I would like to ask if it's possible for people to view code I can see in Microsoft debugger.
I'm probably just being paranoid, but can other people see my code using their debugger?
I can't see the password and login when I just enter view code, but I can in the debugger. I'm pretty sure that I'm safe, but I can't afford to make a mistake.
In this case I advise you to limit your client-side code and depend more on the server side, especially for the valued algorithms and new ideas.
PHP is a good, simple way, but if you want more security,
it is better to mix server-side code with ASP, C# or Java to have the ability of encryption, encoding, secured text strings, etc.
Obfuscation could be another good option for you if you have client-side code you don't want easily viewed by others.
On the part where you can see login credentials: I believe you'll want to look into storing passwords as Salted Hashes. There are many other ways to ensure passwords stay confidential.
These are certainly not plug and play solutions by any means and I'd highly recommend doing your own research on these topics before doing so.
Related
I am trying to create a simple C++ brute forcing program to crack small passwords, maybe like 3-4 characters long (as a science fair project), just to show people how it works; i.e. my topic is mainly about cyber security and data breach vulnerability and stuff.
So I got the brute forcing part covered, but what I want to change is that instead of asking users to enter their password within my program itself, I was wondering if it was possible to make, say, an HTML page with a login screen, and the entered password is then saved to a txt file which I can then open from my program for the brute forcing part.
What I am trying to say is that most people trying this out won't be so convinced entering passwords into an output box. They might wonder if I had just printed out the password they entered. I saw other people's programs but all they did was cin>>password and then started the brute forcing part. The user does not know if his password was cracked or the programmer just did cout<<password.
So it would help me a lot by letting me know of methods in which I can achieve this (not just with HTML; anything is fine, as long as it's not an output box).
Sorry for the long question! Just wanted to make sure I covered all the info.
Please help me!!!
P.S: I'm just a student (1 and a half years into C++ :)), so please try to keep it as simple as you can. Thanks in advance!!
I would simply print out as much internal information in the terminal/output box as possible. This way, people get a better understanding of the inner workings of your program. For example, you could print out every password that your program tried. On top of that, show your source code to the people who are also interested in that.
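An added example of the kind of demonstration the answer describes; it is not code from the original post. It assumes the login page writes the password to the file as a salted SHA-256 record (`salt_hex:digest_hex`) rather than in clear text, so the program never has the password to "just print out", and it reports progress while it searches so the audience can watch the candidates go by. The charset, length bound and sample password are assumptions for the demo.

```python
import hashlib
import itertools
import os
import string
import sys
from typing import Optional, Tuple


def make_target(password: str, salt: Optional[bytes] = None) -> str:
    """Write the password the way the login page would: 'salt_hex:sha256(salt + password)'.

    Only the salt and the digest are kept, never the password itself.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}:{digest}"


def check_guess(guess: str, record: str) -> bool:
    """Re-hash the guess with the stored salt and compare against the stored digest."""
    salt_hex, digest = record.split(":")
    return hashlib.sha256(bytes.fromhex(salt_hex) + guess.encode("utf-8")).hexdigest() == digest


def brute_force(record: str, charset: str = string.ascii_lowercase, max_len: int = 3,
                report_every: int = 500) -> Tuple[Optional[str], int]:
    """Try every string over `charset` of length 1..max_len, shortest first.

    Returns (password, attempts) on success or (None, total_attempts) when the
    whole space is exhausted.  `report_every` controls how often a candidate
    is printed (0 silences the progress output).
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guess = "".join(combo)
            attempts += 1
            if report_every and attempts % report_every == 0:
                print(f"[{attempts:>8}] trying {guess!r}")
            if check_guess(guess, record):
                print(f"[{attempts:>8}] FOUND {guess!r}")
                return guess, attempts
    print(f"[{attempts:>8}] search space exhausted, no match")
    return None, attempts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Record written by the login page, one 'salt_hex:digest_hex' line per file.
        with open(sys.argv[1]) as f:
            target = f.read().strip()
    else:
        target = make_target("abc")  # constructed demo target, not read from any file
    brute_force(target)
```

The lowercase three-character space is 18,278 candidates, so this runs in well under a second; swapping in `string.printable` or raising `max_len` by one shows the audience how quickly the count explodes, which is the actual lesson of the project.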
I am trying to validate the inputs for a comment box in order to accept only text, and to alert a message if the user entered a number (1-0) or symbol (# # $ % ^ & * + _ =), to prevent SQL injection.
Is there a way to do that in HTML?
You can never trust what comes from the client. You must always have a server side check to block something such as an SQL injection.
You can of course add the client side validation you mentioned but it's only to help users not enter junk data. Still can't trust it once it's sent to the server.
On using Javascript/HTML to improve security
is there is a way to do that in html
No. As others have pointed out, you cannot increase security by doing anything in your HTML or Javascript.
The reason is that the communication between your browser and your server is totally transparent to an attacker. Any developer is probably familiar with the "developer tools" in Firefox, Chrome etc. Even those tools, which are right there in most modern browsers, are enough to create arbitrary HTML requests (even over HTTPS).
So your server must never rely on the validity of any part of the request. Not the URL, not the GET/POST parameters, not the cookies etc.; you always have to verify it yourself, serverside.
On SQL injection
SQL injection is best avoided by making sure never to have code like this:
sql = "select xyz from abc where aaa='" + search_argument + "'" # UNSAFE
result = db.execute_statement(sql)
That is, you never want to just join strings together to form a SQL statement.
Instead, what you want to do is use bind variables, similar to this pseudo code:
request = db.prepare_statement("select xyz from abc where aaa=?")
result = request.execute_statement_with_bind(search_argument)  # the prepared statement is executed; the argument is passed as data, not as SQL text
This way, user input is never going to be parsed as SQL itself, rendering SQL injection impossible.
Of course, it is still wise to check the arguments on the client-side to improve user experience (avoid the latency of a server roundtrip); and maybe also on server-side (to avoid cryptic error messages). But these checks should not be confused with security.
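The two patterns from the answer above carried through against a real database engine, as an added example (not code from the original post). It uses Python's built-in sqlite3 module; the table name and columns follow the answer's pseudocode, and the rows and the injection payload are constructed for the demonstration.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table matching the answer's example query (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table abc (xyz text, aaa text)")
    conn.executemany("insert into abc (xyz, aaa) values (?, ?)",
                     [("alice-secret", "alice"), ("bob-secret", "bob")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, search_argument: str) -> List[str]:
    """The pattern to avoid: the user's input is spliced into the statement text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "select xyz from abc where aaa='" + search_argument + "'"  # UNSAFE
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, search_argument: str) -> List[str]:
    """Bind variable: the statement is parsed with a placeholder, and the input
    is handed to the engine as a value, so it can never change the query shape."""
    return sorted(row[0] for row in conn.execute(
        "select xyz from abc where aaa=?", (search_argument,)))


if __name__ == "__main__":
    conn = make_db()
    payload = "x' or '1'='1"           # classic tautology payload (constructed)
    print(lookup_unsafe(conn, "alice"))  # ['alice-secret']
    print(lookup_unsafe(conn, payload))  # ['alice-secret', 'bob-secret']: every row leaks
    print(lookup_safe(conn, payload))    # []: only a user literally named "x' or '1'='1" matches
    print(lookup_safe(conn, "o'brien"))  # []: a legitimate apostrophe needs no escaping either
```

The last line is the practical argument against "escape the dangerous characters on the client": the bound form handles an apostrophe in ordinary input correctly, while the concatenated form turns that same apostrophe into a syntax error, and the attacker's version into a data leak.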
Short answer: no, you can't do that in HTML. Even a form with a single check box and a submit button can be abused.
Longer answer...
While I strongly disagree that there's nothing you can do in HTML and JavaScript to enhance security, a full discussion of that goes way beyond the bounds of a post here.
But ultimately you cannot assume that any data coming from a computer system you do not control is in any way safe (indeed, in a lot of applications you should not assume that data from a machine you do control is safe).
Your primary defence against any attack is to convert the data to a known safe format for both the sending and receiving components before passing it between components of your system. Here, we are specifically talking about passing data from your server-side application logic to the database. Neither HTML nor JavaScript are involved in this exchange.
Moving out towards the client, you have a choice to make. You can validate and accept/reject content for further processing based on patterns in the data, or you can process all the data and put your trust in the lower layers handling the content correctly. Commonly, people take the first option, but this gives rise to new security problem; it becomes easy to map out the defences and find any gaps. In an ideal world that would not matter too much - the deeper defences will handle the problem, however in the real world, developers are limited by time and ability. If it comes down to a choice of where you spend your skills/time budget, then the answer should always be on making the output safer over validating input.
The question seems to be more straight forward, but i keep my answer the same as before:
Never validate information on the client side. It makes no sense, because you need to validate the same information with the same (or even better) methods on the server! Validating on the client side only generates unnecessary overhead, as the information from a client cannot be trusted. It's a waste of energy.
If you have problems with users sending many different symbols but no real messages, you should shut down your server immediately! Because this could mean that your users are trying to find a way to hack into the server to gain control!
Some strange-looking special character combinations could allow this if the server doesn't escape user input properly!
In short:
HTML is made for content display, CSS for the design of the content, JavaScript for interactivity, and other languages like Perl, PHP or Python are made for processing, delivering and validating information. These last-named languages normally run on a server. Even if you use them on a server you need to be very careful, as there are possible ways to render them useless too. (For instance, if you use global variables the wrong way or you don't escape user input properly.)
I hope this helps to get the right direction.
I'm pretty new to this so I'm not sure if this is a simple request or not but here goes:
I am working on a school website and under each program page is a list of course codes. What I'm looking for is, when I click on said course code (ex. HEL2106), to have a lightbox-type popup that displays program info about said course code. What I have is a .dat file that has all the course codes and descriptions in it, so I would like to use some sort of HTML/CSS/JS that will pop this up and display the correct info about the clicked course from the .dat file.
I'm not 100% sure on how to go about this so if anyone has any suggestions at all, that would be really helpful.
If you need any other details from me, let me know.
Thanks,
(File Info* The .dat file is pretty much just a notepad document with each course code & description in sequence)
Just to let you know, you need to search and learn about a lot of things first.
For data access on a website, you need access to a database. If you don't know about SQL (or any other query language), Query, Database, Tables, Server ... then you should start there.
To read those databases, you need to write code (ASP.NET, PHP, etc) that runs on a web server (Apache, IIS, etc).
If you want to create a website, I recommend you start working with WordPress, Joomla or another CMS (Content Management System) to familiarize yourself with a lot of things before jumping to the advanced stuff.
YouTube is a very good friend and teacher! :) Start by looking some tutorials there. Hope this will guide you to what you need.
I have no idea what your level of experience is based on your question, so I will assume you have a basic understanding of HTML, CSS and JS. If not, then I would recommend Exel Gamboa's answer.
It sounds like you're looking for something like http://fancybox.net/
Of course, it is typically used for displaying images but it could be easily modified for your purpose.
Now about your .dat file. When storing data for large websites, it's typically best to use SQL for databases. This allows you to access data and store it in an organized manner.
As a final recommendation I'd take a look at using a CMS for your website. (Wordpress, WolfCMS, perch, etc...)
Hope this helps.
Before anyone has a chance: Yes, I know it's a bad idea. Please, don't give me a lecture on how I should use a web service instead. Thanks.
So, how could this be done?
I found this bit http://www.karlkraft.com/index.php/2010/09/17/mysql-for-iphone-and-osx/ and thought it might do the trick. I got a bunch of ARC error messages, cleaned those out and got this error at runtime:
Detected an attempt to call a symbol in system libraries that is not
present on the iPhone: pthread_cond_init$UNIX2003 called from function
my_thread_init in image oms.
Do I need to use something like ODBC/C?
I know that the solution might be a lengthy one, that's fine. It would be great if someone could at least point me in the right direction.
EDIT:
Since people are keen to know the reason for opting not to use a web service, here it is:
If you're creating an in-house app, the added security of a web service is next to nothing. Working directly with the DB means I need to maintain less code. Plus I don't need to create hacky PHP scripts to get things done.
FINAL CONCLUSION:
I wanted to leave a message for people who are about to do the same thing: Don't :)
Essentially your options are hacky server-side scripts or Oracle's proprietary MySQL client that you built yourself (and thus a hacky solution as well). Your choice, but I'd strongly advise against it.
This might be the sort of thing that you are looking for:
mysql for iphone and osx
I found it on this iphonedevsdk thread access mysql remote database iphone
Personally, I would only be doing this if you really, really wanted to.
If you wanted a canned solution, I also found this: Flipper
Or to do it yourself: Build MySql client library for iPhone/iPad
It's not really that hard to find a number of solutions.
I needed the same thing (I understand your lecture-pain ;) ) so I wrote this: https://github.com/ciaranj/MySqueakQl it doesn't link to the mysql client libraries so no GPL issues, but it is a very minimal ... very 'fresh' i.e. untested implementation ... just my 2c.
I faced the same problem as you did. I searched and found this.
In http://www.acapela-for-iphone.com/ios-4-2-gm-small-problem-with-simulator
Jean-Michel Reghem Says:
"It seems that Apple changes (again) something into the simulator (as in iOS 4.0)."
Also, some people on that page say that this problem didn't show up on the device; you can try.
The author has updated his code, and it worked.
Here is the link: http://www.karlkraft.com/index.php/2011/06/07/mysql-for-iphone-and-osx-version-2-0/
We found some code being inserted into emails sent by our proprietary email system and have no idea of its provenance.
My company sends a lot of bulk email for clients. (We follow all the best practice protocols to ensure we're not spammers.) The system is proprietary, based on open source code. Customers have a GUI to enter content, similar to the big guys like MailChimp and the like.
A staff member brought a UI challenge with the GUI to me, using a client's bulk email as an example. I dug into the source to see if they had some exotic CSS that might be affecting my interface, when I noticed the following tag:
<custom name="opencounter" type="tracking"> </custom>
My interface certainly doesn't insert that code into an email.
What is opencounter? Whose technology is it? Does it have a valid reason for being used on our (proprietary) email system?
It appears that "opencounter" is a proprietary counting mechanism used by Exact Target's bulk mailing system. Apparently, the client was copy/pasting from an old campaign done on ExactTarget to move the design to our system. It is therefore safe for me to remove.
My best guess is that it is something that is auto-substituted to put some tracking information into the individual e-mails. I'd suggest doing some tests on "bulk" e-mails you've set up just to yourself. Put some known content immediately on either side of it, then send yourself this e-mail and view the source to see if it's been substituted with anything. e.g.
XXX<custom name="opencounter" type="tracking"> </custom>YYY
If the final output has XXXYYY or something, then you'll know it's a tracker in the bulk e-mailer. If it outputs as is, you can probably safely assume you can get rid of it. If it gets rid of it completely, then it may be used for some kind of processing on the server, but I'm not sure what that might be...
The other thing you can do is to do a search of your entire codebase for "opencounter" to see if there are any references to it.
One final thought: Does your customer interface allow them to put in HTML directly, or is it just a GUI? It occurs to me that if they used a previous bulk e-mailer then it might be something specific to that one that got copied over, if it's not in yours.
We had a similar situation and traced it back to a user who was utilizing a third-party WYSIWYG tool to develop code that they then pasted into our CMS. It's a harmless issue, but it points to the need to improve our tool so that others don't feel like they have to use another editor.