AppSec Blog

ASP.Net Forms Authentication Bypass

It was recently announced that there is a vulnerability in ASP.Net Forms Authentication. The vulnerability allows an attacker to assume the identity of another user within the application without the need to know the victim's password. This is a critical vulnerability as it could allow users to execute commands they do not have access to. … Continue reading ASP.Net Forms Authentication Bypass


ASP.Net Insecure Redirect

It was recently discovered that there was a vulnerability within the ASP.Net Forms Authentication process that could allow an attacker to force a user to visit a malicious web site upon successful authentication. Until this vulnerability was found, it was thought that the only way to allow the Forms Authentication redirect (managed by the ReturnUrl … Continue reading ASP.Net Insecure Redirect


Seven Tips for Picking a Static Analysis Tool

Stephen J, who is a member of our software security mailing list, asked a while back, "Do you have any recommendations on static source code scanners?" James Jardine and I started talking and came up with the following tips. There are so many commercial static analysis tools from vendors like Armorize, Checkmarx, Coverity, Fortify (HP), … Continue reading Seven Tips for Picking a Static Analysis Tool


Apple's iCloud: Thoughts on Security and the Storage APIs

This is a guest post from security researcher Nitesh Dhanjani which follows his previous iOS articles. At the 2011 World Wide Developer Conference in San Francisco, Steve Jobs revealed his vision for Apple's iCloud: to demote the desktop as the central media hub and to seamlessly integrate the user's experience across devices. Apple's iCloud service … Continue reading Apple's iCloud: Thoughts on Security and the Storage APIs


Real and useful security help for software developers

There's lots of advice on designing and building secure software. All you need to do is: Think like an attacker. Minimize the Attack Surface. Apply the principles of Least Privilege and Defense in Depth and Economy of Mechanism. Canonicalize and validate all input. Encode and escape output within the correct context. Use encryption properly. Manage … Continue reading Real and useful security help for software developers