Doomed software developers that do not understand security


Say for a moment you have a software development task to notify end users of a specific event, and this notification is critical for a number of reasons. Would the average development team understand the best architectural design? What if I told you that your development team goes off and creates the software and it is a success, but in no time the network becomes unstable and eventually crashes? Sound impossible? Not if the software essentially performed a denial-of-service (DoS) attack. In a DoS attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts, or other services that rely on the affected computer. The most common and obvious type of DoS attack occurs when an attacker “floods” a network with information. When you type a URL for a particular website into your browser, you are sending a request to that site’s server to view the page. The server can only process a certain number of requests at once, so if an …


How to defend against Cross Site Scripting with Microsoft .NET 4.5 AntiXss


One of the most common threats to websites is cross site scripting (XSS), in which a malicious user attempts to load content of their own, such as JavaScript and HTML, into your website. This attack is typically carried out via a form input or query string. XSS can have very nasty results, including content modification or, worse, hijacking of user account information. If you’re asking yourself how you can possibly reduce the likelihood of this threat, the answer is simple: encode, and never trust user input under any circumstance. It is not that all users are attackers, but mistakes do happen, and for this reason if you never trust the input you will find that you are ahead of the game. There are three basic types of XSS vectors.
Reflected: This type of attack injects code, either through input or output, as part of the request.
Stored: This type of attack stores the injection in a persistent state on the target server, typically a database.
DOM: The document object model attack is delivered via the HTTP response, which typically results from the stored attack vulnerability.
A1-Injection description: Injection flaws, such …


.NET Security Inspection Questions


Application security encompasses measures taken throughout the application’s life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application. Applications only control the use of resources granted to them, and not which resources are granted to them. They, in turn, determine the use of these resources by users of the application through application security. The next time you begin a project, stop and ask yourself the following questions. The best way to be successful is to prepare in advance and know what to look for. Here’s a checklist to help you get the most out of your Web application security testing; trust me, you will be in a better position if you do.

SQL Injection
Is the application susceptible to SQL injection?
Does the code use parameterized stored procedures?
Does the code use parameters in SQL statements?
Does the code attempt to filter input?

Cross-Site Scripting
Does the code echo user input or URL parameters back to a Web page?
Does the code persist user input or URL parameters to a data store that could later be displayed on a Web page?

Input/Data …


Series DropDownList: Cascading DropDownList


This is the second article on the subject of DropDownList. If for any reason you missed the earlier post titled Series DropDownList: Binding XML Data to a DropDownList, I would recommend that you take the time to read that post as well. In part two of this series I will focus on accomplishing cascading selections with your DropDownList. Since the bulk of the work was accomplished in DropDownList: Binding XML Data to a DropDownList, we will pick up from there.

Web Form

Here we will incorporate a small change from the previous example. Notice that in this example I have added a new event titled OnSelectedIndexChanged.

    <label for="ddlCountry">Country:</label>
    <asp:DropDownList ID="ddlCountry" runat="server" AutoPostBack="True" OnSelectedIndexChanged="ddlCountry_SelectedIndexChanged" Width="160px">
    </asp:DropDownList>
    <label for="ddlRegion">Region:</label>
    <asp:DropDownList ID="ddlRegion" runat="server" AutoPostBack="True" OnSelectedIndexChanged="ddlRegion_SelectedIndexChanged" Width="160px">
    </asp:DropDownList>
    <label for="ddlCity">City:</label>
    <asp:DropDownList ID="ddlCity" runat="server" Width="160px">
    </asp:DropDownList>

Code Behind

Each selected index change event fires the appropriate method, which in turn makes a call back to the server and reads in the appropriate data to be returned and bound to our DropDownList.

    protected void ddlCountry_SelectedIndexChanged(object sender, EventArgs e)
    {
        // Clear the dependent list before repopulating it for the newly selected country
        ddlRegion.Items.Clear();
        string strCountry = string.Empty;
        strCountry = ddlCountry.SelectedValue;
        List<string> list = null;
        // Index 0 is the placeholder entry, so only look up regions for a real selection
        if (ddlCountry.SelectedIndex != 0)
        {
            list = RetrieveDataFromXml.GetRegionByCountry(strCountry);
            if (list != null && list.Count != 0) …


Series DropDownList: Binding XML Data to a DropDownList


Who doesn’t love XML? Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications, all gratis open standards. The design goals of XML emphasize simplicity, generality, and usability over the Internet. It is a textual data format with strong support via Unicode for the languages of the world. Although the design of XML focuses on documents, it is widely used for the representation of arbitrary data structures, for example in web services. Bottom line: XML is easily created, consumed, and understood. In this article we will focus on the basic idea of binding XML data to a DropDownList. When it is all said and done your DropDownList will look similar to the following example.

XML Source

First we need an XML file. In this example we have XML that contains countries, regions, and cities.

    <?xml version="1.0" encoding="utf-8" ?>
    <Countries>
      <Country name="Korea">
        <Region name="South Korea">
          <City> Seoul </City>
          <City> Taegu </City>
          <City> Songtan </City>
        </Region>
      </Country>
      <Country name="USA">
        <Region name="California">
          <City> Los Angeles </City>
          <City> Bakersfield </City>
          <City> …
