.NET news » Security 
Microsoft Anti-Cross Site Scripting Library V1.5
Cross-site scripting attacks are platform and browser independent, and can allow malicious users to perform malicious actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely. Simple steps that developers can take to prevent XSS attacks in their ASP.NET applications include doing the following:
1. Validating and constraining input
2. Encoding output
For defense in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The principle of inclusions approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements.
20 Nov 2006, 18:04:46 Source: Microsoft Anti-Cross Site Scripting Library V1.5
Tags: ASP.NET, Security
Using Enterprise Library in ASP.NET 2.0 Partial Trust Mode
The Enterprise Library Application Blocks aren't useful only in Windows Forms applications; you can use them in ASP.NET too by downloading a set of patch files and configuring the security settings appropriately. Find out how.
31 Oct 2006, 18:02:26 Source: Using Enterprise Library in ASP.NET 2.0 Partial Trust Mode
Tags: ASP.NET, Security
Online Article: Fundamentals of WCF Security
Windows Communication Foundation (WCF) is a secure, reliable, and scalable messaging platform for the .NET Framework 3.0. With WCF, SOAP messages can be transmitted over a variety of supported protocols including IPC (named pipes), TCP, HTTP and MSMQ. Like any distributed messaging platform, you must establish security policies for protecting messages and for authenticating and authorizing calls. This article will discuss how WCF accomplishes this.
Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach
Whenever you build a new system you should consider how an intruder might go about attacking it and then build in appropriate defenses at design time.
11 Oct 2006, 19:00:00 Source: Threat Modeling: Uncover Security Design Flaws Using The...
Tags: Security
Top 10 Security Vulnerabilities in .NET Configuration Files
Developers often concentrate on writing secure code but leave security vulnerabilities in application configuration files. Discover the most common configuration security problems—and how to avoid them.
19 Sep 2006, 17:30:58 Source: Top 10 Security Vulnerabilities in .NET Configuration Files
Tags: Security, ASP.NET
The experience of using Spices.Obfuscator: Review of options, advises and recommendations
This article reviews practical experience with the Spices.Obfuscator options and gives recommendations on how to use them for protection not only against reverse engineering and deobfuscation, but also for protection of the algorithms and data contained in .NET assemblies.
Spices.Obfuscator is a tool for protecting different kinds of assemblies, from managed C++ assemblies to ASP.NET, Windows.Forms and Compact.Framework assemblies.
The Spices.Obfuscator tools can be customized by means of ObfuscationOptions, which can be seen in Spices.Project for each project assembly. Open the assembly in Spices.Net, go to the Properties section, open the AssemblyList property, and then open its sub-properties to get the Obfuscator setting options for each assembly.
26 May 2006, 16:40:12 Source: The experience of using Spices.Obfuscator: Review of...
Tags: Security
Add Fingerprint Scan-based Security to Your .NET Applications Today
It wasn't all that long ago that biometric authentication seemed like the kind of sci-fi technology that might never be practical outside of top-secret government laboratories. But believe it or not, you can build a fingerprint scanner into any .NET application you like just by following these simple instructions.
Security in the CLR World Inside SQL Server
Is running .NET Framework code within SQL Server 2005 exciting or a threat? Which is it? This article explores the security issues of SQLCLR code so that both developers and DBAs can make informed decisions about its use.
Passing Information Securely Between ASP and ASP.NET
Many classic ASP applications exist side-by-side with newer ASP.NET applications, sometimes leading to a need to transfer or share information between the two. This article shows one method of transferring such information securely.
10 Mar 2006, 15:09:50 Source: Passing Information Securely Between ASP and ASP.NET
Tags: ASP.NET, Security
Online Article: Security in the CLR World Inside SQL Server
One of the major benefits of writing .NET code to run in the Common Language Runtime (CLR) hosted in any environment is code access security (CAS). CAS provides a code-based, rather than user-based, authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005's own, newly enhanced security features? By default your .NET code is reasonably secure, but it's all too easy for the two security schemes to butt heads and cause you grief. In this article I'll look briefly at the concept behind CAS and a few new security features in SQL Server 2005, then explore how to make the two systems work for you instead of against you as you take advantage of these advanced programming features in SQL Server.
17 Feb 2006, 02:00:00 Source: Online Article: Security in the CLR World Inside SQL Server
Tags: Security, Database

