ASP.Net Custom Headers
Filed under: Development, Security
Have you ever taken the time to look at the headers that are returned from your ASP.Net application? If you have, you may have noticed the following two headers that ASP.Net adds: X-Powered-By: ASP.Net and X-AspNet-Version: x.x.xxxx (the version of .Net used for the application). Many people ask how to remove these two headers from the ...
Security Abstraction: How much is too much?
Filed under: Development, Security
I was having a conversation the other morning with a colleague and we were discussing how much security an enterprise web application developer should be exposed to. This topic has come up in numerous conversations over the past year or so and it is still debatable. The question is how much abstraction should, ...
Simplified SDL
Filed under: Development, Security
Last week Microsoft provided a document outlining a 'Simplified Implementation of the Microsoft SDL'. This document provides the required information for minimum SDL compliance. At 17 pages, it is a quick, yet detailed, read. The Secure Development Lifecycle is not just for Microsoft projects, and can be used with any language. Microsoft has even updated ...
Securing If Statements
Filed under: Development, Security
While recently reviewing the details of the GSSP-.NET certification, I came across the topic of “securely formed if and while statements.” At first, I was a little confused about what this really meant. I believe that a securely formed ‘if’ statement would be one that has the constant on the left, rather than the right. ...
HTMLAttributeEncode Framework differences
Filed under: Development, Security
I have done a few posts regarding Cross Site Scripting and how to protect against it. I came across an interesting item today comparing the output of HTMLAttributeEncode between .Net 1.1 and 2.0+. I thought it would be a good idea to dig a little deeper into how the encoding really works. The .Net 1.1 ...
Microsoft Introduces Quick Security References
Filed under: Security
Yesterday, Microsoft released two new Quick Security References (QSRs) to help application development teams understand security issues. These new guides are the first part of a continuing series to help multiple roles within the team understand common vulnerabilities. Not only do they provide great detail on the security issues, but they also help teams move ...
Protecting against Cross Site Scripting
Filed under: Security
One of the most important defenses against cross site scripting is encoding the output. The .Net framework provides built-in routines for you. These methods, HTMLEncode and HTMLAttributeEncode, can be found in the HTTPUtility class. It is very easy to implement these methods, and they should be used on all output that is untrusted (i.e., ...
CAT.NET Microsoft’s Code Analysis Tool
Filed under: Security
Microsoft has introduced a new code analysis tool called CAT.NET to help analyze source code for security flaws within managed applications. This is a Visual Studio add-in that works directly within Visual Studio, so there is no need for separate programs. The tool will trace through all statements, methods, and assemblies referenced within the application. ...
OWASP Top 10 RC
OWASP is getting ready to finalize a new Top 10 list for 2010. The request for comments ends on December 31, 2009. In the beta version, there are a few items worth noting about the new list. Injection vulnerabilities look like they will overtake the number one spot on the list. Here ...
IE8 XSS Protection
Filed under: Security
While testing a cross site scripting vulnerability I ran into an interesting feature in Internet Explorer 8, the Cross Site Scripting filter. I was surprised when the browser popped up this message: “Internet Explorer has modified this page to help prevent cross-site scripting.” This really intrigued me, so I started looking at the source of ...