Friday, March 28, 2008
PWN To OWN
Thursday, March 27, 2008
Google Calendar Sync
Guice
Tuesday, March 25, 2008
Building a Partially Trusted Web Application
By default, Visual Studio (all versions through 2008) creates web applications that run as "Fully Trusted" .NET applications. A Fully Trusted application bypasses every Code Access Security check, so any code it loads can do whatever the worker process account can do: call into unmanaged Win32, read and write arbitrary files and registry keys, and open sockets to any host. That is a security risk for a number of reasons, especially when the application handles untrusted input or shares a server with other applications. A "Partially Trusted" application, by contrast, reduces the attack surface by shrinking the set of operations that code running in the application is permitted to perform. As an extreme example, you can reduce the risk of a SQL injection attack to near 0% (I'm not brave enough to use the word "always") by removing the permission to make any kind of data access call in the first place: code that cannot open a connection cannot be tricked into running hostile SQL over one.
If you have ever toyed around with Code Access Security policy, you know that intelligently configuring a secured application can be a daunting and counterintuitive task. Fortunately, there are surprisingly easy steps that bring a significant level of security to an ASP.NET web application. One of Stefan's highest recommendations is to, at the very least, move a web application from Full trust to "High" trust. High trust removes the permission to call the unmanaged Win32 API, and it removes the ability to call into .NET assemblies that are not decorated with the AllowPartiallyTrustedCallersAttribute (APTCA), so a strong-named library that was never reviewed for partial-trust callers simply cannot be reached from the application. I will demonstrate going a step further and making the web application a "Medium Trust" application. Medium trust additionally confines file access to the application's own directory tree, removes registry access, and limits outbound HTTP to the origin configured in web.config, which makes it the level better suited to internet-facing applications and to applications in shared hosting environments.
Get the guide here, and the sample code here.
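The configuration change itself is small. The fragments below are an added illustration, not the guide or the sample code linked above: the weak (default) setting, the hardened setting, the server-wide lock that stops an individual application from quietly opting back out, and the machine.config mapping that shows where each named level's permission set lives. The host name in originUrl and the "Custom" level are assumptions for the sake of the example.

```xml
<!-- 1. web.config as Visual Studio leaves it. Omitting <trust> is equivalent to this;
        every Code Access Security check is bypassed. -->
<configuration>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>

<!-- 2. Hardened web.config: run the application under Medium trust. originUrl is only
        needed if the application makes outbound HTTP calls; it widens WebPermission to
        that origin (the host name is an example assumption, not a real endpoint). -->
<configuration>
  <system.web>
    <trust level="Medium" originUrl="http://api.example.com/" />
  </system.web>
</configuration>

<!-- 3. machine.config (or the root web.config) on a shared server: the <location>
        lock means a tenant's own web.config cannot raise the level back to Full. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" />
    </system.web>
  </location>
</configuration>

<!-- 4. Also in machine.config: the named levels are just pointers to policy files in the
        framework CONFIG directory. To tailor a level, copy web_mediumtrust.config, edit
        the permission set, and register it under a new name (the "Custom" entry is an
        assumption added for this example; the other five are the framework defaults). -->
<securityPolicy>
  <trustLevel name="Full"    policyFile="internal" />
  <trustLevel name="High"    policyFile="web_hightrust.config" />
  <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
  <trustLevel name="Low"     policyFile="web_lowtrust.config" />
  <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
  <trustLevel name="Custom"  policyFile="web_customtrust.config" />
</securityPolicy>
```

After switching to Medium trust, expect a SecurityException on the first request from any code path that needs a permission the level no longer grants: a library that is not marked APTCA, data access through OleDb or Odbc (SqlClient is permitted), file access outside the application root, or registry reads. Each of those exceptions is the policy doing its job; the fix is to remove the dependency or to grant exactly that permission in a custom policy file, not to set the level back to Full.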
Thursday, March 20, 2008
Stored Procedure Digger
DECLARE @sprocName sysname
SET @sprocName = N'sp_MyLostStoredProcedure'
/************************************************/
DECLARE @DbName sysname
DECLARE @command NVARCHAR(MAX)
DECLARE @exec NVARCHAR(300)

-- The batch to run inside each database. The procedure name is passed in as a
-- parameter instead of being spliced into the SQL text, so a name containing
-- quotes, brackets or spaces cannot break (or hijack) the batch.
SET @command = N'
IF EXISTS (SELECT * FROM sys.objects
           WHERE object_id = OBJECT_ID(N''dbo.'' + QUOTENAME(@name))
             AND type IN (N''P'', N''PC''))
BEGIN
    PRINT DB_NAME() + N''.dbo.'' + @name
    EXEC sp_helptext @objname = @name
END'

-- sys.databases replaces the SQL 2000 compatibility view sys.sysdatabases. Skip
-- databases that are offline or that the caller cannot open; either one would
-- otherwise abort the loop with an error before the remaining databases are searched.
DECLARE DbEnum CURSOR FAST_FORWARD FOR
    SELECT [name] FROM sys.databases
    WHERE state_desc = N'ONLINE' AND HAS_DBACCESS([name]) = 1
OPEN DbEnum
FETCH NEXT FROM DbEnum INTO @DbName
WHILE @@FETCH_STATUS = 0
BEGIN
    -- GO is a client batch separator, not T-SQL, so it cannot go inside dynamic SQL.
    -- Qualifying sp_executesql with the database name runs the batch in that
    -- database's context, so no USE is needed and the script executes directly
    -- instead of printing text that has to be copied out and run by hand.
    SET @exec = QUOTENAME(@DbName) + N'.sys.sp_executesql'
    EXEC @exec @command, N'@name sysname', @name = @sprocName
    FETCH NEXT FROM DbEnum INTO @DbName
END
CLOSE DbEnum
DEALLOCATE DbEnum
Friday, March 14, 2008
Future of XML
The section headed "Oneiromancy" is particularly well written.
Another new keyboard shortcut
Tuesday, March 11, 2008
Layout and Firebug
The layout seems to work well enough on Firefox 2.0 and Safari 3.0 for Mac as well as Firefox 2.0 and IE7 on PC.