SEARCH RESULTS
Showing 1-10 of 55 records
Lessons learned from the massive SQL injection attacks against legacy Microsoft ASP apps

2008-07-08 14:32:33 by Chenxi Wang in Security & Risk Management
...ASP applications running on IIS. The latest report has the number of attacked sites at 500,000. The press makes it sound like there is a new vulnerability in IIS or ASP. This cannot be further from the truth. The reality is the attacks are targeting Web applications where user input validation is not done (this is one of the fundamental...
ASP.NET Health Monitoring doesn't log inner exception stack trace

2008-08-01 16:21:00 by keith-brown in Security Briefs

...ASP.NET's health monitoring system does list the inner exceptions (apparently up to a maximum depth of two, from spelunking the code with reflector), but it does not emit the stack traces for these exceptions, which would be really helpful. I've spent some time this morning trying to figure out how I'd customize things to emit this, and it...
Better exception reporting in ASP.NET

2008-08-01 20:30:05 by keith-brown in Security Briefs

...ASP.NET health monitoring doesn't output stack traces for inner exceptions, which can be problematic due to its heavy reliance on reflection. I spent the morning doing some further spelunking with reflector, and my first solution was to implement a custom WebEvent that overrides ToString() to format itself with all of the data I care about....
Better exception reporting in ASP.NET part 2

2008-08-04 14:11:14 by keith-brown in Security Briefs

...ASP.NET wasn't reporting inner exception stack traces. The second post described my solution. This post shows the code I used to solve the problem: a custom email provider for the Health Monitoring system in ASP.NET. Enjoy. Here's the provider. Note that I opted *not* to build a buffering provider to keep things simple: public class...
Two-way formatted data binding in ASP.NET

2008-08-15 20:22:37 by keith-brown in Security Briefs

...ASP.NET is easy, just use the Bind expression and data will flow between your web controls and your data source flawlessly. Until, that is, you try to use a format string: Bind("AmountCharged", "{0:C While this displays just as you'd expect (e.g., $200), it doesn't do so well when you submit an edit that includes the same value ($200 Input...
A tip on using ASP.NET validation controls

2008-09-03 17:16:35 by keith-brown in Security Briefs

...<asp:RequiredFieldValidator ErrorMessage="Zip/postal code is required" ControlToValidate='txtPostalCode' ValidationGroup='BasicInfo' Display="Dynamic" runat='server'>*</asp:RequiredFieldValidator> I've learned a lesson from all of this. In the future when I use validation controls I'll always provide a summary-friendly message in the...
New Security Tools for IIS and SQL

2008-06-25 21:45:45 by jrjones in Jeff Jones Security Blog

...ASP code susceptible to SQL injection attacks. Scrawlr (see HP's security blog for more), a free scanner, developed by HP Web Security Research Group in conjunction with Microsoft, which will allow customers to identify whether their Web sites might be susceptible to SQL injection. There are already a lot of resources out there available...
Identity Framework Probable Feature List

2007-12-16 06:42:00 by Keith Brown in Security Briefs
...ASP.NET authentication pipeline. According to Vittorio, this "automates a lot of the validation work in the framework". It's called FederatedAuthenticationModule, which gives a hint as to its function. It probably sets up HttpContext.User like a traditional authn module would. It's probably not specific to building an STS (remember the Fx is...
SQL Injection Follow-up

2008-05-30 15:58:00 by sdl in The Security Development Lifecycle
...ASP sites. Additionally, the Security Vulnerability Research & Defense blog has just posted an analysis of the attack along with guidance recommendations for IT/database admins, web developers, and end users. Finally, if you are looking for classic ASP-specific (not ASP.NET) guidance, Bala Neerumalla has posted a detailed document on...