ASP.NET 2.0 and the new HTTP-only property

To minimize the threat of Cross Site Scripting attacks, ASP.NET 1.1 introduced ValidateRequest="true" on the @ Pages element.  Recently, Microsoft improved HttpUtility.HtmlEncode with the new Anti-XSS tool.  But another subtle and equally important addition in ASP.NET 2.0 is the HTTP-only option.  HTTP-only is a flag that you can append to cookies and helps…


Least Privilege Development in Microsoft Windows Vista

In my last Webcast on Least Privilege I alluded to the fact that this was going to change with the release of Windows Vista.  In fact it is going to change significantly.  Here is a white paper that provides an understanding of User Account Protection (UAP) in Windows Vista.  The paper was written a few…


Thoughts on Security Analogies

I thought I would share Michael Howard's recent blog post, "Security Analogies are Wrong".  I agree with Michael's take on security analogies, as I hear them all the time, but I thought his post was hilarious as he turns the tables with his counter analogy: If cars operated in an environment like the Internet, they…


Microsoft Threat Analysis & Modeling tool v 2.0 (Beta 2)

Today Microsoft released Beta 2 of the second version of the Threat Modeling and Analysis Tool for download.  Microsoft has been using the Threat Modeling methodology as part of our Security Development Lifecycle for a few years now.  Threat Modeling is a security-based analysis of an application to find "anti-scenarios".  This is probably one…


Answer to the Trivial Question

The answer to the trivia question from my blog, based upon the March 8, 2006 WebCast "Least Privilege Development and New System.Security Features", is below:   Question:  The KeyInfo element can consist of either a <KeyName/> or a <RetrievalMethod/> child element.  What is the purpose of each element and what are the differences between the…


Developing as Non Admin with Admin Access on a Server

Here is another cool trick for running as Non Admin that was shared with me by Aaron and works like a charm.  The scenario: if you require Administrative privileges on an IIS Server but you still want to develop and design as non-admin on your local machine, then you can do the following: …


WebCast’s Notes: Least Privilege and New System.Security Features

In today’s Webcast we first started off with a continuation from last week.  Last week we explored how to setup a development and design environment that closely emulates your production environment to make your testing more effective and efficient.  This was accomplished by enabling Debug in Zone and using tools such as permcalc.  This week…


Microsoft Updated Anti-XSS Tool

In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Library.  However, at the time the library only worked with ASP.NET 2.0 applications.  Today, the Library has been updated and now works with .NET Framework 1.0, 1.1 and 2.0.  You can download the updated Library at: http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en


Input Validation in ASP.NET? Bug or Not?

Recently I was pinged by a colleague in the security field who asked me why the Regular Expression Validator was not validating against null values in an ASP.NET control.  I was able to reproduce the same behaviour on both Visual Studio 2003 and Visual Studio 2005, and it appears that Regular Expression…
