Request Validation in ASP.Net 4.5 Beta
Filed under: Security
The next version of Microsoft’s ASP.Net framework is currently in Beta and there are some pretty cool changes to how Request Validation works in version 4.5. Up until now, there were two ways to enable or disable request validation: Globally – This controls request validation for the entire application. ...
ASP.Net: Tampering with Event Validation – Part 2
In part 1 of this series I demonstrated how to modify the values of a list box and access data I was not given access to by manipulating the view state and event validation parameters. Remember, the key to this is that ViewStateMac must be disabled. In this post, I will be demonstrating ...
ASP.Net Webforms CSRF Workflow
Filed under: Security, Testing
An important aspect of application security is the ability to verify whether or not vulnerabilities exist in the target application. This task is usually outsourced to a company that specializes in penetration testing or vulnerability assessments. Even if the task is performed internally, it is important that the testers have as much knowledge about vulnerabilities ...
ASP.Net: Tampering with Event Validation – Part 1
Filed under: Development, Security
UPDATED 12/13/2012 - This post was updated to include a video demonstration of tampering with data with Event Validation enabled. The video is embedded at the bottom of the post. My last post brought up the topic of tampering with Event Validation (__EVENTVALIDATION) and how it is protected with the ViewStateMAC property. This post, and the ...
ViewStateMAC: Seriously, Enable It!
Filed under: Development, Security
I have been doing a lot of research lately around event validation and view state. I have always been interested in how Event Validation worked under the covers and if it could be tampered with. I will attempt to explain that it is, in fact, possible to tamper with the Event Validation field in a ...
ASP.Net Insecure Redirect
Filed under: Development, Security
It was recently discovered that there was a vulnerability within the ASP.Net Forms Authentication process that could allow an attacker to force a user to visit a malicious web site upon successful authentication. Until this vulnerability was found, it was thought that the only way to allow the Forms Authentication redirect (managed by the ReturnUrl ...
ASP.Net Forms Authentication Bypass
Filed under: Security
It was recently announced that there is a vulnerability in ASP.Net Forms Authentication. The vulnerability allows an attacker to assume the identity of another user within the application without the need to know the victim’s password. This is a critical vulnerability as it could allow users to execute commands they do not have access to. ...
When Should I Encode?
Filed under: Security
A common question I hear from developers is when they should encode their data. Protecting against cross-site scripting can actually be difficult, and it is good to hear the enthusiasm to properly encode. I have seen developers HTML encode their data before storing it in the database, right as they pull it from the database, ...
Commenting Server Controls in ASP.Net
Filed under: Security
How often do you just use an HTML comment to remove old code, or new functionality that isn’t ready yet? Are HTML comments effective for ASP.Net server controls? From a pure development context, they probably are. When we factor in security, they no longer provide the functionality that was intended. This post will explain an ...
XSS Validation vs. Encoding
Filed under: Security
I came across an excellent post by Chris Schmidt on this topic which can be found at http://yet-another-dev.blogspot.com/2011/09/xss-validation-vs-encoding.html. I think he has done an excellent job describing the problem and his point and I recommend you read his post. I would like to take a moment to add some additional thoughts around ...