6 posts categoriesd under “security”
Add HTTPS To Any Site For Free
Back in the old days, adding HTTPS/SSL/TLS to secure a web site was a big deal. You had to spend hundreds of dollars for a certificate, then install it on the web server. It had to be specific to the subdomain you were using, or you had to shell out even more bucks for the wildcard cert. And they’d expire sometimes, and your site would go down, and that was never fun. Times have changed. Yes, you…
OWASP Training with Juice Shop Sample Application
If you’re a web developer looking to get better at security (which should be to say, if you’re a web developer), you should check out the OWASP Juice Shop application. It’s a purposely insecure web application that tracks your progress as you attempt to exploit it in various ways. As you do so, you unlock achievements and can track your progress. The various exploits range from the simple to the…
Test Secure Web APIs with Visual Studio Web Tests
A common approach to securing APIs is through the use of bearer tokens, like JWT. If you’re using JWT, you may find this site useful to easily examine JWT token contents. A common scenario when working with APIs secured by bearer tokens is to have to do something like this: Send credentials to token server to get a token (with some limited lifetime)\ Use the token from step 1 in the header of…
Avoid Storing Database Credentials in Source Control
Your application probably needs to communicate with a database of some kind. Naturally, that database isn’t open to the world – it needs to be protected and secured. The typical solution to this is to create a username and password combination (ideally, specific to each application or user that requires access) and configure the application with these credentials. In many cases, they’re simply…
ASP.NET Shared Authentication Problem Solved
Last week I worked with a client to solve an issue they were having with a new ASP.NET 4.x application they had created using Visual Studio 2015. Their site is set up so that all of the authentication occurs through a shared, single-sign on, web site. Individual web projects are then hosted as subdomains which share the authentication cookie. It looks something like this: admin.foo.com (root…
ASP.NET Custom Errors Security Flaw
Updated 5 October 2010: There is now a patch available via Windows Update. Read more about it here, and ensure all ASP.NET web servers have been patched ASAP. Microsoft just released some details on a security flaw that was publicized a few hours ago. On this post, you can learn more about the ASP.NET vulnerability and how to detect whether your web sites might be affected by them. This is a…