security

问题 Hi I am look for a proven java security web-library which is a bit more low-level and therefore less intrusive than the well known frameworks spring-security and apache shiro. Just something which has best-practive utility-apis for example to encode a remember-me cookie or for dighest authentication, accessing ldap. All the sutff which is so useful in the above frameworks but without needing to follow the frameworks filters and indriections an application-context or yet another ini file etc.

问题 I'm desperate : I'm using Symfony for years, and today I'm stuck on a basic stuff. As FOSUserBundle is not implemented for Sf4 yet, I decided to create a really basic User entity in DB to load user. But when I enter my username/password in the BasicAuth windows in my web browser (chrome) it's not logging me and loops over and over. Here is my security file : security: encoders: App\Entity\User: algorithm: bcrypt providers: native_provider: entity: class: App\Entity\User property: username

问题 I think I understand CSRF and how using form keys can prevent that, but this is can only be useful for POST data coming from a form, right? In my website I let logged in users delete some items by clicking on a Delete button which sends them to delete.php?id={item_id}. On delete.php I check if the item belongs to the user, if it does than the script deletes it. How can I stop some other site posting a link like www.mysite.com/delete.php?id=3. I understand that the attacker will have to guess

问题 I'm writing a PowerShell script that, every few months, a third-party app will automatically call to do the following among other things: Use [System.Web.Security.Membership]::GeneratePassword() to randomly-generate a password then use that password with Export-PfxCertificate and OpenSSL's passin . Use a static password to authenticate via COM API to a third-party system that doesn't support API keys or anything. What's the best way to do this securely? As far as I'm aware, there's nothing

问题 I have two ASP.NET pages: site.com/foo/bar.aspx that should be world accessible and site.com/foo/baz.aspx that I want to password protect. I want any un-authenticated users to see a username/password page and then, once they pass that, I want them to see the real thing. I'm looking for the simplest possible solution (this looked good till it stated asking me to move things), even at the cost of flexibility. What I'd love to see would be a control that does nothing if the user is authenticated

问题 i have a question in android documentation it is mentioned that android process can communicate using local sockets. does it mean that two applications with different user id can communicate using local sockets and by that "bypass" the sandbox? 回答1: It is indeed possible to do IPC using local sockets on Android, see LocalSocketServer and LocalSocket classes. These translate to UNIX sockets in the abstract namespace. A word of warning though: Samsung has started restricting local socket use in

问题 Nowadays I am learning about web security, XSS, etc. As XSS basically targets a client-agent (web browser) by injecting some malicious code that is executed by the web browser as it was inserted by an authenticated user. Now the question is Why can't we have a tag in html that just shows literals and prevents the execution of anything inside it? Something like: <!-- The code below will not be executed and just treated as literal content by a web browser --> <ltrl> <script type="text

问题 I am using WebMatrix and stuck at the first place while trying to create users in MySQL database. The error message is in line: var token = WebSecurity.CreateAccount(email, password, requireEmailConfirmation); Error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[UserId] FROM [UserProfile] WHERE (UPPER([Email]) = 'TE3ST@TEST.DE')' I can fully understand that the server is trying to use SQL

问题 What is most efficient method to making sure that get/post parameters won't provide any security vulnerability. I am familior of htmlentities for javascript code injection prevention and addslashes to prevent sql injection. so.. for now i'm using them both on each get/post parameter. are there any other functions i can use to prevent these vulnerabilities better or are there any other security issues that i should worry about related to my php code ? 回答1: htmlentities (or htmlspecialchars )

问题 I have a program. It accepts an input of a alphanumeric string (which I already do checks for). So a valid input would be www.example.com/myfile.php?input=John1 However, if someone were to type in www.example.com/myfile.php?input[] then it breaks my entire program's logic breaks because I don't accept input as an array. How can I unsure the thing a user enters is just a string. Not an array, or any other data types/structures? 回答1: There is the slow and tedious way of solving this problem,