Search Results

Search found 30819 results on 1233 pages for 'software security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 309/1233 | < Previous Page | 305 306 307 308 309 310 311 312 313 314 315 316  | Next Page >

  • Preventing LDAP injection

    - by Matias
    I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After woking a while on that I noticed that the user could be able to alter the LDAP query by injecting malicious code. I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc. I thought that escaping equals and semicolons would be enough, but not sure. Here is a little piece of code so I can make clearer the question: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); Obviously I do need to sanitize $userName, as stated in this OWASP ARTICLE

    Read the article

  • ASP.NET Membership Provider - Single Login

    - by RSolberg
    I'm considering utilizing the ASP.NET Membership Provider for a few different web apps/tools with a single login approach. REQUIREMENTS User logs in to my.domain.com and sees a list of apps/tools that they have permission to use. The user selects the tool they'd like to use and clicks the link. When the tool opens, it is able to identify that they are currently logged in and who they are to identify any unique permissions to the application. I know that each app could simply point to the same back end Membership Provider DB, however will each app require a login or will it be able to identify if the user is already logged in?

    Read the article

  • Magic quotes in PHP

    - by VirtuosiMedia
    According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data: if (!get_magic_quotes_gpc()) { $lastname = addslashes($_POST['lastname']); } else { $lastname = $_POST['lastname']; } I have other validation checks that I will be performing, but how secure is the above strictly in terms of escaping data? I also saw that magic quotes will be deprecated in PHP 6. How will that affect the above code? I would prefer not to have to rely on a database-specific escaping function like mysql_real_escape_string().

    Read the article

  • WCF MessageHeaders in OperationContext.Current

    - by Nate Bross
    If I use code like this [just below] to add Message Headers to my OperationContext, will all future out-going messages contain that data on any new ClientProxy defined from the same "run" of my application? The objective, is to pass a parameter or two to each OpeartionContract w/out messing with the signature of the OperationContract, since the parameters being passed will be consistant for all requests for a given run of my client application. public void DoSomeStuff() { var proxy = new MyServiceClient(); Guid myToken = Guid.NewGuid(); MessageHeader<Guid> mhg = new MessageHeader<Guid>(myToken); MessageHeader untyped = mhg.GetUntypedHeader("token", "ns"); OperationContext.Current.OutgoingMessageHeaders.Add(untyped); proxy.DoOperation(...); } public void DoSomeOTHERStuff() { var proxy = new MyServiceClient(); Guid myToken = Guid.NewGuid(); MessageHeader<Guid> mhg = new MessageHeader<Guid>(myToken); MessageHeader untyped = mhg.GetUntypedHeader("token", "ns"); OperationContext.Current.OutgoingMessageHeaders.Add(untyped); proxy.DoOtherOperation(...); } In other words, is it safe to refactor the above code like this? bool isSetup = false; public void SetupMessageHeader() { if(isSetup) { return; } Guid myToken = Guid.NewGuid(); MessageHeader<Guid> mhg = new MessageHeader<Guid>(myToken); MessageHeader untyped = mhg.GetUntypedHeader("token", "ns"); OperationContext.Current.OutgoingMessageHeaders.Add(untyped); isSetup = true; } public void DoSomeStuff() { var proxy = new MyServiceClient(); SetupMessageHeader(); proxy.DoOperation(...); } public void DoSomeOTHERStuff() { var proxy = new MyServiceClient(); SetupMessageHeader(); proxy.DoOtherOperation(...); } Since I don't really understand what's happening there, I don't want to cargo cult it and just change it and let it fly if it works, I'd like to hear your thoughts on if it is OK or not.

    Read the article

  • Encrypted AES key too large to Decrypt with RSA (Java)

