<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://weblogs.asp.net/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>ASP.NET AJAX Team Blogs : Security</title><link>http://weblogs.asp.net/atlas-team/archive/tags/Security/default.aspx</link><description>Tags: Security</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>JSON Hijacking and How ASP.NET AJAX 1.0 Avoids these Attacks</title><link>http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx</link><pubDate>Wed, 04 Apr 2007 18:39:55 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:2178381</guid><dc:creator>ScottGu's Blog : Atlas</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/atlas-team/rsscomments.aspx?PostID=2178381</wfw:commentRss><comments>http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx#comments</comments><description>Recently some reports have been issued by security researchers describing ways hackers can use the JSON wire format used by most popular AJAX frameworks to try and exploit cross domain scripts within browsers. Specifically, these attacks use HTTP GET requests invoked via an HTML &amp;lt;script src=""&amp;gt; include element to circumvent the "same origin policy" enforced by browsers (which limits JavaScript objects like XmlHttpRequest to only calling URLs on the same domain that the page was loaded from), and then look for ways to exploit the JSON payload content. 
ASP.NET AJAX 1.0 includes a number of default settings and built-in features that prevent it from being susceptible to these types of JSON hijacking attacks. Below are some details of how...(&lt;a href="http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=2178381" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/atlas-team/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Atlas/default.aspx">Atlas</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/.NET/default.aspx">.NET</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Security/default.aspx">Security</category></item><item><title>AJAX Security</title><link>http://blogs.msdn.com/publicsector/archive/2007/01/12/ajax-security.aspx</link><pubDate>Fri, 12 Jan 2007 17:32:59 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:1395159</guid><dc:creator>Public Sector Developer Weblog : AJAX</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/atlas-team/rsscomments.aspx?PostID=1395159</wfw:commentRss><comments>http://blogs.msdn.com/publicsector/archive/2007/01/12/ajax-security.aspx#comments</comments><description>Just about every time I do an ASP.NET AJAX presentation, someone asks me some question about AJAX security. I always start off by saying, "I'm not an AJAX security expert, but I will do my best to answer your specific questions..." Well, thanks to Joe Stagner , there are a bunch of upcoming AJAX security talks as part of the Live From Redmond series. They're on my calendar! 
-Marc Read More......(&lt;a href="http://blogs.msdn.com/publicsector/archive/2007/01/12/ajax-security.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=1395159" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Ajax/default.aspx">Ajax</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Atlas/default.aspx">Atlas</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/ASP.NET+2.0/default.aspx">ASP.NET 2.0</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Security/default.aspx">Security</category></item><item><title>SQL Server 2005 Label Security Toolkit</title><link>http://blogs.msdn.com/federaldev/archive/2006/11/16/sql-server-2005-label-security-toolkit.aspx</link><pubDate>Thu, 16 Nov 2006 18:38:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:1122124</guid><dc:creator>Public Sector Developer Weblog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/atlas-team/rsscomments.aspx?PostID=1122124</wfw:commentRss><comments>http://blogs.msdn.com/federaldev/archive/2006/11/16/sql-server-2005-label-security-toolkit.aspx#comments</comments><description>As referenced at the 2006 PASS conference this week, the Label Security Toolkit for SQL Server 2005 can be downloaded here [update: the file is attached to this post too]. This toolkit demonstrates how to combine the capabilities of SQL Server 2005 to implement a label-based row and/or cell level security framework in an application database. The toolkit includes a utility which allows you to logically define the security labeling scheme to be used in your app's database. Based on this, at the click of a button the tool generates an implementation of the supporting framework. All you need to do is create a simple view over the table(s) you wish to protect. 
Support for insert/update/delete is added by writing instead-of triggers to capture these...(&lt;a href="http://blogs.msdn.com/federaldev/archive/2006/11/16/sql-server-2005-label-security-toolkit.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=1122124" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category></item><item><title>My ASP.NET 2.0 Tips, Tricks, Recipes and Gotchas "Highlights Page"</title><link>http://weblogs.asp.net/scottgu/archive/2006/08/01/My-ASP.NET-2.0-Tips_2C00_-Tricks_2C00_-Recipes-and-Gotchas-_2200_Highlights-Page_2200_.aspx</link><pubDate>Tue, 01 Aug 2006 23:32:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:462325</guid><dc:creator>ScottGu's Blog : Atlas</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/atlas-team/rsscomments.aspx?PostID=462325</wfw:commentRss><comments>http://weblogs.asp.net/scottgu/archive/2006/08/01/My-ASP.NET-2.0-Tips_2C00_-Tricks_2C00_-Recipes-and-Gotchas-_2200_Highlights-Page_2200_.aspx#comments</comments><description>Several people have sent me email lately asking for a suggested short-list of my best/favorite past blog posts to read (I&amp;rsquo;ve done 200 posts over the last 12 months and apparently it takes too long to read them all &amp;lt;g&amp;gt;). I&amp;rsquo;ve put together a summary page of ASP.NET 2.0 Tips, Tricks, Recipes and Gotchas that you can check out here . It currently contains links to 37 posts that I&amp;rsquo;ve done in the past that I think are interesting and worth spending some time to read. I&amp;rsquo;ve organized the list by area topic (UI, Data, Security, Visual Studio, etc). 
My goal is to post at least 1-2 new/original ASP.NET Tips/Tricks/Recipes to my blog each week going forward. I&amp;rsquo;ll also make sure to update the summary page above as I add...(&lt;a href="http://weblogs.asp.net/scottgu/archive/2006/08/01/My-ASP.NET-2.0-Tips_2C00_-Tricks_2C00_-Recipes-and-Gotchas-_2200_Highlights-Page_2200_.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=462325" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/atlas-team/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Atlas/default.aspx">Atlas</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Talks/default.aspx">Talks</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Visual+Studio/default.aspx">Visual Studio</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/LINQ/default.aspx">LINQ</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Data/default.aspx">Data</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Microsoft Federal Architect Forum 06 content</title><link>http://blogs.msdn.com/federaldev/archive/2006/05/12/596030.aspx</link><pubDate>Fri, 12 May 2006 07:12:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:456672</guid><dc:creator>Federal Developer Weblog : Atlas</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/atlas-team/rsscomments.aspx?PostID=456672</wfw:commentRss><comments>http://blogs.msdn.com/federaldev/archive/2006/05/12/596030.aspx#comments</comments><description>The content for the 2006 Microsoft Federal Architect Forum will be 
posted on Federaldeveloper.com (link is here: http://tinyurl.com/luawt ) For those who were able to attend, thank you! - Keith Read More......(&lt;a href="http://blogs.msdn.com/federaldev/archive/2006/05/12/596030.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=456672" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Atlas/default.aspx">Atlas</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Visual+Studio+2005/default.aspx">Visual Studio 2005</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Future+version+of+Visual+Studio/default.aspx">Future version of Visual Studio</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Windows+Communication+Foundation+_2800_WCF_2900_/default.aspx">Windows Communication Foundation (WCF)</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Windows+Presentation+Foundation+_2800_WPF_2900_/default.aspx">Windows Presentation Foundation (WPF)</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Software+Factories/default.aspx">Software Factories</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Smart+Client/default.aspx">Smart Client</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Office+Development/default.aspx">Office Development</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Windows+Workflow+Foundation+_2800_WF_2900_/default.aspx">Windows Workflow Foundation (WF)</category><category domain="http://weblogs.asp.net/atlas-team/archive/tags/Web+Services/default.aspx">Web Services</category><category 
domain="http://weblogs.asp.net/atlas-team/archive/tags/NETFX3.0/default.aspx">NETFX3.0</category></item></channel></rss>