By tag: security
WYSIWYG Html Editor and XSS Attack Prevention
How to prevent cross site scripting (XSS) attack due to html editors.
Remove unwanted headers in the HTTP response
Article on removing unwanted response headers from the HTTP response. It includes a walkthrough of using a registry setting and a walkthrough of using URLScan to remove the Server header.
Modeling the four-eye principle
Working in a financial domain over the last year, it was only a matter of time before I would be confronted with one of the variations of the two-man rule: the four-eye principle. Satisfying the principle is simple enough; an extra pair of eyes needs to approve of requested changes before they're ap...
Some important ASP.NET 4.5 security improvements
ASP.NET 4.5 brings some notable security improvements, but you'll need to enable them in config. This blog post gives an overview of the improvements and instructions on how to enable them!
Creating a Secure Textbox
The SecureString class holds confidential information in an encrypted format, reducing the risk that the information could be obtained by reading a computer's memory directly. However, there is no easy way to obtain the secure information from a user.
Up Log Creek Without a Paddle – Part 1: Windows Audit Logs
Much like having a good backup and restore plan, being able to filter and scan log files for what you need, to help draw conclusions on how a situation occurred or by whom it was conducted, is an important part of your security plan. However, if you have a heavily trafficked website, network share or p...
Is Stack Overflow “secure”? Kind of…
I had an interesting question pop up on my “SSL is not about encryption” blog post this weekend:
"I have a question about logging in to a site like StackOverflow which doesn't use SSL at all. If I am logging in to SO via Google, is this secure in this case?"
This is actually a very good questi...
Generating secure Guids
This blog post explains how you can generate Guids based on random numbers from the RNGCryptoServiceProvider, including a code sample.
Stronger password hashing in .NET with Microsoft’s universal providers
Last month I wrote about our password hashing having no clothes which, to cut to the chase, demonstrated how salted SHA hashes (such as those created by the ASP.NET membership provider) offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story o...
Our password hashing has no clothes
Many of us rely on the use of salt in the belief it will make our passwords “secure” when hashed with a variant of the SHA algorithm. Unfortunately, processing power has progressed to the point where even salted hashes are now near useless, particularly when a GPU is used in an attempt to crack them.
...
Generating Random Pronounceable Passwords
The use of passwords as a security measure is increasingly common for technical and non-technical users alike. Generating passwords that are both strong and memorable can be difficult. This article describes one method to alleviate this problem.
ASP.NET session hijacking with Google and ELMAH
ELMAH is one of those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes.
Yet, as t...
Why software isn't secure
A high-level view of what happens on software projects that leads to insecure software.
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target ...
OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer
When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is e...