I’ve been a little bit busy the last few months and here’s why – my first Pluralsight course, the OWASP Top 10 Web Application Security Risks for ASP.NET [http://www.pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] . Actually, if I’m honest, it’s been a lot longer than that in the making as my writing about the OWASP Top 10 goes all the way back to right on three years ago now. It begin with the blog series [https://www.troyhunt.com/2010/05/owasp...

Just over a year ago to the day, my wife and I walked into the Apple store in Sydney’s CBD and bought her a shiny new MacBook Air. Macs weren’t familiar territory for us so we happily accepted the offer for a staff member to walk us through some of the nuts and bolts of OSX. That was a handy little starter and we left the store none the wiser that the machine now had a serious security risk that wouldn’t become apparent for another year. A couple of weeks ago I wrote about my new favourite devi...

You know how security people get all uppity about SSL this and SSL that? Stuff like posting creds over HTTPS isn’t enough, you have to load login forms over HTTPS as well and then you can’t send auth cookies over HTTP because they’ll get sniffed and sessions hijacked and so on and so forth. This is all pretty much security people rhetoric designed to instil fear but without a whole lot of practical basis, right? That’s an easy assumption to make because it’s hard to observe the risk of insuffic...

HTTPS or SSL or TLS or whatever you want to call it can be a confusing beast. Some say it’s just about protecting your password and banking info whilst the packets are flying around the web but I’ve long said that SSL is not about encryption [https://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html]. As an indication of how tricky the whole situation is, OWASP talks about insufficient transport layer security [https://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html...

Despite the anniversary continually falling on that most foolish of days, it appears I have indeed been renewed and will now go into my third year of MVP’dom. For those of you not familiar with the process, every year as an MVP’s renewal date approaches, the powers that be at Microsoft look at what you’ve done and work out if you’ve aligned closely enough with the MVP ethos [http://mvp.microsoft.com/en-us/becoming-an-mvp.aspx] to deserve a renewal. As part of the process, MVPs keep track of t...

Since a very young age, many of us have been taught that C is for cookie [http://www.youtube.com/watch?v=Ye8mB6VsUHw] and that apparently, “That’s good enough for me”. Except it’s not – the hidden depths of the cookie were never really explored so is it any wonder that after being ingrained with such a trivial view of cookies from such a young age that so many of us are handling them in an insecure fashion? You see, there’s far more to cookies than meets the eye and I want to delve into a coupl...

Here’s a little magic trick in .NET: In ASafaWeb [https://asafaweb.com] I have a facility to schedule scans at a certain time of day. Because I want to be all warm and fuzzy and user friendly, when people sign up to the service I ask for their time zone then whenever they schedule a scan they enter the time of day they’d like it to happen in their local time and I pull some magic tricks to make it happen. The process has been working flawlessly since the middle of last year – until this weekend...

Browsing through my Facebooks the other day, I came across an interesting little sponsored ad: Banking, you say? In your Facebook, you say? What could possibly go wrong?! The overriding concern that immediately sprung to mind was that you’re mixing two domains of a very, very different nature. On the one hand we have our social media, frequently the source of status updates about our breakfast, commentary on the latest lolcats [http://en.wikipedia.org/wiki/Lolcat] and as I’ve written on nume...

I don’t know how Evernote stored my password, you know, the one they think might have been accessed by masked assassins (or the digital equivalent thereof). I mean I know that their measures are robust [http://evernote.com/corp/news/password_reset.php] but then again, so were Tesco’s [https://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html] and according to their definition, “robust” means storing them in plain text behind a website riddled with XSS and SQL injection (among oth...

45 seconds. That’s how long it took to crack 53% of the ABC’s now very public password database. That’s more than half of the almost 50,000 passwords that were publically exposed today [http://www.cyberwarnews.info/2013/02/27/abc-australia-hacked-49561-moderator-and-user-credentials-leaked/] . How the passwords (among other data) were exposed is yet to play out, but what we now know for sure is that the mechanism the ABC used to protect these credentials was woefully inadequate. Here’s how it wa...