The What, Why and How of Software Security
TechNet Webcast: Configuring with Least Privilege in SQL Server 2008
Posted over 3 years ago by Varun Sharma, 0 comments
I recently presented a TechNet Webcast on the topic “Configuring with Least Privilege in SQL Server 2008”. The topics covered in the Webcast are:- 1. Configuring SQL Server service accounts with least privilege. Service isolation is also explained. 2...
Catch the security flaw #6
Posted over 3 years ago by Varun Sharma, 7 comments
If you can find the security issue with this piece of code, write about it by adding a comment to this blog post. This is the scenario:- 1. There is a Web site that allows end users to upload their pictures. 2. On the Web server, the Web site is physically...
Virtual techdays: Top 5 Web Application security bugs in custom code
Posted over 3 years ago by Varun Sharma, 1 comment
Microsoft Virtual TechDays starts on 18 February 2009. In the security track, I will be presenting on the topic “Top 5 Web Application Security bugs in custom code”. As a security engineer in the ACE Team, I have been reviewing line-of-business...
Catch the security flaw #5 (flaw and its countermeasure)
Posted over 4 years ago by Varun Sharma, 1 comment
In my last post, I showed input validation code that uses RegularExpressionValidators improperly. Thanks to Mathew Grabau and Marius Cristian CONSTANTIN for pointing out that the Page’s IsValid property has not been checked before using the input. As...
Catch the security flaw #5
Posted over 4 years ago by Varun Sharma, 5 comments
A lot of web applications use RegularExpressionValidators for performing input validation [1]. Sometimes these validators are not implemented properly, which can lead to flaws. See if you can catch the flaw here:- Code for Default.aspx:- 1:...
Catch the Security Flaw(s) #4
Posted over 4 years ago by Varun Sharma, 4 comments
Identify as many security issues as you can with this piece of code:-
[WebMethod]
public string GetEmpName(string empid)
{
    SqlConnection con = new SqlConnection("server=.;database=test;uid=sa;pwd=PassW2rd12");
    SqlCommand cmd =...
NASSCOM – DSCI Information Security Summit 2008 Security Tutorial
Posted over 4 years ago by Varun Sharma, 2 comments
My colleague Sagar and I will be conducting an application security workshop at the NASSCOM – DSCI Information Security Summit 2008 on 1 December at IIIT Hyderabad, India. More information can be found here:- http://www.nasscom.in/Nasscom/Templates...
How To: Configure permissions in Out-of-the-box MOSS 2007 Approval Workflow such that “Approvers” cannot edit or delete the item to be approved
Posted over 4 years ago by Varun Sharma, 3 comments
1. Consider a Microsoft Office SharePoint Server 2007 site that will be used as a “Document Approval System”. Certain users will be “Editors” and they will be able to upload documents for approval. Another set of users will be “Approvers”. These users...
Catch the Security Flaw #3
Posted over 4 years ago by Varun Sharma, 8 comments
Quite a few web applications encrypt query string values. This is generally done as an added measure to prevent unauthorized access. Since the end user cannot choose a value and then encrypt it, changing parameters becomes difficult. But encryption is...
Confusion property of symmetric block ciphers
Posted over 4 years ago by Varun Sharma, 1 comment
Modern symmetric block encryption algorithms need to satisfy a number of properties to be considered strong. One such property is the property of “Confusion”. What it means is that if an attacker is conducting an exhaustive key search, and if the key...
Catch the security flaw #2 (flaw and its countermeasure)
Posted over 4 years ago by Varun Sharma, 1 comment
In my previous “Catch the Security Flaw” post I wrote about a flawed CAPTCHA implementation. In this post I discuss what the flaws in that implementation are and how to prevent them. Before I go into the exact flaws, let us agree upon a standard notation...
Catch the security flaw #2
Posted over 4 years ago by Varun Sharma, 7 comments
Consider a fictional web site that lets you create new accounts (as shown below). This site implements CAPTCHA to prevent a malicious user from creating a large number of false accounts by running an automated script. The following code is used...
Catch the security flaw #1 (Flaw and its countermeasure)
Posted over 4 years ago by Varun Sharma, 1 comment
It is time to discuss the flawed code that I posted a couple of weeks back. The comments posted were good and in essence summarize the flaw. The circled part is an example of an embedded code block. The query string parameter “id” will be inserted...
Catch the security flaw #1
Posted over 4 years ago by Varun Sharma, 4 comments
From time to time I will be putting up flawed code as an open question on this blog. Those who can catch the flaw please do post about it in the comments section (preferably with the repro steps). After a few days, I will post the flaw and its countermeasure...
Common Authorization flaw in Web Applications: Why disabling buttons (or other controls) is not enough?
Posted over 4 years ago by Varun Sharma, 2 comments
I have seen quite a few web applications that rely on disabling controls for authorization. Consider this code:- The scenario may be that the page has to be displayed in a read-only manner for certain roles, or after submission of some details but...
XSSDetect: Tool for finding Cross Site Scripting bugs
Posted over 5 years ago by Varun Sharma, 2 comments
About a month back, ACE Engineering released "XSSDetect", a stripped down version of the "Code Analysis Tool for .NET code bases (CAT.NET)". A Cross site scripting (XSS) vulnerability exists in a web application whenever user controlled input, without...
Block Ciphers: Simple attack on ECB mode
Posted over 5 years ago by Varun Sharma, 0 comments
This is nothing new, but I just wanted to document it on my blog. Block ciphers encrypt data in blocks of bits. These blocks are generally 64 or 128 bits long. In the ECB (or Electronic Code Book) mode, each block is encrypted independently of the other...
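The two consequences of "each block is encrypted independently" are easiest to see with code. What follows is an added example, not code from the post: a stand-in block cipher (a four-round Feistel network over SHA-256, invertible and keyed but not a real cipher) run in ECB mode over a constructed fixed-width "transfer" record. It shows that equal plaintext blocks produce equal ciphertext blocks that anyone can spot without the key, and that an attacker can reorder ciphertext blocks and still get a record the receiver decrypts and accepts. The record layout, account names and key are assumptions for the demonstration.

```python
import hashlib

BLOCK = 16  # bytes; 128-bit blocks, one of the two sizes the post mentions

# Stand-in block cipher: 4-round Feistel network with SHA-256 as the round
# function. Constructed for this example only; it is keyed and invertible,
# which is all ECB needs to exhibit the behaviour shown below.
def _round(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r

def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r

def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    # ECB: every block goes through the cipher on its own; no IV, no chaining.
    return b"".join(encrypt_block(key, b) for b in _blocks(data))

def ecb_decrypt(key, data):
    return b"".join(decrypt_block(key, b) for b in _blocks(data))

def repeated_blocks(ciphertext):
    """Positions of ciphertext blocks that occur more than once. ECB is
    deterministic, so equal plaintext blocks give equal ciphertext blocks,
    visible to anyone holding the ciphertext and no key."""
    seen = {}
    for i, b in enumerate(_blocks(ciphertext)):
        seen.setdefault(b, []).append(i)
    return {tuple(v) for v in seen.values() if len(v) > 1}

# Constructed wire format: three fixed-width 16-byte fields, parsed by position.
def encrypt_transfer(key, sender, receiver, amount_cents):
    record = sender.ljust(BLOCK) + receiver.ljust(BLOCK) + str(amount_cents).rjust(BLOCK, "0")
    return ecb_encrypt(key, record.encode())

def parse_transfer(key, ciphertext):
    f = _blocks(ecb_decrypt(key, ciphertext).decode())
    return f[0].strip(), f[1].strip(), int(f[2])

def swap_blocks(ciphertext, i, j):
    """Attacker's move: reorder ciphertext blocks. Each block still decrypts
    to its original plaintext, so the receiver sees a well-formed record with
    the fields exchanged."""
    b = _blocks(ciphertext)
    b[i], b[j] = b[j], b[i]
    return b"".join(b)

def demo():
    key = b"constructed-demo-key"
    ct = encrypt_transfer(key, "ACCT-ALICE", "ACCT-MALLORY", 10000)
    return {
        "original": parse_transfer(key, ct),
        "forged": parse_transfer(key, swap_blocks(ct, 0, 1)),   # money now flows the other way
        "pattern_leak": repeated_blocks(ecb_encrypt(key, b"X" * 48)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

Neither problem is a weakness of the underlying cipher; the same code with a real block cipher behaves identically. The fix is a mode that chains or counters blocks (so equal blocks encrypt differently) together with an authentication tag, so that a reordered or modified ciphertext is rejected before it is parsed.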
ClubHACK 2007: I will be presenting some “Subtle Security Flaws”
Posted over 5 years ago by Varun Sharma, 0 comments
In its own words, "ClubHACK is one of its kind hacker's convention in India which serves as a meeting place for hackers, security professionals, law enforcement agencies and all other security enthusiasts." At ClubHACK, I will talk about some interesting...
The Unbreakable Cipher
Posted over 5 years ago by Varun Sharma, 3 comments
The concept of perfect secrecy is that given the ciphertext, and any resources and amount of time, the adversary has no way of getting to the plaintext. Having the ciphertext makes no difference and provides absolutely no additional information. The...
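The one-time pad is the standard cipher that meets this definition, and the definition has a concrete, checkable form: for a ciphertext c and any candidate plaintext p' of the same length, there is exactly one key k' = c XOR p' under which c decrypts to p', so every candidate is equally consistent with what the adversary holds. The following is an added example, not code from the post, that computes that key for an alternative plaintext and, as the caveat a practitioner wants, shows what happens when the pad is used twice. The key bytes and messages are constructed for the example.

```python
def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("a one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(key, plaintext):
    return xor_bytes(key, plaintext)

def otp_decrypt(key, ciphertext):
    return xor_bytes(key, ciphertext)

def key_that_explains(ciphertext, candidate_plaintext):
    """The unique key under which ciphertext decrypts to candidate_plaintext.
    It exists for every candidate of the right length, which is exactly why
    the ciphertext tells the adversary nothing about which one was sent."""
    return xor_bytes(ciphertext, candidate_plaintext)

def two_time_pad_leak(c1, c2):
    """Reuse the pad for a second message and the key cancels out:
    c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2. Perfect secrecy is gone;
    knowing either plaintext reveals the other."""
    return xor_bytes(c1, c2)

def demo():
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed 16-byte pad
    p1 = b"ATTACK AT DAWN!!"
    c1 = otp_encrypt(key, p1)

    # Any other 16-byte message is explained by some key; the adversary
    # cannot prefer one over another.
    alt = b"RETREAT AT DUSK!"
    k_alt = key_that_explains(c1, alt)

    # Misuse: the same pad encrypts a second message.
    p2 = b"MEET AT THE DOCK"
    c2 = otp_encrypt(key, p2)
    leak = two_time_pad_leak(c1, c2)

    return {
        "roundtrip": otp_decrypt(key, c1) == p1,
        "alt_fits": otp_decrypt(k_alt, c1) == alt,
        "leak_equals_p1_xor_p2": leak == xor_bytes(p1, p2),
        "p2_from_known_p1": xor_bytes(leak, p1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The unconditional guarantee holds only while the key is truly random, as long as the message, and never reused; the last function shows how completely the third condition matters.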
Common Authorization Vulnerability in Thick Client applications
Posted over 5 years ago by Varun Sharma, 0 comments
Consider the following architecture for an intranet application. A thick client installed on the user’s machine connects to a web service which in turn connects to the database. The web service authenticates the caller using windows authentication. It...
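The disabled-controls post and the thick-client post describe the same mistake from two sides: the client decides what the user may do (a greyed-out button, a menu the client never shows), and the server merely executes whatever request arrives. Authentication, Windows or otherwise, tells the service who is calling, not what that caller is allowed to do. The following is an added example, not code from either post, contrasting a handler that trusts the client with one that re-derives the authorization decision on every request. The roles, permission table and document record are constructed for the demonstration; the point it adds is that a single authorize() function should drive both what the page renders and what the server enforces, so the two cannot drift apart.

```python
from dataclasses import dataclass

# Constructed directory: what authentication yields is the caller's name,
# nothing more. Roles live server-side and are looked up per request.
ROLES = {"alice": "editor", "bob": "viewer"}

# One table drives both the rendered controls and the server-side check.
PERMISSIONS = {
    "editor": {"view", "submit"},
    "viewer": {"view"},
}

@dataclass
class Document:
    doc_id: int
    owner: str
    status: str = "draft"

def authorize(caller, action, doc):
    """True if caller may perform action on doc. Editors may submit only
    documents they own; anyone in the directory may view."""
    role = ROLES.get(caller)
    if role is None or action not in PERMISSIONS.get(role, set()):
        return False
    if action == "submit" and doc.owner != caller:
        return False
    return True

def render_controls(caller, doc):
    """Which controls the page shows enabled. A usability hint for honest
    users only: a disabled button is still just markup the browser, or a
    thick client calling the service directly, is free to ignore."""
    return {"submit_enabled": authorize(caller, "submit", doc)}

def submit_trusting_ui(caller, doc):
    """Vulnerable handler: assumes a request can only come from a page that
    rendered Submit enabled, so it performs no check of its own."""
    doc.status = "submitted"
    return True

def submit_authorized(caller, doc):
    """Hardened handler: decides again, server-side, from the authenticated
    identity and server-held data, regardless of any client state."""
    if not authorize(caller, "submit", doc):
        return False
    doc.status = "submitted"
    return True

def demo():
    # bob, a viewer, sees a disabled Submit button...
    doc = Document(doc_id=42, owner="alice")
    ui = render_controls("bob", doc)
    # ...then re-enables it (or posts the same request from a script).
    forged_doc = Document(doc_id=42, owner="alice")
    forged_accepted = submit_trusting_ui("bob", forged_doc)
    hardened_accepted = submit_authorized("bob", doc)
    owner_accepted = submit_authorized("alice", doc)
    return {
        "bob_sees_submit": ui["submit_enabled"],
        "forged_against_trusting": forged_accepted,
        "forged_against_hardened": hardened_accepted,
        "owner_against_hardened": owner_accepted,
        "final_status": doc.status,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:25} {value}")
```

Disabling the control is still worth doing, for the honest user's benefit; it just cannot be the only place the decision is made.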
Browser Security: Why you can’t get the file that the user doesn’t want you to get?
Posted over 5 years ago by Varun Sharma, 1 comment
In the year 1995, there were eight options for the “type” attribute of the “input” element. These were “CHECKBOX”, “RADIO”, “HIDDEN”, “TEXT”, “PASSWORD”, “IMAGE”, “RESET” and “SUBMIT”. The “FILE” option was added later on to the HTML DTD (Document type...
Catch the security flaw: Configuring encryption from Web Server to SQL Server
Posted over 5 years ago by Varun Sharma, 0 comments
I assess software security for a living, but I almost missed this one.
<connectionStrings>
  <add name="Conn" connectionString="server=server1; database=database1; Integrated Security=True" Encrypt="True" />
</connectionStrings...
SQL injection: Dynamic SQL within stored procedures
Posted over 5 years ago by Varun Sharma, 3 comments
Most resources on the internet concentrate on dynamic SQL in the data access code as the cause of SQL injection. Although less well known, SQL injection is also possible if the stored procedure itself constructs dynamic SQL and executes it with the “exec...
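Both this post and Catch the Security Flaw(s) #4 above come down to one mechanism: text supplied by the caller is spliced into the statement and parsed as SQL, whether the splicing happens in a web method building a string for SqlCommand or inside a stored procedure that assembles a string and hands it to exec. The following is an added example, not code from either post, that reproduces the mechanism in Python against an in-memory SQLite database standing in for SQL Server. SQLite has no stored procedures, so the string-building a procedure would do before exec is performed in the calling code; the effect on the parsed statement is the same. Table names, rows and the password-hash strings are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the "test" database in the post.
EMPLOYEES = [("E001", "Alice"), ("E002", "Bob"), ("E003", "Carol")]
USERS = [("admin", "constructed-hash-1"), ("svc_app", "constructed-hash-2")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (empid TEXT PRIMARY KEY, name TEXT NOT NULL)")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    con.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con

def get_emp_names_unsafe(con, empid):
    # Concatenation: the same shape as "... where empid = '" + empid + "'"
    # in a web method, or SET @sql = '... where empid = ''' + @empid + ''''
    # followed by EXEC(@sql) inside a stored procedure. Whatever the caller
    # typed becomes part of the SQL grammar.
    sql = "SELECT name FROM employees WHERE empid = '" + empid + "'"
    return [row[0] for row in con.execute(sql)]

def get_emp_names_safe(con, empid):
    # The statement text is fixed; empid travels as a bound parameter
    # (sp_executesql with a typed parameter is the stored-procedure
    # equivalent) and can only ever be compared as a value.
    sql = "SELECT name FROM employees WHERE empid = ?"
    return [row[0] for row in con.execute(sql, (empid,))]

def demo():
    con = make_db()
    # Tautology: closes the literal and ORs in an always-true condition,
    # turning a single-row lookup into a dump of the table.
    tautology = "E001' OR '1'='1"
    # UNION: appends a second SELECT against a table the method never meant
    # to expose; the trailing -- comments out the closing quote the code adds.
    union = "x' UNION SELECT password_hash FROM users --"
    return {
        "legit_unsafe": get_emp_names_unsafe(con, "E002"),
        "legit_safe": get_emp_names_safe(con, "E002"),
        "tautology_unsafe": sorted(get_emp_names_unsafe(con, tautology)),
        "tautology_safe": get_emp_names_safe(con, tautology),
        "union_unsafe": sorted(get_emp_names_unsafe(con, union)),
        "union_safe": get_emp_names_safe(con, union),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} {rows}")
```

Note that the parameterized version returns nothing for the attack strings rather than erroring: there simply is no employee whose id is that text. Moving the query into a stored procedure does not change this analysis; only the point at which the caller's text stops being data and starts being statement does, and a procedure that builds and exec's a string moves that point inside the database.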
How To: Run Sql Server Agent and Sql Server Jobs with least privilege in Sql Server 2005
Posted over 5 years ago by Varun Sharma, 6 comments
How to: Run Sql Server Agent service under an account which is not a member of the local administrators group 1. Add the account under which you want to run the Sql Server agent service in the SQLServer2005SQLAgentUser$ComputerName$MSSQLSERVER group...
Page 1 of 1 (24 items)