Latest Security stories

ASP.NET session hijacking with Google and ELMAH (www.troyhunt.com)

submitted by troyhunt (696) 1 month, 3 days ago

ELMAH is one of those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes. Yet, as the old adage goes, with great power comes great responsibility and if you’re not responsible with how you implement ELMAH, you’re also only a couple of minutes away from making session hijacking of your ASP.NET app – and many other exploits – very, very easy.

Why software isn't secure (www.threenine.co.uk)

submitted by threenine39 (299) 1 month, 5 days ago

High-level view of what happens on software projects that leads to software insecurity.

Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (technet.microsoft.com)

submitted by pwhe23 (845) 1 month, 6 days ago

This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection (www.troyhunt.com)

submitted by troyhunt (696) 2 months, 15 days ago

When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is encrypted over the network and you know it hasn’t been manipulated in transit. But unfortunately we often find sites lacking and failing to implement proper transport layer protection. Sometimes this is because of the perceived costs of implementation, sometimes it’s not knowing how and sometimes it’s simply not understanding the risk that unencrypted communication poses. Part 9 of this series is going to clarify these misunderstandings and show how to implement this essential security feature effectively within ASP.NET.

Keep it secret, keep it safe - Eric Lippert on Crypto (blogs.msdn.com)

submitted by dpeterson (3464) 4 months, 15 days ago

Eric Lippert discusses cryptography, its difference from security, and discusses some of the different types of cryptography using the Bob and Alice (and a few extras) scenarios to explain how the different types work.

Checking Password Strength (www.blackwasp.co.uk)

submitted by BlackWasp (4024) 4 months, 23 days ago

Many computer systems require that a password is provided before permitting access to sensitive data. As some passwords are easy to crack using brute force techniques, it is common to give the user feedback to show the strength of their selected password.

Securing Strings in Memory (www.beckshome.com)

submitted by thbst16 (26) 5 months ago

I recently had the opportunity to look into and make use of the Microsoft System.Security.SecureString class. This class is one of those dark corners of the .NET Framework that you don’t think about on a day-to-day basis but are really glad that it’s there when your security auditor starts asking questions about how PII data such as social security numbers are protected while resident in memory. The SecureString class takes care of this problem, helping you avoid a situation where unencrypted sensitive String data is left lingering around on the .NET heap. However, since this class does reference unmanaged memory buffers, its use is not entirely intuitive. I’ve attempted to demystify things with the explanation, drawing and code snippets in this post.

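As an added example (not code from the post above or from its author), the following shows the pattern the summary alludes to: the secret is accumulated into a SecureString one character at a time, and its plaintext is only ever exposed to unmanaged memory inside a scope that zeroes and frees the buffer afterwards, via the Marshal.SecureStringToBSTR / Marshal.ZeroFreeBSTR pair. The `FromChars`, `WithDecrypted` and `Matches` names are this example's own, the "hunter2" input is constructed for the demo, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not code from the linked post. Demonstrates keeping a secret in
// a SecureString and decrypting it only into a scoped, zeroed unmanaged buffer.
public static class SecureStringDemo
{
    // Build the SecureString from individual characters and wipe the caller's
    // copy. In a real program the characters come straight from the input
    // source (Console.ReadKey, a password box), never from a string literal.
    public static SecureString FromChars(char[] chars)
    {
        var secure = new SecureString();
        foreach (char c in chars)
            secure.AppendChar(c);
        Array.Clear(chars, 0, chars.Length);   // do not leave a second plaintext copy behind
        secure.MakeReadOnly();
        return secure;
    }

    // Run 'action' against a BSTR copy of the secret; the copy is zeroed and freed
    // in the finally block even if the action throws.
    public static T WithDecrypted<T>(SecureString secure, Func<IntPtr, int, T> action)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secure);
            return action(bstr, secure.Length);
        }
        finally
        {
            if (bstr != IntPtr.Zero)
                Marshal.ZeroFreeBSTR(bstr);     // zero the bytes, then release the buffer
        }
    }

    // Compare the secret to a candidate without ever materialising a managed
    // string of the secret. The loop always runs over min(length) characters and
    // folds every difference into 'diff', so timing does not reveal the first
    // mismatching position.
    public static bool Matches(SecureString secure, char[] candidate)
    {
        return WithDecrypted(secure, (ptr, length) =>
        {
            int diff = length ^ candidate.Length;
            int n = Math.Min(length, candidate.Length);
            for (int i = 0; i < n; i++)
            {
                // BSTR payload is UTF-16: two bytes per character.
                char c = (char)Marshal.ReadInt16(ptr, i * 2);
                diff |= c ^ candidate[i];
            }
            return diff == 0;
        });
    }

    public static void Main()
    {
        // Constructed sample input for the demo only (see the note on literals above).
        SecureString pin = FromChars("hunter2".ToCharArray());
        Console.WriteLine(Matches(pin, "hunter2".ToCharArray()));
        Console.WriteLine(Matches(pin, "hunter3".ToCharArray()));
        pin.Dispose();                           // zeroes and frees the protected buffer
    }
}
```

Two caveats the pattern cannot remove: the literal handed to FromChars in Main is itself already an immutable string on the managed heap, so a real program must feed characters in directly; and on .NET Core and later the SecureString buffer is not encrypted at all, only kept out of the garbage-collected heap and zeroed on Dispose, which is why Microsoft no longer recommends the class for new development.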

Security in Software (www.dotnetblocks.com)

submitted by DotNetBlocks (384) 5 months, 14 days ago

The term security has many meanings based on the context and perspective in which it is used. Security from the perspective of software/system development is the continuous process of maintaining confidentiality, integrity, and availability of a system, sub-system, and system data. This definition at a very high level can be restated as the following: Computer security is a continuous process dealing with confidentiality, integrity, and availability on multiple layers of a system.

How to Implement 2-Step Verification in ASP.NET MVC (www.nayyeri.net)

submitted by keyvan (4086) 6 months, 1 day ago

In this post Keyvan walks through an example to show how to implement 2-step verification (with phone) in ASP.NET MVC applications.

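The server-side half of a phone-based second step, as an added example that is not Keyvan's code: a 6-digit code is drawn from the CSPRNG, only its hash is kept together with an expiry and an attempt counter, and submissions are checked in constant time and accepted at most once. The `PhoneVerification` class and its members are this example's own names, the clock values in Main are constructed for the demo, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the linked post. Issues a one-time code for
// out-of-band delivery (e.g. SMS) and verifies it with expiry, attempt cap and
// single-use semantics.
public sealed class PhoneVerification
{
    private const int Digits = 6;
    private const int MaxAttempts = 5;
    private readonly TimeSpan _lifetime;
    private byte[] _codeHash;      // SHA-256 of the code; the code itself is never stored
    private DateTime _expiresUtc;
    private int _attempts;

    public PhoneVerification(TimeSpan lifetime)
    {
        _lifetime = lifetime;
    }

    // Returns the code to hand to the SMS gateway. The caller must not log or
    // persist it; the only server-side record is the hash kept in this object.
    public string Issue(DateTime nowUtc)
    {
        // GetInt32 draws from the CSPRNG without modulo bias, unlike
        // new Random().Next() or "someRandomInt % 1000000".
        int code = RandomNumberGenerator.GetInt32(1_000_000);
        string text = code.ToString("D6");
        _codeHash = Hash(text);
        _expiresUtc = nowUtc + _lifetime;
        _attempts = 0;
        return text;
    }

    // Every call counts as an attempt, so a guesser gets MaxAttempts tries per
    // issued code and then has to trigger a fresh (rate-limited) SMS.
    public bool Verify(string candidate, DateTime nowUtc)
    {
        if (_codeHash == null || nowUtc > _expiresUtc || _attempts >= MaxAttempts)
            return false;
        _attempts++;
        if (candidate == null || candidate.Length != Digits)
            return false;

        bool ok = CryptographicOperations.FixedTimeEquals(Hash(candidate), _codeHash);
        if (ok)
            _codeHash = null;      // a code is accepted at most once
        return ok;
    }

    private static byte[] Hash(string code)
    {
        using var sha = SHA256.Create();
        return sha.ComputeHash(Encoding.ASCII.GetBytes(code));
    }

    public static void Main()
    {
        var verification = new PhoneVerification(TimeSpan.FromMinutes(5));
        DateTime issuedAt = DateTime.UtcNow;                 // constructed clock for the demo
        string sent = verification.Issue(issuedAt);           // this string goes to the SMS gateway

        Console.WriteLine(verification.Verify("000000", issuedAt));                 // a guess
        Console.WriteLine(verification.Verify(sent, issuedAt.AddMinutes(1)));       // the delivered code, in time
        Console.WriteLine(verification.Verify(sent, issuedAt.AddMinutes(1)));       // replay of an already-used code
        Console.WriteLine(verification.Verify(verification.Issue(issuedAt), issuedAt.AddMinutes(6))); // after expiry
    }
}
```

Hashing the code is hygiene rather than protection: a leaked table of SHA-256 hashes of six-digit values is brute-forced instantly, so the short lifetime and the attempt cap are the controls that actually matter, along with rate-limiting how often a new code can be sent to the same number.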

OWASP Top 10 for .NET devs part 8: Failure to Restrict URL Access (www.troyhunt.com)

submitted by troyhunt (696) 6 months, 11 days ago

What makes this particular risk so dangerous is that not only can it be used to very, very easily exploit an application, it can be done so by someone with no application security competency – it’s simply about accessing a URL they shouldn’t be. On the positive side, this is also a fundamentally easy exploit to defend against. ASP.NET provides both simple and efficient mechanisms to authenticate users and authorise access to content. In fact the framework wraps this up very neatly within the provider model which makes securing applications an absolute breeze.

The padlock icon must die (www.troyhunt.com)

submitted by troyhunt (696) 6 months, 24 days ago

What do you think of when you see the padlock icon on a webpage? You're probably thinking something along the lines of "it means the page is secure". The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit. The problem is that it doesn't mean anything of the kind. In fact it has absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it's downright misleading.

Secure user authentication with one way password hash (galratner.com)

submitted by galratner (309) 7 months, 6 days ago

Keeping users' passwords in your database is a part of almost every application, yet securing passwords is rarely done correctly. I recently read an article by Coda Hale about the ineffectiveness of password salts. Coda suggested using bcrypt to store passwords. He reasoned his argument by explaining bcrypt is extremely slow to compute, therefore making it slow to hack. I completely agree, however, I wanted to add another way of safely storing passwords in a more conventional way by hiding the salt in the hash. The idea wasn’t mine. It belongs to a DBA named Scott Hulberg. It’s pretty simple and for the sake of this blog post I am not going to implement it completely. I am going to prepend the salt to the password hash, making it invisible to a hacker. You can go further by writing an algorithm to plant the salt in the hash array as you see fit. Since the only way to match a one way hashed password is to use the salt we used to generate this hash, if a hacker cannot get to the salt, they cannot retrieve the original password. Let’s begin by composing the method to create our hash and prefix it with the salt:

Getting up and started with the Windows Phone Developer Tools 7.1 Beta (michaelcrump.net)

submitted by mbcrump (940) 7 months, 13 days ago

Windows Phone Developer Tools 7.1 Beta 2 was released on 6/29/2011. Are you ready for it? If not then let my guide help you get your system prepared and go through a few new features. Download links: Web Installer of Windows Phone 7.1 Beta 2 SDK; ISO Image of Windows Phone 7.1 Beta 2 SDK (723 MB). To get started you are going to need to remove the previous version of your Windows Phone Developer Tools 7.1 Beta 1.

Windows Phone 7 vs Windows Phone Mango: Getting Device Information (www.windowsphonegeek.com)

submitted by winphonegeek (2132) 7 months, 20 days ago

Windows Phone 7 vs Windows Phone 7.1 Mango: Getting Device Information.

OWASP Top 10 for .NET developers part 7: Insecure Cryptographic Storage (www.troyhunt.com)

submitted by troyhunt (696) 7 months, 29 days ago

In the 7th part of the series on addressing the OWASP Top 10 within ASP.NET, we look at how cryptographic storage can be implemented securely. The post looks at how poorly implemented hashing can be easily broken with rainbow tables then moves onto secure hash algorithms, proper use of salts and the implementation of symmetric encryption.

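Both the galratner.com post (prepending the salt to the stored hash) and the OWASP part 7 post above (salted hashing with a secure algorithm) describe the same storage layout, so one added example covers them; it is not code from either post. The password is stored as a single opaque blob, salt || PBKDF2-SHA256(password, salt), and the verifier recovers the salt by offset. PBKDF2 is this example's substitution for a plain hash call; the `PasswordStorage` name, constants and the sample password are this example's own, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the linked posts. One byte array holds
// salt || PBKDF2-SHA256(password, salt); Verify() splits it by fixed offsets.
public static class PasswordStorage
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    // Raise until Hash() costs roughly 100 ms on the production hardware. This
    // work factor, not where the salt is placed, is what makes offline guessing slow.
    private const int Iterations = 600_000;

    public static byte[] Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);   // fresh random salt per password
        byte[] hash = Derive(password, salt);
        var stored = new byte[SaltBytes + HashBytes];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltBytes);
        Buffer.BlockCopy(hash, 0, stored, SaltBytes, HashBytes);
        return stored;
    }

    public static bool Verify(string password, byte[] stored)
    {
        if (stored == null || stored.Length != SaltBytes + HashBytes)
            return false;
        var salt = new byte[SaltBytes];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltBytes);          // the salt is the first 16 bytes
        byte[] expected = Derive(password, salt);
        // Compare the full hash length regardless of where the first mismatch is.
        return CryptographicOperations.FixedTimeEquals(expected, stored.AsSpan(SaltBytes, HashBytes));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        return Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
    }

    public static void Main()
    {
        byte[] record = Hash("correct horse battery staple");      // constructed sample password
        Console.WriteLine(Convert.ToBase64String(record));          // what goes into the database column
        Console.WriteLine(Verify("correct horse battery staple", record));
        Console.WriteLine(Verify("correct horse battery stable", record));
    }
}
```

In this layout the salt is treated as a per-record uniqueness value, not as a secret: its job is to defeat rainbow tables and make every user's hash independent, while the KDF's iteration count is what imposes cost on a guessing attack. bcrypt, which the galratner.com post mentions, packs its salt into the output string in the same way; the example uses PBKDF2 because it is in the framework.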

RSA private key import from PEM format in C# (khason.net)

submitted by tamir (580) 7 months, 29 days ago

Source code and explanations about how to use asymmetric encryption for the mutually authenticated SSL protocol by importing and using RSA OpenSSL private keys and client certificates into a C#.NET application.

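As an added example (not the khason.net code), the following reads an OpenSSL-style PKCS#1 "RSA PRIVATE KEY" PEM block into RSAParameters with a minimal DER walker and loads it into RSA, then proves the round trip by verifying a signature made with the original key. Modern .NET can do this in one call (RSA.ImportFromPem, .NET 5+); the point of spelling it out is the length-normalisation step that trips up hand-rolled importers. The `PemRsaImport` class and its helpers are this example's own names, the key is generated at run time as constructed input, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the linked post. Parses PKCS#1 RSAPrivateKey
// (SEQUENCE of nine INTEGERs) from PEM and normalises field lengths for RSAParameters.
public static class PemRsaImport
{
    public static RSAParameters ParsePkcs1PrivateKey(string pem)
    {
        byte[] der = DecodePemBody(pem, "RSA PRIVATE KEY");
        int pos = 0;
        ExpectTag(der, ref pos, 0x30);                 // outer SEQUENCE
        ReadLength(der, ref pos);                      // its length; the fields follow in order
        byte[] version = ReadInteger(der, ref pos);
        if (version.Length != 1 || version[0] != 0)
            throw new CryptographicException("Only two-prime RSAPrivateKey (version 0) is supported.");

        byte[] n = ReadInteger(der, ref pos);
        byte[] e = ReadInteger(der, ref pos);
        byte[] d = ReadInteger(der, ref pos);
        byte[] p = ReadInteger(der, ref pos);
        byte[] q = ReadInteger(der, ref pos);
        byte[] dp = ReadInteger(der, ref pos);
        byte[] dq = ReadInteger(der, ref pos);
        byte[] qinv = ReadInteger(der, ref pos);

        // RSAParameters consumers expect D to be exactly as long as the modulus
        // and the CRT values to be exactly half that. DER drops leading zero
        // bytes, so pad them back or ImportParameters can reject a valid key.
        int half = (n.Length + 1) / 2;
        return new RSAParameters
        {
            Modulus = n, Exponent = e,
            D = LeftPad(d, n.Length),
            P = LeftPad(p, half), Q = LeftPad(q, half),
            DP = LeftPad(dp, half), DQ = LeftPad(dq, half),
            InverseQ = LeftPad(qinv, half),
        };
    }

    private static byte[] DecodePemBody(string pem, string label)
    {
        string header = "-----BEGIN " + label + "-----";
        string footer = "-----END " + label + "-----";
        int start = pem.IndexOf(header, StringComparison.Ordinal);
        int end = pem.IndexOf(footer, StringComparison.Ordinal);
        if (start < 0 || end < 0 || end < start)
            throw new FormatException("PEM block '" + label + "' not found.");
        start += header.Length;
        string body = pem.Substring(start, end - start);
        if (body.Contains("Proc-Type:") || body.Contains("DEK-Info:"))
            throw new NotSupportedException("Password-encrypted legacy OpenSSL PEM is not handled here.");
        return Convert.FromBase64String(body);         // FromBase64String skips line breaks and spaces
    }

    private static void ExpectTag(byte[] der, ref int pos, byte tag)
    {
        if (pos >= der.Length || der[pos] != tag)
            throw new CryptographicException($"Expected DER tag 0x{tag:X2} at offset {pos}.");
        pos++;
    }

    // DER definite length: short form (< 0x80) or long form (0x80 | n, then n length bytes).
    private static int ReadLength(byte[] der, ref int pos)
    {
        int first = der[pos++];
        if (first < 0x80) return first;
        int count = first & 0x7F;
        if (count == 0 || count > 4) throw new CryptographicException("Unsupported DER length encoding.");
        int length = 0;
        for (int i = 0; i < count; i++) length = (length << 8) | der[pos++];
        if (length < 0 || pos + length > der.Length) throw new CryptographicException("DER length exceeds buffer.");
        return length;
    }

    // INTEGER: drop the single 0x00 DER prepends when the top bit of the value is set.
    private static byte[] ReadInteger(byte[] der, ref int pos)
    {
        ExpectTag(der, ref pos, 0x02);
        int length = ReadLength(der, ref pos);
        int skip = (length > 1 && der[pos] == 0x00) ? 1 : 0;
        var value = new byte[length - skip];
        Buffer.BlockCopy(der, pos + skip, value, 0, value.Length);
        pos += length;
        return value;
    }

    private static byte[] LeftPad(byte[] value, int size)
    {
        if (value.Length >= size) return value;
        var padded = new byte[size];
        Buffer.BlockCopy(value, 0, padded, size - value.Length, value.Length);
        return padded;
    }

    private static string ToPem(byte[] der, string label)
    {
        var sb = new StringBuilder();
        sb.Append("-----BEGIN ").Append(label).Append("-----\n");
        sb.Append(Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks)).Append('\n');
        sb.Append("-----END ").Append(label).Append("-----\n");
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed input: generate a key and emit it as PKCS#1 PEM (the same
        // encoding `openssl genrsa` writes), then re-import it through the parser.
        using var original = RSA.Create(2048);
        string pem = ToPem(original.ExportRSAPrivateKey(), "RSA PRIVATE KEY");

        RSAParameters parsed = ParsePkcs1PrivateKey(pem);
        using var imported = RSA.Create();
        imported.ImportParameters(parsed);

        // Round trip: the imported key must verify what the original signed.
        byte[] data = Encoding.UTF8.GetBytes("client certificate challenge");
        byte[] sig = original.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine(imported.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
    }
}
```

A file that starts with "-----BEGIN PRIVATE KEY-----" is PKCS#8, not PKCS#1: it wraps the same RSAPrivateKey inside an AlgorithmIdentifier envelope, so this parser rejects it on the first tag check and RSA.ImportPkcs8PrivateKey is the right call instead. For a client certificate the private key also has to be bound to the X509Certificate2 (CopyWithPrivateKey) before SslStream can present it.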