FxCop ASP.NET Security Rules release

The FxCop ASP.NET security rules have finally been released after being used internally for quite some time. You can read more about them in this month's MSDN Magazine at http://msdn.microsoft.com/en-us/magazine/gg490350.aspx. The rules are available on CodePlex at http://fxcopaspnetsecurity.codeplex.com/


Strict Transport Security ASP.NET Module

I’ve been tackling the problem of users connecting to online services from untrusted networks. At work we typically call this the “Starbucks” scenario, where a user connects to a random Wi-Fi network and accesses corporate data through online services. In the majority of cases, the browser is used to connect to the services and…


Using ValidateRequest to detect when XSS is occurring

To limit the risk of Cross-Site Scripting (XSS) attacks, ASP.NET 2.0 introduced a way to detect such attacks and automatically reject the request. This functionality is exposed by PageSections.ValidationRequest and is turned on by default. This should not be considered a foolproof solution against XSS, but a good…


Watch out for scheme relative urls

Doing my usual random code browsing yesterday, I stumbled on a method that piqued my curiosity. The intent of the method is to only allow redirects to relative paths. If the redirect target is not a relative path, it is rejected. Let’s look at the implementation. public static void SafeRedirect(HttpResponse response, string rawRelativeUrl) { Uri…


Lessons Learned at Windows Live by Using ASP.NET MVC

We published a new security whitepaper based on our experience with ASP.NET MVC. The whitepaper is available at http://www.microsoft.com/downloads/details.aspx?FamilyID=7606f801-70c5-49ca-a18c-91d4ed725833&displaylang=en


Fxcop rule to verify the use of ASP.NET MVC AntiforgeryTokenAttribute

I’ve been working on code auditing for a project that makes use of the latest ASP.NET MVC API. It turned out that it didn’t benefit from the built-in CSRF mitigation available since the preview 5 version of the API. The mitigation is quite simple: it generates tokens and validates them inside controller actions. As usual, I rather…


Checking for ViewStateUserKey using FxCop

ASP.NET has had a mitigation against CSRF/one-click attacks since 1.1 through the Page.ViewStateUserKey property. I’ve implemented a basic FxCop rule to verify whether this property is set on each page. The rule is basic, so it doesn’t look at what is assigned to the property and only checks whether something is assigned…


Fxcop HtmlSpotter – Spotting ASP.NET XSS using Fxcop and Html encoding document

In my previous post, I provided a list of which ASP.NET HTML control properties offer automatic HTML encoding. As a side note, I was made aware that an older version of that file is available in the support files of the Hunting Security Bugs book. I initially received this document from Tom Gallagher's team and made…


Which ASP.NET Controls Automatically Encode?

I’ve had a lot of people ask me which ASP.NET controls offer automatic HTML encoding, and for a long time my answer was to look at MSDN or even write a quick sample and test the behavior. If you are asking yourself the same question, you can now use the attached document to…