ASafaWeb

A 25-post collection

67% of ASP.NET websites have serious configuration related security vulnerabilities

Actually, it’s even worse than that – it’s really 67.37% – but let’s not split hairs over that right now. The point is that it’s an alarmingly high number for what amounts to very simple configuration vulnerabilities. The numbers come courtesy of ASafaWeb [http://asafaweb.com], the Automated Security Analyser for ASP.NET Websites which is a free online scanner at asafaweb.com [http://asafaweb.com]. When I built ASafaWeb, I designed it from the ground up to anonymously log scan results. The anon...

ASafaWeb gets a bit more culturally sensitive

Do you ever get that sense that [insert culture here] seems to totally dominate everything to the total oblivion of everyone else out there? This sort of thing usually gets people a bit cranky but it turns out I’ve kind of been doing it a little bit myself with ASafaWeb [https://asafaweb.com]. You see, ASafaWeb works by looking at how a website responds to certain requests and from those responses it draws some conclusions about how the thing is configured. For example, if ASafaWeb sees a...

I’m StillAlive (and so is my AppHarbor site) – site monitoring made awesome

As many of you know by now, I’m particularly fond of AppHarbor [https://www.troyhunt.com/search/label/AppHarbor]. They continue to provide a totally awesome integrated CI and hosting environment, continue to offer a means of taking the service up for free (as well as recently adding some commercial offerings), and most importantly to this post, they still have a great selection of very cool add-ons. One of those add-ons is StillAlive [https://stillalive.com] which is awesome for two reasons: Fi...

Shhh… don’t let your response headers talk too loudly

When it comes to our personal security, we’ve all grown a bit accustomed to keeping things on the down-low [http://en.wikipedia.org/wiki/Down-low]. For example, we cover the keypad on the ATM when entering our PIN and we shred our sensitive documents rather than throwing them straight in the trash. We do this not because any one single piece of information is going to bring us undone, but rather we try not to broadcast anything which may be used to take advantage of us. That PIN could be used...

ASP.NET session hijacking with Google and ELMAH

I love ELMAH [http://code.google.com/p/elmah/] – this is one those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes. Yet, as the old adage goes, with great power comes great responsibility and if you’re not responsible with how you implement ELMAH, you’re also only a couple of mi...

Has the hash DoS patch been installed on your site? Check it right now with ASafaWeb!

Back in September last year we saw the emergence of the padding oracle vulnerability [https://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html] which suddenly got a whole lot of ASP.NET developers very nervous. The real concern with this vulnerability was that there really wasn’t much you could do at the code level beyond a couple of little tweaks – what was really needed was for patches to get installed on servers and fast. The problem back then was that, well, you couldn’...

Beyond YSlow - Squeeeezing out website network performance

I’ve had a lot of conversations with folks recently about web app performance. Often these conversations have been around the assertion that a content distribution network (henceforth referred to as a CDN) is something you need to deploy early on in the optimisation process of a website. Personally, I see a CDN as a last resort; it’s what you turn to when all other performance tuning alternatives have been exhausted and you need to eke out that last little bit of latency by moving the content c...

Welcome to ASafaWeb

Websites get hacked. Lots. This year alone we’re looking at some absolute whoppers; Sony, EVE Online, Sony, pron.com, Sony, MySQL.com, did I mention Sony? Many times, the gateway to successful website exploits is simple misconfiguration. Custom errors were left off and thus leaked internal code. Or request validation was turned off which opened up an XSS flaw. These risks are often then leveraged to do other nasty stuff. The thing is, many of these are also easily remotely detectable – certain...

To the cloud! Performance testing ASafaWeb with AppHarbor & Blitz

If we can get over Microsoft’s cheesy catchphrase [http://www.microsoft.com/en-us/showcase/details.aspx?uuid=8f01d2e5-0c99-4780-9d1d-e40000179b0e] for a moment, the whole idea of “to the cloud” is actually pretty cool. It’s the promise of taking things that used to be both labour and capital intensive, commoditising them and serving them up on demand. This can very easily sound like PowerPoint presentation rhetoric so let’s move past the warm and fuzzies and actually see it in action. A couple...

Birth of a UX – ASafaWeb gets an identity part 3

Let me preface everything I’m about to write by saying this: I am not a designer. I enjoy design, but I tend to hack away at it a bit. Actually I’ve gone a bit to and fro in my career moving from pure code roles to front end roles to web roles where you kind of need a bit of everything, and that’s probably where I’m most comfortable now. So treat everything that follows as the designer-by-default comments of a developer :) Fixed or variable? No, not interest rates, web page layouts. Somewhere...