DotNetKicks.com : Stories kicked by Robr

Finding SQL Injection with Scrawlr

Fri, 27 Jun 2008 13:51:22 GMT

Microsoft worked with the HP Web Security Research group to release the Scrawlr tool. The tool will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will be then analyzed for SQL injection vulnerabilities.

Hybrid Analysis - The Answer to Static Code Analysis Shortcomings

Wed, 21 May 2008 01:33:13 GMT

Follow-up post to "Static Code Analysis Failures" and introduction to the concept of Hybrid Analysis.

Static Code Analysis Failures

Wed, 21 May 2008 01:31:35 GMT

Static code analysis failures are costing enterprises money and reputation. White-box security testing is inherently a flawed proposition for many reasons -but it all comes down to a very simple concept: Machines do not execute source code, they execute machine code (compiled code).

Official BlogEngine.NET Security Patch

Tue, 15 Apr 2008 22:46:04 GMT

Over the weekend, we were alerted to a security flaw in BlogEngine.NET 1.3.0.0. We have created a new release 1.3.1.0 which corrects this issue and are making a patch available here for users running 1.3.0.0. For those people running development version of BlogEngine.NET (from the source tab on CodePlex), please note that the latest release 1.3.0.29 has the security fix as well.

In "cyberspace"... no one can hear your database scream

Thu, 10 Apr 2008 03:24:26 GMT

It's 2:34am, local time. You're snoring up a storm after a hard day at the office. You've patched all your servers, your lockdown scripts have been verified, and your IDS is humming along perfectly. Oh, and by the way, someone named "R0kk1t" just stole your customer database. A quick check of the "Security Dashboard" when you get in at 8:00am will show everything is green... You have a serious problem.

OWASP Enterprise Security API

Wed, 09 Apr 2008 02:27:17 GMT

The purpose of the ESAPI is to provide a simple interface that provides all the ordinary security functions a developer is likely to need in a clear, consistent, and easy to use way. The ESAPI architecture is very simple, just a collection of classes that encapsulate the key security operations most applications need.

Phishing Holes

Wed, 09 Apr 2008 02:25:23 GMT

ASP.NET preventing phishing with SafeRedirect implementation behind Response.Redirect. Calls to SafeRedirect.Redirect will only succeed if the specified URL belongs to a predefined "whitelist" of known good domains specified in the application's configuration file.

"Security Vulnerability" != "Defect" ; why?

Wed, 02 Apr 2008 04:20:30 GMT

What is an application defect? How is that different from a security vulnerability? Historically, security vulnerabilities have been in a class all their own. In an attempt to put some urgency to the matter, security professionals have labeled defects in the security of their projects as an entirely different thing than a functional defect.

ASP.NET ValidateRequest does not mitigate XSS completely

Tue, 23 Oct 2007 22:34:08 GMT

As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting(XSS) bugs are not exceptions.

The WaterHobo

Fri, 19 Oct 2007 05:31:03 GMT

Guy built a motion sensing water gun to scare rabbits out of his garden. AForge.NET used. Awesome!

Top 10 Security Vulnerabilities in Web.config Files Part 1

Sat, 13 Oct 2007 00:02:52 GMT

These days, the biggest threat to an organization's network security comes from its public Web site and the Web-based applications found there. Unlike internal-only network services such as databases-which can be sealed off from the outside via firewalls-a public Web site is generally accessible to anyone who wants to view it, making application security an issue.

Top 10 Security Vulnerabilities in Web.config Files Part 2

Sat, 13 Oct 2007 00:01:51 GMT

Some of the most common and dangerous application security vulnerabilities that exist in ASP.NET Web-based applications come not from the C# or VB.NET code that make up its pages and service methods, but instead from the XML code that makes up its Web.config files.

Mastering GUIDs with Occam's Razor

Tue, 09 Oct 2007 23:14:29 GMT

Do you love GUIDs?

Home Automation with Windows Workflow

Tue, 09 Oct 2007 01:30:13 GMT

There are some pretty good Home Automation packages out there on the market. Some of these are made for installers and are thus closed to easy customization by the end user. Then there are packages that are made for hobbyists. These have good core automation systems, and provide some add-in points for customization.

Implement Yahoo's YSlow in your Asp.net pages

Sun, 29 Jul 2007 12:16:02 GMT

Enhanced version of Combining Multiple JS and CSS files into one. Now supports Compression, Minifier for JS and CSS files.

The Least You Need to Know about C# 3.0 (Beta 2 Edition)

Mon, 30 Jul 2007 16:46:02 GMT

A lot of people (myself included) have written about LINQ in the next version of C#. LINQ is indeed an empowering technology. However, even without LINQ, C# 3.0 would be a compelling upgrade. Now that Beta2 is publicly available, here's my personal list of the most useful features in the next release.

50 Silverlight Applications

Tue, 10 Jul 2007 16:01:02 GMT

50 Silverlight applications, many with source code available

Unit Test Web Code Without A Web Server Using HttpSimulator

Wed, 20 Jun 2007 18:16:01 GMT

Haacked introduces a new HttpSimulator class that he put together to help you unit test your asp.net code. Fluent interface, access to session and application variables, a working MapPath... wow!

See search results as you type - An ASP.NET Ajax Control

Wed, 20 Jun 2007 16:46:01 GMT

An ASP.NET Ajax Control that enables delayed postback from a Textbox after the user stops typing for a moment. This allows for the automatic update of searchresults shown below. It's almost like an Auto-Complete Box, just with the results in the page.

Highlighting keywords in text using Regex.Replace (Perfect for SEO)

Mon, 18 Jun 2007 22:01:01 GMT

I needed to take some text and bold certain keywords before returning the data to the web browser (this was to enhance Search Engine Optimization). The following example shows how I achieved it.