Security

A 411-post collection

ASP.NET session hijacking with Google and ELMAH

I love ELMAH [http://code.google.com/p/elmah/] – this is one of those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes. Yet, as the old adage goes, with great power comes great responsibility and if you’re not responsible with how you implement ELMAH, you’re also only a couple of mi...

Has the hash DoS patch been installed on your site? Check it right now with ASafaWeb!

Back in September last year we saw the emergence of the padding oracle vulnerability [https://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html] which suddenly got a whole lot of ASP.NET developers very nervous. The real concern with this vulnerability was that there really wasn’t much you could do at the code level beyond a couple of little tweaks – what was really needed was for patches to get installed on servers and fast. The problem back then was that, well, you couldn’...

5 website security lessons courtesy of Stratfor

Just when you start thinking we’ve seen out the last of the major security breaches for 2011, Christmas day brings us one final whopper for the year: Stratfor [http://en.wikipedia.org/wiki/Stratfor]. Much has already been said about why they might have been hacked and who might [http://www.security-ray.com/2011/12/white-hat-security-firm-stratfor-hacked.html] (or might not [http://pastebin.com/8yrwyNkt]) have done it, but the fact remains that there are now tens of thousands of customer passwo...

Free eBook: OWASP Top 10 for .NET developers

This entire series is now available as a Pluralsight course! [http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] Writing this series [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html] was an epic adventure in all senses of the word: Duration – 19 months to complete a blog series, for crying out loud! Content – approaching 50,000 words, not including all the discussion in comments. Effort – some of the posts, su...

OWASP Top 10 for .NET developers part 10: Unvalidated Redirects and Forwards

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] In the final part of this series we’ll look at the risk of an unvalidated redirect or forward. As this is the last risk in the Top 10, it’s also the lowest risk. Whilst by no means innocuous, the OWASP Risk Rating Methodology [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology] has determ...

Welcome to ASafaWeb

Websites get hacked. Lots. This year alone we’re looking at some absolute whoppers; Sony, EVE Online, Sony, pron.com, Sony, MySQL.com, did I mention Sony? Many times, the gateway to successful website exploits is simple misconfiguration. Custom errors were left off and thus leaked internal code. Or request validation was turned off which opened up an XSS flaw. These risks are often then leveraged to do other nasty stuff. The thing is, many of these are also easily remotely detectable – certain...

OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is e...

Secret iOS business; what you don’t know about your apps

In the beginning, there was the web and you accessed it through the browser and all was good. Stuff didn’t download until you clicked on something; you expected cookies to be tracking you and you always knew if HTTPS was being used. In general, the casual observer had a pretty good idea of what was going on between the client and the server. Not so in the mobile app world of today. These days, there’s this great big fat abstraction layer on top of everything that keeps you pretty well disconnect...

Open letter to First State Super re responsible security disclosure

This is an online reproduction of the letter sent to First State Super today. I was disturbed to read about First State Super’s response to the ethical disclosure of a serious vulnerability in your financial software by Patrick Webster last month. As a fellow Australian software security professional, I’m worried by the dangerous precedent that this sets. As you’d be aware by now, this incident has gained worldwide attention and as you’d also be aware, the public response hasn’t exactly been i...

Anatomy of a virus call centre scam

I just had a call from a very nice woman who appeared to be from the subcontinent and wanted to help me remove viruses from my computer. Normally I’d dispense with such callers in a pretty quick, ruthless fashion but given the nature of this one I thought it was worth recording and sharing. It all unravels and the gig is finally up at the 23 minute mark. Enjoy! TL;DR: Here are the steps they wanted followed: 1. Open the event viewer then establish there are errors and warnings (there as v...