Hauser & Wenz :: Blog

Once again I'll be speaking at DevConnections this fall. One of my talks will tackle one of my main topics: web application security. I'll cover common (and some uncommon) attacks against web sites, discuss countermeasures and have a close look which safeguards ASP.NET offers, and where developers need to add some security code on their own.

As usual I plan to show a number of code demos, so I thought it would be a nice addition to present a list of important resources for topics I am covering in this session. The list tries to focus only on major sources for each topic, but feel free to use the comments to suggest additional websites.

See you in Las Vegas!

• General
  
  
  • The Open Web Application Security Project
  
  


• Cross-Site Scripting (XSS)
  
  
  • Controlling Internet Explorer's XSS filter
  
  
  • XSS Cheat Sheet (unfortunately a bit outdated)
  
  
  • The Microsoft Web Protection Library (includes AntiXSS)
  
  
  • Content Security Policy
  
  


• SQL Injection
  
  
  • Microsoft Source Code Analyzer for SQL Injection (for Classic ASP sites)
  
  
  • How to protect from SQL Injection attacks with ASP.NET
  
  


• Cross-Site Request Forgery (CSRF)
  
  
  • How to protect from CSRF attacks with ASP.NET
  
  
  • AntiCSRF for ASP.NET
  
  
  • .NET CSRF Guard
  
  
  • The X-FRAME-OPTIONS HTTP header
  
  


• CAPTCHAs
  
  
  • The official CAPTCHA site
  
  
  • reCAPTCHA
  
  


• Clickjacking
  
  
  • Clickjacking
  
  

Once again I'll be speaking at DevConnections this fall. One of my talks will provide an introduction into jQuery plugin authoring. One of the main features of jQuery is the huge amount of available plugins. Writing such a plugin is not that hard, but there are some common patterns that help you getting started.

I plan on covering a variety of topics, so this posting just gives you a glimpse what's about to come. Be ready to get started with jQuery plugin development in less than a minute!

Here we will develop a trivial plugin that provides information about a hyperlink when the user hovers over it with the mouse. We do this by setting the link's title attribute to a text containing the target URL and, if available, the target frame/window.

First of all we create a new file, jquery.linkinfo.js. This follows the usual pattern for jQuery plugins. In this file, we include our code. The base structure makes sure that we can access $ from our code, that the code is executed immediately (which in turn defines the method we are writing) and that no global variables remain:


(function ($) {

})(jQuery);


Within this block, we define our extensions method. This is done by adding an entry to the $.fn hashtable, like this:


$.fn.linkInfo = function () {

}


Most jQuery methods support chaining, so they need to return a list of the current elements (in form of the usual jQuery "object"). A common approach to ensure this is the following code:


return $(this).each(function () {

});


We are almost done! Within the each() block, we first access the current element via $(this) - later this will be a link. Then, we set the element's title attribute to text containing of the URL (href attribute) and, if applicable, the target (target attribute).


var el = $(this);
el.attr("title", "URL: " + el.attr("href") + "; target: " + (el.attr("target") || ""));


Using this plugin in our code is quite easy: We first load jQuery itself, then the plugin. Finally, a script block accesses all links on the page and executes the linkinfo() method:


$(function () {
  $("a").linkInfo();
});


More on these (and related) topics in Las Vegas - hope to see you there!

Once again I'll be speaking at DevConnections this fall. One of my talks will provide a concise introduction to jQuery for ASP.NET developers. Since Microsoft has embraced jQuery and is shipping it with their Visual Studio templates, a solid understanding of how jQuery works is fundamental for many modern ASP.NET web applications.
I plan on covering a variety of topics, which includes (but is certainly not limited to) the following list.

1. Loading jQuery
   jQuery can be easily obtained from jquery.com and be included using a standard <script> tag. The way browsers work with JavaScript makes sure that following script code is only executed once jQuery has been loaded.


2. Wait for the DOM to be ready
   One of the main tasks developers do with JavaScript is to access elements on the page, using the DOM (Document Object Model) interface. However this only works once the DOM is ready, which usually means that the whole page has been transferred from the server. There are several approaches to ensure this, but the solution with the least amount of typing is to write the relevant code within a $() call. It might not look that way, but $ is actually something provided by jQuery.


3. Accessing elements
   $() may also be used to access elements on the page. jQuery supports most CSS selectors (including options provided by the upcoming CSS3 standard). One common approach is to use the CSS class name provided in an element's class attribute, or to access an element via its ID. However when using ASP.NET Web Forms you need to be careful as some controls rewrite the ID. In that case, using the element's ClientID property can provide the correct value.


4. Event handling
   jQuery provides several ways to implement event handling. For many common events, the framework offers a built-in methods. For instance the click() method may be used to provide code once the user clicks on the current element. The actual code is usually written in form of an anonymous function.


