Security

Remember view state? This was the massive kludge of hidden input data in an ASP.NET web forms page which tried to create quasi-persistence between requests in what is otherwise the stateless world of HTTP. Actually saying “was” isn’t that fair as indeed web forms apps make up the vast majority of ASP.NET sites out there today, but Microsoft’s implementation of MVC tends to be viewed as the new shiny thing that many of us have gravitated towards in recent years. That said, when I created my recen...

Ever notice how in hindsight, most of the online attacks we see could have been easily prevented? Granted, we tend to have 20:20 vision when we’re looking back, but take something like the Bell telco in Canada and their SQL injection attack the other day [https://www.troyhunt.com/2014/02/heres-how-bell-was-hacked-sql-injection.html]. Guys, it’s a simple matter of validating the untrusted data and parameterising the SQL statements. We know this – we’ve (the software community) had this discussion...

How much really changes in only three short years in the world of application security? Ok, a few sites get owned and some nasty hackers come up with some new ways of making some poor developers lives a misery but that’s about the extent of it, right? Yeah, turns out it’s a lot more complex than that. The very first course I wrote for Pluralsight and the one that continues to be the most popular is the OWASP Top 10 Web Application Security Risks for ASP.NET [http://pluralsight.com/training/Cour...

Day 16: The news headlines continue. Conspiracy theories keep emerging. The FUD evolves as people take further liberties with the truth (no mate, you didn’t get done by Heartbleed, you just chose a crap password). A few days ago I caught up with Richard Campbell of RunAs Radio fame to talk about Heartbleed [http://www.runasradio.com/default.aspx?showNum=365]. You may remember Richard from such .NET Rocks episodes as talking security with Carl, Richard and Troy [https://www.troyhunt.com/2012/01/...

If I’m honest, I’ll admit to a certain degree of schadenfreude when Tesco got hacked recently [http://www.bbc.com/news/technology-26171130], I mean I did call these risks out a long time ago [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html] and they did choose to largely ignore them. What struck a bit of a nerve though was not just that they got hacked after turning a blind eye to the issues I’d found, it’s that by all accounts, they were compromised by very well-known ri...

Massive. Huge. Catastrophic. These are all headlines I’ve seen today that basically say we’re now well and truly screwed when it comes to security on the internet. Specifically though, it’s this [http://heartbleed.com/]: > The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. Every now and then in the world of security, something rather serious and broad-reaching happens and we all run around like head...

A little while back I caught up with Rob Sobers [https://twitter.com/rsobers] at Varonis [http://varonis.com] and had a good chat [http://blog.varonis.com/podcast-wi-fi-security-firesheep-pineapples-troy-hunt/] about wifi, XSS and various other bits and pieces related to security on the web today. I find chats like this are great for getting a candid sense of what’s going on in the industry; no scripting, no editing just straight talk on how we’re getting pwned online. Your browser does not s...

You know how the saying goes – if the product is free then you’re the product! This works for the likes of Facebook or Google because you get hit with targeted ads. It works for LinkedIn because they can then sell premium services that grant people access to the data they collect. Question is though, how do you become the product in an era of free wifi? The other day I noticed this for the first time in my local Woolworths supermarket down here in Australia: Free wifi makes a lot of sense i...

And now for my fourth Pluralsight instalment: more OWASP [http://pluralsight.com/training/courses/TableOfContents?courseName=web-security-owasp-top10-big-picture] ! Wait – hasn’t this been done already?! Yes and no. My first course from April last year was OWASP Top 10 Web Application Security Risks for ASP.NET [http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] and as the title suggests, it contains a heap of stuff on how OWASP applies to...

Heard of SSW’s FireBootCamp [http://firebootcamp.com/] before? It’s like those boot camps you see down at the local beaches and parks each morning, you know, the ones where a bunch of (apparently) willing participants are incessantly hammered by some drill-sergeant-like personal trainer for 30 minutes of blood, sweat and tears (I assume). But unlike this mob, the FireBootCamp folks don’t then towel off and chill for the rest of the day, instead they do this day after day, week after week for a w...