
Another post on the new security tools blog about WPL.

http://blogs.msdn.com/securitytools/archive/2009/07/09/web-protection-library-wpl-a-brief-introduction.aspx

Thanks
RV

Here is a video I recorded a couple of weeks ago about the TAM 3.0 release. It covers some of the new features and how we started work on the TAM 3.0 release. I will post more details as I get them.

http://channel9.msdn.com/posts/Jossie/Thread-Analysis--Modeling-Tool-TAM-30/

Thanks
Anil RV

The AJAX ModalPopup extender gives developers the ability to show JavaScript-based modal windows. This powerful extender can be used to show editing UI, progress bars, error messages and so on. It does pose some challenges, especially when two modal popups are invoked. During some of my tests the popups were displayed in an order where one popup was hidden beneath the other. This is especially true when showing a progress popup while another popup is already on the page.

This problem is easily solved by using larger z-index values for the popup CSS classes. Ensure that the progress window's z-index is always higher than the rest. Here are sample CSS classes for progress and regular popups.

.modalBackground 
{    
    position:absolute;
    z-index:10000;
}

.modalWindow
{
    position:absolute;
    z-index:10001;
}

/* Separate css element for error modals to specify 
z-index to get the popup on top of all existing popups*/
.progressModalWindow
{
    z-index:11000;
    position:absolute;
}

.progressModalBackground 
{
    z-index:10999;
    position:absolute;
}

Additionally, I changed AjaxControlToolkit/ModalPopup/ModalPopupBehavior.js to ensure that these custom values are used for styling, because the toolkit's default code contains hardcoded z-index values. Comment out lines 118 and 126:

this._backgroundElement.style.zIndex = 10000; // Comment out this line (line 118).
....
// Comment out this line (line 126).
this._foregroundElement.style.zIndex =
    $common.getCurrentStyle(this._backgroundElement, 'zIndex',
        this._backgroundElement.style.zIndex) + 1;

Once you comment out those two lines, your CSS classes take over and provide the necessary z-index order for the popup divs.

Thanks
Anil

I have been using Windows Media Center for a while now, so naturally I was waiting for the Windows 7 release. With the public RC I finally upgraded my home setup of HDHomeRun + 2 ATI Digital Cable Tuners, XBOX 360 and DMA 2100 to Windows 7. Windows 7 Media Center is way cooler than Vista Media Center; with multiple codec support and a clean UI I really enjoy it. After some research around Media Center themes, I came across www.theme7mc.com, which provides themes for Windows 7 Media Center. I really like Bokeh and Astrotoy7 Black. Windows Media Center backgrounds and color schemes are stored in a resource file; these themes replace the resource file while backing up the original. They work on extenders as well. BTW, check out www.hack7mc.com for tips and tricks to customize Media Center for your needs.

Thanks
Anil

If you are writing .NET applications, chances are that one of them could be the next big LOB application in your organization. Securing those applications is hard without an objective methodology. SDL-LOB provides a framework for securing Line of Business (LOB) applications that overlays your standard SDLC phases, defining specific activities for each phase of the SDLC. You can get more information about it at http://msdn.microsoft.com/en-us/library/dd831975.aspx.

My colleague Anmol has a good blog entry on getting familiar with SDL-LOB. Keep following www.msinfosec.com for more updates on SDL-LOB.

Thanks
Anil

I am pretty confident most of you have developed web applications for global use that display date and time according to the user's local time zone. Although it is possible to do this on the server side, it is more efficient and easier to do it on the client side, in the browser, since JavaScript's built-in Date object already does the UTC-to-local conversion.

Imagine you have a lot of labels and text boxes that require you to convert UTC date and time to local date and time. With the help of AJAX extenders you can do this on the client side very easily, so I have written an AJAX extender that runs on the client side and does the conversion automatically. When attached to a label or text box, it reads the date and time in the control and converts it to the local date and time.

<asp:Label ID="DateLabel" runat="server" Text='<%#Eval("Date") %>' />
<cc2:UTCToLocalExtenderControl ID="UTCToLocalExtenderControl1" runat="server" TargetControlID="DateLabel" DateTimeFormatString="g" />

The majority of the work is done in the extender's behavior.js file.
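The conversion the extender performs on the client, as an added example in plain JavaScript that is not the post's behavior.js code. It assumes the control's text is an ISO 8601 UTC timestamp and that DateTimeFormatString="g" means the en-US general short pattern "M/d/yyyy h:mm tt"; the function names and the offsetMinutes override are mine.

```javascript
// Added example (not the post's extender code): the conversion the
// UTCToLocalExtender performs on the client, written as plain JavaScript so it
// runs outside ASP.NET. Assumptions: the control's text is an ISO 8601 UTC
// timestamp such as "2008-12-17T18:30:00Z", and DateTimeFormatString="g" means
// the en-US general short pattern "M/d/yyyy h:mm tt".

// Accept only unambiguous UTC input. Date.parse of .NET ToString() output is
// browser-specific, so anything else is returned unchanged by the caller.
function parseUtc(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2})(?::(\d{2}))?Z$/.exec(text.trim());
  if (!m) return null;
  return new Date(Date.UTC(+m[1], m[2] - 1, +m[3], +m[4], +m[5], +(m[6] || 0)));
}

// Format a Date in the viewer's zone using the "g" pattern. offsetMinutes
// (minutes east of UTC) overrides the browser's zone so results are
// deterministic; omit it in the browser to use the user's local zone.
function formatLocalG(date, offsetMinutes) {
  const off = offsetMinutes === undefined ? -date.getTimezoneOffset() : offsetMinutes;
  const local = new Date(date.getTime() + off * 60000); // shift, then read UTC fields
  const M = local.getUTCMonth() + 1;
  const d = local.getUTCDate();
  const y = local.getUTCFullYear();
  let h = local.getUTCHours();
  const tt = h >= 12 ? "PM" : "AM";
  h = h % 12 || 12; // 0 and 12 both display as 12
  const mm = String(local.getUTCMinutes()).padStart(2, "0");
  return `${M}/${d}/${y} ${h}:${mm} ${tt}`;
}

// What the extender does when it attaches: read the control's text, convert
// it, and write the local representation back (here: return it).
function utcToLocalText(controlText, offsetMinutes) {
  const dt = parseUtc(controlText);
  return dt ? formatLocalG(dt, offsetMinutes) : controlText;
}
```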

Thanks
Anil

Second part of the SecureString blog post. Check it out at http://blogs.msdn.com/cisg/archive/2008/12/17/secure-string-in-net-part-ii.aspx.

Thanks
RV

Published a new blog on how SRE works internally. Kind of a starter course on Anti-XSS SRE code. Check it out at How the Anti-XSS 3.0 SRE Works.

Thanks
RV

On January 9th there will be a webcast on technet about Anti-XSS v3.0. This will showcase some of the improvements done to the Anti-XSS library. The webcast registration url is http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032398771&Culture=en-US.

Thanks
RV

Deployment Reviews is a process for checking a host's security settings, mostly those that affect the applications hosted on it. A TechNet webcast has been scheduled to reveal an automated tool that checks deployment security settings. The webcast is on 12/15/2008 from 10:30 AM to 11:30 AM, and the following is the registration link for it.

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032396517&Culture=en-US

Thanks
RV

The M language is awesome; I have been experimenting with it for quite some time now. It allows you to create models of types in a descriptive language. The idea behind M is to capture the developer's intent in a descriptive language for modeling purposes. Additionally, it converts these types into a SQL schema for application storage. If you have a type called Developer, you can create data for the type, write methods for it, and so on. All of this is automatically converted into T-SQL tables, views and functions to be created in SQL Server. Once you have these tables and views, you can use any middleware to write data to them. In essence, you no longer need to create SQL tables in SQL Management Studio: just create the types in M and you are good to go. M syntax also supports LINQ expressions, which can be used to write powerful methods that are created as functions in SQL. The following is a sample type; the SQL code for it, which was automatically generated, is attached.

module CISGType
{
    type Developer
    {
        FirstName : Text where value.Count <=255;
        LastName : Text;
        ID : Integer32 = AutoNumber();
    } where identity(ID);
   

    Developers : Developer*
    {
        { FirstName="Anil",LastName="Revuru" },
        { FirstName="Anil", LastName="Chintala" },
        { FirstName="Mark", LastName="Curphey" }
    };
}

As shown in the example above, you can do a whole bunch of things with this: put constraints on type members, auto-generate identifiers, specify identity columns and so on. Check the full list in the M Language Reference. Here are some more links for the M language. If you want to get started, watch the PDC 2008 video and download the SDK.

M Grammar in nutshell
M Language Reference
Oslo Developer MSDN Page
Oslo SDK Download
PDC 2008 OSLO video

Thanks
Anil RV

From a security perspective what's wrong with this code?

   1: <html>
   2: <head>
   3: <title>Welcome Page</title>
   4: <script language="JavaScript">
   5: function openNewWindow()
   6: {
   7:    window.open('<%=Server.HtmlEncode(Request.QueryString["URL"])%>');
   8: }
   9: </script>
  10: </head>
  11: <body>
  12: Welcome <%=Context.User.Identity.Name %>
  13: <br/>
  14: Click <a href="javascript:openNewWindow();">here</a> to open the link in new window.
  15: </body>
  16: </html>

Answer: 2 bugs. I always start with the inputs and see where they are going. We have two inputs here: one from the query string (line 7) and the other from the context (line 12). First, let's start with line 7. It is obvious that QueryString data is untrusted, so the developer encodes it using Server.HtmlEncode. But Server.HtmlEncode does not work inside JavaScript, as it does not encode all the characters that are dangerous in that context, so this is a bug. For more information on what Server.HtmlEncode does, see http://blogs.msdn.com/cisg/archive/2008/08/28/output-encoding.aspx. The second input seems benign, as it is just a username, which is usually simple. Wrong: where users register on the site and can choose any username they want, they could very well put JavaScript in it, which will in turn be returned by Identity.Name. Line 12 also needs to be output encoded using the AntiXss library.
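Why Server.HtmlEncode is the wrong encoder for line 7, shown as an added example that is not code from the original post or from the AntiXss library: a model of the .NET 3.5-era HtmlEncode beside a JavaScript string-literal encoder, with a check that evaluates only the resulting literal and reports whether the value survived intact. The function names, the HtmlEncode model and the sample value are assumptions of mine.

```javascript
// Added example (not from the original post): why Server.HtmlEncode is the
// wrong encoder for line 7 of the quiz, where the value lands inside a
// JavaScript string literal, and what a JavaScript-context encoder does instead.

// Assumption: this models the .NET 3.5-era Server.HtmlEncode, which only
// touches &, <, > and ". A single quote, backslash or newline passes through.
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// JavaScript string-literal encoder in the style of AntiXss JavaScriptEncode:
// every UTF-16 unit outside [A-Za-z0-9] becomes \xHH or \uHHHH, so a quote,
// backslash, newline or "</script>" can never end the literal or the block.
function jsStringEncode(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const ch = s[i];
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (c < 0x100) out += "\\x" + c.toString(16).padStart(2, "0");
    else out += "\\u" + c.toString(16).padStart(4, "0");
  }
  return out;
}

// Render the quiz's line 7 with a chosen encoder.
function renderOpenCall(url, encoder) {
  return "window.open('" + encoder(url) + "');";
}

// Check: evaluate only the string literal (never window.open) and compare it
// to the original value. If the encoding let the value terminate or mangle
// the literal, the result is null instead of the original string.
function literalRoundTrip(encoded) {
  try {
    return new Function("return '" + encoded + "';")();
  } catch (e) {
    return null; // SyntaxError: the literal was terminated early or malformed
  }
}

// Constructed sample value containing the characters an HTML encoder ignores.
const SAMPLE_URL = "http://example.com/?q='+1 \\ \n </x>";
```

With the HTML encoder the quote, backslash and newline reach the script untouched and the literal no longer round-trips; with the JavaScript encoder the rendered line contains only alphanumerics and escapes, and the original value comes back unchanged.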

More AntiXss Library blogs:

What is the Microsoft Anti-XSS Library

Real World XSS Vulnerabilities in ASP.NET Code

There is a very good article on MSDN magazine about security bugs. A good Q&A to determine your security IQ. Check it out at http://msdn.microsoft.com/en-us/magazine/cc982154.aspx.

In this spirit I will try to post some security Q&A, especially on web and Windows applications.

This Tuesday I spoke at the OWASP MN mini conference at the University of Minnesota's St. Paul Student Center. There were some very impressive speakers: Brian Chess, Richard Stallman and Jeff Williams. I spoke about our CISF framework and tools.

http://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference

Thanks
RV

We have been working on this project for some time now. It is an HTTP module that protects web applications from certain attacks.

http://blogs.msdn.com/cisg/archive/2008/10/24/a-sneak-peak-at-the-security-runtime-engine.aspx

Thanks
RV
