Parameter tampering:
UPDATE!!! Possible solution: secure QueryString
http://www.dotnetjunkies.com/HowTo/99201486-ACFD-4607-A0CC-99E75836DC72.dcik
http://www.dotnetjunkies.com/Forums/ShowForum.aspx?forumid=4922
Vote here and here on MSDN to have this functionality included in ASP.NET
From my quick and preliminary investigation of URLSCAN today, I found out that the QueryString part of the URL is not protected.
To alleviate this issue of GET parameter tampering in ASP.NET, I wrote up a little code which does the following:
- get the QueryString part of the URL
- decode it (HtmlDecode)
- parse out all the bad input
- limit the length of the QueryString to the minimum necessary
Since the HttpRequest class is sealed/not inheritable, there are 3 ways to do it:
1) Write an HttpHandler to deal with it
2) Extend the Page class and set this functionality in the PreRender event
3) Write your own ISAPI handler in unmanaged code
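The four steps above, implemented as a variant of option 2 (an added example, not the author's code): the `SafeQueryPage` class, its `SafeQuery` property and `Clean` method, the length limits and the character allow-list are all assumptions. It exposes a cleaned copy because `Request.QueryString` is read-only, and builds that copy on first access rather than in a page event.

```csharp
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Hypothetical base page: pages inherit from it and read SafeQuery
// instead of Request.QueryString, which is read-only.
public class SafeQueryPage : Page
{
    private const int MaxQueryLength = 128; // assumed limit; size it per application
    private const int MaxValueLength = 64;  // assumed per-value limit

    // Allow-list: every character outside this set is dropped.
    private static readonly Regex Disallowed =
        new Regex(@"[^A-Za-z0-9_.\-]", RegexOptions.Compiled);

    private NameValueCollection safeQuery;

    protected NameValueCollection SafeQuery
    {
        get { return safeQuery ?? (safeQuery = Clean(Request.Url.Query)); }
    }

    public static NameValueCollection Clean(string rawQuery)
    {
        // Step 1: take the query string part of the URL, without the '?'.
        string query = (rawQuery ?? string.Empty).TrimStart('?');

        // Step 4, applied first so oversized input is never parsed.
        if (query.Length > MaxQueryLength)
            throw new HttpException(400, "Query string too long.");

        // Step 2: HtmlDecode as in the post; ParseQueryString then
        // URL-decodes each name and value.
        NameValueCollection parsed =
            HttpUtility.ParseQueryString(HttpUtility.HtmlDecode(query));

        // Step 3: keep only allow-listed characters, first value per name.
        NameValueCollection clean = new NameValueCollection();
        foreach (string key in parsed.AllKeys)
        {
            if (key == null) continue; // bare value with no name, e.g. "?abc"
            string value = Disallowed.Replace(parsed.GetValues(key)[0] ?? "", "");
            if (value.Length > MaxValueLength)
                value = value.Substring(0, MaxValueLength);
            clean[Disallowed.Replace(key, "")] = value;
        }
        return clean;
    }
}
```

Stripping characters only narrows what reaches page code; values that select records or grant access still need a server-side authorization check, since a tampered id can consist entirely of allowed characters.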
I put one item on my personal .NET wishlist.