Varun Sharma's security blog

Securing the Microsoft Azure subscription

This blog post is part of a series of posts on Security Best Practices for Microsoft Azure...

Date: 10/02/2014

Security Best Practices for Microsoft Azure Applications

Responsibility for security of applications on Azure is shared by Microsoft and the customer....

Date: 09/20/2014

TechNet Webcast: Configuring with Least Privilege in SQL Server 2008

I recently presented a TechNet Webcast on the topic “Configuring with Least Privilege in SQL Server...

Date: 06/20/2009

Catch the security flaw #6

If you can find the security issue with this piece of code, write about it by adding a comment to...

Date: 04/10/2009

Virtual techdays: Top 5 Web Application security bugs in custom code

Microsoft Virtual TechDays is starting from the 18th February 09. In the security track, I will be...

Date: 02/15/2009

catch the security flaw #5 (flaw and its countermeasure)

In my last post, I showed input validation code that uses RegularExpressionValidators improperly....

Date: 12/29/2008

Catch the security flaw #5

A lot of web applications use RegularExpressionValidators for performing input validation [1]....

Date: 12/21/2008

Catch the Security Flaw(s) #4

Identify as many security issues as you can with this piece of code:- 1: [WebMethod] 2: public...

Date: 12/02/2008

NASSCOM – DSCI Information Security Summit 2008 Security Tutorial

My colleague Sagar and I will be conducting an application security workshop at the NASSCOM – DSCI...

Date: 11/24/2008

How To: Configure permissions in Out-of-the-box MOSS 2007 Approval Workflow such that “Approvers” cannot edit or delete the item to be approved

  1. Consider a Microsoft Office SharePoint Server 2007 site that will be used as a “Document Approval...

Date: 08/04/2008

Catch the Security Flaw #3

Quite a few web applications encrypt query string values. This is generally done as an added measure...

Date: 07/14/2008

Confusion property of symmetric block ciphers

Modern symmetric block encryption algorithms need to satisfy a number of properties to be considered...

Date: 07/14/2008

catch the security flaw #2 (flaw and its countermeasure)

In my previous “Catch the Security Flaw” post I wrote about a flawed CAPTCHA implementation. In this...

Date: 06/16/2008

Catch the security flaw #2

Consider a fictional web site that lets you create new accounts (as shown below). This site...

Date: 03/31/2008

Catch the security flaw #1 (Flaw and its countermeasure)

It is time to discuss the flawed code that I posted a couple of weeks back. The comments posted were...

Date: 02/08/2008

Catch the security flaw #1

I will be from time to time, putting up flawed code as an open question on this blog. Those who can...

Date: 01/23/2008

Common Authorization flaw in Web Applications: Why disabling buttons (or other controls) is not enough?

I have seen quite a few web applications that rely on disabling controls for authorization. Consider...

Date: 01/22/2008

XSSDetect: Tool for finding Cross Site Scripting bugs

About a month back, ACE Engineering released "XSSDetect", a stripped down version of the "Code...

Date: 12/06/2007

Block Ciphers: Simple attack on ECB mode

This is nothing new, but I just wanted to document it on my blog. Block ciphers encrypt data in...

Date: 11/27/2007

ClubHACK 2007: I will be presenting some “Subtle Security Flaws”

In its own words, "ClubHACK is one of its kind hacker's convention in India which serves as a...

Date: 11/26/2007

The Unbreakable Cipher

The concept of perfect secrecy is that given the cipher text, and any resources and amount of time,...

Date: 11/15/2007

Common Authorization Vulnerability in Thick Client applications

Consider the following architecture for an intranet application. A thick client installed on the...

Date: 10/31/2007

Browser Security: Why you can’t get the file that the user doesn’t want you to get?

In the year 1995, there were eight options for the “type” attribute of the “input” element. These...

Date: 10/01/2007

Catch the security flaw: Configuring encryption from Web Server to SQL Server

I assess software security for a living, but I almost missed this one. <connectionStrings>...

Date: 09/10/2007

SQL injection: Dynamic SQL within stored procedures

Most resources on the internet concentrate on dynamic SQL in the data access code as the cause of...

Date: 09/05/2007

How To: Run Sql Server Agent and Sql Server Jobs with least privilege in Sql Server 2005

How to: Run Sql Server Agent service under an account which is not a member of the local...

Date: 08/30/2007