Welcome to MSDN Blogs Sign in | Join | Help

Browse by Tags

All Tags » ASP.NET   (RSS)
Fxcop rule to verify the use of ASP.NET MVC AntiforgeryTokenAttribute
I’ve been working on code auditing for a project that makes use of the latest ASP.NET MVC api. Turned out that it didn’t benefit from the built-in CSRF mitigation available since preview 5 version of the api. The mitigation is quite simple and generates Read More...
Posted: Wednesday, January 07, 2009 9:56 PM by sfaust | 2 Comments
Filed under: , , ,
Checking for ViewStateUserKey using FxCop
ASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. I've implemented a basic FXCop rule to verify if this property is used on each page. The rule is basic so it doesn't look Read More...
Posted: Thursday, September 25, 2008 9:31 PM by sfaust | 0 Comments
Filed under: , , ,
Fxcop HtmlSpotter - Spotting ASP.NET XSS using Fxcop and Html encoding document
In my previous post , I provided a list of which ASP.NET HTML control property that offers automatic HTML encoding. As a side note, I was made aware that an older version of that file is available from the support files of the Hunting Security Bugs book. Read More...
Posted: Thursday, September 18, 2008 9:30 PM by sfaust | 2 Comments
Filed under: , , ,
Which ASP.NET Controls Automatically Encodes?
I've had a lot of people ask me which ASP.NET control offers automatic html encoding and the answer I had for a long time was to look at MSDN or even write a quick sample and test the behavior. If you are asking yourself the same question, you can now Read More...
Posted: Tuesday, September 02, 2008 6:20 AM by sfaust | 4 Comments
Filed under: , ,
Page view tracker