Search Results

Search found 15914 results on 637 pages for 'physical security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 177/637 | < Previous Page | 173 174 175 176 177 178 179 180 181 182 183 184  | Next Page >

  • How to make a secure login using UDID or device token?

    - by Erik B
    So I'm making an app where I want the users to be able add, edit and rate content, but I do not want to force them to register. Instead I was planning on just using their device id or device token to identify them. I'm planning on making both an iPhone and Android version, so I'm looking for a general solution, but the iPhone version has higher priority, so an iPhone specific solution would also be welcome. The problem is that I don't want just anyone to be able to use my web service by sending a phony device id or someone else's device id. How would the client prove to the server that it is providing the correct device id?

    Read the article

  • mysqli_stmt_bind_param SQL Injection

    - by profitphp
    Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param? For example: $malicious_input = 'bob"; drop table users'; mysqli_stmt_bind_param($stmt, 's', $malicious_input); Behind the scenes does mysqli_stmt_bind_param pass this query string to mysql: SET @username = "bob"; drop table users"; Or does it perform the SET command through the API, or use some type of protection to keep this from happening?

    Read the article

  • Too much data for RSA block fail. What is PKCS#7?

    - by Tom Brito
    Talking about javax.crypto.Cipher; I was trying to encrypt data using Cipher.getInstance("RSA/None/NoPadding", "BC"); but I got the exception: ArrayIndexOutOfBoundsException: too much data for RSA block Looks like is something related to the "NoPadding", so, reading about padding, looks like CBC is the best approach to use here. I found at google something about "RSA/CBC/PKCS#7", what is this "PKCS#7"? And why its not listed on sun's standard algorithm names?

    Read the article

  • Prevent strings stored in memory from being read by other programs

    - by Roy
    Some programs like ProcessExplorer are able to read strings in memory (for example, my error message written in the code could be displayed easily, even though it is compiled already). Imagine if I have a password string "123456" allocated sequentially in memory. What if hackers are able to get hold of the password typed by the user? Is there anyway to prevent strings from being seen so clearly? Oh yes, also, if I hash the password and sent it from client to server to compare the stored database hash value, won't the hacker be able to store the same hash and replay it to gain access to the user account? Is there anyway to prevent replaying? Thank You!

    Read the article

  • Self signed Certificate Based Authentication

    - by Tadi Vijay Kumar
    Hi All.. I have started a project based on Client server communication in java. What i'm doing is client and server have their own self signed certificates. In initial communication both client and server will exchange their certificates. Server has to verify clients certificate and should grant authentication. Where i struck was on what topic server can validate or invalidate a particular client..? I am unable to proceed from here. So please any of you can give brief explanation about it? if possible some Pseudocode in java..?

    Read the article

  • Is DB logging more secure than file logging for my PHP web app?

    - by iama
    I would like to log errors/informational and warning messages from within my web application to a log. I was initially thinking of logging all of these onto a text file. However, my PHP web app will need write access to the log files and the folder housing this log file may also need write access if log file rotation is desired which my web app currently does not have. The alternative is for me to log the messages to the MySQL database since my web app is already using the MySQL database for all its data storage needs. However, this got me thinking that going with the MySQL option is much better than the file option since I already have a configuration file with the database access information protected using file system permissions. If I now go with the log file option I need to tinker the file and folder access permissions and this will only make my application less secure and defeats the whole purpose of logging. Is this correct? I am using XAMPP for development and am a newbie to LAMP. Please let me know your recommendations for logging. Thanks.

    Read the article

  • Can this be improved? Scrubing of dangerous html tags.

