Search Results

Search found 497 results on 20 pages for 'xss prevention'.

Page 4/20 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • Windows7 corrupted profile - prevention exists?

    - by Radek
    I have dedicated Windows7 (not on domain) virtual machine for overnight automation testing. Some commands (mySQLdump, tscon.exe) must be run under administrator account. Last week administrator account's profile was corrupted. I fixed it by renaming it in the registry and logging in as administrator. And today it is corrupted again. I use administrator account only to run above commands via runas. Also the computer is restarted via cmd - shutdown command - quite often. Especially every night before automation testing starts. I checked the comp for viruses - did full scan using avast although I believed that the comp is clean. Any idea how to prevent the profile to get corrupted again? update So the first log entry in event log is today from 1.15am and one of my scripts ran runas command as administrator exactly at 1.15am. It was second time that runas war executed though after the testing started. The same happened second day in a row. Before the testing starts I need to copy one file that is locked. So I run handle.exe from runas to unlock it. That is what I think causing the profile to get corrupted. I am not able to reproduce it by myself. The message from event viewer is Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. DETAIL – The process cannot access the file because it is being used by another process.

    Read the article

  • Dust prevention for home servers [closed]

    - by Payson Welch
    I found some posts on here about dealing with dust relating to servers but nothing that specifically addressed my question. I have several servers at home for research and as you can probably guess they are not cheap. It is impossible for me to remove 100% of the dust from my home as much as I may try. Does anyone know of any practical solutions to filtering the air that will go into the servers? For instance maybe place some sort of material over the bezel to catch dust particles before they enter? I realize the ideal home solution would be to have a small room with environmental controls but I'm not there yet. Thanks!

    Read the article

  • client generated double submit cookie, cross site request forgery prevention

    - by james
    in a double-submitted cookie csrf prevention scheme, is it necessary for the server to provide the cookie? it seems i could have javascript on the clients page generate and set a cookie "anti_csrf", then double submit that (once as a cookie, done by the browser, and once in the body of the request). a foreign domain would not be able to read or write the "anti_csrf" cookie to include it in the body of a request. is this secure, or am i overlooking something?

    Read the article

  • Practical way to implement prevention of IP Spoofing

    - by user1369975
    I am an undergraduate Computer Science student and was hoping to gain some knowledge of ways to help prevent IP spoofing but all the resources I have tried out elaborate this concept in a theoretical way. I want to try out my hands at one of the techniques like: http://en.wikipedia.org/wiki/Port_knocking http://en.wikipedia.org/wiki/SYN_cookies How do I simulate this whole situation in my own system were I myself am the attacker and I myself have to defend it? And once I have gained an understanding of it, then how do I start translating that into programming terms?

    Read the article

  • How can I prevent spam on sites which I control?

    - by danlefree
    This is a general, community wiki question to address all non-specific spam prevention questions. If your question was closed as a duplicate of this question and you feel that the information provided here does not provide a sufficient answer, please open a discussion on Pro Webmasters Meta. For purposes of this question, spam will include: Any automated post Manually-posted content which includes links to spammers' sites Manually-posted content which includes instructions to visit a spammer's site

    Read the article

  • Google Calendar API DoS prevention

    - by Don
    Hi, It appears that the Google calendar API effectively locks you out if you create and delete a few (less than 10) calendars within a short space of time. This has made it basically impossible for me to test my app, because it creates/deletes a calendar for each user that is added/removed from the app. Currently, I'm "working around" this issue by creating a new Google account each time I get locked out of the Calendar API. Clearly, this solution is less than satisfactory. Is there any way I can avoid this over-zealous DoS prevention? Thanks, Don

    Read the article

  • Where can I learn various hacking techniques on the web?

    - by Carson Myers
    I would like to try my hand at hacking -- that is, exploiting various website vulnerabilities. Not for any illegal purpose mind you, but so I can have a better understanding and appreciation of these exploits while writing my own web software. I seem to recall that there was a community that hosted a bunch of demo websites, and you had to find and exploit certain vulnerabilities with each one. I can't remember what it is called but this is the sort of thing I am looking for -- I have read a tonne of little XSS and CSRF examples but have yet to find a real-life hands-on example of one. Does anyone know of such a place, where I can be given an example page and look for security holes? I would really rather not try this with actual websites, I don't want to break any laws.

