Search Results

Search found 52277 results on 2092 pages for 'web security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 68/2092 | < Previous Page | 64 65 66 67 68 69 70 71 72 73 74 75  | Next Page >

  • Testing for security vulnerabilities on web applications

    - by Moak
    A lot of companies use CMS software that updates on the regular, often they are security fixes, implying that the previous version have security vulnerabilities. But most clients never upgrade this, or even the CMS has been modified so that an update would break the site. Are there sites that document these exploits, and instruct how to test for them? Or does this information not even get published? (in order not to have people try to exploit them) Also is there a generic php/js based check list to prevent hack attempts? I know about SQL injections and XSS, but I'm sure that there are more threats out there. Peace

    Read the article

  • W3C Web Content Accessibility Guidelines 1.0, which technology could I use?

    - by vtortola
    Hi, I've a project where one of the requirements is fullfil the "W3C Web Content Accessibility Guidelines 1.0 (WCAG 1.0)". I'm now considering wich technology could I use to acomplish it, but I'm a little bit confused. Silverlight would be the easiest way, but I cannot find conclusive information about if silverlight is or isn't compilant. I've seen controls pack done in javascript that looks very nice, like DHTMLX, but again the same problem, I don't know for sure. Besides, I've always read that a website should work wihthout javascript, and use it just for improve the user experience. Thanks.

    Read the article

  • Handling user security scope with nHibernate or other ORM

    - by Schotime
    How should one handle the situation where you may need to filter by a group of users. Here is the scenario. I have an administrator role in my company. I should be able to see all the data belonging to me plus all the other users who I have control over. A plain old user however should only be able to access their own data. If you are writing regular sql statements then you can have a security table with every user and who they have access too but i'm not sure how to handle this situation in the OO and ORM world. Any one dealt with this scenario in a web application using an ORM? Would love to hear your thoughts!

    Read the article

  • help in security assignment

    - by scatman
    i have to write a program that sniffs network packets (part1-the simple part). and i have to update the program (part2) so that it will be able to terminate connections. the specific requirements are: construct raw packets by specifying data link layer and network layer information including appropriate source and destination MAC and IP addresses. These packets are intended to terminate the connection. To do so, you should used SOCK_RAW as the socket type to be able to set the header information by yourself. can anybody give me some ideas on the second part? should i hijack the session,apply a dos attack on one of the users?? all i need is some tips of how to terminate the connection. i am using c programming language. and this is a course assignment for the security course.

    Read the article

  • Form Security (discussion)

    - by Eray Alakese
    I'm asking for brain storming and sharing experience. Which method you are using for form submiting security ? For example , for block automatically sended POST or GET datas, i'm using this method : // Generating random string <?php $hidden = substr(md5(microtime()) ,"-5"); ?> <form action="post.php" .... // assing this random string to a hidden input <input type="hidden" value="<?php echo $hidden;" name="secCode> // and then put this random string to a session variable $_SESSION["secCode"] = $hidden; **post.php** if ($_POST["secCode"] != $_SESSION["secCode"]) { die("You have to send this form, on our web site"); }

    Read the article

  • ASP.Net Web API Routing fails when api is created as a web application under another asp.net site in IIS

    - by neo
    I developed a rest api using ASP.net web api. When I deploy this rest api on iis, I need to create it as a web application under an asp.net web site. When I was deploying the rest api as a new web site in iis, then things worked fine. I was using the following Route api/{controller}/{id}. When I created the rest api as a web application underneath asp.net web site project, I named the web application as api. I can't access the api methods now. Can someone point what I do wrong?

    Read the article

  • Calling web service methods using URLs

    - by Alka
    Hi. So, i have a central web service that is responsible for managing other services. These services register in the main WS with their URL, leading to their own web service. what i need to do now is call the child web services from the central web service. I've searched google on how to do this but all i could find was this. I would like to register any web service and not create a web reference, as suggested in the solution i've found. How is this done without using a web reference?

