# Saturday, 18 September 2010

A couple of days ago I became aware of the following article: Security Hack Exposes Forms Authentication in ASP.NET. That never sounds good, and Microsoft swiftly crafted a workaround to mitigate the attack. It consists of two parts: a customErrors setting in web.config so that every unhandled error, whatever its cause, is answered with one and the same page, and (on 3.5 SP1 and 4.0) a small piece of code in that page that adds a random delay. The aim is that an attacker can no longer tell different error conditions apart by the content of the response or by how long the server took to produce it. Keep in mind that this is a workaround, not a fix: it reduces what the server reveals about errors but leaves the underlying flaw in place.

For ASP.NET 1.0 to 3.5 (before SP1) use this adjustment, and make sure the static error.html it points to actually exists in the application root, otherwise the error handling itself fails and you are back to distinguishable responses:

<configuration>        
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>       
</configuration>

For ASP.NET 3.5 SP1 and 4.0 use this adjustment. The redirectMode attribute only exists from 3.5 SP1 on; ResponseRewrite serves the error page in place instead of sending the browser a redirect to it, so the original request gets the same response (and the random delay below) regardless of what went wrong:

<configuration>
   <system.web>
     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>

You'll also need to put that error.aspx page in the application root (the ~/ in defaultRedirect) with the following content:

VB version:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    Sub Page_Load()
        ' One random byte gives a delay of 0 to 255 milliseconds
        Dim delay As Byte() = New Byte(0) {}
        ' Use the cryptographic generator, not System.Random, so the delay is not predictable
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)
        ' Sleep before rendering so every error response carries a random timing offset
        Thread.Sleep(CType(delay(0), Integer))

        ' Dispose through the interface check so the page also compiles on runtimes
        ' where the generator does not implement IDisposable (it does from .NET 4.0)
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        Sorry - an error occurred
    </div>
</body>
</html>

C# version:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // One random byte gives a delay of 0 to 255 milliseconds
        byte[] delay = new byte[1];
        // Use the cryptographic generator, not System.Random, so the delay is not predictable
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        // Sleep before rendering so every error response carries a random timing offset
        Thread.Sleep((int)delay[0]);

        // Dispose through the interface check so the page also compiles on runtimes
        // where the generator does not implement IDisposable (it does from .NET 4.0)
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
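Once the workaround is in place you want to confirm that failing requests really are indistinguishable. The following is an added example, not code from the original post or from Microsoft: a small Python check that compares a set of error responses by status code, body and timing. The responses in the block are constructed samples labelled as such; the collect() helper shows how real ones would be gathered from a deployed site, and JITTER_MS is an assumption taken from the one-byte delay in the error page above.

```python
"""Check that error responses from an ASP.NET site are indistinguishable.

Added example, not code from the original post or from Microsoft. It
compares a set of error responses by status code, body and timing. The
responses further down are constructed samples; collect() shows how real
ones would be gathered from a deployed site.
"""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Assumption: the error page sleeps for one random byte's worth of
# milliseconds (0..255), so timing gaps inside that window are noise.
JITTER_MS = 255


@dataclass(frozen=True)
class ErrorResponse:
    trigger: str        # label of the failing request that produced it
    status: int
    body: str
    elapsed_ms: float


def normalise(body: str) -> str:
    """Collapse whitespace so purely cosmetic differences do not count."""
    return " ".join(body.split())


def classify(responses: List[ErrorResponse]) -> Dict[str, object]:
    """Return the ways the responses differ; an empty dict means none found."""
    findings: Dict[str, object] = {}

    statuses = sorted({r.status for r in responses})
    if len(statuses) > 1:
        findings["status"] = statuses

    bodies = sorted({normalise(r.body) for r in responses})
    if len(bodies) > 1:
        findings["body"] = bodies

    # Mean elapsed time per trigger: one slow code path shows up as a gap
    # between trigger means that the 0..255 ms jitter cannot explain.
    samples: Dict[str, List[float]] = {}
    for r in responses:
        samples.setdefault(r.trigger, []).append(r.elapsed_ms)
    means = {t: mean(v) for t, v in samples.items()}
    if len(means) > 1 and max(means.values()) - min(means.values()) > JITTER_MS:
        findings["timing_ms"] = {t: round(m, 1) for t, m in means.items()}
    return findings


def collect(url: str, trigger: str, n: int = 5) -> List[ErrorResponse]:
    """Fetch a URL that is expected to fail n times and record each response."""
    out = []
    for _ in range(n):
        start = time.perf_counter()
        try:
            with urllib.request.urlopen(url) as resp:
                status, body = resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
            status, body = err.code, err.read().decode(errors="replace")
        out.append(ErrorResponse(trigger, status, body,
                                 (time.perf_counter() - start) * 1000))
    return out


# Constructed samples. Before the workaround, two failing requests get
# different status codes and different pages.
LEAKY = [
    ErrorResponse("missing-page", 404, "<h2>The resource cannot be found.</h2>", 12.0),
    ErrorResponse("missing-page", 404, "<h2>The resource cannot be found.</h2>", 14.0),
    ErrorResponse("bad-query", 500, "<h1>Server Error in '/' Application.</h1>", 30.0),
    ErrorResponse("bad-query", 500, "<h1>Server Error in '/' Application.</h1>", 33.0),
]

# After the workaround: same status, same body, timings spread by the jitter.
UNIFORM_BODY = "<div>\n    An error occurred while processing your request.\n</div>"
UNIFORM = [
    ErrorResponse("missing-page", 500, UNIFORM_BODY, 40.0),
    ErrorResponse("missing-page", 500, UNIFORM_BODY, 200.0),
    ErrorResponse("bad-query", 500, UNIFORM_BODY, 90.0),
    ErrorResponse("bad-query", 500, UNIFORM_BODY, 230.0),
]

# Same page everywhere, but one trigger is consistently slower than the
# jitter window allows: still an oracle, just a timing one.
SLOW_PATH = [
    ErrorResponse("missing-page", 500, UNIFORM_BODY, 40.0),
    ErrorResponse("missing-page", 500, UNIFORM_BODY, 60.0),
    ErrorResponse("bad-query", 500, UNIFORM_BODY, 600.0),
    ErrorResponse("bad-query", 500, UNIFORM_BODY, 640.0),
]

if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY), ("uniform", UNIFORM), ("slow path", SLOW_PATH)):
        print(name, classify(sample) or "no differences found")
```

Run it against a real site by replacing the constructed lists with the output of collect() for a handful of requests that are known to fail in different ways, for example a page that does not exist and a request with a deliberately corrupted query string. Two things to keep in mind when reading the result: the uniform error page is the part of the workaround that does the real work, and the delay is only noise. One random byte is at most 255 ms of uniformly distributed jitter per request, and noise of that kind averages out over repeated requests, so a code path that is consistently slower remains measurable with enough samples; the delay raises the cost of a timing measurement, it does not remove the signal.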

Grz, Kris.

Saturday, 18 September 2010 13:49:57 (GMT Daylight Time, UTC+01:00)
# Thursday, 22 May 2008

Just found out about this site about security: Hellosecureworld. Take a look at it. It's in Silverlight (always a good reason to check something out) and it has comics (another good reason). What are you waiting for: click the link!

Grz, Kris.

Thursday, 22 May 2008 20:35:39 (GMT Daylight Time, UTC+01:00)
# Thursday, 07 February 2008
Just read that Scott Mitchell has started another series of ASP.NET articles. This time he'll be covering security in ASP.NET. Be sure to check it out: Security tutorials.

Grz, Kris.
Thursday, 07 February 2008 09:47:35 (GMT Standard Time, UTC+00:00)
# Monday, 03 December 2007

To build software that meets your security objectives, you must integrate security activities into your software development lifecycle. This handbook captures and summarises the key security engineering activities that should be an integral part of your software development processes.

These security engineering activities have been developed by Microsoft patterns & practices to build on, refine and extend core lifecycle activities with a set of security-specific activities. These include identifying security objectives, applying design guidelines for security, threat modelling, security architecture and design reviews, security code reviews and security deployment reviews.

It's not a book that you would read but rather a security best practices checklist. Download the free eBook if you're interested.

Grz, Kris.

MSDN | PnP | Security
Monday, 03 December 2007 12:03:54 (GMT Standard Time, UTC+00:00)
# Friday, 18 May 2007

I'm already subscribed for that event and if you would like to come too, you can go to this page: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340308&Culture=en-US.

Hope to see you there!

Grz, Kris.

Friday, 18 May 2007 09:07:54 (GMT Daylight Time, UTC+01:00)
# Monday, 15 January 2007

Hi,

Last Saturday I already wrote about the new Anti-XSS library, and I just found out there's a dedicated forum available for all your questions. Take a look here: Anti-Cross Site Scripting Library.

Grz, Kris.

Monday, 15 January 2007 08:19:48 (GMT Standard Time, UTC+00:00)
# Saturday, 13 January 2007

Microsoft recently released the new version of their Anti-Cross Site Scripting (XSS) Library, currently at version 1.5. You can download it and find more information about it here. If you're concerned about security in ASP.NET, give this library a try.

Grz, Kris.

Saturday, 13 January 2007 11:08:37 (GMT Standard Time, UTC+00:00)