
SELECT within SELECT PDO prepared statement [duplicate]

php,mysql,security,pdo,prepared-statement

To clear any confusion, what I'm doing is this: $pdo = new PDO('..'); $sql = 'SELECT id FROM users WHERE username = :username'; $statement = $pdo->prepare($sql); $statement->bindParam(':username', $_POST['username']); The question is, what if $_POST['username'] contains 'SELECT * FROM users' (or any other query)? This query would return the ids...

Authenticating plain text passwords against md5 hash in DB using Apache Shiro

java,security,shiro

Removing the below property made this work. I think for an MD5 hash we need not specify the below property. credentialsMatcher.hashIterations=1024 ...

JQuery Add expiration to authentication token stored with HTML5 localStorage?

php,jquery,mysql,security,authentication

The usual php session_start() method is fine to use over HTTPS, and I think it is best solution for you. Let the server handle the session for you. As SilverlightFox has pointed out, it's a good idea to use http only session cookies. Before you start your session use session_set_cookie_params...

salt created by Java SecureRandom has different getBytes() value [duplicate]

java,security,salt

Don't do that: String salt = new String(bytes); You are transforming a series of bytes into a string using the default encoding of the machine. You should keep the byte array as a byte array. If you store the data in a database you can store it in a binary...

Spring Boot MVC non-role based security

java,security,spring-mvc,spring-boot

Maybe @PreAuthorize or @PostAuthorize will be enough for you; it depends what exactly you need. You can try something like this: @PostAuthorize("returnObject.widget.owner.id == principal.id") public Widget getWidgetById(long id) { // ... return widget; } UPDATE: You can use Pre/Post Authorize since Spring Security 3.0 and as you said it provides...

Unsure if website has been hacked with iframe

javascript,html,security,iframe

Oops! Turns out my domain provider (separate from my web host) had enabled forwarding "with cloaking" and this caused my site to be shown in an iframe....

shared memory performance and protection from other processes

linux,security,shared-memory

An alternative architecture you might consider is dynamic loading. Instead of 2 processes, you have just the first one; it uses dlopen() to load your newly compiled code. It calls the entry point of this "library", and the code has access to all the space including the persistent variables. On...

Websocket (java ee) how to get role of current user

security,java-ee,websocket,wildfly

For this you will have to modify the Websocket handshake. You can do this as below: 1) Modify your websocket endpoint to use a custom configurator @ServerEndpoint(value = "/someWSEndpoint", configurator = SomeCustomConfigurationClass.class) public class SomeWSService { ... } 2) Modify the WS Handshake similar to public class SomeCustomConfigurationClass extends ServerEndpointConfig.Configurator { @Override...

Risk of using a persistent XSRF-TOKEN cookie in Angular

javascript,angularjs,security,csrf

What are risks if I make the cookie persistent and manually set the X-XSRF-TOKEN HTTP header? The risk is that an attacker could eventually brute force the token value. The recommendation is to have a new CSRF token per session. If you make this persistent then a malicious site...

Android encryption and decryption of text fails

android,security,encryption,encryption-symmetric

The output type of Cipher#doFinal(byte[]) is byte[], but Arrays don't have a default way in which their contents are printed. By calling byte[].toString() on an array, you're simply printing its type and hash code. (More on this here) What you want is decrypted = new String(cipher2.doFinal(decodedBytes), "UTF-8"); which tells the...

Does ajax increase or decrease security?

javascript,php,ajax,security

AJAX itself will not increase or decrease the security of your site, at least if its implementation is elaborate. The client (browser) will have turned JavaScript on or off. If it is turned on, there may be more insecurities on the client side, but this won't affect your server and...

Would delayed display of an email address be useful against email scrapers?

javascript,security,spam-prevention,email-spam

It entirely depends on the spambot. This could stop some spambots, but it wouldn't stop a scraper designed specifically to work around this defense. That's how arms races work. It would be pretty straightforward to build a bot that works around this defense you have in mind. You could use...

