Search Results

Search found 12717 results on 509 pages for 'ouaf security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 161/509 | < Previous Page | 157 158 159 160 161 162 163 164 165 166 167 168  | Next Page >

  • Create x509 certificate with openssl/makecert tool

    - by Zé Carlos
    I'm creating a x509 certificate using makecert with the following parameters: makecert -r -pe -n "CN=Client" -ss MyApp I want to use this certificate to encrypt and decrypt data with RSA algoritm. I look to generated certificate in windows certificate store and everything seems ok (It has a private key, public key is a RSA key with 1024 bits and so on..) Now i use this C# code to encrypt data: X509Store store = new X509Store("MyApp", StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, "Client", false); X509Certificate2 _x509 = certs[0]; using (RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)_x509.PrivateKey) { byte[] dataToEncrypt = Encoding.UTF8.GetBytes("hello"); _encryptedData = rsa.Encrypt(dataToEncrypt, true); } When executing the Encrypt method, i receive a CryptographicException with message "Bad key". I think the code is fine. Probably i'm not creating the certificate properly. Any comments? Thanks ---------------- EDIT -------------- If anyone know how to create the certificate using OpenSsl, its also a valid answer for me.

    Read the article

  • How important is it to use SSL?

    - by Mark
    Recently I installed a certificate on the website I'm working on. I've made as much of the site as possible work with HTTP, but after you log in, it has to remain in HTTPS to prevent session hi-jacking, doesn't it? Unfortunately, this causes some problems with Google Maps; I get warnings in IE saying "this page contains insecure content". I don't think we can afford Google Maps Premier right now to get their secure service. It's sort of an auction site so it's fairly important that people don't get charged for things they didn't purchase because some hacker got into their account. All payments are done through PayPal though, so I'm not saving any sort of credit card info, but I am keeping personal contact information. Fraudulent charges could be reversed fairly easily if it ever came to that. What do you guys suggest I do? Should I take the bulk of the site off HTTPS and just secure certain pages like where ever you enter your password, and that's it? That's what our competition seems to do.

    Read the article

  • Please Critique this PHP Login Script

    - by NightMICU
    Greetings, A site I developed was recently compromised, most likely by a brute force or Rainbow Table attack. The original log-in script did not have a SALT, passwords were stored in MD5. Below is an updated script, complete with SALT and IP address banning. In addition, it will send a Mayday email & SMS and disable the account should the same IP address or account attempt 4 failed log-ins. Please look it over and let me know what could be improved, what is missing, and what is just plain strange. Many thanks! <?php //Start session session_start(); //Include DB config include $_SERVER['DOCUMENT_ROOT'] . '/includes/pdo_conn.inc.php'; //Error message array $errmsg_arr = array(); $errflag = false; //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return $str; } //Define a SALT, the one here is for demo define('SALT', '63Yf5QNA'); //Sanitize the POST values $login = clean($_POST['login']); $password = clean($_POST['password']); //Encrypt password $encryptedPassword = md5(SALT . $password); //Input Validations //Obtain IP address and check for past failed attempts $ip_address = $_SERVER['REMOTE_ADDR']; $checkIPBan = $db->prepare("SELECT COUNT(*) FROM ip_ban WHERE ipAddr = ? OR login = ?"); $checkIPBan->execute(array($ip_address, $login)); $numAttempts = $checkIPBan->fetchColumn(); //If there are 4 failed attempts, send back to login and temporarily ban IP address if ($numAttempts == 1) { $getTotalAttempts = $db->prepare("SELECT attempts FROM ip_ban WHERE ipAddr = ? OR login = ?"); $getTotalAttempts->execute(array($ip_address, $login)); $totalAttempts = $getTotalAttempts->fetch(); $totalAttempts = $totalAttempts['attempts']; if ($totalAttempts >= 4) { //Send Mayday SMS $to = "[email protected]"; $subject = "Banned Account - $login"; $mailheaders = 'From: [email protected]' . "\r\n"; $mailheaders .= 'Reply-To: [email protected]' . "\r\n"; $mailheaders .= 'MIME-Version: 1.0' . "\r\n"; $mailheaders .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; $msg = "<p>IP Address - " . $ip_address . ", Username - " . $login . "</p>"; mail($to, $subject, $msg, $mailheaders); $setAccountBan = $db->query("UPDATE ip_ban SET isBanned = 1 WHERE ipAddr = '$ip_address'"); $setAccountBan->execute(); $errmsg_arr[] = 'Too Many Login Attempts'; $errflag = true; } } if($login == '') { $errmsg_arr[] = 'Login ID missing'; $errflag = true; } if($password == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } //If there are input validations, redirect back to the login form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header('Location: http://somewhere.com/login.php'); exit(); } //Query database $loginSQL = $db->prepare("SELECT password FROM user_control WHERE username = ?"); $loginSQL->execute(array($login)); $loginResult = $loginSQL->fetch(); //Compare passwords if($loginResult['password'] == $encryptedPassword) { //Login Successful session_regenerate_id(); //Collect details about user and assign session details $getMemDetails = $db->prepare("SELECT * FROM user_control WHERE username = ?"); $getMemDetails->execute(array($login)); $member = $getMemDetails->fetch(); $_SESSION['SESS_MEMBER_ID'] = $member['user_id']; $_SESSION['SESS_USERNAME'] = $member['username']; $_SESSION['SESS_FIRST_NAME'] = $member['name_f']; $_SESSION['SESS_LAST_NAME'] = $member['name_l']; $_SESSION['SESS_STATUS'] = $member['status']; $_SESSION['SESS_LEVEL'] = $member['level']; //Get Last Login $_SESSION['SESS_LAST_LOGIN'] = $member['lastLogin']; //Set Last Login info $updateLog = $db->prepare("UPDATE user_control SET lastLogin = DATE_ADD(NOW(), INTERVAL 1 HOUR), ip_addr = ? WHERE user_id = ?"); $updateLog->execute(array($ip_address, $member['user_id'])); session_write_close(); //If there are past failed log-in attempts, delete old entries if ($numAttempts > 0) { //Past failed log-ins from this IP address. Delete old entries $deleteIPBan = $db->prepare("DELETE FROM ip_ban WHERE ipAddr = ?"); $deleteIPBan->execute(array($ip_address)); } if ($member['level'] != "3" || $member['status'] == "Suspended") { header("location: http://somewhere.com"); } else { header('Location: http://somewhere.com'); } exit(); } else { //Login failed. Add IP address and other details to ban table if ($numAttempts < 1) { //Add a new entry to IP Ban table $addBanEntry = $db->prepare("INSERT INTO ip_ban (ipAddr, login, attempts) VALUES (?,?,?)"); $addBanEntry->execute(array($ip_address, $login, 1)); } else { //increment Attempts count $updateBanEntry = $db->prepare("UPDATE ip_ban SET ipAddr = ?, login = ?, attempts = attempts+1 WHERE ipAddr = ? OR login = ?"); $updateBanEntry->execute(array($ip_address, $login, $ip_address, $login)); } header('Location: http://somewhere.com/login.php'); exit(); } ?>

