Re: Securing PDF file on a Website

Subject: Re: Securing PDF file on a Website
Date: Sat, 23 Jul 2005 18:36:36 +1000
The Guide 2.0 (plug! plug!) suggests that you stream it back to the user via an action in your code, rather than using security through obscurity.

So instead of

http://www.example.com/foo.pdf

do:

http://www.example.com/viewpdf.{php,aspx,jsp}

and send in a form POST with the necessary details to detail *which* PDF they should be getting, check the authorization status, and then create the PDF on the fly using PDFlib (or similar) and shoot it to them by sending HTTP headers like Content-Type and so on.

That way:

a) there are no files to be found by any means
b) authorization is enforced
c) you can process the PDFs Just In Time, rather than generating them for everyone and hoping they will download it.


Andrew

On 23/07/2005, at 3:25 PM, echow@videotron.ca wrote:

To all:

Is there a way that I can add access to a PDF file to a website in a secure way? What I was thinking was to require user name and password to access this very confidential file. I was also thinking about requiring the use of tokens and/or certificates.

The user group for this application is pretty low tech so my challenge is to come up with something that is secure but really straightforward to use.

Any thoughts on how I would implement this would be most appreciated.

Regards,

Edmond


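The viewpdf action Andrew describes above (client POSTs which document it wants, the server checks authorization, then streams the PDF with the right headers) as an added example; this is not code from the thread, and the in-memory PDF_STORE, ACL, user names and document ids are constructed stand-ins for files kept outside the web root or generated just-in-time.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for PDFs kept outside the web root, or produced
# just-in-time by a PDF library as the reply suggests.  Keys are opaque
# document ids: the client never supplies a path or filename.
PDF_STORE = {
    "q2-board-minutes": b"%PDF-1.4\n% constructed placeholder body\n%%EOF\n",
    "hr-salary-review": b"%PDF-1.4\n% constructed placeholder body 2\n%%EOF\n",
}

# Constructed access-control list: which authenticated users may read which id.
ACL = {
    "q2-board-minutes": {"alice", "bob"},
    "hr-salary-review": {"alice"},
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


def view_pdf(session_user: Optional[str], method: str, form: Dict[str, str]) -> Response:
    """The /viewpdf action: require POST, authenticate, authorize, then stream.

    session_user is the identity the framework already established from the
    login session (None if not logged in); form is the parsed POST body.
    """
    if method != "POST":
        return Response(405, {"Allow": "POST"}, b"")
    if session_user is None:
        return Response(401, {"Content-Type": "text/plain"}, b"login required")
    doc_id = form.get("doc")
    # An unknown id and an id the caller may not read get the same answer, so
    # the action cannot be used to discover which documents exist.
    if doc_id not in PDF_STORE or session_user not in ACL.get(doc_id, set()):
        return Response(403, {"Content-Type": "text/plain"}, b"forbidden")
    pdf = PDF_STORE[doc_id]
    headers = {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'inline; filename="{doc_id}.pdf"',
        "Content-Length": str(len(pdf)),
        "Cache-Control": "no-store",  # keep confidential PDFs out of shared caches
    }
    return Response(200, headers, pdf)
```

Because the only route is the POST action and the ids are looked up in a server-side table, a direct URL to the file never exists and a guessed id fails the ACL check before any bytes are sent.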