Troy Hunt

In case it’s not already pretty obvious by now, there are a bunch of websites out there which have some rather glaringly large vulnerabilities in them. Or at least they did have, then they were hacked in spectacular fashion and security suddenly became important to them. But of course we only hear about the big ones whilst hoards of smaller attacks go by unreported and very often, unnoticed. The thing about web app security is that it can be a complex subject. It’s pretty fair to say that it’s...

For a while now, I’ve been putting off a task to configure a sync process for a particular piece of enterprise data. This data is populated into a single table in a production environment on a nightly basis but also needed to be synced down into the test and development environments every now and then. Without going into too much detail about the nature of the data, it consists of about 700,000 records which change either via updates or insertions. Normally I don’t like taking production data do...

I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables [http://xkcd.com/327/] remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world). Last week’s password strength comic [http://xkcd.com/936/] was no exception; very funny st...

I seem to spend a lot of time involved with web apps which end up having a lot of geographical diversity. Either they sit in a server in one country then get used by folks somewhere else or more often than not, they face audiences of a global nature spread out across varying time zones. And even if they do end up co-located, chances are it won’t always stay that way so there’s always a desire to add in a little future-proofing. When SQL 08 came along there seemed to be some new hope for making...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] As we begin to look at the final few entries in the Top 10, we’re getting into the less prevalent web application security risks, but in no way does that diminish the potential impact that can be had. In fact what makes this particular risk so dangerous is that not only can it be used to very, very...

What do you think of when you see this little guy on a webpage: You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit. The problem is that it doesn’t mean anything of the kind. In fact it had absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleadi...

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis [https://www.troyhunt.com/2011/06/brief-sony-password-analysis.html]. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused password...

Today I had cause to take a slightly different direction with a database that had stood for many years providing a fairly critical business function. The change of direction involved dropping a few columns out of a core table with references across an unknown number of procedures and views. What could go wrong?! Let me start by saying that whilst I spend a lot of time in SQL Server, I’m no DBA and there may well be easier ways of doing this, but in years gone by I would have kicked off by tra...

So my conference presentation on the tyranny of evil is now done and dusted at DDD Sydney [http://www.dddsydney.com]. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here [http://dl.dropbox.com/u/8529390/Protecting%20your%20web%20applications%20from%20the%20tyranny%20of%20evil.ppsx] and all the code used in the examples...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Cryptography is a fascinating component of computer systems. It’s one of those things which appears frequently (or at least should appear frequently), yet is often poorly understood and as a result, implemented badly. Take a couple of recent high profile examples in the form of Gawker and rootkit.c...