WPL
There are 6 entries for the tag
WPL
When I started off discussing where I would take the Security Runtime Engine with the Developer Security MVPs Raffaele Rialdi asked if there would be a way to inspect raw requests and responses. Whilst I can’t do requests, as I don’t see them until ASP.NET has parsed them I can do responses, via ASP.NET’s filter mechanisms so, despite him tagging someone else as me on Facebook I started to look at how best to do this and came up with IResponseInspector. The response inspector works slightly differently to the other inspectors – by the time it’s called there is no...
The WPL site on CodePlex now has the May CTP code only release for the Web Protection Library and a Word document introducing the new extensibility points for the Security Runtime Engine. I haven’t released binaries because it’s just a preview, it is in no way ready for production and I want to discourage you even thinking of that. So why did I make the source available? Simple – feedback. This represents a rewrite of the Security Runtime and a new way for you to easily write plug-ins for it. Rather than simply decide what’s best for our users...
(And yes, I did mean PlugIns – darned FXCop rules) After a couple of weeks of experimentation with code I think I have the plug-in model complete now. As suggested by Travis in the comments on a previous post as many parameters as possible are now using System.Web.Abstractions. Right now there are three main interfaces: /// <summary>
/// Defines methods that must be implemented for request inspection.
/// </summary>
public interface IRequestInspector : ISecurityRuntimePlugIn
{
/// <summary>
/// Inspects an HTTP request for potential problems.
/// </summary>
/// <param name="request">The...
So now our fit and finish sprint is finished (my PM, Frank, has published the results which demonstrate that, well, fit and finish is never, errr, finished) I’ve been doing some thinking and experimenting. Two things came out of the MVP summit this year, 1) we want logging which isn’t the Enterprise Library and 2) we want to write our own WPL plugins (more specifically a particular Developer Security MVP wanted to write a SQL Injection detector for MySQL). This week was scheduled to be a lazy week, as we work around planning meetings for sprint 2 so I...
Phil Haack has just blogged how to write an encoding provider for ASP.NET 4.0 which uses AntiXSS. He beat me to it – one of the reasons I’ve switched WPL to VS2010 is so I can include an assembly which does this in the next public release. Encoding providers will work for both ASP.NET 4.0 WebForms and MVC applications, but the HttpEncoder class only encodes HTML, HTML attributes, HTTP headers and URL and URL paths. If you’re using the JavaScript encoding bits you’ll still have to do that manually. The decoding functionality will be based down to the .NET framework...
Mark Curphey has obviously been whipping his team into a frenzy and a new version of CAT.NET, along with WPL and WACA have been announced. They’re all in CTP and available from Connect. WPL is the evolution of AntiXSS, which is turning into a nice basis for a web application firewall (ok, it’s a stupid marketing term I know, but with the Security Runtime Engine and the new extensibility features it will allow you to build something that sits between your app and the evil internet and protects you. That’s not an excuse for getting it right in the...