Search Results

Search found 6427 results on 258 pages for 'customer protection'.

Page 27/258 | < Previous Page | 23 24 25 26 27 28 29 30 31 32 33 34  | Next Page >

  • Looking for DOS/DDOS protection tools and strategies

    - by Alexandre Victoor
    I am working on a java application that exposes webservices for a flash client. Any idea on how to prevent DOS/DDOS attacks ? I cannot use mechanism unfriendly for the end user such as captcha. So far I have found mod_evasive, an apache module which looks quite promising... Any suggestions, best practices, tools I might use ? Thanks in advance

    Read the article

  • Rails request forgery protection settings

    - by Vitaly
    Hey, please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class. Basically here's the code: class ApplicationController < ActionController::Base helper :all # include all helpers, all the time protect_from_forgery helper_method :current_user_session, :current_user filter_parameter_logging :password, :password_confirmation What I assume it should do is: it should prevent any POST requests without correct authenticity_token. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)! $.post($(this).attr("href"), { _method: "PUT", data: { test: true } }); I see in console that there's no authenticity_token among sent parameters, but request is still considered valid. Why is that?

    Read the article

  • CSRF Protection in AJAX Requests using MVC2

    - by mnemosyn
    The page I'm building depends heavily on AJAX. Basically, there is just one "page" and every data transfer is handled via AJAX. Since overoptimistic caching on the browser side leads to strange problems (data not reloaded), I have to perform all requests (also reads) using POST - that forces a reload. Now I want to prevent the page against CSRF. With form submission, using Html.AntiForgeryToken() works neatly, but in AJAX-request, I guess I will have to append the token manually? Is there anything out-of-the box available? My current attempt looks like this: I'd love to reuse the existing magic. However, HtmlHelper.GetAntiForgeryTokenAndSetCookie is private and I don't want to hack around in MVC. The other option is to write an extension like public static string PlainAntiForgeryToken(this HtmlHelper helper) { // extract the actual field value from the hidden input return helper.AntiForgeryToken().DoSomeHackyStringActions(); } which is somewhat hacky and leaves the bigger problem unsolved: How to verify that token? The default verification implementation is internal and hard-coded against using form fields. I tried to write a slightly modified ValidateAntiForgeryTokenAttribute, but it uses an AntiForgeryDataSerializer which is private and I really didn't want to copy that, too. At this point it seems to be easier to come up with a homegrown solution, but that is really duplicate code. Any suggestions how to do this the smart way? Am I missing something completely obvious?

    Read the article

  • Best Practices / Patterns for Enterprise Protection/Remediation of SSNs (Social Security Numbers)

    - by Erik Neu
    I am interested in hearing about enterprise solutions for SSN handling. (I looked pretty hard for any pre-existing post on SO, including reviewing the terriffic SO automated "Related Questions" list, and did not find anything, so hopefully this is not a repeat.) First, I think it is important to enumerate the reasons systems/databases use SSNs: (note—these are reasons for de facto current state—I understand that many of them are not good reasons) Required for Interaction with External Entities. This is the most valid case—where external entities your system interfaces with require an SSN. This would typically be government, tax and financial. SSN is used to ensure system-wide uniqueness. SSN has become the default foreign key used internally within the enterprise, to perform cross-system joins. SSN is used for user authentication (e.g., log-on) The enterprise solution that seems optimum to me is to create a single SSN repository that is accessed by all applications needing to look up SSN info. This repository substitutes a globally unique, random 9-digit number (ASN) for the true SSN. I see many benefits to this approach. First of all, it is obviously highly backwards-compatible—all your systems "just" have to go through a major, synchronized, one-time data-cleansing exercise, where they replace the real SSN with the alternate ASN. Also, it is centralized, so it minimizes the scope for inspection and compliance. (Obviously, as a negative, it also creates a single point of failure.) This approach would solve issues 2 and 3, without ever requiring lookups to get the real SSN. For issue #1, authorized systems could provide an ASN, and be returned the real SSN. This would of course be done over secure connections, and the requesting systems would never persist the full SSN. Also, if the requesting system only needs the last 4 digits of the SSN, then that is all that would ever be passed. Issue #4 could be handled the same way as issue #1, though obviously the best thing would be to move away from having users supply an SSN for log-on. There are a couple of papers on this: UC Berkely: http://bit.ly/bdZPjQ Oracle Vault: bit.ly/cikbi1

    Read the article

  • How do these user/userParam references relate to the Customer and Account lookups?