What does “ModLoad” do in Python code?

python,security,exploit

You may refer to this: modload It looks like that someone is debugging the python code in windbg. And the 'ModLoad' lines, together with others, are just the debugger output.

RSA algorithm generates ? characters in Java

java,android,security,rsa

new String(encriptedSMS,"UTF-8") Your problem is here. encriptedSMS does not contain UTF-8 encoded text, so this is wrong. There is no correct way to "convert" a byte array into a String, unless the byte array contains encoded text (like you would get from someString.getBytes("UTF-8")). However, there are ways to encode a...

PHP: Secure a Rest Service with a Token mixed with Timestamp

php,rest,security,amazon-web-services,token

After you've got the token from the client you need to check two things: the validity of the token and its timestamp. There are two scenarios: Make the timestamp part of the token: function getToken($timestamp) { return $timestamp . encrypt(getPKey(), $timestamp); } $token = genToken(time()); And then validate it: $token = $_POST['token']; function...

Hide sensitive information from git changes

git,security

What you probably are looking for is a filter. You set these up in your .gitattributes file to run one substitution upon adding a file to the staging area, and another substitution upon checkout: The image is from the .gitattributes section of the Git book, which has details on how...

Securing RTP packets without encrypting each packets

security,encryption,sip,voip,rtp

I believe some of your concerns are addressed in the following IETF spec - https://tools.ietf.org/html/rfc7201 - Options for Securing RTP Sessions. But IMO, there is a cost of security w.r.t. processing and that's a given for the enhanced layer of protection. I haven't come across any other fancier ways other...

CakePHP - Controller testing failed because of Security component

security,unit-testing,cakephp,cakephp-3.0

That is to be expected, as you're not sending the necessary security token, which is what the security component requires. Just look at your generated form, it will contain hidden inputs for the _Token field, with the subkeys fields and unlocked, where fields will contain a hash and possibly the...

NDK application Signature Check

java,android,security,android-ndk,digital-signature

I will try to answer your first question here: The signature of your application is stored in the DEX (Dalvik executable) file of your APK. DEX files have the following structure: Header Data section (contains strings, code instructions, fields, etc.) Arrays of method identifiers, class identifiers, etc. So, this is the beginning of the...

How to secure a controller on WebAPI for use by only the local machine

c#,security,asp.net-web-api,certificate

If you ONLY wanted to accept requests that originated from the same machine, you could check the IsLocal property of the request context MSDN. HttpRequest.Context.Request.IsLocal You could then build it into a custom authorize attribute and register it globally, enforcing the requirement on all of your Web API controllers. public...

Is client-side java intrinsically less secure than javascript?

java,javascript,security

It's not a matter of language. It's a matter of environment. Running Java applets on a web page currently involves using a Java plug-in, which takes a JVM that includes features to do all kinds of things we wouldn't want a web page to be able to do and runs...

SAML service provider signature verification

security,single-sign-on,saml,pingfederate

From a very high level, yes, your three steps are correct. More specific: 1 will include decoding the base64 encoded response, checking against schema, etc. 2 will be done via signature validation, checking the authority, seeing if it's a response to a sent AuthnRequest and matching it, etc. 3 comes...

phantomjs --web-security=no

security,phantomjs,casperjs

Maybe. Allowing cross domain XHR opens up a few attacks. E.g. see http://stackoverflow.com/a/7615287/841830. See also Is CORS a secure way to do cross-domain AJAX requests? But this tends not to come up with the normal use cases for Phantom: whether you are testing your own web site, or screen-scraping, you...

Forgotten password reset page: should the user need to enter a username/email as well?

security,user-management,forgot-password,reset-password

I don't see any value in doing this. Just make your key secure. Perhaps a 128-bit (that's 22 base 64 encoded characters) secure random. That seems large enough. Also add a timeout to the token life span. 24 hours seems a fine compromise between security and inconvenience. I like the...

