Secret Questions and Answer Design

There is controversy as to whether secret questions and answers really add much to the security of a site. That said, many major sites do rely on them. With a more connected world and social media, secret answers are often available online with some research. The first decision is whether to use a secret question the […]

Securing Password Change Top 10, well 13

By password change I mean when a logged-on user decides to update their password, i.e. they know the current password. The following need consideration: Remember to add the functionality in the first place, as it is good practice. Make sure the pages and responses are over HTTPS. The user should have to enter their original […]

Salt and hash your passwords

Encryption attempts to secure information by passing it through algorithms that are difficult to crack without the appropriate keys. By definition, anything encrypted is designed to be reversible. Hashing takes a string (A) and passes it through an algorithm to make another string (B) in such a manner that reverse engineering string (B) to […]

Security Stamping

Consider the following scenario: a user logs on to a website with device A and does not log off. Perhaps they lose the device, e.g. a smartphone. The user then panics, logs on to device B (a laptop), goes to the website and changes their password. The user would hope that device A no longer works […]

XSS – Validating User Input

Server/Passive XSS is when a malicious script or HTML is injected by a hacker, usually through your website, and is then persisted or stored somewhere – usually in your database. When another user then views a page that references the content, the website passes the malicious script or HTML to the innocent user’s browser and […]

XSS Prevention – Request Validation

Out of the box, ASP.NET request validation will check for potentially dangerous input in cookies, the URL query string or posted form values. If any JavaScript or HTML is detected, the validation will respond with “potentially dangerous input was detected”. This is the first line of defence. Of course, in some cases you may wish to […]

Using Components with Known Vulnerabilities

OWASP lists “Using Components with Known Vulnerabilities” as a major issue. Developers tend to pull in libraries from NuGet and other sources rather than writing their own components. In general these components are probably of a better quality than an individual would write. However, as they are in the public domain, once a weakness is […]

Unvalidated Redirects and Forwards

An unvalidated redirect or forward is when your website, for whatever reason, redirects a user to a different web page. There is a risk that a hacker somehow takes control of where the redirection takes the user. If the redirect is unvalidated (i.e. you don’t check where it is going) then there is a danger […]

CSRF – AntiForgeryToken and AJAX

Below shows how to apply a Cross Site Request Forgery (CSRF) anti-forgery token to an MVC page that posts data using Ajax. This is converted from the following Stack Overflow question here. First wire up the Ajax call and check it works. Then add the [ValidateAntiForgeryToken] and [HttpPost] attributes to your action in the controller. At this […]