
Brinkster Pulls a Fast One

I received this last week.

Dear Valued Customer,

Thank you for using Brinkster as your hosting provider.

Following Microsoft’s recommended best practices, a recent security setting was applied to the server your website is hosted on. This security update may require you to update your code to properly run under Microsoft .Net 2.0.  If required, your DLLs will need to be modified to use the AllowPartiallyTrustedCallersAttribute class and then republished.

Please view the following link for more details on this attribute.

http://msdn2.microsoft.com/en-us/library/system.security.allowpartiallytrustedcallersattribute(VS.80).aspx


Regards,

Brinkster Support

Email: Support@Brinkster.com
Live Chat: http://www.brinkster.com/livechat
Phone: USA: 1-800-345-7084, Outside USA: 1-757-222-3424

This email was sent to emailaddress@willasrari.com, user name xxxxxx, a current Brinkster (www.brinkster.com) customer.

That's great and all, but the funny thing is this e-mail was sent about 15 minutes AFTER the change took place. Let's just say it's been a fun week of reconfiguring my applications and getting them to work again. If you are a current Brinkster customer and are still offline, feel free to e-mail me or leave a comment and I will try to help get you back online.

That explains my lack of posting over the past week.

Tags: Other, Security

Prevent Cross-Site Scripting in ASP.NET

The following Microsoft article is a great resource for those of you wanting to protect your pages from cross-site scripting (XSS) attacks.

I thought that functions for cleaning data were sufficient. Obviously I was wrong.

One fix I had overlooked is HttpUtility.HtmlEncode, which encodes a user-supplied string into an HTML-safe string before the web server sends it to the client (browser).

// tbInput.Text is already a string, so no ToString() call is needed
string Input = HttpUtility.HtmlEncode(tbInput.Text);

With HtmlEncode above, if a user submits a JavaScript alert as a comment to a blog entry (like this one), the < and > are written out as &lt; and &gt; instead, so the browser shows the text rather than running it.

Check out the comments for a working example.
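As an added example (not the post's code and not taken from its comments), here is the raw rendering beside the encoded one; it assumes a reference to System.Web and goes one step past the post by also covering the attribute context, where HtmlAttributeEncode rather than HtmlEncode is the right call.

```csharp
using System;
using System.Web;

public static class CommentRenderer
{
    // Vulnerable form: user text is concatenated straight into the markup,
    // so any tags or quotes it contains become part of the page.
    public static string RenderRaw(string author, string comment)
    {
        return "<div class=\"comment\" title=\"" + author + "\">" + comment + "</div>";
    }

    // Hardened form: the encoder matches the context the value lands in.
    // Element content -> HtmlEncode; attribute value -> HtmlAttributeEncode.
    public static string RenderEncoded(string author, string comment)
    {
        return "<div class=\"comment\" title=\"" + HttpUtility.HtmlAttributeEncode(author) + "\">"
             + HttpUtility.HtmlEncode(comment) + "</div>";
    }

    public static void Main()
    {
        // Constructed sample input of the kind the post describes: a script tag posted as a
        // comment, and an author name that tries to break out of the title attribute.
        string comment = "<script>alert(1)</script>";
        string author = "\" onmouseover=\"alert(1)";

        Console.WriteLine(RenderRaw(author, comment));       // tags and quotes reach the page intact
        Console.WriteLine(RenderEncoded(author, comment));   // <, >, and " arrive as entities
    }
}
```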

Tags: Security

Input and Data Validation Labs at Channel 9

Found 6 input validation training modules over on Channel 9.  The modules consist of videos and sample code labs.

  1. Canonicalization Lab
  2. Cookies Lab
  3. Cross-Site Scripting Lab
  4. Regular Expressions Lab
  5. SQL-injection Lab
  6. Validation Controls Lab

You can visit the original site to view all of them.

Tags: .NET, Security

Mac OS X Hit by Third Vulnerability

I think it's funny how Mac users are always talking about how flawed Internet Explorer is. Hopefully these security flaws they are finding in the new Safari browser will create a short-term cease-fire.

That's now 3 flaws in the last week.  I wonder how many by the end of the week.

According to Dave Cole, director of Symantec Security Response, Symantec has given the new Safari flaw a fairly severe rating of 8.3 out of 10 and an urgency rating of 7.3 out of 10. "We would rate this as a severe vulnerability, to put it succinctly," he said.

Full story here.

Tags: Interesting, Security

Encrypt and Decrypt Passwords using Cryptostream

I posted these functions to my old blog but they are now inaccessible due to the blog crapping out.  Slowly but surely I will resurrect all of my relevant and interesting code snippets and tutorials.

I used these functions when building my blog engine and other content management software (i.e. administrative back-end client websites) to avoid storing plain-text passwords and access codes in a database or configuration file. They are also ideal for values passed in the query string, because the visitor cannot read information such as a client id or employee number out of the URL.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

Encryption

// Encrypts Password with DES in CBC mode and returns the ciphertext as a Base64 string.
// DES has a 56-bit key; the 1024 below is only the MemoryStream's initial capacity, not a key size.
// The key and IV are constants here, so the same input always produces the same output.
protected string EncryptIt(string Password)
{
   byte[] data = Encoding.ASCII.GetBytes(Password);
   byte[] rgbKey = Encoding.ASCII.GetBytes("56565656");   // 8 bytes = DES key size
   byte[] rgbIV = Encoding.ASCII.GetBytes("78787878");    // 8 bytes = DES block size

   MemoryStream memoryStream = new MemoryStream(1024);
   DESCryptoServiceProvider desCryptoServiceProvider = new DESCryptoServiceProvider();

   CryptoStream cryptoStream = new CryptoStream(memoryStream,
      desCryptoServiceProvider.CreateEncryptor(rgbKey, rgbIV),
      CryptoStreamMode.Write);

   cryptoStream.Write(data, 0, data.Length);
   cryptoStream.FlushFinalBlock();   // writes the final padded block

   byte[] result = new byte[(int)memoryStream.Position];
   memoryStream.Position = 0;
   memoryStream.Read(result, 0, result.Length);

   cryptoStream.Close();

   string toDecrypt = Convert.ToBase64String(result);

   DecryptIt(toDecrypt);   // round-trip check
   return toDecrypt;
}

Decryption

// Reverses EncryptIt using the same fixed key and IV and returns the plain text.
protected string DecryptIt(string toDecrypt)
{
   byte[] data = Convert.FromBase64String(toDecrypt);
   byte[] rgbKey = Encoding.ASCII.GetBytes("56565656");
   byte[] rgbIV = Encoding.ASCII.GetBytes("78787878");

   MemoryStream memoryStream = new MemoryStream(data.Length);
   DESCryptoServiceProvider desCryptoServiceProvider = new DESCryptoServiceProvider();

   CryptoStream cryptoStream = new CryptoStream(memoryStream,
      desCryptoServiceProvider.CreateDecryptor(rgbKey, rgbIV),
      CryptoStreamMode.Read);

   memoryStream.Write(data, 0, data.Length);   // load the ciphertext behind the CryptoStream
   memoryStream.Position = 0;

   // A wrong key or corrupted input shows up here as a CryptographicException (bad padding)
   string decrypted = new StreamReader(cryptoStream).ReadToEnd();

   cryptoStream.Close();
   return decrypted;
}
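As an added example that is not the post's own code, the same CryptoStream pattern with AES and a fresh random IV for every message (the IV is prepended to the ciphertext), which removes the fixed key and IV that EncryptIt/DecryptIt above rely on. It assumes .NET 4 or later and that the caller supplies the key from protected configuration rather than a literal.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

public static class AesCryptoStreamExample
{
    // Encrypts plainText with AES-CBC under key and returns Base64(IV || ciphertext).
    public static string Encrypt(string plainText, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;        // 16, 24 or 32 bytes; in practice loaded from protected configuration
            aes.GenerateIV();     // fresh random IV per call, so equal inputs give different outputs
            MemoryStream memoryStream = new MemoryStream();
            memoryStream.Write(aes.IV, 0, aes.IV.Length);   // the IV is not secret; ship it with the data
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream,
                       aes.CreateEncryptor(), CryptoStreamMode.Write))
            {
                byte[] data = System.Text.Encoding.UTF8.GetBytes(plainText);
                cryptoStream.Write(data, 0, data.Length);
                cryptoStream.FlushFinalBlock();
            }
            return Convert.ToBase64String(memoryStream.ToArray());   // ToArray still works after Close
        }
    }
    // Reverses Encrypt. A wrong key or altered data throws CryptographicException; CBC alone is
    // unauthenticated, so add an HMAC over IV || ciphertext for values that travel in a query string.
    public static string Decrypt(string base64, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(base64);
        using (Aes aes = Aes.Create())
        {
            byte[] iv = new byte[aes.BlockSize / 8];   // 16 bytes for AES
            if (blob.Length < iv.Length) throw new CryptographicException("Input too short to hold an IV.");
            Array.Copy(blob, 0, iv, 0, iv.Length);
            aes.Key = key; aes.IV = iv;
            using (MemoryStream memoryStream = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (StreamReader reader = new StreamReader(cryptoStream, System.Text.Encoding.UTF8))
                return reader.ReadToEnd();
        }
    }
    public static void Main()
    {
        byte[] key = new byte[32];   // constructed demo key, generated at random for this run only
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string first = Encrypt("clientid=1234", key);
        Console.WriteLine(first != Encrypt("clientid=1234", key));   // two ciphertexts of one input differ
        Console.WriteLine(Decrypt(first, key));
    }
}
```

For stored passwords (as opposed to access codes that must be recovered later) a one-way hash such as PBKDF2 via Rfc2898DeriveBytes is the better fit, since nothing ever needs to decrypt them.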

Tags: .NET, C#, Code, Security