Securing the Forms Authentication Cookie with Secure Flag

Posted by James Jardine on March 25, 2024 · Comments Off
Filed under: Development, Security

One of the recommendations for securing cookies within a web application is to apply the Secure attribute. Typically, this is only a browser directive to direct the browser to only include the cookie with a request if it is over HTTPS. This helps prevent the cookie from being sent over an insecure connection, ...

Tags: Application Security, appsec, forms authentication, pentest, qa, secure development, Security, Testing, training

Does ASP:Textbox TextMode Securely Enforce Input Validation?

Posted by James Jardine on December 11, 2023 · Comments Off
Filed under: Development, Security

When building .Net Webform applications, the ASP:Textbox has a TextMode property that you can set. For example, you could indicate that the text should be a number by setting the property below: <asp:TextBox ID="txtNumber" runat="server" TextMode="Number" /> As you can see in the above example, we are specifically setting the TextMode attribute to Number. You can see ...

Tags: asp.net security, input validation, secure development, Security, security testing, textmode

Disabling SpellCheck on Sensitive Fields

Posted by James Jardine on January 18, 2023 · Comments Off
Filed under: Development, Security

Do you know what happens when a browser performs spell checking on an input field? Depending on the configuration of the browser, for example with the enhanced spell check feature of Chrome, it may be sending those values out to Google. This could potentially put sensitive data at risk so it may be a good idea ...

Tags: Application Security, appsec, html, privacy, secure development, Security

What is the difference between encryption and hashing?

Posted by James Jardine on August 29, 2022 · Comments Off
Filed under: Development, Security

Encryption is a reversible process, whereas hashing is one-way only. Data that has been encrypted can be decrypted back to the original value. Data that has been hashed cannot be transformed back to its original value. Encryption is used to protect sensitive information like Social Security Numbers, credit card numbers ...

Tags: Application Security, Development, Secure Code, secure development, Security, Testing

XmlSecureResolver: XXE in .Net

Posted by James Jardine on August 22, 2022 · Comments Off
Filed under: Development, Security, Testing

tl;dr Microsoft .Net 4.5.2 and above protect against XXE by default.It is possible to become vulnerable by explicitly setting a XmlUrlResolver on an XmlDocument.A secure alternative is to use the XmlSecureResolver object which can limit allowed domains.XmlSecureResolver appeared to work correctly in .Net 4.X, but did not appear to work ...

Tags: .Net, Application Security, ASP.Net, Development, Secure Code, secure development, Security

Input Validation for Security

Posted by James Jardine on August 22, 2022 · Comments Off
Filed under: Development, Security

Validating input is an important step for reducing risk to our applications. It might not eliminate the risk, and for that reason we should consider what exactly we are doing with input validation. Should you be looking for every attack possible? Should you create a list of every known malicious payload?...

Tags: applicaiton security, Application Security, developer security, Development, input validation, request validation, Secure Code, secure coding, secure development, secure testing, Security

Chrome is making some changes… Are you Ready?

Posted by James Jardine on February 10, 2020 · Comments Off
Filed under: Development, Security

Last year, Chrome announced that it was making a change to default cookies to SameSite:Lax if there is no SameSite setting explicitly set. I wrote about this change last year (https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/). This change could have an impact on some sites, so it is important that you test this out. The changes are supposed ...

Tags: Application Security, appsec, Secure Code, secure defaults, secure development, security testing

SameSite By Default in 2020?

Posted by James Jardine on October 28, 2019 · Comments Off
Filed under: Development, Security, Testing

If you haven't seen, Cross Site Request Forgery (CSRF) is getting a big protection by default in 2020. Currently, most protections need to be implemented explicitly. While we are seeing some nonces included and checked by default (Razor Pages), you typically still need to explicitly check the nonce. This requires that the developers understand that ...

Tags: app testing, applicaiton security, SDL, secure, Secure Code, secure development

XXE DoS and .Net

Posted by James Jardine on May 6, 2019 · Comments Off
Filed under: Development, Security

External XML Entity (XXE) vulnerabilities can be more than just a risk of remote code execution (RCE), information leakage, or server side request forgery (SSRF). A denial of service (DoS) attack is commonly overlooked. However, given a mis-configured XML parser, it may be possible for an attacker to cause a denial of service attack and ...

Tags: .Net, .Net Core, Application Security, appsec, ASP.Net, developer security, maxcharactersfromentities, Security, security training

Overview of Web Security Policies

Posted by James Jardine on June 27, 2018 · Comments Off
Filed under: Development, Security, Testing

A vulnerability was just identified in your website. How would you know? The process of vulnerability disclosure to an organization is often very difficult to identify. Whether you are offering any type of bounty for security bugs or not, it is important that there is a clear path for someone to notify you of a potential ...

Tags: Application Security, developer, researcher, secure development, secure software, secure testing, security research, security training, security.txt, white hat

Blogroll

Archives