Browse by Tags

Tagged Content List
  • Blog Post: FxCop ASP.NET Security Rules release

    The FxCop ASP.NET security rules have finally been released after being used for quite some time internally. You can read more about it in this month's MSDN Magazine at http://msdn.microsoft.com/en-us/magazine/gg490350.aspx. The rules are available on CodePlex at http://fxcopaspnetsecurity.codeplex...
  • Blog Post: FxCop rule to verify the use of ASP.NET MVC AntiforgeryTokenAttribute

    I’ve been working on code auditing for a project that makes use of the latest ASP.NET MVC API. It turned out that it didn’t benefit from the built-in CSRF mitigation available since the preview 5 version of the API. The mitigation is quite simple and generates tokens and validates them inside controller actions...
  • Blog Post: Checking for ViewStateUserKey using FxCop

    ASP.NET has had a mitigation to protect against CSRF/One-Click attacks since 1.1 with the use of the Page.ViewStateUserKey property. I've implemented a basic FxCop rule to verify if this property is used on each page. The rule is basic so it doesn't look at what is assigned to the property and only looks...
  • Blog Post: FxCop HtmlSpotter - Spotting ASP.NET XSS using FxCop and Html encoding document

    In my previous post, I provided a list of which ASP.NET HTML control properties offer automatic HTML encoding. As a side note, I was made aware that an older version of that file is available from the support files of the Hunting Security Bugs book. I initially received this document from Tom Gallagher...