Brute Force: An Inside Job

Posted on March 20, 2013
Filed under: Development, Security, Testing 

As a developer, we are told all the time to protect against brute force attacks on the login screen by using a mechanism like account lockouts.  We even see this on our operating systems, when we attempt multiple incorrect logins, we get locked out.   Of course, as times have changed, so have some of the ...

Developers, Security, Business – Lets All Work Together

Posted on January 10, 2013
Filed under: Development, Security 

A few years ago, my neighbors ran into an issue with each other. Unfortunately for one neighbor, the other neighbor was on the board for the HOA. The first neighbor decided to put up a fence, got the proper approvals and started work on it. They were building the fence themselves ...

ASP.Net and CSRF

Posted on January 7, 2013
Filed under: Development, Security 

Cross-site request forgery (CSRF) is a very common vulnerability today. Like most frameworks, ASP.Net is not immune by default. There are some built-in features that can be enabled to help reduce the surface area of this attack; however, we need to be aware of how they work and what situations they may not ...

SQL Injection in 2013: Lets Work Together to Remediate

Posted on January 4, 2013
Filed under: Development, Security 

We just started 2013, and SQL Injection has been a vulnerability plaguing us for over 10 years. It is time to take action. Not that we haven't been taking action, but it is still prevalent in web applications. We need to set attainable goals. Does it seem attainable that we say we will eradicate all ...

Authorization: Bad Implementation

Posted on January 3, 2013
Filed under: Development, Security, Testing 

A few years ago, I joined a development team and got a chance to poke around a little bit for security issues.  For a team that didn't think much about security, it didn't take long to identify some serious vulnerabilities.  One of those issues that I saw related to authorization for privileged areas of the ...

2012 in Review

Posted on December 31, 2012
Filed under: Development, Security, Testing 

Well here it is, 2012 is coming to an end and I thought I would wish everyone happy holidays, as well as mention some of the topics covered this year on my blog. The year started out with a few issues in the ASP.Net framework. We saw a Forms Authentication Bypass that ...

ViewState XSS: What’s the Deal?

Posted on September 17, 2012
Filed under: Development, Security, Testing 

Many of my posts have discussed some of the protections that ASP.Net provides by default, for example Event Validation, ViewStateMac, and ViewStateUserKey. So what happens when we are not using these protections? Each of these has a different effect on what is possible from an attacker's standpoint, so it is important to understand what ...

Another Request Validation Bypass?

Posted on August 29, 2012
Filed under: Development, Security 

I stumbled across this BugTraq post (http://www.securityfocus.com/archive/1/524043) on Security Focus today that indicates another way to bypass ASP.Net's built-in Request Validation feature. It was reported by Zamir Paltiel from Seeker Research Center, showing us how using a % symbol in the tag name (ex. <%tag>) makes it possible to bypass Request Validation and apparently ...

Request Method Can Matter

Posted on August 15, 2012
Filed under: Development, Security 

One of the nice features of ASP.Net is that many of the server controls populate their values based upon the request method. Let's look at a quick example. If the developer has created a text box on the web form, called txtUserName, then on a postback the Text property will be populated from the ...

Handling Request Validation Exceptions

Posted on July 17, 2012
Filed under: Development 

I write a lot about the request validation feature built into .Net because I believe it serves a great purpose in helping reduce the attack surface of a web application. Although it is possible to bypass it in certain situations, and it is limited to HTML-context cross-site scripting attacks, it does provide ...