    - by chobo2
    I been finding that for something that I consider pretty import there is very little information or libraries on how to deal with this problem. I found this while searching. I really don't know all the million ways that a hacker could try to insert the dangerous tags. I have a rich html editor so I need to keep non dangerous tags but strip out bad ones. So is this script missing anything? It uses html agility pack. public string ScrubHTML(string html) { HtmlDocument doc = new HtmlDocument(); doc.LoadHtml(html); //Remove potentially harmful elements HtmlNodeCollection nc = doc.DocumentNode.SelectNodes("//script|//link|//iframe|//frameset|//frame|//applet|//object|//embed"); if (nc != null) { foreach (HtmlNode node in nc) { node.ParentNode.RemoveChild(node, false); } } //remove hrefs to java/j/vbscript URLs nc = doc.DocumentNode.SelectNodes("//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'javascript')]|//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'jscript')]|//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'vbscript')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.SetAttributeValue("href", "#"); } } //remove img with refs to java/j/vbscript URLs nc = doc.DocumentNode.SelectNodes("//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'javascript')]|//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'jscript')]|//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'vbscript')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.SetAttributeValue("src", "#"); } } //remove on<Event> handlers from all tags nc = doc.DocumentNode.SelectNodes("//*[@onclick or @onmouseover or @onfocus or @onblur or @onmouseout or @ondoubleclick or @onload or @onunload]"); if (nc != null) { foreach (HtmlNode node in nc) { node.Attributes.Remove("onFocus"); node.Attributes.Remove("onBlur"); node.Attributes.Remove("onClick"); node.Attributes.Remove("onMouseOver"); node.Attributes.Remove("onMouseOut"); node.Attributes.Remove("onDoubleClick"); node.Attributes.Remove("onLoad"); node.Attributes.Remove("onUnload"); } } // remove any style attributes that contain the word expression (IE evaluates this as script) nc = doc.DocumentNode.SelectNodes("//*[contains(translate(@style, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'expression')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.Attributes.Remove("stYle"); } } return doc.DocumentNode.WriteTo(); }

    Read the article

  • Javascript CS-PRNG - 64-bit random

    - by Jack
    Hi, I need to generate a cryptographically secure 64-bit unsigned random integer in Javascript. The first problem is that Javascript only allows 64-bit signed integers, so 9223372036854775808 is the biggest supported integer without going into floating point use I think? To fix this I can use a big number library, no problem. My Method: var randNum = SHA256( randBigInt(128, 0) ) % 2^64; Where SHA256() is a secure hash function and randBigInt() is defined below as a non-crypto PRNG, im giving it a 128bit seed so brute force shouldn't be a problem. randBigInt(n,s) //return an n-bit random BigInt (n>=1). If s=1, then the most significant of those n bits is set to 1. Is this a secure method to generate a cryptographically secure 64-bit random int? And importantly does taking the 2^64 mod guarantee 100% I have a 64-bit number? An abstract example, say this number is prime (it isn't i know), I will use it in the Galois Field [2^p], where p must be 64bits so that every possible 1-63bit number is a field element. In this query, my random int must be larger than any 63-bit number. And Im not sure im correct in taking the 2^64 mod of a 256bit hash output. Thanks (hope that makes sense)

    Read the article

  • Facebook javascript in address bar, possible to replicate?

    - by DoMx
    This is my first experience with stackoverflow and I'm afraid my question asks of a lot for a first. I was looking at this thread: http://stackoverflow.com/questions/2634159/javascrypt-in-the-adress-bar-is-this-malicious and as you will see SLaks has very kindly deobfuscated the javascript and left us with what appears as the Javascript behind the automatic facebook invite code. As I'm fairly new to javascript, I was wondering, what other components were needed to get this code to work? You of course have the functions there and they are called by the obfuscated javascript but how exactly? Would it be possible to replicate this on a page of my own using the information available or is there more to this script I am missing? I am willing to financially assist somebody who could compile a solution for me. Thank you in advance.

    Read the article

  • How to secure the communication between an MSSQL database and a c# administrative tool?

    - by citronas
    How can I secure the communication between a C# programm running locally on my computer and a MSSQL Server in a hosted environment? I have an asp.net application that is secured by SSL encryption. So using the asp.net from an open wlan connection is no problem. How can I achieve the same kind of encryption for my administrative tool? Would it be best to write a service? But how would that connection to the service be secured?

    Read the article

  • How can I create and use a web service in public but still restrict its use to only my app?

    - by Glenn
    I'm creating a web service with create/update/delete calls. But for now I'd like to restrict use of it on my own web app and no other clients. How can I have clear text javascript code that makes these calls but still be confident the credentials won't be used elsewhere? My idea is to use server side generated nonces for each request. But I am open to different ideas you guys may have. Thanks.