    Read the article

  • X.509 certificate based authentication with OpenSSL (without using sockets)

    - by hartem
    Hi, Is there an alternative in OpenSSL to SSL_set_connect_state()/SSL_set_accept_state() for X.509 certificate based authentication? The problem is that in my application the client and server do not communicate using sockets, and the establishment of direct connection between them is not possible. So what I want from OpenSSL is to 'expose' the intermediate SSL context establishment messages which I would then convey to the party at the other end. Thanks for your help!

    Read the article

  • RESTFul, statelesness and sessions

    - by Per Arneng
    RESTFul service has a rule that it should be stateless. By beeing that it does not allow a session to be created and maintained by sending a session key between the client and the server and then holding a session state on the server. If i look at the definition in wikipedia of stateless server http://en.wikipedia.org/wiki/Stateless_server "A stateless server is a server that treats each request as an independent transaction that is unrelated to any previous request" It states that it should be unrelated to any previous request. In practice this means that any type of authentication will be comparing the credentials of a user to a state on the server that was created by a previous operation. So a service called login is related to and dependent on the state that has been created by previous requests (ex: create_user and/or change_password). In my view you are breaking statelessnes by doing authentication. My point is that people are complaining about having sessions in RESTFul is breaking statelesness but doing authentication is also breaking the same rule. What do you think?

    Read the article

  • Prevent query string manipulation by adding a hash?

    - by saille
    To protect a web application from query string manipulation, I was considering adding a query string parameter to every url which stores a SHA1 hash of all the other query string parameters & values, then validating against the hash on every request. Does this method provide strong protection against user manipulation of query string values? Are there any other downsides/side-effects to doing this? I am not particularly concerned about the 'ugly' urls for this private web application. Url's will still be 'bookmarkable' as the hash will always be the same for the same query string arguments. This is an ASP.NET application.

    Read the article

  • Execute binary from memory in C# .net with binary protected from a 3rd party software

    - by NoobTom
    i've the following scenario: i've a C# application.exe i pack application.exe inside TheMida, a software anti-piracy/reverse engineering. i encrypt application.exe with aes256. (i wrote my own aes encryption/decryption and it is working) Now, when i want to execute my application i do the following: decrypt application.exe in memory execute the application.exe with the following code: BinaryReader br = new BinaryReader(decOutput); byte[] bin = br.ReadBytes(Convert.ToInt32(decOutput.Length)); decOutput.Close(); br.Close(); // load the bytes into Assembly Assembly a = Assembly.Load(bin); // search for the Entry Point MethodInfo method = a.EntryPoint; if (method != null) { // create an istance of the Startup form Main method object o = a.CreateInstance(method.Name); // invoke the application starting point method.Invoke(o, null); the application does not execute correctly. Now, the problem i think, is that this method is only to execute .NET executable. Since i packed my application.exe inside TheMida this does not work. Is there a workaround to this situation? Any suggestion? Thank you in advance.

