.NET

A 61-post collection

Raygun and ignoring specific Web API exception types

In the spirit of “here’s something I couldn’t find an easy answer for so I’m writing it myself”, let me very briefly run you through how to have Raygun ignore specific exception types raised by Web API. Firstly, Web API support came a couple of months ago [https://raygun.io/blog/2014/08/webapi-exception-tracking/] which is rather important given how much stuff is transitioning to APIs these days. I use Web API fairly extensively in Have I been pwned? [https://haveibeenpwned.com/] (HIBP), partl...

10 things I learned about rapidly scaling websites with Azure

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]

This is the traffic pattern that cloud pundits the world over sell the value proposition of elastic scale on: This is Have I been pwned? [https://haveibeenpwned.com] (HIBP) going from a fairly constant ~100 sessions an hour to… 12,000 an hour. Almost immediately. This is what h...

Solving the tyranny of HTTP 403 responses to directory browsing in ASP.NET

You may not know this, but an HTTP 403 response when browsing to an empty directory is a serious security risk. What the?! You mean if I go to my website which has a “scripts” folder where I put all my JavaScript and I have directory browsing disabled (as I rightly should) and the server returns a 403 “Forbidden” (which it rightly should), I’m putting my internet things at risks of being pwned?! Yes, because it discloses the presence of a folder called “scripts” which is a common directory. W...

Training the next generation of developers to be security conscious at SSW’s FireBootCamp

Heard of SSW’s FireBootCamp [http://firebootcamp.com/] before? It’s like those boot camps you see down at the local beaches and parks each morning, you know, the ones where a bunch of (apparently) willing participants are incessantly hammered by some drill-sergeant-like personal trainer for 30 minutes of blood, sweat and tears (I assume). But unlike this mob, the FireBootCamp folks don’t then towel off and chill for the rest of the day, instead they do this day after day, week after week for a w...

Revealing the security secrets within ASP.NET with Pluralsight

Did you know that every time you submit a Web Forms page it sends a hash-based message authentication code with it so that the website can ensure the View State hasn’t been tampered with? Or that every time you use the MVC Razor syntax to emit anything to the page it HTML encodes it? Unless, of course, you’re using the Html.Raw helper – oh and that none of that does you any good in the JavaScript and CSS contexts or the HTML attribute context? Were you aware that ASP.NET limits the size of the...

Working with 154 million records on Azure Table Storage – the story of “Have I been pwned?”

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]

I’m one of these people that must learn by doing. Yes, I’m sure all those demos look very flashy and the code appears awesome, but unless I can do it myself then I have trouble really buying into it. And I really want to buy into Azure because frankly, it’s freakin’ awesome. This...

Don’t trust the .NET web forms email regex validator (or most others)

I’ve been working on a little project recently that involves handling hundreds of millions of email addresses from various sources. More on that in a later post, but for now let’s just assume that I want to have a reasonable degree of confidence that each of these addresses from an untrusted source is valid. Indeed many of them are just rubbish – beyond the obvious “does it have an @ symbol”, a bunch of them don’t have dots in the domains or contain illegal characters in places where they just s...

Essential reading for Visual Studio 2013, MVC 5 and Web API 2

It’s here! Visual Studio 2013 has just hit with an announcement here [http://blogs.msdn.com/b/somasegar/archive/2013/10/17/visual-studio-2013-available-for-download.aspx] and downloads here [http://www.microsoft.com/visualstudio/eng/downloads] plus a launch in four weeks [http://events.visualstudio.com/]. No, I don’t quite understand what a launch next month means when you can grab it now either but the important thing is that the new software has landed. In times gone by I’ve written my own...

Hacking yourself first with Carl and Richard on .NET Rocks!

It’s been a while since I last spoke to Carl and Richard on .NET Rocks [https://www.troyhunt.com/2012/01/net-rocks-talks-security-with-carl.html] where it was all about the OWASP Top 10 and the provisions available in ASP.NET to keep yourself on the happy side of getting hacked. I had a chance to catch up with the guys again a couple of weeks ago to record a new episode all around “Hacking Yourself First” which ties in neatly to much of the writing I’ve been doing lately and my Pluralsight cour...

10 ways to make your .NET projects play nice with others

There are few things more frustrating than trying to make other peoples’ code work; broken references, missing dependencies, extraneous and useless files – it’s all part of the joy of sharing the project love around. This is often tricky enough for people on the same team but throw in distance, culture and varying levels of expertise and things get ugly pretty quickly. I come across these issues pretty frequently and the pattern is constant enough that I reckon it deserves just a little bit of...