    Read the article

  • Is Rails default CSRF protection insecure

    - by schickb
    By default the form post CSRF protection in Rails creates an authenticity token for a user that only changes when the user's session changes. One of our customers did a security audit of our site and flagged that as an issue. The auditor's statement was that if we also had a XSS vulnerability that an attacker could grab another user's authenticity token and make use of it for CSRF attacks until the user's session expired. But is seems to me that if we had an XSS vulnerability like that an attacker could just as easily grab another user's session cookie and login as that user directly. Or even just make call to our REST Api as the user being attacked. No secondary CSRF attack needed. Have I missed something? Is there a real problem with the default CSRF protection in Rails?

    Read the article

  • Preventing spam bots on site?

    - by Mike
    We're having an issue on one of our fairly large websites with spam bots. It appears the bots are creating user accounts and then posting journal entries which lead to various spam links. It appears they are bypassing our captcha somehow -- either it's been cracked or they're using another method to create accounts. We're looking to do email activation for the accounts, but we're about a week away from implementing such changes (due to busy schedules). However, I don't feel like this will be enough if they're using an SQL exploit somewhere on the site and doing the whole cross site scripting thing. So my question to you: If they are using some kind of XSS exploit, how can I find it? I'm securing statements where I can but, again, its a fairly large site and it'd take me awhile to actively clean up SQL statements to prevent XSS. Can you recommend anything to help our situation?

    Read the article

  • Disabling javascript in specific block/div (containing suspect HTML) ?

    - by T4NK3R
    Is it, in any way, possible to disable the browsers execution of script inside a block/section/element ? My scenario is, that I'm letting my (future) users create "rich content" (using CK-editor). Content that wil later be shown to other users - with all the dangers that imply: xss, redirection, identity theft, spam and what not... I've, more or less, given up on trying to "sanitize" the incomming XHTML, after seeing how many known "vectors of attack" there are: http://ha.ckers.org/xss.html What I'm really looking for is something like: < div id="userContent"< scriptOFF suspect HTML < /scriptOFF< /div

    Read the article

  • MongoDB, Carrierwave, GridFS and prevention of files' duplication

    - by Arkan
    I am dealing with Mongoid, carrierwave and gridFS to store my uploads. For example, I have a model Article, containing a file upload(a picture). class Article include Mongoid::Document field :title, :type => String field :content, :type => String mount_uploader :asset, AssetUploader end But I would like to only store the file once, in the case where I'll upload many times the same file for differents articles. I saw GridFS has a MD5 checksum. What would be the best way to prevent duplication of identicals files ? Thanks

    Read the article

  • Which knowledge base/rule-based inference engine to choose for real time Runway incursion prevention

    - by Piligrim
    Hello, we are designing a project that would listen to dialog between airport controllers and pilots to prevent runway incursions (eg. one airplane is taking off while other is crossing the runway). Our professor wants us to use Jena for knowledge base (or anything else but it should be some sort of rule-based engine). Inference is not the main thing in Jena and there's not much documentation and examples of this. So we need an engine that would get messages from pilots as input and output possible risks of incursion or any other error in message protocol. It should be easy to write rules, and should be easy to provide engine with real time data. I image it something like this: A pilot sends a message that he lands on some runway, the system remembers that the runway is busy and no one should cross it If someone is given an instruction to cross this runway, the engine should fire a rule that something is wrong When the pilot sends a message that he left the runway and goes to the gate, the system clears the runway and lets other planes to use it. So is Jena, or prolog or any other rules engine suitable for this? I mean it is suitable, but do we really need to use it? I asked the prof. if we could just keep state of the runway and use some simple checks based on messages we receive and he said that it is not scalable and we need the knowledge base. Can someone give me any advise on which approach to use for this system? If you recommend k.b., then which one should we use? The project is written in java. Thank you.

