
Browse by Tags

All Tags » FxCop
FxCop rule to verify the use of ASP.NET MVC AntiforgeryTokenAttribute
I’ve been working on code auditing for a project that makes use of the latest ASP.NET MVC API. It turned out that it didn’t benefit from the built-in CSRF mitigation available since the Preview 5 version of the API. The mitigation is quite simple and generates ...
Checking for ViewStateUserKey using FxCop
ASP.NET has had a mitigation to protect against CSRF/One-Click attacks since 1.1 with the use of the Page.ViewStateUserKey property. I've implemented a basic FxCop rule to verify if this property is used on each page. The rule is basic so it doesn't look ...
FxCop HtmlSpotter - Spotting ASP.NET XSS using FxCop and Html encoding document
In my previous post, I provided a list of which ASP.NET HTML control properties offer automatic HTML encoding. As a side note, I was made aware that an older version of that file is available from the support files of the Hunting Security Bugs book. ...