• .NET "ValidateRequest" Approach
  Microsoft introduced ValidateRequest in .NET 1.1. The idea is that the framework checks incoming requests for any constructs indicative of Cross Site Scripting issues. If any problems are found, an error is raised and the request does not even get to the web application. The directive can be placed in Machine.config, web.config or at the page level. This option is turned on by default in ASP.NET.
  Microsoft has made it clear that you should not rely ONLY on this method:
  

  Do not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation.

  It is clear why Microsoft adds the precaution. This is a blacklist based approach and every blacklist has limitations. In addition, if there is a business need to use constructs that are blacklisted by validateRequest (e.g., Ajax apps that send xml back and forth), you may need to turn off this feature.
  Lets check what validateRequest does by cracking open the relevant dll’s.

  .NET Framework 1.1 does the following checks as seen from the disassembly:
  
  Reading through the code, we see that the following items are checked - expression strings, JavaScript script and OnXXX handlers, ‘<’ followed by alpha characters and "&#". It is a decent list that
  catches most common XSS vectors.

  .NET Framework 2.0 does the following checks as seen from the disassembly:
  
  In this case, the following items are checked - ‘<’ followed by alpha characters and "&#".
  It appears that MS decided to dumb down request validation when .NET framework went from 1.1 to 2.0.
  An important point to remember about "validateRequest" is that these protections are given to only certain parts of the request. Query Strings, Form variables and Cookies are protected. Header values, Server Variables, viewstate, information inside multi-part forms (e.g., file upload) are not validated.

  From a developer’s perspective, the usefulness of this class is limited by the fact that it cannot be overridden or extended.

• Anti-XSS Library
  The Anti-XSS library is an exhaustive blacklist. The following screenshot shows all function calls in the library (ver 1.5).
  As seen in the disassembly above, the coverage of Anti-XSS library is quite good as it looks at JavaScript, VbScript, XML. Being a public class, it is possible to extend and override methods to suit your application needs.Use of this library entails downloading the latest dll and adding a reference to your web application project.
• Output Encoding
  This method involves the use of HttpUtility.HtmlEncode() call whenever you send information to the presentation layer. This process is not as automatic as the first two methods because the developer has to be more aware of where they are displaying data.

More »

Most of the security folks are peeved by the fact that an application firewall can be used in place of a code review. I agree with the nay-sayers from a purely technical perspective. Application firewalls do not protect you from attacks for which you cannot write good signatures…and there are many, many attacks that fall in this category (authentication, authorization etc, etc). Even for attacks such as SQL Injection and Cross Site Scripting, which the WAP are designed to mitigate, there may be new ways to circumvent the firewall. So, from a technical perspective it is pretty ineffective if an organization is pushing for security.

There lies the big problem. Most organizations do not really care about security. Customer data is just one piece of the puzzle to get their business done. The only reason companies take customer data seriously is because there are laws and the reputation loss. From a business and process perspective, it is just one cog of many. They know there is something called PCI and there are a few requirements to be met. And the PCI Council has given these companies a freebie in the form of web application firewall.

In my view, the whole issue about section 6.6 has to be taken in perspective. If an organization is to pass PCI requirements, they need to satisfy all sections. In other words, the PCI requirements also stipulate a lot of best practices - network segmentation (Req. 1), separation of duties (Req.6.3), good programming practices [OWASP Top 10] (Req.6.5), Regular vulnerability testing (Req.11) that needs to be satisfied. If a company wants to be PCI Compliant, they would ideally look at all of these and, in the process become compliant. Viewed in this light, the issue of web application firewall is a small one.

More »

To get started, install gpg4win. Download, double-click on the downloaded file and you are good to go. After installation, when you right-click on a file, you should see a new option, GPGee,  in your menu. This means everything went well with the install.

Now to go Start -> Programs ->  GnuPG For Windows -> GPA

GPA (Gnu Privacy Assistant) is the heart of this program. What we will do next is generate keys for you to use. You see, this type of encryption depends on “keys” that have your unique signature. The only personal identification in the keys are your name and email address. I would suggest putting in your real name and a real email address you use. This is so others can find your keys easily. These keys are meant to be made public.

If you already have your own keys, skip forward to the “key import” section.

