There are two security principles which I hold dearly but are often counterintuitive: 1. Users should be able to create any conceivable password they desire – no limits! 2. All input should be treated as hostile and properly sanitised against a whitelist. This is counterintuitive advice in so far as that second point has always been partially supported natively by ASP.NET request validation. I say “partially” because it’s not the final word in request validation [http://www.asp.ne...

Remember hash DoS [https://www.troyhunt.com/2011/12/has-hash-dos-patch-been-installed-on.html]? This was that very clever yet equally nasty little attack which meant that if you formatted the parameters in a post request juuuuust right you could take down an ASP.NET website with a mere single request. Bugger. This made for a rather unpleasant Christmas and New Year period for a number of people at Microsoft as well as sys admins the world over. Microsoft had rapidly released a the MS11-100 [htt...

As many readers and followers will know, I’ve had a bit of fun with scammers [https://www.troyhunt.com/2012/04/type-www-ok-w-w-w-d-o-t-antagonising.html] in the past. Remember those guys who call you up while you’re sitting down for dinner and tell you your computer has all sorts of nasties in it? Yeah, those guys. The blog posts I’ve made have been part of the story and inevitably the one most people are familiar with, but there are a few other things happening which I think some of you would...

It was three weeks ago now that I wrote about Lessons in website security anti-patterns by Tesco [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html] where I pointed out a whole raft of basic, flawed practices which jeopardised the security and privacy of shoppers. These practices in and of themselves were (are) bad, but what really seemed to fire up a lot of people was Tesco’s response when I first flagged it with them: [https://twitter.com/UKTesco/status/22954214101210726...

It happened again. After 6pm, unlisted number, foreign accent. I’ve heard this before [https://www.troyhunt.com/2012/04/type-www-ok-w-w-w-d-o-t-antagonising.html]. And again before that [https://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html]. And again before that too [https://www.troyhunt.com/2011/10/anatomy-of-virus-call-centre-scam.html]. And again a bunch of other times where I either didn’t record it, came on a bit strong or, uh, tried to teach them some new words they...

I had an interesting question pop up on my “SSL is not about encryption” blog post [https://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html#comment-607771998] this weekend: > I have a question about logging to site like StackOverflow which doesn't use SSL at all. If I am login to SO via Google. Is this secure in this case? This is actually a very good question for a number of reasons so I thought it deserved a little more attention than just the short response I gave on the blog....

I started building ASafaWeb [https://asafaweb.com] – the Automated Security Analyser for ASP.NET websites – about a year back to try and automate processes I found I kept manually doing, namely checking the security configuration of ASP.NET web apps. You see, the problem was that I was involved in building lots of great apps but folks would often get little security configurations wrong; a missing custom errors page, stack traces bubbling up or request validation being turned off among numerous...

Update, 14 Feb 2014: A year and a half on from writing this, Tesco has indeed suffered a serious security incident almost certainly as a result of some of the risks originally detailed here. Read more about it in The Tesco hack – here’s how it (probably) happened [https://www.troyhunt.com/2014/02/the-tesco-hack-heres-how-it-probably.html]. -------------------------------------------------------------------------------- Let me set the scene for this post by sharing a simple tweet from last nig...

Last month I wrote about our password hashing having no clothes [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html] which, to cut to the chase, demonstrated how salted SHA hashes (such as created by the ASP.NET membership provider), offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story on this (read that article before this one if not), but the bottom line was that cryptographic hashing of passwords needs to...

It happened again last week. No, not Yahoo! Voices [https://www.troyhunt.com/2012/07/what-do-sony-and-yahoo-have-in-common.html], not the Phandroid Android forums [http://www.zdnet.com/android-forums-hacked-1-million-user-credentials-stolen-7000000817/] , not NVidia [http://www.zdnet.com/nvidia-confirms-hackers-swiped-up-to-400000-user-accounts-7000000903/] and not Formspring [http://www.zdnet.com/formspring-resets-millions-of-passwords-amid-breach-7000000643/] , this time it was Billabong, ou...