Mahdi Taghizadeh I'm who I'm!

15Dec/0822

Microsoft Released Anti-XSS 3.0 Beta and CAT.NET CTP

Microsoft recently released a beta edition of the Anti-XSS library V3.0. Here’s a list of some new features added in this release:

  • An expanded white list that supports more languages
  • Performance improvements
  • Performance data sheets (in the online help)
  • Support for Shift_JIS encoding for mobile browsers
  • A sample application
  • Security Runtime Engine (SRE) HTTP module

Also, as you can read on the Microsoft Connected Information Security Group blog, they have released a CTP version of CAT.NET (Microsoft Code Analysis Tool .NET), a managed code static analysis tool for finding security vulnerabilities such as Cross Site Scripting, SQL Injection, Process Command Injection, File Canonicalization, Exception Information, etc.

Downloads:


11Dec/0812

Receive your free 1-year license for McAfee Virus Scan Plus 2009

McAfee, the famous security products vendor, is offering a 100% discount on McAfee Virus Scan Plus 2009 with a free 1-year subscription (a $40 value). To receive your own free license, just go here, enter VSPPROMOCF as the coupon code and click on checkout; now you have a $0 shopping cart!

The offer is valid through December 31, 2008. You can download your copy for Windows 2000, Windows XP and Windows Vista.

+ [via Labnol]

+ It seems that free antivirus offers are going to expand after Microsoft announced a free antivirus offer in the near future!

5Jul/081

Find Your Web site SQL Injection Vulnerabilities Using Scrawlr

One of the basic but important security issues in web development that you should pay attention to is SQL Injection. Recently HP released a free tool called Scrawlr to test such vulnerabilities.

This tool checks your pages using a simple crawler or a Google query and finds any SQL Injection problems. It can only check issues on GET parameters.

You can check up to 1500 URLs in each web site using this free tool.

Download: https://download.spidynamics.com/Products/scrawlr/

1Jul/081

How to use ASP.NET Membership in a Console Application

It’s easy to use the powerful ASP.NET Membership, Role and Profile providers in a Windows or Console application. There is only one key point: you should add an app.config file to your Console or Windows application and include these nodes in it:

<?xml version='1.0' encoding='utf-8'?>
<configuration>
    <connectionStrings>
        <add name="SQLConnString" connectionString="SERVER=(local);DATABASE=SampleApp;UID=sa;PWD=123"/>
    </connectionStrings>
    <system.web>

        <membership defaultProvider="SampleAppMembershipProvider">
            <providers>
                <add name="SampleAppMembershipProvider"
                     connectionStringName="SQLConnString"
                      applicationName="SampleAppMembership"
                      enablePasswordReset="true"
                      enablePasswordRetrieval="false"
                      passwordFormat="Hashed"
                      maxInvalidPasswordAttempts="100"
                      minRequiredPasswordLength="5"
                      minRequiredNonalphanumericCharacters="0"
                      requiresQuestionAndAnswer="false"
                      requiresUniqueEmail="true"
                      passwordAttemptWindow="5"
                      passwordStrengthRegularExpression=""
                      type="System.Web.Security.SqlMembershipProvider" />
            </providers>
        </membership>

        <profile defaultProvider="SampleAppProfileProvider">
            <providers>
                <add name="SampleAppProfileProvider"
                type="System.Web.Profile.SqlProfileProvider"
                connectionStringName="SQLConnString"/>
            </providers>
            <properties>
                <add name="FirstName" type="System.String" />
                <add name="LastName" type="System.String" />
                <add name="Email" type="System.String" />
                <add name="Website" type="System.String" />
                <add name="Address" type="System.String" />
                <add name="Note" type="System.String" />
                <add name="Phone" type="System.String" />
                <add name="Fax" type="System.String" />
                <add name="Feature" type="System.Int32" />
            </properties>
        </profile>

        <roleManager enabled="true" cacheRolesInCookie="true" defaultProvider="SampleAppSqlRoleProvider"
                     cookieName=".ASPXSampleAppROLES" cookiePath="/" cookieTimeout="30" cookieRequireSSL="false"
                     cookieSlidingExpiration="true" createPersistentCookie="false" cookieProtection="All">
            <providers>
                <clear/>
                <add name="SampleAppSqlRoleProvider"
                     type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                     connectionStringName="SQLConnString" applicationName="SampleAppRoles"/>
            </providers>
        </roleManager>
            </providers>
        </roleManager>
    </system.web>
</configuration>
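
The configuration above connects as sa with the password 123 and allows 100 wrong passwords per 5-minute window before an account locks. A tighter variant of the connection string and membership provider follows, as an added example that is not part of the original post. The threshold values are illustrative, and it assumes the Windows account running the application has been granted the membership database roles created by aspnet_regsql (for example aspnet_Membership_FullAccess).

```xml
<?xml version='1.0' encoding='utf-8'?>
<configuration>
    <connectionStrings>
        <!-- Before: SERVER=(local);DATABASE=SampleApp;UID=sa;PWD=123
             sa is sysadmin on the whole SQL Server instance, and the password
             sat in clear text next to the executable. Windows authentication
             keeps the credential out of the file and lets the database limit
             the account to the membership tables. -->
        <add name="SQLConnString"
             connectionString="Server=(local);Database=SampleApp;Integrated Security=SSPI"/>
    </connectionStrings>
    <system.web>
        <membership defaultProvider="SampleAppMembershipProvider">
            <providers>
                <!-- Drop the provider inherited from machine.config so only
                     the one defined here can be selected. -->
                <clear/>
                <!-- Before: maxInvalidPasswordAttempts="100", passwordAttemptWindow="5",
                     minRequiredPasswordLength="5", minRequiredNonalphanumericCharacters="0".
                     That allowed 100 guesses per 5-minute window against 5-character
                     passwords. The values below are illustrative: lock the account
                     after 5 failures inside a 10-minute window and require longer
                     passwords. passwordFormat stays Hashed and retrieval stays off,
                     as in the original. -->
                <add name="SampleAppMembershipProvider"
                     type="System.Web.Security.SqlMembershipProvider"
                     connectionStringName="SQLConnString"
                     applicationName="SampleAppMembership"
                     passwordFormat="Hashed"
                     enablePasswordRetrieval="false"
                     enablePasswordReset="true"
                     requiresQuestionAndAnswer="false"
                     requiresUniqueEmail="true"
                     maxInvalidPasswordAttempts="5"
                     passwordAttemptWindow="10"
                     minRequiredPasswordLength="12"
                     minRequiredNonalphanumericCharacters="1"
                     passwordStrengthRegularExpression="" />
            </providers>
        </membership>
    </system.web>
</configuration>
```

The profile and roleManager sections stay as in the original. The role cookie attributes only matter when the same configuration is used in a web application, where cookieRequireSSL should be true.
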
15Oct/076

reCAPTCHA: Free CAPTCHA Solution For Your Website

Recently (and especially after the Web 2.0 revolution) many websites started to use more complicated CAPTCHA solutions in order to prevent spam and bot attacks. There are many free solutions and tools for users and developers to implement CAPTCHA technology in their applications. There are also many ASP.NET controls and components for this approach, but many of them are simple to hijack or don't offer features that we see these days on professional websites (features like a reload function, voice, etc.).

A few days ago I found a link to reCAPTCHA on Yahoo!. reCAPTCHA is a free (but professional) tool for basic users and also developers. To use this service you should first sign up, receive an API Key for your website (you can receive as many as you need) and use one of the easy-to-install plugins provided. The good news for ASP.NET developers is that you can download and use a server-side control and enjoy reCAPTCHA with two lines of code! The API Key guarantees your website and prevents attackers from collecting answers from visitors and using them. There are three different themes to choose from.

If you want to use reCAPTCHA on a Web 2.0 website, you can use the AJAX API just by adding this line of code to your HTML or webform file:

I strongly suggest you download and test this tool in your web applications.

Quick Links: reCAPTCHA.net | Live Demo | Why reCAPTCHA | Signup | reCAPTCHA.NET Control | Email Protection With reCAPTCHA
