Welcome to Michael's Blog

All posts tagged with label Security


Silverlight 2 beta 1 and Socket Exception: Access Denied

Playing around with the sockets [1] in Silverlight 2 beta 1 [2] I found out that it works fine on my local host. When publishing my sample to a real Web server (I mean a Web server that is reachable on the Internet with a domain) I always got a socket exception saying that access is denied [3]. I looked around to see if I could find any help on that. I thought that there might be a restriction in the defaults of Silverlight and that I could find somewhere a configuration similar to the .NET zones configuration, but I didn't.

Posted by Michael Schwarz on Sunday, March 9, 2008

Maybe Socket Bug in Policy Code in Silverlight 2 beta 1

In my last post [1] I wrote about how you can use sockets in Silverlight 2 beta 1 [1]. Well, when publishing my application to an Internet domain the code didn't work. I always get a socket exception: error code 10013, access denied. I have put an example online at http://frankfurt.schwarz-interactive.de:4510/test.aspx [2].

Posted by Michael Schwarz on Saturday, March 8, 2008

Silverlight 2 and System.Net.Sockets.Socket

The new beta of Silverlight 2 [1] introduces Sockets. The security model enforced by the System.Net.Sockets namespace in Silverlight 2 allows for a connection only back to the site or host of origin. So Silverlight 2 applications will be allowed to connect only to the host from which they were downloaded.

Posted by Michael Schwarz on Friday, March 7, 2008

ASP.NET AJAX Roles and Security

David Barkol [1] writes on his blog about the ASP.NET AJAX Role Application Service with Visual Studio 2008 (Orcas) [2]. Well, it is a new service that works similarly to the profile [3] and authentication [4] services. As it is very easy to call it from client-side JavaScript code, you should be a little bit more careful when using these new methods.

Posted by Michael Schwarz on Monday, July 30, 2007

Authentication and Session

In my current project I'm using my own User object that I store in the HttpContext.Session to have personalized data available without connecting to the database on each AJAX method call / page refresh. If the session ends because of a timeout, a Web server reset/crash or an application pool recycle, this data is not available any more and I have to read it all again and store it in the session.

Posted by Michael Schwarz on Monday, July 30, 2007

webinale 07

I will be available for Microsoft Silverlight discussions at the webinale 07 [1] conference in Ludwigsburg/Stuttgart to talk and discuss about the latest version of Silverlight presented at Mix07 in Las Vegas. Of course, you can talk with me about Ajax.NET Professional, too.

Posted by Michael Schwarz on Saturday, April 28, 2007

Looking Forward to next AjaxPro Release

Some developers mentioned that it would be nice if Ajax.NET Professional [1] could be more JSON compliant for use with some JavaScript frameworks that do not use the eval statement. And, if you have a look at json.org [2], a JSON message always has to be an object or an array, not a string or boolean directly. Well, I absolutely see the need for these changes and I have done this already in a beta version which I will provide this evening.

Posted by Michael Schwarz on Friday, April 13, 2007

Trackbacks, Who Is Linking You and where you should pay attention

Today I opened the Turkish version of Google [1] and did a search for something I cannot remember. The thing was that I didn't hit enter; instead I clicked on the button Google'da Ara. What I noticed then was that the ' was not correctly URL-encoded. Hm, nothing you have to care about. But after clicking on a link to a blog from the search results I found the same wrongly URL-encoded URL in the "who is linking me" section. While reading the page I had the idea to do some more testing with the apostrophe (or a quote).

Posted by Michael Schwarz on Wednesday, April 11, 2007

JSON Hijacking and How Ajax.NET Professional (AjaxPro) Avoids these Attacks

There are a couple of web sites reporting about security issues that hackers can use to invoke AJAX methods or use the JSON output to get data from other web applications. Specifically, these attacks use HTTP GET requests invoked via an HTML <script src=""> include element to circumvent the "same origin policy" enforced by browsers (which limits JavaScript objects like XmlHttpRequest to only calling URLs on the same domain that the page was loaded from), and then look for ways to exploit the JSON payload content. Using HTTP POST only works from within the same domain, which does not mean this is not a dangerous security issue on web sites where different users can access data (e.g. spaces.live.com, blogger.com, ...); there it is very easy to send an HTTP POST with the XmlHttpRequest object within the same domain (see the Google XSS bug [1]).

Posted by Michael Schwarz on Saturday, April 7, 2007

Are we ready for AJAX?

Today I watched the webcast How Hackers Reverse Engineer and Exploit an Ajax Application [1]. There wasn't any security issue we, as AJAX or web application developers, should not already know about. The samples showed how the AutoComplete.asmx web service (using ASP.NET AJAX [2]) on a demo web application was hacked using SQL injection.

Posted by Michael Schwarz on Thursday, January 25, 2007

How to surf the Internet more safely

In the past you may have heard about more and more security bugs on well-known web sites that you may use several times a day. Below are some tips you should keep in mind when browsing:

Posted by Michael Schwarz on Tuesday, January 16, 2007

Pending Members - Google Groups XSS Bug [Part 1]

During the weekend I found a script error on the Google pending members web page. Because I was using the new Google Groups beta interface I didn't look into it. But today the script error still occurs and I noticed the same error on the older version, too. I had a look inside the generated HTML output and found that there was a script tag that was not closed; ah, it was a membership request message.

Posted by Michael Schwarz on Monday, December 4, 2006

The top 10 mistakes when using AJAX

In the last months I have found more and more web sites that make heavy use of AJAX to be on the Web 2.0 train, but a lot of them are very strange because they are slower than before, you get more errors and sometimes nothing works at all (e.g. when running on a mobile device). Here are my top 10 mistakes when using AJAX (regardless of which framework you want to use):

Posted by Michael Schwarz on Monday, November 20, 2006

Avoid using Impersonation in ASP.NET

Scott Hanselman [1] is writing on his blog [2]:

Posted by Michael Schwarz on Tuesday, October 24, 2006

IE7 and no native XMLHttpRequest support

This weekend I had a deep look at the native XMLHttpRequest support in the new Internet Explorer version 7, which is still in beta. If you do a Google search for "native xmlhttp support ie" [1] you will read that everyone is happy with this native support. Yes, it is the first step to having XMLHttpRequest on every PC. Ajax developers have changed their JavaScript source code to support this new object; this is great!

Posted by Michael Schwarz on Monday, July 3, 2006

Ajax.NET Professional with new Converters

I put the new version online; download the latest DLL at http://www.ajaxpro.info/ [1]. A lot of performance changes have been made, and the lib now works perfectly with the script.aculo.us effects. A not yet finished, updated version of the Starter Kit is online, see http://munich.schwarz-interactive.de/ [2]. See the changes here:

Posted by Michael Schwarz on Friday, June 2, 2006

Security and Ajax.NET Professional

I have written a short example about how to use Web Forms security with Ajax.NET Professional. The example (C# and VB.NET) is included in the latest version available at http://www.ajaxpro.info/ [1]. Discuss the security.aspx example at Google Groups [2]. (Update: there are about 2.500 members reading and writing posts!!!)

Posted by Michael Schwarz on Friday, May 12, 2006