Search Results

Search found 1306 results on 53 pages for 'csrf protection'.

Page 8/53 | < Previous Page | 4 5 6 7 8 9 10 11 12 13 14 15  | Next Page >

  • Protecting design ideas from being copied by other websites?

    - by mickburkejnr
    Hi everyone, I'm planning a project at the moment, while building a completely different project at the same time. Both of these projects are quite innovative in the way they either work or the way they are presented. One of the projects hasn't been done before, and the other is being made has competition, but I feel the competitions websites are light years behind what I'm doing. Is there a way for me to prevent the way my sites work or presented from being stolen? I've thought of patenting parts of them, but it requires £10,000 and I don't have that amount of money. Also, would me putting a Copyright notice on the site or an All Rights Reserved tag give me any muscle when going to websites that I feel have stolen my ideas (if they have)? Cheers!

    Read the article

  • How to tackle archived who-is personal data with opt-out?

    - by defaye
    As far as I understand it, it is possible to opt-out (in the UK at least) of having your address details displayed on who-is information of a domain for non-trading individuals. What I want to know is, after opt-out, how do individuals combat archived data? Is there any enforcement of this? How many who-is websites are there which archive data and what rights do we have to force them to remove that data without paying absurd fees? In the case of capitulating to these scoundrels, what point is it in paying for the removal of archived data if that data can presumably resurface on another who-is repository? In other words, what strategy is one supposed to take, besides being wiser after the fact?

    Read the article

  • Are the other organizations such as BSA that a small company can join?

    - by Saariko
    I am looking for other associations such as BSA. Setting aside the long debate about : should/can a software be protected?! I am currently actively looking for other, local, intentaional or even rgional groups/organizations that a small software company wants to join. I mark : small, since the BSA fees are expensive. please don't open the debate: if you are not big enough to pay the fee, than you are not big enough to join the __. Thank you

    Read the article

  • dotnetopenauth token ? is it required?

    - by df
    Hi, I've implementend openId login system on my site and it works ok, but when i compare what is send to openidprovider and back is different with that what is send by stackoverflow.com for example whis send s paramenter and token parameter? Are these parameteres custom parameters send by stackoverflow or dotnetopenid can sand them but you have to turn it on? Is that token against CSRF attack?

    Read the article

  • client generated double submit cookie, cross site request forgery prevention

    - by james
    in a double-submitted cookie csrf prevention scheme, is it necessary for the server to provide the cookie? it seems i could have javascript on the clients page generate and set a cookie "anti_csrf", then double submit that (once as a cookie, done by the browser, and once in the body of the request). a foreign domain would not be able to read or write the "anti_csrf" cookie to include it in the body of a request. is this secure, or am i overlooking something?

    Read the article

  • WCF client encrypt message to JAVA WS using username_token with message protection client policy

    - by Alex
    I am trying to create a WCF client APP that is consuming a JAVA WS that uses username_token with message protection client policy. There is a private key that is installed on the server and a public certificate file was exported from the JKS keystore file. I have installed the public key into certificate store via MMC under Personal certificates. I am trying to create a binding that will encrypt the message and pass the username as part of the payload. I have been researching and trying the different configurations for about a day now. I found a similar situation on the msdn forum: http://social.msdn.microsoft.com/Forums/en/wcf/thread/ce4b1bf5-8357-4e15-beb7-2e71b27d7415 This is the configuration that I am using in my app.config <customBinding> <binding name="certbinding"> <security authenticationMode="UserNameOverTransport"> <secureConversationBootstrap /> </security> <httpsTransport requireClientCertificate="true" /> </binding> </customBinding> <endpoint address="https://localhost:8443/ZZZService?wsdl" binding="customBinding" bindingConfiguration="cbinding" contract="XXX.YYYPortType" name="ServiceEndPointCfg" /> And this is the client code that I am using: EndpointAddress endpointAddress = new EndpointAddress(url + "?wsdl"); P6.WCF.Project.ProjectPortTypeClient proxy = new P6.WCF.Project.ProjectPortTypeClient("ServiceEndPointCfg", endpointAddress); proxy.ClientCredentials.UserName.UserName = UserName; proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "67 87 ba 28 80 a6 27 f8 01 a6 53 2f 4a 43 3b 47 3e 88 5a c1"); var projects = proxy.ReadProjects(readProjects); This is the .NET CLient error I get: Error Log: Invalid security information. On the Java WS side I trace the log : SEVERE: Encryption is enabled but there is no encrypted key in the request. I traced the SOAP headers and payload and did confirm the encrypted key is not there. Headers: {expect=[100-continue], content-type=[text/xml; charset=utf-8], connection=[Keep-Alive], host=[localhost:8443], Content-Length=[731], vsdebuggercausalitydata=[uIDPo6hC1kng3ehImoceZNpAjXsAAAAAUBpXWdHrtkSTXPWB7oOvGZwi7MLEYUZKuRTz1XkJ3soACQAA], SOAPAction=[""], Content-Type=[text/xml; charset=utf-8]} Payload: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:UsernameToken u:Id="uuid-5809743b-d6e1-41a3-bc7c-66eba0a00998-1"><o:Username>admin</o:Username><o:Password>admin</o:Password></o:UsernameToken></o:Security></s:Header><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><ReadProjects xmlns="http://xmlns.dev.com/WS/Project/V1"><Field>ObjectId</Field><Filter>Id='WS-Demo'</Filter></ReadProjects></s:Body></s:Envelope> I have also tryed some other bindings but with no success: <basicHttpBinding> <binding name="basicHttp"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="Certificate"/> </security> </binding> </basicHttpBinding> <wsHttpBinding> <binding name="wsBinding"> <security mode="Message"> <message clientCredentialType="UserName" negotiateServiceCredential="false" /> </security> </binding> </wsHttpBinding> Your help will be greatly aprreciatted! Thanks!