Authorization Model: Context of Role?

security,authorization,claims-based-identity,abac,role-based-access-control

Actually, you should not attempt to implement a new authorization model. There is already a good model called attribute-based access control (or ABAC - see the SO tag abac and xacml). ABAC is an authorization model that: is defined by NIST, the National Institute of Standards and Technology, the very...

How to secure an Android-PHP-MySQL connection

php,android,mysql,security

This may be an overly simplistic answer, but couldn't you use SSL to encrypt the connection, and POST the keys? This way the POST data would not be visible to a sniffer, and 'outsiders' cannot make meaningful requests that will actually be processed by your script if they did know the...

How can we create our own string encoding-decoding or encryption-decryption script in java without using any given library i.e. Base64, AES, etc?

java,security,encryption,encoding,cryptography

Maintaining a HashMap of Key(the value getting replaced) with a value(the value to be replaced) and just changing the string using a simple function will do. import java.util.HashMap; import java.util.Map.Entry; public class Encrypt { /** * @param args */ static HashMap<String, String> hm = new HashMap(); public static void main(String[]...

How can I make a postgres role that has limited access, no insert update, but can do maintenance tasks like reindex and backups?

postgresql,security,vbscript

You can always wrap the command in a function. Run the function with its definer's privileges. Give execute privileges to someone else. Example: set role roleThatOwnsTable1; /* SECURITY DEFINER tells Postgres to run the function with the privileges of the role that defined the function, as opposed to the privileges...

Is it possible for a user to modify site javascript in browser?

javascript,security

Security is a big topic in the web development world and it is important for you to determine how secure your web application should be. There are 3 parts for you to notice: Frontend (the website): everything here is insecure; whatever is shown to you in the browser could be changed...

Django user login through api [duplicate]

django,security,django-rest-framework

Keep in mind using a Django form will only allow you to use SessionAuthentication under DRF - more notes here. Short of it is to use the Django LoginViews when creating login pages, and the notes on using CSRF tokens if you do use Session Auth with DRF. http://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication How...

PHP shell input sanitizing

php,git,shell,security

You're on the right track. You can use [^0-9a-f] instead of [^0-9a-z] to prevent someone from passing a non-hexadecimal character. $arg = preg_replace('/[^0-9a-f]/', '', $arg); if (strlen($arg) === 40) { // We have a SHA-1 hash shell_exec("git checkout {$arg}"); } In general cases, escapeshellarg() is what you want to use,...

What stops someone from forging a password reset link?

php,security,passwords,md5

You should opt for a workflow like: Generate a new GUID, save it against the user account, call it PasswordResetToken The email you send should redirect the user to /[email protected]&resetToken=XXXXXXXXXXX You verify that the reset token exists for the user account specified Ask the user to enter a new password...

What are all the methods to delete local-storage data?

javascript,php,security,credentials,web-storage

I'm building a web app that uses HTML-local-storage to replace PHP sessions and cookies. Local storage is a solution aimed at replacing neither. Local storage is for storing data client-side. Cookies are for identifying clients at the HTTP level. PHP sessions are meant for storing data server-side, usually keyed...

Our OAuth2 implementation has security flaws

java,angularjs,security,oauth-2.0,hacking

You've successfully implemented a session hijack. This happens because sessions are based on tokens stored in the web page or cookies rather than IP addresses or something. This makes sense because IP addresses can be spoofed while a cryptographically secure session token is practically impossible to spoof. While you could...

Getting “format not a string literal and no format arguments” warning while using GTK+2

c,security,gcc,gtk,gcc-warning

The answer is quite simple. You have to add "%s" to the arguments of the gtk_message_dialog_new() function like this: static void show_message (gchar *message, GtkMessageType type) { GtkWidget *dialog = gtk_message_dialog_new(NULL, 0, type, GTK_BUTTONS_OK, "%s", message); gtk_dialog_run(GTK_DIALOG(dialog)); gtk_widget_destroy(dialog); } Basically, the lack of "%s" is considered non-secure by gcc. You...