    Read the article

  • Security question

    - by Syom
    in my cms i have index.php, where client must enter username and password. if they are correct, he'll moove to admin.php, where the cms is. but now hacker can enter to cms/admin.php, so my security now is awful. i know, that i can use $_SESSION variable. index.php - i can give some value to $_SESSION['success']: $_SESSION['success'] = TRUE, and in admin.php just verify it admin.php if($_SESSION['success'] == TRUE) { my script here... } else header("Location: index.php"); but i want to rich this effect without SESSION. could you give me an idea, how can i do it? thanks

    Read the article

  • global security manager in flex

    - by ron
    hi, I made a swf that interacts with other site on the internet (which has a crossdomainfile for me). in the main.mxml there is a definition of webservice (mx:WebService)(which is not in my domain). Therefore when loading the swf, there is a first call to crossdomainfile.xml. I put this swf on my server so that my clients can get it. When i connect to my server to download the swf, i expect to be asked if i want to allow the swf connect to foreign webservice domain. But i am not being asked. Do i always need to define exception in Global Security Settings panel? I don't want my client do define special things.. Is there a best practice for that? Why when i surfing the net other swf can do this? I read about the FlashPlayerTrust, can i define there a website i trust my swf will connect to? anyone knows?

    Read the article

  • implementing security with session variables, how it is insecure

    - by haansi
    I am doing web based projects in dotnet. Currently I am implementing security using session variables. I keep current user id and user type in session and authenticate user from these session variables (say Session["UserId"],Session["UserName"] and Session["UserType"]). Please help me understand how this could be insecure. I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get session id and directly connect to that session id etc. Please guide me on this.

    Read the article

  • Security of PHP script, embedded or otherwise

    - by typoknig
    Hi all, I am curious about the security of PHP on an HTML webpage where PHP code is embedded (a webpage that would exist on the server as "webpage.php") or on a PHP script that may be referenced by an HTML page (that is, a PHP script that is not actually part of a webpage that exists on the server as "something.php" and is referenced by "webpage.html"). Getting to the point, let us say that if the source code of my PHP script is known by anyone it would be a very big problem. I know that when you view the source of a PHP page in a browser the PHP script is not shown, but what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script? To be more general, is there ANY possible way that a user could access the source of a PHP script from a web browser, and if so, how do I prevent it?

    Read the article

  • PHP Security checklist (injection, sessions etc)

    - by NoviceCoding
    So what kind of things should a person using PHP and MySql be focused on to maximize security. Things I have done: -mysql_real_escape_string all inputs -validate all inputs after escaping em -Placed random alpha numerics before my table names -50character salt + Ripemd passwords Heres where I think I am slacking: -I know know nothing about sessions and securing them. How unsafe/safe is it if all you are doing is: session_start(); $_SESSION['login']= $login; and checking it with: session_start(); if(isset($_SESSION['login'])){ -I heard something about other forms of injection like cross site injection and what not... -And probably many other things I dont know about. Is there a "checklist"/Quicktut on making php secure? I dont even know what I should be worried about.I kinda regret now not building off cakephp since I am not a pro.

    Read the article

  • Secure WS client with UsernameToken(SOAP security header)

    - by user79163
    Hi, I'm trying to secure my WS client to be able to call the WS. My code looks like this: SendSmsService smsService = new SendSmsService(); SendSms sendSMS = smsService.getSendSms(); BindingProvider stub = (BindingProvider)sendSMS; //Override endpoint with local copy of wsdl. String URL ="";//here is the wsdl url Map<String,Object> requestContext = stub.getRequestContext(); requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, URL); //Set usernametoken URL fileURL = loader.getResource("client-config.xml"); File file = new File(fileURL.getFile()); FileInputStream clientConfig = null; try { clientConfig = new FileInputStream(file); } catch (FileNotFoundException e) { e.printStackTrace(); } XWSSecurityConfiguration config = null; try { config = SecurityConfigurationFactory.newXWSSecurityConfiguration(clientConfig); } catch (Exception e) { e.printStackTrace(); log.warn("Exception: "+e.getMessage()); } requestContext.put(XWSSecurityConfiguration.MESSAGE_SECURITY_CONFIGURATION, config); //Invoke the web service String requestId = null; try { requestId = sendSMS.sendSms(addresses, senderName, charging, message, receiptRequest); } catch (PolicyException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (ServiceException e) { // TODO Auto-generated catch block e.printStackTrace(); } and the config file looks like this: <xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" optimize="true"> <xwss:Service> <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"> <xwss:UsernameToken name="username" password="password> </xwss:SecurityConfiguration> </xwss:Service> <xwss:SecurityEnvironmentHandler> util.SecurityEnvironmentHandler </xwss:SecurityEnvironmentHandler> </xwss:JAXRPCSecurity> The SecurityEnviromentHandler is a dummy class that implements javax.security.auth.callback.CallbackHandler. Authentication must be in compliance with Oasis Web Services Security Username Token Profile 1.0. But I'm constantly getting "Security header not valid" error. Where am I going wrong, can anyone tell me. I used wsimport(JAX_WS 2.1 to generate classes for my client) Note:Only thing I know about this WS is WSDL URL and user&pass for authentication

