security

Using a time-based, rotating hash or string for security

南楼画角 submitted on 2019-12-30 09:35:33
Question: In a CMS app I occasionally need to open an iframe of another domain. At the moment I am setting the URL for that iframe to something very obscure, like http://domain.com/iframe/jhghjg34787386/. This works, but theoretically that iframe source URL will get saved in the user's history and could be accessed from the outside world. So, I am wondering about using a time-based approach: an ever-changing hash or string that is generated on the request side and checked on the iframe source side.

Jhipster + REST client + authentication

倾然丶 夕夏残阳落幕 submitted on 2019-12-30 09:34:08
Question: I need to understand how to authenticate a REST client (could be Paw, could be an Android app, an iOS app using AFNetworking) with jHipster and, I think, more in general with spring-boot, of which I am no expert. While I am able to obtain a token when logged in via a browser, and subsequently use this token in the following requests, I do not understand how I can authenticate in the first place using RESTful best practices. For example, in Paw.app, I can pass a Basic authentication, or Oauth2, but

User-editable HTML XSS protection (tumblr like)

别来无恙 submitted on 2019-12-30 08:33:32
Question: I want my service to have such a feature: the author can fully customize the page, but can't steal users' cookies. Tumblr had some troubles with that, but solved them successfully: http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html So I need the solution with: no moderation; full access to the HTML code of pages for user-authors, I don't want white-list filtering and a templating language (that is how it works now :( ); no opportunity to steal each other's cookies (on pages of other

Zend_Auth setCredentialTreatment

邮差的信 submitted on 2019-12-30 08:29:09
Question: I'm using Zend_Auth with setCredentialTreatment to set the hash method and salt. I see all examples doing something like this, where the salt seems to be inserted as text: ->setCredentialTreatment('SHA1(CONCAT(?,salt))') but my salt is stored in the database. I could retrieve it first and then use it in setCredentialTreatment, but is there a way I could define it directly as a field name, so setCredentialTreatment would know to get it from that field? Sort of like the way we define the field name

ASP.net MVC global Authorize filter forcing login on an AllowAnonymous action

假如想象 submitted on 2019-12-30 08:13:43
Question: Setup (using MVC 4) public class MyAuthorizeAttribute : AuthorizeAttribute { protected override bool AuthorizeCore(HttpContextBase httpContext) { var isAuthorised = base.AuthorizeCore(httpContext); if(isAuthorised) { // retrieve authentication ticket from cookie and // create custom principal and attach to // httpContext.User } return isAuthorised; } } Global.asax.cs: public static void RegisterGlobalFilters(GlobalFilterCollection filters) { filters.Add(new HandleErrorAttribute()); filters

Can someone explain ASP.NET trust levels to me?

橙三吉。 submitted on 2019-12-30 08:06:04
Question: I've heard a lot about trust levels and had people try to explain it to me, but I am still unable to give a scenario in which I would apply one trust level over another. I've read through MSDN's article, but it didn't do much for me. Can someone provide a real-world example of when you would want to use the various levels (Full, High, Medium, Low, and Minimal) and explain what kind of security risk I would be exposing myself to if I were to use the wrong one? Answer 1: This article might explain it a lot

replace classes from sun.security.* packages

*爱你&永不变心* submitted on 2019-12-30 08:05:32
Question: I'm trying to upgrade an app from JDK7 to JDK8 which uses the following classes from the sun.security.* packages: sun.security.x509.X509CertImpl sun.security.pkcs11.SunPKCS11 sun.security.util.DerOutputStream sun.security.util.DerValue sun.security.util.ObjectIdentifier sun.security.pkcs.PKCS10 sun.security.x509.X500Name sun.security.pkcs11.SunPKCS11 sun.security.pkcs11.wrapper.CK_TOKEN_INFO sun.security.pkcs.PKCS10 The usage of these classes generates warnings in all cases except for sun

Safe executing shell scripts; escaping vars before execution

隐身守侯 submitted on 2019-12-30 07:31:51
Question: Let's imagine that we have a simple PHP script that should get ssh_host, ssh_username, ssh_port from the $_GET array and try to connect to SSH using these parameters. $port = escapeshellcmd($_GET['ssh_port']); $host = escapeshellcmd($_GET['ssh_host']); $username = escapeshellcmd($_GET['ssh_username']); $answer = shell_exec("ssh -p " . $port . " " . $username . "@" . $host); Is escapeshellcmd() enough, or do I need something more tricky? Or maybe I should use escapeshellarg() in this example? Thank you.
