Monthly Archives: July 2006

Joe Kaplan is blogging

Joe Kaplan finally has a blog. He is the author of this great book and you can find a lot of useful LDAP/AD and ADFS related content on his brand new blog. http://www.joekaplan.net/

The Appendixes

OK – that’s the last book related post for now – if you think this information is useful and you want it at the earliest possible date – you can pre-order here or here :) Appendix A: Building a Custom Protected Configuration …

Chapter 3: Input Validation

– What is Input?
– The Need for Input Validation
  – The Data/Control Channel Problem
    – SQL Injection, Cross Site Scripting, Directory Traversal
– Input Validation Techniques
  – Black Listing
  – White Listing
    – Data Type Conversion
    – Regular Expressions
    – XML …

Chapter 5: Authentication and Authorization

The biggest chapter in the whole book…
Fundamentals
– Terminology
– Application Design (Trusted Subsystem vs Impersonation/Delegation)
– ASP.NET Security Pipeline and Infrastructure
  – IPrincipal and IIdentity
  – Role-based Authorization (programmatic vs declarative)
Server Authentication Using Windows Accounts
– IIS Authentication Methods (Basic, …

Manuscript Shipped

Finally! I shipped the complete manuscript to MS Press on Monday…. The final book is supposed to hit the shelves in October. With that much spare time, I am almost bored now….

Eval is not Evil

While working through the ASP.NET security reference implementation (which is good work btw), the following guideline caught my attention: “Additionally, all calls to DataBinder.Eval() have been removed. While Eval is sometimes safe to use on purely static data, it is …

How to get Cookieless FormsAuthentication to work with self-issued FormsAuthenticationTickets and custom UserData

This question was asked by Scott recently. Short answer: you can :) The trick is to do a Response.Redirect with an appended query string in the following format: ~/Page.aspx?{0}={1} where {0} = forms ticket name and {1} = encrypted forms ticket string …

Update for AzMan Bulk Importer

via Joe Langley:
UPDATED 7/24/2006:
– Bug fixed where top level application groups were not copied
– Option added so that you can have a patch mode (patch only one application in a store… helpful if you have more than one application in a store)
UPDATED …

iTunes and Windows 2003 – Update

OK – this is broken. The version of QuickTime that comes with the latest iTunes download conflicts with MS06-15 (kb908531). The only workaround seems to be uninstalling the hotfix (which is a critical, remotely exploitable one – so don’t …

ASP.NET 2.0 Security Reference Implementation

The patterns&practices group has released a version of Pet Shop that uses and applies all the PAG security guidance. You can download the complete source code + design document here. Interesting read (both the .doc and the source).