    Read the article

  • How does XmlSiteMapProvider check user to be in specified role?

    - by abatishchev
    I roll my own SiteMapProvider inheriting System.Web.XmlSiteMapProvider. I want to override logic of checking user to be in a role specified in siteMapNode's property roles: <siteMapNode url="Add.aspx?type=user" title="Add user" roles="admin" /> How can I do that? Which class's member does XmlSiteMapProvider call to check that if securityTrimmingEnabled="true"?

    Read the article

  • How would I access the Windows Login (Authentication) API from a C++ Service Application?

    - by Gabriel
    Let us imagine for a moment that I have a piece of hardware that can act as an authentication for a user on a given system. I want to write an application in C++ to run as a service, look for this device and if found log the appropriate user in. I believe I have found the API's I would need to use to perform the hardware and service portions of the application but am having a hard time nailing down a way to create a "real" user login. Is this possible? If so where would I look to find resources on accomplishing this? I think of it as being an analog to fingerprint scanner login type devices.

    Read the article

  • Password reset by email without a database table

    - by jpatokal
    The normal flow for resetting a user's password by mail is this: Generate a random string and store it in a database table Email string to user User clicks on link containing string String is validated against database; if it matches, user's pw is reset However, maintaining a table and expiring old strings etc seems like a bit of an unnecessary hassle. Are there any obvious flaws in this alternative approach? Generate a MD5 hash of the user's existing password Email hash string to user User clicks on link containing string String is validated by hashing existing pw again; if it matches, user's pw is reset Note that the user's password is already stored in a hashed and salted form, and I'm just hashing it once more to get a unique but repeatable string. And yes, there is one obvious "flaw": the reset link thus generated will not expire until the user changes their password (clicks the link). I don't really see why this would be a problem though -- if the mailbox is compromised, the user is screwed anyway.

    Read the article

  • Framework for adding users/groups/permissions functionality to an application (possibly integrating

    - by vfilby
    I am looking to see if there is a good library or framework that I can use to simplify adding user/group/permission management to a .Net application (4.0 VS2010). If the framework can work on it's own or integrate with Active Directory that would be a huge bonus. So far I have found Visual Guard, if you have any experience using Visual Guard to provide user/group/permission functionality I definitely want to hear your feedback on how you liked working with it, pitfalls and benefits

    Read the article

  • .NET How would I build a DAL to meet my requirments?

    - by Jonno
    Assuming that I must deploy an asp.net app over the following 3 servers: 1) DB - not public 2) 'middle' - not public 3) Web server - public I am not allowed to connect from the web server to the DB directly. I must pass through 'middle' - this is purely to slow down an attacker if they breached the web server. All db access is via stored procedures. No table access. I simply want to provide the web server with a ado dataset (I know many will dislike this, but this is the requirement). Using asmx web services - it works, but XML serialisation is slow and it's an extra set of code to maintain and deploy. Using a ssh/vpn tunnel so that the one connects to the db 'via' the middle server, seems to remove any possible benefit of maintaining 'middle'. Using WCF binary/tcp removes the XML problem, but still there is extra code. Is there an approach that provides the ease of ssh/vpn, but the potential benefit of having the dal on the middle server? Many thanks.

    Read the article

  • How does XmlSiteMapProvider check user to be in specific role?

    - by abatishchev
    I roll my own SiteMapProvider inheriting System.Web.XmlSiteMapProvider. I want to override logic of checking user to be in a role specified in siteMapNode's property roles: <siteMapNode url="Add.aspx?type=user" title="Add user" roles="admin" /> How can I do that? Which class's member does XmlSiteMapProvider call to check that if securityTrimmingEnabled="true"?

    Read the article

  • Prevent Cross-site request forgery - Never Rely on The SessionID Sent to Your Server in The Cookie H

    - by Yan Cheng CHEOK
    I am reading the tutorial at http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ It states Remember - you must never rely on the sessionID sent to your server in the cookie header ; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server. Is it use to prevent http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics With this mythology, is it sufficient enough to prevent to above attack?

    Read the article

  • Multiple login locations for an online app.

    - by Goro
    Hello, I am working on a browser based application that will have many users. The catch is that every user should have their own customized login page, but the actual application is the same for everyone, and needs to be in a central location. What is the most secure way of doing this? Would it make more sense to have a copy of the application for each user, and keep the database centralized? The projected number of users is not very high, probably around 20-80. Thank you,

    Read the article

  • Running shell scripts with sudo through my web app

    - by nfm
    I have some functionality that interfaces with the server's OS in my web application. I've written a bash script and am able to run it from within my app. However, some functionality of the script requires superuser privileges. What is the most sane way to run this script securely? It is being passed arguments from a web form, but should only be able to be called by authenticated users that I trust not to haxxor it.

