Browse by Tags » Development
First off I'd like to thank Guy for his excellent screencast - very convenient, so thanks. Specifically I liked the introductory screencast for WCF, which can be found here: http://blogs.microsoft.co.il/blogs/bursteg/pages/WCF-Introduction-Demo-_2800_ScreenCast_2900_.aspx It is dubbed in Hebrew, but the screens flip in such a logical way that someone who does not understand Hebrew will be fine - go for it - highly recommended for WCF newbies like me. My interest was to understand the pipeline that the...
Consider the following ASPX page: Here is why it cannot be accessed: When trying to navigate there you get: Great, love URL authorization!! Now let's examine another ASPX page: When navigating to this page you surprisingly get this: The reason is that when using Server.Transfer, the request to the second page does not go through the whole ASP.NET pipeline, which includes the URL Authorization module. The security part is here: http://msdn2.microsoft.com/en-us/library/ms998375.aspx The performance part is here...
I've been blogging on the importance of input validation for some time: App Architecture with Security in mind - Video, Part I. Web Services are no different from ASPX - they accept parameters and process them. So the strategy for input validation should be the same as with ASPX - each and every input parameter MUST be checked for goodness (no black list allowed!). The only difference from ASPX is that there are no validation controls for ASMX, so the simplest way would be as follows: from http://msdn2.microsoft...
from http://www.iis.net/default.aspx?tabid=2&subtabid=24 IIS Webcast Series Upcoming Webcasts | IIS7 | Security | Performance | Management | Diagnostics | Deployment | Microsoft.com Series No comments needed here - JUST GO THERE AND ENJOY WHILE SIPPING A GLASS OF <<substitute here with your drink of choice>>
I've previously blogged about SOA Security Inside Enterprise Walls. This time I had a couple of pretty interesting requirements from one customer that targeted a B2B/Partners scenario. They had a web site that communicates with a partner's web services. His concerns were sincere and pretty fair: I want to manage the creds that I use to authenticate with the partner's web service in a secure way. I want to pass them over the wire in a secure, standard way. The partner won't do any major changes to his authorization...
I was doing some security code review for a WinForms app, and the code was trying to get the current user for use in its security-decision logic. The code that was used looked like this: string userName = Environment.UserName After that line the userName variable would hold the current user's name - perfect... Not really. Consider the following code: lblWindowsIdentity.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name; lblEnvironement.Text = Environment.UserName; This would produce the following result...
In ASP.NET we have our beloved global.asax with its Application_Error to trap all the unhandled errors. This is what might happen to you if you decide not to have a global error handler. For non-ASP.NET apps the following code might be useful. from http://msdn.microsoft.com/msdnmag/issues/04/06/NET/default.aspx Handling Unhandled Exceptions class App { public static void Main() { try { SubMain(); } catch (Exception e) { HandleUnhandledException(e); } } public static void SubMain() { // Setup unhandled...
If you publish your code on the internet, then first They will use Google CodeSearch. For example, try looking for "initial catalog": http://www.google.com/codesearch?q=%22initial+catalog%22&hl=en If They are lucky and They have your binaries, then Reflector might help in looking for juicy hard-coded strings, but I believe They will choose to get all the strings using a simple tool that ships with Windows, FindStr, in conjunction with ILDASM, which ships with the .Net SDK or Visual Studio. Like this: Ildasm...
Here: Validating Form Input Controls Securing Your Application Monitoring Your Application Cheers
http://msdn.microsoft.com/virtuallabs/teamsystem/ Writing Secure Managed Code with Visual Studio Team System In this lab you will learn: Fundamental design principles for building secure applications; Technologies such as FxCop and code access security; How to build secure applications using various tools and techniques. Take this lab
It all happens with input that is not properly validated. from: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh04.asp?frame=true#c04618429_006 Input Validation Input validation is a challenging issue and the primary burden of a solution falls on application developers. However, proper input validation is one of your strongest measures of defense against today's application attacks. Proper input validation is an effective countermeasure that can help prevent XSS, SQL injection, buffer...
Forget Google Hacking, introducing Live Search Hacking. First They will download the MSN Search SDK, which includes a sample app that looks like this: They will also get the MSN search ID here. Then They will add some more functionality that will enable them to: 1. Directly navigate to the matching URL 2. Directly navigate to the matching URL while injecting, say, a single quote - this should generate errors and hopefully expose implementation details that will help them further attack you 3. Do bullet 2...
From: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0003.asp?frame=true#pagguidelines0003_strongnames If you protect your code with a link demand for a StrongNameIdentityPermission to restrict the code that can call your code, be aware that this only works for partial trust callers. The link demand will always succeed for full trust callers, regardless of the strong name of the calling code. In .NET Framework 2.0, any fully trusted assembly will satisfy any demand, including a...
from: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0003.asp?frame=true · You need to add your assembly to the global assembly cache. If you want your assembly to be shared among multiple applications, then you should add it to the global assembly cache. To add your assembly to the global assembly cache, you need to give it a strong name. Adding an assembly to the global assembly cache ensures that your assembly runs with full trust. · You want to prevent partial trust callers...
A SQL injection attack is possible as a result of a developer's security bug [vulnerability] - Dynamic SQL. I admit it is the easiest way to write code that accesses the DB. Once it is discovered by a security expert and presented to the developer, the most obvious question that comes up is "what do I do?". Very often [too often] the answer I hear is "Use stored procedures". Consider this stored proc [recently seen in some project]: DECLARE @ID NVARCHAR (150) EXEC ( 'USE MSPetShop4; SELECT * FROM PRODUCT WHERE...