Docker for a one shot CLI application

linux,security,docker,workflow,bioinformatics

If users will be able to execute docker run then they will be able to control the host system, just because they could map files from host to container, and in the container they could always be root if they could use docker run or docker exec. So users should not be able...

iptables put all forwarding rules in prerouting

linux,security,networking,firewall,iptables

If a packet does not match any rules in your PREROUTING chain, there is nothing to prevent it from hitting your FORWARD chain, unless you set the default PREROUTING policy to DROP. Packets only go to the INPUT chain if their destination address is an address that belongs to a...

How to STOP browsers from sharing session amongst tabs?

javascript,jsp,security,browser,spring-security

On successful login put some value in sessionStorage.setItem('userId',userId) and whenever a user opens a new tab and tries to login, check if sessionStorage.getItem('userId') is available; if null it means it is a new tab / redirect to the login page. Session storage is tab specific and data are not shared between different...

Protect video from capturing

java,security,web,filesystems,system

I think that it is not possible to prevent a user from video capturing. You can make it harder but you will never prevent a user from capturing the screen of his computer. Even if you control the process list of the computer (which I guess is impossible, or impossible for most users) you still...

Headers for security

security,http,header

You definitely don't want to put them in HTML using <meta> tags, as JavaScript can just remove them, and (correct) browsers will ignore them. You need to set them as HTTP response headers on the server, and this depends on your server / framework. You also don't want to do...

Code fails for decrypting without salt or iv in Java

java,security,encryption,aes,password-encryption

You can decrypt the ciphertext in exercise 3.8 by using the simple ECB mode of AES, which does not use an IV. Since you have the key, there is no need for salt (there is no key derivation). Use AES 256 ECB mode in Java, and pass the key as...

Am I safe?? [trying to prevent sql injection] [duplicate]

php,mysql,security,laravel,pdo

The question is somewhat unanswerable (at least not in a way that will not give you a false sense of security) with the amount of resource provided. Since you are using PDO I'll go right ahead and say that you ought to be using prepared statements. Injection on a whole primarily...

Creating My Symmetric Key in C#

c#,security,encryption,cryptography,aes

Symmetric encryption algorithms most often need a binary array as a key. It raises the following questions: how to get the binary data for the key? The key should be random. If it is not random, it is easier for others to figure out. Unfortunately, it is not that...

How can we improve SSL handshake to increase the security?

security,ssl,encryption,server,cl

I'm not sure that you quite have this right. The connection is supposed to be: client <--> server The client knows that it's talking to the server due to the SSL handshake and validation of the server certificate. Your question is what would happen if: client // MiTM <--> server...

Invalidate user credentials when password changes

asp.net,asp.net-mvc,security,asp.net-identity

Not immediately; it will take 30 minutes by default for old cookies to invalidate in ASP.NET Identity 2. ASP.NET Identity doesn't check the database on every request for that; it has an interval. Use SecurityStamp to change it. You can set it in Startup.Auth.cs; the default is 30 minutes. Set the...

Smashing the stack example3 ala Aleph One

c,security,pointers,stack-smash

The first, and very important, thing to note: all numbers and offsets are very compiler-dependent. Different compilers, and even the same compiler with different settings, can produce drastically different assemblies. For example, many compilers can (and will) remove buf2 because it's not used. They can also remove x = 0...

How to restrict file copying shared using Content Provider in Android?

android,security

No, sorry. If you hand bytes over to a third-party app, that third-party app can do what it wants with those bytes. So only solution is to use some in-app pdf reader right? This will not completely stop people from copying your PDFs. However, it will limit attacks to those...

MySQL Access Control

mysql,node.js,security,access-control,row-level-security

There are three approaches you could take: Do it within the app Do it between the app and the db, inside a db proxy Do it inside the database The first option wouldn't really qualify as row-level access control since the application logic is the one responsible for the filtering...

