Checking for ViewStateUserKey using FxCop

ASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. I’ve implemented a basic FXCop rule to verify if this property is used on each page. The rule is basic so it doesn’t look at what is assigned to the property and only looks if something is assigned…

0

Fxcop HtmlSpotter – Spotting ASP.NET XSS using Fxcop and Html encoding document

In my previous post, I provided a list of which ASP.NET HTML control property that offers automatic HTML encoding. As a side note, I was made aware that an older version of that file is available from the support files of the Hunting Security Bugs book. I initially received this document from Tom Gallagher team and made…

3

Which ASP.NET Controls Automatically Encodes?

I’ve had a lot of people ask me which ASP.NET control offers automatic html encoding and the answer I had for a long time was to look at MSDN or even write a quick sample and test the behavior. If you are asking yourself the same question, you can now use the attached document to…

6