.NET Numeric Overflow

Posted on July 27, 2011
Filed under: Security

When programming with Microsoft .Net, there is not as much concern for overflow vulnerabilities.  With the managed runtime, buffer overflows are handled for the most part.  However, there is still the possibility for numeric overflows.  A numeric overflow exists when arithmetic is performed on two values causing the result to roll past the max or ...

Bypassing ValidateRequest

Posted on July 17, 2011
Filed under: Security

Back in August 2009 (https://jardinesoftware.net/2009/08/27/validaterequest-property-xss/) I wrote about the Validate Request functionality and how it doesn’t do a good job of protecting against Cross Site Scripting in an attribute context.  In this post, I am going to explain another technique that can be used to bypass the Validate Request filter in an html ...

ASP.Net 4: Change the Default Encoder

Posted on July 9, 2011
Filed under: Development, Security

In ASP.Net 4.0, Microsoft added the ability to override the default encoder.  This is specifically focused on the HTMLEncode, HTMLAttributeEncode, and URLEncode functionality.  These functions are used, in the eyes of security, to help mitigate cross-site scripting (XSS).  The problem with the built in .Net routines is that they are built on a black-list methodology, ...

Cyber Security Competitions for Students (Fall 2011)

Posted on June 16, 2011
Filed under: Security

As the school year is wrapping up, it is time for individuals and teams to start preparing for some upcoming cyber security challenges. What does every student want to think about over the summer break? More work, right? The good news: this can be fun and challenging. I am talking about Cyber ...

ASP.Net Value Shadowing

Posted on June 7, 2011
Filed under: Security

Value shadowing occurs when the developer does not specify the specific collection to pull a value from when multiple collections exist in the same context.  The Request object is a great example of this.  The Request object contains Querystring, Form, Cookies, and ServerVariable collections.  Normally, if a developer wanted to access a value from a ...

Microsoft’s SDL Process Guidance 5.1 Released

Posted on April 20, 2011
Filed under: Development, Security

April 14th, Microsoft released their annual update to the SDL Process Guidance. The updated document can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e5ff2f9d-7e72-485a-9ec0-5d6d076a8807&displaylang=en. Microsoft has done a good job of updating their SDL documentation to help cover the most important items. Here are some of the changes made in this release (Not all updates ...

Classic ASP (Data Type Issues)

Posted on March 29, 2011
Filed under: Security

It has been a long time since I have spent any time working with some classic ASP code.  After spending so many years focusing more on Microsoft’s .Net platform, I see why people make the switch.  My task was to update some old inline SQL calls (yeah, I know) to stored procedures or parameterized queries.  ...

Cyber Foundations 2011

Posted on March 2, 2011
Filed under: Security

If you are just hearing about the Cyber Foundations 2011 National Competition, you can start preparing for next year. The deadline to enter into this competition was February 25th, 2011. So what is this competition? It is a talent search for high school students with foundational skills in cyber security. The ...

Reflector Goes Commercial

Posted on February 28, 2011
Filed under: Security

Today appears to be the last day to download Red-Gate's .Net Reflector tool for free. The Reflector tool disassembles .Net assemblies back to .Net code (sort of). This is very useful to be able to grab an assembly, and not only look at the methods it contains, but also to view exactly what ...

DropBox Job Description – A Step in the Right Direction

Posted on February 17, 2011
Filed under: Security

I recently logged into my DropBox account and noticed that the landing screen had a notice about current job openings.  I thought I would take a look at what they had available.  I clicked on the Web Engineer position (http://www.dropbox.com/position?jvi=orflVfwG,Job) and was impressed to see one of their requirements: “You've seen CSRF and ...
