Did you know that every time you submit a Web Forms page it sends a hash-based message authentication code with it so that the website can ensure the View State hasn’t been tampered with? Or that every time you use the MVC Razor syntax to emit anything to the page it HTML encodes it? Unless, of course, you’re using the Html.Raw helper – oh and that none of that does you any good in the JavaScript and CSS contexts or the HTML attribute context? Were you aware that ASP.NET limits the size of the...

I thought I’d seen it all when it comes to cold call virus scammers, you know, the guys who call you up from “Windows” because they’ve had reports of viruses from your machine? I’ve recorded their audio [https://www.troyhunt.com/2011/10/anatomy-of-virus-call-centre-scam.html], recorded their video [https://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html], antagonised them [https://www.troyhunt.com/2012/04/type-www-ok-w-w-w-d-o-t-antagonising.html], interviewed one of the blo...

Well we almost made it through the first day of the new year without a major data breach; it got to about mid-afternoon my time then wammo! The 2014 breach count was off and racing. If I’m honest, I actually spent some procrastinating over whether this could really be considered a breach and indeed if the data was even of any functional value to an attacker. I came to the conclusion that it is and, well, it is. Let me explain the thinking and why I’ve made it searchable via Have I been pwned? [...

I noticed an odd trend when reviewing the ELMAH [https://code.google.com/p/elmah/] logs in Have I been pwned? [https://www.haveibeenpwned.com/] recently. I was seeing a lot of 404 “Page not found” errors for paths like this: /gen204?client=te-lib-alt&trans=confSum=982,numLowConf=0,numPhrases=1,cB15=1,cB19=1 /gen204?client=te-lib-alt&trans=confSum=4726,numLowConf=0,numPhrases=5,cB15=1,cB19=4 /gen204?client=te-lib-alt&trans=confSum=2000,numLowConf=0,numPhrases=2,cB20=2 Uh, ok, this doesn’t look...

Just under three weeks ago now, I launched Have I been pwned? [https://www.troyhunt.com/2013/12/introducing-have-i-been-pwned.html] which could tell you if you owned one of 154 million email addresses that had been caught up in recent data breaches. Subsequently, the site turned out to be wildly popular [https://www.troyhunt.com/2013/12/introducing-have-i-been-pwned.html] and as with such things, a lot of good ideas came up in terms of features people would like to see. Without doubt, the numbe...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]I had a little problem last week. I built a very small website [http://haveibeenpwned.com] – really just a one pager with a single API – whacked it up on an Azure website and then promptly had a quarter of a million people visit it in three days. Uh, bugger? Ok, what’s behind the...

This is one of those “I’m writing this because it will be useful for someone else when they really need it” posts. The other day, Google Analytics stopped logging traffic to “Have I been pwned?”: The thing had launched with a bang and everything was awesome then… nothing. Heaps of data for Dec 5 (the first full launch day) through 7 then absolutely nothing for the 8th and the day I took the image on the 9th. Odd thing was, I’d just seen the stats during the day on the 8th and when looking at...

I got a lot of requests after launching HIBP for an API and I saw some great ideas come up in terms of how it might be used for very constructive purposes. Truth be told, there was an API from day one insofar as this was precisely what the web UI was hitting every time you searched for an email address anyway, I just hadn’t published any docs on it or promoted its existence. That said, I did give it a bit of tweaking to make it more “RESTful” (this, apparently, is what all APIs must be these da...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]I’m one of these people that must learn by doing. Yes, I’m sure all those demos look very flashy and the code appears awesome, but unless I can do it myself then I have trouble really buying into it. And I really want to buy into Azure because frankly, it’s freakin’ awesome. This...

I often write up analyses of the passwords disclosed in website breaches. For example, there was A brief Sony password analysis [https://www.troyhunt.com/2011/06/brief-sony-password-analysis.html] back in mid-2011 and then our local Aussie ABC earlier this year where I talked about Lousy ABC cryptography cracked in seconds as Aussie passwords are exposed [https://www.troyhunt.com/2013/02/lousy-abc-cryptography-cracked-in.html]. I wrote a number of other pieces looking specifically at the nature...