Archive for the ‘Tools’ Category

If you take security seriously…

Tuesday, December 23rd, 2008

and you program in .NET, then the following tools are a must:

Microsoft Anti-Cross Site Scripting Library V3.0 Beta -
AntiXSS 3.0 helps you protect your current applications from cross-site scripting attacks and, at the same time, helps you protect legacy applications with its Security Runtime Engine.

The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web applications from XSS attacks. It differs from most encoding libraries in that it uses a white-listing technique (sometimes referred to as the principle of inclusions) to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach has a clear advantage over a black-list encoder: an encoder that only escapes a fixed list of known-bad characters fails on anything that list omits, whereas an allow-list fails safe by encoding everything it does not recognise.

New features in this version of the Microsoft Anti-Cross Site Scripting Library include:
- An expanded white list that supports more languages
- Performance improvements
- Performance data sheets (in the online help)
- Support for Shift_JIS encoding for mobile browsers
- A sample application
- Security Runtime Engine (SRE) HTTP module
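To make the allow-list idea concrete, here is an added example in Python (not the AntiXSS library's own code, which is C#). It implements the principle of inclusions for two output contexts, an HTML text/attribute value and a JavaScript string literal, and sets a deny-list encoder beside it so the difference shows on a constructed attacker input. The allow-list itself is an assumption chosen for the example; AntiXSS ships its own, larger, language-aware list.

```python
import string

# Added illustration of the allow-list ("principle of inclusions") encoding
# approach. Not the AntiXSS library's code; the allow-list below is an
# assumption chosen for this example.

# Characters allowed to pass through unencoded in HTML text and attribute
# values: letters, digits, space and a little punctuation. Everything else,
# including < > " ' & / and every non-ASCII code point, is encoded.
HTML_ALLOWED = frozenset(string.ascii_letters + string.digits + " ,.-_")


def html_encode_allowlist(value: str) -> str:
    """Encode a string for an HTML text node or quoted attribute value."""
    out = []
    for ch in value:
        if ch in HTML_ALLOWED:
            out.append(ch)
        else:
            # Numeric character reference: valid for every Unicode code point.
            out.append(f"&#{ord(ch)};")
    return "".join(out)


def js_string_encode_allowlist(value: str) -> str:
    """Encode a string for use inside a JavaScript string literal."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch in HTML_ALLOWED:
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        elif cp < 0x10000:
            out.append(f"\\u{cp:04x}")
        else:
            # Astral code points need a UTF-16 surrogate pair in JS source.
            v = cp - 0x10000
            out.append(f"\\u{0xD800 + (v >> 10):04x}\\u{0xDC00 + (v & 0x3FF):04x}")
    return "".join(out)


# For contrast, a deny-list encoder that escapes only the characters its
# author thought of. This is the style of encoder the allow-list replaces.
HTML_DENIED = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}


def html_encode_denylist(value: str) -> str:
    return "".join(HTML_DENIED.get(ch, ch) for ch in value)


if __name__ == "__main__":
    # Constructed attacker input aimed at a double-quoted attribute value.
    payload = '" onmouseover="alert(1)'
    print("deny-list :", html_encode_denylist(payload))   # quote survives
    print("allow-list:", html_encode_allowlist(payload))  # quote encoded
    print("js string :", js_string_encode_allowlist("');alert(1)//"))
```

Run it and compare the two HTML lines: the deny-list output still contains the double quote, so in an attribute context the payload closes the attribute and injects an event handler, while the allow-list output turns the quote into `&#34;`. The same allow-list drives both encoders; only the encoding form changes with the output context, which is why AntiXSS exposes separate HtmlEncode, HtmlAttributeEncode and JavaScriptEncode methods.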

Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - 32 bit
CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing all of the methods contained within each. It finally displays the issues it finds in a list that you can use to jump directly to the places in your application's source code where those issues were found.

The following rules are currently supported by this version of the tool:
- Cross Site Scripting
- SQL Injection
- Process Command Injection
- File Canonicalization
- Exception Information
- LDAP Injection
- XPATH Injection
- Redirection to User Controlled Site
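The description above says CAT.NET works by tracing data flow from a source through assignments to a sink. The following is an added toy example in Python of that technique (it is not CAT.NET's engine, rule set or intermediate representation; the statement format and the source/sanitizer/sink table are assumptions made for the illustration). It tracks, for each variable, which sink kinds the value is still unsafe for, so that an HtmlEncode call clears the XSS finding but not the SQL injection one.

```python
from typing import Dict, List, Set, Tuple

# Added illustration of forward taint (data-flow) tracing. Not CAT.NET's
# code; the IR below and the API table are assumptions for the example.

SINK_KINDS = frozenset({"html", "sql"})

# Values returned by these calls are attacker controlled.
SOURCES = {"Request.QueryString", "Request.Form"}
# Each sanitizer makes a value safe for exactly one sink kind.
SANITIZERS = {"AntiXss.HtmlEncode": "html"}
# Each sink requires its arguments to be safe for its kind.
SINKS = {"Response.Write": "html", "SqlCommand.ExecuteReader": "sql"}

# Statements of a tiny straight-line IR:
#   ("const",  dst, literal)            dst = literal
#   ("concat", dst, [v1, v2, ...])      dst = v1 + v2 + ...
#   ("call",   dst, func, [a1, ...])    dst = func(a1, ...)  (dst may be None)
Stmt = tuple
Finding = Tuple[int, str, str, List[str]]


def analyze(program: List[Stmt]) -> List[Finding]:
    """Forward taint propagation; returns (index, sink, kind, tainted args)."""
    # For each variable, the set of sink kinds its value is still unsafe for.
    unsafe: Dict[str, Set[str]] = {}

    def taint_of(names: List[str]) -> Set[str]:
        merged: Set[str] = set()
        for n in names:
            merged |= unsafe.get(n, set())
        return merged

    findings: List[Finding] = []
    for idx, stmt in enumerate(program):
        op = stmt[0]
        if op == "const":
            unsafe[stmt[1]] = set()
        elif op == "concat":
            _, dst, parts = stmt
            unsafe[dst] = taint_of(parts)  # taint survives concatenation
        elif op == "call":
            _, dst, func, args = stmt
            incoming = taint_of(args)
            if func in SOURCES:
                result = set(SINK_KINDS)                 # unsafe for every sink
            elif func in SANITIZERS:
                result = incoming - {SANITIZERS[func]}   # safe for one kind only
            elif func in SINKS:
                kind = SINKS[func]
                bad = [a for a in args if kind in unsafe.get(a, set())]
                if bad:
                    findings.append((idx, func, kind, bad))
                result = set()
            else:
                result = incoming  # unknown callee: assume taint passes through
            if dst is not None:
                unsafe[dst] = result
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return findings


# Constructed sample program modelled on an ASP.NET page handler.
PROGRAM = [
    ("call", "name", "Request.QueryString", ["\"name\""]),     # 0: source
    ("const", "greet", "Hello, "),                              # 1
    ("concat", "msg", ["greet", "name"]),                       # 2: taint flows into msg
    ("call", "safe", "AntiXss.HtmlEncode", ["msg"]),           # 3: html-safe now
    ("call", None, "Response.Write", ["safe"]),                 # 4: ok
    ("call", None, "Response.Write", ["msg"]),                  # 5: XSS finding
    ("const", "prefix", "SELECT * FROM users WHERE name = '"), # 6
    ("concat", "query", ["prefix", "safe"]),                    # 7
    ("call", None, "SqlCommand.ExecuteReader", ["query"]),      # 8: SQL injection finding
]

if __name__ == "__main__":
    for idx, func, kind, args in analyze(PROGRAM):
        print(f"statement {idx}: {kind} sink {func} receives tainted {args}")
```

Two findings come out: statement 5 writes the raw query-string value to the response, and statement 8 puts the HTML-encoded copy into a SQL string. The second one is the point of tracking sink kinds separately: HtmlEncode is the right sanitizer for the first sink and the wrong one for the second, and a tool that treated "sanitized" as a single bit would miss it. Real engines such as CAT.NET also follow flows across methods and assemblies and through properties, which this straight-line toy does not.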

And I highly recommend reading MS08-078 and the SDL, and subscribing to the SDL (Security Development Lifecycle) RSS feed.

nUrlRewriter - IIS7 Url Rewriter

Sunday, October 26th, 2008

nUrlRewriter is an ASP.NET HTTP module written in managed C# code which examines incoming HTTP requests and applies user-defined criteria that may result in a request being redirected or rewritten. Web pages within existing web sites are often archived or retired, yet many Internet hyperlinks to those pages may still exist. nUrlRewriter solves this problem by providing a facility which can easily redirect or rewrite such HTTP requests to other pages or web applications. For example, a discontinued product page may be redirected to a general product category page. nUrlRewriter differentiates itself from other redirectors/rewriters in that it also supports the IIS7 Integrated ASP.NET Pipeline, enabling it to redirect or rewrite any incoming URL the IIS7 web server handles, such as (but not limited to) static HTML pages (htm, html), classic ASP applications (asp), PHP applications (php) and ASP.NET (aspx) applications.

Incoming HTTP requests which are redirected are answered with a status code of either 301 (permanent) or 302 (temporary) and a Location header carrying the new target URL, to indicate that the requested page has moved. The browser then issues a new HTTP request for the new URL. Status code 301 indicates that the URL has been permanently moved and the browser should use the new URL in any future requests. Status code 302 indicates that the URL has been temporarily moved and the browser should use the new URL only for the outstanding request.

Incoming HTTP requests which are rewritten are served from a different URL location within IIS. Since the originating browser is not informed of the rewrite, its address bar continues to display the URL it originally requested.

nUrlRewriter works equally well with IIS5 and IIS6.
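The redirect/rewrite distinction described above, as an added example in Python (this is not nUrlRewriter's own code, which is a C# HTTP module): a constructed rule table is matched against the request path, and each rule either produces a 301 or 302 with a Location header or silently changes the path that is served. The last rule in the table is deliberately the mistake a rule author can make, letting the whole Location value come from the request; the guard in `is_local_target` refuses it, which is the "Redirection to User Controlled Site" class that CAT.NET lists in the post above. All URLs and rules are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of redirect (301/302) versus internal rewrite rules.
# Not nUrlRewriter's code; the rule format and URLs are assumptions.


@dataclass(frozen=True)
class Rule:
    pattern: str   # regex matched against the request path (anchored at start)
    target: str    # replacement template; \1 etc. refer to pattern groups
    action: str    # "redirect_permanent" (301), "redirect_temporary" (302) or "rewrite"


# Constructed rule table.
RULES: List[Rule] = [
    # A retired product page: tell the browser to remember the new URL (301).
    Rule(r"^/products/widget-2000\.aspx$", "/products/widgets.aspx", "redirect_permanent"),
    # A short-lived campaign URL: browser should keep using the old one (302).
    Rule(r"^/promo(/.*)?$", "/sale.aspx", "redirect_temporary"),
    # Pretty URL served by an .aspx handler: internal rewrite, address bar unchanged.
    Rule(r"^/articles/(\d+)/?$", r"/article.aspx?id=\1", "rewrite"),
    # The mistake to avoid: the whole Location comes from the request path.
    # is_local_target() refuses off-site values instead of producing an open redirect.
    Rule(r"^/go/(.+)$", r"\1", "redirect_temporary"),
]


def is_local_target(target: str) -> bool:
    """Only same-site absolute paths may be placed in a Location header.

    Rejects scheme-relative forms ("//host", "/\\host") and absolute URLs.
    """
    return (target.startswith("/")
            and target[1:2] not in ("/", "\\")
            and "://" not in target)


def apply_rules(path: str, rules: List[Rule] = RULES) -> Tuple[int, Optional[str], Optional[str]]:
    """Return (status, served_path, location) for one request path.

    redirect -> (301|302, None, location): browser issues a new request.
    rewrite  -> (200, new_path, None): served internally, browser unaware.
    no match -> (200, path, None).
    """
    for rule in rules:
        m = re.match(rule.pattern, path)
        if m is None:
            continue
        new_url = m.expand(rule.target)
        if rule.action == "rewrite":
            return 200, new_url, None
        if not is_local_target(new_url):
            return 400, None, None   # refuse to send the browser off-site
        status = 301 if rule.action == "redirect_permanent" else 302
        return status, None, new_url
    return 200, path, None


if __name__ == "__main__":
    for p in ["/products/widget-2000.aspx", "/promo/spring", "/articles/42",
              "/about.htm", "/go/http://evil.example/", "/go///evil.example"]:
        print(p, "->", apply_rules(p))
```

The rewrite case returns a new path and no Location header, which is exactly why the address bar does not change; the redirect cases return no path of their own, because the browser will come back with a fresh request. A test of the guard is worth keeping in the rule file: both `http://host` and `//host` style targets must come back as 400, since browsers treat a scheme-relative `//host` in Location as an off-site redirect.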

Home Page

I was thinking of reading some source code of open source projects; I thought I would start with this, as it is a simple and small little utility and, in my imagination, the source code could be under 1000 lines. Do you have any good suggestions, or what are your favourite open source projects?

Comments and Suggestions are Welcome.

Fiddling with Fiddler

Sunday, October 26th, 2008

Fiddler is an HTTP debugging proxy which logs all HTTP traffic between your computer and the Internet and lets you inspect, and modify, every request and response. Fiddler includes a powerful event-based scripting subsystem and can be extended using any .NET language.

Important Links:
Get Fiddler
Addons
Video Tutorials

Fiddler can be used with non-IE browsers too: point the browser's HTTP proxy setting at the address Fiddler listens on (127.0.0.1 port 8888 by default), since only Internet Explorer picks up the system proxy that Fiddler sets automatically.

Email Prioritizer from Microsoft Office Labs

Wednesday, August 20th, 2008

Email Prioritizer is a plug-in for Microsoft Office Outlook 2007 (running on Exchange Server) that helps you manage email overload. This concept test provides a “do not disturb” button that temporarily pauses new email arrival, and prioritizes email with a 0-3 star rating system. We hope this prototype helps you focus on the emails that are most important to you.

Requirements: This prototype requires Outlook 2007 running on Exchange Server.

Links:
Email Prioritizer
FAQ
Blog

Links For August 18th 2008

Tuesday, August 19th, 2008

Web:
YUI 3.0 Preview Release 1
Scaling Web Application - Recommended Readings

C#:
Enumeration Classes

Tools:
Google Unveils Open Source Security Tool

SQL:
Understanding SQL Execution Plan (Part I)
SQL For Developers - 9 Reasons to bother

Silverlight:
Taking your first steps into Silverlight