Where can I configure groups like “stock.group_stock_user” with Open ERP?

security,openerp-7,groups

Groups are the key role in Odoo (formerly OpenERP). Security based on the user security group is the major role for implementing any module for specific user access. How to create the Group and update the existing group in OpenERP: I am just updating the existing security Group...

Client side password hash versus plain text

security,hash,passwords,client,password-hash

Most websites will send the password plain-text over an encrypted connection (SSL/HTTPS). Hashing the password client-side can be done, but the advantage is small and often client-side languages (JavaScript) are slow, so you can calculate fewer rounds in the same time, which weakens the hash. In every case the server...

What is HTTP Parameter Pollution attack in NodeJS/ExpressJs

javascript,node.js,security,express

What they say is that the mechanism of transforming a simple value parameter into an array parameter can be exploited. If you expect name to be a string: ?name=hello They can transform it into an array like this: ?name=hello1&name=hello2 You will not get a string but an array: [ "hello1",...

Is it considered bad practice to reference the Microsoft.AspNet.Identity in the service layer of a multi layered web application?

c#,asp.net,asp.net-mvc,security,asp.net-identity

Is it okay to set the Thread.CurrentPrincipal in the PostAuthenticationRequest method? Yes it is ok to assign Principal object (HttpContext.Current.User) to current thread. Is it okay to reference the using Microsoft.AspNet.Identity in my service layer? It is not a good practice, although you can access it. The reasons are...

Spring boot security with 3 fields authentication and custom login form

spring,security,spring-security,spring-boot

Actually I managed to find a solution to my issue. I added a successHandler on successfulAuthentication, which was missing! And a failureHandler too on the unsuccessfulAuthentication method. Here is my new Authentication filter: public class TwoFactorAuthenticationFilter extends UsernamePasswordAuthenticationFilter { private static final String LOGIN_SUCCESS_URL = "{0}/bleamcards/{1}/home"; private static final String LOGIN_ERROR_URL...

RSA encryption in Android and Java

java,android,security,encryption,rsa

It looks like you've been undone by relying on defaults. Never do that if you hope for interoperability. Here are the two examples of mistakenly relying on defaults in your code that I've found. final Cipher cipher = Cipher.getInstance("RSA"); The transformation string is supposed to be of the form "algorithm/mode/padding"...

AWS S3 The security of a signed URL as a hyperlink

security,hyperlink,amazon-s3,download

AWS Security Credentials are used when making API calls to AWS. They consist of two components: Access Key (eg AKIAISEMTXNOG4ABPC6Q): This is similar to a username. It is okay for people to see it. Secret Key: This is a long string of random characters that is a shared secret between...

X509Certificate: what is the difference between getIssuerDN() and getSubjectDN() methods

java,security,authentication,x509

These methods read from two different fields in the certificate. They may return the same result in your case but not in general. Please refer to getIssuerDN() and getSubjectDN()....

Wordpress: Changed HTTP to HTTPS, now security certificate error

wordpress,security,https

After several hours of trying to fix this problem, I found a great YouTube video: "Fix WordPress Site URL: General Settings Change, Cant Login". I will say how to fix this though in case anyone ever does what I did. You login to your cPanel>Databases>phpMyAdmin. Go to the database for...

When a security update is applied as a patch, does the product name change?

security,patch

No, the installed OS name will not change as the result of a patch. Only an OS upgrade/reinstall does that (and service packs change the service pack level).

Why is this SQL injection 'sleep' attack an effective denial of service?

mysql,security,sql-injection

Not sure on the etiquette here but I just wanted to mark this as solved with the help of PM77-1's comment here. Basically the SLEEP(5) happens for every record since the conditional must be evaluated for each. In my test table, I only had one record, so I could not...

HTTP Basic authentication (Java / Jersey)

java,web-services,rest,security

That's because the basic authentication scheme is an implicit authentication scheme. Once authenticated, the browser will automatically include the credential on subsequent requests. The only way to prevent this is to open an anonymous session or close the browser. These authentication schemes are vulnerable to CSRF attacks. There are other...

