Channel: Casaba Security » ASP.NET
Browsing latest articles
Browse All 5 View Live

ViewStateUserKey to prevent XSRF (CSRF or cross-site request forgery) in ASP.NET

ViewStateUserKey has been around for many years and is an easy solution to prevent the infamous XSRF or cross-site request forgery class of attack. It’s documented:...


Using ASP.Net session handling with secure sites (set the secure flag)

One of the common problems we see with many web applications is reliance on ASP.Net sessionID without understanding the security ramifications. ASP.Net provides web developers with a powerful means of...


useUnsafeHeaderParsing = what?

As software security people we usually like input restrictions to be tight. With .Net's HttpWebRequestElement.UseUnsafeHeaderParsing Property you can loosen up the way HTTP requests get parsed....


Preventing Security Development Errors: Lessons Learned at Windows Live by...

Casaba had the opportunity to contribute to a new Microsoft paper regarding ASP.NET MVC security. It's online through the SDL pages, and here's the paper's direct link. A short summary of the paper...


Asp .Net MVC Security Review Checklist

Here’s a little checklist I put together for ASP .Net MVC. It includes the high-level stuff to look at when reviewing an MVC application. In order to fully understand/consume the info it requires at...