5. Manipulate elements
   There are several mechanisms to manipulate an element via jQuery. For CSS operations, the css() method is quite common to set individual styles.


6. Chaining
   The return value of most jQuery methods is a jQuery "object", as is the return value of $() itself. This allows fluent interfaces, or chaining, by calling several methods directly in a row.

The following codes sums all up: jQuery is loaded (step 1), and after the DOM is ready (step 2) we access the Label element on the page (step 3). Once the user clicks on it (step 4), we change a CSS property (step 5) and use some other jQuery magic to animate it (step 6).






Hope to see you in Las Vegas!

Early June I released version 0.1.0 of my Google +1 Helper for WebMatrix and Razor. This helper provides easy access to the Google +1 functionality that was released the day before. This page will serve as a documentation placeholder. Have a look at the full post to get more information on the helper; also, feel free to head to the Google +1 Helper NuGet package page and give it a try! Continue reading "Google +1 Helper for WebMatrix and Razor"

The Serendipity project has released version 1.5.5 of their blog system a few hours ago. This is a security release, since there is a 0-day exploit out in the wild that is already used heavily. The security issue allows uploading script code to your server, so in other words: if affected, you are hosed.
If you are using Serendipity you should consider updating as soon as possible. Garvin has more on the issue in the release announcement.

Thanks to the Serendipity security team for their prompt actions (as always!), and to Stefan Neufeind for providing logs and insights about how the exploit was used.

Just a quick note: I just updated Serendipity to version 1.5.1 on one of our servers; yet afterwards I could not log in anymore. Also, Serendipity reported that version 1.5.1 was present, although I did not run the update script from the admin console yet. At first I thought I did something wrong, but a s9y forum posting described a similar issue.

The fix was actually quite simple: for some reason—may it be due to my own fault or due to a bug in the upgrade logic—the SQL upgrade script was not run, but Serendipity still thought it had been upgraded already. The file sql/db_update_1.5-alpha1_1.5-alpha2_mysql.sql contains the required SQL commands (in case you are using MySQL). Just remember to replace {PREFIX} with the table prefix you are using (s9y_ in my case):


ALTER TABLE s9y_authors ADD COLUMN hashtype int(1);
ALTER TABLE s9y_authors CHANGE password password VARCHAR(64) NOT NULL;


HTH. Once again, Happy Holidays.

Just a quick note that my JSON Gotchas article has just been published. The editors removed the last sentence, so here it is again: Happy holidays everyone!

Ein Hinweis in eigener Sache: Die Kollegen von video2brain, die unter anderem auch ein paar Videotrainings von uns verlegen, haben heute Mittag angekündigt dass die Trainings nun auch in einem Abonnementsmodell veröffentlicht werden. Kurzform: für einen fixen Betrag hat man ein Jahr lang Zugriff auf alle Videotrainings. Hier die Langform auf Basis der Pressemitteilung:

Die ab sofort erhältlichen Trainingsabonnements bieten ein Jahr lang unbeschränkten Zugang zu allen Originaltrainings von video2brain – in komplettem Umfang und mit vollständiger Funktionalität. Mehrmals im Monat kommen neue Trainings hinzu. So können Abonnenten jederzeit und überall ihr Können bedarfsgerecht weiterentwickeln und aktuell halten – mit wertvollem Wissen zu einem günstigen Komplettpreis. Das Trainingsabonnement gibt es in einer Standardvariante mit reiner Online-Verfügbarkeit für 199 Euro sowie in einer Premiumversion mit zusätzlicher Offline-Nutzbarkeit für 299 Euro. Schüler, Studenten, Lehrkräfte und Bildungseinrichtungen erhalten das Standard-Abonnement für 99 Euro.

Die Trainingsabonnements erfüllen damit die Wünsche derjenigen Kunden, die ein hohes Maß an Flexibilität bei gleichzeitiger Planungssicherheit benötigen. Wer mit vielen unterschiedlichen Technologien und Softwareanwendungen arbeitet und wer in seinem Arbeitsalltag und Leben sich mit einer Vielzahl von Themen auseinandersetzt, schätzt besonders den kompletten Zugriff auf das gesamte Expertenwissen der video-2brain-Seminare – und zwar jederzeit und an jedem Ort. Wer ein Standard-Abonnement erwirbt, kann jederzeit über eine Online-Verbindung die Trainings durcharbeiten. Premium-Abonnenten stehen die Seminare auch als Download zur Verfügung sowie zusätzlich das Begleitmaterial zum jeweiligen Training. Damit können die Lektionen der Video-Trainings auch am eigenen Computer durchgearbeitet werden.

