security

Random number generator security: BCryptGenRandom vs RNGCryptoServiceProvider

泄露秘密 submitted on 2019-12-24 00:36:22
Question: For those in a hurry, this is NOT related to the controversial Dual_EC_DRBG planted inside NIST's SP800-90A. About the two RNGs: The Microsoft BCRYPT layer based one is over their C API. BCryptGenRandom is following NIST SP800-90A's CTR_DRBG (i.e. uses an approved block cipher, AES, to create random bits). However it is unclear if it uses a hardware random source as seed (or part of the seed)... The Microsoft .NET RNGCryptoServiceProvider is C# based. Looking at the .NET source code (or here)

Can a malicious user on a web application manipulate the inputs (beside the form data) that is sent by the front-end of web application?

心不动则不痛 submitted on 2019-12-24 00:33:18
Question: Are there any possible ways by which a malicious user on a web application can manipulate the input that is sent by the front-end of the web application (not talking about the FORM DATA, of course) but the requests that are sent, like e.g. when I allow him to edit his profile or his content, he may manipulate the IDs (userId or the contentId) so that he may maliciously do evil with other users' content? These inputs are fixed on a webpage & are not editable, but still can the users manipulate

In modern browsers, is there any security limitation for JavaScript bookmarklets?

大城市里の小女人 submitted on 2019-12-24 00:29:22
Question: I read an article about bookmarklets which says that bookmarklets are so powerful they can be dangerous. For example, a malicious bookmarklet can collect your "cookies", "localStorage", the string in the password input box and then send it to a remote server, which is similar to "script injection". I'm curious about that. Since this article was written in 2007 (8 years ago), is there any limitation for bookmarklets (as well as browser plugins) to improve the security in modern browsers? Answer 1:

Python code for security analysis using Bandit

怎甘沉沦 submitted on 2019-12-24 00:27:03
Question: I would like to get Python code for an analysis using the Bandit static analyzer. The main emphasis is security, for Python 2.7. Can anyone help? Thx. Answer 1: You don't need to write code to test your software using the Bandit static analyzer tool. All you need to do (in the most basic scenario) is: Install Bandit with pip3 install bandit (Python3) or pip install bandit (Python2). Navigate to your project in the terminal, e.g. cd /home/user/projects/abc/. Run Bandit on your source code with bandit -r .

Get Logged In User

强颜欢笑 submitted on 2019-12-24 00:26:30
Question: My company has a large application we are finishing up. It utilizes WCF as the backbone with Active Directory for authentication. This works perfectly for one of the two sites as the authentication model is Windows and you have to be part of the domain to sign into the site. The question I have relates to the other site which is externally accessible. It sets ClientCredentials.Windows.ClientCredential for the proxy call with a specific user/pass for impersonation of an AD user so the full

Create a page without placing .php at the end?

北慕城南 submitted on 2019-12-24 00:19:20
Question: I was looking for ways to mimic something I've seen, however I'm really not even sure where to start or how to search for it. Let's say my page was: foo.com/ and my index page could take an argument of: index.php?id=5 What I'm wanting to do is create the following: foo.com/5/ rather than placing index.php?id=5, just use the web string to pass in the parameters, to hide not only the fact it's a PHP page, but to clean up the URL a bit more. Is this possible? Cheers Answer 1: You'll want to look into URL

Java applet java.security.AccessControlException

北城余情 submitted on 2019-12-24 00:18:37
Question: I'm working on a Java applet that prints a file. The applet is "self-signed". The print function is: //argFilePath : path to file (http://localhost/Teste/pdf1.pdf) //argPrintService : something like PrintServiceLookup.lookupDefaultPrintService() private int print(String argFilePath, PrintService argPrintService){ try { DocPrintJob printJob = argPrintService.createPrintJob(); Doc doc; DocAttributeSet docAttrSet = new HashDocAttributeSet(); PrintRequestAttributeSet printReqAttr = new

Security Cost of Middlebox Traversal

早过忘川 submitted on 2019-12-24 00:17:11
Question: I want to calculate the security cost of middlebox traversal when a VM migrates from one physical server to another. Middleboxes can be firewalls or IPS/IDS containing rules checking the VMs traversing them. Now imagine the most simple scenario where the only problem is to find the cost of checking the VM against middlebox rules (this is what I call the security cost), and according to this cost finding the optimum path. However there are already some protocols out there such as BGP or OSPF, but

Using C# as my DSL — is this possible, if so, how?

对着背影说爱祢 submitted on 2019-12-24 00:14:59
Question: Is it possible to use C# as a DSL in which the C# source code is edited by the end user in a TextBox, compiled while the application is running, then called by the already-running application? I ask because in the next few months I will be needing to implement a simple math-crunching DSL (similar to something Rachel Lim blogged about at http://rachel53461.wordpress.com/2011/08/20/the-math-converter/ I am focused on the math-processing aspect of her code, not the XAML/Converter aspect). I would

jsf security-constraint to protect link when the user is not signed in?

非 Y 不嫁゛ submitted on 2019-12-24 00:07:08
Question: I have a JSF2 (GlassFish 3.0) application with security constraints defined (example below). My problem is, I have a "sign up" link that should not be accessible when the user is logged in. That is, if they try to hit "/signup.jsf" they should be able to access it if they are logged; so if they have any roles, they should not be able to see the page. Is there a way to do an "inverse" security constraint like that? Any suggestions are welcome, thanks! Rob Example constraint from my app, in