Alik Levin's
Consulting - Stories from Trenches, Case Studies, and Tech Notes
Browse by Tags
All Tags
»
Input Validation
(RSS)
AJAX
Code Inspection
Development Phase
Fuzzing
Implementation
Security
Test Phase
Tools
WCF
Security Code Review – String Search Patterns For Finding Input Validation Vulnerabilities
Well defined set of search patterns helps significantly reduce time (cost) when performing security code inspections. This post focuses on input validation vulnerabilities commonly found in ASP.NET web applications. SQL Injection and Cross Site Scripting
Read More...
WCF Security - Input/Data Validation Using Schemas
WCF offers very flexible approach of Input and Data Validation based on XML Schemas. The approach is flexible since the validation rules are expressed in form of XML schema and can be changed at any time without recompiling the solution. I followed the
Read More...
WCF Security - Input/Data Validation Sample Visual Studio Project
Input and Data Validation is one of the core security principles . WCF is no exception . To get most out of WCF in secure way one must implement proper Input and Data Validation. I was following instructions on How To – Perform Input Validation
Read More...
Quickly Find And Fix Cross Site Scripting (XSS) Vulnerabilities In Your ASP.NET Application.
Want to quickly check your ASP.NET Web application for Cross Site Scripting (XSS) vulnerability ? It is pretty easy with the knowledge and tools you already have. This post describes how to quickly find and fix most of XSS vulnerabilities in your code.
Read More...
AJAX Security - Client Side Validation Is For Usability Only, Not For Security
“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.” Ralph Waldo Emerson AJAX is another
Read More...
Creating a Parameterized Query In Visual Studio
Creating parameterized queries is one of the major countermeasures to SQL Injection attacks (not the ultimate but major). I always did it in old fashion way - using code only and I am ashamed I never utilize advanced productivity features of Visual Studio.
Read More...
Security Code Inspection - Eternal Search For SQL Injection
Here are couple of techniques I used for searching hints of SQL Injections in .Net apps. The basic approach is described here http://msdn2.microsoft.com/en-us/library/ms998399.aspx . It is basically split into two major parts - preliminary scan and the
Read More...
XSS? - Do not Make Me Laugh, We Use WinForms
Reposted from XSS? - Do not Make Me Laugh, We Use WinForms I find myself sometimes (actually too many times...) in situation explaining people of impact of Cross Site Scripting (attack) attacks as a result of importer encoding of user input (vulnerability)
Read More...
Good Chance For Canonicalization Attack When Using Path.Combine()
In my previous post, .Net Assembly Spoof Attack , I've described potential DLL hijacking/spoof attack when using reflection for dynamically loaded assemblies. Today I was reviewing some project where I stumbled on exactly such case. One thing that caught
Read More...
How To Hack WCF - New Technology, Old Hacking Tricks
First of I'd like to thank Guy for his excellent screencast - very convenient, so thanks. Specifically I liked introductory screencast for WCF which can be found here: http://blogs.microsoft.co.il/blogs/bursteg/pages/WCF-Introduction-Demo-_2800_ScreenCast_2900_.aspx
Read More...
