Software and web application security

September 30, 2006

ViewStateUserKey to prevent XSRF (CSRF or cross-site request forgery) in ASP.NET

Filed under: security, web apps — chrisweber @ 1:59 pm

ViewStateUserKey has been around for many years and is an easy solution to prevent the infamous XSRF or cross-site request forgery class of attack.

It’s documented:

http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx

ViewStateUserKey mitigates XSRF by tying the page's ViewState to an identifier unique to the user, so a request forged from another site does not carry the value the server expects.

This protection mechanism has been available for many years, since Microsoft first identified the "one-click attack", which is now more commonly referred to as XSRF.
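The usual way to apply it, as an added example rather than code from the post: a hypothetical base page class (XsrfProtectedPage is an assumed name) that sets ViewStateUserKey to the session ID during Init, which assumes session state is enabled for the application.

```csharp
using System;
using System.Web.UI;

// Hypothetical base page for an ASP.NET Web Forms application (added example).
// Pages that inherit from it get a per-session ViewStateUserKey automatically.
public class XsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // ASP.NET hands out a fresh session ID on every request until something is
        // stored in Session, so store a marker first to keep SessionID stable.
        if (Session["xsrf-anchor"] == null)
        {
            Session["xsrf-anchor"] = DateTime.UtcNow;
        }

        // Must be set before ViewState is loaded, i.e. during Init (later is an error).
        // The value is mixed into the ViewState MAC, so a form posted with ViewState
        // generated under a different session fails MAC validation and the request
        // is rejected with an HttpException instead of reaching the page's handlers.
        ViewStateUserKey = Session.SessionID;
    }
}
```

Because the check rides on the ViewState MAC, it only protects pages that round-trip ViewState through a server-side form; handlers that act on a plain GET or on a request without ViewState are not covered by it.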


September 1, 2006

Hunting Security Bugs

Filed under: general — chrisweber @ 11:18 am

I had the pleasure of working with the Microsoft Office security test team on the new book Hunting Security Bugs, released by MS Press. My job was mostly technical editing and providing feedback where I could. The book imparts the authors' knowledge of testing software to find security-related bugs like buffer overruns, race conditions, format strings, cross-site scripting, SQL injection, XSRF, XML issues, repurposing attacks and a bunch more.

This book should be a part of any security researcher's collection.

http://www.microsoft.com/MSPress/books/8485.aspx
