TechNet Webcast: Configuring with Least Privilege in SQL Server 2008

I recently presented a TechNet Webcast on the topic “Configuring with Least Privilege in SQL Server 2008”. The topics covered in the Webcast are:- 1. Configuring SQL Server service accounts with least privilege. Service isolation is also explained. 2. Configuring accounts connecting to SQL Server from a Web application (Principals) with least privilege. 3. Running…


Catch the security flaw #6

If you can find the security issue with this piece of code, write about it by adding a comment to this blog post. This is the scenario:- 1. There is a Web site that allows end users to upload their pictures. 2. On the Web server, the Web site is physically located at C:\Inetpub\wwwroot\sampleapp, which…


Virtual techdays: Top 5 Web Application security bugs in custom code

Microsoft Virtual TechDays is starting from the 18th February 09. In the security track, I will be presenting on the topic “Top 5 Web Application Security bugs in custom code”. As a security engineer in the ACE Team, I have been reviewing line-of-business applications for the past two years. In this presentation, I will talk…


catch the security flaw #5 (flaw and its countermeasure)

In my last post, I showed input validation code that uses RegularExpressionValidators improperly. Thanks to Mathew Grabau and Marius Cristian CONSTANTIN for pointing out that the Page’s IsValid property has not been checked before using the input. As a result, effectively, the code performs only client side validation, which can easily be bypassed. As a…


Catch the security flaw #5

A lot of web applications use RegularExpressionValidators for performing input validation [1]. Sometimes these validators are not implemented properly, which can lead to potential flaws. See if you can catch the flaw here:- Code for Default.aspx:- 1: <%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeFile="Default2.aspx.cs" Inherits="Default2" %> 2: <html xmlns="" > 3: <body> 4: <form id="form1" runat="server">…


Catch the Security Flaw(s) #4

Identify as many security issues as you can with this piece of code:- 1:     [WebMethod] 2: public string GetEmpName(string empid) 3: { 4: SqlConnection con = new SqlConnection(“server=.;database=test;uid=sa;pwd=PassW2rd12”); 5: SqlCommand cmd = new SqlCommand(“select username from users where id = ” + empid, con); 6: con.Open(); 7: string empname = (string)cmd.ExecuteScalar(); 8: con.Close(); 9: return…


NASSCOM – DSCI Information Security Summit 2008 Security Tutorial

My colleague Sagar and I will be conducting an application security workshop at the NASSCOM – DSCI Information Security Summit 2008 on the 1st December in IIIT, Hyderabad, India. More information can be found here:-  The agenda is here:-


How To: Configure permissions in Out-of-the-box MOSS 2007 Approval Workflow such that “Approvers” cannot edit or delete the item to be approved

1. Consider a Microsoft Office SharePoint Server 2007 site that will be used as a “Document Approval System”. Certain users will be “Editors” and they will be able to upload documents for approval. Another set of users will be “Approvers”. These users can either approve or reject the uploaded documents. The security requirement is that…


Catch the Security Flaw #3

Quite a few web applications encrypt query string values. This is generally done as an added measure to prevent unauthorized access. Since the end user cannot chose a value and then encrypt it, changing parameters becomes difficult. But encryption is not a panacea. See if you can spot this bug. The code behind file looks…


Confusion property of symmetric block ciphers

Modern symmetric block encryption algorithms need to satisfy a number of properties to be considered strong. One such property is the property of “Confusion”. What it means is that if an attacker is conducting an exhaustive key search, and if the key being tested is incorrect only in a few bits, the decrypted text should…