Welcome to MSDN Blogs Sign in | Join | Help

September 2008 - Posts

Checking for ViewStateUserKey using FxCop
ASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. I've implemented a basic FXCop rule to verify if this property is used on each page. The rule is basic so it doesn't look Read More...
Posted: Thursday, September 25, 2008 9:31 PM by sfaust | 0 Comments
Filed under: , , ,
Fxcop HtmlSpotter - Spotting ASP.NET XSS using Fxcop and Html encoding document
In my previous post , I provided a list of which ASP.NET HTML control property that offers automatic HTML encoding. As a side note, I was made aware that an older version of that file is available from the support files of the Hunting Security Bugs book. Read More...
Posted: Thursday, September 18, 2008 9:30 PM by sfaust | 2 Comments
Filed under: , , ,
Which ASP.NET Controls Automatically Encodes?
I've had a lot of people ask me which ASP.NET control offers automatic html encoding and the answer I had for a long time was to look at MSDN or even write a quick sample and test the behavior. If you are asking yourself the same question, you can now Read More...
Posted: Tuesday, September 02, 2008 6:20 AM by sfaust | 4 Comments
Filed under: , ,
Page view tracker