ASP.NET

WARNING: Serious ASP.NET issue with Windows Server 2003 and SP1

Marcus Mac Innes — Thu, 04 Aug 2005 17:20:00 GMT

We have been trying to track down a problem with our blog aggregator software B.AG which is currently powering INDA's blog aggregator at www.developers.ie/blogs.

We recently upgraded the server to Windows Server 2003 SP1 and for some reason, threads were simply disappearing from our custom threadpool and the application logging which uses log4net would simply stop without warning. We have just tracked the problem down to the System.Threading.Timer class which according to this has major issues when running on Windows Server 2003 with SP1. It seems the Timer class stops firing at some random point and never fires again...

I know of a number of major ASP.NET sites around the world that have applications that depend on functionality provided by the Timer class and I'm very surprised that this issue has not seen more publicity. So this is just a warning to ensure that you don't fall victim to this issue!

As far am I am aware there is no hotfix available for this problem yet.

ASP.Net 2.0 Roadshow in Dublin

Marcus Mac Innes — Mon, 07 Mar 2005 10:14:00 GMT

Following my talk on Securing ASP.Net Applications at last Friday’s Dublin leg of Microsoft’s ASP.Net 2.0 European Roadshow, there were a couple of requests for the slides and code samples. They can be downloaded from here.

Talking with developers afterwards in the bar, it was really interesting to see how many of them had heard of SQL Injection and XSS attacks but had not actually realised how vulnerable an application and the other applications which share the same database can be. Most had never actually seen how an attack would be carried out.

I demonstrated how security on a web site can be compromised by taking advantage of holes within the application code. These holes can be discovered by using a series of probes which disclose whether or not vulnerability exists.

The demonstration attacked the site’s Login page to discover vulnerabilities. These were then exploited to bypass the application security altogether. We were then able to take control of the database for this and other applications which share the database, create our own login accounts with administrative privileges and access the site’s customer’s credit card information.

I also demonstrated using a Cross Site Scripting attack how the Forms Authentication cookie could be stolen and silently sent to an attacker’s website to be stored for later use. Once the attacker is in position of this cookie, they would be able to login to the original web site using someone else’s authentication token.

The key message of the talk was to ensure that all user input is validated before any other processing is done. This together with strict use of secure coding standards would have disabled any attacker’s opportunities.

For more information on writing secure code, please feel free to contact me.

And many thanks to Microsoft for asking me to speak at this great event with the ASP.NET team!

Captcha to Remove Comment SPAM for .Text

Marcus Mac Innes — Fri, 07 Jan 2005 17:07:00 GMT

Recently, I've been getting inundated with comment SPAM on my blog...

Luckily Miguel Jimenez has implemented a cool little Captcha control which is easily integrated with .Text to provide protected from the Viagra salespeople. The control has now been installed on this blog!

BTW - Make sure you install the v1.2 update, although the ReadMe.txt is included with the v1.1 download.

UPDATE: New Version 1.3

B.AG Blog Aggregator Goes Live

Marcus Mac Innes — Mon, 29 Nov 2004 17:51:00 GMT

When we launched INDA at www.developers.ie a couple of weeks ago, we integrated the .Text blog engine so that our members (most of whom were new to blogging) could have their own blogs on the site. I also created a blog there, but soon I was getting frustrated by having to cross post blog entries both on my own blog here at www.styledesign.biz and on www.developers.ie.

I wanted a simple blog aggregagtor, so that I could automatically pull my most recent posts onto the site without having to cross post. It was during my search for a suitable piece of software that I came across Minh T. Nguyen's .NET Blog Aggregator (which I blogged about previously) and decided that if there was nothing available for download, I would write my own...

Blog AGgregator was born!

Running stand-alone or on top of .Text B.AG pulls content from subscribed RSS feeds and presents the combined content in a sorted, categorised format. I will more than likely blog about the internal design at some point, but for now, you can see B.AG (Beta 1) in action at http://www.developers.ie/blogs/

If you would like to incorporate into your site... just let me know. Marcus

ASP.NET 2.0 and Cross Browser Support

Marcus Mac Innes — Wed, 10 Nov 2004 09:36:00 GMT

Scott Guthrie posted a note on his blog here about the new cross browser support for ASP.NET validators in the upcoming ASP.NET v2.0 (Whidbey) Beta 2. Scott also mentions that this functionality will be retro fitted back into ASP.NET v1.0 and v1.1. Does this mean that maybe another service pack is in the pipeline for 1.1?

While this move is to be welcomed, I would like to see Microsoft state their overall position with regard to cross browser support. There are a lot of new "gadgets" in the new ASP.NET v2.0, but unless you are working on projects for Intranet deployment, we can't be sure that any of them will be of any real use.

One of the most understated new features of this next release is Client Callbacks with some info here, here and here. Asynchronous callbacks from within a web page is certainly not new, but this little control is going to take all the hastle out of the difficult plumbing. The only problem is that currently this feature is IE specific (XmlHTTP is a dependency) which is my view severely limits its usefulness. Fredrik Normén points out a new property added to the HttpBrowserCapabilities class that could be used to check if the browser support Client Callbacks "SupportsCallBack"... but this doesn't make it any more useful for real world web based applications. Back in June I posted a comment on Minh T. Nguyen blog pointing out that Mozilla had support for XmlHTTP but unfortunately the Javascript injected by ASP.NET is IE specific! I ask him this question directly and you can read his response here. We can only wait and see if the IE Specific Javascript issues has been fixed in Beta2 for the final release...

How many other controls fall foul of this same problem?

.NET 2.0 Beta 2 May Be Around The Corner...

Marcus Mac Innes — Sat, 23 Oct 2004 23:43:00 GMT

Scott Guthrie has returned to blogging with this insightful blog about some of the internal project management and testing techniques currently being adopted by the ASP.NET team for the next release of Microsoft ASP.NET 2.0, Beta 2.

Interestingly, Scott mentions that the Beta 2 milestone is now only 3 weeks away... Positive news after this week's announcement of yet another delay to the final release of VS.NET 2.0 and SQL Server 2005.

Maybe it's the SQL Server team delaying things this time in an attempt to put back the diagram!