Code Junkie

Anti-XSS vNext – Web Protection Library

anilkr — Thu, 05 Nov 2009 19:17:20 GMT

Want to know more when you can get your hands on the next version of Anti-XSS library, check out this blog about our upcoming CTP release of Web Protection Library.

http://blogs.msdn.com/securitytools/archive/2009/10/17/web-protection-library-ctp-release-coming-soon.aspx

Thanks

Anil

How to Detect and avoid memory Leaks in .NET applications?

anilkr — Thu, 05 Nov 2009 19:13:56 GMT

Here is an excellent MSDN article on how to detect and avoid memory leaks in .NET applications.

http://msdn.microsoft.com/en-us/library/ee658248.aspx

A must read for Sr. Developers and Testers.

Thanks
Anil

Anti-XSS Library v3.1 is now Live!

anilkr — Wed, 23 Sep 2009 22:08:35 GMT

You can now download the new version of Anti-XSS library v3.1 from Microsoft.com Download Center. For more details check this blog post.

http://blogs.msdn.com/securitytools/archive/2009/09/17/anti-xss-library-v3-1-released.aspx

Thanks
Anil

HTML Sanitization using Anti-XSS Library

anilkr — Wed, 23 Sep 2009 20:14:31 GMT

Now you can filter (sanitize) HTML using Anti-XSS library v3.1 features. More information can be found at http://blogs.msdn.com/securitytools/archive/2009/09/01/html-sanitization-in-anti-xss-library.aspx.

Thanks
RV

Cascading Style Sheet Strings Encoding

anilkr — Wed, 26 Aug 2009 18:53:43 GMT

I recently blogged about encoding cascading style sheet strings. A new feature is being added to the next version of Web Protection Library (anti-xss library).

http://blogs.msdn.com/securitytools/archive/2009/08/21/encoding-cascading-style-sheet-strings.aspx

Thanks
Anil RV

LDAP Injection and Mitigation

anilkr — Tue, 11 Aug 2009 20:37:15 GMT

Yesterday I posted a blog entry on our team blog about LDAP Injection and how to mitigate it using the next version of WPL. You can find it here.

http://blogs.msdn.com/securitytools/archive/2009/08/11/ldap-injection-and-mitigation.aspx

Thanks
RV

Understanding SDL-LOB Blog Series

anilkr — Thu, 30 Jul 2009 22:36:20 GMT

My colleague Anmol has done it again, he has posted more blog entries on specific phases of Security Development Lifecycle for Line-of-Business (SDL-LOB)applications. These posts give you more details on what are the action items in specific phase and associated tools, checklists etc.

Blog Series- Get Familiar with the SDL-LOB Process, Introduction to Phase 1- Requirements for LOB

Blog Series- Get Familiar with the SDL-LOB Process, Introduction to Phase 2- Design for LOB

Blog Series- Get Familiar with the SDL-LOB Process. Introduction to Phase 3- Implementation for LOB

Blog Series- Get Familiar with the SDL-LOB Process. Introduction to Phase 4- Verification for LOB

A must read for security professionals!

Thanks
RV

Security Guidance and Threat Modeling

anilkr — Thu, 30 Jul 2009 22:27:35 GMT

I just posted a blog entry on the main drivers behind CTL in TAM v3.0. You can check it out at IST blog site.

http://blogs.msdn.com/securitytools/archive/2009/07/30/security-guidance-and-threat-modeling.aspx

Thanks
RV

OWASP Seattle Chapter Talk on Anti-XSS

anilkr — Wed, 29 Jul 2009 05:54:19 GMT

Two weeks from now on August 11th in Bellevue I am going to talk about Anti-XSS Library. Talk is not only about the new features but also about the internal workings on Anti-XSS and some tidbits on our new WPL internals. Its going to be in the evening at 6:30 pm in Bellevue Las Margaritas.

