[Guest Blogger] Tatiana Zamachnaia on Security Paranoia Revisited: Do Not Trust Even Gurus
My latest consulting gig called for a reporting solution. I tried the GridView and other ASP.NET 2.0 controls, but this solution needed a custom ASP.NET Server Control that would be extremely lightweight. The custom control needed to be similar to the Repeater, with extra features and functionality such as the ability to do paging on demand.
I went online to take a look at what the best of the best recommend. I ran into the Pager control by one of the best .NET researchers.
I downloaded the code and tested it, and it was a good match. The license allowed incorporating it in the project, and I was really happy about this little pager control.
Never on earth would I question the author’s expertise. His prestige is high and his leadership in ASP.NET is unquestionable. I’ve never seen any article from him that wouldn’t offer valuable stuff. I am just raving about his work to everybody: my students, .NET friends, developers. However, when I test, I test. After I was satisfied with the functionality, I wanted to break the thing. The very first thing I did was use my friend, the View State Decoder by Fritz Onion.
Lo and behold! I could see the connection string staring at me (which of course I suspected when I looked at the code, but again, I thought that this couldn't happen to the guru’s component).
Unfortunately, I thought that there would be issues with the original design if I tried to fix it (of course, the first thing I thought of is to encrypt the connection string).
This issue was discovered in the beginning of January and sent to Microsoft. I got the response that it was resent and things would be taken care of.
It looks like the article is still dated and has not been updated, or at least from what I can see.
My concern is that many developers might be using this control without questioning security. Again, the prestige of the author of the control is extremely high, and I really admire what he does. So does everybody. I am afraid developers would just blindly grab the control as it is.
During my security seminar in Ottawa I showed .NET developers a piece of view state by viewing the page source. I sounded enthusiastic when I was commenting on the garbagey look of it. So, when I asked whether it is encrypted, most of the people said: yes. So, you get the idea about how many people think they are safe. (For reference: it is encoded, but not encrypted.)
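As an added check, not code from the post or from the pager control it discusses: a small Python script that base64-decodes a __VIEWSTATE value the way the View State Decoder does and flags connection-string fragments sitting in it as plain text. The sample view state is constructed to mimic the ASP.NET 2.0 ObjectStateFormatter layout, and the encrypted-versus-encoded test is a header heuristic assumed from that format, not an ASP.NET API.

```python
import base64
import re

FORMAT_HEADER = b"\xff\x01"   # ObjectStateFormatter marker + version byte (ASP.NET 2.0)
SECRET_MARKERS = ("Password=", "Pwd=", "User ID=", "Data Source=", "Server=")

def _los_string(s: str) -> bytes:
    """Token_String (0x05) + 7-bit-encoded length + UTF-8 bytes, as BinaryWriter writes it."""
    data = s.encode("utf-8")
    n, length = len(data), b""
    while n >= 0x80:
        length += bytes([(n & 0x7F) | 0x80])
        n >>= 7
    return b"\x05" + length + bytes([n]) + data

# Constructed sample (NOT captured from the pager control in the post): a minimal
# blob shaped like ObjectStateFormatter output that carries a connection string.
SAMPLE_VIEWSTATE = base64.b64encode(
    FORMAT_HEADER + _los_string("Data Source=db01;Initial Catalog=Sales;User ID=app;Password=S3cret!")
).decode("ascii")

# Constructed stand-in for what an encrypted view state decodes to: opaque bytes, no header.
SAMPLE_ENCRYPTED_LIKE = base64.b64encode(bytes(range(0x80, 0xA0)) * 2).decode("ascii")

def decode_viewstate(value: str) -> bytes:
    """Base64-decode a __VIEWSTATE field; no key is involved, this is encoding only."""
    return base64.b64decode(value)

def looks_encrypted(blob: bytes) -> bool:
    """Heuristic: an unencrypted ASP.NET 2.0 view state starts with the 0xFF 0x01 header;
    with viewStateEncryptionMode="Always" the decoded bytes are ciphertext and the header
    is not visible."""
    return not blob.startswith(FORMAT_HEADER)

def printable_runs(blob: bytes, min_len: int = 8) -> list:
    """Pull out runs of printable ASCII from the raw blob, the way `strings` does."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def find_secrets(value: str) -> list:
    """Return printable runs of a __VIEWSTATE value that look like connection-string
    fragments; empty for an encrypted view state (nothing readable) or a clean one."""
    blob = decode_viewstate(value)
    if looks_encrypted(blob):
        return []
    return [run for run in printable_runs(blob)
            if any(marker.lower() in run.lower() for marker in SECRET_MARKERS)]

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_VIEWSTATE):
        print("plaintext secret in view state:", hit)
```

The real fix is to keep the connection string out of view state altogether (read it from configuration on each request); encryption only hides a secret that should not have been sent to the browser in the first place.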
Moral: Do Not Trust Anything (Or Anybody) Unless Proved Harmless
Tatiana Zamachnaia is an independent consultant who specializes in ASP.NET architecture and has a passion for ASP.NET security. She has been working with .NET since the early beta and became interested in ASP.NET security in late 2003. Tatiana is a .NET evangelist and has mentored .NET developers and taught .NET in academic settings. Tatiana aspires to public speaking on the subject of security and has started regionally by making presentations in the Ottawa area.