Security

Threat Modeling Web Applications

Michael Falconer — Wed, 18 May 2005 13:28:00 GMT

Well, felt it was finally time to start posting again. I've been working on quite a few interesting applications over the past few months, so I hope to add some useful posts soon.

In the meantime there's an interesting new series of posts on MSDN about developing threat models for web applications. While you may be aware of most of the threats, and the steps to prevent them becoming attacks, it's always good to review your knowledge, and to read about formalising the processes you hopefully already go through.

ViewStateUserKey

Michael Falconer — Sun, 13 Feb 2005 12:04:00 GMT

While reading through an article titled 'Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks' on MSDN recently, I came across a new property for the Page class I'd never noticed before: ViewStateUserKey. The documentation for this property states:

Assigns an identifier to an individual user in the view state variable associated with the current page

It turns out what this can be used for is to add a user specific string to the ViewState of a Page which can be verified on PostBack. Why? This means you can be sure that any form information submitted came from the same user who requested the original page, thus preventing one-click attacks.

I highly recommend you read the article above for more information, and for techniques to prevent other common attacks...

ASP.NET security vulnerability

Michael Falconer — Thu, 07 Oct 2004 10:57:00 GMT

As everyone by now hopefully knows, there is a vulnerability in ASP.NET that could allow an attacker to bypass security and access secured content.

The fix is relatively straightforward, and there will hopefully be a proper patch from MS soon...

MSDN Lab : SQL injection protection

Michael D. Falconer — Mon, 12 Jul 2004 13:16:00 GMT

I was just reading Scott's post on Stefan Demetz's suggestion to change the default behavious of textboxes to only allow AlphaNumeric charcters by default. Personally, this is a shockingly bad idea, as I posted in my comment on the MSDN Lab site:

'This is a really bad idea. So suddenly, by default, a user cannot complete an online form if their name contains and apostrophe of a dash. No more Peter O'Toole, or Camilla Parker-Bowles. If you want this functionality, why not just create a custom validator. Or create a new inherited TextBox object that strips out unwanted characters as required and/or throws an exception.'

As Scott rightly says, a developer should be aware of these issues, and address them accordingly. To change such a fundamental feature of one of the most basic form building blocks is bound to end up causing massive headaches, particularly when there are simple steps to follow to prevent SQL injection attacks.

Microsoft post patch for Download.Ject

Michael D. Falconer — Fri, 02 Jul 2004 21:25:00 GMT

Everyone has (hopefully) heard about the Download.Ject security issue that affect both IIS and IE. Microsoft have just released a patch which work by disabling ADODB.Stream.

So, go to the Microsoft Security Site to read more and get more details, or just go to directly to the Windows Update Site to download the patch.