ASP.Net Insufficient Session Timeout

Posted by on October 6, 2015 · Comments Off on ASP.Net Insufficient Session Timeout
Filed under: Development, Security, Testing 

A common security concern found in ASP.Net applications is Insufficient Session Timeout. In this article, the focus is not on the ASP.Net session that is not effectively terminated, but rather the forms authentication cookie that is still valid after logout. How to Test User is currently logged into the application. User captures the ASPAuth cookie ...

EMV Chip cards: Overview

Posted by on September 21, 2015 · Comments Off on EMV Chip cards: Overview
Filed under: Security 

When you shop at a store with a credit card it is typically done by swiping your card to conduct the transaction. The swiping action allows the credit card terminal to read your credit card number off of a magnetic strip on the back of the card. The downside to the magnetic strip ...

F5 BigIP Decode with Fiddler

Posted by on September 18, 2015 · Comments Off on F5 BigIP Decode with Fiddler
Filed under: Development, Testing 

There are many tools out there that allow you to decode the F5 BigIP cookie used on some sites. I haven't seen anything that just plugs into Fiddler if you use that for debugging purposes. One of the reasons you may want to decode the F5 cookie is just that, debugging. ...

Static Analysis: Analyzing the Options

Posted by on April 5, 2015 · Comments Off on Static Analysis: Analyzing the Options
Filed under: Development, Security, Testing 

When it comes to automated testing for applications there are two main types: Dynamic and Static. Dynamic scanning is where the scanner is analyzing the application in a running state. This method doesn't have access to the source code or the binary itself, but is able to see how things function during runtime. Static ...

A Pen Test is Coming!!

Posted by on October 18, 2014 · Comments Off on A Pen Test is Coming!!
Filed under: Development, Security, Testing 

You have been working hard to create the greatest app in the world.  Ok, so maybe it is just a simple business application, but it is still important to you.  You have put countless hours of hard work into creating this master piece.  It looks awesome, and does everything that the business has asked for.  ...

Are Application Security Certifications Worth It?

Posted by on August 9, 2014 · Comments Off on Are Application Security Certifications Worth It?
Filed under: Security 

In the IT industry there has always been a debate for and against certifications. This is no different than the age old battle of whether or not a bachelors degree is needed to be good in IT. There are large entities that have made a really good profit off the certification tracks. ...

Application Logging: The Next Great Wonder

Posted by on August 2, 2014 · Comments Off on Application Logging: The Next Great Wonder
Filed under: Security 

What type of logging do you perform in your applications? Do you just log exceptions? Many places I have worked and many developers I have talked to over the years mostly focus on logging troubleshooting artifacts. Where did the application break, and what may have caused it. We do this because ...

Future of ViewStateMac: What We Know

Posted by on December 12, 2013 · Comments Off on Future of ViewStateMac: What We Know
Filed under: Development, Security, Testing 

The .Net Web Development and Tools Blog just recently posted some extra information about ASP.Net December 2013 Security Updates (http://blogs.msdn.com/b/webdev/archive/2013/12/10/asp-net-december-2013-security-updates.aspx). The most interesting thing to me was a note near the bottom of the page that states that the next version of ASP.Net will FORBID setting ViewStateMac=false. That is right.. They will ...

ViewStateUserKey: ViewStateMac Relationship

Posted by on November 26, 2013 · Comments Off on ViewStateUserKey: ViewStateMac Relationship
Filed under: Development, Security, Testing 

I apologize for the delay as I recently spoke about this at the SANS Pen Test Summit in Washington D.C. but haven't had a chance to put it into a blog. While I was doing some research for my presentation on hacking ASP.Net applications I came across something very interesting that sort of blew ...

Bounties For Fixes

Posted by on October 11, 2013 · Comments Off on Bounties For Fixes
Filed under: Security 

It was just recently announced that Google will pay for open-source code security fixes (http://www.computerworld.com/s/article/9243110/Google_to_pay_for_open_source_code_security_fixes). Paying for stuff to happen is nothing new, we have seen Bug Bounty programs popping up in a lot of companies. The idea behind the bug bounty is that people can submit bugs they have found and then ...

« Previous PageNext Page »