Security

ASP.NET Security Vulnerability Or Not

20 September 2010

Last week two security researchers, Thai Duong and Juliano Rizzo, discovered a bug in the default encryption mechanism used to protect the cookies normally used to implement Forms Authentication in ASP.NET. Using their tool (the Padding Oracle Exploit Tool, or POET), they can repeatedly modify an ASP.NET Forms Authentication cookie encrypted using AES and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and to take between 30 and 50 minutes for any site. Everyone immediately focused on the bug, not mentioning what is commonly known as...

New Microsoft Anti-Cross Site Scripting library published

18 January 2007

The Microsoft Anti-Cross Site Scripting library is an encoding library designed to protect ASP.NET applications from cross-site scripting (XSS) attacks. This library differs from other encoding libraries in that it uses the principle of inclusions technique to provide a high degree of protection against XSS attacks. For those of you who build web applications, this is a library that should always be used.

When everything else fails blame the spammer!

04 December 2006

Recently I came to realize the real threat spammers pose to the Internet community. After trying for two days (30 hours) to find out why a web application that was until recently flawless was not responding on a non-deterministic basis, I discovered (the hard way) that it had been exploited by spammers in order to send their emails. Sending thousands of emails each day, the spammers had actually accomplished a DoS (denial of service) attack on it. So what are the lessons learned here… a) Design your web applications having security always (I don’t...

MSI installation under Vista

11 June 2006

Continuing my Vista setup and exploration, I began installing all the software and components I use in order to develop software. Most of the MSI installation packages (including Microsoft's CAB), though, failed to complete under Vista. It seems that some kind of privileged action is needed in order to complete the installation, which is probably write access to the Program Files directory in order to write an InstallState file, and this is not allowed, not even when the executable is running under an administrative account. The error message says that “Access to the path c:\program files\program\programInstall.InstallState is denied (P.S. not even the administrator can change the access...