Ignition Development Blog

Sure, we do lots of great things, but you’re probably most interested in our websites and custom web applications

September 2010 Entries

The past week has contained a bit of uncertainty around the ASP.NET security vulnerability. The good news is that Microsoft has a security update coming to address the issue tomorrow, and should be applauded for responding so quickly. You only have to stop for a moment and think about the level of testing required for anything affecting a product such as the .NET framework to realise that responding within a limited timeline like this is pretty impressive indeed.

However, for those who want a bit more technical info (i.e. people who are simply curious about how this stuff works), here’s a collection of interesting posts on the subject.

Firstly, let’s set the scene with a short video demonstrating the exploit in action against DNN. You should note that DNN is a good target because some of its default administrator usernames are well known – this makes it easier to exploit the vulnerability. It’s a reminder as to why it’s always good to change these default usernames whenever you have the option to do so.

Now, for some links. Firstly, this one - HOWTO: Verify that custom error handling solutions do not expose padding oracle – is a useful post with some good technical info, and a more useful way to verify vulnerability by using Fiddler to visit a couple of variations on requests to WebResource.axd. There are some good discussions and clarifications in the replies, which are good reading if you want a bit more background information.

Next is a Padding oracle detection script, which comes from the same author as above. This can be used to help verify whether your sites have been properly patched or not.

Finally, a couple of links from ScottGu - Update on ASP.NET Vulnerability and ASP.NET Security Update Shipping Tuesday, Sept 28th.
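The comparison behind the HOWTO check above, as an added example that is not code from the linked posts or from this blog: it takes the responses captured (for instance with Fiddler) for each request variation and reports every field a remote client could use to tell them apart. The `Captured` type, the labels and the sample responses are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Captured:
    """One response saved from the proxy (all names here are illustrative)."""
    label: str
    status: int
    headers: dict
    body: bytes


def fingerprint(resp: Captured) -> dict:
    """Reduce a response to the fields a remote client can tell apart."""
    hdrs = {k.lower(): v.strip() for k, v in resp.headers.items()}
    return {
        "status": resp.status,
        "location": hdrs.get("location", ""),
        "content-type": hdrs.get("content-type", ""),
        "body-length": len(resp.body),
        "body-sha256": hashlib.sha256(resp.body).hexdigest(),
    }


def leaks(responses: list) -> dict:
    """Map each pair of labels to the fields in which their responses differ."""
    found = {}
    for a, b in combinations(responses, 2):
        fa, fb = fingerprint(a), fingerprint(b)
        diff = sorted(k for k in fa if fa[k] != fb[k])
        if diff:
            found[(a.label, b.label)] = diff
    return found


# Constructed sample captures, not taken from any real site.
REDIRECT = b"<html><body>Object moved</body></html>"
PER_STATUS_PAGES = [
    Captured("variation-1", 404, {"Content-Type": "text/html"}, b"<h1>Not found</h1>"),
    Captured("variation-2", 500, {"Content-Type": "text/html"}, b"<h1>Server error</h1>"),
]
SINGLE_ERROR_PAGE = [
    Captured("variation-1", 302, {"Location": "/error.html", "Content-Type": "text/html"}, REDIRECT),
    Captured("variation-2", 302, {"Location": "/error.html", "Content-Type": "text/html"}, REDIRECT),
]

if __name__ == "__main__":
    for name, capture in [("per-status pages", PER_STATUS_PAGES), ("single error page", SINGLE_ERROR_PAGE)]:
        print(name, "->", leaks(capture) or "responses are indistinguishable")
```

An empty result means the captured responses match in status, redirect target, content type and body; any entry names the fields that still differ between two variations.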

Stay safe out there!

-Ross

One of the features json.org mentions when describing JSON is that “It is easy for humans to read and write”. This is mostly true; however, when you’re dealing with a large chunk of dynamically generated JSON it can be a little bit of a tougher ask for this human, especially if it’s in the context of an AJAX application where typically the JSON data will be lacking in formatting, indentation and white space in order to speed up transmission.

So here’s a couple of simple things we’ve found that help to make working with JSON slightly easier.

SublimeText – I really love working with SublimeText. Now, out of the box it comes with support for a lot of languages... but not JSON. Never fear, as it supports TextMate .tmlanguage files, so you can add JSON support quite easily by downloading this .tmlanguage file and adding it to your Sublime Text\Packages directory. Restart SublimeText, and JSON highlighting can be yours.

However if your JSON is lacking in white space and carriage returns then even with the highlighting it’s not going to be too easy to read. Enter the next tool:

Simple JSON Formatter – this is a client side JSON formatter written in JavaScript by Jon Combe. Being paranoid at the thought of the Internet being down we’ve taken a copy and popped it on our own servers for our convenience. The JSON formatter will do exactly what its name implies – it lets you paste a chunk of unformatted JSON into the text box, then click the button, and have it formatted with white space, indentation, and carriage returns.

Combine these two simple tools together, and you’ve got a much improved JSON debugging experience!

-Ross

Yesterday Microsoft announced an important security vulnerability with ASP.NET.

Since then we have run the auditing script recommended by Microsoft on our hosting servers. All Site Foundation Framework websites pass by default, so all of our website customers can rest assured that their sites are safe from this exploit.

26/09/2010 EDIT: Scott Guthrie has posted an update containing more details. Read it here.

28/09/2010 EDIT: Microsoft has a security update coming to address the issue tomorrow.

Link: Important: ASP.NET Security Vulnerability

Link: ASP.NET Security Update Shipping Tuesday, Sept 28th

-Ross

…and to celebrate, here’s a couple of links for anyone interested in reading about the rather unglamorous yet important subject of application logging.

Firstly a post from my personal blog titled You’re doing it wrong – error logging. Writing can often be prompted through first hand experiences, and this was certainly one of those times.

Here at Ignition, our logging library of choice is currently log4net. It’s flexible, free, works well, and using it means we save time by not having to build something from scratch. That last point might seem a strange one to labour – but you’d be surprised how often we see other people wanting to re-invent the wheel in application development, and it seems to be an incredibly popular thing to do when it comes to error logging. If you’re looking to get up to speed with log4net, then this post from Jan Heggernes would be a great place to start.

Happy logging!

-Ross