Browse by Tags

Tagged Content List
  • Blog Post: WCF Authorization with Custom Principal

    Hi, I am Syam Pinnaka, Sr. SDE in InfoSec tools team. In AuthZ component of CISF, we have a requirement to perform authorization checks in a WCF service. Since CISF AuthZ module has a custom implementation of IPrincipal called as CISFPrincipal, Its looks little tricky to use the CISFPincipal in a WCF...
  • Blog Post: What’s happening with CAT.NET 2.0?

    RV here... Our pre alpha release included a command line tool showcasing newer version of CAT.NET based on tainted data flow analysis engine using Phoenix compiler infrastructure. It also included a configuration analysis engine which was capable of identifying insecure configuration in .config files...
  • Blog Post: How To: Use CAT.NET V2.0 CTP

    Syed Aslam Basha here. I am a tester on the Information Security Tools team responsible for testing CAT.NET v2.0. As the installer name suggests CATNETV20CMD, CAT.NET V2.0 CTP is command line version only. CAT.NET v2.0 CTP analyses assemblies for vulnerabilities and configuration files for misconfigurations...
  • Blog Post: WCF Security – Impersonation

    Hi, Gaurav Sharma here, I’m a developer with the Information Security Tools (IST) team. In today’s post I’ll concentrate on the topic of Impersonation in WCF.  Impersonation By definition , Impersonation is the act of assuming a different identity on a temporary basis so that a different security...
  • Blog Post: The CAT.NET 2.0 Configuration Analysis Engine

    Maqbool Malik here… One of the most significant update to CAT.NET in v2.0 is the addition of a configuration engine. The goal of the engine is to identify insecure configuration at all layers of the application (configuration files, code level configuration, etc.) which should be remediated prior to...
  • Blog Post: How to Configure WPL v1.0 SRE

    RV here... With the release of Web Protection Library v1.0 (WPL) Security Runtime Engine (SRE) has been significantly updated. It now includes a SQL Injection Detection module which can detect certain attack vectors. It also include re-designed configuration editor which enables you to easily configure...
  • Blog Post: How to Run CAT.NET 2.0 CTP

    RV here... With the new build of CAT.NET available on connect.microsoft.com you must have noticed that the new version includes only a command line tool. We we will be releasing the Visual Studio rules as part of Beta1 release. So lets look at how we can use the command line version to analyze binaries...
  • Blog Post: Web Application Configuration Analyzer – WACA CTP Release Coming Soon

    RV here... Last year we developed an internal tool to review servers for security configuration issues. Microsoft offers several enterprise options for doing this such as Systems Center Configuration Manager but the requirements were for a lightweight stand-alone tool focused towards developers and testers...
  • Blog Post: Double Hop Windows Authentication with IIS Hosted WCF Service

    Hello, Randy Evans here.  I am a principal developer on the Information Security Tools Team.  In a recent project, we had a intranet web site that called an IIS hosted WCF service.  The WCF service, in turn, called a SQL Server Reporting Services (SSRS) web service. We wanted to utilize...
  • Blog Post: How To: Use VSTS Code Profiler

    Syed Aslam Basha here. I am a tester on the Information Security Tools team. This blog post is in continuation with website performance testing simplified blog post. The final step in performance testing is to narrow down the faulty code which is taking lot of time or memory or CPU usage. I will show...
  • Blog Post: Web Protection Library – CTP Release Coming Soon

    RV here... Over the last couple of months we have been actively developing the next version of Anti-XSS library and Security Runtime Engine (SRE). We have added new mitigations that go way beyond the original Cross Site Scripting (XSS) protections of the Anti-XSS Library hence the change in name to the...
  • Blog Post: SQL Server 2008 Security - Policy Example

    Hi, Gaurav Sharma here, I’m a developer with the Information Security Tools (IST) team. A few months ago I posted a blog, SQL Policy Based Management (PBM) and posted a follow up introductory “ How Do I” video on the same topic. Since then I’ve received a lot of feedback and questions regarding how to...
  • Blog Post: Anti-XSS Library v3.1 Released!

    The Microsoft Information Security Tools (IST) team has released the latest Microsoft Anti-Cross Site Scripting (Anti-XSS) Library version 3.1 .  Read more about Anti-XSS v3.1 on the Information Security blog and watch the video, “ Anti-XSS 3.0 Released ,” as Vineet Batta and Anil Revuru (RV), Senior...
  • Blog Post: HTML Sanitization in Anti-XSS Library

    RV here... For a while now, I have been talking about various types of encodings and how they protect web applications from cross site scripting attacks. In most cases input is simply passed through AntiXss.HtmlEncode or similar methods to transform it into safely displayable HTML entities. In some cases...
  • Blog Post: Application Health Monitoring (in ASP.NET 2.0 and above)

    Vineet Batta here, A little known but excellent features of ASP.NET is it’s ability to give support teams the ability to monitor the health of ASP.NET applications. In this article I will dwell on out of box features. No custom classes or code to be written. All the configuration setting for enabling...
  • Blog Post: Hash Functions in .NET – Right Tool for the Right Job

    Hi, Ch etan Bhat here. I’m a developer with the Security Tools Team. In this post I will talk about common mistakes developers make when when using hash functions. Any hash function is required to meet the following two requirements. It must be easy to calculate for any possible message. It must return...
  • Blog Post: Encoding Cascading Style Sheet Strings

    RV here... Cascading Style Sheets provide developers ways to change the UI theme of a website and this provides many opportunities for malicious users to change the UI if the application uses dynamic data inside style tags or in HTML style attributes. Additionally keywords like expression can be used...
  • Blog Post: Application Portfolio Management (APM)

    Vineet Batta here….This is a short introduction to the Application Portfolio Management (APM) component of the Connected Information Security Framework or CISF that we hope to reach the CTP milestone in next 2-3 weeks.  The APM component is designed to let you couple this lightweight application...
  • Blog Post: Object.GetHashCode()

    Gaurav Sharma here, I’m a developer with the Information Security Tools team. Today I want to share something about FCL’s GetHashCode method. System.Object provides a virtual GetHashCode method so that an Int32 hash code can be obtained for any and all objects. Below is a code snippet which takes a string...
Page 1 of 1 (19 items)