    Read the article

  • Having Hotlink Protectin problem in nginx

    - by Ayaz Malik
    Hello, i am having image hotlink protection problem in my nginx need help. i have a huge issue of my site's images being submited to social networks like stumbleupon with direct link ... xxxxx.jpg which some times get huge traffic and increases cpu usage plus bandwidth usage. what i am trying to do is block direct access to image from other refrers and hotlink protection. Here is the code from my vhost.conf server { access_log off; error_log logs/vhost-error_log warn; listen 80; server_name mydomain.com www.mydomain.com; # uncomment location below to make nginx serve static files instead of Apache # NOTE this will cause issues with bandwidth accounting as files wont be logged location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ { root /home/username/public_html; expires 1d; } root /home/mydomain/public_html; } location / { client_max_body_size 10m; client_body_buffer_size 128k; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; # you can increase proxy_buffers here to suppress "an upstream response # is buffered to a temporary file" warning proxy_buffers 16 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_connect_timeout 30s; proxy_redirect http://www.mydomain.com:81 http://www.mydomain.com; proxy_redirect http://mydomain.com:81 http://mydomain.com; proxy_pass http://ip_address/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; expires 24h; } } So for hotlink protection i added this code : location ~* (\.jpg|\.png|\.gif|\.jpeg)$ { valid_referers blocked www.mydomain.com mydomain.com; if ($invalid_referer) { return 403; } This is how the current nginx code for this domain looks like but didn't worked: server { access_log off; error_log logs/vhost-error_log warn; listen 80; server_name mydomain.com www.mydomain.com; # uncomment location below to make nginx serve static files instead of Apache # NOTE this will cause issues with bandwidth accounting as files wont be logged location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ { root /home/username/public_html; expires 1d; } root /home/mydomain/public_html; } location ~* (\.jpg|\.png|\.gif|\.jpeg)$ { valid_referers blocked www.mydomain.com mydomain.com; if ($invalid_referer) { return 403; } location / { client_max_body_size 10m; client_body_buffer_size 128k; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; # you can increase proxy_buffers here to suppress "an upstream response # is buffered to a temporary file" warning proxy_buffers 16 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_connect_timeout 30s; proxy_redirect http://www.mydomain.com:81 http://www.mydomain.com; proxy_redirect http://mydomain.com:81 http://mydomain.com; proxy_pass http://ip_address/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; expires 24h; } } Thank you in advance :) cheers

    Read the article

  • How do I write to an outer truecrypt volume when the inner volume protection prevents writng?

    - by con-f-use
    In a nutshell After some time using the outer volume of a hidden volume in Truecrypt I cannot write to the outer volume anymore. The protection of the inner volume always kicks in before. How do I fix this? Details I'm using truecrypt's two layered encryption of a USB stick. The outer container carries my semi-sensitive stuff while the inner hidden values has a bit more valuable information. I use both, the inner and outer volume regularly and that is part of the problem. Truecrypt can mount the outer volume for writing while protecting the inner. Usually the inner volume, when not protected this way (or mounted read-only) would be indistinguishable from free space. That is of course part of the plausible deniability scheme of truecrypt. At the beginning, everything worked as expected. I could copy and delete data to the outer volume as I pleased. Now it seams that I have written and deleted enough data to have filled the outer volume once. Despite the write protection Ubuntu tries now to write to the continuous "free space" that is the inner volume. It does that although enough other free space is on the outer volume. But on this free space there used to be data so its fragmented and the file system write prefers continuous space. The write on the continuous free space of the outer volume of course fails (with the error message in the picture above) as Truecrypt's inner-volume-protection kicks in. The Question I know this is expected behaviour, but is there a better way to write to the outer volume that does not attempt to write to the hidden free space at the end? The whole question could be more generally rephrased to: How do I control, where on a partition data is written in Ubuntu?

