Fight Back Hacking by Jesper Johansson from the Winter 2005 issue of TechNet Magazine.
A nice article on some of the common doors that are often left open to intruders -
http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/default.aspx
Power Collections on GotDotNet Featured Sites
Power Collections project has made it to the “Featured Sites” on GotDotNet.
http://www.gotdotnet.com/content/featuredsite/powercollections/default.aspx
Power Collections is a community open source library of advanced collection classes and algorithms.
Alan Smith has created a great resource called "The Bloggers Guide to BizTalk". He created a help file (.chm file) where he has incorporated some great content from many of the BizTalk Bloggers. These include:
Alan Smith
Scott Woodgate
Christof Claessens
Lee Graber
Jeff Lynch
Stephen Kaufman
Jan Tielens
Darren Jefford
Kevin B Smith
Mike Holdorf
Peter Himschoot
Eldar Musayev
Kevin Lam
Gilles Zunino
The Bloggers Guide to BizTalk is a free resource and can be downloaded from the GotDotNet Workspace
We all are aware about canonicalization issues with ASP.NET and know that the ASP.NET team is continuing to work on this problem. I my past posts, I had posted one of the options suggested by Microsoft to get rid of it.
One of te options is to add code to global.asax.
To use this option, add one of the following code samples to global.asax:
Global.asax code sample (Visual Basic .NET)
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
If (Request.Path.IndexOf(chr(92)) >= 0 OR _
System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then
Throw New HttpException(404, "Not Found")
End If
End Sub
Global.asax code sample (C#)
void Application_BeginRequest(object source, EventArgs e)
{
if (Request.Path.IndexOf('\\') >= 0 ||
System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
{
throw new HttpException(404, "not found");
}
}
Another option is to install the HTTP Handler
Microsoft has released an ASP.NET HTTP module that Web site administrators can apply to their Web server. This module will protect all ASP.NET applications against all potential canonicalization problems known to Microsoft.
You can download VPModule.msi at
http://www.microsoft.com/downloads/details.aspx?familyid=DA77B852-DFA0-4631-AAF9-8BCC6C743026&displaylang=en
I received a mail from somebody saying that he was having an ASP app that uses VB6 component to upload files to a server. He has recently migrated to IIS6 and now if he tries to upload a file bigger than ~300k it returns an unspecified error.
I just recalled: AspMaxRequestEntityAllowed. The AspMaxRequestEntityAllowed property specifies the maximum number of bytes allowed in the entity body of an ASP request. If a Content-Length header is present and specifies an amount of data greater than the value of AspMaxRequestEntityAllowed, IIS returns a 403 error response. This property is related in function to MaxRequestEntityAllowed, but is specific to ASP request. Whereas you might set the MaxRequestEntityAllowed property to 1 MB at the general World Wide Web Publishing Service (WWW Service) level, you may choose to set AspMaxRequestEntityAllowed to a lower value, if you know that your specific ASP applications handle a smaller amount of data.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/ref_mb_aspmaxrequestentityallowed.asp
Programmatically check for canonicalization issues with ASP.NET
What You Should Know About a Reported Vulnerability in Microsoft ASP.NET...
Check here:
http://www.microsoft.com/security/incident/aspnet.mspx published on 10/6/2004
Microsoft KB article: http://support.microsoft.com/?kbid=887459 published on 10/5/2004