March 2007 - Posts

Security Code Inspection - Eternal Search For SQL Injection
Here are a couple of techniques I used for searching for hints of SQL Injection in .Net apps. The basic approach is described here: http://msdn2.microsoft.com/en-us/library/ms998399.aspx . It is basically split into two major parts - a preliminary scan and the Read More...
Different Ways To Get Hold On Certificates - Net FX 1.1, 2.0
Net FX 1.1: First, one needs to export the certificate to a file (no private keys exported), from http://msdn2.microsoft.com/en-us/library/aa302408.aspx // TODO: Replace with a valid path to your certificate string certPath = @"C:\WSClientCert.cer"; // create Read More...
Lifetime Decision is Tomorrow
I am trying hard to post purely technical articles to my blog, but today I am overwhelmed with a strong personal feeling I want to share with the world - tomorrow I am going to negotiate the price and conditions for the house of my dreams. I know it may Read More...
Posted 29 March 07 09:45 by alikl | 0 Comments   
Do Not Get Scared - I Changed My Skin...
I used to have the MSDN skin for my blog. I am trying to be less "official" and more "readable". I got these complaints a few times. So I am experimenting. Better now? :) :) Thanks Read More...
Posted 29 March 07 01:03 by alikl | 0 Comments   
patterns & practices Guidance Explorer - The New Wave
Guidance Explorer is not only a very powerful security (and performance) guidance tool - recently it met the VSTS guidance launched on CodePlex . To make a long story short, Guidance Explorer seems to serve as a solid framework to build and extend guidance Read More...
Posted 28 March 07 08:57 by alikl | 0 Comments   
Performance Testing For The Masses
"FAST is cool, huh" - a good friend of mine told me. No doubt. How do I identify the bottleneck with an architecture like this? Is it the browser starving for resources due to client-side JavaScript/AJAX-heavy processing? Is it jumbo HTTP responses (ViewState, for example)? Read More...
Performance Gain - Security Risk
Reposted from Performance Gain - Security Risk . Good intentions for better performance may lead to a flawed design and bring in more security risks. Consider the following ASPX page: Here is why it cannot be accessed: When trying to navigate there you get: Read More...
Security .Net Code Inspection Using Outlook 2007
In my previous post, Code Inspection - First Look For What To Look For , I've described how to look for sensitive data and hints in compiled assemblies. The other challenge I was looking to solve is boosting my productivity. So with a little magic of Read More...
XSS? - Do not Make Me Laugh, We Use WinForms
Reposted from XSS? - Do not Make Me Laugh, We Use WinForms . I find myself sometimes (actually too many times...) in the situation of explaining to people the impact of Cross Site Scripting (attack) attacks as a result of improper encoding of user input (vulnerability) Read More...
Scriptomania - Scripting Tools and Utilities
From http://www.microsoft.com/technet/scriptcenter/createit.mspx : Scriptomatic 2.0, Do-It-Yourself Script Center Kit, WMI Code Creator, ADSI Scriptomatic, Tweakomatic, Log Parser 2.2, Portable Script Center, HTA Helpomatic, Scriptomatic 1.0 Read More...
Posted 23 March 07 09:49 by alikl | 2 Comments   
Security Language That Every One Understands
Although Michael Howard has some arguments against comparing software stuff with the physical world, I will take a chance on that one. As for me, language is designed to serve as a communication channel between the parties: English for two English speakers, C# Read More...
Posted 22 March 07 06:20 by alikl | 3 Comments   
Security Deployment Inspection Using Office.
I am a big fan of small time savers that make me more productive. JD has a whole category for the Effectiveness tag - worth checking out these gems. So I am always looking at how to reuse my practices across disciplines; I am trying to combine my security engineering Read More...
VSTS How To's - patterns&practices
It is not about what it does but how to use it (read this to understand the difference: Driver's Guide vs. Owner's Manual ). VSTS Guidance: check these comprehensive step-by-step walkthroughs with pictures. Want to know how to integrate VSTS into your Read More...
Posted 21 March 07 11:47 by alikl | 0 Comments   
Code Inspection - First Look For What To Look For
Reposted from Security Code Inspection - First Look For What To Look For for further reuse on this blog. I found it extremely productive to first look for strings in the code. But which strings to look for? And how to look for them? Looking into Read More...
SecureString Class Two Real Usages And Counting!
SecureString Class: "Represents text that should be kept confidential. The text is encrypted for privacy when being used, and deleted from computer memory when no longer needed. This class cannot be inherited." At first I was very excited about SecureString Read More...
I Think I Found Workaround For Live Writer Images
EDIT: PLEASE SEE COMMENTS. Will , do not be sorry for the pingbacks (I've noticed you added this at the end of LiveWriter needs fixing ). I also like Live Writer very much, and I also suffer from the bad images it renders. After reading your post I played around Read More...
Posted 18 March 07 09:18 by alikl | 2 Comments   
Good Chance For Canonicalization Attack When Using Path.Combine()
In my previous post, .Net Assembly Spoof Attack , I've described a potential DLL hijacking/spoof attack when using reflection for dynamically loaded assemblies. Today I was reviewing a project where I stumbled on exactly such a case. One thing that caught Read More...
.Net Assembly Spoof Attack
To be honest I am not sure about the name of such an attack, but in a nutshell it is an attack where the original good code is replaced by bad code with the same interface but a very bad implementation - maybe a Trojan DLL? Anyway... My Australia-based teammate Read More...
How I Create Videos Using Free Tools - Screen And Sound Capture At Once
Please visit the landing page for this series, How I Create Videos Using Free Tools , where I explain the overall process I use for video creation. In this last post I'll show you how to create a screencast video including sound capture at once. Start Media Encoder Read More...
Posted 10 March 07 08:09 by alikl | 3 Comments   
I Invite You To Rob Me
Isn't it the usual OOF message we put? "OOF until <<here comes date>> visiting customers in <<12 hours flight from home>>" In other words, until that date you are invited to break into my office, house, and car. Here are some guidelines Read More...
How I Create Videos Using Free Tools
I've recently been hooked on doing some video stuff for demo purposes. For example, in this post I captured the screen to show how to intercept web services HTTP traffic with Fiddler - App Architecture with Security in mind - Video, Part I . There are plenty Read More...
Posted 06 March 07 10:09 by alikl | 5 Comments   
Google Hacking
It is not hacking Google but using Google to hack others. Got a practical guide? - Sure. Got some tooling? - Sure: SiteDigger™ . Can I do it with Live Search? - Sure: This is How They Will Hack Your Web Site . What do I do to get protected?! Proactive Security Read More...
Google Code Search - Different Perspective
Google launched a special treat just for developers ... I'd like to present it from a different perspective. Imagine you provide search criteria as follows: " Initial Catalog " - try it. What do you see? More like these here . Doesn't it make you want Read More...
How To Hack WCF - New Technology, Old Hacking Tricks
First off, I'd like to thank Guy for his excellent screencast - very convenient, so thanks. Specifically I liked the introductory screencast for WCF, which can be found here: http://blogs.microsoft.co.il/blogs/bursteg/pages/WCF-Introduction-Demo-_2800_ScreenCast_2900_.aspx Read More...
alikl.Blogging.Reload()
Switching here from http://blogs.microsoft.co.il/blogs/alikl Read More...
Posted 03 March 07 06:15 by alikl | 0 Comments   