Archive for the ‘Security’ Category

New Syntax for HTML Encoding Output in ASP.NET 4

August 19, 2011

Thanks to Scott Guthrie…

Today’s post covers a small, but very useful, new syntax feature being introduced with ASP.NET 4 – which is the ability to automatically HTML encode output within code nuggets.  This helps protect your applications and sites against cross-site script injection (XSS) and HTML injection attacks, and enables you to do so using a nice concise syntax.

HTML Encoding

Cross-site script injection (XSS) and HTML encoding attacks are two of the most common security issues that plague web-sites and applications.  They occur when hackers find a way to inject client-side script or HTML markup into web-pages that are then viewed by other visitors to a site.  This can be used to both vandalize a site, as well as enable hackers to run client-script code that steals cookie data and/or exploits a user’s identity on a site to do bad things.

One way to help mitigate cross-site scripting attacks is to make sure that rendered output is HTML encoded within a page.  This helps ensure that any content that might have been input/modified by an end-user cannot be output back onto a page containing tags like <script> or <img> elements.
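As an added example (it is not code from Scott Guthrie's post), the console program below mirrors what the ASP.NET 4 <%: %> code nugget does at render time: <%: expr %> compiles to a call to HttpUtility.HtmlEncode on expr, except that a value implementing IHtmlString is written through unchanged. RenderRaw and RenderEncoded are helper names chosen for this example, and the attacker input is constructed.

```csharp
// Added example, not code from Scott Guthrie's post: mirrors the render-time behaviour
// of the ASP.NET 4 <%= %> and <%: %> code nuggets. Helper names are chosen for this
// example; the attacker input is constructed.
using System;
using System.Web;

static class CodeNuggetDemo
{
    // Behaves like <%= expr %>: the value is written exactly as it is.
    static string RenderRaw(object value)
    {
        return Convert.ToString(value);
    }

    // Behaves like <%: expr %> in ASP.NET 4.
    static string RenderEncoded(object value)
    {
        IHtmlString trusted = value as IHtmlString;
        if (trusted != null)
        {
            // The caller has declared this markup safe; it bypasses encoding.
            return trusted.ToHtmlString();
        }
        return HttpUtility.HtmlEncode(Convert.ToString(value));
    }

    static void Main()
    {
        // Constructed attacker-controlled input, e.g. a display name taken from a form field.
        string userName = "<img src=x onerror=\"alert(document.cookie)\">";

        // With <%= %> the <img> tag and its onerror handler reach the browser intact.
        Console.WriteLine(RenderRaw(userName));

        // With <%: %> the angle brackets and quotes become character references, so the
        // browser shows the text instead of creating an element.
        Console.WriteLine(RenderEncoded(userName));

        // Caveat: HtmlString is the escape hatch. It is right for markup the application
        // built itself, and wrong for anything derived from user input, which would make
        // <%: %> no safer than <%= %>.
        Console.WriteLine(RenderEncoded(new HtmlString("<b>Site notice</b>")));
        Console.WriteLine(RenderEncoded(new HtmlString(userName)));
    }
}
```

The last two lines are the check worth remembering when reviewing a page: every HtmlString (or other IHtmlString) construction is a place where <%: %> trusts the caller, so each one needs the same scrutiny a raw <%= %> would get.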


Read more…


HTTP Status Code Definitions

Status Code Definitions

I thought this information would be helpful, at least even as just a reference. Each Status-Code is described below, including a description of which method(s) it can follow and any metainformation required in the response.

Informational 1xx

This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line. There are no required headers for this class of status code. Since HTTP/1.0 did not define any 1xx status codes, servers MUST NOT send a 1xx response to an HTTP/1.0 client except under experimental conditions.

A client MUST be prepared to accept one or more 1xx status responses prior to a regular response, even if the client does not expect a 100 (Continue) status message. Unexpected 1xx status responses MAY be ignored by a user agent.

Proxies MUST forward 1xx responses, unless the connection between the proxy and its client has been closed, or unless the proxy itself requested the generation of the 1xx response. (For example, if a proxy adds an “Expect: 100-continue” field when it forwards a request, then it need not forward the corresponding 100 (Continue) response(s).)
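As an added example that is not part of the RFC text quoted above, the reader below applies the client-side 1xx rules: it consumes any number of provisional responses (each a status line plus headers terminated by an empty line) and returns the first final, non-1xx response. The class and method names are chosen for this example and the response bytes are constructed.

```csharp
// Added example, not part of the quoted RFC text: a minimal HTTP response reader that
// tolerates one or more 1xx interim responses before the final one. Names are chosen
// for this example; the wire data in Main is constructed.
using System;
using System.Collections.Generic;
using System.IO;

static class InterimResponseReader
{
    public sealed class FinalResponse
    {
        public int StatusCode;
        public string ReasonPhrase;
        public Dictionary<string, string> Headers =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        public List<int> InterimCodes = new List<int>();   // 1xx codes that were skipped
    }

    // Reads "status-line + headers + empty line" blocks until a non-1xx status appears.
    public static FinalResponse Read(TextReader reader)
    {
        var result = new FinalResponse();
        while (true)
        {
            string statusLine = reader.ReadLine();
            if (statusLine == null)
                throw new IOException("connection closed before a final response arrived");

            string[] parts = statusLine.Split(new[] { ' ' }, 3);
            int code;
            if (parts.Length < 2 || !parts[0].StartsWith("HTTP/") || !int.TryParse(parts[1], out code))
                throw new IOException("malformed status line: " + statusLine);

            // Every 1xx block, like the final one, ends at an empty line.
            var headers = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            string line;
            while (!string.IsNullOrEmpty(line = reader.ReadLine()))
            {
                int colon = line.IndexOf(':');
                if (colon > 0)
                    headers[line.Substring(0, colon).Trim()] = line.Substring(colon + 1).Trim();
            }

            if (code >= 100 && code <= 199)
            {
                // Provisional response: record it and keep reading. A client has to cope
                // with several of these even when it never sent Expect: 100-continue.
                result.InterimCodes.Add(code);
                continue;
            }

            result.StatusCode = code;
            result.ReasonPhrase = parts.Length == 3 ? parts[2] : string.Empty;
            result.Headers = headers;
            return result;
        }
    }

    static void Main()
    {
        // Constructed server output: two interim responses, then the real one.
        const string wire =
            "HTTP/1.1 100 Continue\r\n\r\n" +
            "HTTP/1.1 102 Processing\r\n\r\n" +
            "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok";

        FinalResponse r = Read(new StringReader(wire));
        Console.WriteLine("final: {0} {1}", r.StatusCode, r.ReasonPhrase);
        Console.WriteLine("skipped interim codes: {0}", string.Join(",", r.InterimCodes));
        Console.WriteLine("body starts after {0} header(s)", r.Headers.Count);
    }
}
```

A client that stops at the first status line it sees would treat "100 Continue" as the answer and then misread the next status line as body data; a proxy that does the same can desynchronise its own framing of the connection. Reading blocks until a non-1xx code is the behaviour the MUST clauses above require.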

Read more…

Web Application Security Vulnerabilities

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.

Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may range from nothing, all the way through putting you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization.

Together, these factors determine the overall risk.

The new OWASP Top Ten can be seen below:

Read more…

SSO – Policy Agent Setup

Implementing a Single-Sign-On solution using Policy Agents was a little easier than I thought. Here is some helpful information that is freely available from Oracle and ForgeRock.com.

Downloading and Unzipping the IIS 7.0 Agent Distribution File

To Download and Unzip the IIS 7.0 Agent Distribution File

  1. Log in to the server where you want to install the agent.
  2. Create a directory in which to unzip the agent distribution file.
  3. Download and unzip the agent distribution file for your platform:

     Platform                              Distribution File
     Windows 2008 Server, 32-bit systems   iis_v7_WINNT_agent_3.zip
     Windows 2008 Server, 64-bit systems   iis_v7_WINNT_x64_agent_3.zip

Read more…

Preventing Cross-site scripting attacks using Microsoft Anti-Cross Site Scripting Library

February 16, 2011

Cross-site scripting is one of the biggest threats to web applications. I would like to cover how to prevent cross-site scripting attacks using the Microsoft Anti-Cross Site Scripting Library.

What is Cross-Site scripting(XSS)?

A website is vulnerable to XSS when user-supplied input is used or rendered in the output without proper validation or encoding. For example, the handler below takes the text from a textbox and, with no validation or encoding, embeds it directly in the response:

using System;

public partial class _Default : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        String Input = TextBox1.Text;   // untrusted, attacker-controlled value

        // XSS: the raw value is written straight into the response with no encoding,
        // so a submitted <script> tag is rendered and executed by the browser.
        Response.Write(Input);
    }
}
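The hardened form of that handler, as an added example rather than the original post's code: the same value is encoded for the context it lands in before Response.Write sees it. It assumes the AntiXSS 4.x library is referenced (AntiXssLibrary.dll, namespace Microsoft.Security.Application) with its Encoder.HtmlEncode, HtmlAttributeEncode, JavaScriptEncode(string, bool) and UrlEncode methods; the surrounding markup strings are constructed for the example.

```csharp
// Added example, not the original post's code: Button1_Click with the untrusted value
// encoded per output context. Assumes AntiXSS 4.x (Microsoft.Security.Application.Encoder);
// the markup strings are constructed for the example.
using System;
using Microsoft.Security.Application;

public partial class _Default : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        string input = TextBox1.Text;   // attacker-controlled

        // 1. Element content: HtmlEncode. AntiXSS works from a whitelist, so every
        //    character that is not a letter, digit, space or one of a few punctuation
        //    marks is emitted as a character reference.
        Response.Write("<p>You searched for: " + Encoder.HtmlEncode(input) + "</p>");

        // 2. Inside a quoted attribute value: HtmlAttributeEncode, so the value cannot
        //    close the quote and start an event-handler attribute of its own.
        Response.Write("<input type=\"text\" value=\"" + Encoder.HtmlAttributeEncode(input) + "\" />");

        // 3. Inside a script block: JavaScriptEncode. The second argument asks the library
        //    to emit the surrounding quotes itself, so the result is a complete string
        //    literal that cannot terminate the literal or the <script> element early.
        Response.Write("<script type=\"text/javascript\">var query = "
                       + Encoder.JavaScriptEncode(input, true) + ";</script>");

        // 4. Inside a URL query string: UrlEncode (percent-encoding), not HTML encoding,
        //    so & and = in the value cannot add parameters of their own.
        Response.Write("<a href=\"/search.aspx?q=" + Encoder.UrlEncode(input) + "\">Search again</a>");
    }
}
```

Pick the encoder from where the value lands, not from the page as a whole. Character references are decoded by the HTML parser in element content and attribute values, but not inside a <script> block, so HtmlEncode on its own does not make case 3 safe, and a value placed in a URL needs percent-encoding as well. Input validation (length, allowed characters) is still worth doing, but output encoding is what stops the browser from interpreting the data as markup.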


Read more…