Bellevue Las Margaritas
437 108th Ave NE
Bellevue, WA 98004
(425) 453-0535

For more details on other speakers and abstract, please check.

http://www.owasp.org/index.php/Seattle#Next_Event_11_August_.28Tuesday.29

Thanks
RV

TAM v3.0 beta is live!

anilkr — Tue, 21 Jul 2009 21:33:11 GMT

A new version of threat analysis and modeling tool has been released. This version has significant improvements from previous version as identified in previous posts. You can find more information on the download link and bugs link from TAM 3.0 Beta is Now Live!.

Thanks
RV

TAM v3.0 New Features!

anilkr — Tue, 21 Jul 2009 01:01:03 GMT

Just posted a blog entry on the new threat analysis and modeling release features on our security tools blog site. Check it out at Threat Analysis And Modeling (TAM) v3.0 – Learn about the New Features!.

Thanks
RV

Connection String Injection Attack

anilkr — Tue, 21 Jul 2009 00:58:11 GMT

Today I was looking at some new classes in .NET 2.0 and stumbled across DbConnectionStringBuilder class. This class provides compile time checks around building connection strings with user input. If you are constructing connection string dynamically by accepting server name from the user you could be vulnerable to this attack. Here is an example on how to mitigate that using SqlConnectionStringBuilder class.

System.Data.SqlClient.SqlConnectionStringBuilder builder =
  new System.Data.SqlClient.SqlConnectionStringBuilder();
builder["Data Source"] = "(local)";
builder["Integrated Security"] = true;
builder["Initial Catalog"] = "AdventureWorks";
builder["Persist Security Info"] = "false";
Console.WriteLine(builder.ConnectionString);

If you re using user input to create a connection string, you must use this class. Additionally you should perform input validation before passing data to this class. For more information about this class and generic connection string security check the following links.

Connection String Builders (ADO.NET)
Using the SqlConnectionStringBuilder to guard against Connection String Injection Attacks
Securing Connection Strings

Thanks
Anil

Web Protection Library – new Project

anilkr — Thu, 09 Jul 2009 22:25:07 GMT

Another post on the new security tools blog about WPL.

http://blogs.msdn.com/securitytools/archive/2009/07/09/web-protection-library-wpl-a-brief-introduction.aspx

Thanks
RV

Threat Analysis and Modeling 3.0 Video

anilkr — Tue, 07 Jul 2009 22:14:29 GMT

Here is a video that I did couple of weeks back about TAM 3.0 release. It gives some details on the new features and how we started working on TAM 3.0 release. Will post more details as I get them.

http://channel9.msdn.com/posts/Jossie/Thread-Analysis--Modeling-Tool-TAM-30/

Thanks
Anil RV

Multiple Modal POPUPS and Z-Index

anilkr — Tue, 23 Jun 2009 03:40:09 GMT

AJAX modal popup extender gives developers ability to show javascript based modal windows. This powerful extender can be used to show editing UI, progress bars and/or error messages etc. This does pose some challenges specially when there are two modal popups that get invoked. During some of my tests, popups seemed to be displayed in an order where one popup is hidden beneath other popup. This is specially true when showing progress popups when an popup is already on the page.

This problem can be easily solved by using larger z-index values for popup css classes. Ensure that progress window is always higher than the rest of z-index. Here is a sample css classes for progress and regular popups.

.modalBackground 
{    
    position:absolute;
    z-index:10000;
}

.modalWindow
{
    position:absolute;
    z-index:10001;
}

/* Separate css element for error modals to specify 
z-index to get the popup on top of all existing popups*/
.progressModalWindow
{
    z-index:11000;
    position:absolute;
}

.progressModalBackground 
{
    z-index:10999;
    position:absolute;
}

Additionally I changed the AjaxControlToolkit/ModalPopup/ModalPopupBehavior.js to ensure that these custom values are used for styling. Because toolkit default code contains hardcoded z-index values. Comment the lines 118 and 126.

this._backgroundElement.style.zIndex = 10000; //Comment this line. 118
....
....
....
//Comment this line. 126
this._foregroundElement.style.zIndex = 
$common.getCurrentStyle(this._backgroundElement, 'zIndex', 
this._backgroundElement.style.zIndex) + 1;

Once you comment the two lines, your css elements should take over and should provide the necessary z-index order to the popup div’s.

Thanks
Anil