    Read the article

  • How to protect applications ?

    - by haansi
    My Boss have given me assignment to find how a web based application developed in dot net can be protected. As per agreement products developed in our company are asset of company and even not developers can gave the code. But still he wants to know how he can protect products in case a developer theft code and try to launch it from his home ? Please guide how this can be controlled.

    Read the article

  • Java - store sensitive data

    - by Mike
    Hello. I develop application with Java. I need to store some initial configuration data in some kind of file. I want my app to be able to read this data, but I don't want user to do so. Example : application loads IP from encrypted file. User sees like "dsda@#21da@" so he won't bother doing anything :) How should I do such a thing? Thanx!

    Read the article

  • Attack from anonymous proxy

    - by mmgn
    We got attacked by some very-bored teenagers registering in our forums and posting very explicit material using anonymous proxy websites, like http://proxify.com/ Is there a way to check the registration IP against a black list database? Has anyone experienced this and had success?

    Read the article

  • Which Happens First? Anyone Know Exactly How The Apache Server Will Handle This Request?

    - by user310594
    Hello, To keep things simple, please allow the "assumption" that some code requires the use of a full URL, even though the domain is on the same server, i.e. a simple file path cannot be used. TCP/IP?? Question: If a form action target = "http://this-full-URL.com/postdata" (for example) and that URL is also on the same server, then which happens first? A) Data is sent "out onto the web", and then returns to the same server, or B) Before sending any (possibly sensitive) data, the server (Linux, Apache, PHP), first "discovers" the target address is local, so (clearly) no data is sent over the net? Thank you.

    Read the article

  • SSL Authentication with Certificates: Should the Certificates have a hostname?

    - by sixtyfootersdude
    Summary JBoss allows clients and servers to authenticate using certificates and ssl. One thing that seems strange is that you are not required to give your hostname on the certificate. I think that this means if Server B is in your truststore, Sever B can pretend to be any server that they want. (And likewise: if Client B is in your truststore...) Am I missing something here? Authentication Steps (Summary of Wikipeida Page) Client Server ================================================================================================= 1) Client sends Client Hello ENCRIPTION: None - highest TLS protocol supported - random number - list of cipher suites - compression methods 2) Sever Hello ENCRIPTION: None - highest TLS protocol supported - random number - choosen cipher suite - choosen compression method 3) Certificate Message ENCRIPTION: None - 4) ServerHelloDone ENCRIPTION: None 5) Certificate Message ENCRIPTION: None 6) ClientKeyExchange Message ENCRIPTION: server's public key => only server can read => if sever can read this he must own the certificate - may contain a PreMasterSecerate, public key or nothing (depends on cipher) 7) CertificateVerify Message ENCRIPTION: clients private key - purpose is to prove to the server that client owns the cert 8) BOTH CLIENT AND SERVER: - use random numbers and PreMasterSecret to compute a common secerate 9) Finished message - contains a has and MAC over previous handshakes (to ensure that those unincripted messages did not get broken) 10) Finished message - samething Sever Knows The client has the public key for the sent certificate (step 7) The client's certificate is valid because either: it has been signed by a CA (verisign) it has been self-signed BUT it is in the server's truststore It is not a replay attack because presumably the random number (step 1 or 2) is sent with each message Client Knows The server has the public key for the sent certificate (step 6 with step 8) The server's certificate is valid because either: it has been signed by a CA (verisign) it has been self-signed BUT it is in the client's truststore It is not a replay attack because presumably the random number (step 1 or 2) is sent with each message Potential Problem Suppose the client's truststore has certs in it: Server A Server B (malicous) Server A has hostname www.A.com Server B has hostname www.B.com Suppose: The client tries to connect to Server A but Server B launches a man in the middle attack. Since server B: has a public key for the certificate that will be sent to the client has a "valid certificate" (a cert in the truststore) And since: certificates do not have a hostname feild in them It seems like Server B can pretend to be Server A easily. Is there something that I am missing?

    Read the article

  • Best evidence to offer a sandboxed appdomain for a C# evaluator.