    - by plath
    In the following code example how do the user/userParam references relate to the Customer and Account lookups and what is the relationship between Customer and Account? // PersistenceManager pm = ...; Transaction tx = pm.currentTransaction(); User user = userService.currentUser(); List<Account> accounts = new ArrayList<Account>(); try { tx.begin(); Query query = pm.newQuery("select from Customer " + "where user == userParam " + "parameters User userParam"); List<Customer> customers = (List<Customer>) query.execute(user); query = pm.newQuery("select from Account " + "where parent-pk == keyParam " + "parameters Key keyParam"); for (Customer customer : customers) { accounts.addAll((List<Account>) query.execute(customer.key)); } } finally { if (tx.isActive()) { tx.rollback(); } }

    Read the article

  • How do these user/userParam references relate to the Customer and Account lookups?

    - by marmalade
    In the following code example how do the user/userParam references relate to the Customer and Account lookups and what is the relationship between Customer and Account? // PersistenceManager pm = ...; Transaction tx = pm.currentTransaction(); User user = userService.currentUser(); List<Account> accounts = new ArrayList<Account>(); try { tx.begin(); Query query = pm.newQuery("select from Customer " + "where user == userParam " + "parameters User userParam"); List<Customer> customers = (List<Customer>) query.execute(user); query = pm.newQuery("select from Account " + "where parent-pk == keyParam " + "parameters Key keyParam"); for (Customer customer : customers) { accounts.addAll((List<Account>) query.execute(customer.key)); } } finally { if (tx.isActive()) { tx.rollback(); } }

    Read the article

  • Password/Key protection

    - by user221919
    hi I am implementing paymentgateways and I need to protect its key and password for security reason. also some webservices keys and password in asp.net. Please help me to do as mention. waiting for your valuable thought. Thanking You.

    Read the article

  • Domain Transfer Protection - need advice

    - by Jack
    Hey, I am about to purchase a domain name for a bit of money. I do not personally know the person who I am purchasing the domain name from, we have only chatted via email. The proposed process for the transfer is: The owner of the domain lowest the domain name security and emails me the domain password, I request the transfer After the request, I transfer the money via PayPal When the money has been cleared the current domain name owner confirms the transfer via the link that he receives in that email I wait for it to be transferred. The domain is currently registered with DirectNIC - http://www.directnic.com/ Is this the best practice? Seeing I am paying a bit of money for this domain name, I am worried that after the money has been cleared that I won't see the domain name or hear from the current domain name owner again. Is there a 'domain governing body' which I can report to if this is the case? Is the proposed transfer process the best solution? Any advice would be awesome. Thanks! Jack

    Read the article

  • image protection in rails

    - by Cezar
    Hello, I am looking for ways to protect my product images and I don't know if there's anything out there better than what I've already found: disable right click, use a transparent image in front of your picture and watermarking. Obviously none of them is perfect but I was curious if someone came up with a better solution to this problem. Also is there any rails plugin to aid with that ? Thanks

