Security Requirements for Software Development
Posted on June 6, 2008 - Filed Under programming
For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO, which does not require escaping. If the language is J2EE, documentation of the J2EE Security Manager settings should be provided. Do not use GET requests (URLs) for …
Let's examine security.
Posted on May 28, 2008 - Filed Under security
Encode all posts or user-inputted data. You'll have to sanitize user input by denying users the ability to put HTML tags and JavaScript on pages; this is called escaping. JavaScript escape(); Parse all HTML data so as to make sure code …
wiki:plugins:security - Add some material on XSS
Posted on January 1, 1970 - Filed Under programming
It is usually safer to parse the user's input to check that they are only using the permitted attributes, rather than to try to parse out the prohibited attributes. This is often referred to as "whitelisting" the permitted things in …
Hoogle 3 Security Bug
Posted on January 1, 1970 - Filed Under programming
Enhanced security is one of the many advantages that Haskell offers. It is not possible to overrun a buffer and conduct stack smashing attacks on a Haskell program. Passing query strings will not overwrite global variables, and escaping …
[XSS Info] Re: all lowercase javascript without parenthesis
Posted on January 1, 1970 - Filed Under programming
The escape() method doesn't seem to work. i tried this and it didn't work: 'e setter=eval;u setter=unescape;e=u='%61%6c%65%72%74%28%27%58%53%53%27%29'' I tried doubly escaping it and it didn't work, either: 'e setter=eval;u …
[XSS Info] Re: < and >
Posted on January 1, 1970 - Filed Under programming
You know about attribute injection, right? It occurs when a site echoes back user-supplied input into a tag's attributes. If you can escape the attribute you can attach a style tag that takes malicious action.
Firefox 2.0.0.12 Security Release
Posted on January 1, 1970 - Filed Under programming
Security researchers hong and Gregory Fleisher each reported a variant on earlier reported bugs regarding focus shifting in file input controls. Their variants used file input controls nested inside …
linux security 2
Posted on January 1, 1970 - Filed Under programming
Simply input names, and if the user exists, you will get back an RFC822 email address with the @ sign. If the user doesn't exist, you'll get back a "user unknown" error message. Although a username is not enough for access, …
Preventing a Bioagent Great Escape
Posted on January 1, 1970 - Filed Under programming
Or have input in vetting biotech R&D projects that A*Star brings in? Does it have the powers to conduct surprise mandatory inspections? If so, what has been the compliance rate? Or are researchers only subject to self-regulation …
CORE-2007-0930 Path Traversal vulnerability in VMware's shared …
Posted on January 1, 1970 - Filed Under programming
information security posture due to the implied isolation between multiple virtualized systems (referred to as Guest systems) and the non-virtualized systems controlling the virtualization hardware and software (the Host system) [1]. …