# Saturday, September 18, 2010
Important: ASP.NET Security Vulnerability

A couple of days ago I became aware of the following article: Security Hack Exposes Forms Authentication in ASP.NET. That never sounds good and Microsoft swiftly crafted a workaround to mitigate the attack. It simply consists of changing your web.config and adding a file with some piece of code in it.

For ASP.NET 1.0 to 3.5 use this adjustment:

<configuration>        
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>        
</configuration>

For ASP.NET 3.5SP1 and 4.0 use this adjustment:

<configuration>
   <system.web>
     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>

You’ll also need to put that error.aspx page on your server with the following content:

VB version:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
 
<script runat="server">
    Sub Page_Load()
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
        
        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))
        
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>
 
<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        Sorry - an error occured
    </div>
</body>
</html>

C version:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
 
<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();
 
      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);
        
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
    }
</script>
 
<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>

Grz, Kris.

ASP.NET | Security | Vulnerability
Saturday, September 18, 2010 1:49:57 PM (GMT Daylight Time, UTC+01:00)  #    Disclaimer  |  Comments [15]  | 
# Thursday, May 22, 2008
Hello Secure World

Just found out about this site about security: Hellosecureworld. Take a look at it. It's in Silverlight (always a good reason to check something out) and it has comics (another good reason). What are you waiting for: click the link!

Grz, Kris.

Links | Microsoft | Security | Silverlight
Thursday, May 22, 2008 8:35:39 PM (GMT Daylight Time, UTC+01:00)  #    Disclaimer  |  Comments [0]  | 
# Thursday, February 07, 2008
Learning ASP.NET security
Just read that Scott Mitchel has started another series on ASP.NET articles. This time he'll be covering security in ASP.NET. Be sure to check it out: Security tutorials.

Grz, Kris.
ASP.NET | Security
Thursday, February 07, 2008 9:47:35 AM (GMT Standard Time, UTC+00:00)  #    Disclaimer  |  Comments [0]  | 
# Monday, December 03, 2007
Developer Highway Code book

To build software that meets your security objectives, you must integrate security activities into your software development lifecycle. This handbook captures and summarises the key security engineering activities that should be an integral part of your software development processes.

These security engineering activities have been developed by Microsoft patterns & practices to build on, refine and extend core lifecycle activities with a set of security-specific activities. These include identifying security objectives, applying design guidelines for security, threat modelling, security architecture and design reviews, security code reviews and security deployment reviews.

It's not a book that you would read but rather a security best practices checklist. Download the free eBook if you're interested.

Grz, Kris.

MSDN | PnP | Security
Monday, December 03, 2007 12:03:54 PM (GMT Standard Time, UTC+00:00)  #    Disclaimer  |  Comments [0]  | 
# Friday, May 18, 2007
MSDN Evening: Securing ASP.NET AJAX enabled web applications, lessons from the field

I'm already subscribed for that event and if you would like to come to you can go to this page: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340308&Culture=en-US.

Hope to see you there!

Grz, Kris.

MSDN | Personal | Presentation | ASP.NET AJAX | Security
Friday, May 18, 2007 9:07:54 AM (GMT Daylight Time, UTC+01:00)  #    Disclaimer  |  Comments [0]  | 
# Monday, January 15, 2007
Anti-Cross Site Scripting forum

Hi,

last saturday I already wrote about the new anti XSS library and I just found out there's a dedicated forum for all your question available. Take a look here: Anti-Cross Site Scripting Library.

Grz, Kris.

ASP.NET | Security
Monday, January 15, 2007 8:19:48 AM (GMT Standard Time, UTC+00:00)  #    Disclaimer  |  Comments [0]  | 
# Saturday, January 13, 2007
Anti-Cross Site Scripting Library

Microsoft recently release the new version of their Anti-Cross Site Scripting (XSS) Library, currently at version 1.5. You can download and find more information about it here. If you're concerned about security in ASP.NET give this library a try.

Grz, Kris.

kick it on DotNetKicks.com

ASP.NET | Security
Saturday, January 13, 2007 11:08:37 AM (GMT Standard Time, UTC+00:00)  #    Disclaimer  |  Comments [0]  |