Category Archives: ASP.NET

Out-of-band Authorization

A lot of applications require the need for an in-session authorization mechanism. This means that when an end-user is within an authenticated session, the end-user will be prompted to enter a set of credentials before he can be allowed to … Continue reading

Posted in ASP.NET | Leave a comment

ASP.NET Session and Forms Authentication

The title can be misleading, because in concept, one is not related to the other.  However, a lot of web applications mix them up, causing bugs that are hard to troubleshoot, and, at worst, causing security vulnerabilities. A little bit … Continue reading

Posted in ASP.NET | Tagged | 9 Comments

Yet Another Take on the Padding Oracle Exploit Against ASP.NET

Or an example Padding Oracle attack in 100 lines of C# code. This post has been in my outbox for weeks, since I did not want to make it generally available before the patches were released.  Now that the patches … Continue reading

Posted in ASP.NET | Tagged , | 2 Comments