asp.net
There are 16 entries for the tag asp.net
Last year Wrox switched from having happy, smiling, chin posing authors on their book covers to, well, to random images with a bit of red. So for those of you that have pre-ordered you’ll be happy to know that you won’t have me smiling out from your book shelf. Instead you’ll get an image which encapsulates my interest in exercise and sports. Errr, well, someone’s interest in exercise and sports. Never fear though, I am on the inside … Note for Americans – this image is from a game called football by the rest of the world. The...
So about an hour ago the last edits to the proof went off to the proof reader, which hopefully means, after a year, it’s all done. You may be pleased to learn that, as I’ve taken so long, it will be published using the new, better quality paper and will not have my mug shot on the cover. (When discovering this my smart assed nephew said “That’s good, people won’t judge the book by its cover”.) The final details are as follows: Beginning ASP.NET Security Wrox Press ISBN : 978-0470743652 Pages :...
To accompany WebsiteSpark (do MS have an internal app called SparkSpark which creates these programmes?) seven Web Application Toolkits have been released. Dinis Cruz asked on twitter if anyone had some spare time to look at them from a security perspective. I was bored, and needed a break from editing the book (that’s right folks it’s nearly done), so I thought I’d download one. I chose the FAQ toolkit (because I need to do something with the securingasp.net domain at some point). Fired up Visual Studio, took a quick look at the code. Nice surprises ...
At the end of the month I’ll be in Dublin delivering “Stop your website being stung” – a guide to the OWASP Top Ten project and how you can secure your ASP.NET site against them at epicenter. There’s a few other MVPs speaking as well including Craig Murphy, the Black Marble boys Richard Fennell and Robert Hogg and that damned Jon “I’m going to answer everything on StackOverflow” Skeet. Two DDD Belfast speakers are reprising their topics, Alex Mackay is giving his standing room only session on VS2010 and Andrea Magnorsky is covering the Monorail MVC package. Tickets are...
Yes, I know, it’s painful. You have to run a cryptic command line tool from the .NET framework directory. You have to mess around with RSA keys and export them if you’re load balancing, or want to encrypt on one machine and use it on another. Or you could use a handy tool from Hugo Bonacci. I know, he has a goatee, so he may in fact be evil, but you pays your money and you takes your choice. Point the tool at your server, choose the section you want to encrypt and press, well, press encrypt. There’s even...
Alex Mackey tweeted yesterday that his book was available for pre-order on Amazon so vanity got the best of me – so I checked and mine is available too. It grows ever more real and scary, although not as scary as the cover (which is now on its third iteration but I still can't convince them to use Oliver's alternative version) … Pre-order from Amazon UK Pre-order from Amazon US Technorati Tags: ASP.NET,Wrox,Vanity
I was emailed the second draft of the book cover today, which makes it scarily real. But not half as scary as what Oliver did with it. Ah the MVP community – we’re a tight bunch of nits … Technorati Tags: Wrox,Book Cover,Books,ASP.NET,Security,MVP
As part of the book I've been developing some sample code for each chapter; and for chapter 4 the code has taken far more time than the chapter itself. That chapter deals with query strings and forms and covers Cross Site Request Forgery (CSRF). CSRF is an exploit where a form request comes from another site and your site proceeds to act upon it because a user is already authenticated. I’ve covered this in more detail previously and released AntiCSRF to codeplex to help you protect against it. One of the things Alex and I discovered whilst going...
As part of the book currently under way I cover Cross Site Request Forgery, a rather fun exploit that numerous web sites have been vulnerable to. In September of this year researchers from Princeton announced the discovery of four major web sites which were susceptible, including ING Direct, a vulnerability which would allow an attacker to transfer money between accounts. CSRF works via persistent authentication. When you logon to a web site an authentication cookie is left on your machine (or if you're using HTTP Authentication your browser remembers and sends the username and password with each request). An...
For the last couple of weeks I've been playing with the new version of Microsoft's AntiXSS package. AntiXSS provides more encoding methods and better implementations of the base HtmlEncode and UrlEncode that come with the framework.
However there's something new this time around - the Security Runtime Engine. This is an HTTP module which will automatically provide encoding for your legacy apps and act as a second line of defence if you forget to encode your outputs.
It was released on codeplex last night; you can get v3 beta, installers and source from http://www.codeplex.com/AntiXSS - it's well worth looking at, they've even...
Well; in a few months anyway. A month or so ago I saw a tweet flit past asking for someone who has ASP.NET security knowledge; someone pointed the user my way. I assumed it was someone just asking for advice, so I sent off something along the lines of "What do you need to know?". It turns out the recipient was part of Wrox Press and he was after knowledge, in the shape of a book. So after some pondering and pointing out I thought it had been done to death we both came up with, what...
The ACE Team at MS have thrown out a beta of XSSDetect, a static analysis tool plugin for VS2005 to, err, detect XSS vulnerabilities in your code. Interesting stuff; it’s a shame it doesn’t detect as you code or add errors into your compile time; which would better enforce good practice just as FXCop does; indeed the tool is part of a bigger internal suite; XSSDetect is a stripped down version of our enterprise ready Code Analysis Tool for .NET code bases (CAT.NET for short). CAT.NET adds such features as VSTF integration, centralized reporting using web services, customized rulesets...
Be honest, those banks of Wrox Press books you have: how often do you look at them? There’s a problem with most technical books, the nuggets of information you need right now are in the middle of some chapter somewhere and the words you’re looking for aren’t in the index. A while back Phil, Jon, Jeff et al blogged about writing a book and in Phil’s great book giveaway I snagged a copy (I’m not feeling that guilty about shipping; I did send him some "cute" baby stuff when Phil 2.0 arrived). When the parcel arrived I pulled it...
During the betas of Atlas Microsoft provided an update for the asp.net validators which allowed them to work in update panels; at release time these vanished, much to the consternation of most people. ScottGu ("All hail ScottGu") promised a patch to ASP.NET would be forthcoming, and in the meantime Microsoft published source for sample validators. 6 months later, and still no sign of the patch on WindowsUpdate, but it has appeared as a hotfix on Microsoft Connect (not that the Knowledge Base article linked to on the download page, or the extra KB article linked to in the readme inside the...
A while back the call went out for .NET speakers who would come to Ireland; and now the Irish Microsoft Technology Conference has finally been announced by Claire Dillon. Yes, I am speaking, giving my "Hacking Web Sites for Fun & Profit" talk (which doesn't appear to be as trendy as all the other topics, but Dominick Baier beat me to a CardSpace presentation!). I'm not sure this counts as an international engagement for me as I was born north of the border, but it does give me a birthday cake, as my birthday is the day after and...
Last Thursday saw Chris Seary and myself presenting at the Microsoft offices in sunny (yes, really) Edinburgh for the Scottish Developers Group. Thanks must go to Craig and John for organising. I presented an updated (trendy white on black) "Hacking Websites for Fun & Profit", "Securing ASP.NET Websites and Applications" and "An Introduction to Windows CardSpace". An audience member (sorry, I didn't catch your name) asked me to put together some resource links on SQL Injection, XSS and so on. Probably the best breakdown of SQL Injection is Chris Anley's PDF, "Advanced SQL Injection In SQL Server Applications". The XSS FAQ is...