Search Results

Search found 492 results on 20 pages for 'abuse prevention'.

Page 7/20 | < Previous Page | 3 4 5 6 7 8 9 10 11 12 13 14  | Next Page >

• What am I missing in this ASP.NET XSS Security Helper class?

  - by smartcaveman

  I need a generic method for preventing XSS attacks in ASP.NET. The approach I came up with is a ValidateRequest method that evaluates the HttpRequest for any potential issues, and if issues are found, redirect the user to the same page, but in a away that is not threatening to the application. (Source code below) While I know this method will prevent most XSS attacks, I am not certain that I am adequately preventing all possible attacks while also minimizing false positives. So, what is the most effective way to adequately prevent all possible attacks, while minimizing false positives? Are there changes I should make to the helper class below, or is there an alternative approach or third party library that offers something more convincing? public static class XssSecurity { public const string PotentialXssAttackExpression = "(http(s)*(%3a|:))|(ftp(s)*(%3a|:))|(javascript)|(alert)|(((\\%3C) <)[^\n]+((\\%3E) >))"; private static readonly Regex PotentialXssAttackRegex = new Regex(PotentialXssAttackExpression, RegexOptions.IgnoreCase); public static bool IsPotentialXssAttack(this HttpRequest request) { if(request != null) { string query = request.QueryString.ToString(); if(!string.IsNullOrEmpty(query) && PotentialXssAttackRegex.IsMatch(query)) return true; if(request.HttpMethod.Equals("post", StringComparison.InvariantCultureIgnoreCase)) { string form = request.Form.ToString(); if (!string.IsNullOrEmpty(form) && PotentialXssAttackRegex.IsMatch(form)) return true; } if(request.Cookies.Count > 0) { foreach(HttpCookie cookie in request.Cookies) { if(PotentialXssAttackRegex.IsMatch(cookie.Value)) { return true; } } } } return false; } public static void ValidateRequest(this HttpContext context, string redirectToPath = null) { if(context == null || !context.Request.IsPotentialXssAttack()) return; // expire all cookies foreach(HttpCookie cookie in context.Request.Cookies) { cookie.Expires = DateTime.Now.Subtract(TimeSpan.FromDays(1)); context.Response.Cookies.Set(cookie); } // redirect to safe path bool redirected = false; if(redirectToPath != null) { try { context.Response.Redirect(redirectToPath,true); redirected = true; } catch { redirected = false; } } if (redirected) return; string safeUrl = context.Request.Url.AbsolutePath.Replace(context.Request.Url.Query, string.Empty); context.Response.Redirect(safeUrl,true); } }

  Read the article

• Spotting similarities and patterns within a string - Python

  - by RadiantHex

  Hi folks, this is the use case I'm trying to figure this out for. I have a list of spam subscriptions to a service and they are killing conversion rate and other usability studies. The emails inserted look like the following: [email protected] [email protected] [email protected] roger[...]_surname[...]@hotmail.com What would be your suggestions on spotting these entries by using an automated script? It feels a little more complicated than it actually looks. Help would be very much appreciated!

  Read the article

• Disabling javascript in specific block/div (containing suspect HTML) ?

  - by T4NK3R

  Is it, in any way, possible to disable the browsers execution of script inside a block/section/element ? My scenario is, that I'm letting my (future) users create "rich content" (using CK-editor). Content that wil later be shown to other users - with all the dangers that imply: xss, redirection, identity theft, spam and what not... I've, more or less, given up on trying to "sanitize" the incomming XHTML, after seeing how many known "vectors of attack" there are: http://ha.ckers.org/xss.html What I'm really looking for is something like: < div id="userContent"< scriptOFF suspect HTML < /scriptOFF< /div

  Read the article

• Licensing web applications

  - by jeffreyveon

  If I want to sell a web application as an installable product on the customer's servers, what are the best method practices for enforcing licensing such that it's not easily ripped and pirated?

  Read the article

• Do I need to sanitize the callback parameter from a JSONP call?

  - by christian studer

  I would like to offer a webservice via JSONP and was wondering, if I need to sanitize the value from the callback parameter. My current server side script looks like this currently (More or less. Code is in PHP, but could be anything really.): header("Content-type: application/javascript"); echo $_GET['callback'] . '(' . json_encode($data) . ')'; This is a classic XSS-vulnerability. If I need to sanitize it, then how? I was unable to find enough information about what might be allowed callback strings.