    Read the article

  • Flash Media Server Streaming: Content Protection

    - by dbemerlin
    Hi, i have to implement flash streaming for the relaunch of our video-on-demand system but either because i haven't worked with flash-related systems before or because i'm too stupid i cannot get the system to work as it has to. We need: Per file & user access control with checks on a WebService every minute if the lease time ran out mid-stream: cancelling the stream rtmp streaming dynamic bandwidth checking Video Playback with Flowplayer (existing license) I've got the streaming and bandwidth check working, i just can't seem to get the access control working. I have no idea how i know which file is played back or how i can play back a file depending on a key the user has entered. Server-Side Code (main.asc): application.onAppStart = function() { trace("Starting application"); this.payload = new Array(); for (var i=0; i < 1200; i++) { this.payload[i] = Math.random(); //16K approx } } application.onConnect = function( p_client, p_autoSenseBW ) { p_client.writeAccess = ""; trace("client at : " + p_client.uri); trace("client from : " + p_client.referrer); trace("client page: " + p_client.pageUrl); // try to get something from the query string: works var i = 0; for (i = 0; i < p_client.uri.length; ++i) { if (p_client.uri[i] == '?') { ++i; break; } } var loadVars = new LoadVars(); loadVars.decode(p_client.uri.substr(i)); trace(loadVars.toString()); trace(loadVars['foo']); // And accept the connection this.acceptConnection(p_client); trace("accepted!"); //this.rejectConnection(p_client); // A connection from Flash 8 & 9 FLV Playback component based client // requires the following code. if (p_autoSenseBW) { p_client.checkBandwidth(); } else { p_client.call("onBWDone"); } trace("Done connecting"); } application.onDisconnect = function(client) { trace("client disconnecting!"); } Client.prototype.getStreamLength = function(p_streamName) { trace("getStreamLength:" + p_streamName); return Stream.length(p_streamName); } Client.prototype.checkBandwidth = function() { application.calculateClientBw(this); } application.calculateClientBw = function(p_client) { /* lots of lines copied from an adobe sample, appear to work */ } Client-Side Code: <head> <script type="text/javascript" src="flowplayer-3.1.4.min.js"></script> </head> <body> <a class="rtmp" href="rtmp://xx.xx.xx.xx/vod_project/test_flv.flv" style="display: block; width: 520px; height: 330px" id="player"> </a> <script> $f( "player", "flowplayer-3.1.5.swf", { clip: { provider: 'rtmp', autoPlay: false, url: 'test_flv' }, plugins: { rtmp: { url: 'flowplayer.rtmp-3.1.3.swf', netConnectionUrl: 'rtmp://xx.xx.xx.xx/vod_project?foo=bar' } } } ); </script> </body> My first Idea was to get a key from the Query String, ask the web service about which file and user that key is for and play the file but i can't seem to find out how to play a file from server side. My second idea was to let flowplayer play a file, pass the key as query string and if the filename and key don't match then reject the connection but i can't seem to find out which file it's currently playing. The only remaining idea i have is: create a list of all files the user is allowed to open and set allowReadAccess or however it was called to allow those files, but that would be clumsy due to the current infrastructure. Any hints? Thanks.

    Read the article

  • Java Client .class File Protection

    - by Zac
    I am in the requirements phase of building a JEE application that will most likely run on a GlassFish/JBoss backend (doesn't matter for now). I know I shouldn't be thinking about architecture at requirements time, but one can't help but start to imagine how the components would all snap together :-) Here are some hard, non-flexible requirements on the client-side: (1) The client application will be a Swing box (2) The client is free to download, but will use a subscription model (thus requiring a login mechanism with server-side authentication/authorization, etc.) (3) Yes, Java is the best platform solution for the problem at hand for reasons outside the scope of this post (4) The client-side .class files need safeguarding against decompiling That last (4th) requirement is the basis of this post. I'm not really worried about someone actually decompiling and getting at my source code: in the end, it's just Swing controls driven by some lightweight business logic. I'm worried about a scenario where someone decompiles my code, modifies it to exploit/attack the server, re-compiles, and fires it up. I've envisioned all sorts of nasty solutions, but didn't know if this was a common problem with a common solution for JEE developers. Any thoughts? Not interested in "code obfuscation" techniques! Thanks for any input!

    Read the article

  • Preventing HTML character entities in locale files from getting munged by Rails3 xss protection

    - by Chris S
    We're building an app, our first using Rails 3, and we're having to build I18n in from the outset. Being perfectionists, we want real typography to be used in our views: dashes, curled quotes, ellipses et al. This means in our locales/xx.yml files we have two choices: Use real UTF-8 characters inline. Should work, but hard to type, and scares me due to the amount of software which still does naughty things to unicode. Use HTML character entities (&#8217; &#8212; etc). Easier to type, and probably more compatible with misbehaving software. I'd rather take the second option, however the auto-escaping in Rails 3 makes this problematic, as the ampersands in the YAML get auto-converted into character entities themselves, resulting in 'visible' &8217;s in the browser. Obviously this can be worked around by using raw on strings, i.e.: raw t('views.signup.organisation_details') But we're not happy going down the route of globally raw-ing every time we t something as it leaves us open to making an error and producing an XSS hole. We could selectively raw strings which we know contain character entities, but this would be hard to scale, and just feels wrong - besides, a string which contains an entity in one language may not in another. Any suggestions on a clever rails-y way to fix this? Or are we doomed to crap typography, xss holes, hours of wasted effort or all thre?

    Read the article

  • d2: strange lowering of protection and possible misbehavior in static imports

    - by modchan
    Consider there is moda.d: module moda; private struct modb {}; And modb.d: module modb; private import moda; And modmain.d: module modmain; static import moda; static import modb; void main() { modb v; // should NOT compile, should it? } I don't know why, but moda.modb is visible in both modmain and modb, while, as far as I understand, it should not - both due to moda being imported as static and moda.modb being private. Or should? Have I run into dmd bug or it's planned behaviour I hadn't understood?