How to sanitize and store user input that contains an HTML regex pattern in WordPress

php,html,wordpress,security,html-sanitizing

From the comments, it sounds like you are concerned about two separate issues (and possibly unaware of a third one that I will mention in a minute) and looking for one solution for both: SQL Injection and Cross-Site Scripting. You have to treat each one separately. I implore you to...

Checking if the file is rar through its bytes

c#,security,byte

This is because you have just copied a function from somewhere for a different filetype and not every filetype has any notion of a "subheader". You only need to check the main header in the case of RAR. I also suggest modifying the naming of the variables, it is quite...

Android how to handle sensitive data in memory

android,security,passwords

Please how do I prevent this from happening? I wear tin-foil hats on a professional basis (besides, I think they look spiffy...), and this is beyond what I normally worry about. I'd worry about making your HTTPS code won't be the victim of a Martian-in-the-middle (MITM) attack, as that's...

Ensure I'm working with my software and not an imposter. Windows, Java, Hardware

java,windows,security,malware,integrity

Your best bet is to follow a standard procedure for this. In a nutshell, here's what you can do. On your machine: Place your code into a jar file Digitally sign jar file with a private key Distribute your public key to the code runner machine On code runner machine...

Mass Assignment Vulnerability

ruby-on-rails,security,ruby-on-rails-4,mass-assignment

First and foremost, this line num_users = A.where(:name => "NEW").count works fine with or without using mass-assignment. This is because the where method does not assign data to a model record. On the other hand, it is rare to see a question with ruby-on-rails-4 and mass-assignment tags (there are only 7...

Android NullPointer Exception in method kpg.initializate

java,android,security,rsa

The problem is calling findViewById(R.id.tViewPUK) before setContentView(R.layout.activity_main);.

server listens on 127.0.0.1, do I need firewall?

security,networking,localhost,firewall

127.0.0.1 is only for local computer "loopback". Such packets are required to be dropped if they come from outside the local computer. So no firewall is required if the app is only listening on 127.0.0.1.

Limiting a Web Worker's resources and permissions

javascript,html5,security,iframe,web-worker

Google has done most of that heavy lifting for you with Caja. They use this to create a safe 'sandbox' for adverts to run on the page while isolating them from doing too much damage....

Trojan(Simple Client-Server in C)

c,security,firewall,virus,trojan

Avira : AMES is using the Avira engine for virus detection. If the Avira engine is not able to detect a virus, then the most likely cause could be that this virus is brand new and cannot be detected yet. We would greatly appreciate if you submit the suspicious file...

Hashing passwords even when password is server-generated?

php,mysql,security,hash

Security is something done in layers and each layer is designed to raise the cost of doing something you don't want them to. Do security guards prevent robberies? No, but they raise the cost of committing one to where most people won't bother. Hashes don't prevent people from hacking your...

SMTP ports - SSL vs non-SSL

security,ssl,phpmailer

It may be possible to encrypt all traffic with SASL as they say, but the distinction is academic because PHPMailer doesn't support SASL for either authentication or any subsequent traffic, but does support SSL and TLS. So if you're using PHPMailer to send to them and you're not using SSL...

How to customize the spring-security authentication process with my own mechanism

java,spring,security,spring-mvc,spring-security

First of all, taking the password from the database in a server-side application is not vulnerable, because if you can access the table data then there is no use of it. Wrong concepts - Spring security is not about returning a result code from the database. It's about authentication and authorization. You can enable...

Searchable row-level encryption using Java?

java,database,security,encryption,bouncycastle

One of the most important properties of good encryption is that similar plaintexts are encrypted into vastly different ciphertexts. Roughly half of the bits of two ciphertexts will match. This property makes it hard (impossible) to formulate any kind of query that looks for substrings through LIKE or determines whether...

