Erik Oppedijk - All Comments

re: URL Security flaw - or not?

Joy — Fri, 05 Feb 2010 06:43:27 GMT

Great! The articles so far have been full of great material. Glad to hear the serious will continue. Keep 'em coming!

re: ASP.NET Vulnerability testing with CAT.NET

cat sneezing — Wed, 04 Nov 2009 03:13:12 GMT

i have been also used cat anlysis for some reasons and project it helps me a lot to lessen my load of works.

re: ASP.NET Vulnerability testing with CAT.NET

Rolf Huisman — Thu, 27 Aug 2009 07:18:39 GMT

I've used CAT.Net to analyse some projects in the past and its a great tool for spotting low hanging fruit. It should however be noted that the amount of false positives is quite high in large SAAS applications.

Lucky for us, ASP.NET will stop most of these attacks for

us, by filtering on HTML tags, and unicode attacks, but it is

always a good practice to encode all output

In the default setting ASP 2.0 and higher will filter this. However the filtering isn't perfect (BID 20753) and there have been some patches to address this (always use a fully updated ASP.net instance). However, I still found people turning this security off (by using ValidateRequest="false") because they want another webpart (content editor) to work.

BizTalk 2006 R3 announced

NewsPeeps — Sat, 08 Aug 2009 17:00:26 GMT

Thank you for submitting this cool story - Trackback from NewsPeeps

BizTalk 2006 R2 Deep Dive - 19th may

NewsPeeps — Sat, 08 Aug 2009 17:00:25 GMT

Thank you for submitting this cool story - Trackback from NewsPeeps

RoboChallenge 2008 Kickoff

NewsPeeps — Sat, 08 Aug 2009 17:00:23 GMT

Thank you for submitting this cool story - Trackback from NewsPeeps

Preparing for Robochallenge 2007

NewsPeeps — Sat, 08 Aug 2009 17:00:17 GMT

Thank you for submitting this cool story - Trackback from NewsPeeps

Robotics Studio 1.5 CTP

NewsPeeps — Sat, 08 Aug 2009 17:00:14 GMT

Thank you for submitting this cool story - Trackback from NewsPeeps

New BizTalk User Group (BTUG) meeting

NewsPeeps — Sat, 08 Aug 2009 17:00:12 GMT

Thank you for submitting this cool story - Trackback from NewsPeeps

RTM time, Virtual PC 2007 and SQL 2005 SP2

NewsPeeps — Sat, 08 Aug 2009 17:00:11 GMT

Thank you for submitting this cool story - Trackback from NewsPeeps

re: Cross-Site Request Forgeries (CSRF) explained

Erik Oppedijk — Tue, 28 Jul 2009 12:54:22 GMT

Even with session cookies you are vulnerable during browsing, and the attacker has an extra time window of about 20 minutes if you forget to sign out.

re: Cross-Site Request Forgeries (CSRF) explained

timm — Mon, 27 Jul 2009 18:59:53 GMT

that's one the reasons most secure website's only use browser session based cookies for authentication... baking a persistent cookie can burn your fingers :)

Cross-Site Request Forgeries (CSRF) explained - Erik Oppedijk - blog community

NewsPeeps — Thu, 23 Jul 2009 14:52:44 GMT

Thank you for submitting this cool story - Trackback from NewsPeeps

re: URL Security flaw - or not?

frankg — Wed, 15 Apr 2009 08:45:11 GMT

En het is zeker geen theoretisch probleem. Heb je dit gelezen? www.nu.nl/.../site-geschillencommissie-was-jarenlang-lek.html

re: URL Security flaw - or not?

willemm — Fri, 03 Apr 2009 18:18:07 GMT

It gets even worse: By moving the information to a hidden field, a cookie or what not you create new problems that require an even more complex solution. And that while the real solution to the problem is pretty simple to implement using some roles and a few settings ;)