Archive for the ‘Uncategorized’ Category

The .NET Developer’s Guide to Windows Security…

July 3, 2018

This book covers .NET security on the Microsoft Windows platform: Windows NT, Windows 2000, Windows XP Professional and Windows Server 2003. Think about protection, detection and reaction in a typical computer system. You might have to think hard to come up with any detection and reaction countermeasures, because the focus is almost always on protection. The hardware of the machine provides isolation between processes; that is protection. Cryptography is the basis for even more protection: data integrity, authentication, protection from eavesdropping, and so on. When the book was written, further protection was on the horizon with Microsoft's proposed Next Generation Secure Computing Base (NGSCB); NGSCB was later shelved in that form.

When you design secure systems, think of protection countermeasures the way a jeweler thinks of a safe: they exist to buy you time. Design detection and reaction into your systems as well. For example, you could instrument your server processes with WMI (Windows Management Instrumentation), then use WMI to report security statistics and react automatically, or raise alerts to the administrator. This is an area we all need to work harder to perfect.

Repudiation is where an attacker denies having performed some act. This matters particularly if you plan to prosecute an attacker. A common protection against repudiation is a secure log file with timestamped events; the log is only worth anything if an attacker who later gains access to the machine cannot quietly edit or truncate it, so the log's own integrity has to be protected as well. One interesting consideration with these logs is the kind of data you store in them. If the log file were included in a court subpoena, would revealing it be more damaging to your company? Be careful what you put in there!
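One way to make such a log tamper-evident, as an added example that is not code from Keith Brown's book: each entry carries an HMAC over its own fields and the previous entry's MAC, so editing or deleting an earlier entry breaks the chain. The JSON-style record layout, the field separator, the demo key and the three sample events are all constructed for this illustration.

```python
"""Tamper-evident, timestamped audit log (hash-chained and HMAC-sealed).

Added example, not code from Keith Brown's book: the record layout, the
field separator and the demo key are choices made for this illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stands in for "previous MAC" on the very first entry


def seal_entry(key: bytes, prev_mac: str, ts: str, actor: str, action: str) -> str:
    """MAC over the previous entry's MAC plus this entry's fields, so each
    entry vouches for everything written before it (a hash chain)."""
    msg = "\x1f".join([prev_mac, ts, actor, action]).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(log: List[dict], key: bytes, actor: str, action: str,
                 ts: Optional[str] = None) -> dict:
    """Append one timestamped, sealed event; ts may be supplied for reproducibility."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"ts": ts, "actor": actor, "action": action,
             "mac": seal_entry(key, prev, ts, actor, action)}
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes) -> int:
    """Return -1 if every entry and the chain are intact, otherwise the index of
    the first entry that fails (an edited entry, or the entry after a deletion)."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = seal_entry(key, prev, e["ts"], e["actor"], e["action"])
        if not hmac.compare_digest(expected, e["mac"]):
            return i
        prev = e["mac"]
    return -1


def demo() -> Tuple[int, int, int]:
    """Seal three constructed events, then show what an edit and a deletion do."""
    key = b"demo-only-key"  # constructed; in production keep it off the web server
    log: List[dict] = []
    append_event(log, key, "alice", "login", "2018-07-03T10:00:00+00:00")
    append_event(log, key, "alice", "export customers.csv", "2018-07-03T10:01:30+00:00")
    append_event(log, key, "alice", "logout", "2018-07-03T10:05:00+00:00")
    intact = verify_log(log, key)

    edited = json.loads(json.dumps(log))          # attacker rewrites history
    edited[1]["action"] = "viewed dashboard"
    edit_detected_at = verify_log(edited, key)

    cut = json.loads(json.dumps(log))             # attacker deletes an entry
    del cut[1]
    delete_detected_at = verify_log(cut, key)
    return intact, edit_detected_at, delete_detected_at


if __name__ == "__main__":
    print(demo())  # (-1, 1, 1)
```

Two caveats a practitioner will want: truncating the tail of the log is not detected unless the latest MAC is periodically copied somewhere the attacker cannot reach (a separate log server, or a signed checkpoint), and the key must not be readable by the process whose compromise you are logging, or the attacker simply re-seals the rewritten history.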

Desktop applications should be designed to conform to the Windows Logo guidelines, which ensure that they don't attempt to write to protected parts of the file system or registry. Programs that don't follow these guidelines break when users try to run them with least privilege (under normal, non-administrative user accounts). If you don't want your Mom browsing the web as an administrator, start writing programs that she can use as a normal user.

Lastly, this book explains .NET security on the Microsoft Windows platform: how to secure a Windows box and add security measures to the operating system. Topics covered include Kerberos authentication, access control, impersonation, network security, constrained delegation, protocol transition, securing Enterprise Services, secure Remoting and programming the Security Support Provider Interface (SSPI) in Visual Studio .NET 2005. Some of this article is excerpted from the book The .NET Developer's Guide to Windows Security, written by Keith Brown and published by Addison-Wesley / Pearson Education.

Linux Professional Institute Certification – 1 (LPIC-1) – Study Guide…

March 8, 2018

LPIC-1 - Sybex

Hey there again... Got this book, a PDF version, from the internet. This year I'm taking LPIC-1 as my short course and certification. It's a great book to read about Linux administration, and the certification is a must-have for system administrators and system engineers. The book covers topics such as managing Linux distributions, handling file systems in Linux, how to configure booting in Linux, configuring the X Window System, configuring basic networking, writing scripts, configuring email and managing databases, and lastly, securing your systems.

Linux shell use is fairly straightforward for anybody who's used a text-mode OS before: You type a command, possibly including options to it, and the computer executes the command. For the most part, Linux commands are external—that is, they're separate programs from the shell. A few commands are internal to the shell, though, and knowing the distinction can be important. You should also know some of the tricks that can make using the command shell easier—how to have the computer complete a long command or filename, retrieve a command you've recently run, or edit a command you've recently used (or haven't yet fully entered).

Red Hat developed RPM for its own distribution. Red Hat released the software under the General Public License (GPL), however, so others have been free to use it in their own distributions—and this is precisely what has happened. Some distributions, such as Mandriva (formerly Mandrake) and Yellow Dog, are based on Red Hat, so they use RPMs as well as many other parts of the Red Hat distribution. Others, such as SUSE, borrow less from the Red Hat template, but they do use RPMs. Of course, all Linux distributions share many common components, so even those that weren’t originally based on Red Hat are very similar to it in many ways other than their use of RPM packages. On the other hand, distributions that were originally based on Red Hat have diverged from it over time. As a result, the group of RPM using distributions shows substantial variability, but all of them are still Linux distributions that provide the same basic tools, such as the Linux kernel, common shells, an X server, and so on.

Yum originated with the fairly obscure Yellow Dog Linux distribution, but it’s since been adopted by Red Hat, CentOS, Fedora, and some other RPM-based distributions. Yum isn’t used by all RPM-based distributions, though; SUSE and Mandriva, to name just two, each use their own meta-packagers. Debian-based distributions generally employ the Advanced Package Tools (APT), as described later in “Using apt-get.” Nonetheless, because of the popularity of Red Hat, CentOS, and Fedora, knowing Yum can be valuable. The most basic way to use Yum is with the yum command, which has the following syntax:
yum [options] [command] [package…]

An interrupt request (IRQ), or interrupt, is a signal sent to the CPU instructing it to suspend its current activity and to handle some external event such as keyboard input. On the x86 platform, IRQs are numbered from 0 to 15. More modern computers, including x86-64 systems, provide more than these 16 interrupts. Some interrupts are reserved for specific purposes, such as the keyboard and the real-time clock; others have common uses (and are sometimes overused) but may be reassigned; and some are left available for extra devices that may be added to the system. Table 3.1 lists the IRQs and their common purposes in the x86 system. (On x86-64 systems, IRQs are typically assigned as in Table 3.1, but additional hardware may be assigned to higher IRQs.)

PATA disks once ruled the roost in the x86 PC world, but today SATA disks have largely supplanted them. Thus, you’re most likely to encounter PATA disks on older computers— say, from 2005 or earlier. PATA disks are still readily available, though. As the full name implies, PATA disks use a parallel interface, meaning that several bits of data are transferred over the cable at once. Thus, PATA cables are wide, supporting a total of either 40 or 80 lines, depending on the variety of PATA. You can connect up to two devices to each PATA connector on a motherboard or plug-in PATA controller, meaning that PATA cables typically have three connectors—one for the motherboard and two for disks.
PATA disks must be configured as masters or as slaves. This can be done via jumpers on the disks themselves. Typically, the master device sits at the end of the cable, and the slave device resides on the middle connector. All modern PATA disks also support an option called cable select. When set to this option, the drive attempts to configure itself automatically based on its position on the PATA cable. Thus, your easiest configuration is usually to set all PATA devices to use the cable-select option; you can then attach them to whatever position is convenient, and the drives should configure themselves.

Linux supports quite a few different filesystems, both Linux-native and those intended for other OSs. Some of the latter barely work under Linux, and even when they do work reliably, they usually don’t support all the features that Linux expects in its native filesystems. Thus, when preparing a Linux system, you’ll use one or more of its native filesystems for most or all partitions:
Ext2fs The Second Extended File System (ext2fs or ext2) is the traditional Linux-native filesystem. It was created for Linux and was the dominant Linux filesystem throughout the late 1990s. Ext2fs has a reputation as a reliable filesystem. It has since been eclipsed by other filesystems, but it still has its uses. In particular, ext2fs can be a good choice for a small /boot partition, if you choose to use one, and for small (sub-gigabyte) removable disks. On such small partitions, the size of the journal used by more advanced filesystems can be a real problem, so the non-journaling ext2fs is a better choice. (Journaling is described in more detail shortly.) The ext2 filesystem type code is ext2.

In conclusion, this is a great book to read for someone taking the LPIC-1 certification. LPIC-1 is an important certification when you are searching for an IT job in the market nowadays. Some of the article above is an excerpt from the book Linux Professional Institute Certification 1 (LPIC-1) Study Guide, written by Christine Bresnahan and Richard Blum.

Modern Operating Systems…

February 2, 2018

modern operating system

Got this book from the National Library (PNM) last month. This book tells us about operating system concepts: processes and threads, interprocess communication, scheduling, deadlocks, memory management, input/output, file systems, multimedia operating systems, multiprocessor systems, security, and Linux/Unix.

All the runnable software on the computer, sometimes including the operating system, is organized into a number of sequential processes, or just processes for short. A process is just an executing program, including the current values of the program counter, registers and variables. Conceptually, each process has its own virtual CPU. In reality, of course, the real CPU switches back and forth from process to process, but to understand the system it is much easier to think about a collection of processes running in pseudo-parallel than to try to keep track of how the CPU switches from program to program. This rapid switching back and forth is called multiprogramming.

To implement the process model, the operating system maintains a table (an array of structures) called the process table, with one entry per process. (Some authors call these entries process control blocks.) This entry contains information about the process state, its program counter, stack pointer, memory allocation, the status of its open files, its accounting and scheduling information, and everything else about the process that must be saved when the process is switched from the running state to the ready or blocked state, so that it can be restarted later as if it had never been stopped.

Now let us consider having the kernel know about and manage the threads. No run-time system is needed in each process, and there is no thread table in each process. Instead, the kernel has a thread table that keeps track of all the threads in the system. When a thread wants to create a new thread or destroy an existing thread, it makes a kernel call, which then does the creation or destruction by updating the kernel thread table.

The kernel's thread table holds each thread's registers, state, and other information. The information is the same as with user-level threads, but it is now in the kernel instead of in user space (inside the run-time system). This information is a subset of the information that traditional kernels maintain about each of their single-threaded processes, that is, the process state. In addition, the kernel also maintains the traditional process table to keep track of processes.

When the semaphore’s ability to count is not needed , a simplified version of the semaphore , called a mutex , is sometimes used. Mutexes are good only for managing mutual exclusion to some shared resource or piece of code. They are easy and efficient to implement , which makes them especially useful in thread packages that are implemented entirely in user space.

A mutex is a variable that can be in one of two states: unlocked or locked. Consequently, only 1 bit is required to represent it, but in practice an integer is often used, with 0 meaning unlocked and all other values meaning locked. Two procedures are used with mutexes. When a thread (or process) needs access to a critical region, it calls mutex_lock. If the mutex is currently unlocked (meaning that the critical region is available), the call succeeds and the calling thread is free to enter the critical region; otherwise the caller is blocked until the thread inside the region leaves it by calling mutex_unlock.
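The mutex described above, built as a binary semaphore and used to protect a non-atomic read-modify-write, as an added example that is not Tanenbaum's code. It assumes Python's threading.Semaphore(1) as the atomic primitive standing in for the hardware test-and-set; the mutex_lock/mutex_unlock names follow the text, and the shared counter is constructed for the demo.

```python
"""A mutex as a binary semaphore, with the mutex_lock/mutex_unlock procedures
the excerpt names. Added example, not Tanenbaum's code; threading.Semaphore(1)
is the atomic primitive standing in for the hardware test-and-set."""
import threading
from typing import Dict


class Mutex:
    """state: 0 = unlocked, non-zero = locked (the integer convention in the text)."""

    def __init__(self) -> None:
        self._sem = threading.Semaphore(1)  # count of 1: mutual exclusion only, no counting
        self.state = 0

    def mutex_lock(self) -> None:
        self._sem.acquire()  # blocks while another thread is inside the critical region
        self.state = 1

    def mutex_unlock(self) -> None:
        self.state = 0
        self._sem.release()

    def mutex_trylock(self) -> bool:
        """Non-blocking variant: False if the region is busy, True if we now hold it."""
        if self._sem.acquire(blocking=False):
            self.state = 1
            return True
        return False


def run_counter(threads: int, iters: int, use_mutex: bool) -> int:
    """Have `threads` threads each add `iters` to a shared counter using a
    non-atomic read-modify-write, guarded by the mutex if use_mutex is set."""
    m = Mutex()
    shared: Dict[str, int] = {"n": 0}

    def worker() -> None:
        for _ in range(iters):
            if use_mutex:
                m.mutex_lock()
            v = shared["n"]        # --- critical region: read ...
            v += 1                 #     ... modify ...
            shared["n"] = v        #     ... write ---
            if use_mutex:
                m.mutex_unlock()

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return shared["n"]


if __name__ == "__main__":
    print(run_counter(8, 20000, True))   # 160000 every time
    print(run_counter(8, 20000, False))  # may be lower: lost updates between read and write
```

Note that a semaphore has no notion of an owner: a mutex_unlock from a thread that never locked, or a second release, silently lets two threads into the region. Real mutex implementations check ownership for exactly that reason. The unguarded run may still come out correct on CPython because the interpreter lock makes the race narrow, which is why you never take a passing test as proof that shared state is safe.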

The best possible page replacement algorithm is easy to describe but impossible to implement. It goes like this. At the moment a page fault occurs, some set of pages is in memory. One of these pages will be referenced on the very next instruction (the page containing that instruction). Other pages may not be referenced until 10, 100, or perhaps 1000 instructions later. Each page can be labeled with the number of instructions that will be executed before that page is first referenced. The optimal algorithm evicts the page with the highest label, the one whose next use lies farthest in the future; it is unimplementable because at the time of the fault the operating system has no way of knowing when each page will next be referenced.
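The optimal algorithm simulated over a recorded reference string, where the future is known, as an added example that is not Tanenbaum's code. It goes slightly beyond the excerpt by running FIFO and LRU on the same string for comparison, and by including a second string on which FIFO gets worse when given more frames (Belady's anomaly). Both reference strings are constructed for the demo.

```python
"""Page replacement: the optimal algorithm (OPT, Belady's algorithm) from the
excerpt, beside FIFO and LRU for comparison. Added example, not Tanenbaum's
code; the two reference strings are constructed for the demo."""
from collections import OrderedDict
from typing import Dict, List


def opt_faults(refs: List[int], frames: int) -> int:
    """On a fault with all frames full, evict the page whose next reference lies
    farthest ahead (never referenced again counts as infinitely far). This needs
    the future reference string, which is why no real kernel can implement it."""
    memory: List[int] = []
    faults = 0
    for i, page in enumerate(refs):
        if page in memory:
            continue
        faults += 1
        if len(memory) < frames:
            memory.append(page)
            continue
        future = refs[i + 1:]

        def label(p: int) -> float:  # the "instructions until next use" label
            return future.index(p) if p in future else float("inf")

        victim = max(memory, key=label)
        memory[memory.index(victim)] = page
    return faults


def fifo_faults(refs: List[int], frames: int) -> int:
    """Evict the page that has been resident longest."""
    memory: List[int] = []
    faults = 0
    for page in refs:
        if page in memory:
            continue
        faults += 1
        if len(memory) == frames:
            memory.pop(0)
        memory.append(page)
    return faults


def lru_faults(refs: List[int], frames: int) -> int:
    """Evict the page unused for the longest time: an approximation of OPT
    that needs only the past."""
    memory: "OrderedDict[int, bool]" = OrderedDict()  # insertion order == recency
    faults = 0
    for page in refs:
        if page in memory:
            memory.move_to_end(page)
            continue
        faults += 1
        if len(memory) == frames:
            memory.popitem(last=False)
        memory[page] = True
    return faults


def compare(refs: List[int], frames: int) -> Dict[str, int]:
    return {"OPT": opt_faults(refs, frames),
            "FIFO": fifo_faults(refs, frames),
            "LRU": lru_faults(refs, frames)}


# Constructed reference strings (page numbers referenced in order).
REFS = [7, 0, 1, 2, 0, 3, 0, 4, 2, 3, 0, 3, 2, 1, 2, 0, 1, 7, 0, 1]
BELADY = [1, 2, 3, 4, 1, 2, 5, 1, 2, 3, 4, 5]

if __name__ == "__main__":
    print(compare(REFS, 3))                                  # {'OPT': 9, 'FIFO': 15, 'LRU': 12}
    print(fifo_faults(BELADY, 3), fifo_faults(BELADY, 4))   # 9 10: more frames, more faults
```

OPT's fault count is the lower bound a real algorithm is measured against: you run a program once to record its page references, then compare LRU or clock against OPT on that trace.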

P/S: Some of these articles are excerpts from the book Modern Operating Systems, second edition, published by Prentice Hall Inc. and written by Andrew S. Tanenbaum. It's a good book to read for students taking the subject Operating Systems.

Architecture , Programming and Applications of Advanced Microprocessors..

January 2, 2018

Happy New Year 2018... Hope this year will bring more income and profit for 2018. This new year I would like to post a review about microprocessors. Got this book from PNM (Perpustakaan Negara Malaysia) last year. This book tells us about the 8086, Pentium and Pentium Pro microprocessor architecture, how a microprocessor works in a circuit, and the architecture and programming concepts, using assembly language, of the advanced Intel microprocessor family from the 8086 to the Pentium Duo.

The book covers superscalar technology and the function of graphics coprocessor and video processor chips; interfacing chips are also illustrated with connection diagrams. The Intel 8086 is a 16-bit HMOS microprocessor implemented in n-channel silicon-gate technology. It is called a 16-bit microprocessor because its arithmetic logic unit, internal registers and most of its instructions are designed to operate on 16-bit binary words. It is a 40-pin IC built from about 29,000 transistors. It has 20 address lines, of which the low-order 16 are time-multiplexed with the 16-bit data bus (AD0-AD15). The four high-order address lines are also multiplexed: they carry the four high-order address bits and, later in the bus cycle, four status signals.

Parallel fetching of instructions by the BIU (Bus Interface Unit) and execution of instructions by the EU (Execution Unit) is known as pipelining. Pipelining is achieved by using more than one functional unit working simultaneously. While the execution unit is busy decoding or executing an instruction, the bus interface unit fetches the instruction bytes for the execution unit's next operation. These prefetched instruction bytes are stored in a first-in, first-out (FIFO) register set in the BIU, called the queue. Thus, while the current instruction is executing, the next instruction has already been fetched, and the execution unit takes it from the BIU's queue. The EU therefore needs negligible time to obtain an instruction, its idle time is reduced, and the microprocessor runs faster. Hence pipelining increases the processing speed of the microprocessor.

The interrupts of the Intel microprocessor family include two hardware pins, INTR and NMI. Another hardware pin, INTA, is used to acknowledge an interrupt requested through INTR. The microprocessor also includes the software interrupt instructions INT, INTO, INT3 and BOUND. The interrupt flag (IF) and trap flag (TF) are related to the interrupt structure. There are three sources of interrupts in the 8086:

1. Hardware interrupt: an interrupt caused by applying an external signal to either the non-maskable interrupt (NMI) input pin or the maskable interrupt (INTR) input pin is called a hardware interrupt. NMI cannot be disabled; INTR is ignored while IF is cleared.

2. Software interrupt: execution of an interrupt instruction (INT n, and also INTO, INT3 and BOUND) is known as a software interrupt.

3. Exception: an interrupt caused by an error condition produced in the 8086 by the execution of an instruction; the divide-by-zero interrupt (type 0) is such an interrupt.
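All three sources end up at the same place: the CPU multiplies the interrupt type by 4, reads CS:IP from the interrupt vector table at the bottom of memory, and jumps there. The decoder below, an added example that is not code from Ganguly's book, shows that lookup and the 20-bit address wraparound; the 1 KB memory image and every handler address in it are constructed for the demo.

```python
"""Decoding the 8086 interrupt vector table (IVT) to see where INT n, NMI or a
divide error transfers control. Added example, not from Ganguly's book; the
1 KB memory image and the handler addresses in it are constructed for the demo."""
import struct
from typing import Dict, Tuple

IVT_BASE = 0x00000      # the table occupies physical 0x00000-0x003FF
VECTOR_SIZE = 4         # each vector is IP (low word) then CS (high word), little-endian

# Vector types the 8086 assigns itself (the interrupt sources listed above).
PREDEFINED = {
    0: "divide error (error condition)",
    1: "single step (TF = 1)",
    2: "NMI (hardware pin)",
    3: "breakpoint (INT3)",
    4: "overflow (INTO)",
    5: "BOUND range exceeded",
}


def physical(cs: int, ip: int) -> int:
    """Segment:offset -> 20-bit physical address; the 8086 has only 20 address
    lines, so anything past 1 MB wraps around."""
    return ((cs << 4) + ip) & 0xFFFFF


def write_vector(mem: bytearray, n: int, cs: int, ip: int) -> None:
    struct.pack_into("<HH", mem, IVT_BASE + n * VECTOR_SIZE, ip, cs)


def read_vector(mem: bytearray, n: int) -> Tuple[int, int]:
    ip, cs = struct.unpack_from("<HH", mem, IVT_BASE + n * VECTOR_SIZE)
    return cs, ip


def dispatch(mem: bytearray, n: int) -> Dict[str, object]:
    """What the CPU does for interrupt type n (from INT n, the vector byte the
    controller supplies on INTA, NMI = type 2, or an exception): fetch CS:IP
    from the table and continue execution there."""
    if not 0 <= n <= 255:
        raise ValueError("8086 interrupt types are 0-255")
    cs, ip = read_vector(mem, n)
    return {"type": n, "cs": cs, "ip": ip, "target": physical(cs, ip),
            "name": PREDEFINED.get(n, "user-defined / INTR-supplied")}


def build_demo_ivt() -> bytearray:
    mem = bytearray(0x400)                      # 256 vectors x 4 bytes, all zero
    write_vector(mem, 0, 0xF000, 0x1234)        # divide-error handler at F000:1234
    write_vector(mem, 3, 0x0070, 0x0100)        # INT3 (breakpoint) handler
    write_vector(mem, 0x21, 0x1000, 0x0010)     # a software INT 21h handler
    write_vector(mem, 0x08, 0xFFFF, 0x0010)     # FFFF:0010 wraps to 00000
    return mem


if __name__ == "__main__":
    m = build_demo_ivt()
    for n in (0, 2, 3, 0x08, 0x21):
        print(dispatch(m, n))
```

On the 8086 the table is ordinary writable RAM, so any code that can store to low memory redirects a handler; that is the mechanism interrupt hooks (and the resident malware of that era) relied on, and one reason protected-mode successors moved to a descriptor table whose entries carry privilege checks.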

Lastly, it's quite a good book to read for those interested in microprocessor architecture. Lots of assembly language code here that programs the microprocessor, registers, buffers, ICs, controllers and so much more. Some of the article above is an excerpt from the book Architecture, Programming and Applications of Advanced Microprocessors, second edition, written by A.K. Ganguly and published by Alpha Science, copyright 2012.

Malaysia IT Fair 2017 – Midvalley Exhibition Centre – Megamall….

December 17, 2017

Malaysian IT Fair 2017 was held at the Midvalley Exhibition Centre, Megamall, from 15/12/2017 to 17/12/2017. I went to attend the Malaysian IT Fair 2017 yesterday at Midvalley Megamall. The journey from my house took about 45 minutes. Got stuck on the highway trying to reach Midvalley, and at last reached the Midvalley parking lot. The first booth that I entered was the Kaspersky booth. They presented me with the latest Kaspersky Anti-Virus 2018, Kaspersky Internet Security and Kaspersky Small Office Security. You got a promotional price if you bought Kaspersky Anti-Virus products at the Malaysian IT Fair 2017.

Then I went into the Exhibition Centre, and the first thing I saw was a gaming rig: an HP Omen with an AMD Ryzen 7 processor, 16GB RAM and 2 TB of hard disk space. I played Dirt 4 and was quite amazed with its performance; the processor is really fast and there was no lag when playing Dirt 4. It uses an AMD Ryzen 7 1800X 8-core processor at 3.6GHz/4.0GHz. The graphics card was an AMD Radeon RX 580 (4GB GDDR5 graphics memory).


Bitcoin mining using GPUs…

Then, after walking through several booths, I encountered a Bitcoin server at the Jayacom booth. It was a DIY Bitcoin mining system. The sales assistant explained to me about Ethereum package 02, a Bitcoin server that uses an Intel G4400 3.3GHz processor, a Biostar socket 1151 TB250-BTC motherboard, G.Skill 8GB Aegis Series DDR4 2400MHz memory, and a Galaxy Gamer SSD L 120GB 2.5" SSD. It uses a Bitcoin 1600W power supply. The price is RM11,729.00, compared to Ethereum package 03 at RM12,229.00. For a Bitcoin server, he suggested I buy an Antminer S9, a power supply for the Bitcoin server that uses 11.60-13.0V, priced at RM16,900.00.

Some booths at the Malaysian IT Fair 2017

At the MSI booth: a gaming rig plus an MSI LCD monitor

Quite an interesting gaming rig.

At the Logitech booth...

Me at the Kaspersky booth. The event was co-sponsored by Kaspersky.

Quite a cool PC from Illegear.

Me at the Kaspersky booth. Grab Kaspersky Anti-Virus 2017, Kaspersky Internet Security for PC and mobile devices, and Kaspersky Small Office Security at a promotional price, ending today. Stand to win prizes for buying Kaspersky products, and you can get a redemption for them. You can also get many computer accessories, IT networking products and external hard drives at a low price, and many other IT gadgets. Companies that had booths here were Lenovo, HP, MSI, Asus ROG, Logitech, Microsoft, Western Digital and lots more.

Lastly, hope to see the Malaysian IT Fair again next year in 2018; hope next year will bring more IT companies with better products and services. This year was quite smooth, and the prices for gaming PCs, notebooks and IT gadgets were quite reasonable. Till then, happy gaming!


Illustrated C# 2008 …..

November 29, 2017

Got this book from the National Library (PNM) on 11/11/2017. The book tells us how to program in the C# language; by the end you'll have a thorough working knowledge of all aspects of the C# language, whether you're a novice programmer or a seasoned veteran of other languages. The chapters in this book cover types, storage and variables, classes, methods, classes and inheritance, expressions and operators, statements, namespaces and assemblies, exceptions, structs and much more. Illustrations alone, however, are not sufficient to explain a programming language and platform. The goal of this book is to find the best combination of words and illustrations to give you a thorough understanding of the language, and to allow the book to serve as a reference resource as well.

The compiler for a .NET language takes a source code file and produces an output file called an assembly. An assembly is either an executable or a DLL. The process is illustrated here. The code in an assembly is not native machine code but an intermediate language called the Common Intermediate Language (CIL), which the runtime's JIT compiler turns into native code when the program runs. An assembly, among other things, contains the following items:

1. The program’s CIL

2. Metadata about types used in the program.

3. Metadata about references to other assemblies.

The acronym for the intermediate language has changed over time , and different references use different terms. Two other terms for the CIL that you might encounter are IL ( Intermediate Language ) and MSIL ( Microsoft Intermediate Language ) , which was used during initial development and early documentation.

Some types, such as short, int and long, are called simple types and can store only a single data item. Other types can store multiple data items. An array, for example, is a type that can store multiple items of the same type; the individual items are called elements and are referenced by a number, called an index. Other types, however, can contain data items of many different types. The individual elements of these types are called members, and, unlike array elements, which are referenced by a number, members have distinct names. There are two kinds of members: data members and function members.

1. Data members store data that is relevant to the object of the class or the class itself.

2. Function members execute code. Function members define how the type can act.

A method is a named block of executable code that can be executed from many different parts of the program, and even from other programs. (There are also anonymous methods, which aren't named.) When a method is called, or invoked, it executes its code and then returns to the code that called it. Some methods return a value to the position from which they were called. Methods correspond to member functions in C++. The minimum syntax for declaring a method includes the following components:

1. Return type: this states the type of value the method returns. If a method does not return a value, the return type is specified as void.

2. Name : This is the name of the method.

3. Parameter list: this consists of at least an empty set of matching parentheses. If there are parameters, they are listed between the parentheses.

4. Method body: this consists of a matching set of curly braces containing the executable code.

Some of these articles are excerpts from the book Illustrated C# 2008, written by Daniel Solis and published by Apress.

Database Systems.

Received and read this book on 11/11/2017; got it from the National Library (PNM). The book discusses database systems and their use in our daily activities. The important element in discussing databases is to explain data. Data and information are the basic elements contributing to the process of decision-making. As today's society relies so much on information, data will be utilized and generated at all times. Before taking a step further, it is good to differentiate the terms data and information, although occasionally both are used to refer to a similar item.

In the client-server architecture, the database and DBMS are stored on a computer known as a server. Server computers usually possess higher processing capability; the server acts as the back end and connects to client computers, which act as the front end in a local area network, as depicted. This design is able to reduce costs, as we can use workstations or personal computers as clients and as the server. Besides sharing the database, client-server architecture allows sharing of other resources such as printers, scanners, data storage equipment and others. Requests for database usage are made by the client, while the server provides database management and communication services. Client-server architecture is suitable for small and medium working groups, such as a library database system, a student fee payment system, and a supermarket's sales and inventory system.

Two main objectives in creating a database are to achieve a high level of data independence and a high level of data abstraction. Specifically, data independence means that changes in storage structure and data access techniques do not affect application programs. This condition can be achieved because the database does not only keep user data, but also a data dictionary that includes information on the structure of the data in the database. It means that information about data organisation and its access techniques need not be coded in application programs, as is done in a file processing system.

Data independence is important to database system because of two main factors:

1. The need for different user views of the same set of data. If data independence does not exist, we cannot provide different views of the same data.

2. A very dynamic database. Data and application programs expand with the increase of user requirements. Just imagine, if there were no data independence, programmers would spend so much time writing and changing program code whenever additional data requirements or changes to the storage structure occur.

Data abstraction can be achieved as a result of data independence. Thus, users are not burdened with the database's physical structure, but only need to focus on the abstract data views that they require. It also suits the different views needed by different categories of users when the database is shared by many. Data abstraction is supported by the three-level architecture introduced by ANSI-SPARC in 1975, which has become fundamental to the architecture of several database systems today.

The internal level describes the data structures and file organisations that enable data to be physically stored on storage devices. The internal level interfaces with the operating system's access methods in order to establish indexes and data storage mechanisms. Below the internal level there is a physical level controlled by the operating system; some DBMSs make full use of the operating system's access method facilities, while other DBMSs use their own file organisation.

The internal schema, written in a DDL (data definition language), states the metadata of the internal level. It holds information such as:

1. Data structure used

2. Data representation

3. Records sequence

4. Space and storage allocation for data and indexes.

Finally, this is a good book to read on the subject of database systems. It was written in the spirit of helping students learn database management systems in a guided manner based on real-life examples. Some of the articles are excerpted from the book Database Systems, written by Prof. Dr. Abdullah Embong, printed in 2010 and published by University Malaysia Pahang.

SQL and Relational Theory….How to write accurate SQL code…..

October 11, 2017

Got this book from the National Library last month. It introduces SQL and relational theory: its origins and the terms used in SQL statements. And another point on terminology: having said that SQL tries to simplify one set of terms, I must say too that it does its best to complicate another. I refer to its use of the terms operator, function, procedure, routine and method, all of which denote essentially the same thing (with perhaps very minor differences). In this book I'll use the term operator throughout; thus, for example, I'll refer to "=" (equality comparison), ":=" (assignment), "+" (addition), DISTINCT, JOIN, SUM, GROUP BY (etc.) all as operators specifically.

The point about principles is: they endure. By contrast, products and technologies (and the SQL language, come to that) change all the time, but principles don't. For example, suppose you know Oracle; in fact, suppose you're an expert on Oracle. But if Oracle is all you know, then your knowledge is not necessarily transferable to, say, a DB2 or SQL Server environment (it might even make it harder to make progress in that new environment). But if you know the underlying principles, in other words, if you know the relational model, then you have knowledge and skills that will be transferable: knowledge and skills that you'll be able to apply in every environment and that will never be obsolete.

An integrity constraint (constraint for short) is basically just a boolean expression that must evaluate to TRUE. In the case of departments and employees, for example, we might have a constraint to the effect that SALARY values must be greater than zero. Now, any given database will be subject to numerous constraints; however, all of those constraints will necessarily be specific to that database and will thus be expressed in terms of the relations in that database. By contrast, the relational model as originally formulated includes two generic constraints, generic in the sense that they apply to every database, loosely speaking. One has to do with primary keys and the other with foreign keys. Here they are:

1. The entity integrity rule: primary key attributes don't permit nulls.

2. The referential integrity rule: there mustn't be any unmatched foreign key values.
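The two generic rules and the database-specific SALARY constraint, enforced by a real DBMS, as an added example that is not code from Date's book. It uses Python's built-in sqlite3 with a constructed departments/employees schema, and deliberately shows two SQLite-specific traps: foreign keys are not enforced unless you switch them on, and a non-INTEGER PRIMARY KEY column accepts NULL unless you also spell out NOT NULL.

```python
"""Entity and referential integrity enforced by a DBMS, beside a database-specific
constraint (SALARY > 0). Added example, not from Date's book; it uses Python's
built-in sqlite3 with a constructed departments/employees schema."""
import sqlite3
from typing import Dict, Optional


def open_db(enforce_fk: bool = True) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    if enforce_fk:
        con.execute("PRAGMA foreign_keys = ON")  # off by default in SQLite!
    con.executescript("""
        CREATE TABLE dept (
            dno   TEXT PRIMARY KEY NOT NULL,   -- explicit NOT NULL: see sqlite_pk_null_quirk()
            dname TEXT NOT NULL
        );
        CREATE TABLE emp (
            eno    TEXT PRIMARY KEY NOT NULL,
            dno    TEXT NOT NULL REFERENCES dept(dno),  -- referential integrity
            salary INTEGER NOT NULL CHECK (salary > 0)  -- database-specific constraint
        );
        INSERT INTO dept VALUES ('D1', 'Marketing');
    """)
    return con


def attempt(con: sqlite3.Connection, sql: str, params: tuple = ()) -> Optional[str]:
    """Run one statement; return None if the DBMS accepted it, else the
    constraint-violation message it rejected it with."""
    try:
        con.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def demo() -> Dict[str, Optional[str]]:
    con = open_db()
    ins = "INSERT INTO emp (eno, dno, salary) VALUES (?, ?, ?)"
    return {
        "null_pk":       attempt(con, ins, (None, "D1", 100)),   # entity integrity
        "unmatched_fk":  attempt(con, ins, ("E1", "D9", 100)),   # referential integrity
        "bad_salary":    attempt(con, ins, ("E1", "D1", 0)),     # SALARY > 0
        "ok":            attempt(con, ins, ("E1", "D1", 100)),
        "orphan_parent": attempt(con, "DELETE FROM dept WHERE dno = 'D1'"),  # E1 still refers to D1
        "fk_unenforced": attempt(open_db(enforce_fk=False), ins, ("E2", "D9", 100)),
    }


def sqlite_pk_null_quirk() -> bool:
    """True if this SQLite accepts NULL in a non-INTEGER PRIMARY KEY column that
    lacks NOT NULL (it does, for historical compatibility), i.e. the entity
    integrity rule is not enforced unless you spell NOT NULL out."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (k TEXT PRIMARY KEY)")
    return attempt(con, "INSERT INTO t (k) VALUES (NULL)") is None


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome or 'accepted'}")
    print("NULL accepted in bare PRIMARY KEY:", sqlite_pk_null_quirk())
```

Note that emp.dno is declared NOT NULL on purpose: in SQL a NULL foreign key is not "unmatched", it simply escapes the referential check, which is one of the reasons the book argues against nulls. Whether the DBMS enforces each rule, and under which settings, is something to verify per product rather than assume from the schema.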

The logical difference between relations and relvars is actually a special case of the logical difference between values and variables in general, and I'd like to take a few moments to look at the more general case. Here then are some definitions:

Definition: A value is what the logicians call an "individual constant," such as the integer 3. A value has no location in time or space. However, values can be represented in memory by means of some encoding, and those representations or encodings do have location in time and space. Indeed, distinct representations of the same value can appear at any number of distinct locations in time and space, meaning, loosely, that any number of different variables (see the next definition) can have the same value, at the same time or at different times. Observe in particular that, by definition, a value can't be updated; for if it could, then after such an update it wouldn't be that value any longer.

Definition: A variable is a holder for a representation of a value. A variable does have location in time and space. Also, variables, unlike values, can be updated; that is, the current value of the variable can be replaced by another value. (After all, that's what "variable" means: to be variable is to be updatable, and to be updatable is to be a variable; equivalently, to be a variable is to be assignable to, and to be assignable to is to be a variable.)

In conclusion, this second edition includes new material on recursive queries, "missing information" without nulls, new update operators, and topics such as aggregate operators, grouping and ungrouping, and view updating. If you have a modest-to-advanced background in SQL, you'll learn how to deal with a host of common SQL dilemmas. Some of the excerpts above are taken from the book SQL and Relational Theory: How to Write Accurate SQL Code, second edition, written by C.J. Date and published by O'Reilly Media, Inc., 2011.

Beginning ASP.NET Security.

I previously got this book from the National Library (PNM). It covers what is distinctive about ASP.NET security: how web pages are designed with security considerations in mind, using the ASP language and web pages, how to use forms and fields in a web page, user authentication using a login name and password, and much more. When debugging web applications, or trying to understand the underlying mechanisms an application uses, it is often useful to capture HTTP requests and responses. This section introduces you to one such useful debugging tool, Fiddler, and how you can use it to hand-craft HTTP requests. Like a lot of tools with legitimate uses, tools such as Fiddler can be used by an attacker to send fake requests to a website in an attempt to compromise it.

The mitigation technique for XSS is as follows: you, the developer, must examine and constrain all input (be it from the user, a database, an XML file, or other source) and encode it for output. Even with request validation, it is your responsibility to encode all output before writing it to a page.

Encoding output consists of taking an input string, examining each character in the string, and converting the characters from one format to another. For example, taking the string <hello> and encoding it in a form suitable for HTML output (HTML encoding) would consist of replacing the < with &lt; and the > with &gt;, resulting in a safe output of &lt;hello&gt;.
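The encoding step just described, as an added example that is not code from the book: a hand-written HTML encoder for element content, compared with .NET's WebUtility.HtmlEncode (in a real application you would call the framework's or the Anti-XSS library's encoder rather than your own). The sample inputs are constructed.

```csharp
// Added example, not code from the book: a minimal HTML output encoder of the
// kind described above, compared with the framework's WebUtility.HtmlEncode.
using System;
using System.Net;
using System.Text;

static class OutputEncoding
{
    // Encode a value for placement inside HTML element content: each character
    // the HTML parser treats as markup is replaced by a character entity, so the
    // browser renders it as text instead of interpreting it.
    public static string HtmlEncode(string input)
    {
        if (input == null) return null;
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                case '<':  sb.Append("&lt;");   break;
                case '>':  sb.Append("&gt;");   break;
                case '&':  sb.Append("&amp;");  break;
                case '"':  sb.Append("&quot;"); break;
                case '\'': sb.Append("&#39;");  break;
                default:   sb.Append(c);        break;
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample inputs: the page's "<hello>" plus values carrying
        // the other characters that matter inside element content or attributes.
        string[] samples = { "<hello>", "Tom & \"Jerry\"", "it's <b>bold</b>" };
        foreach (string s in samples)
        {
            string once = HtmlEncode(s);
            Console.WriteLine("{0,-20} -> {1}", s, once);
            Console.WriteLine("{0,-20}    matches WebUtility: {1}", "",
                              once == WebUtility.HtmlEncode(s));
            // Encoding is applied at output time, exactly once: running it again
            // over already-encoded text turns &lt; into &amp;lt; and corrupts the page.
            Console.WriteLine("{0,-20}    encoded twice: {1}", "", HtmlEncode(once));
        }
    }
}
```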

The Anti-XSS library also includes the Security Run-time Engine (SRE), an HTTP module that protects your ASP.NET application by using the Anti-XSS library to automatically and proactively encode data. It works by analyzing your web application and inspecting each ASP.NET web control, or controls derived from them. The module can be configured via antixssmodule.config to specify which encoding is applied to a control's property.

All ASP.NET validation controls are normal ASP.NET controls that also implement the IValidator interface, as shown here:

public interface IValidator
{
    void Validate();                    // runs the control's validation logic
    string ErrorMessage { get; set; }   // message reported when validation fails
    bool IsValid { get; set; }          // outcome of the last call to Validate()
}

As you can see, the IValidator interface defines two properties (ErrorMessage and IsValid) and a single method (Validate). When a validation control is placed on a page, it adds itself to the page's Validators collection. The Page class provides a Validate method that runs through this collection: each control performs whatever validation logic has been written, and then sets its IsValid and ErrorMessage properties. A further property on the validation control attaches the validation to the input control you wish to validate.

ASP.NET controls that trigger a postback have a CausesValidation property. When set to true, a postback will cause the page's Validate method to be called before any of the control's event handlers run. Some controls (such as Button) will have a default CausesValidation value of true; others (generally those that do not automatically trigger a postback) do not.
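The validation flow described in the last two paragraphs, as an added example that is not the book's or ASP.NET's code: a stand-alone model in which a validator registers itself in a page's Validators collection, Page.Validate runs each one, and a postback from a control with CausesValidation set runs validation before the event handler. MiniPage and RequiredValidator are hypothetical names; IValidator is the interface shown above.

```csharp
// Added example (not from the book or ASP.NET): MiniPage and RequiredValidator
// are hypothetical stand-ins; IValidator is the interface from the text.
using System;
using System.Collections.Generic;
using System.Linq;

public interface IValidator
{
    void Validate();
    string ErrorMessage { get; set; }
    bool IsValid { get; set; }
}
// Adds itself to the page's Validators collection on creation; checks for a non-blank value.
public class RequiredValidator : IValidator
{
    private readonly Func<string> _input;   // the input control being validated
    public string ErrorMessage { get; set; }
    public bool IsValid { get; set; } = true;
    public RequiredValidator(MiniPage page, string message, Func<string> input)
    {
        _input = input; ErrorMessage = message; page.Validators.Add(this);
    }
    public void Validate() { IsValid = !string.IsNullOrWhiteSpace(_input()); }
}
public class MiniPage
{
    public List<IValidator> Validators { get; } = new List<IValidator>();
    public bool IsValid { get { return Validators.All(v => v.IsValid); } }
    // Runs every registered validator, as Page.Validate does.
    public void Validate() { foreach (var v in Validators) v.Validate(); }
    // Models a postback raised by a control: validation runs before the event handler
    // only when CausesValidation is true, and the handler must still check IsValid.
    public void RaisePostBack(bool causesValidation, Action handler)
    {
        if (causesValidation) Validate();
        handler();
    }
}
static class Demo
{
    static void Main()
    {
        var page = new MiniPage();
        string name = "   ";   // constructed posted value: blank
        new RequiredValidator(page, "Name is required.", () => name);
        page.RaisePostBack(true, () => Console.WriteLine(page.IsValid ? "Saved " + name
            : "Rejected: " + string.Join("; ", page.Validators.Where(v => !v.IsValid).Select(v => v.ErrorMessage))));
    }
}
```

With the blank value the handler prints the rejection message; a control whose CausesValidation is false would reach the handler with IsValid still true, which is why the handler's own check matters.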

When you were testing the CSRF protection module you wrote, you may have tested it on a page that raises postbacks. You may have noticed another hidden form field, __EVENTVALIDATION. A common interface design for web applications is to show or hide various parts of a web page based on who a user is and what that user can do. For example, users in an administrative role may see extra buttons and text on a page (such as "Delete comment" or "Modify price").

This is generally implemented by including every possible control on a page, and hiding or disabling them at run-time as the page loads using the role membership provider that ASP.NET provides, as shown here:

// hide the administrative panel from users outside the siteadmin role
if (!User.IsInRole("siteadmin"))
    adminPanel.Visible = false;

When a control is hidden, the HTML it would generate is no longer included in the HTML output for the page. When a control is disabled, then, typically, the HTML enabled attribute is set to false when the control's HTML is rendered.

Lastly, this book explores issues with user input, including validation, cross-site scripting (XSS) and cross-site request forgery (CSRF), and examines methods for authenticating and authorizing users, including ASP.NET membership providers and preventing cookie theft. The book also presents security with the Microsoft ASP.NET AJAX framework and Silverlight, and includes an overview of security with the Microsoft MVC framework. Some of the article above is excerpted from the book Beginning ASP.NET Security, written by Barry Dorrans and published by John Wiley & Sons, 2010.