When Should I Encode?
Filed under: Security
A common question I hear from developers is when they should encode their data. Protecting against cross-site scripting can be difficult, and it is good to see the enthusiasm for encoding properly. I have seen developers HTML encode their data before storing it in the database, right as they pull it from the database, ...
Commenting Server Controls in ASP.Net
Filed under: Security
How often do you just use an HTML comment to remove old code, or new functionality that isn’t ready yet? Are HTML comments effective for ASP.Net server controls? From a pure development context, they probably are. When we factor in security, they no longer provide the functionality that was intended. This post will explain an ...
XSS Validation vs. Encoding
Filed under: Security
I came across an excellent post by Chris Schmidt on this topic which can be found at http://yet-another-dev.blogspot.com/2011/09/xss-validation-vs-encoding.html. I think he has done an excellent job describing the problem and his point and I recommend you read his post. I would like to take a moment to add some additional thoughts around ...
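The two encoding posts above both come down to the same rule: keep the stored value raw and apply the encoder for the output context at render time. The following is an added example written for this archive, not code from either post; it assumes a System.Web project on .NET 4 or later (HttpUtility.JavaScriptStringEncode was added in .NET 4) and uses a constructed sample value.

```csharp
// Added example (not code from the posts above). The value is stored raw and the
// encoder is chosen by the HTML context the value lands in at output time.
// Assumes System.Web on .NET 4 or later.
using System;
using System.Web;

public static class OutputEncodingDemo
{
    // Constructed sample input, as it would be read back unencoded from the database.
    public const string StoredName = "O'Brien <script>alert(1)</script>";

    // Element content: HtmlEncode turns '<' into &lt;, so no tag is created.
    public static string AsElementContent(string value)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(value) + "</p>";
    }

    // Quoted attribute value: HtmlAttributeEncode encodes the characters that could
    // close the quoted value or start a tag. Always quote the attribute.
    public static string AsAttributeValue(string value)
    {
        return "<input type=\"text\" value=\"" + HttpUtility.HtmlAttributeEncode(value) + "\" />";
    }

    // JavaScript string literal: JavaScriptStringEncode escapes quotes, backslashes
    // and angle brackets (as \u003c and friends), so the value can neither end the
    // literal nor close the <script> element.
    public static string AsScriptLiteral(string value)
    {
        return "<script>var name = '" + HttpUtility.JavaScriptStringEncode(value) + "';</script>";
    }

    // Query-string parameter: UrlEncode, so the value cannot add parameters or
    // break the structure of the URL.
    public static string AsQueryParameter(string value)
    {
        return "<a href=\"/profile.aspx?name=" + HttpUtility.UrlEncode(value) + "\">profile</a>";
    }

    public static void Main()
    {
        Console.WriteLine(AsElementContent(StoredName));
        Console.WriteLine(AsAttributeValue(StoredName));
        Console.WriteLine(AsScriptLiteral(StoredName));
        Console.WriteLine(AsQueryParameter(StoredName));
    }
}
```

Encoding on the way into the database would have committed the value to one of these four contexts before anyone knew which one it would be rendered in; encoding on the way out lets the same stored string be emitted safely in all of them.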
.NET Numeric Overflow
Filed under: Security
When programming with Microsoft .Net, there is less concern about overflow vulnerabilities: the managed runtime bounds-checks array and buffer access, so classic buffer overflows are handled for the most part. However, numeric overflows are still possible. A numeric overflow occurs when arithmetic performed on two values produces a result that rolls past the max or ...
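An added example of the wrap-around the post describes, written for this archive rather than taken from the post. The order-total scenario and the figures in it are constructed; the arithmetic itself is plain 32-bit two's-complement behaviour.

```csharp
// Added example (not from the post). Shows the silent wrap-around of int
// arithmetic in C#'s default unchecked context, and two ways to stop it.
using System;

public static class NumericOverflowDemo
{
    // Default context is unchecked: the multiplication wraps silently.
    // 1000000 * 3000 = 3,000,000,000, which exceeds int.MaxValue (2,147,483,647)
    // and wraps to -1,294,967,296. A later test such as "total <= balance"
    // would then pass for an order that should have been rejected.
    public static int OrderTotalUnchecked(int unitPrice, int quantity)
    {
        return unitPrice * quantity;
    }

    // checked(...) makes the runtime throw OverflowException instead of wrapping.
    // The whole assembly can be compiled this way with the csc /checked+ option.
    public static int OrderTotalChecked(int unitPrice, int quantity)
    {
        return checked(unitPrice * quantity);
    }

    // Alternative when an exception is not wanted: widen the operands so the
    // product cannot overflow, then validate against the intended bound.
    public static bool TryOrderTotal(int unitPrice, int quantity, out int total)
    {
        long wide = (long)unitPrice * quantity;
        if (wide < 0 || wide > int.MaxValue)
        {
            total = 0;
            return false;
        }
        total = (int)wide;
        return true;
    }

    public static void Main()
    {
        Console.WriteLine(OrderTotalUnchecked(1000000, 3000));
        try
        {
            Console.WriteLine(OrderTotalChecked(1000000, 3000));
        }
        catch (OverflowException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
        int total;
        Console.WriteLine(TryOrderTotal(1000000, 3000, out total));
    }
}
```

Any quantity, length, offset or price that a user can influence and that feeds a comparison is a candidate for this; the checked context is the cheapest blanket fix, and the widened arithmetic is the one to use where the caller wants a yes/no answer rather than an exception.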
Bypassing ValidateRequest
Filed under: Security
Back in August 2009 (https://jardinesoftware.net/2009/08/27/validaterequest-property-xss/) I wrote about the Validate Request functionality and how it doesn’t do a good job of protecting against Cross Site Scripting in an attribute context. In this post, I am going to explain another technique that can be used to bypass the Validate Request filter in an html ...
ASP.Net 4: Change the Default Encoder
Filed under: Development, Security
In ASP.Net 4.0, Microsoft added the ability to override the default encoder. This specifically covers the HtmlEncode, HtmlAttributeEncode, and UrlEncode functionality. From a security standpoint, these functions are used to help mitigate cross-site scripting (XSS). The problem with the built-in .Net routines is that they are built on a black-list methodology, ...
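The override mechanism is a subclass of System.Web.Util.HttpEncoder registered through the encoderType attribute of httpRuntime in web.config. Below is an added example of such a subclass that applies a white-list policy instead of the built-in black list; it is written for this archive and is not the post's code. The namespace, class name and the set of characters treated as safe are choices made for the example.

```csharp
// Added example (not from the post). A custom HttpEncoder that passes only a
// white-list of characters through unchanged and numerically encodes everything
// else. Registered in web.config with (assembly name is an assumption):
//   <system.web>
//     <httpRuntime encoderType="SafeEncoding.WhitelistEncoder, MyAssembly" />
//   </system.web>
// After that, HttpUtility.HtmlEncode, Server.HtmlEncode and the <%: %> syntax
// all route through this class.
using System;
using System.IO;
using System.Web.Util;

namespace SafeEncoding
{
    public class WhitelistEncoder : HttpEncoder
    {
        // Characters that are emitted as-is. Everything else, including quotes,
        // angle brackets, ampersands and control characters, is encoded.
        private static bool IsSafe(char c)
        {
            return (c >= 'a' && c <= 'z')
                || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9')
                || c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
        }

        // Emits &#NNNN; for every non-safe character. Surrogate pairs are combined
        // so that characters outside the BMP produce one entity, not two.
        private static void EncodeWhitelist(string value, TextWriter output)
        {
            if (value == null) return;
            for (int i = 0; i < value.Length; i++)
            {
                char c = value[i];
                if (IsSafe(c))
                {
                    output.Write(c);
                    continue;
                }
                int codePoint = c;
                if (char.IsHighSurrogate(c) && i + 1 < value.Length && char.IsLowSurrogate(value[i + 1]))
                {
                    codePoint = char.ConvertToUtf32(c, value[i + 1]);
                    i++;
                }
                output.Write("&#");
                output.Write(codePoint);
                output.Write(';');
            }
        }

        protected internal override void HtmlEncode(string value, TextWriter output)
        {
            EncodeWhitelist(value, output);
        }

        protected internal override void HtmlAttributeEncode(string value, TextWriter output)
        {
            EncodeWhitelist(value, output);
        }

        // UrlEncode(byte[], int, int) and the other members keep the base-class
        // behaviour unless overridden here in the same way.
    }
}
```

The difference from the default encoder is the direction of the decision: the built-in routines encode a short list of known-dangerous characters and let everything else through, whereas this class lets a short list of known-safe characters through and encodes everything else, so a character the author did not think about fails closed.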
Cyber Security Competitions for Students (Fall 2011)
Filed under: Security
As the school year is wrapping up, it is time for individuals and teams to start preparing for some upcoming cyber security challenges. What does every student want to think about over the summer break? More work, right? The good news: this can be fun and challenging. I am talking about Cyber ...
ASP.Net Value Shadowing
Filed under: Security
Value shadowing occurs when the developer does not specify which collection to pull a value from when multiple collections exist in the same context. The Request object is a great example of this. The Request object contains the QueryString, Form, Cookies, and ServerVariables collections. Normally, if a developer wanted to access a value from a ...
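An added example of the shadowed lookup beside the explicit one, written for this archive and not taken from the post. The page name and the confirm field are made up; the lookup order described in the comments is the documented behaviour of the HttpRequest indexer.

```csharp
// Added example (not from the post). Request["name"] searches the QueryString,
// Form, Cookies and ServerVariables collections in that order and returns the
// first match, so a query-string value shadows a form field of the same name.
// Assumes a System.Web application; page and field names are assumptions.
using System;
using System.Web;

public static class ConfirmationCheck
{
    // Shadowed lookup. The developer intended "confirm" to arrive only through
    // the POSTed confirmation form, but a plain GET to
    //   /change-email.aspx?confirm=yes
    // satisfies this check too, because QueryString is searched first. That turns
    // a two-step, form-driven action into one an attacker can trigger with a link.
    public static bool IsConfirmedShadowed(HttpRequest request)
    {
        return request["confirm"] == "yes";
    }

    // Explicit lookup. Only the POST body is consulted, and the HTTP method is
    // checked as well, so a crafted link cannot satisfy the condition.
    public static bool IsConfirmedFromForm(HttpRequest request)
    {
        return string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)
            && request.Form["confirm"] == "yes";
    }
}
```

The same applies to cookies and server variables: Request["REMOTE_ADDR"] will happily return a query-string or form parameter of that name before it ever consults Request.ServerVariables, so anything used for an access decision should name its collection.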
Microsoft’s SDL Process Guidance 5.1 Released
Filed under: Development, Security
April 14th, Microsoft released their annual update to the SDL Process Guidance. The updated document can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e5ff2f9d-7e72-485a-9ec0-5d6d076a8807&displaylang=en. Microsoft has done a good job of updating their SDL documentation to help cover the most important items. Here are some of the changes made in this release (Not all updates ...
Classic ASP (Data Type Issues)
Filed under: Security
It has been a long time since I have spent any time working with some classic ASP code. After spending so many years focusing more on Microsoft’s .Net platform, I see why people make the switch. My task was to update some old inline SQL calls (yeah, I know) to stored procedures or parameterized queries. ...