The SSL certificate file contains the X.509 certificate (which, in turn, contains a public key used for encryption). The SSL Certificate Key File contains the private key corresponding to the public key in the certificate. In order for the webserver to encrypt and decrypt traffic, it must have both the public key (certificate) and corresponding … Read more
In general, it suffices to have just one token per session, a so called per-session token: In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires. If you … Read more
The idea is to not give hackers extra information. If you say wrong password, you’ve told a hacker that they have a correct username, and vice-versa. Although what you’ve said is true, on some sites it is possible to determine if you’ve guessed a username via other means.
Leave the password as the user entered it. You should never change silently a field put by a user, overall a password.
Kill all instances and try again. Had the same problem today and after I killed chrome it works.
I don’t think you can do that with the WCF Test Client. It’s a fairly limited and simplistic tool – works great in simple scenarios, but stops fairly quickly. If you need more features and abilities, you might want to look at SoapUI which is a SOAP/web services testing tool and works quite well – … Read more
It works perfectly if it is configured properly: <Directory /var/www/denied_directory> Order allow,deny <Files test.php> Order deny,allow </Files> </Directory>
One solution would be to open the form’s action in a frame like an iframe: <iframe style=”display:none” name=”csrf-frame”></iframe> <form method=’POST’ action=’http://vulnerablesite.com/form.php’ target=”csrf-frame” id=”csrf-form”> <input type=”hidden” name=”criticaltoggle” value=”true”> <input type=”submit” value=”submit”> </form> <script>document.getElementById(“csrf-form”).submit()</script>
Here are the character sets that Steve Gibson uses for his “Perfect Paper Password” system. They are “characters to allow” rather than “characters to avoid”, but they seem pretty reasonable for what you want: A standard set of 64 characters !#%+23456789:=?@ABCDEFGHJKLMNPRS TUVWXYZabcdefghijkmnopqrstuvwxyz A larger set of 88 characters !”#$%&'()*+,-./23456789:;<=>?@ABCDEFGHJKLMNO PRSTUVWXYZ[\]^_abcdefghijkmnopqrstuvwxyz{|}~ For pronounceable passwords, I’m not … Read more
From Ian Oxley’s Sitepoint article – Improving Web Security with the Content Security Policy, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post, <system.webServer> <httpProtocol> <customHeaders> <add name=”Content-Security-Policy” value=”default-src ‘self’;” /> </customHeaders> </httpProtocol> </system.webServer> demonstrates … Read more