Back in September last year we saw the emergence of the padding oracle vulnerability [https://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html] which suddenly got a whole lot of ASP.NET developers very nervous. The real concern with this vulnerability was that there really wasn’t much you could do at the code level beyond a couple of little tweaks – what was really needed was for patches to get installed on servers and fast. The problem back then was that, well, you couldn’...

Just when you start thinking we’ve seen out the last of the major security breaches for 2011, Christmas day brings us one final whopper for the year: Stratfor [http://en.wikipedia.org/wiki/Stratfor]. Much has already been said about why they might have been hacked and who might [http://www.security-ray.com/2011/12/white-hat-security-firm-stratfor-hacked.html] (or might not [http://pastebin.com/8yrwyNkt]) have done it, but the fact remains that there are now tens of thousands of customer passwo...

This entire series is now available as a Pluralsight course! [http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] Writing this series [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html] was an epic adventure in all senses of the word: Duration – 19 months to complete a blog series, for crying out loud! Content – approaching 50,000 words, not including all the discussion in comments. Effort – some of the posts, su...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] In the final part of this series we’ll look at the risk of an unvalidated redirect or forward. As this is the last risk in the Top 10, it’s also the lowest risk. Whilst by no means innocuous, the OWASP Risk Rating Methodology [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology] has determ...

I’ve had a lot of conversations with folks recently about web app performance. Often these conversations have been around the assertion that a content distribution network (here forth referred to as a CDN), is something you need to deploy early on in the optimisation process of a website. Personally, I see a CDN as a last resort; it’s what you turn to when all other performance tuning alternatives have been exhausted and you need to eke out that last little bit of latency by moving the content c...

Websites get hacked. Lots. This year alone we’re looking at some absolute whoppers; Sony, EVE Online, Sony, pron.com, Sony, MySQL.com, did I mention Sony? Many times, the gateway to successful website exploits is simple misconfiguration. Custom errors were left off and thus leaked internal code. Or request validation was turned off which opened up an XSS flaw. These risks are often then leveraged to do other nasty stuff. The thing is, many of these are also easily remotely detectable – certain...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is e...

If we can get over Microsoft’s cheesy catchphrase [http://www.microsoft.com/en-us/showcase/details.aspx?uuid=8f01d2e5-0c99-4780-9d1d-e40000179b0e] for a moment, the whole idea of “to the cloud” is actually pretty cool. It’s the promise of taking things that used to be both labour and capital intensive, commoditising them and serving them up on demand. This can very easily sound like PowerPoint presentation rhetoric so let’s move past the warm and fuzzies and actually see it in action. A couple...

Let me start this post by acknowledging that firstly, I screwed up and that secondly, Virgin Blue were very helpful after the aforementioned screw up. But they’ve still got a major usability issue and it’s one we website folks often face: defaults. Would you like fries with that? The problem with booking airline flights is that they’re always trying to upsize you. Would you like to pay for baggage (remember when that used to be free)?  Would you like to choose your seat (and pay for the privile...

Let me preface everything I’m about to write by saying this: I am not a designer. I enjoy design, but I tend to hack away at it a bit. Actually I’ve gone a bit to and from in my career moving from pure code roles to front end roles to web roles where you kind of need a bit of everything, and that’s probably where I’m most comfortable now. So treat everything that followers as the designer-by-default comments of a developer :) Fixed or variable No, not interest rates, web page layouts. Somewhere...