Archive for the ‘ASP.NET’ Category

Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty

October 20th, 2015

Today, I have another exciting expansion of the Microsoft Bounty Programs to announce. Please visit https://aka.ms/bugbounty to find out more. I’ll be discussing this new bounty in my talk at SyScan360 on October 21, 2015. We are delighted to offer a bounty for the .NET Core and ASP.NET Beta which Microsoft released earlier this month.

.NET and ASP.NET represent critical building blocks in the Visual Studio development suite. This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many operating systems. The bounty will extend to all supported platforms, initially including Linux and OS X, with some current exclusions for the non-Windows platforms. You can find more information in the FAQs, the .NET program terms and the .NET team’s blog. The highlights are as follows:

  • .NET Core and ASP.NET Beta 8 and any subsequent Betas or Release Candidates during the bounty period

  • Presently includes supported platforms on Windows, OS X and Linux

  • The bounty will run October 20, 2015 – January 20, 2016

  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), the Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third-party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

Happy Hacking!

Jason Shirk

Categories: .NET, ASP.NET, Bounty Programs

Advance Notification Service for the October 2014 Security Bulletin Release

October 9th, 2014

Today, we provide advance notification for the release of nine Security Bulletins. Three of these updates are rated Critical, five are rated Important, and one is rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, .NET Framework, and ASP.NET.

As per our usual process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, October 14, 2014, at approximately 10 a.m. PDT. Revisit this blog then for analysis of the relative impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

As a reminder, we are now using a new format for our Security Bulletin Webcast, scheduled on Wednesday, October 15, at 11 a.m. PDT. You are no longer required to register, download the Live Meeting client, or dial in to a separate number. A link to the Webcast will be included in our blog next Tuesday.

You can follow us on Twitter at @MSFTSecResponse.

Thank you,

Tracey Pretorius, Director
Response Communications

Silverlight 3.0 Datagrid – How to change a cell state?

February 13th, 2010

Hi, Syam Pinnaka here, Sr. SDE in the Infosec Tools team.

The Silverlight 3.0 DataGrid can be bound to any enumerable collection to display its data in the grid. Changes made in the grid can be propagated back to the bound data using a special Silverlight type called ObservableCollection; we will discuss ObservableCollection in a separate post. In this post, let's see how to change a DataGrid cell state based on a condition. For example, say there are two DataGridCheckBoxColumn columns, and the first checkbox column needs to become read-only based on the value of the second checkbox column.

We can accomplish this by handling DataGrid events such as BeginningEdit or CellEditEnded. In our example, we use BeginningEdit to check whether the checkbox being clicked is the first one and, if so, check the state of the second checkbox to decide whether to allow the edit. Example code below.

// requires: using System.Windows.Controls;
#region selectUsersGrid_BeginningEdit
private void selectUsersGrid_BeginningEdit(object sender, DataGridBeginningEditEventArgs e)
{
    if (e.Column.DisplayIndex == 0) // first DataGridCheckBoxColumn (IsDeny)
    {
        User u = e.Row.DataContext as User; // fetch the row data
        // examine the second checkbox's data (IsMember); do not allow the edit if it is false
        if (u != null && u.IsMember == false)
        {
            e.Cancel = true; // cancelling the edit keeps the first cell read-only for this row
        }
    }
}
#endregion

The same effect can be accomplished in other ways. For example, we can use CellEditEnded instead of BeginningEdit: in CellEditEnded, check the second checkbox's state and mark the first one as read-only when required. Example code below.

#region selectUsersGrid_CellEditEnded
private void selectUsersGrid_CellEditEnded(object sender, DataGridCellEditEndedEventArgs e)
{
    if (e.Column.DisplayIndex == 1) // second checkbox (IsMember) changed
    {
        User u = e.Row.DataContext as User; // fetch the row data
        // not a member: clear IsDeny so the first checkbox follows the rule
        if (u != null && u.IsMember == false)
            u.IsDeny = false;
    }
}
#endregion

One point to note in the above two snippets is that we are modifying the bound data to alter the cell state, rather than the cell itself. Touching the cell directly becomes necessary when we want to change state that is not related to the data, for example the background color of the cell. This can be accomplished as below.

// requires: using System.Windows; using System.Windows.Controls; using System.Windows.Media;
#region selectUsersGrid_CellEditEnded
private void selectUsersGrid_CellEditEnded(object sender, DataGridCellEditEndedEventArgs e)
{
    if (e.Column.DisplayIndex == 1) // second checkbox (IsMember) changed
    {
        // e.Column is the column that was just edited (the second one); the cell to
        // recolor is in the first column, so look it up on the grid, not on e.Column
        DataGrid grid = sender as DataGrid;
        if (grid == null) return;
        FrameworkElement firstCheckbox = grid.Columns[0].GetCellContent(e.Row);
        CheckBox c = firstCheckbox as CheckBox; // DataGridCheckBoxColumn renders a CheckBox
        if (c != null)
        {
            c.Background = new SolidColorBrush(Colors.Red);
        }
    }
}
#endregion
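The handlers above write to the bound User object rather than to the cell, which only shows up in the grid if the model raises change notifications. The class below is an added example, not code from the original post: a User type with INotifyPropertyChanged whose setters also enforce the rule "a non-member cannot be denied" in the model itself, so the invariant holds even when an edit does not come through the grid's events. IsMember and IsDeny are the property names used in the post; the Name property, the MainPage class and the sample rows are assumptions.

```csharp
using System.Collections.ObjectModel;
using System.ComponentModel;
using System.Windows.Controls;

// Row model for selectUsersGrid. Raising PropertyChanged is what makes the
// "u.IsDeny = false" write in CellEditEnded visible in the first checkbox column.
public class User : INotifyPropertyChanged
{
    private string name;   // assumed extra text column, not in the original post
    private bool isMember; // second checkbox column
    private bool isDeny;   // first checkbox column

    public event PropertyChangedEventHandler PropertyChanged;

    public string Name
    {
        get { return name; }
        set { if (name != value) { name = value; OnPropertyChanged("Name"); } }
    }

    // Clearing membership also clears IsDeny, so the rule holds no matter
    // whether the change came from the grid, from code or from a web service.
    public bool IsMember
    {
        get { return isMember; }
        set
        {
            if (isMember == value) return;
            isMember = value;
            OnPropertyChanged("IsMember");
            if (!isMember && isDeny)
            {
                isDeny = false;
                OnPropertyChanged("IsDeny");
            }
        }
    }

    // The setter refuses to deny a non-member. The BeginningEdit handler in the
    // post stops the click in the UI; this keeps the model consistent regardless.
    public bool IsDeny
    {
        get { return isDeny; }
        set
        {
            bool next = value && isMember; // a non-member can never be denied
            if (isDeny == next) return;
            isDeny = next;
            OnPropertyChanged("IsDeny");
        }
    }

    private void OnPropertyChanged(string propertyName)
    {
        PropertyChangedEventHandler handler = PropertyChanged;
        if (handler != null) handler(this, new PropertyChangedEventArgs(propertyName));
    }
}

// Code-behind for the page that hosts selectUsersGrid (assumed class name; the
// grid and its two DataGridCheckBoxColumns are declared in the page's XAML).
public partial class MainPage : UserControl
{
    // ObservableCollection so that adds and removes reach the grid as well.
    public ObservableCollection<User> Users = new ObservableCollection<User>
    {
        // constructed sample rows
        new User { Name = "alice", IsMember = true,  IsDeny = false },
        new User { Name = "bob",   IsMember = false, IsDeny = true  } // IsDeny is forced back to false
    };

    public MainPage()
    {
        InitializeComponent();
        selectUsersGrid.ItemsSource = Users;
        selectUsersGrid.BeginningEdit += selectUsersGrid_BeginningEdit;
        selectUsersGrid.CellEditEnded += selectUsersGrid_CellEditEnded;
    }
}
```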

That is about it for now; we will talk more about Silverlight in coming posts. Feel free to contact me at syamp@microsoft.com if you have any questions about the above post.

Happy coding!

Categories: ASP.NET, C#, SilverLight, Visual Studio

How To: Use CAT.NET 2.0 Beta

February 5th, 2010

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

You can download the current Beta of CAT.NET 2.0 from https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

*You must have Visual Studio 2010 Beta 2 for this tool to work. There are known issues if you have previous versions installed, so please be aware.*

After the installation, open a Visual Studio 2010 command prompt in *Administrator* mode by going to Start -> All Programs -> Microsoft Visual Studio 2010 -> Visual Studio Tools -> Visual Studio 2008 Command Prompt. At the command prompt, type “sn -Vr *,b03f5f7f11d50a3a” to skip strong name verification for the FxCop assemblies. Note that this registers a machine-wide skip-verification entry for every assembly signed with that public key token; once you are done with the beta, remove it with “sn -Vu *,b03f5f7f11d50a3a”.

*Note: this sn step will be fixed in an incremental build very soon.*

You can run the CAT.NET rules as FxCop rules from the FxCop GUI or from FxCopCmd.exe.

1. Start FxCop by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop. This will bring up the UI with CAT.NET rules loaded.

2. Right click “My FxCop Project” and select “Add Targets” to browse and add a target to analyze.

3. Click on the “Rules” tab to select appropriate rules.

Note: Sometimes the FxCop UI does not display any results after selecting both rule sets. The workaround is to select either the configuration rules or the data flow rules, and alternate the selection after each analysis.

4. After selecting a target, click the “Analyze” button in toolbar or just press F5 to start the analysis.

5. Review the results in the window on the right.

6. You can also run the analysis using the FxCop command line tool. Open FxCop Command line tool by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop Command Prompt. This will run the command line tool and display all the existing command line switches.

7. You can start analysis by using the /console and /file switches. The /console switch displays errors in the console and the /file switch specifies which file to analyze. Ex: FxCopCmd.exe /console /file:"C:\AntiXss\Sample Application\bin\SampleApp.dll"

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

CAT.NET 2.0 – Beta

February 4th, 2010

Mark Curphey here…

Pleased to announce a beta of the upcoming CAT.NET 2.0. This beta program will last for approximately 1 month. The final version is scheduled to release shortly after VS 2010 RTM. The goal of this beta program is to garner feedback from the user community. Please send all feedback to ist-cat@microsoft.com. There have been some significant changes to the code, including:

User Experience

  • Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
  • Easy analysis using FxCop command line or UI interface or VSTS Team Build.
  • Currently beta includes FxCop UI and Command prompt.

Core Analysis

  • A total of 55 rules have been added: 9 data flow rules and 46 configuration rules are included in this version.
  • Updated tainted data flow analysis engine to track both tainted operands and source symbols.
  • Reduced false positives and false negatives, accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
  • New data flow rule to detect XML Injection attacks.
  • Updated configuration rules engine to detect clear text connection strings and credentials.
  • Rules to detect insecure defaults, for example the minRequiredPasswordLength attribute of a membership provider's add element.
  • Configuration rules updated to detect @page directive configuration overrides.
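As an added illustration (not CAT.NET's own rule code), the following Python check mirrors two of the configuration rules listed above, clear text connection strings and a weak minRequiredPasswordLength, against a constructed web.config. The threshold of 7 is SqlMembershipProvider's documented default, and the hardened sample assumes the connectionStrings section was encrypted with aspnet_regiis -pe.

```python
import re, xml.etree.ElementTree as ET
MIN_PASSWORD_LENGTH = 7  # SqlMembershipProvider's documented default; a lower override is insecure
PASSWORD_KEY = re.compile(r"(^|;)\s*(password|pwd)\s*=", re.IGNORECASE)

# Constructed web.config (not from the post) carrying both weak settings.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=App;User Id=app;Password=Hunter2;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SqlProvider">
      <providers>
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb" minRequiredPasswordLength="3" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# The same config after remediation: section encrypted with aspnet_regiis -pe, length raised.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <!-- EncryptedData element written by aspnet_regiis goes here -->
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SqlProvider">
      <providers>
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb" minRequiredPasswordLength="12" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

def check_web_config(xml_text):
    # Returns (rule, detail) findings, mirroring two CAT.NET configuration rules.
    findings = []
    root = ET.fromstring(xml_text)
    for section in root.iter("connectionStrings"):
        if section.get("configProtectionProvider"): continue  # encrypted: nothing in clear text
        for add in section.iter("add"):
            if PASSWORD_KEY.search(add.get("connectionString", "")):
                findings.append(("ClearTextConnectionString", add.get("name")))
    for membership in root.iter("membership"):
        for add in membership.iter("add"):  # every provider's <add> element
            length = int(add.get("minRequiredPasswordLength", MIN_PASSWORD_LENGTH))
            if length < MIN_PASSWORD_LENGTH:
                findings.append(("WeakMinRequiredPasswordLength", f"{add.get('name')}={length}"))
    return findings
```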

Known Issues

All current known issues are listed in the CAT.NET V2.0 Beta guide document. The items listed in this document will be resolved prior to final release.

Download

You can download the bits at Connect (link below)

https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

Enjoy!

Delay Between Actions Feature in CUIT

January 18th, 2010 No comments

Syed Aslam Basha here. I am a tester on the Information Security Tools Team.

The CUIT code is executed at a very fast pace; at times you may want to execute it more slowly, with a delay between actions.

We have a playback API which helps to achieve this, as shown below:

Playback.PlaybackSettings.DelayBetweenActions = 1000;

The value is in milliseconds. Use the above code as the first line in your CUIT methods to get a delay of one second between actions during playback.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead
