I’ve been writing and speaking about OWASP for long enough now that it was probably about time I contributed to the podcast so when Jim Manico [http://twitter.com/manicode] invited me to talk, it was a no-brainer! I had a good chat with Jim about a range of aspects related to ASP.NET; good stuff in the framework, not such good stuff in the framework, where I’m seeing people go wrong with .NET security and then a bit about some of the things I’m doing in terms of writing the OWASP Top 10 for .NET...

If you live in a western country and have a landline telephone with a listed phone number, chances are you’ve been “cold called” by someone on the other side of the world with an introduction that goes something like this: > “Hello, I am from the Microsoft technical support division and I am calling you because we have detected some problems with your computer. This is very important – I need you to go and turn your computer on right away…” It doesn’t matter if you have a computer, in fact i...

This ain’t my first rodeo, this ain’t the first I’ve seen this dog and pony show. I first wrote about virus call centre scammers back in October along with my recording titled Anatomy of a virus call centre scam [https://www.troyhunt.com/2011/10/anatomy-of-virus-call-centre-scam.html]. I followed up a couple of months ago with Scamming the scammers – catching the virus call-centre scammers red-handed [https://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html] which screen recor...

It already seems like a lifetime ago, but it was only last month that I was over in Seattle at the 2012 MVP Summit. While I was there, I had a short chat on video with Dave Giard [https://twitter.com/#!/DavidGiard] for his Technology and Friends blog. We predominantly spoke about ASP.NET security and in particular, cryptographic storage of credentials and transport layer security so it’s a little more focussed than many of my talks. The original post is over on Dave’s blog under Episode 207: Tr...

This is a rant; an unapologetic, no holds barred rant on why something that I hold in such high esteem – my iOS devices – could have come from the evildoers who created this spawn of Satan: iTunes. I love my Apple TV, my iPad, my iPhone, my wife loves her iPhone, heck, even our two year old loves his hand-me-down iPhone. They all rock – big time. They’re the best damn devices I’ve ever owned, without exception. But the otherwise joyous experience of ownership is continually crippled by the sear...

Fresh from the 2012 MVP summit with lots of enthusiasm and grand ideas, I thought it would be worthwhile repeating my 25 illustrated examples of Visual Studio 2010 and .NET 4 post [https://www.troyhunt.com/2009/10/25-illustrated-examples-of-visual.html] with the technologies of today (or should that be tomorrow?) albeit a few weeks later than I had planned. There are some very, very exciting new things in the pipeline which I’d like to share while they’re fresh in my mind and analogous with that...

A few weeks back there was a great document released by Verizon (yep, the big American telco) titled Verizon 2012 Data Breach Investigations Report [http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf] . This weekend at the OWASP Appsec Asia Pacifica Conference [https://www.owasp.org/index.php/AppSecAsiaPac2012], I sat in on a talk from Mark Goudie from Verizon [https://www.owasp.org/images/6/65/Mark_goudie.pdf] who helped put the whole report in...

A couple of days back I wrote about how 67% of ASP.NET websites have serious configuration related security vulnerabilities [https://www.troyhunt.com/2012/04/67-of-aspnet-websites-have-serious.html]. In the post, I drew on figures collected by ASafaWeb [https://asafaweb.com] and observed that small misconfigurations in config files could very easily disclose information that could be leveraged to exploit the application. Quite a bit of discussion ensued through the comments, via Twitter and on...

Let me pose a question: What’s the difference between these two URLs: 1. http://[mydomain]/?foo=<script> 2. http://[mydomain]/?foo=<script> Nothing, right? Let’s plug that into two different browsers and see what they think: Ok, now it’s just getting weird and this brings me to the topic of the day: Recently a friendly supporter of ASafaWeb [https://asafaweb.com] contacted me and said “Hey, how come ASafaWeb isn’t correctly identifying that my site is throwing custom errors?” Naturall...

Actually, it’s even worse than that – it’s really 67.37% – but let’s not split hairs over that right now. The point is that it’s an alarmingly high number for what amounts to very simple configuration vulnerabilities. The numbers come courtesy of ASafaWeb [http://asafaweb.com], the Automated Security Analyser for ASP.NET Websites which is a free online scanner at asafaweb.com [http://asafaweb.com]. When I built ASafaWeb, I designed it from the ground up to anonymously log scan results. The anon...