  Read the article

• Calculating probability that a string has been randomized? - Python

  - by RadiantHex

  Hi folks, this is correlated to a question I asked earlier (question) I have a list of manually created strings such as: lucy87 gordan_king fancy_unicorn77 joplucky_kanga90 base_belong_to_narwhals and a list of randomized strings: johnkdf pancake90kgjd fancy_jagookfk manhattanljg What gives away that the last set of strings are randomized is that sequences such as 'kjg', 'jgf', 'lkd', ... . Any clever way I could separate strings that contain these apparently randomized strings from the crowd? I guess that this plays a lot on the fact that certain characters are more likely to be placed next to others (e.g. 'co', 'ka', 'ja', ...). Any ideas on this one? Kylotan mentioned Reverend, but I am not sure if it can be used fr such purpose. Help would be much appreciated!

  Read the article

• Malicious crawler blocker for ASP.NET

  - by Marek

  I have just stumbled upon Bad Behavior - a plugin for PHP that promises to detect spam and malicious crawlers by preventing them from accessing the site at all. Does something similar exist for ASP.NET/ASP.NET MVC? I am interested in blocking access to the site altogether, not in detecting spam after it was posted.

  Read the article

• Where can I learn about security and online privacy?

  - by user278457

  I'd really like to start including shopping cart functionality in my projects. At first im content relying on paypal links, but I really want to be learning about specific security threats and how to combat them. Eventually I want to feel comfortable receiving and sending customer credit card details for ecommerce. Obviously this is a common thing on the net but most tutorials and resources are content to say "it's every web developers responsibility to consider security, but we're not going to cover that here/today/ever." so, my question is, where is a good place to learn? And once I've learned, how do I stay abreast of new vulnerabilities as the web evolves?

  Read the article

• Attack from anonymous proxy

  - by mmgn

  We got attacked by some very-bored teenagers registering in our forums and posting very explicit material using anonymous proxy websites, like http://proxify.com/ Is there a way to check the registration IP against a black list database? Has anyone experienced this and had success?

  Read the article

• how to prevent all crawlers except good ones (google, bing, yahoo) access website content?

  - by tranhuyhung

  I just want to let Google, Bing, Yahoo crawl my website to build indexes. But I do not want my opposite website use crawling service to steal my website content. What should I do?

  Read the article

• Is there a good API for blacklisted domains?

  - by beagleguy

  hi all, just curious if there was a good service paid or unpaid where I can send in either a user's email address or the domain from their email address and get back if they're a known spammer or not? thanks

  Read the article

• Microsoft AntiXSS in Medium Trust :Error

  - by aramugam

  I want to include Microsoft AntiXss V1.5 library on my live site running in a medium trust setting.However, I got an error something like: Required permissions cannot be acquired. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Security.Policy.PolicyException: Required permissions cannot be acquired. I tried this in full trust setting on my development machine and everything works good.Looks like this will run only in full trust configuration......Does anybody knows a solution or workaround for this?

  Read the article

• Best solution to anti-spam in PHP?

  - by user198729

  How to distinguish robots from normal user? How does SO do this job? Currently I'm met with a robot which post once every 1 hour...

  Read the article

• Implementing a "flag as spam/offensive" system

  - by UltraVi01

  I am looking for a community moderated way of managing/eliminating spam and offensive content. Functionality similar to StackOverflow and many other sites seems like a good way to go. Although I'm sure this could greatly vary based on specific needs, I am curious about the backend mechanism/algorithm --that is, has anyone had success using something like "3 strikes and you're out" -- the flagged post is automatically closed/deleted after 3 reports by users with the required credentials. Would something like this likely be effective or would it require a more complex solution to ensure honesty and effectiveness. Any thoughts / experiences would be great

  Read the article

• How to stop spam in PHPBB3 ?

  - by newbie

  I'm getting awful lot of spam to my forums where only registered users can post and captcha is in use. What could we best solution to stop spammers registering to my forums?

  Read the article

• PHP Security checklist (injection, sessions etc)

  - by NoviceCoding

  So what kind of things should a person using PHP and MySql be focused on to maximize security. Things I have done: -mysql_real_escape_string all inputs -validate all inputs after escaping em -Placed random alpha numerics before my table names -50character salt + Ripemd passwords Heres where I think I am slacking: -I know know nothing about sessions and securing them. How unsafe/safe is it if all you are doing is: session_start(); $_SESSION['login']= $login; and checking it with: session_start(); if(isset($_SESSION['login'])){ -I heard something about other forms of injection like cross site injection and what not... -And probably many other things I dont know about. Is there a "checklist"/Quicktut on making php secure? I dont even know what I should be worried about.I kinda regret now not building off cakephp since I am not a pro.