    Read the article

  • My jquery AJAX POST requests works without sending an Authenticity Token (Rails)

    - by dchua
    Hi all, Is there any provisions in rails that would allow all AJAX POST requests from the site to pass without an authenticity_token? I have a Jquery POST ajax call that calls a controller method, but I did not put any authenticity code in it and yet the call succeeds. My ApplicationController does have 'request_forgery_protection' and I've changed config.action_controller.consider_all_requests_local to false in my environments/development.rb I've also searched my code to ensure that I was not overloading ajaxSend to send out authenticity tokens. Is there some mechanism in play that disables the check? Now I'm not sure if my CSRF protection is working or not. I'm using Rails 2.3.5.

    Read the article

  • For securing forms, when do I issue the token?

    - by AQuestionADayKeepsTheDrAway
    So, I have a form, to make it a little more secure and potentially help prevent CSRF attacks I want to add a random token value in a hidden field that value is also stored server side in my session data. When should I issue a new token? Per form? Per page load where there is any form? Per session? I can render it invalid as soon as a form is successfully submitted but I'm wondering when to generate one. I ask as if I issue it per form or per page do I not risk the chance of a duplicate token value overwriting the existing (valid) token if a user opens a separate window but submitting the first form (with the now overwritten value)?

    Read the article

  • How can I configure Symantec Endpoint Protection Agent to allow access to windows shares?

    - by Peter Bernier
    I'm having some difficulties exposing a standard windows file share on a Windows Embedded Standard 2009 device that is running Symantec Endpoint Protection Agent 5.1. I'm using simply file sharing to expose a particular directory. That share is visible locally on the machine and externally visible when I disable the endpoint protection agent. I've added a rule (and moved it to the to ensure priority) allowing all hosts access on TDP ports 137,138,138,445 and another rule allowing UDP access on ports 137,138,139. When I try to connect, two endpoint protection dialogs pop up saying: Traffic has been blocked from this application: NWLINK2 IPX Protocol Driver (nwlnkipx.sys) Traffic has been blocked from this application: IPv6 driver (tcpip6.sys) I'm not using IPv6 anywhere. Interestingly, I discovered a workaround in that I can white-list all traffic from the subnet the device is on, which meets my needs, but I'm still curious as to why my original approach wasn't successful. Can anyone suggestion a reason why the above endpoint protection rules won't allow me to access windows file shares on the device?

    Read the article

  • App.config connection string Protection error

    - by MikeScott8
    I am running into an issue I had before; can't find my reference on how to solve it. Here is the issue. We encrypt the connection strings section in the app.config for our client application using code below: config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None) If config.ConnectionStrings.SectionInformation.IsProtected = False Then config.ConnectionStrings.SectionInformation.ProtectSection(Nothing) ' We must save the changes to the configuration file.' config.Save(ConfigurationSaveMode.Modified, True) End If The issue is we had a salesperson leave. The old laptop is going to a new salesperson and under the new user's login, when it tries to to do this we get an error. The error is: Unhandled Exception: System.Configuration.ConfigurationErrorsException: An error occurred executing the configuration section handler for connectionStrings. ---> System.Configuration.ConfigurationErrorsException: Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Object already exists. ---> System.Security.Cryptography.CryptographicException: Object already exists

    Read the article

  • SQL Injection Protection for dynamic queries

    - by jbugeja
    The typical controls against SQL injection flaws are to use bind variables (cfqueryparam tag), validation of string data and to turn to stored procedures for the actual SQL layer. This is all fine and I agree, however what if the site is a legacy one and it features a lot of dynamic queries. Then, rewriting all the queries is a herculean task and it requires an extensive period of regression and performance testing. I was thinking of using a dynamic SQL filter and calling it prior to calling cfquery for the actual execution. I found one filter in CFLib.org (http://www.cflib.org/udf/sqlSafe): <cfscript> /** * Cleans string of potential sql injection. * * @param string String to modify. (Required) * @return Returns a string. * @author Bryan Murphy ([email protected]) * @version 1, May 26, 2005 */ function metaguardSQLSafe(string) { var sqlList = "-- ,'"; var replacementList = "#chr(38)##chr(35)##chr(52)##chr(53)##chr(59)##chr(38)##chr(35)##chr(52)##chr(53)##chr(59)# , #chr(38)##chr(35)##chr(51)##chr(57)##chr(59)#"; return trim(replaceList( string , sqlList , replacementList )); } </cfscript> This seems to be quite a simple filter and I would like to know if there are ways to improve it or to come up with a better solution?

