asp.net

There are 23 entries for the tag asp.net
.NET 4.5 now includes the core AntiXSS functions

Oh how I have wanted to sing about this for months, now it’s public … Due to the popularity of the Microsoft AntiXSS Library, ASP.NET 4.5 now incorporates core encoding routines from version 4.0 of that library. The encoding routines are implemented by the AntiXssEncoder type in the new System.Web.Security.AntiXss namespace. You can use the AntiXssEncoder type directly by calling any of the static encoding methods that are implemented in the type. However, the easiest approach for using the new anti-XSS routines is to configure an ASP.NET application to use the AntiXssEncoder by...

posted @ Wednesday, September 14, 2011 1:26 PM | Feedback (10)
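As an added example, not code from the post or from the AntiXSS library itself, here is the direct use of those static methods the entry mentions: one untrusted value encoded for each output context it lands in. The class name, method names and hostile sample inputs are this example's own; the web.config line in the comment is the documented .NET 4.5 setting for switching the whole application over to AntiXssEncoder.

```csharp
using System;
using System.Web;
using System.Web.Security.AntiXss;

// Added example: contextual output encoding with the AntiXssEncoder static
// methods that ship in System.Web.dll from .NET 4.5 (reference System.Web).
//
// To route HttpUtility.HtmlEncode, Server.HtmlEncode, <%: %> and the Web Forms
// controls through AntiXssEncoder application-wide, the documented setting is:
//   <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web,
//                Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
// The direct calls below work with or without that setting.
static class ContextualEncodingDemo
{
    // Builds a fragment that uses the same untrusted name in four places.
    // Each interpolation uses the encoder for its context; a single HtmlEncode
    // over everything would not protect the attribute, the script or the URL.
    public static string Render(string untrustedName, string untrustedReturnUrl)
    {
        // HTML body text: < > & " ' and every other character outside the
        // safe list become entities (decimal, since useNamedEntities is false).
        string body = AntiXssEncoder.HtmlEncode(untrustedName, useNamedEntities: false);

        // Attribute value: anything that could terminate the quoted attribute.
        string attribute = AntiXssEncoder.HtmlAttributeEncode(untrustedName);

        // Query string parameter: percent-encoded so it cannot break out of the URL.
        string query = AntiXssEncoder.UrlEncode(untrustedReturnUrl);

        // JavaScript string literal: AntiXssEncoder exposes no public JavaScript
        // encoder, so the framework's own (available since .NET 4.0) is used here.
        string script = HttpUtility.JavaScriptStringEncode(untrustedName);

        return
            "<p>Welcome back, " + body + "</p>\n" +
            "<input type=\"text\" name=\"displayName\" value=\"" + attribute + "\" />\n" +
            "<a href=\"/account/logout?returnUrl=" + query + "\">Log out</a>\n" +
            "<script type=\"text/javascript\">var displayName = '" + script + "';</script>\n";
    }

    // Why the AntiXss routines are stricter: HttpUtility.HtmlEncode touches
    // < > & " ' and the Latin-1 high range, AntiXssEncoder encodes everything
    // outside its safe list, so unusual Unicode is never passed through raw.
    public static bool EncodesMoreThanFramework(string input)
    {
        string framework = HttpUtility.HtmlEncode(input);
        string antiXss = AntiXssEncoder.HtmlEncode(input, useNamedEntities: false);
        return antiXss.Length > framework.Length;
    }

    static void Main()
    {
        // Constructed hostile inputs for the demonstration.
        string name = "<img src=x onerror=alert(1)>\" onmouseover=\"alert(2)";
        string url = "/home?next=\"><script>alert(3)</script>";
        Console.WriteLine(Render(name, url));
        Console.WriteLine(EncodesMoreThanFramework("\u0101bc"));
    }
}
```

The thing to take from it is that the encoder is chosen by where the value is written, not by where it came from; the application-wide encoderType switch only changes which implementation HtmlEncode resolves to, it does not pick the context for you.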

Has CitiBank scared you? Want to learn more about securing ASP.NET?

Last month I was rather pleased to welcome Troy Hunt into my little band of Developer Security MVPs. He’s been doing a bunch of blog posts on the OWASP Top 10 list for ASP.NET developers. Check them out, he’s almost finished. Technorati Tags: MVP,Security,OWASP,ASP.NET

posted @ Tuesday, June 14, 2011 10:41 AM | Feedback (0)

On the ASP.NET “POET” Vulnerability

So late Friday two security researchers presented a side channel attack on the encryption used to protect viewstate and other ASP.NET ciphertext. The attack is a padding oracle: the attacker never sees the key, but by submitting modified ciphertext and watching how the server responds to invalid padding they can decrypt protected data byte by byte and forge ciphertext the server will accept. Combined with ASP.NET's resource handlers that can be used to retrieve files such as web.config, and with it the machine key, which lets an attacker create their own signed viewstate, possibly compromising the web application. Side channel attacks work by analysing the response from the cryptosystem to infer information, in this case the different error responses produced by invalid padding. Now that the researchers have presented, their work is under investigation; MSRC have an official advisory along with further information. ScottGu has also posted more details including a work around...

posted @ Monday, September 20, 2010 6:32 AM
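To make the side channel concrete, the following is an added example (not code from the post, the advisory or the researchers' tool): a toy "server" that holds an AES key and answers only one question, whether a ciphertext decrypted to valid PKCS#7 padding, and an attacker that recovers the plaintext from that answer alone. The Server class, the method names and the sample secret are this example's own; in the real ASP.NET case the yes/no answer was the difference between HTTP error responses.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: CBC padding oracle attack against a toy server. The attacker
// side never touches the key.
static class PaddingOracleDemo
{
    const int BlockSize = 16;

    // Server side: owns the key, encrypts a value (think viewstate or an
    // encrypted ticket) and, as the side channel, answers differently when the
    // padding is wrong. Here that is a bool; in ASP.NET it was the error page.
    sealed class Server
    {
        readonly byte[] key;
        public Server(byte[] key) { this.key = key; }

        public byte[] Encrypt(byte[] plaintext, out byte[] iv)
        {
            using (var aes = Aes.Create())
            {
                aes.Key = key; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
                aes.GenerateIV();
                iv = aes.IV;
                using (var enc = aes.CreateEncryptor())
                    return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }
        }

        public bool PaddingIsValid(byte[] iv, byte[] ciphertext)
        {
            using (var aes = Aes.Create())
            {
                aes.Key = key; aes.IV = iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
                try
                {
                    using (var dec = aes.CreateDecryptor())
                        dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                    return true;
                }
                catch (CryptographicException) { return false; } // bad padding
            }
        }
    }

    // Attacker side. CBC decryption gives P[i] = D(C[i]) XOR C[i-1]. Supplying a
    // chosen "previous block" X with the target block lets us learn D(C[i]) a
    // byte at a time: the padding is valid exactly when the last byte of
    // D(C[i]) XOR X is 0x01, then 0x02 0x02, and so on.
    static byte[] RecoverBlock(Server oracle, byte[] previous, byte[] target)
    {
        var intermediate = new byte[BlockSize]; // D(target), unknown to start with
        var chosen = new byte[BlockSize];       // the fake previous block we control
        for (int pos = BlockSize - 1; pos >= 0; pos--)
        {
            byte pad = (byte)(BlockSize - pos);
            // Bytes already recovered are set so they decrypt to the pad value being probed.
            for (int j = pos + 1; j < BlockSize; j++) chosen[j] = (byte)(intermediate[j] ^ pad);

            int hit = -1;
            for (int guess = 0; guess < 256 && hit < 0; guess++)
            {
                chosen[pos] = (byte)guess;
                if (!oracle.PaddingIsValid(chosen, target)) continue;
                if (pos == BlockSize - 1)
                {
                    // Edge case: on the last byte a "valid" answer may be 0x02 0x02 (or
                    // longer) by coincidence. Disturbing the byte before it breaks such
                    // padding but leaves a genuine 0x01 intact.
                    chosen[pos - 1] ^= 0xFF;
                    bool stillValid = oracle.PaddingIsValid(chosen, target);
                    chosen[pos - 1] ^= 0xFF;
                    if (!stillValid) continue;
                }
                hit = guess;
            }
            if (hit < 0) throw new InvalidOperationException("no padding accepted; not a padding oracle?");
            intermediate[pos] = (byte)(hit ^ pad);
        }
        var plain = new byte[BlockSize];
        for (int i = 0; i < BlockSize; i++) plain[i] = (byte)(intermediate[i] ^ previous[i]);
        return plain;
    }

    // Walks every block, then strips the genuine PKCS#7 padding.
    public static byte[] Decrypt(Server oracle, byte[] iv, byte[] ciphertext)
    {
        var result = new List<byte>();
        byte[] previous = iv;
        for (int offset = 0; offset < ciphertext.Length; offset += BlockSize)
        {
            var block = new byte[BlockSize];
            Buffer.BlockCopy(ciphertext, offset, block, 0, BlockSize);
            result.AddRange(RecoverBlock(oracle, previous, block));
            previous = block;
        }
        int padLength = result[result.Count - 1];
        result.RemoveRange(result.Count - padLength, padLength);
        return result.ToArray();
    }

    static void Main()
    {
        var key = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        var server = new Server(key);

        // Constructed sample secret; a real target would be __VIEWSTATE or a forms auth ticket.
        byte[] secret = Encoding.UTF8.GetBytes("role=user;account=12345678;balance=42");
        byte[] iv;
        byte[] ciphertext = server.Encrypt(secret, out iv);

        byte[] recovered = Decrypt(server, iv, ciphertext); // recovered without the key
        Console.WriteLine(Encoding.UTF8.GetString(recovered));
    }
}
```

Each byte costs at most 256 oracle queries, so a 16-byte block falls in a few thousand requests. Run the same relation in reverse (pick the plaintext you want, solve for the previous block) and the oracle also lets you forge ciphertext, which is the half of the attack that matters for tickets and resource handler requests. That is why Microsoft's interim workaround was to make every error return one identical custom error page, so the oracle falls silent, and why the subsequent update (MS10-070) authenticates the ciphertext so tampered blocks are rejected before any padding is checked.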

Another new inspector for the SRE, ResponseInspector

When I started off discussing where I would take the Security Runtime Engine with the Developer Security MVPs, Raffaele Rialdi asked if there would be a way to inspect raw requests and responses. Whilst I can’t do requests, as I don’t see them until ASP.NET has parsed them, I can do responses via ASP.NET’s filter mechanisms. So, despite him tagging someone else as me on Facebook, I started to look at how best to do this and came up with IResponseInspector. The response inspector works slightly differently to the other inspectors – by the time it’s called there is no...

posted @ Wednesday, July 14, 2010 6:35 PM | Feedback (0)

The SRE Preview is now available on CodePlex

The WPL site on CodePlex now has the May CTP code-only release for the Web Protection Library and a Word document introducing the new extensibility points for the Security Runtime Engine. I haven’t released binaries because it’s just a preview; it is in no way ready for production and I want to discourage you from even thinking of that. So why did I make the source available? Simple – feedback. This represents a rewrite of the Security Runtime and a new way for you to easily write plug-ins for it. Rather than simply decide what’s best for our users...

posted @ Thursday, May 27, 2010 6:11 PM | Feedback (0)

The Web Protection Library, plugins and naming

So now our fit and finish sprint is finished (my PM, Frank, has published the results, which demonstrate that, well, fit and finish is never, errr, finished), I’ve been doing some thinking and experimenting. Two things came out of the MVP summit this year: 1) we want logging which isn’t the Enterprise Library and 2) we want to write our own WPL plugins (more specifically a particular Developer Security MVP wanted to write a SQL Injection detector for MySQL). This week was scheduled to be a lazy week, as we work around planning meetings for sprint 2, so I...

posted @ Wednesday, April 21, 2010 10:34 PM | Feedback (12)

Beginning ASP.NET Security is now available in the US

You can order it from Amazon and it’s in stock. Even better, because I had an American editor you’ll find a severe lack of the letter U in words and the abomination that is the Oxford Comma scattered throughout. In other news, despite the continuous hobbit comments, Alex Mackey, author of Introducing .NET 4.0 with VS2010 (Amazon US / Amazon UK), has reviewed the book and said nice things, all without payment! Technorati Tags: ASP.NET,Security

posted @ Tuesday, March 02, 2010 7:45 PM | Feedback (0)

And the book cover is …

Last year Wrox switched from having happy, smiling, chin posing authors on their book covers to, well, to random images with a bit of red. So for those of you that have pre-ordered you’ll be happy to know that you won’t have me smiling out from your book shelf. Instead you’ll get an image which encapsulates my interest in exercise and sports. Errr, well, someone’s interest in exercise and sports. Never fear though, I am on the inside … Note for Americans – this image is from a game called football by the rest of the world. The...

posted @ Monday, January 04, 2010 6:00 AM | Feedback (1)

And we’re done. Beginning ASP.NET Security

So about an hour ago the last edits to the proof went off to the proof reader, which hopefully means, after a year, it’s all done. You may be pleased to learn that, as I’ve taken so long, it will be published using the new, better quality paper and will not have my mug shot on the cover. (When discovering this my smart-assed nephew said “That’s good, people won’t judge the book by its cover”.) The final details are as follows: Beginning ASP.NET Security Wrox Press ISBN : 978-0470743652 Pages :...

posted @ Tuesday, December 15, 2009 8:02 AM | Feedback (10)

Microsoft release seven Web Application Toolkits (and a security problem)

To accompany WebsiteSpark (do MS have an internal app called SparkSpark which creates these programmes?) seven Web Application Toolkits have been released. Dinis Cruz asked on twitter if anyone had some spare time to look at them from a security perspective. I was bored, and needed a break from editing the book (that’s right folks it’s nearly done), so I thought I’d download one. I chose the FAQ toolkit (because I need to do something with the securingasp.net domain at some point). Fired up Visual Studio, took a quick look at the code. Nice surprises ...

posted @ Saturday, September 26, 2009 11:09 AM | Feedback (0)

Dublin bound – Epicenter Conference

At the end of the month I’ll be in Dublin delivering “Stop your website being stung” – a guide to the OWASP Top Ten project and how you can secure your ASP.NET site against them – at epicenter. There are a few other MVPs speaking as well, including Craig Murphy, the Black Marble boys Richard Fennell and Robert Hogg, and that damned Jon “I’m going to answer everything on StackOverflow” Skeet. Two DDD Belfast speakers are reprising their topics: Alex Mackey is giving his standing room only session on VS2010 and Andrea Magnorsky is covering the Monorail MVC package. Tickets are...

posted @ Saturday, August 15, 2009 12:05 PM | Feedback (0)

No more excuses – encrypt your web.config

Yes, I know, it’s painful. You have to run a cryptic command line tool from the .NET framework directory. You have to mess around with RSA keys and export them if you’re load balancing, or want to encrypt on one machine and use it on another. Or you could use a handy tool from Hugo Bonacci. I know, he has a goatee, so he may in fact be evil, but you pays your money and you takes your choice. Point the tool at your server, choose the section you want to encrypt and press, well, press encrypt. There’s even...

posted @ Thursday, July 16, 2009 7:12 PM | Feedback (3)
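For those who would rather script it than click a tool, the same protection is available from code through System.Configuration. The following is an added example, not the post's or Hugo Bonacci's code: it protects or unprotects a named section of a site's web.config with the RSA provider, which is exactly what aspnet_regiis -pe / -pd do. The class and method names are this example's own; it has to run on the web server, under an account that can write web.config and use the machine RSA key container.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypt a web.config section in place with the RSA
// protected configuration provider. Needs references to System.Configuration
// and System.Web. Reading the section at runtime needs no code change;
// ConfigurationManager decrypts transparently as long as the application
// pool identity can read the key container.
static class ConfigSectionProtector
{
    // aspnet_regiis's default provider; its key lives in the machine-level
    // container "NetFrameworkConfigurationKey", which is what you export
    // (aspnet_regiis -px ... -pri) and import (-pi) when the same encrypted
    // web.config has to work on every node of a load-balanced farm.
    const string Provider = "RsaProtectedConfigurationProvider";

    // Returns true if the file was changed, false if it was already encrypted.
    public static bool Protect(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = GetSection(config, sectionName);
        if (section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.ProtectSection(Provider);
        // The values did not change, only their protection, so force the write.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Returns true if the file was changed, false if it was already plain text.
    public static bool Unprotect(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = GetSection(config, sectionName);
        if (!section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    static ConfigurationSection GetSection(Configuration config, string sectionName)
    {
        // Nested sections use a path, e.g. "system.web/sessionState".
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No section '" + sectionName + "' in " + config.FilePath);
        return section;
    }

    // Usage: ConfigSectionProtector.exe /MyApp connectionStrings [decrypt]
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: <virtualPath> <sectionName> [decrypt]");
            return 2;
        }
        bool decrypt = args.Length > 2 && args[2] == "decrypt";
        bool changed = decrypt ? Unprotect(args[0], args[1]) : Protect(args[0], args[1]);
        Console.WriteLine(changed ? "web.config updated" : "no change needed");
        return 0;
    }
}
```

Two things bite people after the encryption step. First, the application pool identity needs read access to the key container or the site fails at startup with a "key not valid for use in specified state" style error; grant it with aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\YourPool". Second, encrypting connectionStrings protects the file on disk and in source control, but anything that can run code inside the application can still call ConfigurationManager and read the plaintext, so it is defence against config disclosure, not against code execution.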

Beginning ASP.NET Security is available for pre-order

Alex Mackey tweeted yesterday that his book was available for pre-order on Amazon so vanity got the best of me – so I checked and mine is available too. It grows ever more real and scary, although not as scary as the cover (which is now on its third iteration but I still can't convince them to use Oliver's alternative version) … Pre-order from Amazon UK Pre-order from Amazon US Technorati Tags: ASP.NET,Wrox,Vanity

posted @ Tuesday, April 14, 2009 12:09 PM | Feedback (4)

The book cover, second draft

I was emailed the second draft of the book cover today, which makes it scarily real. But not half as scary as what Oliver did with it. Ah the MVP community – we’re a tight bunch of nits … Technorati Tags: Wrox,Book Cover,Books,ASP.NET,Security,MVP

posted @ Tuesday, March 10, 2009 6:47 PM | Feedback (4)

When is a postback not a postback?

As part of the book I've been developing some sample code for each chapter; and for chapter 4 the code has taken far more time than the chapter itself. That chapter deals with query strings and forms and covers Cross Site Request Forgery (CSRF). CSRF is an exploit where a request is submitted from another site and your site proceeds to act upon it, because the user is already authenticated and their browser sends the authentication cookie along with the forged request. I’ve covered this in more detail previously and released AntiCSRF to CodePlex to help you protect against it. One of the things Alex and I discovered whilst going...

posted @ Monday, January 26, 2009 10:29 AM | Feedback (7)

Announcing AntiCSRF for ASP.NET

As part of the book currently under way I cover Cross Site Request Forgery, a rather fun exploit that numerous web sites have been vulnerable to. In September of this year researchers from Princeton announced the discovery of four major web sites which were susceptible, including ING Direct, a vulnerability which would allow an attacker to transfer money between accounts. CSRF works via persistent authentication. When you log on to a web site an authentication cookie is left on your machine (or if you're using HTTP Authentication your browser remembers and sends the username and password with each request). An...

posted @ Sunday, December 14, 2008 1:47 AM | Feedback (15)
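The two CSRF entries above ("When is a postback not a postback?" and this one) describe the attack; what follows is an added example of the standard defence, not the AntiCSRF library's own code. It is a synchronizer token for a Web Forms page: the attacker can make the victim's browser send the authentication cookie, but the same-origin policy stops them reading the victim's page, so a random secret carried in a hidden field is something a cross-site form cannot supply. CsrfToken, TransferPage and the field name are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;

// Added example: synchronizer token stored in session, emitted as a hidden
// field and checked on every POST. Requires a <form runat="server"> on the page.
public static class CsrfToken
{
    public const string FieldName = "__CSRFTOKEN";

    // 256 bits from the CSPRNG. Unguessable is the whole point; a counter or
    // the session ID alone would not do.
    public static string Generate()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Constant-time comparison over equal-length tokens, so response time does
    // not reveal how many leading characters of a guess were right.
    public static bool Matches(string expected, string submitted)
    {
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(submitted))
            return false;
        byte[] a = Encoding.UTF8.GetBytes(expected);
        byte[] b = Encoding.UTF8.GetBytes(submitted);
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Assumed page class showing the wiring; in practice this goes in a base page
// or an HttpModule so no form is missed.
public class TransferPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        string expected = Session[CsrfToken.FieldName] as string;
        if (expected == null)
        {
            expected = CsrfToken.Generate();
            // Storing it also pins the session: ASP.NET hands out a fresh
            // SessionID on every request until something is put in Session.
            Session[CsrfToken.FieldName] = expected;
        }

        // Check the HTTP method, not IsPostBack: a form posted from another
        // site is a POST whether or not it carries ASP.NET's postback fields.
        // A brand-new session on a POST fails the check too, which is the
        // right outcome for a request the user never initiated from this site.
        if (string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)
            && !CsrfToken.Matches(expected, Request.Form[CsrfToken.FieldName]))
        {
            throw new HttpException(403, "Anti-forgery token missing or invalid.");
        }

        // Emit the token into the server form so the next POST carries it.
        ClientScript.RegisterHiddenField(CsrfToken.FieldName, expected);
    }
}
```

The check deliberately says nothing about GET: a cross-site GET is indistinguishable from a bookmark, so the real fix for state-changing GETs is not to have any. Also note the token must never appear in a URL, or it leaks through the Referer header to exactly the sites you are defending against.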

A new version of AntiXSS

For the last couple of weeks I've been playing with the new version of Microsoft's AntiXSS package. AntiXSS provides more encoding methods and better implementations of the base HtmlEncode and UrlEncode that come with the framework. However there's something new this time around - the Security Runtime Engine. This is an HTTP module which will automatically provide encoding for your legacy apps and act as a second line of defence if you forget to encode your outputs. It was released on CodePlex last night; you can get the v3 beta, installers and source from http://www.codeplex.com/AntiXSS - it's well worth looking at, they've even...

posted @ Wednesday, December 10, 2008 11:39 AM | Feedback (0)

Look ma! I'm an author.

Well, in a few months anyway. A month or so ago I saw a tweet flit past asking for someone who has ASP.NET security knowledge; someone pointed the user my way. I assumed it was someone just asking for advice, so I sent off something along the lines of "What do you need to know?". It turns out the recipient was part of Wrox Press and he was after knowledge in the shape of a book. So after some pondering, and pointing out I thought it had been done to death, we both came up with, what...

posted @ Tuesday, September 16, 2008 6:33 PM | Feedback (9)

XSS Detect

The ACE Team at MS have thrown out a beta of XSSDetect, a static analysis tool plugin for VS2005 to, err, detect XSS vulnerabilities in your code. Interesting stuff; it’s a shame it doesn’t detect as you code or add errors at compile time, which would better enforce good practice just as FxCop does. Indeed the tool is part of a bigger internal suite: XSSDetect is a stripped down version of our enterprise ready Code Analysis Tool for .NET code bases (CAT.NET for short). CAT.NET adds such features as VSTF integration, centralized reporting using web services, customized rulesets...

posted @ Thursday, October 25, 2007 9:23 AM | Feedback (0)

Book Review : The ASP.NET 2.0 Anthology

Be honest, those banks of Wrox Press books you have, how often do you look at them? There’s a problem with most technical books: the nuggets of information you need right now are in the middle of some chapter somewhere and the words you’re looking for aren’t in the index. A while back Phil, Jon, Jeff et al blogged about writing a book, and in Phil’s great book giveaway I snagged a copy (I’m not feeling that guilty about shipping; I did send him some "cute" baby stuff when Phil 2.0 arrived). When the parcel arrived I pulled it...

posted @ Tuesday, October 23, 2007 7:34 PM | Feedback (1)

asp.net validators for ajax, finally, sort of, maybe.

During the betas of Atlas Microsoft provided an update for the asp.net validators which allowed them to work in update panels; at release time these vanished, much to the consternation of most people. ScottGu ("All hail ScottGu") promised a patch to ASP.NET would be forthcoming, and in the mean time Microsoft published source for sample validators. Six months later, and still no sign of the patch on Windows Update, but it has appeared as a hotfix on Microsoft Connect (not that the Knowledge Base article linked to on the download page, or the extra KB article linked to in the readme inside the...

posted @ Wednesday, June 27, 2007 9:21 AM | Feedback (5)

Irish Microsoft Technology Conference

A while back the call went out for .NET speakers who would come to Ireland, and now the Irish Microsoft Technology Conference has finally been announced by Claire Dillon. Yes, I am speaking, giving my "Hacking Web Sites for Fun & Profit" talk (which doesn't appear to be as trendy as all the other topics, but Dominick Baier beat me to a CardSpace presentation!). I'm not sure this counts as an international engagement for me as I was born north of the border, but it does give me a birthday cake, as my birthday is the day after and...

posted @ Friday, May 18, 2007 10:30 PM | Feedback (2)

Scottish Developers Security Day

Last Thursday saw Chris Seary and myself presenting at the Microsoft offices in sunny (yes, really) Edinburgh for the Scottish Developers Group. Thanks must go to Craig and John for organising. I presented an updated (trendy white on black) "Hacking Websites for Fun & Profit", "Securing ASP.NET Websites and Applications" and "An Introduction to Windows CardSpace". An audience member (sorry, I didn't catch your name) asked me to put together some resource links on SQL Injection, XSS and so on. Probably the best breakdown of SQL Injection is Chris Anley's PDF, "Advanced SQL Injection In SQL Server Applications". The XSS FAQ is...

posted @ Monday, April 16, 2007 7:09 PM | Feedback (0)