security

Azure: security between web roles

旧巷老猫 submitted on 2019-12-25 14:30:08
Question: In Azure, if you choose to use an internal endpoint (instead of an input endpoint), https is not an option; http and tcp are the only options. Does it mean an internal endpoint is 100% secure and you don't need encryption? Then it comes to another question. If I choose to use an input endpoint between the mvc application and the wcf service, is it really necessary to have https between them? Is it OK if I have 2 input endpoints for wcf, one with http on port 80, which is supposed to be used by the mvc application.

PHP Session conflicts with AJAX

本小妞迷上赌 submitted on 2019-12-25 14:23:06
Question: Code speaks a thousand words.

page.php?id=123
    <?php
    if(is_ajax()){ // function that determines whether the request is from ajax (http header stuff)
        $_SESSION['token'] = md5(rand());
    }
    //some ajax request to ajax.php?id=123
    ?>

ajax.php?id=123
    <?php
    if($_SESSION['token'] == $_GET['token']){
        echo 'Tell me this is for reall';
    }else{
        echo 'Invalid Request';
    }
    ?>

Everything works fine until the user opens page.php?id=456 on another tab; then the ajax returns 'invalid request' on page.php?id=123. How to

Would a public upload folder be a security issue?

為{幸葍}努か submitted on 2019-12-25 14:11:43
Question: On my site, users have the ability to upload a file to the server and to view all uploaded files in a directory called "public uploads", where users can view all files that have been uploaded by other users. It's the Apache directory page where it says "Index of /uploads". It's sort of a file sharing hub where people can download and share other people's files. Would there be any security issues with this? Can a user, say, upload a malicious PHP script and execute it from the

Hash and encryption in combination: Preserve security

倾然丶 夕夏残阳落幕 submitted on 2019-12-25 14:11:24
Question: I would like to protect my database of secret information with a master key or master password and encrypt the data. Only if the user enters the correct master key will the data be decrypted. Obviously, when creating the master key, I should only save it as a hash value (e.g. SHA). But then I also need a key to encrypt the data with (e.g. AES). I thought of using the master key's hash value as the key for encryption. But probably this is not safe, right? If the user enters a key, the hash

Input secure by PHP

馋奶兔 submitted on 2019-12-25 12:46:12
Question: I'm not sure how I can really make safe inputs with strings. For example I have: $id = intval($_POST['id']); $name = $_POST['name']; $sql->query("UPDATE customers SET name = " . $sql->escape_string($name) . " WHERE id = {$id}"); I'm sure that $name isn't secured enough. How can I secure it to prevent an XSS vulnerability? Kind regards, cyclone. Answer 1: XSS protection should be done on the output side, not in your storage medium (the database). The database does not know where the data is

How to disable ModSecurity: collection_store write to DBM file

安稳与你 submitted on 2019-12-25 12:41:17
Question: Receiving this ModSecurity error: ModSecurity: collection_store: Failed to write to DBM file "/tmp/default_SESSION": Invalid argument There is no Rule ID associated with this error. I know I can disable by rule id using SecRuleRemoveById xxxxxx How can I disable writing to the DBM file and/or locate the rules that are specifically causing this error? Answer 1: Collections are initialised by rules 900020 and 900021 in the OWASP CRS in the modsecurity_crs_10_setup.conf file. They are primarily used

$_SERVER['PHP_SELF'] vulnerability not “working”?

不羁岁月 submitted on 2019-12-25 11:58:16
Question: Looking at old code of a client, he's using <form action="<?php echo $_SERVER['PHP_SELF']; ?>" /> I was wondering if it was subject to XSS, but when I try: form.php"><script>alert('xss');</script> => 404 NOT FOUND from Apache form.php/"><script>alert('xss');</script> => 404 For my app I must specify that I also use ?action=specific_page in the url for its normal use. Does that mean no XSS is possible using PHP_SELF, or does that mean I'm trying it the wrong way? Answer 1: If your form is at

Physical Path for image saving. Asp.net

送分小仙女□ submitted on 2019-12-25 11:57:19
Question: I have a web project and I saved my images in physical folders on the hdd, like d:\SecretImages\Imagename. But I can't open the files when I have to. I thought that if it saves, for example, d:\SecretImages\Temp.jpg, I could open it when I have to, but I can't. Help me please, thanks. Answer 1: You cannot use file paths to show your images. The browser doesn't know where to find the images, and the server wouldn't serve them up anyway due to security concerns. You could/should use an HttpHandler to show the