  Read the article

• Getting on mediawiki spammers list? [closed]

  - by Dave

  hi ther - this is a "strange question"... :) I WANT to get on a wiki spammers list for a test project i'm trying to do with some folks - how do i go about doing that?? :)

  Read the article

• Preventing decompilation of C# application

  - by Kalpak

  Hi, We are planning to develop a client server application using C# and MySQL. We plan to sell the product on the shelf like any other software utility. We are worried about the decompilation of our product which does have some sort of edge over our competitors in terms of usability and bundled functionality. How can we prevent our software from decompilation, so the business logic of the product remains intact? We have heard about Reflector and other decompilers which makes our code very much vulnerable for copying. Our customer base is not Corporates by medical practitioners who themselves may not do it but our competitors may want to copy/disable licensing so value of our software goes down. Any suggestion to prevent this is most welcome. regards.. Obelisk

  Read the article

• How can I cut down on this spam, and what is the point of it anyway?

  - by Steven

  I run a small, niche personal ads site. People post ads and then other people reply to them, which sends an email to the original creator of the ad telling them that someone is interested and giving them contact information for that interested person. Lately there's been some weird spam. People are receiving nonsense replies to their ads. Here is an example of one: Name: xkauwvyr Reply: vRYmbI <a href="http://rypmoxdkfblf.com/">rypmoxdkfblf</a>, url=http://pnjlwvhizwbq.com/]pnjlwvhizwbq[/url], [link=http://hmenwoujxrfv.com/]hmenwoujxrfv[/link], http://ogsekuhoyeud.com/ They vary in length and composition but they all look roughly like that. The first idea I had was to simply throw out any reply that contained the string " Also, is this spam just some ass playing a trick on my website, or is it something more malicious?

  Read the article

• Imposing email limits on web page

  - by Martin

  To avoid spammers, what's a good strategy for imposing limits on users when sending email from our site? A count limit per day on individual IPs? Sender emails? Domains? In general terms, but recommended figures will also be helpful. Our users can send emails through our web page. They can register and log in but are also allowed to do this without logging in, but with a captcha and with a field for the senders email. Certainly, there is a header, "The user has sent you the following message.", limiting the use for spammers, so perhaps it's not a big problem. Any comments on what I'm doing will be greatly appreciated.

  Read the article

• Generating test cases to abuse a BNF grammar automagically.

  - by Paul Nathan

  Hi, I am wondering if there is a tool or technique which, given a BNF grammar, adjusts it randomly(but intelligently) and generates a stream of output for use in detecting cases that slip past the BNF (but shouldn't). Thanks

  Read the article

• Is it abuse to put application/business logic inside of jQuery plugins?

  - by RenderIn

  Is it appropriate to create jQuery plugins which are specific to a single page? I've been creating generic plugins that are not tied to any context and contain no business logic, but some people I've talked to suggest that almost all javascript, including business logic and logic specific to a single page, should be inside of jQuery plugins. Is it appropriate to have a validateformXYZ plugin which validates a specific HTML form? I'm buying into jQuery 100% but am not sure if this is a misuse or not.

  Read the article

• Creating a PHP web app to allow users to vote on submissions - How can I minimize abuse.

  - by sibliant

  Hi Community, I've only written a few small php web apps and I'm throwing code together right now to allow for users to submit short stories. these stories will display and allow others to vote them up. The winner receives something rather valuable and I'm paranoid people are going to try to manipulate it. Debian / Apache / PHP 5.2 / jquery users are not required to login / authenticate. users can vote multiple stories up but only once for each story Is it as simple as tagging each story with an IP address and not counting other submissions from that IP? Thanks for any advise.

  Read the article

• What the difference between deadlock avoidance and deadlock prevention?

  - by skydoor

  I met two terms and are they the same thing or different thing?

  Read the article

• How can QA prevent defects?

  - by user970696

  Also according to Software Testing By Srinisvasan Desikan, Gopalaswamy Ramesh or ISTQB text books. Quality assurance is e.g. reviewing products, inspections, walkthroughs to see if all standards are being followed. This is preventive activity. I cannot see how this can be preventive? For the references: defect prevention (Quality Assurance) Software Testing By Srinisvasan Desikan, Gopalaswamy Ramesh Quality Assurance (QA) tries to go one step further. Instead of concentrating on post- facto defect detection and correction, it focusses on the prevention of defects from the very start. Managing Global Software Projects - Page 110 QA deals with prevention of defects in the product being developed. Software Testing and Quality Assurance

  Read the article

< Previous Page | 3 4 5 6 7 8 9 10 11 12 13 14  | Next Page >