    Read the article

  • move selected item from one selectbox to another selectbox(with duplicate prevention)

    - by I Like PHP
    i have two select box, now what i want is i want to move option from one select box to another via a button below is my code: php <table> <tr> <td> <select size="5" id="suppliedMovies" name="suppliedMovies"> <option selected="selected" value="">Select Movie</option> <option value="1">sholay</option> <option value="3">Jism</option> <option value="4">Rog</option> <option value="5">Zeher</option> <option value="6">Awarpan</option> <option value="7">Paap</option> <option value="8">paanch<option> <option value="9">no entry</option> </select> </td> <td> <input type="button" id="toRight" value="&gt;&gt;"><br> <input type="button" id="toLeft" value="&lt;&lt;"> </td> <td> <select size="5" id="accquiredMovies" name="accquiredMovies"> <option> No item right now</option> </select> </td> </tr> </table> Jquery jQuery(document).ready( function() { function displayVals() { var myValues = jQuery("#suppliedMovies").val(); return myValues; } jQuery('#toRight').click(function(){ var x=displayVals(); console.log(x); var txt=jQuery("#suppliedMovies option[value='"+x+"']").text(); console.log(txt); if(x!=''){ jQuery('#accquiredMovies').append("<option value='"+x+"' >"+txt+"</option>"); } }); }); i m using above jQuery, that is working fine but, i want that when one item is copy from one select box to another select box, then that item should be disable(or probably delete) from first select box (to prevent duplicate entry). i also want to move item from right to left select box please suggest me optimized jQuery . Thanks. UPDATE if i want to use multiple select box on both side? then how do i use that? more update if i click on a item on rightselectbox and move it to left selectbox, and go further(post) then on right selectbox, there is nothing selected items?? what i need is on right selectbox, there all items shoud be always selected , otherwise what i need to do? after i move an item from right to left ,i again have to select rest of items on right selectbox and go further

    Read the article

  • XSS to change ASP.NET session state

    - by Juri Bogdanov
    Hello! I am developing the application that stores current user and user's role to session state (System.Web.SessionState.HttpSessionState Page.Session). if (Session["username"] == null) Session.Add("username", User.Identity.Name); if (Session["isAdministrator"] == null) Session.Add("isAdministrator", User.IsInRole(domain + "\\Domain Admins")); After I check these session states in code behind for granting permissions to some excecution: if ((bool)Session["isAdministrator"] || computer.Administrators.Contains(Session["username"].ToString())) My question is next: how safe that mechanism is? Is it possible to change the session states using some JavaScript for example or some how else? Thanks :)

    Read the article

  • Session hijacking prevention...how far will my script get me? additional prevention procedures?

    - by Yusaf Khaliq
    When the user logs in the current session vairables are set $_SESSION['user']['timeout'] = time(); $_SESSION['user']['ip'] = $_SERVER['REMOTE_ADDR']; $_SESSION['user']['agent'] = $_SERVER['HTTP_USER_AGENT']; In my common.php page (required on ALL php pages) i have used the below script, which resets a 15 minute timer each time the user is active furhtermore checks the IP address and checks the user_agent, if they do not match that as of when they first logged in/when the session was first set, the session is unset furthermore with inactivity of up to 15 minutes the session is also unset. ... is what i have done a good method for preventing session hijacking furthermore is it secure and or is it enough? If not what more can be done? if(!empty($_SESSION['user'])){ if ($_SESSION['user']['timeout'] + 15 * 60 < time()) { unset($_SESSION['user']); } else { $_SESSION['user']['timeout'] = time(); if($_SESSION['user']['ip'] != $_SERVER['REMOTE_ADDR']){ unset($_SESSION['user']); } if($_SESSION['user']['agent'] != $_SERVER['HTTP_USER_AGENT']){ unset($_SESSION['user']); } } }

    Read the article

  • Drupal SQL injection attacks prevention and apostrophe handling in Forms

    - by jini
    in typical PHP applications I used to use mysql_real_escape_string before I did SQL inserts. However I am unable to do that in Drupal so would need some assistance. And without any sort of function like that, user input with apostrophes is breaking my code. Please suggest. Thank You My SQL is as follows: $sql = "INSERT INTO some_table (field1, field2) VALUES ('$field1', '$field2')"; db_query($sql);

    Read the article

  • List of free hosted domains (phishing prevention)

    - by nigative
    Does anyone has a compiled list of free hosting domains? On the website, when user clicks on external link I want them to be redirected to my page that will check if that external link is on free hosting or not. If it is, I want to warn the user, but right now I can't find a list of such domains. Any help?

