Secret Questions and Answer Design

There is controversy as to whether secret questions and answers really add much to the security of a site. That said, many major sites do rely on them. In a more connected world with social media, secret answers are often available online with some research. The first decision is whether to use a secret question the […]

Securing Password Change Top 10, well 13

By password change I mean when a logged-on user decides to update their password, i.e. they know the current password. The following need consideration: remember to add the functionality in the first place, as it is good practice; make sure the pages and responses are over HTTPS; the user should have to enter their original […]

Salt and hash your passwords

Encryption attempts to secure information by passing it through algorithms that are difficult to crack without the appropriate keys. By definition, anything encrypted can be reversed; that is by design. Hashing takes a string (A) and passes it through an algorithm to make another string (B) in such a manner that reverse engineering string (B) to […]

Security Stamping

Consider the following scenario: a user logs on to a website with device A and does not log off. Perhaps they lose the device, e.g. a smart phone. The user then panics, logs on to device B (a laptop), goes to the website and changes their password. The user would hope that device A no longer works […]

XSS – Validating User Input

Server/Passive XSS is when a malicious script or HTML is injected by a hacker, usually through your website, and is then persisted or stored somewhere, usually in your database. When another user views a page that references the content, the website passes the malicious script or HTML to the innocent user's browser and […]

XSS Prevention – Request Validation

Out of the box, ASP.NET request validation will check for potentially dangerous input in cookies, the URL query string or posted form values. If any JavaScript or HTML is detected, the validation will respond with "A potentially dangerous input was detected". This is the first line of defence. Of course, in some cases you may wish to […]

SQL Injection: Use Parameters

The biggest cause of SQL injection is developers not using parameterised statements or stored procedures (which are usually parameterised). For example, in C# code it is possible to call SQL commands using the SqlCommand object like below: string selectString = @"select MyColumn from Mytable where MyOtherColumn = " + value; SqlCommand cmd = new SqlCommand(); cmd.CommandText […]

CSRF – Cross Site Request Forgery

Background: What is a CSRF (Cross Site Request Forgery)? The concept is best explained with an example. Say there is a website (MyBank) with some functionality to transfer money. Say a user logs in to the website and transfers money to their friend B. The user then looks at another site (MyFavoriteTeam). Unfortunately the other site […]