Contents tagged with Security
- Opting out of anti-forgery validation in Orchard: Anti-forgery tokens are a very important security feature of ASP.NET MVC and Orchard. Most of the time, you should keep them in place, and just let the system work its magic. There are a few rare situations however where it’s not the appropriate protection and you’ll want to disable it. Being too lazy to include the token in your ajax requests or your forms is of course not one of those situations.
- A storm of fail: It’s OK to not know something. It really is, if you’re willing to admit it, and have a reasonably accurate idea about your own level of competence. Unfortunately, thanks to the Dunning-Kruger effect, we’re all better than average drivers, parents, and… security experts. Through the excellent @InfoSecInsanity, I got pointed to a veritable (and unfortunately, involuntary) repository of ways you can screw up your web site’s security. I don’t want to pick too much on the author, as, as far as I know, he’s well-intentioned, but he should really retract his post, as well as any other post he wrote about security, and take a few courses. He might also want to stop calling himself an “expert” on topics in which he clearly has no expertise. Writing crappy code is one thing. Propagating dangerous code through blog posts, that hundreds of clueless people will copy into their own applications, is another.
- Recovering the admin password in Orchard: These things happen, and it seems hopeless at first: you've locked yourself out of your own site and that's that. Well, not quite. If you still have access to the database there is a way out. Access may be through FTP and WebMatrix or Visual Studio if using SQL CE, or through SQL Server Management Studio, or whatever is your preferred way to access your database. In this tutorial I'll use WebMatrix over a local SqlCe database, but other tools would work just as well with minor differences.
- Please read if you have public ASP.NET sites: Yesterday, a new crypto oracle-type vulnerability was publicly disclosed. It is an important vulnerability that is likely to be exploitable on a large proportion of ASP.NET sites, even those that are using configuration settings that were previously considered safe.
- More on medium trust: what permission are you missing? Yesterday, I asked some questions about your usage of medium trust. Thank you all for the great answers and comments (but don’t read too much into that, I’m just playing with stuff). If you haven’t answered yet, feel free to do so.
- How important is medium trust to you? I would be very grateful if you could drop me a note in comments answering the following questions:
- How to choose a client template engine: Disclaimer: I worked on the Microsoft Ajax 4.0 template engine, so my criteria are of course heavily influenced by our own design.
- New tools to prevent SQL injection attacks: I've blogged in the past about injection attacks. Microsoft publishes additional new tools to detect and protect against injection attacks. The first tool, developed by HP, crawls web sites to automatically detect possible attacks, the second blocks dangerous requests from being executed, and the last one analyzes code to look for dangerous practices.
- Please, please, please, learn about injection attacks!