Creating the Reply With Meeting OL2007 Add-In (Part 1)
Filed under: Development
Note: This is the first part in a multi-part series to create this add-in. I chose to break this up into multiple parts so some parts (like this one) could be used by anyone creating an add-in. This post will only create the add-in shell and will not show how to reply with a meeting. ...
Protecting against Cross Site Scripting
Filed under: Security
One of the most important defenses against cross site scripting is encoding the output. The .Net framework provides built-in routines for you. These methods, HTMLEncode and HTMLAttributeEncode, can be found in the HTTPUtility class. It is very easy to implement these methods and they should be used on all output that is untrusted (i.e., ...
CAT.NET Microsoft’s Code Analysis Tool
Filed under: Security
Microsoft has introduced a new code analysis tool called CAT.NET to help analyze source code for security flaws within managed applications. This is a Visual Studio add-in that works directly within Visual Studio, so there is no need for separate programs. The tool will trace through all statements, methods, and assemblies referenced within the application. ...
OWASP Top 10 RC
OWASP is getting ready to finalize a new Top 10 list for 2010. The request for comments ends on December 31, 2009. In the beta version, there are a few items worth noting about the new list. Injection vulnerabilities look like they will overtake the number one spot on the list. Here ...
Solving the Unknown
Filed under: Uncategorized
As a developer, I run into new things every day. I mostly work with Microsoft .Net technologies and it feels like an endless pit of information. Most developers feel confident about what they know, and tend to leave the unknown alone until they need it. Although I feel pretty knowledgeable about .Net, I have no problem ...
IE8 XSS Protection
Filed under: Security
While testing a cross site scripting vulnerability I ran into an interesting feature in Internet Explorer 8, the Cross Site Scripting filter. I was surprised when the browser popped up this message: “Internet Explorer has modified this page to help prevent cross-site scripting.” This really intrigued me, so I started looking at the source of ...
ViewState: Encrypted or Encoded?
Filed under: Security
One of the many ways to maintain state within an ASP.Net application is to use the ViewState. ViewState is sent to the client embedded in the HTML response. The ViewState can be found by viewing the page source and looking for the hidden __VIEWSTATE tag (seen below). <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzDxYCHglGaXJzdE5hbWUFBUphbWVzZGTh6rDFbP6RwQU6igzX8 vn5IrEPyQ==" /> Looking at the ViewState above ...
IE8 Not Saving Login Credentials
Filed under: Uncategorized
IE has always been able to save and automatically log in to sites requiring your domain credentials. In previous versions of Internet Explorer, you would set the site as a Trusted site in Tools…Options…Security by clicking the Trusted Sites icon and adding the URL to the sites list. Once entering your credentials and checking the ...
ValidateRequest Property (XSS)
There is no doubt that while working with ASP.Net you have run into the ValidateRequest property for a web form. This is a feature that has been around since version 1.1. It prevents the server from accepting un-encoded HTML data, which can be used to exploit client-side attacks like Cross Site Scripting (XSS). The most ...
CSSLP Certification
Filed under: Uncategorized
This week I achieved the CSSLP certification. This is a new certification by (ISC)2 for Certified Secure Software Lifecycle Professionals. The focus of this certification is on building security into the software lifecycle to help build more secure software. I have been focusing on security during software development over the past 5 or so years ...