AntiXSS is an open source .NET assembly available for download from Microsoft (source here).  This library provides much more flexible XSS protection in .NET applications than the built-in Server.HTMLEncode() approach, as it adds support for XML and LDAP filter encoding in addition to HTML encoding.  By allowing flexible and secure encoding and decoding of strings for these types of data, application developers can breathe a little easier when accepting data across trust boundaries. Libraries such as AntiXSS that perform string processing are incredibly useful for developers, for several reasons.  First, they are maintained separately from your code base, so any updates to the string processing functions for emerging threats can be applied without much hassle.  Second, by using a code[…]

Fuzzing is a fairly recent term for what pen testers (and testers in general) have been doing for years – feeding invalid data to a program/web page/etc. and seeing what happens. When you wrote your first C program that had to take command line arguments, did you ever mash on the keyboard to see what happened? You were fuzzing, even if you didn’t know it at the time. The old Christmas tree packet in networking was a sort of fuzzing. Fuzzing can get kinda boring, though, so there are several tools that will help you with it. They work on various kinds of inputs – some are for networks, some are for web pages, some are for the HTTP[…]

In early October, Microsoft will be making the Microsoft Security Essentials suite free for small businesses (i.e., fewer than 10 computers) in addition to home users. This is a good thing – MSSE is a good suite of security tools, and the price tag is just right for individual and small business users. However, has anyone ever read the language in the EULA for the tool? The installer itself only checks that you have a genuine copy of Microsoft Windows before allowing the installation to proceed; there are no license keys or anything to deal with. The source article indicates that the types of businesses that will now be allowed to use MSSE for free already were using it[…]

MD5 is a hashing algorithm created in 1991 and still used by many applications for certain features. But MD5 is no longer recommended for many cases due to weaknesses discovered in the last few years, opening up some scary possibilities. At the end of this year, NIST standards for cryptography used by the federal government will no longer permit 160-bit SHA1 hashes or 1024-bit RSA signature keys, since concerns over the long-term security of these technologies are rising. With cryptographers constantly working on new algorithms and breaking old algorithms, one may get nervous about whether the foundations of today’s secure transactions are really that secure. But despite the occasional ominous forecast of a cryptographic meltdown, you can remain fairly confident[…]

Risk assessment gets a bad rap these days, thanks in large part to a checkered past colored by qualitative analyses. Historically, risk assessments have been fuzzy at best, and downright inaccurate and misleading at worst. You know the ones I’m talking about: some hot shot consultant comes in, pokes around, maybe runs a couple of scans, and then churns out a report with a bunch of High, Medium, and Low findings. However, as you dig into the results – particularly the so-called “High Risk” findings – you start finding extreme squishiness with no connection to reality, rational thought, or logic. And this is what we’re supposed to use to “better manage” security? Don’t think so… Enter Factor Analysis of Information Risk[…]

Every year during the Black Hat conference, something crazy happens that makes me paranoid about things I use during my everyday life without really thinking too much about it.  Last year, it was the MD5 Collision Attack that allowed the attackers to create a rogue Certification Authority. This year, it’s ATMs.  A researcher by the name of Barnaby Jack developed his own custom rootkit for ATM machines that could be installed by dialing into the devices and exploiting the remote management software.  This rootkit allowed him to make the machines dispense money on command, which, I’m reasonably sure, is not how they are intended to function.  Lest you think this only allows the attacker to steal from the device and[…]