A lot of applications require the need for an in-session authorization mechanism. This means that when an end-user is within an authenticated session, the end-user will be prompted to enter a set of credentials before he can be allowed to perform specific transactions. These transactions are identified as high-risk transactions, such as changing a password [...]
The title can be misleading, because in concept, one is not related to the other. However, a lot of web applications mix them up, causing bugs that are hard to troubleshoot, and, at worst, causing security vulnerabilities.
A little bit of background on each one. ASP.NET sessions are used to keep track and keep information [...]
Or an example Padding Oracle attack in 100 lines of C# code.
This post has been in my outbox for weeks, since I did not want to make it generally available before the patches were released. Now that the patches are being pushed on Windows Update, and I also see that there are a couple [...]