    - by Petey B
    Hello, I am trying to make a program that Encrypts data using AES, then encrypts the AES key with RSA, and then decrypt. However, once i encrypt the AES key it comes out to 128 bytes. RSA will only allow me to decrypt 117 bytes or less, so when i go to decrypt the AES key it throws an error. Relavent code: KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(1024); KeyPair kpa = kpg.genKeyPair(); pubKey = kpa.getPublic(); privKey = kpa.getPrivate(); updateText("Private Key: " +privKey +"\n\nPublic Key: " +pubKey); updateText("Encrypting " +infile); //Genereate aes key KeyGenerator kgen = KeyGenerator.getInstance("AES"); kgen.init(128); // 192/256 SecretKey aeskey = kgen.generateKey(); byte[] raw = aeskey.getEncoded(); SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES"); updateText("Encrypting data with AES"); //encrypt data with AES key Cipher aesCipher = Cipher.getInstance("AES"); aesCipher.init(Cipher.ENCRYPT_MODE, skeySpec); SealedObject aesEncryptedData = new SealedObject(infile, aesCipher); updateText("Encrypting AES key with RSA"); //encrypt AES key with RSA Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.ENCRYPT_MODE, pubKey); byte[] encryptedAesKey = cipher.doFinal(raw); updateText("Decrypting AES key with RSA. Encrypted AES key length: " +encryptedAesKey.length); //decrypt AES key with RSA Cipher decipher = Cipher.getInstance("RSA"); decipher.init(Cipher.DECRYPT_MODE, privKey); byte[] decryptedRaw = cipher.doFinal(encryptedAesKey); //error thrown here because encryptedAesKey is 128 bytes SecretKeySpec decryptedSecKey = new SecretKeySpec(decryptedRaw, "AES"); updateText("Decrypting data with AES"); //decrypt data with AES key Cipher decipherAES = Cipher.getInstance("AES"); decipherAES.init(Cipher.DECRYPT_MODE, decryptedSecKey); String decryptedText = (String) aesEncryptedData.getObject(decipherAES); updateText("Decrypted Text: " +decryptedText); Any idea on how to get around this?

    Read the article

  • Test Case Design and Responsibility

    - by Sakamoto Kazuma
    So it seems like a lot of people are playing the blame game around where I work, and it brings up an interesting question. Knowns: Requirements team writes requirements for product. Developers create their own unit tests out of requirements. Testing team creates their general tests out of requirements and past customer issues. Product released if and only if X% of testcases from Testing team passes Customer response team gets bugs from the field, and lets the testing team know about these issues. Question: If the customer ends up filing a lot of defects, who is to blame? Is it the Testing team for not covering those? Or is it the requirements team for not writing better requirements? And how does one improve upon the system?

    Read the article

  • Symfony user authentication using Active Directory

    - by Radu Dragomir
    Is there a way to authenticate users in symfony apps using Active Directory? Can you please point out some documentation? edit What i need is to have a transparent login in my application. The user authenticates once at windows logon, then all applications should be accessed with the same credentials without being asked for the domain\username and password again. I tried the following in a simple php script: if (!isset($_SERVER['PHP_AUTH_USER'])) { header('WWW-Authenticate: Basic realm="my realm"'); header('HTTP/1.0 401 Unauthorized'); exit; } else { echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>"; echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>"; } but then i get the authentication form popped up. Is there any way to pass the header the credentials used at windows logon? Thanks, Radu.

    Read the article

  • Prevent SQL injection from form-generated SQL - NO PreparedStmts

    - by Markos Fragkakis
    Hi all, I have a search table where user will be able to filter results with a filter of the type: Field [Name], Value [John], Remove Rule Field [Surname], Value [Blake], Remove Rule Field [Has Children], Value [Yes], Remove Rule Add Rule So the user will be able to set an arbitrary set of filters, which will result essentially in a completely dynamic WHERE clause. In the future I will also have to implement more complicated logical expressions, like Where (name=John OR name=Nick) AND (surname=Blake OR surname=Bourne), Of all 10 fields the user may or may not filter by, I don't know how many and which filters the user will set. So, I cannot use a prepared statement (which assumes that at least we know the fields in the WHERE clause). This is why prepared statements are unfortunately out of the question, I have to do it with plain old, generated SQL. What measures can I take to protect the application from SQL Injection (REGEX-wise or any other way)?

    Read the article

  • Does each authenticated WCF client connection need a CAL?

    - by Sentax
    Just like the title says. Does each authenticated WCF client connection to a WCF server that you have developed need a windows CAL? http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx Microsoft's licensing on that page sure makes it sound like it, but I can't find anything out there that confirms, or even denies this. Anyone know?

    Read the article

  • Get a list of members of a WinNT group (C#)

    - by Keith Moore
    There are a couple of questions similar to this on stack overflow but not quite the same. I want to open, or create, a local group on a win xp computer and add members to it, domain, local and well known accounts. I also want to check whether a user is already a member so that I don't add the same account twice, and presumably get an exception. So far I started using the DirectoryEntry object with the WinNT:// provider. This is going ok but I'm stuck on how to get a list of members of a group? Anyone know how to do this? Or provide a better solution than using DirectoryEntry?

