Monthly Archives: July 2006

Joe Kaplan is blogging

Joe Kaplan finally has a blog. He is the author of this great book and you can find a lot of useful LDAP/AD and ADFS related content on his brand new blog. http://www.joekaplan.net/  

Posted in Uncategorized | Leave a comment

The Appendixes

OK – that’s the last book related post for now – if you think this information is useful and you want it at the earliest possible date – you can pre-order here or here :) Appendix A: Building a Custom Protected Configuration … Continue reading

Posted in Uncategorized | Leave a comment

Chapter 3: Input Validation

- What is Input?- The Need for Input Validation  – The Data/Control Channel Problem    – SQL Injection, Cross Site Scripting, Directory Traversal- Input Validation Techniques  – Black Listing  – White Listing    – Data Type Conversion    – Regular Expressions    – XML … Continue reading

Posted in Uncategorized | Leave a comment

Chapter 5: Authentication and Authorization

the biggest chapter in the whole book… Fundamentals – Terminology- Application Design (Trusted Subsystem vs Impersonation/Delegation)- ASP.NET Security Pipeline and Infrastructure  – IPrincipal and IIdentity  – Role-based Authorization (programmatically vs declarative)- Server Authentication Using Windows Accounts – IIS Authentication Methods (Basic, … Continue reading

Posted in Uncategorized | 1 Comment

Manuscript Shipped

Finally! I shipped the complete manuscript to MS Press on Monday….The final book is supposed to hit the shelves in October. With that much spare time, I am almost bored now….  

Posted in Uncategorized | Leave a comment

Eval is not Evil

While working through the ASP.NET security reference implementation (which is good work btw), the following guideline caught my attention: “Additionally, all calls to DataBinder.Eval() have been removed. While Eval is sometimes safe to use on purely static data, it is … Continue reading

Posted in Uncategorized | Leave a comment

How to get Cookieless FormsAuthentication to work with self-issued FormsAuthenticationTickets and custom UserData

This question was asked by Scott recently. Short answer: you can :) The trick is to do a Response.Redirect with an appended query string in the following format: ~/Page.aspx?{0}={1} where {0} = forms ticket name{1} = encrypted forms ticket string … Continue reading

Posted in Uncategorized | Leave a comment

Update for AzMan Bulk Importer

via Joe Langley: UPDATED 7/24/2006:Bug fixed where top level application groups were not copiedOption added so that you can have a patch mode (patch only one application in a store…helpful if you have more than one application in a store) UPDATED … Continue reading

Posted in Uncategorized | Leave a comment

iTunes and Windows 2003 – Update

OK – this is broken. The version of QuickTime that comes with the latest iTunes download is conflicting with MS06-15 (kb908531). The only work around seems to be uninstalling the hotfix (which is a critical, remote exploitable one – so don’t … Continue reading

Posted in Uncategorized | Leave a comment

ASP.NET 2.0 Security Reference Implementation

The patterns&practices group has released a version of Pet Shop that uses and applies all the PAG security guidance. You can download the complete source code + design document here. Interesting read (both the .doc and the source).

Posted in Uncategorized | Leave a comment