    Read the article

  • OpenId authentication and automatic registration with Spring Security 3.0.2

    - by xlluch
    I'm implementing an app using spring security 3.0.2 with OpenId login and registration. I can login succesfully, but if the user isn't registered i want to do: 1) Get some OpenId attributes like email and name. 2) Show to the user a registration form with just these two fields and the OpenId URI filled. I've been searching a lot but i didn't find an "ellegant" way of doing this. I wonder if some of u can come out with a solution to implement this strategy in my app. Thanks in advance.

    Read the article

  • Security issues in accepting passwords vs auto generating the password

    - by Vivekanand Poojari
    Hi, I am developing a console application. This application generates a self signed certificate and installs it in the current machine's certificate store. The steps invlolved are :- Generate a certificate Create a pfx file Install the pfx file For these steps i would need a password for protecting the private key and the pfx file. However these passwords are used only during the execution of the exe. Should I auto generate a password using some random number generation algorithm or accept the password as input from the user? What are the security issues involved in both the scenarios ? Thanks Vivekanand

    Read the article

  • Creating a PHP web app to allow users to vote on submissions - How can I minimize abuse.

    - by sibliant
    Hi Community, I've only written a few small php web apps and I'm throwing code together right now to allow for users to submit short stories. these stories will display and allow others to vote them up. The winner receives something rather valuable and I'm paranoid people are going to try to manipulate it. Debian / Apache / PHP 5.2 / jquery users are not required to login / authenticate. users can vote multiple stories up but only once for each story Is it as simple as tagging each story with an IP address and not counting other submissions from that IP? Thanks for any advise.

    Read the article

  • Spring security with database and multiple roles?

    - by Joe
    I'm trying to make an application using spring 3.0. Now I've decided to try my hand at spring-security and hibernate. I've already seen that it's possible to back it with a databasem and I've seen a reference to defining your own queries? Now the problem I have is that the tutorials I've been finding aren't too clear and that they assume that a user can only have one role. I want to give some users multiple roles. So I was thinking about a database scheme along the lines of: User: user_id username password registrationDate User_Role: user_id role_id Role: role_id rolename Now I was wondering if anyone had some pointers to some usefull tutorials/advice/comments.

    Read the article

  • File permissions on web server

    - by plua
    I have just read this useful article on files permissions, and I am about to implement a as-strict-as-possible file permissions policy on our webserver. Our situation: we have a web server accessed through sftp by different users from within our company, and we have the general public accessing Apache - sometimes uploading files through PHP. I distinguish folders and files by their use. So based on this reading, here is my plan: All people who need to upload files will have separate users. But all of those users will belong to two groups: uploaders, and webserver. Apache will belong to the group webserver. Directories Permission: 771 Owner: user:uploaders Explanation: to access files in the folder, everybody needs to have execute permission. Only uploaders will be adding/removing files, so they also get r+w permission. Files within the web-root Permission: 664 Owner: user:uploaders Explanation: they will be uploaded and changed by different users, so both owner and group need to have w+r permissions. Webserver needs to only read files, so r permission only. Upload-directories Permission: 771 Owner: user:webserver Explanation: when files need to be uploaded, Apache needs to be able to write to this directory. But I figure it is safer to change the owner to webroot, thus giving Apache sufficient privileges (and all uploaders also belong to this group and will have the same permissions), while safeguarding from "others" writing to this folder. Uploaded files Permission: 664 Owner: user:webserver Explanation: after uploading Apache might need to delete files, but this is no problem because they have w+r permission of the folder. So no need to make this file any more accessible than r access for group. Being not an expert on file permissions, my question is whether or not this is the best possible policy for our situation? Any suggestions welcome.