    - by scope-creep
    I have a c# evaluator which uses the (I think) the .Net 4 new simplified sandboxed appdomain model to host the c# assembly, with remoting doing the rest. The call to create the appdomain is Evidence ev = new Evidence(); ev.AddHostEvidence(new Zone(SecurityZone.Trusted)); PermissionSet pset = SecurityManager.GetStandardSandbox(ev); AppDomainSetup ads = new AppDomainSetup(); ads.ApplicationBase = "C:\\Sandbox"; // Create the sandboxed domain. AppDomain sandbox = AppDomain.CreateDomain( "Sandboxed Domain", ev, ads, pset, null); The c# eval is embedded in a server app, but I don't want give the sandbox to much control unless it bo bo's the caller. What i'm looking for is regarding some clarification as to what to provide as Evidence from the caller. I'm looking for advice and guidance. Any help would be appreciated.

    Read the article

  • How to inject dependencies into a CustomUserNamePasswordValidator in WCF?

    - by Dannerbo
    I'm using a UserNamePasswordValidator in WCF along with Unity for my dependency injection, but since WCF creates the instance of the UserNamePasswordValidator, I cannot inject my container into the class. So how would one go about this? The simplest solution I can think of is to create a static proxy/wrapper class around a static instance of a UnityContainer, which exposes all the same methods... This way, any class can access the container, and I don't need to inject it everywhere. So I could just do UnityContainerWrapper.Resolve() anywhere in code. So basically this solution solves 2 problems for me, I can use it in classes that I'm not creating an instance of, and I can use it anywhere without having to inject the container into a bunch of classes. The only downside I can think of is that I'm now potentially exposing my container to a bunch of classes that wouldn't of had access to the container before. Not really sure if this is even a problem though?

    Read the article

  • Password checking in dojo

    - by Richard
    I want to check that two passwords are the same using Dojo. Here is the HTML I have: <form id="form" action="." dojoType="dijit.form.Form" / <pPassword: <input type="password" name="password1" id="password1" dojoType="dijit.form.ValidationTextBox" required="true" invalidMessage="Please type a password" /</p <pConfirm: <input type="password" name="password2" id="password2" dojoType="dijit.form.ValidationTextBox" required="true" invalidMessage="This password doesn't match your first password" /</p <div dojoType="dijit.form.Button" onClick="onSave"Save</div </form Here is the JavaScript I have so far: var onSave = function() { if(dijit.byId('form').validate()) { alert('Good form'); } else { alert('Bad form'); } } Thanks for your help. I could do this in pure JavaScript, but I'm trying to find the Dojo way of doing it.

    Read the article

  • c# Sending emails with authentication. standard approach not working

    - by Ready Cent
    I am trying to send an email using the following very standard code. However, I get the error that follow... MailMessage message = new MailMessage(); message.Sender = new MailAddress("[email protected]"); message.To.Add("[email protected]"); message.Subject = "test subject"; message.Body = "test body"; SmtpClient client = new SmtpClient(); client.Host = "mail.myhost.com"; //client.Port = 587; NetworkCredential cred = new NetworkCredential(); cred.UserName = "[email protected]"; cred.Password = "correct password"; cred.Domain = "mail.myhost.com"; client.Credentials = cred; client.UseDefaultCredentials = false; client.Send(message); Mailbox unavailable. The server response was: No such user here. This recipient email address definitely works. To make this account work I had to do some special steps in outlook. Specifically, I had to do change account settings - more settings - outgoing server - my outgoing server requires authentication & use same settings. I am wondering if there is some other strategy. I think the key here is that my host is Server Intellect and I know that some people on here use them so hopefully someone else has been able to get through this. I did talk to support but they said with coding issues I am on my own :o

    Read the article

  • How to prevent arbitrary code execution vulnerability in our programs?

    - by Calmarius
    You always read in changelogs when your system or browser or any program updates that they fixed a bug that made possible that an attacker can execute any code in your computer with a forged website, or attacking your computer with carefully forged packets, etc... Because you read it so often that means any program can have similar vulnerabilites... What causes this? how to design our programs to prevent similar issues?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 173 174 175 176 177 178 179 180 181 182 183 184  | Next Page >