ASafaWeb

A 25-post collection

It's End of Life for ASafaWeb

A lot has changed in the Microsoft technology world in the last 7 years since I launched ASafaWeb in September 2011 [https://www.troyhunt.com/building-safer-web-with-asafaweb/]. Windows XP is no longer the dominant operating system (Win 7 actually caught up the month I launched ASafaWeb [http://gs.statcounter.com/windows-version-market-share/desktop/worldwide/#monthly-201001-201810]). Internet Explorer is no longer the dominant browser (Chrome was in 3rd place back then [http://gs.statcounter.c...

All your websites using StartCom certificates are about to break

A Twitterer sent me this a few days ago: > .@troyhunt [https://twitter.com/troyhunt] you've got SSL issues in Chrome 58+ on @ASafaWeb [https://twitter.com/ASafaWeb] pic.twitter.com/qtUiMxV9tW [https://t.co/qtUiMxV9tW] — Jonathan (@Eonasdan) April 13, 2017 [https://twitter.com/Eonasdan/status/852523365076267008] Now normally when I get a report about an SSL thing not working (by which we mean TLS, but we say SSL anyway), I jump on over to SSL Labs (see?!) and run a report I can then direct peo...

Understanding (and testing for) view state MAC in ASP.NET web forms

Remember view state? For that matter, do you even remember web forms?! I kid because although MVC is the new hotness in the world of building ASP.NET websites, web forms remains the predominant framework due to both the very long tail of sites already built on it and the prevalence of developers with skills in this area who haven’t made the transition to MVC (indeed some people argue that they can happily cohabit, but that’s another discussion for another day). Anyway, back to view state. When...

Dynamic security misconfiguration scanning with OnCheckin and ASafaWeb

Here’s the thing about security – you can’t just “do it” then move on. What I mean by this is that it’s a continuous process and thinking that you only need to just implement some secure coding standards or scan the website once before go live leaves a great big hole in your process. For example, the other day I wrote about how insecurity is easy [https://www.troyhunt.com/2013/05/security-is-hard-insecurity-is-easy.html] where I talked about how Black and Decker had exposed ELMAH logs. This is...

Hack yourself first – how to go on the offence before online attackers do

The unfortunate reality of the web today is that you’re going to get hacked. Statistically speaking at least, the odds of you having a website without a serious security risk are very low – 14% according to WhiteHat’s State of Web Security [https://blog.whitehatsec.com/the-state-of-web-security/#.UY77SrVTDL9] report from a couple of weeks ago. Have enough websites for long enough (as many organisations do), and the chances of you getting out unscathed aren’t real good. There’s this great TEDx...

C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

Since a very young age, many of us have been taught that C is for cookie [http://www.youtube.com/watch?v=Ye8mB6VsUHw] and that apparently, “That’s good enough for me”. Except it’s not – the hidden depths of the cookie were never really explored so is it any wonder that after being ingrained with such a trivial view of cookies from such a young age that so many of us are handling them in an insecure fashion? You see, there’s far more to cookies than meets the eye and I want to delve into a coupl...

Do you allow XSS in your passwords? You should!

There are two security principles which I hold dearly but are often counterintuitive: 1. Users should be able to create any conceivable password they desire – no limits! 2. All input should be treated as hostile and properly sanitised against a whitelist. This is counterintuitive advice in so far as that second point has always been partially supported natively by ASP.NET request validation. I say “partially” because it’s not the final word in request validation [http://www.asp.ne...

Fixing hash DoS good and proper (and breaking ASafaWeb)

Remember hash DoS [https://www.troyhunt.com/2011/12/has-hash-dos-patch-been-installed-on.html]? This was that very clever yet equally nasty little attack which meant that if you formatted the parameters in a post request juuuuust right you could take down an ASP.NET website with a mere single request. Bugger. This made for a rather unpleasant Christmas and New Year period for a number of people at Microsoft as well as sys admins the world over. Microsoft had rapidly released the MS11-100 [htt...

Welcome to the ASafaWeb scheduler

I started building ASafaWeb [https://asafaweb.com] – the Automated Security Analyser for ASP.NET websites – about a year back to try and automate processes I found I kept manually doing, namely checking the security configuration of ASP.NET web apps. You see, the problem was that I was involved in building lots of great apps but folks would often get little security configurations wrong; a missing custom errors page, stack traces bubbling up or request validation being turned off among numerous...

Browser URL encoding and website request validation black magic

Let me pose a question: What’s the difference between these two URLs: 1. http://[mydomain]/?foo=<script> 2. http://[mydomain]/?foo=<script> Nothing, right? Let’s plug that into two different browsers and see what they think: Ok, now it’s just getting weird and this brings me to the topic of the day: Recently a friendly supporter of ASafaWeb [https://asafaweb.com] contacted me and said “Hey, how come ASafaWeb isn’t correctly identifying that my site is throwing custom errors?” Naturall...