    Read the article

  • Subversion: Write protection for tagged directories

    - by Alexander
    Hi, i am using subversion as RCS. Always when a new version of my project is finised i create a tag of it (copy of the trunk). Does anybody know how i can protect this tagged directory from being accidentally modified? At the moment as a workaround i lock all files. But this sill means that the user with the lock can edit the files. Is there any better solution?

    Read the article

  • PHP -- automatic SQL injection protection?

    - by ashgromnies
    I took over maintenance of a PHP app recently and I'm not super familiar with PHP but some of the things I've been seeing on the site are making me nervous that it could be vulnerable to a SQL injection attack. For example, see how this code for logging into the administrative section works: $password = md5(HASH_SALT . $_POST['loginPass']); $query = "SELECT * FROM `administrators` WHERE `active`='1' AND `email`='{$_POST['loginEmail']}' AND `password`='{$password}'"; $userInfo = db_fetch_array(db_query($query)); if($userInfo['id']) { $_SESSION['adminLoggedIn'] = true; // user is logged in, other junk happens here, not important The creators of the site made a special db_query method and db_fetch_array method, shown here: function db_query($qstring,$print=0) { return @mysql(DB_NAME,$qstring); } function db_fetch_array($qhandle) { return @mysql_fetch_array($qhandle); } Now, this makes me think I should be able to do some sort of SQL injection attack with an email address like: ' OR 'x'='x' LIMIT 1; and some random password. When I use that on the command line, I get an administrative user back, but when I try it in the application, I get an invalid username/password error, like I should. Could there be some sort of global PHP configuration they have enabled to block these attacks? Where would that be configured? Here is the PHP --version information: # php --version PHP 5.2.12 (cli) (built: Feb 28 2010 15:59:21) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies with the ionCube PHP Loader v3.3.14, Copyright (c) 2002-2010, by ionCube Ltd., and with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies

    Read the article

  • htaccess password protection and mod-rewrite?

    - by mathiregister
    hey guys, i wonder how i can solve the following problem. on the root directory of my server lies a file calles upload.php i want to be able to add a "/upload" (without .php) to my URL and the browser should ask for a password (and maybe username if possible). I i enter the password (and username) correctly upload.php should be opened. Is this possible with htaccess?

    Read the article

  • Quick CPU ring mode protection question

    - by b-gen-jack-o-neill
    Hi, me again :) I am very curious in messing up with HW. But my top level "messing" so far was linked or inline assembler in C program. If my understanding of CPU and ring mode is right, I cannot directly from user mode app access some low level CPU features, like disabling interrupts, or changing protected mode segments, so I must use system calls to do everything I want. But, if I am right, drivers can run in ring mode 0. I actually don´t know much about drivers, but this is what I ask for. I just want to know, is learning how to write your own drivers and than call them the way I should go, to do what I wrote? I know I could write whole new OS (at least to some point), but what I exactly want to do is acessing some low level features of HW from standart windows application. So, is driver the way to go?

    Read the article

  • How do I password protect my printer in Windows 7?

    - by Dillie-O
    I have two young kids who have gotten rather computer saavy. They love playing their games, especially when it allows them to print out awards or coloring pages. Unfortunately this means that in the time it takes to refresh my cup of coffee, they can easily drop a 10 page document into the printer queue, and my printer ink runs out rather fast. How would I setup some kind of password protection on the printing, so that I would have to do some kind of final approval before they get their printouts?

    Read the article

  • .htaccess or PHP protection code against multiple speedy requests

    - by Phil Jackson
    Hi, I am looking for ideas for how I can stop external scripts connecting with my site. I'm looking for the same kind of idea behind Google. As in if a certain amount of requests are made per a certain amount of time then block the IP address or something. I thought there maybe a htaccess solution if not, I will write a PHP one. Any ideas or links to existing methods or scripts is much appreciated. Regards Phil

    Read the article

  • direct file download protection

    - by Ahmet vardar
    Hi, I have a folder for downloads on my server, i want to prevent direct access to that folder so i am makin it pass-protected with htaccess and i will push download with a php script. But i have some questions regarding mkdir and file_exists Do mkdir and file_exists works good for pass-protected folders ? and would i get any error while uploading file to that folder ? AND is this a good way of preventing direct access ? thanks

    Read the article

< Previous Page | 23 24 25 26 27 28 29 30 31 32 33 34  | Next Page >