ASP.NET Weblogs

June 2008 - Posts

SOS: Upcoming release has a few new commands – DumpXmlDocument

If you have done much debugging with XML data, you know how difficult it can be to look at a System.Xml.XmlDocument. They don't just show up in the debugger as XML. This is where this command comes into play. It will take an XmlDocument...
ASP.NET MVC Tip #10 - Prevent URL Manipulation Attacks

In this tip, Stephen Walther explains how hackers can steal sensitive information from an ASP.NET MVC website by manipulating URLs. I also discuss how you can build unit tests to prevent this type of attack by mocking the ControllerContext...
06-26-2008, 12:41 PM

Data focused Silverlight demo

Yet more time spent traveling, so I thought I'd do a little demo of a data-oriented scenario with Silverlight. Here is what we are after: the data for the app is loaded from a Linq model and sent to the Silverlight client via a WCF service. As the user makes changes to the grid, we asynchronously update the Linq model on the service. The app uses local storage to cache the data on the local machine to reduce network calls. Create a new Silverlight application and associated web site. Let's start by creating a data model in the web site. Then drag over the Employees table. Then select Photo and delete it. It is a large binary blob that we don't want to be sending back and forth. Then, because we are going...
SQL Injection – some tools to help

Joe Stagner posted about some great tools that you can use to help with SQL Injection. This is the topic of our upcoming blog chat; I haven't set a firm date yet, as I am trying to get as many folks from the Microsoft side to attend as I can. Check...
ASP.NET MVC Tip #9 – Create a GridView View User Control

In this tip, Stephen Walther demonstrates how to build an ASP.NET MVC View User Control that accepts a set of database records and renders the records in an HTML table automatically. The advantage of using a View User Control is that you can customize the rendering of particular columns. ...
Security Tip: Blocking Access to ASP.NET MVC Views Using Alternative View Engines

When you create a new ASP.NET MVC project using our default templates, one of the things you might notice is that there is a web.config file within the Views directory. This file is there specifically to block direct access to a view. Let's look at the relevant sections.

For IIS 6 (and Cassini):

<add path="*.aspx" verb="*" type="System.Web.HttpNotFoundHandler" />

For IIS 7:

<add name="BlockViewHandler" path="*.aspx" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />

What these sections do is block all access to any file with the .aspx extension within the Views directory (or its subdirectories). Note that access is blocked...
New tools to prevent SQL injection attacks

I've blogged in the past about injection attacks. Microsoft has published additional new tools to detect and protect against injection attacks. The first tool, developed by HP, crawls web sites to automatically detect possible attacks; the second blocks dangerous requests from being executed; and the last one analyzes code to look for dangerous practices. http://www.microsoft.com/technet/security/advisory/954462.mspx
ASP.NET Memory Leak: Byte arrays rooted in System.Security.Policy.Evidence

Today I got a question from a reader (Chris) about a memory leak they are seeing in their application:

When we do a '!dumpheap -min 85000 -type Byte[]' we can see 100s of byte array objects using up ~545MB of memory. A majority of the objects are the same size (either 4.5 or 9MB in size). Looking at the memory addresses, they all appear to be different copies of our assemblies. And when we do !GcRoot on those addresses they all either have no results returned, or show a rooted System.Security.Policy.Evidence object:

DOMAIN(000FDC18):HANDLE(Strong):-:Root:-(System.Security.Policy.Evidence)->
(System.Collections.ArrayList+SyncArrayList)->
(System.Collections.ArrayList)->
(System.Object[])->
(System.Security.Policy.Hash)->...
My Secure Development Interview from TechEd 2008

While at TechEd 2008 I got to spend some time in the "Fish Bowl" with Georgeo Pulikkathara. Georgeo interviewed me on Microsoft's Secure Development Lifecycle (SDL) and my upcoming Developer Security Activities. Please [click HERE] to check out Georgeo's blog post and [click HERE] to have a listen to the show.
ComponentArt releases Charting 2008.1

ComponentArt releases Charting 2008.1, introducing advanced AJAX interactivity, dual 3D rendering engines, and a wealth of core charting features. Great for AJAX-style data visualization! Visit the Charting Gallery for live demos.