0. Generate Keys

When you started GPG, the program probably came up asking if you want to generate keys.

Say “Generate Keys” at this screen. You will be asked for your name and email address and a password and the program will generate a key for you in a few seconds. This key will show up in your “keyring”. A keyring is where you store your own key and other user’s keys. Your key is protected by the password you entered, so don’t forget the password. The initial keyring will just have the key you just generated.

1. Encrypting/Decrypting Files

To encrypt a file, right-click on the file and select “GPGee -> Sign and Encrypt”.

A window will pop up that will list all the keys that can be used to encrypt. First choose the encryption key  (box at top) by checking the box. Next, select the signing key.

After you click “ok”, you will see a file with a *.gpg extension in the same folder. This is the encrypted version of the file.

To decrypt a file, we need to reverse this process. First, right-click on the encrypted file and choose “GPGee -> Verify/Decrypt”. This will ask for your password to unlock your key that will be used for decryption. You should get a success message box after decryption. The decrypted file will show up in the same folder.

2. Sending encrypted emails

Unfortunately,there is no easy way to use GnuPG to send encrypted emails.

Update: You can use thunderbird with Enigmail to automate this process.

Here’s what you can do.

1. Write your email in notepad or another text editor. Save the file.
2. Encrypt this file to get a file with *.gpg extension
3. Open the *.gpg file in notepad or another text editor
4. Use Ctrl+A to select the data in the file, Ctrl+C to copy the data
5. Paste this into your email client (Outlook, Hotmail, GMail whatever you use)

To decrypt any encrypted emails that you get:

1. Copy full email from your email client
2. Paste this into notepad or another text editor
3. Save the file with a *.gpg extension
4. Decrypt the file using the discussion in section 1.
5. The decrypted file will show up in the same folder

3. Sharing your key with others

This method of encryption works only when you have the keys of the people you want to send encrypted files/emails to. Others who need to send you encrypted files or emails need to know your keys also.

1. Start up GPA (Start -> Programs -> GnuPG for Windows)
2. Click on your key
3. Click Export button and give it a file name
4. Your key will be saved to a file.

This file can then be emailed to anyone you choose. These files are meant to be public and do not have any sensitive information.

4. Importing keys from other users

1. Start up GPA (Start -> Programs -> GnuPG for Windows)
2. Click Import button
3. You’ll be asked for a file to import keys from. Select the file and click OK

Now the newly imported key will show up in your keyring.

More »

I had almost given up on installing Wordpress when google found me this illuminating article on GoDaddy and Wordpress, which had links to a couple of other sites with detailed instructions on the setup.

This is what you do:

   1. Identify the required database information
          * Login to GoDaddy.com
          * Go to “Host & Servers” ->”My Hosting Account”
          * Select your registered domain and click “Open” in the Control Panel.
          * Scroll down to Databases and click on MySQL icon
          * It should now show you the Database Name, Host Name and Username
   2. Input the exact Database Name into the wp-config.php file:

          define(’DB_HOST’, ‘mysql95.secureserver.net’);

      This is near the top of the file.
   3. Comment the following lines in wp-settings.php

          //if ( !extension_loaded(’mysql’) )
          // die( ‘Your PHP installation appears to be missing the MySQL which is required for WordPress.’ );

      I am not sure why these lines need to be commented out even though the MySQL extensions has been loaded.

Finally, go through the Famous 5-minute install for Wordpress and you are done!.

Thanks to whoami and pradob at Wordpress Installation Support

Update Apr 17, 2006: Everything was going fine till I needed to install plugins. For the life of me, I could not get plugins recognized in the admin folder. I kept getting the “Couldn’t open Plugins folder or Plugins were not found” error message. I should mention that my Wordpress blog is hosted on godaddy servers with PHP and IIS. Here’s the fix for the error (credit goes to Jason).

Open the file “wp-admin/admin-functions.php” and find the following line. Replace the old line with the new line.

    function get_plugin_data($plugin_file) {
    //$plugin_data = implode(’’, file($plugin_file));
    $plugin_data = file_get_contents($plugin_file);

Plugins will start working with this change.

Update May 15, 2008: WordPress works so much better on Linux!. Everything simply works out of the box, no tweaking needed.

More »