security

问题 I'm trying to mitigate XSS. How can I shield from this: j&#X41vascript:alert('test2') in the href of a link? I've tried the following, but it just assigns the literal, unresolved value of that above string as a relative path of the href, not a proper javascript: href capable of triggering code execution. I'm wondering how an attacker might be able to exploit this. I've tried the following: a = document.createElement('a'); and then both this: a.href = 'j&#X41vascript:alert('test2')'; and this:

问题 I have to create generator for web tests (using HTML and JavaScript). Test has to work offline and online. Correct answers and score evaluation must be a part of a generated test. The final user's score is then only sent to the server (evaluation cannot be done on the server and server knows nothing about questions - it only saves the final score). Is there any way to have the correct answers as a part of the test and do not allow user easily find them using Firebug? 回答1: theres no realy good

问题 I'm designing a very secure login mechanism using play framework2. Since Play does not have a notion of sessions and keep things in the cookies (which I like) I was wondering what are the security measures I need to think about. We obviously going to use SSL to communicate the login credentials and also the cookie is going to be encrypted value of some of user's information like their email or userid. Is it possible that someone can sniff that cookie or get a hold of it from another user's

问题 So, ok. I have many php files and one index.php file. All files can't work without index.php file, because I include them in index.php. For example. if somebody click Contact us the URL will become smth like index.php?id=contact and I use $_GET['id'] to include contacts.php file. But, if somebody find the file's path, for example /system/files/contacts.php I don't want that that file would be executed. So, I figured out that I can add before including any files in index.php line like this

问题 I have been looking everywhere on how I can implement Spring Security based on a Container Managed Security Model. In my test case, I am using Tomcat and it's corresponding tomcat-users.xml file. The issue is, I cannot get Spring Security to play well (meaning pass authentication over to Tomcat) to let the app server perform the Authentication and have Spring manage the role based security once someone is authenticated. I am using the latest Spring versions, so it's all Java config as I am

问题 I am using .net2.0 and IIS6. When using .net Forms Authentication: How to limit access to resources like pdf files to authenticated users only; so in order to access a file say mysite.com/mydoc.pdf they would have to be authenticated first (go through the login page) It seems that by default only the .aspx pages are protected. E.g. to include the .html, I had to follow the steps described here. EDIT Thanks guys for very quick replies, the answer by Keltex worked perfectly for me as I needed a

问题 I have an old Win32 C++ DCOM Server that I am rewriting to use C# .NET 3.5. The client applications sit on remote Windows XP machines and are also written in C++. These clients must remain unchanged, hence I must implement the interfaces on new .NET objects. This has been done, and is working successfully regarding the implementation of the interfaces, and all of the calls are correctly being made from the old clients to the new .NET objects. However, I'm having problems obtaining the

问题 I'm all in a security funk right now so I'm going through making everything as secure as possible. I got a login going and I'm referencing this: http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/ The first example is that of a login and if you say ?authorization=1 you get in. But if I wrap my code around a if($_POST) then the user MUST make a post. Can a user fake a $_POST ? How do I go about faking a $_POST ? 回答1: A user can simply create a file on their local machine with:

问题 When users create an account in my web application, I generate a GUID and use the first 8 characters as their password which is then sent via email. Is there a security risk I am overlooking in using GUIDs as passwords? I've taken a look at the questionAre GUIDs good passwords?, but that question pertains to personal passwords not random/generated passwords. Ideally, users will login and change their password if they want to. 回答1: Using GUID s as passwords is a very bad idea. GUID s are

问题 Closed . This question is opinion-based. It is not currently accepting answers. Want to improve this question? Update the question so it can be answered with facts and citations by editing this post. Closed 6 years ago . I am building a website and I have a questions with forms on login/registration page. I have a few standard javascript validations on the login page. My questions is should I just disable the login button if javascript is disabled or should I keep PHP validations on the