security

Isn't accessing private fields and properties due to reflection a security issue?

纵饮孤独 submitted on 2020-01-03 17:37:08
Question: I just recently found out here that it is possible (at least in C#) to look up private fields and properties via reflection. I was surprised, although I knew that somehow constructs like the DataContractSerializer class need the possibility to access them. The question now is, if anyone can access every field in my classes, this is kind of insecure, isn't it? I mean, what if someone has a private bool _isLicensed field? It could be changed easily! Later I found out here that the field

XSS without HTML tags

孤街浪徒 submitted on 2020-01-03 17:11:40
Question: Is it possible to do an XSS attack if my input does not allow < and > characters? Example: I enter <script>alert('this');</script> text. But if I delete < and > the script is not text: I enter script alert('this'); script text
Answer 1: Yes, it could still be possible. E.g., say your site injects user input into the following location: <img src="http://example.com/img.jpg" alt="USER-INPUT" /> If USER-INPUT is " ONLOAD="alert('xss'), this will render <img src="http://example.com/img.jpg" alt=""

Does Firebase Email and Password authentication have any security configuration options?

我与影子孤独终老i submitted on 2020-01-03 17:01:11
Question: While sniffing the Firebase traffic, I have seen that a code is passed to the auth server so that it always returns a 200 status code. This shows that there is some level of optional security at some level in the authentication protocol. Is there a way to cause Firebase authentication to fail with an identical error message when the user enters a non-existent email address as when they enter the wrong password? The INVALID_USER status code gives me concern about the potential for a user

Unit testing security model ClickOnce

允我心安 submitted on 2020-01-03 16:57:37
Question: I am fiddling around trying to install an application via ClickOnce with certain minimum permissions. I'd like to unit test to assert that my application does not use any additional functionality disallowed by the wanted security policy. Can I in my unit test specify that I want to use the specified manifest to regulate permissions, make calls to my library and then assert that no security exceptions are thrown? If so, how? Thanks!
Answer 1: If you want to unit test (test in isolation) you have

“security policy error” on iPhone and iPod Touch

女生的网名这么多〃 submitted on 2020-01-03 16:42:10
Question: I'm getting an "Error from Debugger: Error launching remote program: security policy error" when I try to run my app on my iPod Touch. The provisions look in order, and the app builds to my iPhone 3GS just fine. The app used to build just fine to my iPod Touch, so I'm flustered about what could have changed and wondering if anyone has any thoughts on what might be causing this issue. The build logs are below. Mon Mar 15 14:25:54 unknown com.apple.debugserver-43[449] <Warning>: Connecting to com

Is it safe to store credit card and pricing information in ViewState even over ssl?

ε祈祈猫儿з submitted on 2020-01-03 16:41:05
Question: I have a page with private properties that are storing a credit card object and a shopping cart object in ViewState so I can maintain a reference to them across postbacks. By the way, the page involved will be using SSL. Is this safe?
Answer 1: I wouldn't store sensitive information in ViewState ... ever. By doing so, you are delegating security to the implementation of the browser for protecting your customers' data. Vulnerabilities like cross-site scripting (XSS), URL-redirection attacks, and

iPhone Simulator custom CA certificate

此生再无相见时 submitted on 2020-01-03 14:23:05
Question: I'd like to test an application on the iPhone simulator which connects to a service using a certificate which is signed by our own CA. I can do this on the actual device by adding a provisioning profile which has the CA certificate. I had thought that having the CA certificate in the standard OSX keychain would work, but it doesn't. So I can access the service via Safari without warning, but I get an error when trying to run things in the simulator.
Answer 1: The crypto APIs are unavailable to the

Blocking write-access to a specific branch in a single mercurial repository

家住魔仙堡 submitted on 2020-01-03 14:20:41
Question: Is it possible to write some manner of hook in Mercurial that will reject changesets that affect a specific named branch in a repository? We have a managed project and would like to allow any developers to push their changes to our repository so long as they are in their own named branch. This allows us to manage a single buildbot and a shared sandbox in the same repository (by keeping branches separate). We'd like to block any attempts to write to the default branch from outsiders (we would,

How to secure $_SERVER['PHP_SELF']?

泪湿孤枕 submitted on 2020-01-03 14:19:43
Question: I am using this code below to control pagination. It's using $_SERVER['PHP_SELF'], so I wanted to know if it's secure this way, or what do I have to do to make $_SERVER['PHP_SELF'] secure? <?php if($rows > 10) { echo '<a id=nex href="'.$_SERVER['PHP_SELF'].'?pg='.($startrow+10).'"> Next</a>'; } $prev = $startrow - 10; if ($prev >= 0) { echo '<a id=pex href="'.$_SERVER['PHP_SELF'].'?pg='.$prev.'"> Previous</a>'; } ?>
Answer 1: To prevent XSS attacks, you should use htmlspecialchars() or filter_input()

Safe Process.Start implementation for untrusted URL strings

天大地大妈咪最大 submitted on 2020-01-03 14:01:57
Question: My goal is to safely open a web page in a user's default browser. The URL for this web page is considered "untrusted" (think of it as a link in a document opened with this software, but the document could be from anywhere and the links in it could be malicious). I want to avoid someone passing "C:\Windows\malicious_code.exe" off as a URL. My current thought is to do something like this: Uri url = new Uri(urlString, UriKind.Absolute); if( url.Scheme == Uri.UriSchemeHttp || url.Scheme == Uri