Entries:
Comments:
Posts:

Loading User Information from Channel 9

Something went wrong getting user information from Channel 9

Latest Achievement:

Loading User Information from MSDN

Something went wrong getting user information from MSDN

Visual Studio Achievements

Latest Achievement:

Loading Visual Studio Achievements

Something went wrong getting the Visual Studio Achievements

IIS Show #4 with Brett Hill

Download

Right click “Save as…”

  • MP3 (Audio only)
Prior to working for Microsoft, Brett was an IIS MVP for three years and provider of advanced IIS training to Fortune 1000 and government audiences. Having discussed web problems with many large customers, he provides some tips for developers to keep in mind when creating applications for the web. Topics range from folder naming conventions to security and are sure to help with the deployment, security, and operation of any web application.

Tags:

Follow the Discussion

  • Something just seems wrong when it is possible to specify web paths that will fool the parser.  This seems inherently insecure.  I don't disagree with your comments to keep paths short and clean but to be worried that specifying a directory with .com is going to fool the parser just makes me wonder about either the URL/HTTP specifications or the implementation of IIS.

    Microsoft has spent lots of effort allowing users to have long file names and directory names.  I rememeber the old 8.3 days and I for one love good descriptive names - though I hate blanks in names like "Program Files" and needless dots (.) are kinda silly too - yet .Net actually encouraged this practice.

    Your advise is good but the Microsoft examples out there contradict them.

    Cool

  • I completely agree - though my biggest problem is this was a total waste of time.  The message seemed slightly rehearsed and for the most part completely "out-of-date." 

    I, personally, would like more exciting, powerful topics coming out of Microsoft considering IIS was pretty much the first hackable product for Microsoft.  Were you around, or seriously involved with IIS when Code Red was in it's prime?
  • Yup, i was around. Of course the basics would have prevented code red such as applying existing patches or disabling extensions you aren't using. I didn't cover that info in the podcast since this was not about administration as much as much as what to tell developers. I can assure it was not rehearsed. 

    So what I would like to know is what you would like to have heard in this? In other words, what would you say to developers are the top things the should know to write secure code for web applications?

    =brett
  • I appreciate your concern here, however, the thing to keep in mind is that the parser is not fooled, it is simply parsing according to its rules. Keep in mind that you cannot send this kind of URL from IE as it wil not allow it. You have to use another utility of some kind.
    See http://www.windowsitpro.com/Article/ArticleID/23278/23278.html?Ad=1
    http://www.mvps.org/marksxp/WindowsXP/IIS/iis4.php

    And Writing Secure Code by Michael Howard
    "Just say no to parent paths. If you remove the requirement for parent paths in your application, anyone attempting to access a resource by using parent paths is, by definition, an attacker!"

    http://www.microsoft.com/mspress/books/sampchap/5612b.asp

Remove this comment

Remove this thread

close

Comments Closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.