    Read the article

  • "Authorize" attribute and 403 error page

    - by zerkms
    [Authorize] property is nice and handy MS invention, and I hope it can solve the issues I have now To be more specific: When current client isn't authenticated - [Authorize] redirects from secured action to logon page and after logon was successfull - brings user back, this is good. But when current cilent already authenticated but not authorized to run specific action - all I need is to just display my general 403 page. Is it possible without moving authorization logic within controller's body? UPD: The behavior I need in should be semantically equals to this sketch: public ActionResult DoWork() { if (!NotAuthorized()) { return RedirectToAction("403"); } return View(); } so - there should no any redirect and url should be stay the same, but contents of the page should be replaced with 403-page

    Read the article

  • Javascript Injection and Sql Script injection

    - by Pranali Desai
    Hi All, I am writing an application and for this to make it safe I have decided to HtmlEncode and HtmlDecode the data to avoid Javascript Injection and Paramaterised queries to avoid Sql Script injection. But I want to know whether these are the best ways to avoid these attacks and what are the other ways to damage the application that I should take into consideration.

    Read the article

  • What Issue Tracking System to select?

    - by Mikee
    What Issue Tracking Sytem is the most appropriate for fast, big, multilingual and international websites? The system has to handle both technical and content/editorial issues. What's the size and type of your site do you run? Whart System are you using for the keeping it state of the art? Thanks a lot for sharing your good or bad experience.

    Read the article

  • Pattern for verifying authenticity of a request to WCF service

    - by fung
    I have a client app that makes calls to a WCF service. This app is on a public computer that's easily accessible and anyone can easily copy the .EXE and .CONFIG of my app into another machine and start using it. Is there a pattern where I can check if the request is coming only from an app on a computer I installed it on and not on one it has been copied to? Thanks in advance.

    Read the article

  • want to build an alarm app in iphone.

    - by Sumit Kr Singh
    Hi, I want to build an alarm application for iphone. I want to ignore iphone device state and volume buttons state. I want to play sound anyhow in full volume and also want that user cant modify volume using iphone hardware buttons while sound is played. Does anybody know how to implement it? Please post the code here....... Thankx in Advance.......

    Read the article

  • Silverlight 4 - elevated permission *inside* the browser

    - by Doug
    I know Silverlight 4 can handle elevated permissions outside the browser. Is there a way to accomplish this inside the browser? I need to make a folder/file upload manager that gives a better user experience than the standard , and I'd like to implement it in Silverlight. I know Java has an option to gain elevated permissions, but you have to attach a signed certificate to your app. Does Silverlight 4 have a similar option - to gain elevated permissions by attaching a signed certificate (after warning the user, of course)? -Doug

    Read the article

  • Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?

    - by jmcd
    We've just had some Penetration Testing carried out on an application we've built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the Form could be resubmitted multiple times and did not expire after a single use. According to the OWASP recommendations around the Synchronizer Token Pattern: "In general, developers need only generate this token once for the current session." Which is how I think the ASP.NET MVC AntiForgeryToken works. In case we have to fight the battle, is it possible to cause the AntiForgeryToken to regenerate a new value after each validation?

    Read the article

  • MembershipProvider, IPrincipal, IIdentity?

    - by MRFerocius
    Hello guys; I have a conceptual question... I am making an Intranet application (Web platform) for a company. I have a SQL Server DB with these tables: Users (userID, userName, userPass, roleID) Roles (roleID, roleName) Pages (pageID, pageURL) RolesXPages(pageID, roleID) How is the best way to create a structure to store all this information while the user navigates the site, I mean, on the thread I should be able to check his role, his pages (the ones he can access) I have been reading and there is a lot of stuff there where Im confused, I saw the MembershipProvider, IPrincipal, IIdentity, etc classes but Im not sure what should be the best one for me. Any thoughts... Thanks in advance! Edit: Everytime gets more confusing... I just want to handle those structures at runtime and be able to mantain state during page callbacks or changing pages...

    Read the article

  • How to implement SAML SSO

    - by A_M
    How is SAML SSO typically implemented? I've read this about using SAML with Google Apps, and the wikipedia entry on SAML. The wikipedia entry talks about responding with forms containing details of the SAMLRequest and SAMLResponse. Does this mean that the user has to physically submit the form in order to proceed with the single sign on? The google entry talks about using redirects, which seems more seemless to me. However, it also talks about using a form for the response which the user must submit (although it does talk about using JavaScript to automatically submit the form). Is this the standard way of doing this? Using redirects and JavaScript for form submission? Does anyone know of any other good resources about how to go about implementing SSO between a Windows Domain and a J2EE web application. The web application is on a separate network/domain. My client wants to use CA Siteminder (with SAML).

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 305 306 307 308 309 310 311 312 313 314 315 316  | Next Page >