    Read the article

  • Should I be worried about a ReDOS attack?

    - by PeeHaa
    Can the following code be use to ReDOS attack my site? Or will it just be ended when the max_execution_time is exceeded or is it a problem of the past? I use the following code to validate emailaddresses on my sites (by Douglas Lovell): function validate_email($email) { $isValid = true; $atIndex = strrpos($email, "@"); if (is_bool($atIndex) && !$atIndex) { $isValid = false; } else { $domain = substr($email, $atIndex+1); $local = substr($email, 0, $atIndex); $localLen = strlen($local); $domainLen = strlen($domain); if ($localLen < 1 || $localLen > 64) { // local part length exceeded $isValid = false; } else if ($domainLen < 1 || $domainLen > 255) { // domain part length exceeded $isValid = false; } else if ($local[0] == '.' || $local[$localLen-1] == '.') { // local part starts or ends with '.' $isValid = false; } else if (preg_match('/\\.\\./', $local)) { // local part has two consecutive dots $isValid = false; } else if (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)) { // character not valid in domain part $isValid = false; } else if (preg_match('/\\.\\./', $domain)) { // domain part has two consecutive dots $isValid = false; } else if(!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/', str_replace("\\\\","",$local))) { // character not valid in local part unless // local part is quoted if (!preg_match('/^"(\\\\"|[^"])+"$/', str_replace("\\\\","",$local))) { $isValid = false; } } if ($isValid && !(checkdnsrr($domain,"MX") || checkdnsrr($domain,"A"))) { // domain not found in DNS $isValid = false; } } return $isValid; }

    Read the article

  • How to securely communicate with a database using a java applet

    - by WarmWaffles
    I have been writing web applications for quite sometime in PHP with MySQL. I always stored my database connection information into a configuration variable and connected to the database that way. A client wants a java applet for their website to communicate with their database. I'm very hesitant on this because the applet is going to be public and I am not sure how I would go about storing the database connection information. I'm paranoid that someone would decompile my application or find some way to extract my database connection information and use it maliciously. Any suggestions on how to do this securely?

    Read the article

  • How to process AJAX requests more securely in PHP?

    - by animuson
    Ok, so I want to send AJAX requests to my website from my Flash games to process data, but I don't want people downloading them, decompiling them, then sending fake requests to be processed, so I'm trying to figure out the most secure way to process in the PHP files. My first idea was to use Apache's built in Authorization module to require a username and password to access the pages on a separate subdomain of my website, but then you'd have to include that username and password in the AJAX request anyway so that seems kind of pointless to even try. My current option looks pretty promising but I want to make sure it will work. Basically it just checks the IP address being sent using REMOTE_ADDR to make sure it's the IP address that my server runs on. <? $allowed = new Array("64.120.211.89", "64.120.211.90"); if (!in_array($_SERVER['REMOTE_ADDR'], $allowed)) header("HTTP/1.1 403 Forbidden"); ?> Both of those IP addresses point to my server. Things I'm worried about: 1) If I send a request from Flash/ActionScript, will that affect the IP address in any way? 2) Is it possible for malicious users to change the IP address that is being sent with REMOTE_ADDR to one of my IP addresses? Any other ways you would suggest that might be more secure?

    Read the article

  • ASP.NET MVC Authorize by Group

    - by Jimmo
    I have what seems like a common issue with SaaS applications, but have not seen this question on here anywhere. I am using ASP.NET MVC with Forms Authentication. I have implemented a custom membership provider to handle logic, but have one issue (perhaps the issue is in my mental picture of the system). As with many SaaS apps, Customers create accounts and use the app in a way that looks like they are the only ones present (they only see their items, users, etc.) In reality, there are generic controllers and views presenting data depending on their account. When calling something like ValidateUser, I have access to their affiliation in the User object - what I don't have is the context of the request to which to compare it. As an example, One company called ABC goes to abc.mysite.com Another company called XYZ goes to xyz.mysite.com When an ABC user calls http://abc.mysite.com/product/edit/12 I have an [Authorize] attribute on the Edit method in the ProductController to make sure he is signed in and has sufficient permission to do so. If that same ABC user tried to access http://xyz.mysite.com/product/edit/12 I would not want to validate him in the context of that call. In the ValidateUser of the MembershipProvider, I have the information about the user, but not about the request. I can tell that the user is from ABC, but I cannot tell that the request is for XYZ at that point in the code. How should I resolve this?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 157 158 159 160 161 162 163 164 165 166 167 168  | Next Page >