Sacha Faust Web Security Blog
FxCop ASP.NET Security Rules release
Posted over 3 years ago by TheFaust (0 comments)
The FxCop ASP.NET security rules have finally been released after being used internally for quite some time. You can read more about them in this month's MSDN Magazine at http://msdn.microsoft.com/en-us/magazine/gg490350.aspx. The rules are available...
Strict Transport Security ASP.NET Module
Posted over 3 years ago by TheFaust (4 comments)
I’ve been tackling the problem of users connecting to online services from untrusted networks. At work we typically call this the “Starbucks” scenario, where a user is connecting to a random wifi and accessing corporate data through online services. For...
Using ValidateRequest to detect when XSS is occurring
Posted over 3 years ago by TheFaust (0 comments)
To limit the risk of Cross-Site Scripting (XSS) attacks, ASP.NET 2.0 introduced a way to detect such attacks and automatically reject the request. This functionality is exposed by the PageSections.ValidationRequest and is turned on by default...
Watch out for scheme-relative URLs
Posted over 3 years ago by TheFaust (2 comments)
Doing my usual random code browsing yesterday, I stumbled on a method that piqued my curiosity. The intent of the method is to only allow redirects to relative paths. If the redirect is not a relative path, it is rejected. Let’s look at the implementation...
Lessons Learned at Windows Live by Using ASP.NET MVC
Posted over 4 years ago by TheFaust (0 comments)
We published a new security whitepaper based on our experience with ASP.NET MVC. The whitepaper is available at http://www.microsoft.com/downloads/details.aspx?FamilyID=7606f801-70c5-49ca-a18c-91d4ed725833&displaylang=en
FxCop rule to verify the use of ASP.NET MVC AntiforgeryTokenAttribute
Posted over 4 years ago by TheFaust (3 comments)
I’ve been working on code auditing for a project that makes use of the latest ASP.NET MVC API. It turned out that it didn’t benefit from the built-in CSRF mitigation available since the preview 5 version of the API. The mitigation is quite simple and generates...
Checking for ViewStateUserKey using FxCop
Posted over 5 years ago by TheFaust (0 comments)
ASP.NET has had a mitigation against CSRF/One-Click attacks since 1.1 through the Page.ViewStateUserKey property. I've implemented a basic FxCop rule to verify whether this property is used on each page. The rule is basic, so it doesn't look...
FxCop HtmlSpotter - Spotting ASP.NET XSS using FxCop and the HTML encoding document
Posted over 5 years ago by TheFaust (3 comments)
In my previous post, I provided a list of which ASP.NET HTML control properties offer automatic HTML encoding. As a side note, I was made aware that an older version of that file is available from the support files of the Hunting Security Bugs book...
Which ASP.NET Controls Automatically Encode?
Posted over 5 years ago by TheFaust (4 comments)
I've had a lot of people ask me which ASP.NET controls offer automatic HTML encoding, and for a long time my answer was to look at MSDN or even write a quick sample and test the behavior. If you are asking yourself the same question, you can now...