Alik Levin's Clarity, Technology, and Solving Problems | PracticeThis.com


Tagged Content List
  • Blog Post: Automating Code Review for Common ASP.NET Performance & Security Anti-Patterns

    In this post I will share with you how to automate code review when searching MSIL for common performance and security anti-patterns. Scenario You are an application performance/security consultant who’s been asked to review a large application for common security and performance anti-patterns. You are...
  • Blog Post: Security Code Review – Use Visual Studio Bookmarks To Capture Security Findings

    How to streamline the process of capturing security flaws during security code review? How to save time and avoid switching between the tools? How to stay focused? In this post I will show my simple technique to capture security flaws using Bookmarks in Visual Studio. Create bookmark folders. Hit Ctrl...
  • Blog Post: Use DIR Command To Generate List Of Files And Store It In File

    DIR /S /B /A:-D I use a simple DIR command to generate file lists. It serves me in many scenarios. For example, I use it to generate a .Net assemblies list when I conduct a preliminary scan as part of the code inspection process. Here are the explanations of the switches: /S - search sub folders /B - bare format...
  • Blog Post: XSSDetect Public Beta now Available!

    XSSDetect public beta is now available for download on MSDN. Overview XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from...
  • Blog Post: Visual Studio 2005 As General Code Search Tool

    Visual Studio 2005 has powerful search capabilities. One of my favorites is "Find in Files". Just hit Ctrl+Shift+F (more shortcuts - My Favorite Shortcuts ). Essentially it uses the FindStr utility that sits in the System32 folder and comes for free with the Windows OS. FindStr is a command line utility and those...
  • Blog Post: Security Code Inspection - Eternal Search For SQL Injection

    Here are a couple of techniques I used for searching for hints of SQL injection in .Net apps. The basic approach is described here http://msdn2.microsoft.com/en-us/library/ms998399.aspx . It is basically split into two major parts - the preliminary scan and the detailed scan. The keyword is hotspot - find...
  • Blog Post: Performance Gain - Security Risk

    Reposted from Performance Gain - Security Risk. Good intentions for better performance may lead to a flawed design and bring in more security risks. Consider the following ASPX page: Here is why it cannot be accessed: When trying to navigate there you get: Great, love URL authorization!! Now let's examine...
  • Blog Post: Security .Net Code Inspection Using Outlook 2007

    In my previous post, Code Inspection - First Look For What To Look For , I've described how to look for sensitive data and hints in the compiled assemblies. The other challenge I was looking to solve was boosting my productivity. So with a little magic of scripting (more magic here: Scriptomania - Scripting...
  • Blog Post: Code Inspection - First Look For What To Look For

    Reposted from Security Code Inspection - First Look For What To Look For for further reuse on this blog. I found it extremely productive to first look for strings in the code. But what strings to look for? And how to look for the strings? Looking into the source files? My good friend FindStr is of great...
  • Blog Post: Good Chance For Canonicalization Attack When Using Path.Combine()

    In my previous post, .Net Assembly Spoof Attack , I've described a potential DLL hijacking/spoof attack when using reflection for dynamically loaded assemblies. Today I was reviewing some project where I stumbled on exactly such a case. One thing that caught my eye was that the path to the reflected DLL, the...
  • Blog Post: .Net Assembly Spoof Attack

    To be honest I am not sure about the name of such an attack, but in a nutshell it is an attack where the original good code is replaced by bad code with the same interface but a very bad implementation - maybe a Trojan DLL? Anyway... My Australia-based teammate Rocky posted some time ago the coolest screencast...
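The preliminary-scan workflow that several of the posts above describe (build a bare recursive file list with DIR /S /B /A:-D, keep the .Net assemblies, then FindStr them for hotspot strings) as one added Python example. This is not the author's script and not any tool from the posts; the hotspot keyword list is an illustrative assumption, and the sample tree it scans is constructed in a temp directory. It also makes a point the posts only hint at: a managed assembly stores type and member names as UTF-8 in the #Strings metadata heap but string literals (SQL text, connection strings) as UTF-16LE in the #US heap, so a plain ASCII search finds `SqlCommand` but can miss the literal `SELECT ... FROM`; the scanner searches both encodings.

```python
"""Preliminary security code-inspection scan (added example, not the post's own code)."""
import os
import re
import tempfile

ASSEMBLY_EXTS = {".dll", ".exe"}

# Assumed hotspot keywords (illustrative, not the post's list): data-access API
# names and SQL/credential fragments that mark places to inspect by hand.
HOTSPOTS = ["SqlCommand", "ExecuteReader", "ExecuteNonQuery",
            "SELECT ", "password", "connectionString"]


def hotspot_patterns(keywords=HOTSPOTS):
    """Compile each keyword in both encodings a .NET assembly uses:
    UTF-8 for metadata names (#Strings heap) and UTF-16LE for string
    literals (#US heap). An ASCII-only grep, which is what FindStr does,
    sees the first kind and misses the second."""
    pats = []
    for kw in keywords:
        for enc in ("utf-8", "utf-16-le"):
            pats.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return pats


def list_files(root):
    """Recursive, bare-format listing of files only: the DIR /S /B /A:-D output."""
    out = []
    for dirpath, _dirs, files in os.walk(root):   # directories never land in `files`
        for name in files:
            out.append(os.path.join(dirpath, name))
    return sorted(out)


def list_assemblies(root):
    """Input of the preliminary scan: managed-assembly candidates by extension."""
    return [p for p in list_files(root)
            if os.path.splitext(p)[1].lower() in ASSEMBLY_EXTS]


def scan_file(path, patterns=None):
    """Return {keyword: [(encoding, byte offset), ...]} for every hotspot hit."""
    patterns = patterns or hotspot_patterns()
    with open(path, "rb") as f:
        data = f.read()
    hits = {}
    for kw, enc, pat in patterns:
        for m in pat.finditer(data):
            hits.setdefault(kw, []).append((enc, m.start()))
    return hits


def scan_tree(root):
    """Scan every assembly under root; returns {path relative to root: hits}."""
    report = {}
    for path in list_assemblies(root):
        hits = scan_file(path)
        if hits:
            report[os.path.relpath(path, root)] = hits
    return report


def build_sample_tree():
    """Constructed sample input, not a real application: a fake assembly that
    names SqlCommand in its (fake) #Strings heap and carries a concatenated SQL
    literal plus a connection string as UTF-16LE, a clean assembly, a directory
    whose name ends in .dll (what /A:-D excludes) and a text file (not scanned)."""
    root = tempfile.mkdtemp(prefix="scan-")
    os.makedirs(os.path.join(root, "bin", "Data.dll"))
    os.makedirs(os.path.join(root, "bin", "plugins"))
    fake = (b"MZ" + b"\0" * 62
            + b"#Strings\0System.Data.SqlClient\0SqlCommand\0ExecuteReader\0"
            + b"#US\0" + "SELECT * FROM Users WHERE Name = '".encode("utf-16-le")
            + b"\0" + "Server=db;User Id=sa;Password=".encode("utf-16-le"))
    with open(os.path.join(root, "bin", "plugins", "Orders.dll"), "wb") as f:
        f.write(fake)
    with open(os.path.join(root, "bin", "Clean.dll"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62 + b"#Strings\0System.Xml\0")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("SqlCommand is mentioned in the docs, but this is not an assembly\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, found in scan_tree(sample_root).items():
        print(rel)
        for kw, where in found.items():
            print("   %-16s %s" % (kw, where))
```

Every hit is a hotspot to open in the detailed scan, not a finding by itself; the SQL literal is reported only through its UTF-16LE form, which is the case an ASCII FindStr pass would have skipped.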
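The Path.Combine() canonicalization problem from the post above, as an added Python example that is not the author's code. Path.Combine discards its first argument whenever the second one is rooted, so a base directory plus an attacker-influenced DLL name can resolve anywhere on disk; `ntpath.join` keeps that rule (it is used explicitly so the example behaves the same on any OS, which is an assumption about its equivalence to Path.Combine on Windows). The plugin directory and file names are made up. `safe_combine` shows the check a reviewer would want to see instead: reject rooted names, normalize the joined path, and prove it still lies under the base directory.

```python
"""Path.Combine canonicalization check (added example, not the post's own code)."""
import ntpath

PLUGIN_DIR = r"C:\app\plugins"   # assumed base directory for dynamically loaded DLLs


def naive_combine(base_dir, name):
    """What Path.Combine(baseDir, name) yields: a rooted second argument wins
    and the base directory is silently dropped."""
    return ntpath.join(base_dir, name)


def safe_combine(base_dir, name):
    """Combine, normalize, then verify the result is still inside base_dir.
    Returns the canonical path or raises ValueError."""
    base = ntpath.normpath(base_dir)
    if not ntpath.isabs(base):
        raise ValueError("base_dir must be absolute: %r" % base_dir)
    # Anything rooted, drive-qualified or drive-relative (C:foo) must not reach join()
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0] or name.startswith(("\\", "/")):
        raise ValueError("rooted name rejected: %r" % name)
    # normpath collapses '..' and '.' and turns '/' into '\', which is the
    # canonical form the containment check must run against
    candidate = ntpath.normpath(ntpath.join(base, name))
    prefix = base.rstrip("\\").lower() + "\\"     # NTFS names are case-insensitive
    if not candidate.lower().startswith(prefix):
        raise ValueError("escapes base directory: %r" % candidate)
    return candidate


def is_safe(base_dir, name):
    """Boolean view of safe_combine for quick checks."""
    try:
        safe_combine(base_dir, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in [r"Reports.dll", r"sub\..\Reports.dll", r"C:\evil\bad.dll",
                 r"\evil\bad.dll", r"..\..\evil\bad.dll", "sub/../../x.dll", "D:bad.dll"]:
        print("%-22s Path.Combine -> %-28s safe: %s"
              % (name, naive_combine(PLUGIN_DIR, name), is_safe(PLUGIN_DIR, name)))
```

The containment check runs on the normalized path, not on the raw name, which is why `..\..\evil\bad.dll` and the forward-slash variant are caught even though neither is rooted.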