Search
This Blog
Home
Email
Twitter Updates
follow me on Twitter
Books I recommend
The 22 Immutable Laws of Branding
The 21 Irrefutable Laws of Leadership: Follow Them and People Will Follow You
The 4-Hour Workweek: Escape 9-5, Live Anywhere, and Join the New Rich
Raving Fans: A Revolutionary Approach To Customer Service
The Tipping Point: How Little Things Can Make a Big Difference
The Leadership Pill: The Missing Ingredient in Motivating People Today
The Handbook of Emotionally Intelligent Leadership: Inspiring Others to Achieve Results
The Power of Full Engagement: Managing Energy, Not Time, is the Key to High Performance and Personal Renewal
Overachievement: The New Model for Exceptional Performance
The Dream Manager
Swim with the Sharks Without Being Eaten Alive: Outsell, Outmanage, Outmotivate, and Outnegotiate Your Competition
Weinberg on Writing: The Fieldstone Method
Gemba Kaizen: A Commonsense, Low-Cost Approach to Management
The One Minute Manager
Kaizen: The Key To Japan’s Competitive Success
Secrets of Consulting: A Guide to Giving and Getting Advice Successfully
The Dip: A Little Book That Teaches You When to Quit (and When to Stick)
Tags
Agile
AJAX
Application Lifecycle Management
Architecture
Auditing and Logging
Authentication
Authorization
Azure
CardSpace
CAS
Code Inspection
Consulting
Deployment Inspection
Deployment Phase
Development Phase
End User
Exception Handling
Fuzzing
IIS 7
Implementation
Inception Phase
Information Gathering
Input Validation
Interop
MVC
Operations
Performance
Planning Phase
Practices
Reflection
Security
Sensitive Data
SharePoint
Test Phase
Threading
Threat Modeling
Tools
Video
Vista
VSTS
WCF
Archives
June 2009 (4)
May 2009 (4)
April 2009 (2)
March 2009 (7)
February 2009 (8)
December 2008 (2)
November 2008 (9)
October 2008 (6)
September 2008 (4)
August 2008 (1)
July 2008 (7)
June 2008 (5)
May 2008 (4)
April 2008 (4)
March 2008 (3)
February 2008 (3)
January 2008 (10)
December 2007 (6)
November 2007 (4)
October 2007 (11)
September 2007 (4)
August 2007 (6)
July 2007 (8)
June 2007 (3)
May 2007 (21)
April 2007 (25)
March 2007 (25)
. My Personal Blog .
Practice This
.Net Performance How To's
Improving .NET Application Performance and Scalability
Exceptional Performance
Performance Testing Guidance How-To's
Fiddler PowerToy - Part 2: HTTP Performance
Performance Testing with Fiddler
Bottleneck-Detection Counters
Troubleshooting Performance Problems in SQL Server 2005
Performance Frame - v2
12 Steps To Faster Web Pages With Visual Round Trip Analyzer
.Net Security How To's
patterns & practices Security How To's Index
ASP.NET 2.0 Security Questions and Answers
Tamper detection
Authentication Hub
VSTS Resources
Architecture and Design checklists
Securing Sites with IP Address Restrictions
WCF - XSD validation for WCF services
WCF - Message Inspectors
Using Credential Management in Windows XP and Windows Server 2003
WCF - Common Security Scenarios
WCF - Authorization
Validating XML Data with XmlReader
Input Validation - XML Data
Validation - Web Client Software Factory
patterns & practices WCF Security Application Scenarios
Microsoft Identity and Access Management Series
Design Patterns
data & object factory
Yahho Design Pattern Library
Sample .Net 3.0 app
Application Architecture for .NET: Designing Applications and Services
Litware HR - A Multitenant sample application
Microsoft .NET Pet Shop 4.0
Responsive Composite Web Client Reference Implementation
Table of Contents: Introduction to CAB/SCSF
ASP.NET Quickstarts
Microsoft Identity and Access Management Series
Software design patterns
Impactful
Super Size Me
Billy Eliot
The Legend of 1900
The Terminal
The Counterfeiters
Lifecycle Phases
5. Deployment Phase
3. Development Phase
4. Test Phase
1. Inception Phase
2. Planning Phase
Popular
My Favorite Shortcuts
My Pipeline Is My Inbox
Security .Net Code Inspection Using Outlook 2007
Security Code Inspection - Eternal Search For SQL Injection
.Net Assembly Spoof Attack
Code Inspection - First Look For What To Look For
How To Hack WCF - New Technology, Old Hacking Tricks
Generate Documents Out Of Mail Items Directly From Outlook 2007
ARCast With Ron Jacobs - Defending the Application
How to Use Outlook 2007 RSS To Effectively Aggregate And Distill Information
Tools
Fiddler2 Web Debugger - Freeware HTTP(S) debugging tool
Microsoft Network Monitor 3
FxCop Team Page
Microsoft Threat Analysis & Modeling
Windows Sysinternals tools
Log Parser 2.2
p&p Practices Checker - performance
Microsoft ® Windows Server ™ 2003 Performance Advisor
Ajax View
WCat 6.3 (x86)
Funnel Web Analyzer 5.0 for Windows
Syndication
RSS 2.0
Atom 1.0
