How To Hack WCF – New Technology, Old Hacking Tricks

Thursday, March 1, 2007

First off I'd like to thank Guy for his excellent screencast - very convenient, so thanks. Specifically I liked the introductory screencast for WCF, which can be found here: http://blogs.microsoft.co.il/blogs/bursteg/pages/WCF-Introduction-Demo-_2800_ScreenCast_2900_.aspx It is dubbed in Hebrew, but the screens flip in such a logical way that someone who does not understand Hebrew will be fine - go for it - highly recommended for WCF newbies like me. My interest was to understand the pipeline that the WCF Message goes through before it is put on the transport. The idea was to inject some custom modules (Inspectors) into the pipeline. Why? Is not it...
No comments

Performance Gain – Security Risk

Friday, February 23, 2007

Consider the following ASPX page: Here is why it cannot be accessed: When trying to navigate there you get: Great, love URL authorization!! Now let's examine another ASPX page: When navigating to this page you surprisingly get this: The reason is that when using Server.Transfer the request to the second page does not go through the whole ASP.NET pipeline, which includes the URL Authorization module. The security part is here: http://msdn2.microsoft.com/en-us/library/ms998375.aspx The performance part is here: http://msdn2.microsoft.com/en-us/library/ms998549.aspx Performance and security have never been good friends - fortunately...
2 comments
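As an added defender-side example (not code from the original post), one way to re-apply the web.config URL authorization rules explicitly before a Server.Transfer, using UrlAuthorizationModule.CheckUrlAccessForPrincipal from System.Web.Security; the protected page path is a hypothetical placeholder:

```csharp
// Added example, not code from the original post. Assumes an ASP.NET Web Forms
// page (System.Web) and a hypothetical protected target "~/Admin/Report.aspx".
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class TransferPage : Page
{
    // Hypothetical target protected by a <location> URL authorization rule in web.config.
    private const string ProtectedPage = "~/Admin/Report.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Server.Transfer re-executes the target inside the current request, so
        // UrlAuthorizationModule never evaluates a request for ProtectedPage.
        // Evaluate the same web.config rules here before transferring.
        IPrincipal user = Context.User;
        if (!UrlAuthorizationModule.CheckUrlAccessForPrincipal(ProtectedPage, user, "GET"))
        {
            // Mirror what the module would do for a direct request: deny and stop.
            Response.StatusCode = 401;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        Server.Transfer(ProtectedPage);
    }
}
```

Response.Redirect, by contrast, issues a new request that passes through the full pipeline, so it does not need this extra check.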

Web Service Input Validation

Thursday, February 22, 2007

I blogged on the importance of input validation some time ago: App Architecture with Security in mind - Video, Part I. Web Services are no different from ASPX - they accept parameters and process them. So the strategy for input validation should be the same as with ASPX - each and every input parameter MUST be checked for goodness (no black list allowed!). The only difference from ASPX is that there are no validation controls for ASMX, so the simplest way would be as follows (from http://msdn2.microsoft.com/en-us/library/ms998375.aspx#pagquestionlist0001_input1):

    public decimal RetrieveAccountBalance(string accountId)
    {
        if (!Regex.IsMatch(accountId, @"^{1,40}$"))
        {
            // AccountID does not match expression
            // do not process request
        }
    ...
1 comment

IIS Webcasts – Coolest Video Resource

Monday, February 12, 2007

From http://www.iis.net/default.aspx?tabid=2&subtabid=24 - IIS Webcast Series: Upcoming Webcasts | IIS7 | Security | Performance | Management | Diagnostics | Deployment | Microsoft.com Series. No comments needed here - JUST GO THERE AND ENJOY WHILE SIPPING A GLASS OF <<substitute here with your drink of choice>>
No comments

SOA, Strong Authentication, Standard Authorization – Cool Solution

Monday, January 29, 2007

I've previously blogged about SOA Security Inside Enterprise Walls. This time I had a couple of pretty interesting requirements from one customer that targeted a B2B/Partners scenario. They had a web site that communicates with a partner's web services. His concerns were sincere and pretty fair: I want to manage the creds that I use to authenticate with the partner's web service in a secure way. I want to pass them over the wire in a secure, standard way. The partner won't make any major changes to his authorization schema inside the web service. The authorization schema must be easy to manage and standard. Without...
3 comments

What Is The Difference Between Environment.UserName and WindowsIdentity.GetCurrent().Name?

Tuesday, January 2, 2007

I was doing a security code review for a WinForms app, and the code was trying to get the current user for use in security decision logic. The code that was used looked like this:

    string userName = Environment.UserName

After that line the userName variable would hold the current user's name - perfect... Not really. Consider the following code:

    lblWindowsIdentity.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
    lblEnvironement.Text = Environment.UserName;

This would produce the following result: the first one gives me the fully qualified name of the logged-on user including her domain name, and the second one only the logon name. Now, if I base my code only on...
No comments

Handling Unhandled Exceptions

In ASP.NET we have our beloved global.asax with its Application_Error to trap all the unhandled errors. This is what might happen to you if you decided not to write a global error handler. For non-ASP.NET apps the following code might be useful (from http://msdn.microsoft.com/msdnmag/issues/04/06/NET/default.aspx, "Handling Unhandled Exceptions"):

    class App
    {
        public static void Main()
        {
            try
            {
                SubMain();
            }
            catch (Exception e)
            {
                HandleUnhandledException(e);
            }
        }
    ...
No comments

This is How They Will Discover Secrets You Hide

Friday, December 29, 2006

If you publish your code on the internet, then first They will use Google Code Search. For example, try looking for "initial catalog": http://www.google.com/codesearch?q=%22initial+catalog%22&hl=en If They are lucky and They have your binaries, then Reflector might help in looking for juicy hard-coded strings, but I believe They will choose to get all the strings using a simple tool that ships with Windows, FindStr, in conjunction with ILDASM, which ships with the .NET SDK or Visual Studio. Like this:

    Ildasm.exe secureapp.dll /text | findstr ldstr
    IL_000c: ldstr "RegisterUser"
    IL_0027: ldstr...
No comments

Take Virtual Lab for Writing Secure Code

http://msdn.microsoft.com/virtuallabs/teamsystem/ Writing Secure Managed Code with Visual Studio Team System. In this lab you will learn: fundamental design principles for building secure applications; technologies such as FxCop and code access security; how to build secure applications using various tools and techniques. Take this lab
No comments