security

HTTP(S) request security using random headers

…衆ロ難τιáo~ submitted on 2020-01-05 14:28:24
Question: I understand that CSRF is a major security concern for HTTP(S)-based applications. From the looks of it, most frameworks send the CSRF token as part of the request body. However, in my case that is somewhat inelegant for several reasons; most importantly, I don't want to mess with the transport layer, which might send POST requests in many different formats, not all of which are necessarily JSON or x-www-form-urlencoded. As a solution, I was thinking of a much less intrusive alternative; particularly,

Prevent Cross-Site Request Forgery

不羁的心 submitted on 2020-01-05 13:11:43
Question: I understand Cross-Site Request Forgery and have found numerous blogs and articles on the web on handling it in ASP.NET MVC, but I have not found decent links or helpful solutions for dealing with CSRF attacks in ASP.NET web applications. I have run a security tool on my website, and it is reporting cross-site request forgery and showing the risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records,

htmlspecialchars - different escaping for attributes compared to everything else?

两盒软妹~` submitted on 2020-01-05 12:29:11
Question: I have been reading up on htmlspecialchars() for escaping user input and user input from the database. Before anyone says anything, yes, I am filtering on DB input as well as using prepared statements with bindings. I am only concerned about securing the output. I am confused as to when to use ENT_COMPAT, ENT_QUOTES, and ENT_NOQUOTES. I came across the following excerpt while doing my research: The second argument in the htmlspecialchars() call is ENT_COMPAT. I've used that because it's a

How can I hide my JSON requests from showing in Firebug

雨燕双飞 submitted on 2020-01-05 12:21:44
Question: How can I hide my JSON request URL from the Firebug console? It appears in full, so anyone can take it and retrieve our data to their website. Note: I am talking to a third party and I can't set restricted calling domains on it. Answer 1: In principle, you can't, and you must design your system so that you don't need to. You can try to obfuscate the request itself, but only if you control the protocol (which it sounds like you may not). But even then you're going to send all the JavaScript required to

Applet copy/paste not working after upgrading JRE 1.7

孤人 submitted on 2020-01-05 12:10:42
Question: I have an applet which loads a form. The form has text, textarea, dropdown, and checkbox controls. After upgrading to JRE 1.7 I'm not able to right-click inside my text fields to copy/paste any content. My JAR file is dually signed and security permissions are set. I have also tried the workaround of changing settings in the .java.policy file: // "standard" properies that can be read by anyone permission java.awt.AWTPermission "accessClipboard"; Interestingly enough, I can copy/paste by right-clicking inside

C# - Storing user password for comparison

孤者浪人 submitted on 2020-01-05 12:08:29
Question: I am storing users' encrypted logon passwords in a database (SQL Server). Because of an API restriction, the passwords need to be encrypted on the C# end of things, so I can't use the database's built-in encryption. What is the fastest/easiest way to encrypt these passwords so I can compare them to what the user would have typed in to a third-party service later? I am new to C# and I understand that passwords should never be in plain text, so that's why I want to make sure I have the highest

Why does the Authorization line change for every Firefox request?

断了今生、忘了曾经 submitted on 2020-01-05 12:00:21
Question: When running with Kerberos tickets, I have noticed that every Firefox request has a different Authorization line in the HTTP header. I loaded a simple page, then hit the reload button several times, and it was never the same. What causes this behavior? I would have thought that the Authorization line would stay constant for the duration of the Kerberos credentials. (Note that I got the credentials via the kinit command before firing up Firefox.) When the authentication method is Basic, then

ASP.Net Roles: Page-Level Security Question

寵の児 submitted on 2020-01-05 10:26:08
Question: We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a base Page class to check whether the user has the role corresponding to the page the user is navigating to. We can limit the menu options by the user's roles as well, but we have had problems with users navigating to pages in our system by typing them in or using old bookmarks. Obviously, we need some

WordPress viagra hack in header

ε祈祈猫儿з submitted on 2020-01-05 10:19:56
Question: I can see a hack for viagra in a hidden div in the header of my WordPress site, but I don't know where to remove it. I have looked at some of the PHP files but I can't see the code. I can see the hack on a mobile (Android) and in Firefox. See website. Answer 1: Look everywhere. If one file has been compromised, then there's no reason to suppose that your other files are all safe. Your best bet is to delete WordPress entirely, check your database thoroughly for content added by the hackers, change all your

Rate limiting an API with a special exception

泄露秘密 submitted on 2020-01-05 10:19:07
Question: I have a webapp that consumes a REST API. I'd like to share the API with the wider world, but before doing so, I need to add rate limiting to prevent abuse and high load from buggy clients. I'd like to make an exception for my own webapp so it has a higher limit. Is there a reasonable way to do this? I'm not looking for a 100% bulletproof solution, but maybe something that just makes the API a little more difficult to exploit. Bear in mind that the webapp is publicly exposed, so I can't just rely on