Using s3 in a healthcare application, private links

ruby-on-rails,security,amazon-s3,privacy

From the Documentation, you should use one of Amazon's "canned" ACLs. Amazon accepts the following canned ACLs: :private :public_read :public_read_write :authenticated_read :bucket_owner_read :bucket_owner_full_control You can specify the ACL at bucket creation or later update a bucket. # at create time, defaults to :private when not specified bucket = s3.buckets.create('name', :acl...

Placing secure data in Java web application

java,security,tomcat

Using a servlet does not make anything secure by itself. You don't need a Java tool to connect; you can even use Telnet, any scripting language, or create your own socket. Just use a download servlet from somewhere and at least Basic authentication ("information hiding" is no security aspect ;)....

Configure Apache web server to perform SSL authentication

linux,apache,security,ssl,xampp

Bitnami developer here. In XAMPP the SSL configuration is located in the /opt/lampp/etc/extras/httpd-ssl.conf file, where there is a default VirtualHost already configured on port 443, and you are trying to bind the same port again. Please try to modify this file instead. You can check if there is any other process...

Run Golang as www-data

security,go

Expanding on @JimB's answer: Use a process supervisor to run your application as a specific user (and handle restarts/crashes, log re-direction, etc). setuid and setgid are universally bad ideas for multi-threaded applications. Either use your OS' process manager (Upstart, systemd, sysvinit) or a standalone process manager (Supervisor, runit, monit, etc)....

How is rails CSRF generated token useful?

ruby-on-rails,security,csrf

Let's say you want to hack your friend's PayPal account and make him buy you something. You can make an email that will tell him to click on this button to get a free cookie. Your friend, being fooled by the email, will click the button. If you make this button...

Can I use plone.protect 3.0 with Plone 4.3?

forms,security,plone,csrf,plone-4.x

I have only a little experience with it and played around with plone.protect 3.x and Plone 4.3.2, but nothing serious. I had also a lot of addons installed, so I cannot say if there were problems with Plone itself, or an addon. Here are my notes: Yes you can enable...

“Invalid use of a side-effecting operator 'OPEN SYMMETRIC KEY' within a function.” error while opening a symmetric key

sql-server,sql-server-2008,security,sql-server-2012,encryption-symmetric

There are several things you can do inside a procedure but can't do inside a function. Based on Ben Cull's blog, you can get around this limitation by creating a procedure that handles opening the keys and call that before using the function. The procedure: CREATE PROCEDURE OpenKeys AS BEGIN...

Preventing brute-force login attempts [closed]

security,server,accounts

My team just tackled this exact same problem and, given how ultimately simple our solution was, it was a long road to get there. There are so many factors that need to be taken into consideration here, most of which you have already covered. Luckily for us, all the DDoS/DoS...

PHP token security

php,security,login,token

There is no vulnerability inherent to using GET instead of, for example, POST from a network perspective. The only caveat you should keep in mind is that a GET request is more likely to be stored on the client (e.g. browser history) in a way you might not intend. For...

ClickOnce, reflection and security

.net,security,clickonce,appdomain

I found the problem. This is the solution for anyone in my situation: I forgot to set the domain permission: Dim permissions As New Security.PermissionSet(Security.Permissions.PermissionState.Unrestricted) Dim adSetup As New AppDomainSetup() adSetup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory Dim dom As AppDomain = AppDomain.CreateDomain(Guid.NewGuid.ToString, AppDomain.CurrentDomain.Evidence, adSetup, permissions) ...

User process can't see global shared memory created by service

c++,windows,security,winapi,memory-mapped-files

Your service is closing its handle to the file mapping immediately after creating it, thus the mapping is being destroyed before the app has a chance to open its handle to the mapping. Your service needs to leave its handle to the mapping open, at least until after the app...

Role concept in the authorization

java,security,authorization

I would strongly suggest against implementing your own logic. Just search around on SO for many failed attempts. There are plenty of frameworks that let you do just the right level of access control you are looking for. Some are even mentioned in the comments. Have a look at: Spring...

