestamp that gets checked every time they send data to like.php, and if the current time is before the timestamp let them add data to the database, otherwise send out an error and block them. If they are allowed to enter something into the database, update their session with a new timestamp. What do you think? Would this be the best way to go about it or are there easier alternatives? Thanks for any help. :)


  • Microsoft Forefront Endpoint Protection 2010 released to manufacturing (RTM) with a new anti-malware engine

    Microsoft Forefront Endpoint Protection 2010 is released to manufacturing (RTM). For manufacturers and resellers, it ships with a new anti-malware engine. Microsoft has just announced the availability to manufacturers and resellers (RTM version) of Forefront Endpoint Security 2010, its unified management solution for malware protection on enterprise servers and workstations. In Release Candidate since November, this version relies on "System Center Configuration Manager 2007", thereby easing deployment at companies that have already put Microsoft's client management infrastructure in place. Fore...


  • Javascript image copy protection

    - by Chris
    Is there a way to protect your images from being copied, specifically their URLs? So that if someone were to try to right-click the image and copy the URL, I could pop up an embed box, or perhaps specify my own particular copy code so that I dictate the terms of the copy? An alternative to this would be popping up a custom dialog box on right-click with copy / embed options... How would one do this?


  • Rails form protection questions, hidden field

    - by user284194
    I have a live rails website and I want to have a form with a lot of fields on it. I have set up validations and allowed formatting for every field. I've tested it quite a bit and it seems to catch anything I throw at it. I think it's almost ready to go live, but I want to quadruple check if there's anything else I should do to protect it. My site has a low volume of visitors, but I want it to be as safe as possible. I'd like to avoid using a captcha if I can. I've read that you can use a hidden field to protect forms against bots. Do people recommend this instead of using a captcha, or even using it with a captcha? My form is really standard:

        <% form_for(@entry) do |f| %>
          ...
          <%= f.submit 'Create' %>
        <% end %>

    Any suggestions or code samples would be greatly appreciated.


  • How does memory protection in SASOS work?

    - by chris
    I'd like to know how it works - whether it checks if a process can read/write/execute memory on every access, or whether it does it only once? But when it does it only once, and all processes are in a single address space, how are other hostile processes prevented from accessing memory in areas that are not theirs?


  • Copy protection tool to limit number of units

    - by Jonathan Harris
    I have written a WinForms application to manage a certain type of project. I want to charge my users on a per-project basis, e.g. they purchase a base version of my app to manage 3 projects for $300 and can buy extensions for $100 per project. Do you know of any good tools that support this type of licensing? Currently the project counter is buried in the database, but I am looking for something more reliable.


  • Client/JS Framework for "Unsaved Data" Protection?

    - by Kevin Dostalek
    Hey all, we have a typical web application that is essentially a data entry application with lots of screens, some of which have some degree of complexity. We need to provide the standard capability of making sure that if the user forgets to click the "Save" button before navigating away or closing their browser, they get a warning and can cancel (but only when there is unsaved or dirty data). I know the basics of what I've got to do; in fact I'm sure I've done it all before over the years (tie in to onbeforeunload, track the "dirty" state of the page, etc...), but before I embark on coding this YET AGAIN, does anyone have some suggestions for libraries already out there (free or otherwise) that will help out? Thanks!


  • Software Protection: Shuffling my application?

    - by Martijn Courteaux
    Hi, I want to continue on my previous question: http://stackoverflow.com/questions/3007168/torrents-can-i-protect-my-software-by-sending-wrong-bytes Developer Art suggested adding a unique key to the application, to identify the cracker. But JAB said that crackers can search where my unique key is located by checking for binary differences, if the cracker has multiple copies of my software. Then crackers change that key to make themselves anonymous. That is true. Now comes the question: If I want to add a unique key, are there tools to shuffle (a kind of obfuscation) the program modules? So that a binary compare would say that the two files are completely different, so they can't locate the identifier key. I'm pretty sure it is possible (maybe by replacing assembler blocks and making some jumps). I think it would be enough to make 30 to 40 shuffles of my software. Thanks


  • GWT RPC - Does it do enough to protect against CSRF?

    - by sri
    GWT's RPC mechanism does the following things on every HTTP request:

    - Sets two custom request headers: X-GWT-Permutation and X-GWT-Module-Base
    - Sets the content-type as text/x-gwt-rpc; charset=utf-8
    - The HTTP request is always a POST, and on the server side GET methods throw an exception (method not supported).

    Also, if these headers are not set or have the wrong value, the server fails processing with an exception "possibly CSRF?" or something to that effect. Question is: Is this sufficient to prevent CSRF? Is there a way to set custom headers and change the content type in a pure cross-site request forgery method?

