Security

A 411-post collection

5 minute wonders: The ASP.NET membership provider

Consider this guidance now deprecated! The membership provider stored passwords as a salted SHA1 hash which is insufficient by today's standards and easily cracked [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html]. Refer instead to ASP.NET Identity [http://www.asp.net/identity] which is a sufficiently stronger and more modern implementation.

Often times I’ll have a discussion with a softwa...

Why is Gootkit attacking my website and what can I do about it?

Last week I wrote about Gootkit’s futile attack on ASafaWeb [https://www.troyhunt.com/2011/09/gootkits-futile-attack-on-asafaweb.html] and then a funny thing happened: Suddenly my Google Analytics keyword results became very Gootkit-centric: I see this as meaning either there is a lot of interest in Gootkit at the moment or there is not a lot of information available on what it is. Or both. Interestingly though, the activity appears to have ramped up right about the time of my initial post. T...

Gootkit’s futile attack on ASafaWeb

On Saturday morning I woke up to 120 emails from ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html], not because it really likes me but because it was in pain! One thing I did very early on with the project was to implement elmah [http://code.google.com/p/elmah/] and make sure I get an email notification when anything happens that shouldn’t. It won’t stay this way (for reasons you’re about to see), but it’s a good way of keeping an eye on anything that goes wrong very...

Find my car, find your car, find everybody’s car; the Westfield’s iPhone app privacy smorgasbord

When news came through recently about the Bondi Westfield shopping centre’s new “Find my car” feature, the security and privacy implications almost jumped off the page: “Wait – so you mean all I do is enter a number plate – any number plate – and I get back all this info about other cars parked in the centre? Whoa.” If that statement sounds a bit liberal, read on and you’ll see just how much information Westfield is intentionally disclosing to the public.

Intended use

Let’s begin with how the...

Building a safer web with ASafaWeb

In case it’s not already pretty obvious by now, there are a bunch of websites out there which have some rather glaringly large vulnerabilities in them. Or at least they did have, then they were hacked in spectacular fashion and security suddenly became important to them. But of course we only hear about the big ones whilst hordes of smaller attacks go by unreported and very often, unnoticed. The thing about web app security is that it can be a complex subject. It’s pretty fair to say that it’s...

I’m sorry, but were you actually trying to remember your comical passwords?

I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables [http://xkcd.com/327/] remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world). Last week’s password strength comic [http://xkcd.com/936/] was no exception; very funny st...

OWASP Top 10 for .NET developers part 8: Failure to Restrict URL Access

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] As we begin to look at the final few entries in the Top 10, we’re getting into the less prevalent web application security risks, but in no way does that diminish the potential impact that can be had. In fact what makes this particular risk so dangerous is that not only can it be used to very, very...

The padlock icon must die

What do you think of when you see this little guy on a webpage: You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit. The problem is that it doesn’t mean anything of the kind. In fact it has absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleadi...

The science of password selection

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis [https://www.troyhunt.com/2011/06/brief-sony-password-analysis.html]. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused password...

Protecting your web apps from the tyranny of evil with OWASP

So my conference presentation on the tyranny of evil is now done and dusted at DDD Sydney [http://www.dddsydney.com]. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here [http://dl.dropbox.com/u/8529390/Protecting%20your%20web%20applications%20from%20the%20tyranny%20of%20evil.ppsx] and all the code used in the examples...