Troy Hunt

When news came through recently about the Bondi Westfield shopping centre’s new “Find my car” feature, the security and privacy implications almost jumped off the page: “Wait – so you mean all I do is enter a number plate – any number plate – and I get back all this info about other cars parked in the centre? Whoa.” If that statement sounds a bit liberal, read on and you’ll see just how much information Westfield is intentionally disclosing to the public. Intended use Let’s begin with how the...

Here’s a new entry for the “stupid things on my part which weren’t obvious because of obscure error messages” book. Actually, the error message makes some sense in retrospect but then again, everything is always a lot clearer after the fact. The scenario in this instance relates to the following three tables in ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html]: What these guys are describing is that when a log entry of a scan is created, it may have many entr...

When I wrote about Building a safer web with ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html] earlier in the week, I talked about using the process to share some experiences. This one made me go a bit cross-eyed and it’s a combination of an idiosyncrasy within ASP.NET routing and a more philosophical question about the semantic intent of a route. The situation was that I needed to construct a URL on the ASafaWeb website which contained the address of the site to...

In case it’s not already pretty obvious by now, there are a bunch of websites out there which have some rather glaringly large vulnerabilities in them. Or at least they did have, then they were hacked in spectacular fashion and security suddenly became important to them. But of course we only hear about the big ones whilst hoards of smaller attacks go by unreported and very often, unnoticed. The thing about web app security is that it can be a complex subject. It’s pretty fair to say that it’s...

For a while now, I’ve been putting off a task to configure a sync process for a particular piece of enterprise data. This data is populated into a single table in a production environment on a nightly basis but also needed to be synced down into the test and development environments every now and then. Without going into too much detail about the nature of the data, it consists of about 700,000 records which change either via updates or insertions. Normally I don’t like taking production data do...

I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables [http://xkcd.com/327/] remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world). Last week’s password strength comic [http://xkcd.com/936/] was no exception; very funny st...

I seem to spend a lot of time involved with web apps which end up having a lot of geographical diversity. Either they sit in a server in one country then get used by folks somewhere else or more often than not, they face audiences of a global nature spread out across varying time zones. And even if they do end up co-located, chances are it won’t always stay that way so there’s always a desire to add in a little future-proofing. When SQL 08 came along there seemed to be some new hope for making...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] As we begin to look at the final few entries in the Top 10, we’re getting into the less prevalent web application security risks, but in no way does that diminish the potential impact that can be had. In fact what makes this particular risk so dangerous is that not only can it be used to very, very...

What do you think of when you see this little guy on a webpage: You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit. The problem is that it doesn’t mean anything of the kind. In fact it had absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleadi...

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis [https://www.troyhunt.com/2011/06/brief-sony-password-analysis.html]. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused password...