Parmeshwar's Space !!

CodeFileBaseClass attribute in Page Class (.aspx)

Parmeshwar Arewar — Wed, 29 Nov 2006 23:21:00 GMT

While goining through code,saw this interesting stuff..basically used to specify the typename of a base class and its associated code-behind class. Check this on MSDN .

DOM based XSS attack

Parmeshwar Arewar — Sun, 03 Sep 2006 14:53:00 GMT

We have heard of Cross-Site Scripting attack....basically two types of cross site scripting is normally explained everywhere.. Non-Persistent CSS - which normally occurs when the input is directly echoed on the browser which causes the script in the input to execute. This script can steal the cookie using document.cookie and may post the values to attacker's site. Persistent CSS occurs when the input (from querystring, form variables) is stored in the database and later retrieved to display it on webpage causing the script to execute.

If we can use document.cookie so why not we use document object itself !! DOM based attack works on this principle..If our code uses document.url or document.location.href etc..these can be exploited using this technique.

In .NET, we can use requestValidate=True as page directive to prevent from such kind of attack. However this can also be bypassed, so also use HtmlEncode, UrlEncode to tightly filter input and write output urls. Also, a great library called IOSEC is available which goes further to filter malicious input.

For more info abt CSS:

http://www.webappsec.org/projects/articles/071105.shtml

http://crypto.stanford.edu/cs155/CSS.pdf

http://www.owasp.org/index.php/Category:OWASP_Project

My first post !!

Parmeshwar Arewar — Wed, 28 Jun 2006 16:38:00 GMT

This is my first post. Hope this place will be a great place to explore security!!

Managing Identity

Parmeshwar Arewar — Sun, 03 Sep 2006 17:36:00 GMT

Excellent white paper on “.NET Developer's Guide to Identity“ . This white paper by Keith Brown explains different authentication ,authorization mechanisms, talks abt federated identity,ADFS, security in WCF ..and lot more..This is a kind a boon for developers ..as all material is available at single place !!

InfoCard !!

Parmeshwar Arewar — Sun, 03 Sep 2006 16:55:00 GMT

MS Windows Cardspace Home -

http://msdn.microsoft.com/winfx/reference/infocard/default.aspx

Infocard blog(s):

http://blogs.msdn.com/andyhar/archive/2005/11/22/495649.aspx

Articles:

First look at InfoCard

..will fill up the post as I read more info.. !!

Security Enhancements in .NET framework 2.0

Parmeshwar Arewar — Sun, 03 Sep 2006 15:31:00 GMT

Following are some of the materials explaing security enhancements in .NET framework 2.0

http://blogs.msdn.com/shawnfa/archive/2005/08/24/455581.aspx

http://msdn.microsoft.com/msdnmag/issues/06/00/SecurityBriefs/default.aspx

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGPractices0001.asp

Security Practises in ASP.NET 2.0

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGPractices0001.asp

Basic questions for Security Code Review

Parmeshwar Arewar — Sun, 03 Sep 2006 15:20:00 GMT

Following are the main areas to look for security code review:

SQL injection
CSS
Data Access
Input/Data Validation
Authentication
Authorization
Sensitive data
Unsafe code
Unmanaged code
Hard-coded secrets
Poor error handling
Web.config
CAS
Cryptography
Undocumented public interfaces
Thread Racing problems

For details look into Security Engineering Explained by MS Patterns and Practises !!

One-click attack:How to prevent them?

Parmeshwar Arewar — Sun, 03 Sep 2006 15:09:00 GMT

One click attack normally occurs when attacker creates a prefilled web page(.htm or .aspx) with view state. The view state is generated from a previously created page. ex. shopping cart page with say 50 items. The attacker then lures unsususpecting user to browse the page and causing the page to be sent to server where view state is valid.

To prevent this kind of attack in .NET, use Page.ViewStateUserKey in Page_Init event with unique value per user such as username or configured in web.config.

Some nice articles on Security

Parmeshwar Arewar — Fri, 11 Aug 2006 23:02:00 GMT

Referring 1.1 framework compiled DLLs in 2.0 Application and vice-versa

Parmeshwar Arewar — Thu, 06 Jul 2006 20:39:00 GMT

We can refer the 1.1 framework compiled dlls in Web applications developed in 2.0 without any extra effort. However we can not refer the 2.0 compiled dlls in 1.1 framework application the reason is well illustrated in the thread at ASP.NET Migration forum which says : using COM Interop it won't work because even if it uses COM for "interoperating" it still needs the .NET Framework to run. Since you cannot load 2 versions of the .NET Framework in the same process it will end up running against .NET 1.1 and fail.

However this thread says there is a workaround to refer 2.0 compiled dlls in 1.1 framework application using MSBuild ..!!

Contract-first Service development

Parmeshwar Arewar — Wed, 05 Jul 2006 14:44:00 GMT

Here is a very nice article describing COM, code-first, contract-first service development by Aaron.

VS 2005 Security features and Tools

Parmeshwar Arewar — Wed, 05 Jul 2006 18:05:00 GMT

http://msdn.microsoft.com/security/vs2005security/default.aspx - Lists and provides all security features and tools in VS 2005.

Master pages - heart of Website

Parmeshwar Arewar — Thu, 06 Jul 2006 18:08:00 GMT

With the introduction of Master pages in 2.0, we can now design the page which contains contents repeated on each page -like menus, navigation, logos. We can also combine the functionality used by all web pages at single place and derive all our pages from this master page...

Here is an excellent article on master pages by Scott Allen - providing tips,tricks and traps.

Microsoft also provided 4 design templates based on the category. You can find them here.

Bug Bash 2006 contest for Indian Students !!

Parmeshwar Arewar — Wed, 28 Jun 2006 22:38:00 GMT

This competition has been designed to get user feedback on various real life issues that can happen with an operating system.The contest consists of 2 stages - a preliminary quiz round followed by the final competition at Microsoft premises in Gurgaon. The registration is open till 1st July 2006.For more details click on to: http://www.appinlabs.com/bugbash2006/.