    Read the article

  • Looking for DOS/DDOS protection tools and strategies

    - by Alexandre Victoor
    I am working on a java application that exposes webservices for a flash client. Any idea on how to prevent DOS/DDOS attacks ? I cannot use mechanism unfriendly for the end user such as captcha. So far I have found mod_evasive, an apache module which looks quite promising... Any suggestions, best practices, tools I might use ? Thanks in advance

    Read the article

  • Rails request forgery protection settings

    - by Vitaly
    Hey, please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class. Basically here's the code: class ApplicationController < ActionController::Base helper :all # include all helpers, all the time protect_from_forgery helper_method :current_user_session, :current_user filter_parameter_logging :password, :password_confirmation What I assume it should do is: it should prevent any POST requests without correct authenticity_token. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)! $.post($(this).attr("href"), { _method: "PUT", data: { test: true } }); I see in console that there's no authenticity_token among sent parameters, but request is still considered valid. Why is that?

    Read the article

  • Best Practices / Patterns for Enterprise Protection/Remediation of SSNs (Social Security Numbers)

    - by Erik Neu
    I am interested in hearing about enterprise solutions for SSN handling. (I looked pretty hard for any pre-existing post on SO, including reviewing the terriffic SO automated "Related Questions" list, and did not find anything, so hopefully this is not a repeat.) First, I think it is important to enumerate the reasons systems/databases use SSNs: (note—these are reasons for de facto current state—I understand that many of them are not good reasons) Required for Interaction with External Entities. This is the most valid case—where external entities your system interfaces with require an SSN. This would typically be government, tax and financial. SSN is used to ensure system-wide uniqueness. SSN has become the default foreign key used internally within the enterprise, to perform cross-system joins. SSN is used for user authentication (e.g., log-on) The enterprise solution that seems optimum to me is to create a single SSN repository that is accessed by all applications needing to look up SSN info. This repository substitutes a globally unique, random 9-digit number (ASN) for the true SSN. I see many benefits to this approach. First of all, it is obviously highly backwards-compatible—all your systems "just" have to go through a major, synchronized, one-time data-cleansing exercise, where they replace the real SSN with the alternate ASN. Also, it is centralized, so it minimizes the scope for inspection and compliance. (Obviously, as a negative, it also creates a single point of failure.) This approach would solve issues 2 and 3, without ever requiring lookups to get the real SSN. For issue #1, authorized systems could provide an ASN, and be returned the real SSN. This would of course be done over secure connections, and the requesting systems would never persist the full SSN. Also, if the requesting system only needs the last 4 digits of the SSN, then that is all that would ever be passed. Issue #4 could be handled the same way as issue #1, though obviously the best thing would be to move away from having users supply an SSN for log-on. There are a couple of papers on this: UC Berkely: http://bit.ly/bdZPjQ Oracle Vault: bit.ly/cikbi1

    Read the article

  • Password/Key protection

    - by user221919
    hi I am implementing paymentgateways and I need to protect its key and password for security reason. also some webservices keys and password in asp.net. Please help me to do as mention. waiting for your valuable thought. Thanking You.

    Read the article

  • Domain Transfer Protection - need advice

    - by Jack
    Hey, I am about to purchase a domain name for a bit of money. I do not personally know the person who I am purchasing the domain name from, we have only chatted via email. The proposed process for the transfer is: The owner of the domain lowest the domain name security and emails me the domain password, I request the transfer After the request, I transfer the money via PayPal When the money has been cleared the current domain name owner confirms the transfer via the link that he receives in that email I wait for it to be transferred. The domain is currently registered with DirectNIC - http://www.directnic.com/ Is this the best practice? Seeing I am paying a bit of money for this domain name, I am worried that after the money has been cleared that I won't see the domain name or hear from the current domain name owner again. Is there a 'domain governing body' which I can report to if this is the case? Is the proposed transfer process the best solution? Any advice would be awesome. Thanks! Jack