    Read the article

  • Ubuntu web server cluster checks Ubuntu repository for script updates with cron

    - by StuartTheY
    I have a cluster of Ubuntu 12.04 web servers running a lamp stack. All of these servers are connected to a Load Balancer on Amazon Web Services. What I want to be able to do is have a dedicated Ubuntu server that I can update the PHP files on and have the other web servers check with cron to get the updates files from the repository. They don't have to use cron but that was the only thing I could think of, unless there was a way to have the updated repository tell them that it has updated files. And then how to transfer those files. Also if there is a ways for a server to check for updated files when it boots because I am going to be using auto scaling on AWS so when there is an increase in the load and another server gets created I need it to download the updated files from the repository when launched. Not sure how to transfer files from server to server.

    Read the article

  • Web based library management (FOSS) application

    - by pgb
    I'm looking for a FOSS web-based library management application. I want to manage the few books we have at our company, and I'm looking for applications that provide a simple web interface to: Add new books. Search for books. (Not Required) Place holds on books. My ideal would be something like Delicious Library, but web based and open source. I've looked at Koha (which I could not install), Emilda, which seems to be a dead project (last emails are from 2006 and I could not install it) and VuFind which looks awesome but doesn't provide (or I could not find) an interface to add new records to the library. Any suggestions?

    Read the article

  • Necesity of ModSecurity if Apache is behind Nginx

    - by Saif Bechan
    I have my Apache installed behind Nginx. So every request that comes in is first handeled by Nginx. If there is dynamic content needed the request is send to Apache which listens on port 8080. Pretty basic reverse proxy setup. Now with this setup the first entry point is Nginx. Is it still needed to install ModSecurity to protect Apache against unwanted request. Or should I just focus on protecting Nginx as this is the first entry point. All suggestions are welcome.

    Read the article

  • Do browsers allows pages loaded on one tab to access/intercept/inject data in other tabs?

    - by jairo
    I was surprised to hear from this Reuters video that it was possible for a page loaded on one tab to access and/or inject data onto another page loaded on a different tab. TL;DW (too lazy; didn't watch) The interviewee in the video suggests that when doing online banking, the user exit his browser (thus closing all windows) and start a new browser session with just your banking page/tab open. Allegedly, malicious sites can check if you have your banking site open and inject commands onto those sites. Can someone confirm and/or deny this claim? Is it only possible even if there is not parent/child relationship between windows/tabs?

    Read the article

  • how do web hosting companies host end users domain and give so many public IPs

    - by Registered User
    Hi, I am a Computer Science guy who understands networking very well. But when it comes to Web hosting companies I am clue less. I want to know how do web hosting companies give so many public IPs to so many users and each of them has root login also. How this is technically done that is what I am interested to know. I do not know how you people configure it. In my case if I have to do I will buy a public IP from some one and connect my server to it and at max give some people SSH access to it.In case of Web hosting companies how is it done.

    Read the article

  • How can I have APF block script kiddies that mod_security detects?

    - by Gaia
    In one of the vhosts' error_log I found thousands of lines like these, all from the same IP: [Mon Apr 19 08:15:59 2010] [error] [client 61.147.67.206] mod_security: Access denied with code 403. Pattern match "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\\\(.*\\\\)\\\\;" at THE_REQUEST [id "330001"] [rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"] [hostname "x.x.x.x"] [uri "//webmail/config.inc.php?p=phpinfo();"] Given how obvious the situation is, how come mod_security isnt automatically adding at least that IP to deny rules? There is no way someone hasnt thought of this before...

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 64 65 66 67 68 69 70 71 72 73 74 75  | Next Page >