Die Themenpalette der Trainingsabonnements entspricht dem Gesamtprogramm von video2brain und reicht von Expertenwissen für Kreativprofis und Fotografen, über Schulungen für Büroanwender, Anwendungsentwickler und IT-Fachleute bis hin zu Workshops für Privat- und Hobbyanwender.
Durch die Themenvielfalt und die flexiblen Nutzungsmöglichkeiten, sind die video2brain-Trainingsabonnements sowohl für Einzelnutzer als auch für Unternehmen und Bildungseinrichtungen interessant. Gerade in Organisationen erleichtert der Online-Zugang zu den Schulungen den Verwaltungsaufwand enorm. Zugang, Kreis der Nutzer und die Zahl der gleichzeitig Lernenden lassen sich zentral festlegen.

Nähere Informationen zu den Einzeltrainings und dem Gesamtprogramm finden sich unter video2brain.

Am 13. Oktober 2008 haben Peter Bucher und Golo Roden unter dem Titel "Noch Fragen, Bucher? Ja, Roden!" angekündigt, jeweils zum ersten eines jeden Monats einen Kommentar zu einem vorab gemeinsam gewählten Thema verfassen zu wollen. Heute, am 1. November 2009, ist es nun wieder so weit, und das Thema für diesen Monat lautet:

Wieviel Sinn machen Unit-Tests? [Der Anglizismus ist natürlich arg hässlich. Ich kann es aber auf meine Mitstreiter schieben, die sich diese Formulierung haben einfallen lassen.]

Die beiden haben mich netterweise gefragt ob ich dieses Mal wieder als "Gast-Mitstreiter" dabei bin, und so haben wir drei uns unabhängig voneinander im Vorfeld unsere Gedanken gemacht, wie wir diesem Thema gegenüberstehen. Peters und Golos Kommentare finden sich zeitgleich in ihren Blogs, folgend nun meine Meinung zu diesem Thema:
Continue reading "Wieviel Sinn machen Unit-Tests?"

Am 13. Oktober 2008 haben Peter Bucher und Golo Roden unter dem Titel "Noch Fragen, Bucher? Ja, Roden!" angekündigt, jeweils zum ersten eines jeden Monats einen Kommentar zu einem vorab gemeinsam gewählten Thema verfassen zu wollen. Heute, am 1. August 2009, ist es nun wieder so weit, und das Thema für diesen Monat lautet:

C# oder VB: Welche Sprache soll ich lernen?

Die beiden haben mich netterweise gefragt ob ich dieses Mal als "Gast-Mitstreiter" dabei bin, und so haben wir drei uns unabhängig voneinander im Vorfeld unsere Gedanken gemacht, wie wir diesem Thema gegenüberstehen. Peters und Golos Kommentare finden sich zeitgleich in ihren Blogs, folgend nun meine Meinung zu diesem Thema:
Continue reading "C# oder VB: Welche Sprache soll ich lernen?"

I just finished my Microsoft TechDays presentation (WEB309: Fixing Ajax Applications). Thanks to everybody who attended! This session will be repeated during the day, so if you missed it you still can tune in.

There was a question at the very end on the history hash ASP.NET writes, but I was too slow to answer it before the session room was closed. The EnableSecureHistoryState property may help in the specific situation and lets you at least toggle between a secure and a human-readable format.

Microsoft have released the first public beta for their upcoming Windows 7 operating system. To me it looks surprisingly similar to Vista (which is a good thing and a bad thing ), so I thought that installing PHP on it should be easy, as well. Actually, it was really easy, but since yesterday two people indenpendently from each other asked me how to do it, I thought I'd write down the required steps.
Continue reading "Installing PHP on Windows 7"

Well, kinda. It's true that you can download the first public beta of Windows 7, but even if you passed the very slow "Server too busy" profile.microsoft.com server, there are still chances that you do not get the desired download afterwards, but this message instead ("next business day" is awesome):


A glimpse at the source code reveals interesting insights:


Debugoutput:

System.Data.Odbc.OdbcException: ERROR [08001] [Microsoft][ODBC SQL Server Driver][DBNETLIB]General network error. Check your network documentation.
ERROR [01000] [Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionOpen (PreLoginHandshake()).
at System.Data.Odbc.OdbcConnection.HandleError(OdbcHandle hrHandle, RetCode retcode)
at System.Data.Odbc.OdbcConnectionHandle..ctor(OdbcConnection connection, OdbcConnectionString constr, OdbcEnvironmentHandle environmentHandle)
at System.Data.Odbc.OdbcConnectionOpen..ctor(OdbcConnection outerConnection, OdbcConnectionString connectionOptions)
at System.Data.Odbc.OdbcConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.Odbc.OdbcConnection.Open()
at Futurecom.Microsoft.ProductKeys.Framework.DataAccess.GetProductKeys(String userSid, Int32 editionId, Int32 maxKeys, Boolean getAnotherKey, String fullEditionName, String& debugOutput)
at Futurecom.Microsoft.ProductKeys.Framework.Controls.Win7Distribution.refreshProductKeyList(Boolean getAnotherKey)


Hmmm ... Are they really using SQL Server or maybe rather Access?