    Read the article

  • image protection in rails

    - by Cezar
    Hello, I am looking for ways to protect my product images and I don't know if there's anything out there better than what I've already found: disable right click, use a transparent image in front of your picture and watermarking. Obviously none of them is perfect but I was curious if someone came up with a better solution to this problem. Also is there any rails plugin to aid with that ? Thanks

    Read the article

  • Flash Media Server Streaming: Content Protection

    - by dbemerlin
    Hi, i have to implement flash streaming for the relaunch of our video-on-demand system but either because i haven't worked with flash-related systems before or because i'm too stupid i cannot get the system to work as it has to. We need: Per file & user access control with checks on a WebService every minute if the lease time ran out mid-stream: cancelling the stream rtmp streaming dynamic bandwidth checking Video Playback with Flowplayer (existing license) I've got the streaming and bandwidth check working, i just can't seem to get the access control working. I have no idea how i know which file is played back or how i can play back a file depending on a key the user has entered. Server-Side Code (main.asc): application.onAppStart = function() { trace("Starting application"); this.payload = new Array(); for (var i=0; i < 1200; i++) { this.payload[i] = Math.random(); //16K approx } } application.onConnect = function( p_client, p_autoSenseBW ) { p_client.writeAccess = ""; trace("client at : " + p_client.uri); trace("client from : " + p_client.referrer); trace("client page: " + p_client.pageUrl); // try to get something from the query string: works var i = 0; for (i = 0; i < p_client.uri.length; ++i) { if (p_client.uri[i] == '?') { ++i; break; } } var loadVars = new LoadVars(); loadVars.decode(p_client.uri.substr(i)); trace(loadVars.toString()); trace(loadVars['foo']); // And accept the connection this.acceptConnection(p_client); trace("accepted!"); //this.rejectConnection(p_client); // A connection from Flash 8 & 9 FLV Playback component based client // requires the following code. if (p_autoSenseBW) { p_client.checkBandwidth(); } else { p_client.call("onBWDone"); } trace("Done connecting"); } application.onDisconnect = function(client) { trace("client disconnecting!"); } Client.prototype.getStreamLength = function(p_streamName) { trace("getStreamLength:" + p_streamName); return Stream.length(p_streamName); } Client.prototype.checkBandwidth = function() { application.calculateClientBw(this); } application.calculateClientBw = function(p_client) { /* lots of lines copied from an adobe sample, appear to work */ } Client-Side Code: <head> <script type="text/javascript" src="flowplayer-3.1.4.min.js"></script> </head> <body> <a class="rtmp" href="rtmp://xx.xx.xx.xx/vod_project/test_flv.flv" style="display: block; width: 520px; height: 330px" id="player"> </a> <script> $f( "player", "flowplayer-3.1.5.swf", { clip: { provider: 'rtmp', autoPlay: false, url: 'test_flv' }, plugins: { rtmp: { url: 'flowplayer.rtmp-3.1.3.swf', netConnectionUrl: 'rtmp://xx.xx.xx.xx/vod_project?foo=bar' } } } ); </script> </body> My first Idea was to get a key from the Query String, ask the web service about which file and user that key is for and play the file but i can't seem to find out how to play a file from server side. My second idea was to let flowplayer play a file, pass the key as query string and if the filename and key don't match then reject the connection but i can't seem to find out which file it's currently playing. The only remaining idea i have is: create a list of all files the user is allowed to open and set allowReadAccess or however it was called to allow those files, but that would be clumsy due to the current infrastructure. Any hints? Thanks.

    Read the article

  • Java Client .class File Protection

    - by Zac
    I am in the requirements phase of building a JEE application that will most likely run on a GlassFish/JBoss backend (doesn't matter for now). I know I shouldn't be thinking about architecture at requirements time, but one can't help but start to imagine how the components would all snap together :-) Here are some hard, non-flexible requirements on the client-side: (1) The client application will be a Swing box (2) The client is free to download, but will use a subscription model (thus requiring a login mechanism with server-side authentication/authorization, etc.) (3) Yes, Java is the best platform solution for the problem at hand for reasons outside the scope of this post (4) The client-side .class files need safeguarding against decompiling That last (4th) requirement is the basis of this post. I'm not really worried about someone actually decompiling and getting at my source code: in the end, it's just Swing controls driven by some lightweight business logic. I'm worried about a scenario where someone decompiles my code, modifies it to exploit/attack the server, re-compiles, and fires it up. I've envisioned all sorts of nasty solutions, but didn't know if this was a common problem with a common solution for JEE developers. Any thoughts? Not interested in "code obfuscation" techniques! Thanks for any input!

    Read the article

< Previous Page | 4 5 6 7 8 9 10 11 12 13 14 15  | Next Page >