.NET

A 61-post collection

Raygun.io and ignoring specific Web API exception types

In the spirit of “here’s something I couldn’t find an easy answer for so I’m writing it myself”, let me very briefly run you through how to have Raygun.io ignore specific exception types raised by Web API. Firstly, Web API support came a couple of months ago which is rather important given how much stuff is transitioning to APIs these days. I use Web API fairly extensively in Have I been pwned? (HIBP), partly to enable nice light async requests once pages have already loaded and partly as a dedicated API that others can consume at will. Setting up Raygun.io was dead simple and it looks like this in the...

10 things I learned about rapidly scaling websites with Azure

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" This is the traffic pattern that cloud pundits the world over sell the value proposition of elastic scale on: This is Have I been pwned? (HIBP) going from a fairly constant ~100 sessions an hour to… 12,000 an hour. Almost immediately. This is what happened last week when traffic literally increased 60-fold overnight. September 10 – 2,105 sessions. September 11 – 124,036 sessions. Interesting stuff happens when scale changes that dramatically, that quickly so I thought I’d share a few things I learned here, both things I was already doing...

Solving the tyranny of HTTP 403 responses to directory browsing in ASP.NET

You may not know this, but an HTTP 403 response when browsing to an empty directory is a serious security risk. What the?! You mean if I go to my website which has a “scripts” folder where I put all my JavaScript and I have directory browsing disabled (as I rightly should) and the server returns a 403 “Forbidden” (which it rightly should), I’m putting my internet things at risk of being pwned?! Yes, because it discloses the presence of a folder called “scripts” which is a common directory. Well of course there’s a bloody folder called “scripts”, all my HTML source which you can see references it!...
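To make concrete what the “disclosure” in that finding actually consists of, here is an added example (not code from the original post): a 403 for an existing-but-unbrowsable directory next to a 404 for a missing one is a yes/no oracle that a wordlist scanner can drive. The site layout, the wordlist and the hardened handler are all constructed for this demo; the hardened handler illustrates the principle (answer a bare directory request exactly like a missing path), not the post’s exact ASP.NET fix.

```javascript
// Added example, not code from the original post: a 403 for an existing
// directory versus a 404 for a missing one gives an attacker a yes/no oracle
// for folder names. The site layout, wordlist and hardened handler are
// constructed for this demo; the hardened handler illustrates the principle
// (answer like a missing path), not the post's exact ASP.NET fix.

// Constructed site: directories that exist but have browsing disabled, and files.
const SITE = {
  directories: new Set(["/scripts", "/content", "/uploads"]),
  files: new Set(["/index.html", "/scripts/site.js", "/content/site.css"]),
};

// Default behaviour: 200 for a file, 403 for an unbrowsable directory, 404 otherwise.
function respondDefault(path) {
  if (SITE.files.has(path)) return 200;
  if (SITE.directories.has(path)) return 403;
  return 404;
}

// Hardened: a request for a bare directory gets exactly the missing-path answer,
// so existing and non-existing folders are indistinguishable by status code.
function respondHardened(path) {
  if (SITE.files.has(path)) return 200;
  return 404;
}

// Attacker side: first learn what "does not exist" looks like from a path that
// cannot be there, then keep every wordlist entry whose status differs from
// that baseline (a 200 is a plain file hit, not a directory, so it is skipped).
const COMMON_DIRS = ["scripts", "content", "images", "admin", "backup", "uploads"];

function enumerateDirectories(respond, wordlist = COMMON_DIRS) {
  const baseline = respond("/zz-definitely-not-here-4f2c"); // constructed, surely-missing path
  return wordlist.filter((name) => {
    const status = respond("/" + name);
    return status !== baseline && status !== 200;
  });
}

console.log("default :", enumerateDirectories(respondDefault));  // [ 'scripts', 'content', 'uploads' ]
console.log("hardened:", enumerateDirectories(respondHardened)); // []
```

Two caveats a tester would raise against the hardened handler: the 404 it returns has to be the same 404 in every other respect too (body, headers, response time), or the scanner simply keys on whatever still differs; and real servers often answer `/scripts` with a 301 to `/scripts/` before the 403 ever happens, which is its own oracle and is not modelled here.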

Training the next generation of developers to be security conscious at SSW’s FireBootCamp

Heard of SSW’s FireBootCamp before? It’s like those boot camps you see down at the local beaches and parks each morning, you know, the ones where a bunch of (apparently) willing participants are incessantly hammered by some drill-sergeant-like personal trainer for 30 minutes of blood, sweat and tears (I assume). But unlike this mob, the FireBootCamp folks don’t then towel off and chill for the rest of the day, instead they do this day after day, week after week for a whole two months of full-assault level real world coder training. The idea of the FireBootCamp is that it’s intense training for would-be software devs on all the good bits of Microsoft...

Revealing the security secrets within ASP.NET with Pluralsight

Did you know that every time you submit a Web Forms page it sends a hash-based message authentication code with it so that the website can ensure the View State hasn’t been tampered with? Or that every time you use the MVC Razor syntax to emit anything to the page it HTML encodes it? Unless, of course, you’re using the Html.Raw helper – oh and that none of that does you any good in the JavaScript and CSS contexts or the HTML attribute context? Were you aware that ASP.NET limits the size of the request you can make in order to mitigate the risk of a denial of service attack? And, for that matter,...
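The point about Razor’s automatic HTML encoding doing nothing for the JavaScript, CSS and attribute contexts is easy to nod along to and hard to picture, so here is an added example (not code from the original post, and not ASP.NET’s own encoders). The four encoders are my approximations of the per-context encoding rules; the browser model, payloads and context checks are constructed for the demo, and `true` in the output means the injected value escapes its context.

```javascript
// Added example, not code from the original post or from ASP.NET: why HTML
// encoding is right in the HTML body but not in the attribute, JavaScript
// and CSS contexts the excerpt names. The encoders are my own approximations
// of the per-context rules, not Razor's implementation; the payloads and the
// tiny "browser" below are constructed for the demo.

const hex = (c) => c.charCodeAt(0).toString(16).toUpperCase();

// HTML body context: roughly what Razor's @ does. Only the five HTML
// metacharacters are touched; spaces, parentheses and semicolons pass through.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: every non-alphanumeric becomes &#xHH; so the value
// can never contain the whitespace or = that would start a new attribute.
function attrEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => "&#x" + hex(c) + ";");
}

// JavaScript string context: \xHH (or \uHHHH) so no quote or newline survives.
function jsEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) =>
    c.charCodeAt(0) > 0xff ? "\\u" + hex(c).padStart(4, "0") : "\\x" + hex(c).padStart(2, "0"));
}

// CSS string/URL context: six-digit \HHHHHH escapes need no trailing space.
function cssEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => "\\" + hex(c).padStart(6, "0"));
}

// Minimal browser model: entities inside an attribute value are decoded BEFORE
// the value reaches the JS engine, which is what undoes htmlEncode inside
// onclick="...". Entities inside <script> and <style> blocks are not decoded.
function htmlDecode(s) {
  const named = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"' };
  return s
    .replace(/&#x([0-9A-Fa-f]+);/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&(?:amp|lt|gt|quot);/g, (m) => named[m]);
}

// Does the encoded value escape its context?
// <div class=VALUE>: the tokenizer ends an unquoted value at whitespace.
const breaksUnquotedAttr = (v) => /[\s"'=<>`]/.test(v);
// <a onclick="f('VALUE')">: decode entities first, then look for an unescaped quote.
const breaksJsString = (v) => /(^|[^\\])'/.test(htmlDecode(v));
// <style>a { background: url(VALUE) }</style>: ) ; } or whitespace ends the value.
const breaksCss = (v) => /[)\s;}"'<]/.test(v);

// Constructed payloads, one per context.
const PAYLOADS = {
  attr: "x onmouseover=alert(1)",
  js: "'); alert(1); //",
  css: "x); } body { display: none; } .x { color: red",
};

// Each payload HTML-encoded (what the developer assumes is safe) versus encoded
// for the context it actually lands in. true = the injection works.
function compare() {
  return {
    unquotedAttr: {
      htmlEncoded: breaksUnquotedAttr(htmlEncode(PAYLOADS.attr)),
      attrEncoded: breaksUnquotedAttr(attrEncode(PAYLOADS.attr)),
    },
    // an event handler is a JS string inside an attribute: JS-encode, then attribute-encode
    jsInEventHandler: {
      htmlEncoded: breaksJsString(htmlEncode(PAYLOADS.js)),
      jsThenAttrEncoded: breaksJsString(attrEncode(jsEncode(PAYLOADS.js))),
    },
    cssInStyleBlock: {
      htmlEncoded: breaksCss(htmlEncode(PAYLOADS.css)),
      cssEncoded: breaksCss(cssEncode(PAYLOADS.css)),
    },
  };
}

console.log(compare());
```

The unquoted-attribute row is the one that surprises people most: `x onmouseover=alert(1)` contains none of the five characters HTML encoding touches, so it passes through Razor’s encoder unchanged and the space does the damage. The event-handler row shows the layering rule: a value that sits in a JS string inside an attribute has to be JS-encoded and then attribute-encoded, in that order, because the browser strips the outer layer before the inner one is parsed.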

Working with 154 million records on Azure Table Storage – the story of “Have I been pwned?”

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" I’m one of these people that must learn by doing. Yes, I’m sure all those demos look very flashy and the code appears awesome, but unless I can do it myself then I have trouble really buying into it. And I really want to buy into Azure because frankly, it’s freakin’ awesome. This is not a “yeah but you’re an MVP so you’ve gotta say that / you’re predispositioned to say that / you’re getting kickbacks from Ballmer”. I don’...

Don’t trust the .NET web forms email regex validator (or most others)

I’ve been working on a little project recently that involves handling hundreds of millions of email addresses from various sources. More on that in a later post, but for now let’s just assume that I want to have a reasonable degree of confidence that each of these addresses from an untrusted source is valid. Indeed many of them are just rubbish – beyond the obvious “does it have an @ symbol”, a bunch of them don’t have dots in the domains or contain illegal characters in places where they just shouldn’t be. Clearly it’s time for a regex because you can fix anything with a regex, right? Guys…...

Essential reading for Visual Studio 2013, MVC 5 and Web API 2

It’s here! Visual Studio 2013 has just hit with an announcement here and downloads here plus a launch in four weeks. No, I don’t quite understand what a launch next month means when you can grab it now either but the important thing is that the new software has landed. In times gone by I’ve written my own overviews of what’s new in the VS IDE plus the frameworks and projects templates that launch with it but there’s so much good reading out there now that I’m going to take a little short cut and just link you through to the good stuff with a few brief intros....

Hacking yourself first with Carl and Richard on .NET Rocks!

It’s been a while since I last spoke to Carl and Richard on .NET Rocks where it was all about the OWASP Top 10 and the provisions available in ASP.NET to keep yourself on the happy side of getting hacked. I had a chance to catch up with the guys again a couple of weeks ago to record a new episode all around “Hacking Yourself First” which ties in neatly to much of the writing I’ve been doing lately and my Pluralsight course of the same name. What I love about all the podcasts Carl and Richard do is it feels like a friendly conversation but still gets into the meat of the...

10 ways to make your .NET projects play nice with others

There are few things more frustrating than trying to make other peoples’ code work; broken references, missing dependencies, extraneous and useless files – it’s all part of the joy of sharing the project love around. This is often tricky enough for people on the same team but throw in distance, culture and varying levels of expertise and things get ugly pretty quickly. I come across these issues pretty frequently and the pattern is constant enough that I reckon it deserves just a little bit of effort to jot down some practices to streamline things. The concepts are pretty broad and generally interchangeable across technologies but I’m picking .NET examples because I can share some tangible...