Synopse


Tag - security


2012, Monday February 6

Modification of TSQLRestServerCallBack method prototype (bis)

In order to implement some RESTful Services, a callback has to be defined on the server side.

The prototype of these methods has been modified one more time, to supply a single unique parameter.
This is a CODE BREAK change and you shall refresh ALL your server-side code to match the new signature.

This unique parameter lets the signature remain untouched in your code implementation, even if the framework evolves (for instance by adding a new parameter).

Continue reading...

2011, Friday December 30

Hash collision attack

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures. The condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests, in conjunction with the predictable collision properties in the hashing functions of the underlying languages, can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to 100% CPU usage which can last up to several hours depending on the targeted application and server performance. The amplification effect is considerable and requires little bandwidth and time on the attacker side.

Source: #2011-003 multiple implementations denial-of-service via hash algorithm collision

Continue reading...

2011, Wednesday November 30

AJAX authentication

A nice framework user, named esmondb, wrote and published some JavaScript code to handle our RESTful authentication mechanism.

It seems to work well, and implements all the secure hashing and challenging.
Our authentication mechanism is much more advanced than the one used by DataSnap, which is basic HTTP authentication with the password transmitted in clear (this is the reason why DataSnap should rather be used over HTTPS, whereas mORMot can be used over plain HTTP).
The resulting JavaScript code does not seem difficult to follow, even for a non-JS expert like me.

Continue reading...

2011, Tuesday May 24

How to implement RESTful authentication

How to handle authentication in a RESTful Client-Server architecture is a matter of debate.

Commonly, in the SOA-over-HTTP world, it is achieved via:
- HTTP basic auth over HTTPS;
- Cookies and session management;
- Query authentication with additional signature parameters.

We'll have to adapt, or even better mix, those techniques to best match our framework architecture.

Each authentication scheme has its own pros and cons, depending on the purpose of your security policy and software architecture.

Continue reading...

2010, Sunday July 4

Named Pipe, Vista, Seven and Service

If you want some local communication between a service and a front-end GUI application, named pipes are a viable mechanism for it. It worked fine up to Windows XP; then came Vista, Seven, and the UAC...

Continue reading...