No, you cannot reverse SHA-1, that is exactly why it is called a Secure Hash Algorithm. What you should definitely be doing though, is include the message that is being transmitted into the hash calculation. Otherwise a man-in-the-middle could intercept the message, and use the signature (which only contains the sender’s key and the timestamp) … Read more
1 – Reflection (as a concept) is indeed orthogonal to safety/security. There was a big emphasis in the design of java to make it a safe platform, with static typing, security manager, disciplined usage of class loader, and no way to screw pointers/memory. You can read the interview of James Gosling in Masterminds of programming, … Read more
Afraid you’re pretty much stuck using php.ini to disable most of those. However, it gets worse. eval() is technically not a function, it is a language construct, so it CANNOT be disabled using disable_functions. In order to do that, you would have to install something like Suhosin and disable it from there. A good webmaster … Read more
Within your <jre location>\lib\security\java.policy try adding: grant { permission java.security.AllPermission; }; And see if it allows you. If so, you will have to add more granular permissions. See: Java 8 Documentation for java.policy files and http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.html
Add the following to a web.config file in the folder containing the files you wish to be served only as static content: <configuration> <system.webServer> <handlers> <clear /> <add name=”StaticFile” path=”*” verb=”*” modules=”StaticFileModule,DefaultDocumentModule,DirectoryListingModule” resourceType=”Either” requireAccess=”Read” /> </handlers> <staticContent> <mimeMap fileExtension=”.*” mimeType=”application/octet-stream” /> </staticContent> </system.webServer> </configuration>
xss_clean() is extensive, and also silly. 90% of this function does nothing to prevent XSS. Such as looking for the word alert but not document.cookie. No hacker is going to use alert in their exploit, they are going to hijack the cookie with XSS or read a CSRF token to make an XHR. However running … Read more
Here’s a summary of my blog post: How to store a password on Windows? You can use the Data Protection API and its .NET implementation (ProtectedData) to encrypt the password. Here’s an example: public static string Protect(string str) { byte[] entropy = Encoding.ASCII.GetBytes(Assembly.GetExecutingAssembly().FullName); byte[] data = Encoding.ASCII.GetBytes(str); string protectedData = Convert.ToBase64String(ProtectedData.Protect(data, entropy, DataProtectionScope.CurrentUser)); return protectedData; … Read more
The short answer is both No, and It Depends. It’s almost never a good idea to store passwords in plain text, especially in a web accessible location, if for no other reason than a simple server misconfiguration or an echo in the wrong place could expose it to the world. If you MUST store a … Read more
In short: Yes. Go with the first example… The hash function can lose entropy if feed back to itself without adding the original data (I can’t seem to find a reference now, I’ll keep looking). And for the record, I am in support of hashing multiple times. A hash that takes 500 ms to generate … Read more
Personally, I store sensitive information such as database connection details in a config.ini file outside of my web folder’s root. Then in my index.php I can do: $config = parse_ini_file(‘../config.ini’); This means variables aren’t visible if your server accidentally starts outputting PHP scripts as plain text (which has happened before, infamously to Facebook); and only … Read more