security

Is it a security risk to show a path to a file inside WEB-INF java

懵懂的女人 submitted on 2019-12-23 21:04:43
Question: Was wondering whether this would be a potential security risk. I have a Java servlet web app and at the bottom of every page, I generate a "report page problem" link which includes the original URL request as well as the path to the JSP that the request was forwarded to. The thing is the JSP pages are sometimes in the WEB-INF folder. Is this a potential security risk? As I might be showing the contents of WEB-INF? It might show that the request was forwarded to /WEB-INF/views/user/ViewUser

How to secure AJAX request in ASP.NET?

别来无恙 submitted on 2019-12-23 20:51:54
Question: I am developing an application in which I am displaying products in a grid. In the grid there is a column which has a disable/enable icon, and on click of that icon I am firing a request through AJAX to my page manageProduct.aspx for enabling/disabling that particular product. In my AJAX request I am passing productID as a parameter, so the final AJAX query is http://example.com/manageProduct.aspx?id=234 Now, if someone (professional hacker or web developer) can get this URL (which is easy

AngularJS: ui-router secured states

£可爱£侵袭症+ submitted on 2019-12-23 20:05:14
Question: I have one main controller for my app - AppCtrl - and use ui-router. How can I make secured states? $rootScope.$on('$stateChangeStart',function(event, toState, toParams, fromState, fromParams){ var authorization = toState.data.authorization; if(!Security.isAuthenticated() && authorization != false) $location.path('/login'); }); For example I want to make the books and authors states secured, and the login state not secured. .state('login', { url: '/login', templateUrl: /**/, controller: /**/, data: {

Why doesn't implementing IObjectSafety make a difference?

戏子无情 submitted on 2019-12-23 19:52:48
Question: We have an ActiveX object which implements IObjectSafety to indicate that it is safe for scripting. It installs from a trusted site, but we still get the IE complaint that the control on this page is not safe for scripting. The admins for the site that are running our ActiveX are reluctant to enable controls not marked safe for scripting even though it's the trusted zone. Our CAB and all its components are signed (we finally made the unverified publisher go away by signing every DLL that went

WCF TLS cipher suite

半腔热情 submitted on 2019-12-23 19:42:28
Question: I have a requirement to specify the cipher suite to be used for transport level security on a wsHttpBinding in WCF. I have problems finding what kind of cipher is used by default on TLS by WCF in the first place, let alone setting it. This question is due to operation in an environment where most systems are built on Java, which apparently allows for setting the cipher programmatically. Is there any way to see what cipher is used, and even better set it to a different one? Apologies for a

Secure browser-side cache in Local Storage

痴心易碎 submitted on 2019-12-23 19:25:06
Question: To make the question clear: is the proposal below considered 'secure'? (i.e. doesn't introduce any significant security risks). I haven't seen any clear reason why the following proposal would be considered completely insecure (as in, 'don't even bother', which seems to be the quick answer to anything with the words 'local storage' and 'secure' in the title). Fundamentally, it's based on the premise that: either you have access to the sensitive data in memory AND the cache, or you have access

UnauthorizedAccessException with IIS7

混江龙づ霸主 submitted on 2019-12-23 19:22:47
Question: I'm trying to write a log file from an ASP.NET application under IIS7, but keep getting the following exception: UnauthorizedAccessException "Access to the path 'C:\Users\Brady\Exports' is denied." I have given write access to the iis_iusrs, iis_wpg, and aspnet users, based on various advice found by Google, but still get the error. Can someone please explain how I can create a log file in that directory, or, will creating a log directory under the web application itself automatically allow

In hybrid app, how to confirm that only your app is accessing the server-side pages

落爺英雄遲暮 submitted on 2019-12-23 19:06:51
Question: Hybrid apps are obviously a bit new, so it's hard to find good information on this. I know that I need to allow cross origin resource sharing on my server side pages, but this clearly adds a security flaw. On a PhoneGap/Cordova app, I only have client-side control with AJAX calls to my server-side page. This means that anyone can access my PHP pages. This means that anyone can essentially mimic my app by accessing all my data like account info, etc. My question is how can I confirm that only

Server and SSL API Security

对着背影说爱祢 submitted on 2019-12-23 19:04:27
Question: Currently I'm developing a REST API; my API access is only between my server and my client's server (B2B, business to business). Example: myserverapi.com (my REST API server) and myclientserver.com (my client's server that accesses my API). *No 3rd connection/application. We are implementing an api_key (of course it's a must), and a domain name (so the client specifies the domain name from which he will access the API, so my API server will only accept from that). For myserverapi.com, how to only receive connection

Get file path from Uri from Video Chooser

邮差的信 submitted on 2019-12-23 19:01:34
Question: In my app I start an Intent to pick a video file like this: Intent intent = new Intent(Intent.ACTION_GET_CONTENT); intent.setType("video/*"); startActivityForResult(intent, kVideoPickerRequestCode); When it comes back I get the Uri like this: if(resultCode == RESULT_OK) { if (requestCode == kVideoPickerRequestCode) { Uri selectedVideoURI = data.getData(); } } This Uri seems to be fine for my VideoView. It plays back the picked video perfectly. But now I'd like to upload the video to a server