Which layer of an application should keep security logic (permissions, authorization)?

security,business-logic,n-tier-architecture

I think the answer to this question is complex and worth a bit of thought early on. Here are some guidelines. The service layer is a good place for: Is a page public or only open to registered users? Does this page require a user of a specific role? Authentication...

Is it secure to allow 127.0.0.1 access to an IP-based blocked website?

security,ip,localhost

127.0.0.1 is simply your localhost. Allowing this IP simply says that you allow this machine (and only this if 127.0.0.1 is the only IP you whitelisted) to access the Network so no, there wouldn't be any issue with allowing access to your localhost so long as that machine itself isn't...

File security System in java? [on hold]

java,file,security,encryption

So to encrypt an aspect of the file you may want to gather its bytes in an array*. That can either be done using the Files class from Java or a stream to do it manually. For now let's say you got the byte array using Files.readAllBytes(Path file); So...

How to create a custom response when spring-security receives null credentials (username and password)?

spring,security,spring-security,basic-authentication,postman

Use the standard exception of Spring Security; it will be handled by itself if you already have an exception handler to transform the messages into a JSON response. catch (Exception exception) { throw new AuthenticationCredentialsNotFoundException("Fields must not be empty", exception); } ...

Better regex for security and auditing?

php,regex,security

Both the regex in the question and the one in the answer look for variable assignment expressions; if you are only looking for the first assignment, this will complicate matters and you had better, as @mario says, use the PHP_Parser. There are a lot of weird aspects to this regex. First of all...

Is a site with html and javascript secure

javascript,html,css3,security

It will most likely be safe as far as your files, but it can still be hacked if the server exposes some kind of scripts that you're not aware of and don't have any control over, or if it runs unpatched versions of OS/Web server/etc. If another hack happens and...

What do the security implications of the default character set in mysqli_real_escape_string() mean?

php,security,mysqli

How SQL queries are parsed depends on the connection character set. If you did this query: $value = chr(0xE0) . chr(0x5C); mysql_query("SELECT '$value'"); then, if the connection character set was Latin-1, MySQL would see the invalid: SELECT 'à\' whereas if the character set were Shift-JIS, the byte sequence 0xE0,0x5C...

Protect images download theory

javascript,html5,image,security

If a picture is displayed on someone's screen, there is no way you can prevent them from saving it on their computer (even if you disable everything). Trying to obfuscate the images will only result in a loss of time and performance, and could make your website much less user-friendly....

Reverse ^ operator for decryption

c,algorithm,security,math,encryption

This is not a power operator. It is the XOR operator. The thing that you notice for the XOR operator is that x ^ k ^ k == x. That means that your encryption function is already the decryption function when called with the same key and the ciphertext instead...

Generating an MD5 Hash with a char[]

java,security,hash,md5,message-digest

NOTE: The MD5 hashing algorithm should never be used for password storage, as its hashes are easily cracked. However, I will use it for simplicity. The quick/easy/INSECURE fix would be to convert the char array to a string. However, this is insecure because strings are immutable and can't be cleared...

Securing JWT tokens in an AJAX call

security,jwt

Yes, a user may access the JWT token in his browser; this is no different from cookies. For the scenarios where a user of B authorizes your application A to access B on his behalf, there is no need to protect the JWT token from the user himself, just from...

What damage can a website do?

security,web

The main risk is encountering a drive-by download. A drive-by download isn't necessarily a file download in the usual sense, it could be a browser exploit that allows executable code to download and execute on your system (known as the payload). One example is the Microsoft Internet Explorer colspan Element...

How to secure configuration file containing database username and password

php,security

As @Darkbee stated, the simplest way is to have the file outside your website root. This would be accessible on the server, but not to the public under any circumstances. The alternative is to set the permissions to 400 on the file. .htaccess could block access, but not blocking access...