    Read the article

  • Is it necessary to "escape" character "<" and ">" for javascript string?

    - by Morgan Cheng
    Sometimes, server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" should be generated by ASP.NET. Then it looks like. <script> var username = "<%UserName%>"; </script> This is not safe, because a user can have his/her name to be </script><script>alert('bug')</script></script> It is XSS vulnerability. So, basically, the code should be: <script> var username = "<% JavascriptEncode(UserName)%>"; </script> What JavascriptEncode does is to add charater "\" before "/" and "'" and """. So, the output html is like. var username = "<\/scriptalert(\'bug\')<\/script<\/script"; Browser will not interpret "<\/script" as end of script block. So, XSS in avoided. However, there are still "<" and "" there. It is suggested to escape these two characters as well. First of all, I don't believe it is a good idea to change "<" to "&lt;" and "" to "&gt;" here. And, I'm not sure changing "<" to "\<" and "" to "\" is recognizable to all browsers. It seems it is not necessary to do further encoding for "<" and "". Is there any suggestion on this? Thanks.

    Read the article

  • Any danger in calling flash messages html_safe?

    - by PreciousBodilyFluids
    I want a flash message that looks something like: "That confirmation link is invalid or expired. Click here to have a new one generated." Where "click here" is of course a link to another action in the app where a new confirmation link can be generated. Two drawbacks: One, since link_to isn't defined in the controller where the flash message is being set, I have to put the link html in myself. No big deal, but kind of messy. Number two: In order for the link to actually display properly on the page I have to html_safe the flash display function in the view, so now it looks like (using Haml): - flash.each do |name, message| = content_tag :div, message.html_safe This gives me pause. Everything else I html_safe has been HTML I've written myself in helpers and whatnot, but the contents of the flash hash are stored in a cookie client-side, and could conceivably be changed. I've thought through it, and I don't see how this could result in an XSS attack, but XSS isn't something I have a great understanding of anyway. So, two questions: 1. Is there any danger in always html_safe-ing all flash contents like this? 2. The fact that this solution is so messy (breaking MVC by using HTML in the controller, always html_safe-ing all flash contents) make me think I'm going about this wrong. Is there a more elegant, Rails-ish way to do this? I'm using Rails 3.0.0.beta3.

    Read the article

  • How best to present a security vulnerability to a web development team in your own company?

    - by BigCoEmployee
    Imagine the following scenario: You work at Big Co. and your coworkers down the hall are on the web development team for Big Co's public blog system, which a lot of Big Co employees and some public people use. The blog system allows any HTML and JavaScript, and you've been told that it was a choice (not by accident) but you aren't sure if they realize the implications of this. So you want to convince them that this is a bad idea. You write some demonstration code and plant a XSS script in your own blog, and then write some blog posts. Soon after, the head blog admin (down the hall) visits your blog post and the XSS sends his cookies to you. You copy them into your browser and you are now logged in as him. Okay, now you're logged in as him... And you start realizing that it maybe wasn't such a good idea to go ahead and 'hack' the blog system. But you are a good guy! You don't touch his account after logging into it, and you definitely don't plan on publicizing this weakness; you just maybe want to show them that the public is able to do this, so that they can fix it before someone malicious realizes the same thing! What is the best course of action from here?

    Read the article

  • Why use a whitelist for HTML sanitizing?

    - by Carson Myers
    I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input? How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?

    Read the article

  • To HTMLENCODE or not to HTMLENCODE user input on web form (asp.net vb)

    - by Phil
    I have many params making up an insert form for example: x.Parameters.AddWithValue("@city", City.Text) I had a failed xss attack on the site this morning, so I am trying to beef up security measures anyway.... Should I be adding my input params like this? x.Parameters.AddWithValue("@city", HttpUtility.HtmlEncode(City.Text)) Is there anything else I should consider to avoid attacks? Thanks

    Read the article

  • Sanitizing input for display in view when using simple_format

    - by Eric
    Hi, I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods. What I am now doing is: simple_format(santize(auto_link(comment.text))) Is this the right way to do this, and is it still safe from XSS attacks? Thanks! Eric

    Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >