.NET

A 61-post collection

OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is e...

To the cloud! Performance testing ASafaWeb with AppHarbor & Blitz

If we can get over Microsoft’s cheesy catchphrase [http://www.microsoft.com/en-us/showcase/details.aspx?uuid=8f01d2e5-0c99-4780-9d1d-e40000179b0e] for a moment, the whole idea of “to the cloud” is actually pretty cool. It’s the promise of taking things that used to be both labour and capital intensive, commoditising them and serving them up on demand. This can very easily sound like PowerPoint presentation rhetoric so let’s move past the warm and fuzzies and actually see it in action. A couple...

5 minute wonders: From zero to hero with AppHarbor

In case you’ve been living under a rock this year, AppHarbor [https://appharbor.com/] is one of the hottest things to hit .NET since, well, just about ever. It packages up the entire app lifecycle of source control, build, deployment and hosting and makes it dead simple; in fact it couldn’t be easier. It then adds a comprehensive collection of add-ons [https://appharbor.com/addon] to do everything from persisting data (MS SQL, MySQL, MongoDB) to caching services (Memcacher) to load testing (blit...

5 minute wonders: The ASP.NET membership provider

Consider this guidance now deprecated! The membership provider stored passwords as a salted SHA1 hash, which is insufficient by today's standards and easily cracked [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html]. Refer instead to ASP.NET Identity [http://www.asp.net/identity], which is a sufficiently stronger and more modern implementation. Oftentimes I’ll have a discussion with a softwa...

Entity Framework many-to-many relationships and poorly defined keys

Here’s a new entry for the “stupid things on my part which weren’t obvious because of obscure error messages” book. Actually, the error message makes some sense in retrospect but then again, everything is always a lot clearer after the fact. The scenario in this instance relates to the following three tables in ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html]: What these guys are describing is that when a log entry of a scan is created, it may have many entr...

To route or not to route, that is the question

When I wrote about Building a safer web with ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html] earlier in the week, I talked about using the process to share some experiences. This one made me go a bit cross-eyed and it’s a combination of an idiosyncrasy within ASP.NET routing and a more philosophical question about the semantic intent of a route. The situation was that I needed to construct a URL on the ASafaWeb website which contained the address of the site to...

Building a safer web with ASafaWeb

In case it’s not already pretty obvious by now, there are a bunch of websites out there which have some rather glaringly large vulnerabilities in them. Or at least they did have, then they were hacked in spectacular fashion and security suddenly became important to them. But of course we only hear about the big ones whilst hordes of smaller attacks go by unreported and very often, unnoticed. The thing about web app security is that it can be a complex subject. It’s pretty fair to say that it’s...

Overcoming SQL 08’s globally insensitive time zones using .NET

I seem to spend a lot of time involved with web apps which end up having a lot of geographical diversity. Either they sit in a server in one country then get used by folks somewhere else or more often than not, they face audiences of a global nature spread out across varying time zones. And even if they do end up co-located, chances are it won’t always stay that way so there’s always a desire to add in a little future-proofing. When SQL 08 came along there seemed to be some new hope for making...

OWASP Top 10 for .NET developers part 8: Failure to Restrict URL Access

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] As we begin to look at the final few entries in the Top 10, we’re getting into the less prevalent web application security risks, but in no way does that diminish the potential impact that can be had. In fact what makes this particular risk so dangerous is that not only can it be used to very, very...

OWASP Top 10 for .NET developers part 7: Insecure Cryptographic Storage

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Cryptography is a fascinating component of computer systems. It’s one of those things which appears frequently (or at least should appear frequently), yet is often poorly understood and as a result, implemented badly. Take a couple of recent high profile examples in the form of Gawker and rootkit.c...