Let me pose a question: What’s the difference between these two URLs: 1. http://[mydomain]/?foo=<script> 2. http://[mydomain]/?foo=<script> Nothing, right? Let’s plug that into two different browsers and see what they think: Ok, now it’s just getting weird and this brings me to the topic of the day: Recently a friendly supporter of ASafaWeb [https://asafaweb.com] contacted me and said “Hey, how come ASafaWeb isn’t correctly identifying that my site is throwing custom errors?” Naturall...

Actually, it’s even worse than that – it’s really 67.37% – but let’s not split hairs over that right now. The point is that it’s an alarmingly high number for what amounts to very simple configuration vulnerabilities. The numbers come courtesy of ASafaWeb [http://asafaweb.com], the Automated Security Analyser for ASP.NET Websites which is a free online scanner at asafaweb.com [http://asafaweb.com]. When I built ASafaWeb, I designed it from the ground up to anonymously log scan results. The anon...

Around this time last year I was talking about becoming an accidental MVP [https://www.troyhunt.com/2011/04/accidental-mvp.html]. Not this year; instead of it sneaking up on me, I – like many I know – was counting down the days. My now annual April Fool’s Day email made its way through last night: > Congratulations! We are pleased to present you with the 2012 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world e...

Do you ever get that sense that [insert culture here] seems to totally dominate everything to the total oblivion of everyone else out there? This sort of thing usually gets people a bit cranky but it turns out I’ve kind of being doing it a little bit myself with ASafaWeb [https://asafaweb.com]. You see, ASafaWeb works by looking at how a website responds to certain requests then and from those responses it draws some conclusions about how the thing is configured. For example, if ASafaWeb sees a...

[http://tv.ssw.com/] There’s an excellent home-grown Aussie free learning resource which I suspect is a bit new to a lot of developers: SSW TV [http://tv.ssw.com/]. SSW is a local Sydney development shop headed up by Adam Cogan [http://www.adamcogan.com/], a Microsoft Regional Director and ALM MVP. I offered to talk a little about web app security to their user group a couple of months back and we recorded Protecting your Web Apps from the Tyranny of Evil with OWASP [http://tv.ssw.com/1492/pr...

As many of you know by now, I’m particularly fond of AppHarbor [https://www.troyhunt.com/search/label/AppHarbor]. They continue to provide a totally awesome integrated CI and hosting environment, continue to offer a means of taking the service up for free (as well as recently adding some commercial offerings), and most importantly to this post, they still have a great selection of very cool add-ons. One of those add-ons is StillAlive [https://stillalive.com] which is awesome for two reasons: Fi...

I absolutely love coming to China. It’s a country that manages to hold onto a long, rich history whilst also moving into the future at an extraordinarily rapid pace. We also all know that China heavily censors the websites that can be accessed via the Internet. I work quite frequently with a number of people in China and I’m always conscious that there is certain material I’d like to share with them which they won’t be able to access. I’m not talking about anything politically or culturally sub...

Being awarded an MVP title and attending the annual summit is a little like getting your hands on one of these: Suddenly you feel all Charlie Bucket [http://en.wikipedia.org/wiki/Charlie_and_the_Chocolate_Factory], ready to gorge on the wonders that exist behind the doors of the mysterious Ballmer Wonka chocolate factory. Whilst an extensive amount of the information shared remains under NDA (more on that shortly), I’d like to share some insight from the program and the event which might shed...

Well this was a very nice email to receive: > Congratulations on being awarded MVP of the Year based on your contributions in 2011! It seems I must have done something(s) pretty right in my first year of MVPdom and word has it that my free OWASP Top 10 for .NET devs eBook [https://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html] tilted the voting in my favour. So for everyone who downloaded, RT’d, +1’d, liked, emailed and otherwise said nice things about my work, a heartfelt “t...

Last week I had the pleasure of catching up with fellow Aussie MVP Robert Crane [https://mvp.support.microsoft.com/profile=55EEF824-B195-49EC-A6EF-80D864CCC840] and recording an episode for his CIAOPS [http://ciaops.podbean.com] (the Computer Information Agency) “Need to Know” podcast. The podcast caters to those working in SMBs (small to medium businesses) and Robert and I have a good chat about a whole range of security considerations these folks should try to keep in mind. You can find the...