DotNetKicks.com - Stories tagged with Security

Session Attacks and ASP.NET - Part 2

Wed, 24 Jun 2009 19:00:00 GMT

In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET's session architecture and authentication architecture. In this second post, I'll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures specific to ASP.NET for protecting against session attacks in ASP.NET

Session Attacks and ASP.NET - Part 1

Thu, 18 Jun 2009 17:30:01 GMT

I've spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+. Part 1 explores ASP.NET session management, authentication, and session attacks against ASP.NET with a comparison of how ASP.NET stacks up against mitigation techniques against these attacks.

NVelocity and XSS

Mon, 15 Jun 2009 11:08:12 GMT

Is Nvelocity XSS proof?

Create Logos

Fri, 12 Jun 2009 05:49:36 GMT

Logosmartz provides you pre-defined logo templates and add special effects like shadow, Bevel, Outline and Gradient to create logos.

AzMan Bulk Import

Tue, 09 Jun 2009 22:34:49 GMT

The AzMan bulk import tool that many of us have used. The author is finally blogging.

Security Certificate problem

Sat, 06 Jun 2009 07:29:12 GMT

If you are using a computer without the connector (console) software on it (e.g. at work trying to access your home server) and you try to connect to the web interface of WHS then the following error appears: If you are using a computer without the connector (console) software on

How to reg 64-bit assembly using VS2005 setup on 64-bit

Fri, 05 Jun 2009 20:08:01 GMT

eg 64-bit assembly using VS2005 setup on 64-bit

Security Vulnerability Analysis for Fiddler

Sat, 23 May 2009 09:12:31 GMT

Fiddler Plugins for Site Spider, Fuzzer, XSS/CSRF vulnerability detection, SQL Injection detection, Session Tampering, Information Leakage detection, etc. A ViewState decoder proof-of-concept has been completed. Looking for contributors as well.

The Geneva framework

Fri, 15 May 2009 06:01:02 GMT

The "Geneva", while being a very interesting framework developed by Microsoft, isn't getting much buzz on the blogs. A beta 2 version was just recently released and the final version is planned somewhere in 2009.

XSRF Attacks in AJAX enabled apps

Thu, 14 May 2009 19:56:42 GMT

A bit of research and a brief P.O.C. demonstrating a cross site request forgery against an AJAX enabled application...

Code Access Security Cheat Sheet

Thu, 07 May 2009 21:46:05 GMT

A full page cheat sheet on Code Access Security (CAS). Includes screenshots of the .NET Framework 2.0 Configuration tool. Describes the following terms: Permission, PermissionSet, Code Group, Policy Level, Assembly Instance, Evidence; and Evidence Type.

Certificate Authentication & Transport Security in WCF

Thu, 07 May 2009 07:50:52 GMT

I think I understand more about setting up a WCF service from this article then from about 10 links I found previously; and that's saying something coming from an MSDN article.

ELMAH: Error Logging Modules and Handlers for ASP.NET (and MVC too!)

Fri, 24 Apr 2009 22:01:11 GMT

ELMAH has been one of the most useful tools for ASP.NET developers to log errors on their web applications. Now Scott has a nice talk on how to use it even in your ASP.NET MVC applications. Cool!

8 Ways To Make Your Software Hacker-Proof and Crack-Proof.

Thu, 23 Apr 2009 16:18:17 GMT

This article provides some useful tips and guidelines for designing effective licenses and writing effective license validation code. The philosophy is simple: to make it as difficult as possible for the hacker to 'crack' your software and cause the hacker to lose interest in your software or not make it worthwhile for him/her.

Data Validation - Step One in Improving the Security of Your Web Appli

Tue, 21 Apr 2009 20:52:12 GMT

Security MVP Article - April 2009, Data Validation By Rudolph Araujo, Microsoft MVP - Developer Security

CryptoLicensing For .Net 2009 released

Mon, 20 Apr 2009 19:46:06 GMT

CryptoLicensing for .Net is a 100% .Net solution to add licensing, copy-protection and activation capabilities to your .Net, Windows Forms (WinForms) and WPF applications, components and controls and ASP.Net web sites. CryptoLicensing uses the latest military strength, state-of-the-art cryptographic technology to generate secure and unbreakable licenses to ensure that your software and intellectual property is protected.

Simple String Encryption using DPAPI and Extension Methods

Fri, 17 Apr 2009 14:53:55 GMT

Extension methods that encyrpt / decrypt strings through the Windows Data Protection API (DPAPI) with optional usage of secure strings that protect data in memory.

Creating an Elevated Button Control

Tue, 07 Apr 2009 03:11:03 GMT

When using Microsoft Windows Vista, administrative tasks are restricted by the user account control (UAC) system. Buttons that require elevated permissions are displayed with the command text and a shield icon to indicate that permission will be required.

Check if a Program is Running as an Administrator

Sat, 28 Mar 2009 19:09:35 GMT

User Account Control (UAC) protects Vista by preventing programs from performing administrative or system functions without prior permission. Before attempting such a function, you should check whether your software is running with elevated privileges.

Localized Service Names and How to get Around It

Thu, 19 Mar 2009 04:54:21 GMT

Using built in windows account names like NT AUTHORITY\Network Service in code can be tricky especially if we are dealing with different locales. This article describes how to get around it and write generic code that will work on all localized versions of windows.

22,000 Strong Botnet: BBC Crosses the Line

Fri, 13 Mar 2009 01:15:38 GMT

The BBC is running a story about just how easy it is for hackers to install and manage a botnet. The problem is that they used unsuspecting users computers to demonstrate it!

Cracking .NETZ executables

Sat, 07 Mar 2009 06:23:51 GMT

.NETZ is a free open source tool that compresses and packs the Microsoft .NET Framework executable (EXE, DLL) files in order to make them smaller. Smaller executables consume less disk space and load faster because of fewer disk accesses. Today we are going to show you how to extract assemblies from them, so we can crack them!

Security: Store strings in-memory securely.

Thu, 05 Mar 2009 01:55:30 GMT

Lots of developers are not familiar with the fact that string variables are stored in memory as a plain text and can be stolen with simple memory dump. Therefore they are revealed to anyone who has an access to a server.

Security Vulnerability of the Week #1: SQL Injection

Wed, 04 Mar 2009 01:01:13 GMT

This article begins a semi-regular series that will explores the most common vulnerabilities and the mind-set of the developers that create them and also explore how to deal with them. The first post in the series takes a look at the OWASP top number 2 vulnerability, Injection (specifically SQL Injection) - which has been a known and solved problem for over 10+ years, yet for some reason, it's still as common as ever.

Password Limitations May Mean Your Password is Unsafe

Sat, 28 Feb 2009 02:05:46 GMT

Another security post about how badly so many people treat passwords, especially online.