Last week I wrote about Gootkit’s futile attack on ASafaWeb [https://www.troyhunt.com/2011/09/gootkits-futile-attack-on-asafaweb.html] and then a funny thing happened: Suddenly my Google Analytics keyword results become very Gootkit-centric: I see this as meaning either there is a lot of interest in Gootkit at the moment or there is not a lot of information available on what it is. Or both. Interestingly though, the activity appears to have ramped up right about the time of my initial post. T...

With the private beta testing of ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html] having gone quite nicely and a good whack of time then dedicated to both fixing stuff and implementing new features, it’s time to do something about this ugly duckling. I truly believe that the user experience is an absolutely fundamental factor in the success of a site and it really deserves some serious attention so rather than just hack it out, I’m going to approach it quite meth...

On Saturday morning I woke up to 120 emails from ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html], not because it really likes me but because it was in pain! One thing I did very early on with the project was to implement elmah [http://code.google.com/p/elmah/] and make sure I get an email notification when anything happens that shouldn’t. It won’t stay this way (for reasons you’re about to see), but it’s a good way of keeping an eye anything that goes wrong very...

When news came through recently about the Bondi Westfield shopping centre’s new “Find my car” feature, the security and privacy implications almost jumped off the page: “Wait – so you mean all I do is enter a number plate – any number plate – and I get back all this info about other cars parked in the centre? Whoa.” If that statement sounds a bit liberal, read on and you’ll see just how much information Westfield is intentionally disclosing to the public. Intended use Let’s begin with how the...

Here’s a new entry for the “stupid things on my part which weren’t obvious because of obscure error messages” book. Actually, the error message makes some sense in retrospect but then again, everything is always a lot clearer after the fact. The scenario in this instance relates to the following three tables in ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html]: What these guys are describing is that when a log entry of a scan is created, it may have many entr...

When I wrote about Building a safer web with ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html] earlier in the week, I talked about using the process to share some experiences. This one made me go a bit cross-eyed and it’s a combination of an idiosyncrasy within ASP.NET routing and a more philosophical question about the semantic intent of a route. The situation was that I needed to construct a URL on the ASafaWeb website which contained the address of the site to...

In case it’s not already pretty obvious by now, there are a bunch of websites out there which have some rather glaringly large vulnerabilities in them. Or at least they did have, then they were hacked in spectacular fashion and security suddenly became important to them. But of course we only hear about the big ones whilst hoards of smaller attacks go by unreported and very often, unnoticed. The thing about web app security is that it can be a complex subject. It’s pretty fair to say that it’s...

For a while now, I’ve been putting off a task to configure a sync process for a particular piece of enterprise data. This data is populated into a single table in a production environment on a nightly basis but also needed to be synced down into the test and development environments every now and then. Without going into too much detail about the nature of the data, it consists of about 700,000 records which change either via updates or insertions. Normally I don’t like taking production data do...

I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables [http://xkcd.com/327/] remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world). Last week’s password strength comic [http://xkcd.com/936/] was no exception; very funny st...

I seem to spend a lot of time involved with web apps which end up having a lot of geographical diversity. Either they sit in a server in one country then get used by folks somewhere else or more often than not, they face audiences of a global nature spread out across varying time zones. And even if they do end up co-located, chances are it won’t always stay that way so there’s always a desire to add in a little future-proofing. When SQL 08 came along there seemed to be some new hope for making...