
  • Liberty Alliance awards

    For the last few years the Liberty Alliance project has published a lot of best practices and specifications around identity solutions. Specifically, the Liberty Alliance has had a deep impact on Service Oriented Identity Federation solutions as a complement to well-established standards such as WS-Federation. Even more importantly, the practices and standards promoted by the Liberty Alliance have served as the foundation for some of the most complex SO Identity Federation solutions in the world. This...


  • Security Best Practices Videos for ASP.NET Websites

    New video series by Microsoft’s Joe Stagner focused on security best practices for ASP.NET websites.


  • New Security Video Series Launched

    Please check out the first videos in my new Web Developer's Security Video Series: http://www.asp.net/learn/security-videos/ I'm hoping to do 100 videos this year! PLEASE SEND YOUR REQUESTS!!!


  • Software Applications, the targets of vulnerabilities

    I was just reading Soma’s blog post How vulnerable are software applications? and it really makes you think about how and what you create as an application designer. According to a 2005 FBI survey, U.S. businesses lost $67.2 billion because of cyber...


  • SQL Injection Testing Tool

    I recently came across this blog post and tool on the HP Security Laboratory Blogs. The tool is called Scrawlr and I have to say that it is a pretty nifty little tool. I've been playing with it this morning and have been pretty impressed; I will keep it handy to do some testing in the future! Check out the blog post and tool over at: http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx . With all the SQL Injection press lately, it's worth checking out!


  • Recent SQL Injection Attacks on ASP sites

    There seem to be a number of SQL injection attacks happening lately involving the addition of <script src=http://www.banner82.org/b.js></script>, adword71.com/b.js (and the like) to entries under string/text/varchar columns in the database, targeting ASP (classic/3.0) sites and SQL Server. Note, they need not know your table or column names to mess with you. I definitely do not wish to play cops and robbers here, but I wish to contribute a little on this. There are a number of articles on this (read along) and even more for preventing SQL injection and other related exploits such as cross-site scripting, so help yourself. As mentioned, this is more targeted to ASP (classic/3.0) sites, but posting nevertheless.


  • ASP.NET Cryptography Insecurities

    I've found a serious shortcoming in one of the security methods I've been using. I've inherited two projects in which social security numbers were stored in a database in an unencrypted format. For the web application I don't think the SQL Server 2005 built-in encryption methods are an option because the web hosting company is still using SQL Server 2000. Instead, I used the .NET Framework's built-in cryptography classes found in the System.Security.Cryptography namespace. I used the Rijndael (aka Advanced Encryption Standard (AES)) cipher in a custom assembly which I uploaded to the web server's bin directory without the source code. This encryption method relies on a 128 bit key and an initialization vector (IV) which...


  • Visual Studio IIS 7 and WebDAV

    Visual Studio 2008 still has no native WebDAV support. On the other hand, Microsoft is stopping FrontPage Server Extensions development. Both of these web publishing protocols are *not* implemented in the IIS7 standard installation. You can download the fitting modules on the iis7 website. If you decide to use WebDAV you have to do the following configuration steps:
    1) Download (x86)
    2) Installation
    3) Enable WebDAV on site level
    4) Enable BASIC authentication
    5) Create a WebDAV authoring rule which allows read, write for a specific user
    Steps are described with screenshots here. For Visual Studio you have to map a file share like net use z: http://www.fileserver.de The explorer redirector (which is included since Win 2000) only accepts a) Windows authentication...


  • SQL Injection Attacks on IIS Web Servers

    You may have seen recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week. Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net...


  • Preventing the Deleted Users from logging in to your site

    While working with Forms Authentication and Membership services, if the user selects the "remember me" check box in the login dialog, the runtime will create a persistent authentication cookie for him. The persisted cookie is responsible for keeping the user logged in for a specified period (even if he closed his browser), and the default period is 30 minutes in .NET 2.0 or later; you can change it to some value, let's say 50 minutes, as follows in the web.config file: <authentication mode="Forms"> <forms timeout="50"></forms> </authentication> Now the problem comes if the administrator deleted the user from the Membership users: the user is still authenticated and can access your site! To override...

