A very serious vulnerability in ASP.NET was revealed this past month that allows attackers to completely compromise ASP.NET Forms Authentication, among other things. When things like this happen, as developers it's important to see what lessons can be learned in order to improve the defensibility of our software. Source: 'Padding Oracle' Crypto Attack Affects Millions of … Continue reading ASP.NET Padding Oracle Vulnerability
I just ran across Jakob Nielsen's Alert Box post titled Stop Password Masking and wanted to provide some feedback from a security vs. usability perspective. I have great respect for Nielsen's contribution to the usability of the web. Back in the early days of the internet (mid-1990s), his books were gospel at my consulting … Continue reading Response to Nielsen's "Stop Password Masking"
In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET's session architecture and authentication architecture. In this post, I'll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures. Attack Scenario: ASP.NET Session with Forms Authentication So understanding the … Continue reading Session Attacks and ASP.NET - Part 2
I've spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven't looked at 4.0 beta yet). Before illustrating how a specific attack works with some specific countermeasures for ASP.NET (in … Continue reading Session Attacks and ASP.NET - Part 1
The Internet is FULL of real life scenarios of how NOT to do web application security...it is unfortunate when a large, popular site shows the rest of the world some form of this inappropriate behavior. Unfortunate because it becomes both a HOW-TO for programmers, marketers, and decision makers to repeat as well as an illustration of what … Continue reading How Not to Do Web Site User Registration