CAT.NET configuration rules

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

This blog post collects the configuration rules that CAT.NET checks in web.config (and, for the WCF rules, in the system.serviceModel section). Each entry below gives the rule name, the title CAT.NET reports, a description of the setting and the resolution text. In the resolution text, {0} and {1} are the placeholders CAT.NET fills in with the name of the configuration file and the line number of the offending element. Every rule can be suppressed with SuppressMessageAttribute using the category and check ID quoted in its resolution; a suppression should record why the setting is acceptable for that particular application.

PagesValidateRequestDisabledRule

Title: Avoid disabling request validation using <pages> element

Description: The validateRequest attribute in the configuration file of an ASP.NET application enables ASP.NET to examine input from the browser for potentially dangerous values such as HTML markup. Request validation is a coarse backstop and does not replace output encoding, which is why switching it off for the whole application is flagged. For more information on this attribute see http://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.validaterequest.aspx.

Resolution: Set the validateRequest attribute to true in the {0} file at line {1}. Example: <configuration><system.web><pages validateRequest="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11001:PagesValidateRequestDisabledRule")] to your code.

CompilationDebugEnabledRule

Title: Avoid enabling debug attribute in <compilation> element

Description: Setting <configuration><system.web><compilation debug="true"> in web.config puts debugging information into the compiled assemblies that is not required for normal execution, and while it is set ASP.NET does not enforce the httpRuntime executionTimeout, so a single slow request can run indefinitely. Debug builds also run without compiler optimizations.

Resolution: Set the debug attribute to false in the {0} file at line {1}. Example: <configuration><system.web><compilation debug="false" /></system.web></configuration>. If debugging is required, suppress this warning with SuppressMessageAttribute: [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11002:CompilationDebugEnabledRule")]

FormsAuthenticationRequireSSLRule

Title: Avoid disabling requireSSL attribute in <forms> element

Description: The requireSSL attribute in the configuration file of an ASP.NET application determines whether an SSL (Secure Sockets Layer) connection is required to transmit the forms-authentication cookie. When it is true the cookie is issued with the Secure flag, so the browser never sends it over plain HTTP. For more information on this attribute see http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl.aspx.

Resolution: Set the requireSSL attribute to true in the {0} file at line {1}. Example: <configuration><system.web><authentication><forms requireSSL="true" /></authentication></system.web></configuration>. If SSL cannot be used, suppress this warning with SuppressMessageAttribute by adding [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11003:FormsAuthenticationRequireSSLRule")] to your code.

PagesViewstateEncryptionModeRule

Title: Set viewstate encryption mode to Always in <pages> element

Description: The viewStateEncryptionMode attribute in the configuration file of an ASP.NET application controls whether the view-state information in a Page object is encrypted. With the default value Auto, view state is encrypted only when a control asks for it; Always encrypts it on every page, so data a control stores in view state cannot be read by the client. For more information on this attribute see http://msdn.microsoft.com/en-us/library/system.web.ui.viewstateencryptionmode.aspx.

Resolution: Set the viewStateEncryptionMode attribute to Always in the {0} file at line {1}. Example: <configuration><system.web><pages viewStateEncryptionMode="Always" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("WebSecurity.Configuration","WebConfig:PagesViewstateEncryptionMode")] to your code.

PagesEnableViewStateRule

Title: Avoid disabling viewstate using <pages> element

Description: The enableViewState attribute in the configuration file specifies whether view state is enabled and maintained across page requests.

Resolution: Set the enableViewState attribute to true in the {0} file at line {1}. Example: <configuration><system.web><pages enableViewState="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11005:PagesEnableViewStateRule")] to your code.

PagesEnableViewStateMacRule

Title: Avoid disabling enableViewStateMac using <pages> element

Description: The enableViewStateMac attribute in the configuration file specifies whether ASP.NET computes a message authentication code (MAC) over the view state for the page and checks it when the page is posted back from the client. If true, view state that has been tampered with on the client is rejected; the MAC is applied whether or not view state is also encrypted.

Resolution: Set the enableViewStateMac attribute to true in the {0} file at line {1}. Example: <configuration><system.web><pages enableViewStateMac="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11006:PagesEnableViewStateMacRule")] to your code.

PagesEnableEventValidationRule

Title: Avoid disabling enableEventValidation using <pages> element

Description: The enableEventValidation attribute in the configuration file specifies whether pages and controls validate postback and callback events. When it is true, a postback that carries a value the page did not render (for example a list item that was not in a DropDownList) is rejected instead of being processed.

Resolution: Set the enableEventValidation attribute to true in the {0} file at line {1}. Example: <configuration><system.web><pages enableEventValidation="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11007:PagesEnableEventValidationRule")] to your code.
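The seven <pages>, <compilation> and <forms> rules above all reduce to comparing one attribute against an expected value, with one subtlety worth checking for yourself: the titles say "avoid disabling", so the rules look at values written in the file, but an attribute that is simply absent takes the framework default, and for requireSSL and viewStateEncryptionMode that default is already the insecure state. The Python checker below is an added example written for this post, not CAT.NET code; the rule table, the ASP.NET 2.0/3.5 defaults it assumes, and the sample web.config are all constructed for the example.

```python
"""Check a web.config against the <pages>/<compilation>/<forms> rules above.
Added example for this post; not CAT.NET code."""
import xml.etree.ElementTree as ET

# (rule name, path below <configuration>, attribute, expected value,
#  value ASP.NET assumes when the attribute is absent).
# The defaults are the ASP.NET 2.0/3.5 framework defaults as assumed for this
# example, not something CAT.NET or the post states.
RULES = [
    ("PagesValidateRequestDisabledRule", "system.web/pages", "validateRequest", "true", "true"),
    ("CompilationDebugEnabledRule", "system.web/compilation", "debug", "false", "false"),
    ("FormsAuthenticationRequireSSLRule", "system.web/authentication/forms", "requireSSL", "true", "false"),
    ("PagesViewstateEncryptionModeRule", "system.web/pages", "viewStateEncryptionMode", "Always", "Auto"),
    ("PagesEnableViewStateRule", "system.web/pages", "enableViewState", "true", "true"),
    ("PagesEnableViewStateMacRule", "system.web/pages", "enableViewStateMac", "true", "true"),
    ("PagesEnableEventValidationRule", "system.web/pages", "enableEventValidation", "true", "true"),
]

def check_config(xml_text, flag_insecure_defaults=True):
    """Return (rule, observed value, source) findings for one web.config.
    source is 'explicit' for a value written in the file and 'default' for a
    missing attribute whose framework default is already the insecure state."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule, path, attr, expected, default in RULES:
        elem = root.find(path)
        value = elem.get(attr) if elem is not None else None
        if value is None:
            if flag_insecure_defaults and default.lower() != expected.lower():
                findings.append((rule, default, "default"))
        elif value.lower() != expected.lower():
            findings.append((rule, value, "explicit"))
    return findings

# Constructed sample: two explicit weaknesses (validateRequest, debug) and two
# insecure defaults (no requireSSL on <forms>, no viewStateEncryptionMode).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="3.5" />
    <pages validateRequest="false" enableViewStateMac="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for rule, value, source in check_config(SAMPLE_WEB_CONFIG):
        print(f"{rule}: observed {value} ({source})")
```

Run with flag_insecure_defaults=False the checker reports only what CAT.NET's "avoid disabling" wording implies (the two explicit values); with the default True it also reports the missing requireSSL and viewStateEncryptionMode, which is the list a reviewer actually wants.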

AnonymousIdentificationCookielessRule

Title: Avoid using the URI to store the anonymous identifier using <anonymousIdentification> element

Description: The cookieless attribute of the anonymousIdentification element specifies whether cookies are used to carry the anonymous identifier for a Web application. The HttpCookieMode enumeration supplies the value for this attribute and is shared by all features that support cookieless operation. When AutoDetect is specified, ASP.NET queries the browser or device to determine whether it supports cookies; if it does, cookies are used to persist user data, otherwise the identifier is placed in the URL. An identifier carried in the URL leaks through Referer headers, proxy and server logs and bookmarks, which is why the rule asks for cookies only. More information can be found at http://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.

Resolution: Set the cookieless attribute to UseCookies in the {0} file at line {1}. Example: <configuration><system.web><anonymousIdentification cookieless="UseCookies" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11008:AnonymousIdentificationCookielessRule")] to your code.

AnonymousIdentificationCookieProtectionRule

Title: Avoid disabling anonymous identification cookie protection in <anonymousIdentification> element

Description: The cookieProtection attribute of the anonymousIdentification element specifies how the anonymous identification cookie is protected: None, Validation (a MAC so the cookie cannot be altered), Encryption, or All (encrypted and validated). More information can be found at http://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.

Resolution: Set cookieProtection to All in the {0} file at line {1}. Example: <configuration><system.web><anonymousIdentification cookieProtection="All" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11009:AnonymousIdentificationCookieProtectionRule")] to your code.

AnonymousIdentificationCookieRequireSSL

Title: Avoid disabling requireSSL attribute in <anonymousIdentification> element

Description: The cookieRequireSSL attribute of the anonymousIdentification element specifies whether the anonymous identification cookie requires a Secure Sockets Layer (SSL) connection when it is transmitted to the client. When it is true, ASP.NET sets the Secure property on the cookie and the client does not return it unless an SSL connection is in use. More information can be found at http://msdn.microsoft.com/en-us/library/91ka2e6a.aspx.

Resolution: Set the cookieRequireSSL attribute to true in the {0} file at line {1}. Example: <configuration><system.web><anonymousIdentification cookieRequireSSL="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11010:AnonymousIdentificationCookieRequireSSL")] to your code.

BindingSecurityLocalClientDetectReplayRule

Title: Avoid disabling detectReplays attribute in <localClientSettings> element

Description: The detectReplays attribute of localClientSettings is a Boolean value that specifies whether replay attacks against the channel are detected and dealt with automatically on the client side of a WCF binding.

Resolution: Set the detectReplays attribute to true in the {0} file at line {1}. Example: <configuration><system.serviceModel><bindings><customBinding><binding><security><localClientSettings detectReplays="true" /></security></binding></customBinding></bindings></system.serviceModel></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11011:BindingSecurityLocalClientDetectReplayRule")] to your code.

BindingSecurityLocalServiceDetectReplayRule

Title: Avoid disabling detectReplays attribute in <localServiceSettings> element

Description: The detectReplays attribute of localServiceSettings is a Boolean value that specifies whether replay attacks against the channel are detected and dealt with automatically on the service side of a WCF binding.

Resolution: Set the detectReplays attribute to true in the {0} file at line {1}. Example: <configuration><system.serviceModel><bindings><customBinding><binding><security><localServiceSettings detectReplays="true" /></security></binding></customBinding></bindings></system.serviceModel></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11012:BindingSecurityLocalServiceDetectReplayRule")] to your code.

ClearTextConnectionStringRule

Title: Always encrypt database connection strings

Description: A connection string defined in the configuration file is stored in clear text, so anyone who can read the file, or a backup or source-control copy of it, gets the database credentials. Always encrypt the connectionStrings section with the aspnet_regiis.exe tool using either the RSA or the DPAPI protected-configuration provider; the application decrypts it transparently at run time, provided the application identity has access to the key (for RSA, the key container).

Resolution: Encrypt the connection string in the {0} file at line {1}. The connectionStrings section can be encrypted with aspnet_regiis.exe, for example aspnet_regiis -pe "connectionStrings" -app "/MyApp" for the default RSA provider, or with -prov "DataProtectionConfigurationProvider" added for DPAPI. More information on how to encrypt with RSA can be found at http://msdn.microsoft.com/en-us/library/ms998283.aspx, and with DPAPI at http://msdn.microsoft.com/en-us/library/ms998280.aspx. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11013:ClearTextConnectionStringRule")] to your code.

CustomErrorsDisabledRule

Title: Always enable custom errors to return generic error information

Description: The mode attribute of the customErrors element specifies whether custom errors are enabled (On), disabled (Off), or shown only to remote clients (RemoteOnly). With Off, unhandled exceptions return the ASP.NET error page with stack traces, source snippets and version information to every client. RemoteOnly also withholds those details from remote clients while keeping them visible on the server itself. More information can be found at http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx.

Resolution: Set the mode attribute to On in the {0} file at line {1}. Example: <configuration><system.web><customErrors mode="On" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11014:CustomErrorsDisabledRule")] to your code.

DenyAnonymousAccessRule

Title: Always deny anonymous access using <deny> element

Description: The users attribute of the deny element denies the listed users access to the application resources; the value * stands for all users and ? for anonymous (unauthenticated) users. Authorization rules are evaluated top to bottom and the first match wins, so <deny users="*" /> is normally placed after the <allow> elements for the users or roles that should get in; placed first, it locks everyone out. More information can be found at http://msdn.microsoft.com/en-us/library/8aeskccd.aspx.

Resolution: Define the authorization deny element with the users attribute set to * in the {0} file at line {1}. Example: <configuration><system.web><authorization><deny users="*" /></authorization></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11015:DenyAnonymousAccessRule")] to your code.

DenyUnAuthenticatedUsersRule

Title: Always deny unauthenticated users access using <deny> element

Description: The users attribute of the deny element denies the listed users access to the application resources; the value ? matches anonymous (unauthenticated) users only, so <deny users="?" /> forces authentication without restricting which authenticated users get in. More information can be found at http://msdn.microsoft.com/en-us/library/8aeskccd.aspx.

Resolution: Define the authorization deny element with the users attribute set to ? in the {0} file at line {1}. Example: <configuration><system.web><authorization><deny users="?" /></authorization></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11016:DenyUnAuthenticatedUsersRule")] to your code.
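The two <deny> rules above only do what is intended when the elements are in the right order: ASP.NET URL authorization evaluates <allow> and <deny> elements top to bottom, the first rule that matches the request decides, and the <allow users="*" /> inherited from the machine-level configuration applies when nothing matches. The Python model of that evaluation below is an added example for this post, not CAT.NET code or ASP.NET's own implementation; the <authorization> fragments are constructed, user and role names are compared case-sensitively for simplicity, and a user of None stands for an anonymous request.

```python
"""Model ASP.NET URL authorization evaluation for <allow>/<deny> rules.
Added example for this post; not CAT.NET or ASP.NET code."""
import xml.etree.ElementTree as ET

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def is_authorized(authorization_xml, user, roles=(), verb="GET"):
    """Evaluate the children of <authorization> top to bottom; the first rule
    that matches the request decides. If nothing matches, access is allowed,
    which mirrors the <allow users="*" /> supplied by the machine-level config.
    user=None models an anonymous request."""
    root = ET.fromstring(authorization_xml)
    authenticated = user is not None
    for rule in root:
        if rule.tag not in ("allow", "deny"):
            continue
        verbs = _split(rule.get("verbs", "*"))
        if "*" not in verbs and verb not in verbs:
            continue                      # rule restricted to other HTTP verbs
        users = _split(rule.get("users", ""))
        rule_roles = _split(rule.get("roles", ""))
        matched = (
            "*" in users                                   # everyone
            or ("?" in users and not authenticated)        # anonymous only
            or (authenticated and user in users)
            or (authenticated and any(r in roles for r in rule_roles))
        )
        if matched:
            return rule.tag == "allow"
    return True

# Constructed samples: the same two rules in the wrong and the right order,
# the pattern from DenyUnAuthenticatedUsersRule, and a verb-restricted deny.
WRONG_ORDER = """<authorization>
  <deny users="*" />
  <allow roles="Admins" />
</authorization>"""

RIGHT_ORDER = """<authorization>
  <allow roles="Admins" />
  <deny users="*" />
</authorization>"""

DENY_ANONYMOUS = """<authorization>
  <deny users="?" />
</authorization>"""

DENY_ANONYMOUS_POST = """<authorization>
  <deny verbs="POST" users="?" />
</authorization>"""

if __name__ == "__main__":
    print("wrong order, admin:", is_authorized(WRONG_ORDER, "alice", ("Admins",)))
    print("right order, admin:", is_authorized(RIGHT_ORDER, "alice", ("Admins",)))
    print("right order, anonymous:", is_authorized(RIGHT_ORDER, None))
```

The WRONG_ORDER fragment is the case the rule cannot see: it contains the <deny users="*" /> CAT.NET asks for, yet the administrator is locked out along with everyone else, so after satisfying the rule the order of the elements still has to be checked by hand.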

DisableCrossApplicationRedirectRule

Title: Avoid enabling cross application redirect in <forms> element

Description: The enableCrossAppRedirects attribute of the forms element indicates whether authenticated users may be redirected to URLs in other Web applications after logging in. When it is true, an attacker-supplied return URL can bounce a freshly authenticated user to another site. More information can be found at http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx.

Resolution: Set the enableCrossAppRedirects attribute to false in the {0} file at line {1}. Example: <configuration><system.web><authentication><forms enableCrossAppRedirects="false" /></authentication></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11017:DisableCrossApplicationRedirectRule")] to your code.

FormsProtectionAllRule

Title: Always set protection attribute to All in <forms> element

Description: The protection attribute of the forms element specifies how the forms-authentication ticket in the cookie is protected: None, Validation (MAC only), Encryption (encryption only) or All (encrypted and validated). More information can be found at http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx.

Resolution: Set the protection attribute to All in the {0} file at line {1}. Example: <configuration><system.web><authentication><forms protection="All" /></authentication></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11018:FormsProtectionAllRule")] to your code.

HttpCookiesRequireSslRule

Title: Avoid disabling requireSSL attribute in <httpCookies> element

Description: The requireSSL attribute of the httpCookies element indicates whether Secure Sockets Layer (SSL) communication is required for the cookies the application issues; when it is true every cookie is sent with the Secure flag. The application must then be served over HTTPS, since a browser never returns a Secure cookie over plain HTTP. More information can be found at http://msdn.microsoft.com/en-us/library/ms228262.aspx.

Resolution: Set the requireSSL attribute to true in the {0} file at line {1}. Example: <configuration><system.web><httpCookies requireSSL="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11019:HttpCookiesRequireSslRule")] to your code.

HttpCookiesHttpOnlyRule

Title: Avoid disabling httpOnlyCookies attribute in <httpCookies> element

Description: The httpOnlyCookies attribute of the httpCookies element marks the cookies the application issues with the HttpOnly flag, so that client-side script cannot read them and a cross-site scripting bug cannot simply lift the session or authentication cookie. More information can be found at http://msdn.microsoft.com/en-us/library/ms228262.aspx.

Resolution: Set the httpOnlyCookies attribute to true in the {0} file at line {1}. Example: <configuration><system.web><httpCookies httpOnlyCookies="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11020:HttpCookiesHttpOnlyRule")] to your code.

HttpRuntimeEnableHeaderCheckingRule

Title: Avoid disabling enableHeaderChecking attribute in <httpRuntime> element

Description: The enableHeaderChecking attribute of the httpRuntime element specifies whether ASP.NET checks response headers set from code for potential injection attacks: carriage-return and line-feed characters in header values are encoded, which blocks HTTP response splitting. More information can be found at http://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Resolution: Set the enableHeaderChecking attribute to true in the {0} file at line {1}. Example: <configuration><system.web><httpRuntime enableHeaderChecking="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11021:HttpRuntimeEnableHeaderCheckingRule")] to your code.

HttpRuntimeEnableVersionHeaderRule

Title: Avoid enabling enableVersionHeader attribute in <httpRuntime> element

Description: The enableVersionHeader attribute of the httpRuntime element specifies whether ASP.NET outputs the X-AspNet-Version response header. The header is used by Microsoft Visual Studio 2005 to determine which version of ASP.NET is in use; it is not necessary for production sites, where it only tells an attacker which framework version to target, and can be disabled. More information can be found at http://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Resolution: Set the enableVersionHeader attribute to false in the {0} file at line {1}. Example: <configuration><system.web><httpRuntime enableVersionHeader="false" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11022:HttpRuntimeEnableVersionHeaderRule")] to your code.

HttpWebRequestUseUnsafeHeaderParsingRule

Title: Avoid enabling useUnsafeHeaderParsing attribute in <httpWebRequest> element

Description: The useUnsafeHeaderParsing attribute of the httpWebRequest element specifies whether unsafe header parsing is enabled. This is a system.net setting for the application acting as an HTTP client (HttpWebRequest): when it is true, malformed response headers from remote servers are accepted instead of rejected. More information can be found at http://msdn.microsoft.com/en-us/library/65ha8tzh.aspx.

Resolution: Set the useUnsafeHeaderParsing attribute to false in the {0} file at line {1}. Example: <configuration><system.net><settings><httpWebRequest useUnsafeHeaderParsing="false" /></settings></system.net></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11023:HttpWebRequestUseUnsafeHeaderParsingRule")] to your code.

IE8XssProtectionDisabledRule

Title: Avoid disabling IE8 XSS protection using <customHeaders> element

Description: The customHeaders element of the httpProtocol element lets an application developer add response headers, including the X-XSS-Protection header that controls Internet Explorer's browser-based cross-site scripting filter. Sending the header with the value 0 switches the filter off for the application. The filter is a client-side mitigation that only newer browsers honour and is no substitute for output encoding on the server. More information about the header can be found at http://msdn.microsoft.com/en-us/library/dd565647(VS.85).aspx.

Resolution: Remove the custom HTTP header that disables IE XSS protection in the {0} file at line {1}. An offending entry looks like <configuration><system.webServer><httpProtocol><customHeaders><add name="X-XSS-Protection" value="0" /></customHeaders></httpProtocol></system.webServer></configuration>; remove it, or set the value to "1; mode=block" to enable the filter explicitly. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11024:IE8XssProtectionDisabledRule")] to your code.

MachineKeyDecryptionRule

Title: Always set decryption attribute to Auto, AES or 3DES in <machineKey> element

Description: The decryption attribute of the machineKey element specifies the symmetric encryption algorithm used to encrypt and decrypt forms-authentication tickets and view state. DES offers only a 56-bit key and should not be used. More information can be found at http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.

Resolution: Set the decryption attribute to Auto, 3DES or AES in the {0} file at line {1}. Example: <configuration><system.web><machineKey decryption="AES" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11025:MachineKeyDecryptionRule")] to your code.

MachineKeyDecryptionKeyRule

Title: Always set decryptionKey attribute to AutoGenerate,IsolateApps in <machineKey> element

Description: The decryptionKey attribute of the machineKey element specifies the key that is used to encrypt and decrypt data, or the process by which the key is generated. It is used for forms-authentication encryption and decryption and for view-state encryption when validation is set to TripleDES (3DES). AutoGenerate,IsolateApps gives every application on the machine its own random key, so a key never sits in a configuration file. On a web farm the automatically generated keys differ from node to node, so tickets and view state from one node fail on another; there an explicit key of sufficient length must be set identically on every node, and this rule then has to be suppressed deliberately. More information can be found at http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.

Resolution: Set the decryptionKey attribute to AutoGenerate,IsolateApps in the {0} file at line {1}. Example: <configuration><system.web><machineKey decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11026:MachineKeyDecryptionKeyRule")] to your code.

MachineKeyValidationRule

Title: Always set validation attribute to SHA1 in <machineKey> element

Description: The validation attribute of the machineKey element specifies the hashing algorithm used to compute the message authentication code that validates view state and forms-authentication data; MD5 is the value to avoid. This rule predates .NET Framework 4, which added the HMACSHA256, HMACSHA384 and HMACSHA512 values; on that framework those are the stronger choice, and a warning for them is a case for suppression rather than a downgrade to SHA1. More information can be found at http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.

Resolution: Set the validation attribute to SHA1 in the {0} file at line {1}. Example: <configuration><system.web><machineKey validation="SHA1" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11027:MachineKeyValidationRule")] to your code.

MachineKeyValidationKeyRule

Title: Always set validationKey attribute to AutoGenerate,IsolateApps in <machineKey> element

Description: The validationKey attribute of the machineKey element specifies the key used to validate encrypted data. validationKey is used when enableViewStateMac is true to create a message authentication code (MAC) that ensures view state has not been tampered with, and to generate out-of-process, application-specific session IDs so that session state is isolated between sessions. The same web-farm caveat as for decryptionKey applies: nodes must share one explicit validationKey, or the MAC computed on one node fails on the next. More information can be found at http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx.

Resolution: Set the validationKey attribute to AutoGenerate,IsolateApps in the {0} file at line {1}. Example: <configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11028:MachineKeyValidationKeyRule")] to your code.
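The four <machineKey> rules above pull in two directions: AutoGenerate,IsolateApps is what the rules ask for, while a web farm needs one explicit key on every node, which the rules will then flag. The Python script below is an added example for this post, not CAT.NET code: it audits a <machineKey> element against the four rules, reports the web-farm caveat when asked, and mints an explicit element with fresh random keys. The key-length floors, the 64-byte validation and 32-byte AES decryption key sizes it generates, and the acceptance of the .NET 4 HMACSHA2 values alongside SHA1 are this example's assumptions, not CAT.NET's.

```python
"""Audit one <machineKey> element against the MachineKey* rules above and mint
explicit keys for a web farm. Added example for this post; not CAT.NET code."""
import os
import xml.etree.ElementTree as ET

AUTO = "AutoGenerate,IsolateApps"
# Minimum key sizes in bytes for this example (an assumption, not a CAT.NET rule):
# 16 bytes for an AES/3DES decryption key, 20 bytes for a validation key.
KEY_FLOORS = (("decryptionKey", "MachineKeyDecryptionKeyRule", 16),
              ("validationKey", "MachineKeyValidationKeyRule", 20))
# The documented rule accepts only SHA1; the HMACSHA2 values added in .NET 4
# are accepted here as well, an extension of the original rule.
OK_VALIDATION = ("SHA1", "HMACSHA256", "HMACSHA384", "HMACSHA512")
OK_DECRYPTION = ("Auto", "AES", "3DES")

def audit_machine_key(element_text, web_farm=False):
    """Return the rule names that fire for the element, plus web-farm caveats.
    An explicit key fires the matching *KeyRule exactly as the post describes;
    on a farm that is the state you want, and the suppression attribute is
    where the decision gets recorded."""
    attrs = ET.fromstring(element_text).attrib
    findings = []
    if attrs.get("decryption", "Auto") not in OK_DECRYPTION:
        findings.append("MachineKeyDecryptionRule")
    if attrs.get("validation", "SHA1") not in OK_VALIDATION:
        findings.append("MachineKeyValidationRule")
    for attr, rule, floor in KEY_FLOORS:
        value = attrs.get(attr, AUTO)
        if value.startswith("AutoGenerate"):
            if web_farm:
                findings.append(f"{attr}: auto-generated keys differ on every node; "
                                "set one explicit key on all nodes")
            continue
        findings.append(rule)                 # explicit key: the rule fires
        try:
            if len(bytes.fromhex(value)) < floor:
                findings.append(f"{attr}: shorter than {floor} bytes")
        except ValueError:
            findings.append(f"{attr}: not hexadecimal")
    return findings

def explicit_machine_key(validation_bytes=64, decryption_bytes=32):
    """Mint one explicit element to copy verbatim into web.config on every node."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES" />'
            % (os.urandom(validation_bytes).hex().upper(),
               os.urandom(decryption_bytes).hex().upper()))

def key_lengths(element_text):
    """(validationKey bytes, decryptionKey bytes) of an element with explicit keys."""
    attrs = ET.fromstring(element_text).attrib
    return (len(bytes.fromhex(attrs["validationKey"])),
            len(bytes.fromhex(attrs["decryptionKey"])))

if __name__ == "__main__":
    farm_key = explicit_machine_key()
    print(farm_key)
    print(audit_machine_key(farm_key, web_farm=True))
```

Generate the explicit element once, on a trusted machine, and distribute it through the same channel as other secrets; a key pasted into a web.config that is checked into source control has the same exposure as the clear-text connection string the ClearTextConnectionStringRule warns about.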

HttpRuntimeMaxRequestLengthRule

Title: Always set maxRequestLength attribute to 4096 or less in <httpRuntime> element

Description: The maxRequestLength attribute of the httpRuntime element specifies the maximum size of a request, in KB, that ASP.NET will accept. The limit can be used to prevent denial of service attacks caused, for example, by users posting very large files to the server. More information can be found at http://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Resolution: Set the maxRequestLength attribute to less than or equal to 4096 in the {0} file at line {1}. Example: <configuration><system.web><httpRuntime maxRequestLength="4096" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11029:HttpRuntimeMaxRequestLengthRule")] to your code.

MembershipProviderMaximumInvalidPasswordAttemptsRule

Title: Always set maxInvalidPasswordAttempts attribute to 5 or less in <add> element

Description: The maxInvalidPasswordAttempts attribute of the provider's add element specifies the number of invalid password or password-answer attempts that are allowed. The membership user is locked out when the number of invalid attempts within the passwordAttemptWindow reaches the configured value. More information can be found at http://msdn.microsoft.com/en-us/library/whae3t94.aspx.

Resolution: Set the maxInvalidPasswordAttempts attribute to 5 or less in the {0} file at line {1}. Example: <configuration><system.web><membership><providers><add maxInvalidPasswordAttempts="5" /></providers></membership></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11030:MembershipProviderMaximumInvalidPasswordAttemptsRule")] to your code.

MembershipProviderMinimumRequiredNonalphanumericCharactersRule

Title: Always set minRequiredNonalphanumericCharacters attribute to at least 1 in <add> element

Description: The minRequiredNonalphanumericCharacters attribute of the provider's add element specifies the minimum number of special characters that must be present in a valid password. This attribute cannot be set to a value that is less than 0, greater than 128, or greater than the value of minRequiredPasswordLength. More information can be found at http://msdn.microsoft.com/en-us/library/whae3t94.aspx.

Resolution: Set the minRequiredNonalphanumericCharacters attribute to at least 1 in the {0} file at line {1}. Example: <configuration><system.web><membership><providers><add minRequiredNonalphanumericCharacters="1" /></providers></membership></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11031:MembershipProviderMinimumRequiredNonalphanumericCharactersRule")] to your code.

MembershipProviderMinimumRequiredPasswordLengthRule

Title: Always set minRequiredPasswordLength attribute to at least 8 in <add> element

Description: The minRequiredPasswordLength attribute of the provider's add element specifies the minimum number of characters required in a password. This attribute cannot be set to a value that is less than 0 or greater than 128, which is the maximum length of an unencoded password for the SQL provider. More information can be found at http://msdn.microsoft.com/en-us/library/whae3t94.aspx.

Resolution: Set the minRequiredPasswordLength attribute to at least 8 in the {0} file at line {1}. Example: <configuration><system.web><membership><providers><add minRequiredPasswordLength="8" /></providers></membership></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11032:MembershipProviderMinimumRequiredPasswordLengthRule")] to your code.

MembershipProviderPasswordAttemptWindowRule

Title: Always set passwordAttemptWindow attribute to at least 30 in <add> element

Description: The passwordAttemptWindow attribute of the provider's add element specifies the number of minutes during which failed attempts are tracked. The window restarts each time another failure occurs, and a failure that arrives after the previous window has expired starts the count again at one. If the number of invalid password or password-answer attempts within the window reaches maxInvalidPasswordAttempts, the membership user is locked out. A short window therefore lets an attacker who spaces guesses just wider than the window continue indefinitely without ever triggering the lockout, which is why a longer window is recommended. More information can be found at http://msdn.microsoft.com/en-us/library/whae3t94.aspx.

Resolution: Set the passwordAttemptWindow attribute to at least 30 minutes in the {0} file at line {1}. Example: <configuration><system.web><membership><providers><add passwordAttemptWindow="30" /></providers></membership></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11033:MembershipProviderPasswordAttemptWindowRule")] to your code.
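The interaction between maxInvalidPasswordAttempts and passwordAttemptWindow described in the two membership rules above is easier to see by simulating it. The Python model below is an added example for this post, not CAT.NET or SqlMembershipProvider code; it implements the accounting as the post describes it (the window restarts on every failure, a failure after the window has expired resets the count to one, reaching the maximum locks the account), which is an assumption about the provider's behaviour, and the failure schedules are constructed.

```python
"""Simulate membership lockout accounting for maxInvalidPasswordAttempts and
passwordAttemptWindow. Added example for this post; not provider code."""
from dataclasses import dataclass

@dataclass
class LockoutTracker:
    """Per-user failure counter following the scheme the post describes
    (assumed for this example): a failure later than window_minutes after the
    last one starts the count again at 1, otherwise the count increments; the
    window start moves to every failure; reaching max_attempts locks the user."""
    max_attempts: int = 5           # maxInvalidPasswordAttempts
    window_minutes: int = 10        # passwordAttemptWindow
    failures: int = 0
    window_start: float = float("-inf")
    locked: bool = False

    def record_failure(self, now):
        """Apply one failed login at time `now` (minutes); return the lock state."""
        if self.locked:
            return True
        if now > self.window_start + self.window_minutes:
            self.failures = 1               # previous window expired: start over
        else:
            self.failures += 1
        self.window_start = now             # the window restarts on every failure
        if self.failures >= self.max_attempts:
            self.locked = True
        return self.locked

def locks_under_policy(max_attempts, window_minutes, failure_times):
    """True if the schedule of failures (minutes) locks the account."""
    tracker = LockoutTracker(max_attempts, window_minutes)
    return any(tracker.record_failure(t) for t in sorted(failure_times))

def patient_attacker(max_attempts, window_minutes, rounds):
    """Constructed schedule: bursts of max_attempts-1 guesses, each burst one
    minute after the previous window could have expired. Against the window
    it was tuned for, this never locks the account."""
    times = []
    for k in range(rounds):
        base = k * (window_minutes + 1)
        times.extend(base + j * 0.1 for j in range(max_attempts - 1))
    return times

def sustained_guesses_per_hour(max_attempts, window_minutes):
    """Guess rate the patient attacker sustains without lockout."""
    return 60.0 * (max_attempts - 1) / (window_minutes + 1)

if __name__ == "__main__":
    schedule = patient_attacker(5, 10, rounds=6)
    print("window 10, locked:", locks_under_policy(5, 10, schedule))
    print("window 30, locked:", locks_under_policy(5, 30, schedule))
    print("guesses/hour at window 10:", sustained_guesses_per_hour(5, 10))
    print("guesses/hour at window 30:", sustained_guesses_per_hour(5, 30))
```

With five attempts and a 10-minute window the patient attacker keeps up roughly 22 guesses an hour for as long as it likes; the same schedule against a 30-minute window locks the account on the first guess of the second burst, and an attacker who adapts to the 30-minute window is held to under 8 guesses an hour.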

RoleManagerCookieProtectionRule

Title: Always set cookieProtection attribute to All in <roleManager> element

Description: The cookieProtection attribute of the roleManager element specifies one of the CookieProtection enumeration values (None, Validation, Encryption or All) for the cookie that caches a user's role names. Anything less than All lets the client read or alter the cached roles. More information can be found at http://msdn.microsoft.com/en-us/library/ms164660.aspx.

Resolution: Set the cookieProtection attribute to All in the {0} file at line {1}. Example: <configuration><system.web><roleManager cookieProtection="All" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11034:RoleManagerCookieProtectionRule")] to your code.

RoleManagerCookieRequireSSLRule

Title: Always set cookieRequireSSL attribute to true in <roleManager> element

Description: The cookieRequireSSL attribute of the roleManager element specifies whether the role names cookie requires SSL to be sent to the server. For more information see http://msdn.microsoft.com/en-us/library/ms164660.aspx.

Resolution: Set the cookieRequireSSL attribute to true in the {0} file at line {1}. Example: <configuration><system.web><roleManager cookieRequireSSL="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11035:RoleManagerCookieRequireSSLRule")] to your code.

RoleManagerCookieSlidingExpirationRule

Title: Always set cookieSlidingExpiration attribute to true in <roleManager> element

Description: The cookieSlidingExpiration attribute of the roleManager element specifies whether the expiration date and time of the role names cookie are reset periodically while the user remains active. More information can be found at http://msdn.microsoft.com/en-us/library/ms164660.aspx.

Resolution: Set the cookieSlidingExpiration attribute to true in the {0} file at line {1}. Example: <configuration><system.web><roleManager cookieSlidingExpiration="true" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11036:RoleManagerCookieSlidingExpirationRule")] to your code.

RoleManagerCookieTimeOutRule

Title: Always set cookieTimeout attribute to 20 or less in <roleManager> element

Description: The cookieTimeout attribute of the roleManager element specifies the number of minutes before the role names cookie expires. A short timeout bounds how long a cached set of roles remains usable after a user's role membership has been changed. More information can be found at http://msdn.microsoft.com/en-us/library/ms164660.aspx.

Resolution: Set the cookieTimeout attribute to less than or equal to 20 minutes in the {0} file at line {1}. Example: <configuration><system.web><roleManager cookieTimeout="20" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11037:RoleManagerCookieTimeOutRule")] to your code.

RoleManagerMaximumCachedResultsRule

Title: Always set maxCachedResults attribute to 200 or less in <roleManager> element

Description: The maxCachedResults attribute of the roleManager element specifies the maximum number of role names that are cached in the roles cookie. More information can be found at http://msdn.microsoft.com/en-us/library/ms164660.aspx.

Resolution: Set the maxCachedResults attribute to less than or equal to 200 in the {0} file at line {1}. Example: <configuration><system.web><roleManager maxCachedResults="200" /></system.web></configuration>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11038:RoleManagerMaximumCachedResultsRule")] to your code.

HttpRuntimeSendCacheControlHeaderRule

Always enable sendCacheControlHeader attribute in <httpRuntime> element

The sendCacheControlHeader attribute of httpRuntime element specifies whether to send a cache control header, which is set to Private, by default. If True, client-side caching is disabled. More information can be found at http://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Set sendCacheControlHeader attribute to true in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><httpRuntime sendCacheControlHeader="true" /></system.web></configuration>]]>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11039:HttpRuntimeSendCacheControlHeaderRule")] to your code.

ServiceBehaviorHttpGetEnabledRule

Avoid enabling httpGetEnabled attribute in <serviceMetadata> element

The httpGetEnabled attribute of the serviceMetadata element specifies whether to publish service metadata for retrieval using an HTTP GET request. Publishing the WSDL over plain HTTP exposes the service contract to anyone who can reach the endpoint. More information can be found at http://msdn.microsoft.com/en-us/library/ms731317.aspx.

Set httpGetEnabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceMetadata httpGetEnabled="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11040:ServiceBehaviorHttpGetEnabledRule")] to your code.

ServiceBehaviorHttpsGetEnabledRule

Avoid enabling httpsGetEnabled attribute in <serviceMetadata> element

The httpsGetEnabled attribute of the serviceMetadata element specifies whether to publish service metadata for retrieval using an HTTPS GET request. More information can be found at http://msdn.microsoft.com/en-us/library/ms731317.aspx.

Set httpsGetEnabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceMetadata httpsGetEnabled="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11041:ServiceBehaviorHttpsGetEnabledRule")] to your code.

ServiceDebugIncludeExceptionDetailInFaultsRule

Avoid enabling includeExceptionDetailInFaults attribute in <serviceDebug> element

The includeExceptionDetailInFaults attribute of the serviceDebug element specifies whether to include managed exception information in the detail of SOAP faults returned to the client for debugging purposes. Exception details (type names, messages and stack traces) reveal the internal structure of the service to every caller. More information can be found at http://msdn.microsoft.com/en-us/library/ms788993.aspx.

Set includeExceptionDetailInFaults attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceDebug includeExceptionDetailInFaults="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>]]>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11042:ServiceDebugIncludeExceptionDetailInFaultsRule")] to your code.

SessionStateCookielessRule

Avoid using UseUri for cookieless attribute in <sessionState> element

The cookieless attribute of the sessionState element specifies how the session identifier is passed between browser and server. With UseUri the session ID is embedded in the URL, where it can leak through the browser history, the Referer header, proxy and server logs, or a shared link. More information can be found at http://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx.

Set cookieless attribute to UseCookies in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><sessionState cookieless="UseCookies" /></system.web></configuration>]]>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11043:SessionStateCookielessRule")] to your code.

SessionStateRegenerateExpiredSessionIdRule

Avoid enabling regenerateExpiredSessionId in <sessionState> element

The regenerateExpiredSessionId attribute of the sessionState element specifies whether a new session ID is issued when the client presents an expired one. When it is enabled, session IDs are reissued only in cookieless mode, that is, when the client supplied the expired ID in the URL. More information can be found at http://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx.

Set regenerateExpiredSessionId attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><sessionState regenerateExpiredSessionId="false" /></system.web></configuration>]]>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11044:SessionStateRegenerateExpiredSessionIdRule")] to your code.

TraceEnabledRule

Avoid enabling tracing using <trace> element

The enabled attribute of the trace element specifies whether tracing is enabled for an application. Trace output lists request details such as headers, cookies, form values and server variables, which an attacker should not be able to see on a production site. More information can be found at http://msdn.microsoft.com/en-us/library/6915t83k.aspx.

Set enabled attribute to false in the {0} file at line {1}. Ex: <![CDATA[<configuration><system.web><trace enabled="false" /></system.web></configuration>]]>. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11045:TraceEnabledRule")] to your code.

EndpointMexAddressDefinedRule

Always disable mex endpoint in <endpoint> element

The address attribute of the endpoint element specifies a string that contains the address of the endpoint. The address can be absolute or relative; if a relative address is provided, the host is expected to provide a base address appropriate for the transport scheme used in the binding. A mex (metadata exchange) endpoint publishes the service contract to any client that can reach it. More information can be found at http://msdn.microsoft.com/en-us/library/ms731320.aspx.

Remove the mex endpoint address from the {0} file at line {1}. To suppress this warning with SuppressMessageAttribute, add [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11046:EndpointMexAddressDefinedRule")] to your code.
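Every rule above boils down to one check: find the element at a configurationPath and compare a single attribute with a value. The script below is an added example, not CAT.NET code: it writes a subset of the rules in that shape (the ids are the ones quoted in the suppression attributes above) and runs them over two constructed web.config strings, one with the weak settings and one with the resolutions applied. CAT.NET reports a file and line number; ElementTree does not track line numbers, so the path and attribute are reported instead.

```python
"""Mini web.config checker shaped like the CAT.NET configuration rules.

Added example, not CAT.NET code. RULES is a hand-written subset of the
rules in the table, written as (rule id, configurationPath, attribute,
operator, value, resolution); both web.config strings are constructed.
"""
import xml.etree.ElementTree as ET

RULES = [
    ("CA11036", "/configuration/system.web/roleManager", "cookieSlidingExpiration",
     "Equals", "false", 'set cookieSlidingExpiration="true"'),
    ("CA11037", "/configuration/system.web/roleManager", "cookieTimeout",
     "GreaterThan", "20", "set cookieTimeout to 20 minutes or less"),
    ("CA11038", "/configuration/system.web/roleManager", "maxCachedResults",
     "GreaterThan", "200", "set maxCachedResults to 200 or less"),
    ("CA11039", "/configuration/system.web/httpRuntime", "sendCacheControlHeader",
     "Equals", "false", 'set sendCacheControlHeader="true"'),
    ("CA11040", "/configuration/system.serviceModel/behaviors/serviceBehaviors/behavior/serviceMetadata",
     "httpGetEnabled", "Equals", "true", 'set httpGetEnabled="false"'),
    ("CA11042", "/configuration/system.serviceModel/behaviors/serviceBehaviors/behavior/serviceDebug",
     "includeExceptionDetailInFaults", "Equals", "true", 'set includeExceptionDetailInFaults="false"'),
    ("CA11043", "/configuration/system.web/sessionState", "cookieless",
     "Equals", "UseUri", 'set cookieless="UseCookies"'),
    ("CA11044", "/configuration/system.web/sessionState", "regenerateExpiredSessionId",
     "Equals", "true", 'set regenerateExpiredSessionId="false"'),
    ("CA11045", "/configuration/system.web/trace", "enabled",
     "Equals", "true", 'set enabled="false"'),
    ("CA11046", "/configuration/system.serviceModel/services/service/endpoint", "address",
     "Equals", "mex", "remove the mex endpoint"),
]

# Constructed sample: every setting here is one the rules above flag.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" />
    <httpRuntime sendCacheControlHeader="false" />
    <roleManager cookieSlidingExpiration="false" cookieTimeout="60" maxCachedResults="500" />
    <sessionState cookieless="UseUri" regenerateExpiredSessionId="true" />
  </system.web>
  <system.serviceModel>
    <behaviors><serviceBehaviors><behavior>
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior></serviceBehaviors></behaviors>
    <services><service name="Demo.Service">
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service></services>
  </system.serviceModel>
</configuration>"""

# Constructed sample with the resolutions applied and no WCF section at all.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" />
    <httpRuntime sendCacheControlHeader="true" />
    <roleManager cookieSlidingExpiration="true" cookieTimeout="20" maxCachedResults="200" />
    <sessionState cookieless="UseCookies" regenerateExpiredSessionId="false" />
  </system.web>
</configuration>"""


def find_all(root, config_path):
    """Walk an absolute configurationPath such as /configuration/system.web/trace
    and return every element it names (a plain tag walk, no XPath needed)."""
    parts = [p for p in config_path.split("/") if p]
    nodes = [root] if parts and root.tag == parts[0] else []
    for tag in parts[1:]:
        nodes = [child for node in nodes for child in node if child.tag == tag]
    return nodes


def violates(operator, actual, expected):
    if operator == "Equals":
        return actual.strip().lower() == expected.lower()
    if operator == "GreaterThan":
        try:
            return int(actual) > int(expected)
        except ValueError:
            return True  # non-numeric where a number is required: report it
    raise ValueError("unknown operator: " + operator)


def check(config_xml, rules=RULES):
    """Return one (rule id, path, attribute, value, resolution) per violation."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule_id, path, attribute, operator, expected, fix in rules:
        for element in find_all(root, path):
            actual = element.get(attribute)
            # Only explicit settings are checked; an attribute left at an
            # insecure default needs a rule that fires on its absence.
            if actual is not None and violates(operator, actual, expected):
                findings.append((rule_id, path, attribute, actual, fix))
    return findings


if __name__ == "__main__":
    for rule_id, path, attribute, actual, fix in check(WEAK_WEB_CONFIG):
        print(rule_id, path + "@" + attribute + "=" + actual, "->", fix)
```

Run it as is to see the ten findings for the weak sample; replace WEAK_WEB_CONFIG with the contents of a real web.config to check one of your own. Because only explicitly set attributes are compared, a missing attribute produces no finding here even when its default is insecure; that is the gap the "insecure defaults" rules in the V2.0 beta close.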

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

CAT.NET Data Flow Rules

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

This blog post and the next one describe the data flow rules and configuration rules of CAT.NET. The following table describes the data flow rules:

Each rule is listed below as Rule Name, Title, Description and Resolution.

SqlInjectionRule

Untrusted input in dynamic SQL can result in SQL Injection vulnerabilities

A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the database. It can occur when your application uses input to construct dynamic SQL statements to access the database. It can also occur if your code uses stored procedures that are passed strings that contain raw user input. Using the SQL injection attack, the attacker can execute arbitrary commands in the database. The issue is magnified if the application uses an over-privileged account to connect to the database. In this instance it is possible to use the database server to run operating system commands and potentially compromise other servers, in addition to being able to retrieve, manipulate, and destroy data.

Use parameterized SQL instead of dynamic SQL. With parameterized statements the user-supplied values are passed to the database separately from the SQL text, so characters that have special meaning to SQL (such as a single quote) are treated as data and can never change the structure of the statement. Parameters do not help if a stored procedure builds and executes dynamic SQL from the strings it receives. More information can be found at http://msdn.microsoft.com/en-us/library/ms998271.aspx.

XSSDataFlowRule

Untrusted input should be encoded to avoid potential Cross Site Scripting vulnerabilities

User input when used in web outputs without sanitization or encoding can result in Cross Site Scripting vulnerabilities. Cross-site scripting (XSS) attacks can occur whenever users input is echoed back to the browser without adequate validation, sanitization or encoding, enabling an attacker to supply input which the victim's browser interprets as client-side script originating from the vulnerable application.

Encode the input for the context in which it is rendered before writing it to the page. The Anti-XSS Library is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks; use the method that matches the output context (HTML body, HTML attribute, URL or JavaScript), since encoding for the wrong context does not stop the attack. More information can be found at http://msdn.microsoft.com/en-us/library/aa973813.aspx.

FileCanonicalizationRule

Untrusted input in file handling routines can cause File Canonicalization vulnerability

User input used in the file handling routines can potentially lead to File Canonicalization vulnerability. Code is particularly susceptible to canonicalization issues if it makes any decisions based on the name of a resource that is passed to the program as input. Files, paths, and URLs are resource types that are vulnerable to canonicalization because in each case there are many different ways to represent the same name.

Canonicalize the path before passing it to file handling routines: resolve it to a full path (for example with Path.GetFullPath) and verify that the result lies under the directory the application is allowed to access. Removing the characters returned by Path.GetInvalidFileNameChars or Path.GetInvalidPathChars strips illegal characters but does not by itself stop ".." traversal or alternate separators. More information can be found at http://msdn.microsoft.com/en-us/library/system.io.path.getinvalidfilenamechars.aspx.

InformationDisclosureRule

Always return generic error information to the user

Unsafe exception handling can result in information disclosure vulnerability which can reveal application components.

Ensure that all exceptions are caught and only generic messages are returned to the user; log the full exception details on the server, where they are needed for diagnosis.

LdapInjectionRule

Untrusted input in LDAP Queries can result in LDAP Injection vulnerabilities

User input used in constructing LDAP queries can result in LDAP Injection vulnerabilities. A LDAP (Lightweight Directory Access Protocol) injection attack exploits vulnerabilities in input validation to run arbitrary LDAP statements against information directories. It can occur when your application uses input to construct dynamic LDAP statements to access directory services. Using the LDAP injection attack, the attacker can execute arbitrary statements against the directory services.

Input should be validated against an inclusion list. Either sanitize or encode the input before constructing the LDAP query. When handling non-DN values, use the WPL library's Encoder.LdapEncode method to encode the input. For each input, define what is acceptable through a regular expression, a list of acceptable characters, domain constraints or type casting, and enforce this validation on the server side.

ProcessCommandExecutionRule

Untrusted input in process execution routines can result in Command Injection vulnerabilities

User input when used to run system level command can result in Command Injection vulnerabilities. It is also commonly known as Shell Injection vulnerability which could allow an attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input. A remote attacker could send a specially-crafted request to inject and execute malicious commands with the privileges of the application.

Sanitize the input prior to constructing the command. For each input, define what is acceptable through a regular expression, a list of acceptable characters, domain constraints or type casting, and enforce this validation on the server side. Where possible, avoid invoking a shell at all and pass the arguments to the target program directly, so that shell metacharacters are never interpreted.

UserControlledRedirectionRule

Untrusted input in user redirection can result in uncontrolled redirection

User input used directly as a redirect target lets an attacker send a user who trusts the application's link to a site of the attacker's choosing, such as a phishing page that mimics the application.

Do not allow off-site redirections to absolute URLs that can be specified by the user. Accept only relative paths on the site itself, or validate the target host against a list of allowed hosts.

XPathInjectionRule

Untrusted input in XPath queries can result in XPath Injection vulnerabilities

User input used to construct XPath queries can result in XPath injection vulnerabilities. If an application builds an XPath query at run time and embeds unsafe user input in it, an attacker may be able to inject data into the query so that the resulting query is parsed in a way the programmer did not intend.

Sanitize the user-controlled input before using it in an XPath query. For each input, define what is acceptable through a regular expression, a list of acceptable characters, domain constraints or type casting, and enforce this validation on the server side. Where the XPath API supports it, pass the value as a variable rather than concatenating it into the expression.

XmlInjectionRule

Untrusted input should be encoded to avoid potential Xml Injection vulnerabilities

User input when used to construct dynamic XML without encoding can result in XML injection vulnerabilities. An XML injection attack exploits vulnerabilities in input validation to create a new node to alter the program decision/flow. It can also be used to insert malicious characters into XML and break functionality. It occurs when the application uses input from the user to construct dynamic XML to send it to the backend database or does transformation to display it back to the user.

Encode the input before using it to construct XML nodes. Anti-XSS Library is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. Use the XmlEncode method to encode input. More information can be found at http://msdn.microsoft.com/en-us/library/aa973813.aspx.


How To: Use CAT.NET V2.0 Beta

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

You need Visual Studio 2010 Beta 2 for this tool to work. After installation, open a Visual Studio 2010 command prompt in *Administrator* mode by going to Start -> All Programs -> Microsoft Visual Studio 2010 -> Visual Studio Tools -> Visual Studio 2010 Command Prompt. At the command prompt type “sn -Vr *,b03f5f7f11d50a3a” to skip strong name verification for the FxCop assemblies. This registers verification skipping for every assembly on the machine that carries that public key token, so do it on a test machine only and undo it with “sn -Vu *,b03f5f7f11d50a3a” when you no longer need the beta.


You can run the CAT.NET rules as FxCop rules from the FxCop GUI or from FxCopCmd.exe.

1. Start FxCop by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop. This will bring up the UI with CAT.NET rules loaded.


2. Right click “My FxCop Project” and select “Add Targets” to browse and add a target to analyze.


3. Click on the “Rules” tab to select appropriate rules.

Note: Sometimes the FxCop UI does not display any results after selecting both rule sets. The workaround is to select only the configuration rules or only the data flow rules, and switch the selection after each analysis.

4. After selecting a target, click the “Analyze” button in toolbar or just press F5 to start the analysis.

5. Review the results in the window on the right.

6. You can also run the analysis using the FxCop command line tool. Open it by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop Command Prompt. This runs the command line tool and lists the available command line switches.

7. You can start the analysis with the /console and /file switches: /console writes the results to the console and /file specifies the assembly to analyze. Ex: FxCopCmd.exe /console /file:"C:\AntiXss\Sample Application\bin\SampleApp.dll"



CAT.NET V2.0 released to Beta

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

CAT.NET V2.0 has been released to beta; the beta program will last approximately one month. The final version is scheduled to ship shortly after VS 2010 RTM. The goal of the beta is to gather feedback from the user community, so please send all feedback to ist-cat@microsoft.com. There have been some significant changes to the code, including:

User Experience

  • Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
  • Easy analysis using FxCop command line or UI interface or VSTS Team Build.
  • Currently beta includes FxCop UI and Command prompt.

Core Analysis

  • A total of 55 rules are included in this version: 9 data flow rules and 46 configuration rules.
  • Updated tainted data flow analysis engine to track both tainted operands and source symbols.
  • Reduced false positives and false negatives, accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
  • New data flow rule to detect XML Injection attacks.
  • Updated configuration rules engine, which now detects clear-text connection strings and credentials.
  • Rules to detect insecure defaults, for example the minRequiredPasswordLength attribute of a membership provider's add element.
  • Configuration rules updated to detect @page directive configuration overrides.

Known Issues

All current known issues have been included in the CAT.NET V2.0 Beta guide document.  The items listed in this document will be resolved prior to final release.

Download

You can download the bits at Connect (link below)

https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

 


How To: View header of EXE/DLL

Syed Aslam Basha here. I am a tester on the Information Security Tools Team.

At times we may want to know the target platform (x86, x64 or Any CPU) of an EXE/DLL. Visual Studio ships the CorFlags.exe tool, which reports it as follows:

  • Launch the Visual Studio command prompt in admin mode
  • Type corflags <assembly file path> and press Enter
  • Example:
    C:\Windows\system32>corflags "C:\Program Files\Microsoft Information Security\Microsoft Code Analysis Tool for .NET (CAT.NET) v2.0\FxCopCmd.exe"
    Microsoft (R) .NET Framework CorFlags Conversion Tool.  Version  3.5.21022.8
    Copyright (c) Microsoft Corporation.  All rights reserved.

    Version   : v4.0.21008
    CLR Header: 2.5
    PE        : PE32
    CorFlags  : 3
    ILONLY    : 1
    32BIT     : 1
    Signed    : 1

  • The PE and 32BIT values together give the target platform of the assembly:
    Any CPU : PE = PE32  and 32BIT = 0
    x86     : PE = PE32  and 32BIT = 1
    x64     : PE = PE32+ and 32BIT = 0
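The PE and 32BIT values that CorFlags prints live in two places in the file: the optional header magic (PE32 vs PE32+) and the Flags field of the CLR header pointed to by data directory 14. The script below is an added example, not CorFlags itself: it reads those fields directly so the same check can be scripted on any machine, and fabricates a minimal PE image to run against when no file is given (a real file is read with open(path, "rb")).

```python
"""Reads the PE and CLR header fields that CorFlags.exe prints, so the
platform of a managed EXE/DLL can be checked on any machine.

Added example, not CorFlags itself. build_sample_pe() fabricates a minimal
image for the demo; a real file is read with open(path, "rb").read().
"""
import struct

COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_32BITREQUIRED = 0x2
CLR_DIRECTORY = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for virtual_address, raw_size, raw_pointer in sections:
        if virtual_address <= rva < virtual_address + raw_size:
            return rva - virtual_address + raw_pointer
    raise ValueError("RVA 0x%x is outside every section" % rva)


def inspect(data):
    """Return the CorFlags fields (PE, CorFlags, ILONLY, 32BIT, Signed,
    CLR Header) and the platform they imply for an image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        pe_kind, dirs = "PE32", opt + 96    # data directories start at +96
    elif magic == 0x20B:
        pe_kind, dirs = "PE32+", opt + 112  # the 64-bit ImageBase shifts them
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, dirs - 4)[0] <= CLR_DIRECTORY:
        raise ValueError("no CLR directory entry: not a managed assembly")
    # Section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(num_sections)]
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIRECTORY)
    if clr_rva == 0 or clr_size == 0:
        raise ValueError("empty CLR header: not a managed assembly")
    clr = rva_to_offset(sections, clr_rva)
    major, minor = struct.unpack_from("<HH", data, clr + 4)
    flags = struct.unpack_from("<I", data, clr + 16)[0]
    # CorFlags reports Signed from the StrongNameSignature directory, not from
    # a flag bit: the output above shows CorFlags 3 together with Signed 1.
    sn_rva, sn_size = struct.unpack_from("<II", data, clr + 32)
    bit32 = 1 if flags & COMIMAGE_FLAGS_32BITREQUIRED else 0
    platform = "x64" if pe_kind == "PE32+" else ("x86" if bit32 else "Any CPU")
    return {"CLR Header": "%d.%d" % (major, minor), "PE": pe_kind, "CorFlags": flags,
            "ILONLY": 1 if flags & COMIMAGE_FLAGS_ILONLY else 0, "32BIT": bit32,
            "Signed": 1 if sn_rva and sn_size else 0, "Platform": platform}


def build_sample_pe(pe32plus, clr_flags, signed):
    """Fabricate the smallest image inspect() needs: DOS stub, COFF header,
    optional header and one section whose data is the 72-byte CLR header."""
    opt_size, sect_rva, sect_raw = (240 if pe32plus else 224), 0x2000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664 if pe32plus else 0x14C,
                       1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * CLR_DIRECTORY, sect_rva, 72)
    section = struct.pack("<8sIIII", b".text", sect_raw, sect_rva, sect_raw, sect_raw) + b"\0" * 16
    sn_rva, sn_size = (sect_rva + 0x80, 0x80) if signed else (0, 0)
    clr = struct.pack("<IHHIIIIIIII", 72, 2, 5, 0, 0, clr_flags, 0, 0, 0, sn_rva, sn_size)
    headers = (dos + coff + bytes(opt) + section).ljust(sect_raw, b"\0")
    return headers + clr.ljust(sect_raw, b"\0")


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(False, 3, True)
    for field, value in inspect(image).items():
        print("%-10s : %s" % (field, value))
```

Run it with a path to FxCopCmd.exe to get the same PE/CorFlags/32BIT lines as above, or with no argument to inspect the fabricated x86 sample. The fabricated image is only good for header parsing; it has no code or metadata, so it is not loadable.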


Delay between actions feature in CUIT

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

CUIT code is played back very quickly; at times you may want it to run a little slower, with a delay between actions.

The Playback API provides a setting for this:

Playback.PlaybackSettings.DelayBetweenActions = 1000;

The value is in milliseconds; put this line first in your CUIT method to get a one-second delay between actions during playback.


How To: Data Drive CUIT Scripts

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

One of the major features of any automation tool is support for data-driven test cases, and CUIT supports data-driven testing too. Let me show an example of data-driving CUIT scripts.

Suppose you want to validate the login feature of an application with different users.

  • Select the Test menu and click Windows –> Test View
  • Select the required test, say ValidateHomePage
  • Click the ellipsis button next to Data Connection String in the Properties window
  • Configure the required data source: select CSV file and click Next
  • Click Finish
  • Click Yes for “Copy the database file into the current project and add as deployment item”
  • The data source attributes are added to the ValidateHomePage method:
    [DataSource("Microsoft.VisualStudio.TestTools.DataSource.CSV", "|DataDirectory|\\UserNames.csv", "UserNames#csv", DataAccessMethod.Sequential), DeploymentItem("PortalAutomation\\UserNames.csv"), TestMethod]
    public void ValidateHomePage()
  • The data source is now part of the project; assign values from it to the CUIT parameters:
    this.UIMap.LoginAdminParams.UsernameEditText = testContextInstance.DataRow[0].ToString();
  • Run the test: it runs once per row of the CSV (two iterations here) and shows the results

Likewise you can data-drive any of the test cases; with a little imagination you can apply the same idea to validate every link on a web page.


How To: Customize CUIT scripts

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

In the previous blog posts I have shown how to automate functional test cases using CUIT and how to add check points (assertions) to CUITs. Let's see, with an example, how to customize the CUIT scripts.

Let's take a close look at the files that are generated after recording:

  • codedUITest1.cs has the method calls that we recorded
  • UIMap.cs is, at this stage, nothing more than an empty partial UIMap class, which we will modify shortly
  • UIMap.Designer.cs contains the code generated by the Coded UI Test Builder
  • UserControls.cs contains definitions of the specialized classes used in the CUIT
  • UIMap.Designer.cs and UIMap.cs together make up the partial UIMap class. The designer file holds auto-generated code, and as with any designer file, modifications made to it are lost when the code is regenerated:
// ------------------------------------------------------------------------------
//  <auto-generated>
//      This code was generated by coded UI test builder.
//      Version: 10.0.0.0
//
//      Changes to this file may cause incorrect behavior and will be lost if
//      the code is regenerated.
//  </auto-generated>
// ------------------------------------------------------------------------------

Suppose we have recorded sanity test cases and want to run them against the production site. All you need is to modify UIMap.cs as shown below; here we point the launch portal site parameter BlankPageWindowsInteWindowUrl at https://productionSite:

public partial class UIMap
{
    public void ProductionValues()
    {
        this.LaunchPortalSiteParams.BlankPageWindowsInteWindowUrl = "https://productionSite";
    }
}

Call this method from the CUIT before any other UIMap method is called:

public void CodedUITest1()
{
    // To generate code for this test, select "Generate Code for Coded UI Test" from the shortcut menu and select one of the menu items.
    this.UIMap.ProductionValues();
    this.UIMap.LaunchPortalSite();
    this.UIMap.ValidateHomePageLinks();
    this.UIMap.ClosePortalSite();
}

Now you are ready to test the production site; likewise you can set values for any of the variables defined in UIMap.Designer.cs.


How Do I: Configure Runtime Version

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

At times I need to test an application with different versions of .NET. The application's config file can tell the runtime which .NET version to load.

For example, suppose we have an application built with .NET 3.5 and want to check its compatibility with .NET 4.0. Follow these steps:

  • Open applicationname.exe.config in the application folder; if it does not exist, create it
  • Add the following XML node, or update the supportedRuntime version to the value you need
<configuration>
  <startup>
      <supportedRuntime version="v4.0.21006"/>
  </startup>
</configuration>
  • Save the file
  • Run the application; it now runs on .NET 4.0


How To: Add assertions in Coded UI Tests

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

Continuing from my previous post, let me show how to add a check point, that is an assertion, to a coded UI test script.

For example, after launching the portal site you want to validate the user name.

  • Place the cursor after this.UIMap.LaunchPortalSite(); (continuing from the previous blog post), press Enter, right click and select the first option, “Use Coded UI Test Builder”
  • Click the crosshair (third button) and drag it onto the control you want to validate
  • The Add Assertions form is shown. You can navigate through the controls up to the top-most control or form and see its properties, and add an assertion on any of the properties shown
  • Right click on the InnerText property we are interested in and click Add Assertion
  • Select the comparator and comparison value and click OK
  • Click the Generate Code button, enter an appropriate method name, say ValidateUser, and you are ready to validate the user name


How To: Functional Testing Automation Using Visual Studio 2010

Syed Aslam Basha here. I am a tester on  the Information Security Tools Team.

Thanks to Anil Chintala and Rajesh Gopisetty, I got an opportunity to test and automate a portal site. In the next few blog posts I want to share first-hand experience of automating functional test cases using Coded UI Test, a feature of Visual Studio (VS) 2010.

In this blog post let me show an example of recording the following scenario and playing it back using VS 2010:

  • launch the web browser
  • open the portal site
  • navigate within the portal site
  • close the browser

  • Launch VS 2010
  • Select File –> New Project
  • Select Visual C#, Test and Test Project, give the project an appropriate name and click OK
  • This creates the PortalAutomation project along with the default .cs files
  • Right click the PortalAutomation project name and select Add –> Coded UI Test
  • This launches the Generate Code for Coded UI Test dialog; select the first option and click OK
  • A small form called the Coded UI Test Builder appears at the bottom right corner of your screen. From here you can record actions, add assertions (covered in an upcoming blog post) and generate code
  • Click the Start Recording button in the Coded UI Test Builder and launch the browser
  • Type in the site name and press Enter
  • Click Pause Recording in the Coded UI Test Builder. You can view and edit the recorded steps by clicking the Show Recorded Steps button
  • Click Generate Code and enter the method name “LaunchSite”. It is good practice to keep steps modular and reusable: we could record everything up to the end of the test case in one go, but dividing the steps into reusable methods lets you call them wherever required
  • Click Start Recording and record the next actions: click the links on the home page
  • Click Pause Recording, then Generate Code, and enter an appropriate method name
  • Click Start Recording and close the browser
  • Click Pause Recording, then Generate Code, and enter an appropriate method name
  • Let's look at the generated code:
    public void CodedUITest1()
    {
        // To generate code for this test, select "Generate Code for Coded UI Test" from the shortcut menu and select one of the menu items.
        this.UIMap.LaunchPortalSite();
        this.UIMap.ValidateHomePageLinks();
        this.UIMap.ClosePortalSite();
    }
  • Rename CodedUITest1 to ValidateHomePageLinks to make it more meaningful. From the code you can clearly make out that you are launching the portal site, validating the home page links and closing the site
  • Press F5, or right click inside the method and select Run Tests, to run the test (play it back)
  • The result is shown in Test Results as passed or failed


Features of Web Protection Library v1.0

Syed Aslam Basha here. I am a tester on the Information Security Tools team responsible for testing web protection library v1.0 (WPL).

WPL v1.0 has the following features:

  • AntiXSS library (contains the now-deprecated AntiXSS methods)
  • Encoder library (the AntiXSS methods provided in the new namespace)
  • Security runtime engine (SRE) configuration editor
  • SRE modules
    • Cross-site scripting protection module
    • SQL injection partial protection module

For usage details, refer to my earlier blog posts.

- Syed

How To: Configure your application to use WPL – SRE modules

Syed Aslam Basha here. I am a tester on the Information Security Tools team responsible for testing web protection library v1.0 (WPL).

In order to use the Security Runtime Engine (SRE) in your application you need to configure web.config. Currently SRE has two modules: the cross-site scripting protection module and the SQL injection partial protection module.

  • Launch the Security Runtime Engine Configuration Editor from Start –> All Programs –> Microsoft Information Security –> Web Protection Library v1.0 –> Security Runtime Engine Configuration Editor
  • Click File –> Open and select your website's web.config file
  • Select the configuration node
  • Click Configuration –> New –> Cross Site Scripting Protection Module
  • Similarly, add the SQL Injection Partial Protection Module
  • Click Save
  • Click File –> Exit
  • Copy the SRE binaries to the bin folder of your application

You are ready to use the SRE modules!

For more information on the SRE modules refer to my earlier blog posts.


How To: Turn off Strong Name Validation

Syed Aslam Basha here. I am a tester on the Information Security Tools team.

While testing one application I hit a “strong name validation failed” error for an assembly, and had to find a way to turn off strong name validation so that I could carry on testing with the given assembly until I received a correctly signed one.

The actual error is:

“Unhandled exception: System.IO.FileLoadException: Could not load file or assembly ‘application name, version=4.0.0.0, culture=neutral, publickeytoken=b03f5f7f11d50a3a’ or one of its dependencies. Strong name validation failed.<Exception from HRESULT: 0x8013141A>”

Steps to turn off strong name validation:

Launch the Visual Studio command prompt in admin mode and run the following command:

sn –Vr *,b03f5f7f11d50a3a

-Vr <assembly> [<userlist>] [<infile>]
   Register <assembly> for verification skipping (with an optional, comma separated list of usernames for which this will take effect and an optional test public key in <infile>).
<assembly>    can be specified as * to indicate all assemblies or *,<public key token> to indicate that all assemblies with the given public key token. Public key tokens should be specified as a string of hex digits.

Similarly you can remove verification skipping entries, which you should do as soon as testing is finished: while the entry exists, the runtime loads any assembly carrying that public key token without checking its signature, which is exactly the protection a tampered or substituted assembly would otherwise fail.

sn –Vu *,b03f5f7f11d50a3a
-Vu <assembly>
   Unregister <assembly> for verification skipping. The same rules for <assembly> naming are followed as for -Vr.

sn -Vx
-Vx
   Remove all verification skipping entries.
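As an added example (not from this post and not part of sn.exe), the following Python implements the <assembly> matching rules quoted from the sn help above, so you can tell which assemblies a registered skip entry covers, and, on Windows, enumerates the entries sn -Vr has registered so they can be audited and removed with -Vu once testing is done. The sample entries and the second token are constructed for the example; the registry location is the one sn.exe writes to, with the Wow6432Node mirror that 32-bit sn uses on 64-bit Windows.

```python
import re

# Constructed sample of verification-skipping entries, in the <assembly> syntax
# sn -Vr accepts: "*" (all assemblies), "*,<public key token>" (every assembly
# signed with that token) or "<name>,<public key token>" (one assembly). The
# first token is the one quoted in the post above; the second is made up.
SAMPLE_SKIP_ENTRIES = [
    "*,b03f5f7f11d50a3a",
    "MyTestLib,0123456789abcdef",
]

# A public key token is the low 8 bytes of the SHA-1 of the public key,
# written as 16 hex digits, which is the "string of hex digits" sn expects.
_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{16}$")

# Registry locations sn.exe records skip entries under (subkeys of HKLM).
STRONG_NAME_VERIFICATION_KEYS = (
    r"SOFTWARE\Microsoft\StrongName\Verification",
    r"SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification",
)


def parse_skip_entry(entry):
    """Split an sn -Vr style <assembly> spec into (name_pattern, token_or_None).

    Raises ValueError when a token is present but is not 16 hex digits.
    """
    parts = [p.strip() for p in entry.split(",", 1)]
    name = parts[0]
    token = parts[1].lower() if len(parts) == 2 else None
    if token is not None and not _TOKEN_RE.match(token):
        raise ValueError("public key token must be 16 hex digits: %r" % entry)
    return name, token


def is_valid_skip_entry(entry):
    """True if the entry parses under the sn naming rules."""
    try:
        parse_skip_entry(entry)
        return True
    except ValueError:
        return False


def entry_matches(entry, assembly_name, public_key_token):
    """True if a verification-skipping entry covers the given assembly.

    "*" matches any name; a token, when present, must match exactly
    (tokens are compared case-insensitively, as they are hex strings).
    """
    name, token = parse_skip_entry(entry)
    if name != "*" and name.lower() != assembly_name.lower():
        return False
    return token is None or token == public_key_token.lower()


def assemblies_with_skipped_verification(entries, assemblies):
    """Return the (name, token) pairs whose strong-name check would be skipped."""
    return [
        (name, token)
        for (name, token) in assemblies
        if any(entry_matches(e, name, token) for e in entries)
    ]


def list_registered_skip_entries():
    """Enumerate the skip entries registered on this Windows machine.

    Returns [] on platforms without winreg, so the module still runs offline.
    """
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for base in STRONG_NAME_VERIFICATION_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base)
        except OSError:
            continue  # key absent: no entries registered via this path
        with key:
            index = 0
            while True:
                try:
                    entries.append(winreg.EnumKey(key, index))
                except OSError:
                    break  # no more subkeys
                index += 1
    return entries


if __name__ == "__main__":
    # Which of these (constructed) assemblies would load unverified?
    targets = [("Application", "b03f5f7f11d50a3a"), ("Other", "ffffffffffffffff")]
    print(assemblies_with_skipped_verification(SAMPLE_SKIP_ENTRIES, targets))
    print("registered on this machine:", list_registered_skip_entries())
```

Because a "*,<token>" entry covers every assembly signed with that key, the matcher is the quickest way to see how wide a skip entry really is before leaving it on a machine.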

- Syed

How To: Use CAT.NET V2.0 CTP

Syed Aslam Basha here. I am a tester on the Information Security Tools team responsible for testing CAT.NET v2.0.

As the installer name (CATNETV20CMD) suggests, CAT.NET v2.0 CTP is a command-line-only version. CAT.NET v2.0 CTP analyses assemblies for vulnerabilities and configuration files for misconfigurations. You can open the rule files present at C:\Program files\Microsoft Information Security tools\Microsoft Code Analysis for .NET(CAT.NET) v2.0\Rules\ConfigRules to get an understanding of the configuration rules. For example, the config rule for trace: if trace is enabled it will be shown in the report.

   <?xml version="1.0" encoding="utf-8"?>
   <ConfigurationRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" typeName="Microsoft.InformationSecurity.CodeAnalysis.Engines.RulesModel.ConfigurationRule, Microsoft.InformationSecurity.CodeAnalysis.Engines.RulesModel, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b9ded31be328441b" enabled="false" comparisionType="AttributeCheck" isAndConditions="false">
     <Information cultureName="en-US">
       <Category>Web Security</Category>
       <Certainity>50</Certainity>
       <Description>Trace is enabled which can lead to information disclosure</Description>
       <Email>anilkr@microsoft.com</Email>
       <Name>Trace enabled attribute is set to true</Name>
       <Owner>Anil Revuru</Owner>
       <Resolution>Set enabled attribute to false</Resolution>
       <RuleId>WEBCONFSEC07</RuleId>
       <SeverityLevel>High</SeverityLevel>
       <Url></Url>
       <Problem>Enabled attribute is set to true</Problem>
     </Information>
     <Conditions>
       <Condition conditionId="42C400DF-5130-4FDB-9EE3-8C944D92BBC8" configurationPath="/configuration/system.web/trace" attributeName="enabled" attributeValue="true" comparisionOperator="Equals" />
     </Conditions>
   </ConfigurationRule>

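To make concrete what a rule file in this format expresses, here is an added Python evaluator (example code, not part of CAT.NET) that reads a ConfigurationRule and applies its AttributeCheck conditions to a web.config: it walks the element path in configurationPath, compares the named attribute with attributeValue, and combines conditions according to isAndConditions. The rule copy is reduced to the elements the evaluator uses and keeps the attribute names exactly as they appear in the file; the web.config samples and the second rule (RuleId EXAMPLE-DEBUG) are constructed for the example, and only the Equals operator shown in the file is supported.

```python
import xml.etree.ElementTree as ET

# The trace rule from above, reduced to what the evaluator reads
# (namespace declarations, typeName and the enabled flag are dropped).
TRACE_RULE_XML = """<ConfigurationRule comparisionType="AttributeCheck" isAndConditions="false">
  <Information cultureName="en-US">
    <RuleId>WEBCONFSEC07</RuleId>
    <Problem>Enabled attribute is set to true</Problem>
    <Resolution>Set enabled attribute to false</Resolution>
  </Information>
  <Conditions>
    <Condition configurationPath="/configuration/system.web/trace" attributeName="enabled" attributeValue="true" comparisionOperator="Equals" />
  </Conditions>
</ConfigurationRule>"""

# Constructed second rule in the same format, to show the evaluator is generic.
DEBUG_RULE_XML = """<ConfigurationRule comparisionType="AttributeCheck" isAndConditions="false">
  <Information cultureName="en-US">
    <RuleId>EXAMPLE-DEBUG</RuleId>
    <Problem>debug attribute is set to true</Problem>
    <Resolution>Set debug attribute to false</Resolution>
  </Information>
  <Conditions>
    <Condition configurationPath="/configuration/system.web/compilation" attributeName="debug" attributeValue="true" comparisionOperator="Equals" />
  </Conditions>
</ConfigurationRule>"""

# Constructed web.config samples: one with both weak settings, one hardened.
WEB_CONFIG_TRACE_ON = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" />
  </system.web>
</configuration>"""

WEB_CONFIG_HARDENED = """<configuration>
  <system.web>
    <trace enabled="false" />
    <compilation debug="false" />
  </system.web>
</configuration>"""


def _find_nodes(root, configuration_path):
    """Walk a configurationPath such as /configuration/system.web/trace.

    Children are matched by exact tag name; returns [] when any step is absent.
    """
    parts = [p for p in configuration_path.split("/") if p]
    if not parts or root.tag != parts[0]:
        return []
    nodes = [root]
    for part in parts[1:]:
        nodes = [child for node in nodes for child in node if child.tag == part]
    return nodes


def condition_holds(condition, config_root):
    """Evaluate one <Condition>; only the Equals operator from the file is supported."""
    operator = condition.get("comparisionOperator")
    if operator != "Equals":
        raise ValueError("unsupported comparisionOperator: %r" % operator)
    name = condition.get("attributeName")
    expected = condition.get("attributeValue", "").lower()
    nodes = _find_nodes(config_root, condition.get("configurationPath", ""))
    # ASP.NET reads these booleans case-insensitively, so "True" counts as "true".
    return any((node.get(name) or "").lower() == expected for node in nodes)


def evaluate_rule(rule_xml, config_xml):
    """Return a finding dict when the rule fires against the config, else None."""
    rule = ET.fromstring(rule_xml)
    config = ET.fromstring(config_xml)
    conditions = rule.find("Conditions").findall("Condition")
    results = [condition_holds(c, config) for c in conditions]
    combine = all if rule.get("isAndConditions", "false").lower() == "true" else any
    if not conditions or not combine(results):
        return None
    info = rule.find("Information")
    return {
        "ruleId": info.findtext("RuleId"),
        "problem": info.findtext("Problem"),
        "resolution": info.findtext("Resolution"),
    }


def scan(config_xml, rule_xmls):
    """Apply every rule to one config and collect the findings in rule order."""
    findings = [evaluate_rule(r, config_xml) for r in rule_xmls]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan(WEB_CONFIG_TRACE_ON, [TRACE_RULE_XML, DEBUG_RULE_XML]):
        print(finding["ruleId"], "-", finding["problem"], "->", finding["resolution"])
```

Running it reports WEBCONFSEC07 and EXAMPLE-DEBUG for the first sample and nothing for the hardened one; a config with no <trace> element also produces no finding, since Equals on a missing attribute is false.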
Steps to use CAT.NET v2.0:

  • Launch a command prompt in administrator mode and go to C:\Program files\Microsoft Information Security tools\Microsoft Code Analysis for .NET(CAT.NET) v2.0.
  • Enter

    CATNetCmd.exe /file:"D:\MyApplication\bin\Application.dll" /configdir:"D:\MyApplication" /report:"D:\MyApplication\ApplicationReport.xml" /reportxsloutput:"D:\MyApplication\ApplicationReport.htm"

  • The /file and /configdir switches are mandatory: /file is the path to the assembly to analyze and /configdir is the path to the folder containing the web.config file to analyze. It analyzes all web.config files under that folder and reports the issues. In total 40 rules are loaded: 33 config rules and 7 data flow rules.
  • The following command-line options are available:

    /file:<target>
    Required. The path of an assembly file to analyze. Multiple file paths and wildcards are not supported. This is a required parameter.

    /configdir:<target directory>
    Required. The path to a directory which contains .NET configuration files for analysis.

    /rules:<directory>
    Optional. The path to a file or directory that contains analysis rule(s).  The engine will use the default rules included with the product by default.

    /report:<file>
    Optional. The file to store the analysis report in.  By default, the report will be saved in 'MicrosoftCodeAnalysisReport.xml' in the current working directory.

    /reportxsl:<file>
    Optional. The XSL file to use to transform the report.  By default, the packaged XSL transform included in the product will be used.

    /reportxsloutput:<file>
    Optional. The output file to store the XSLT transform output in.  By default, the HTML report will be saved in 'report.html' in the current working directory.

    /verbose
    Optional. Enables flag to display verbose message when displaying results.

  • The CAT.NET report contains detailed information about dataflow and configuration analysis errors along with line numbers.

- Syed
