ASP.NET Web security

Coming live from DevDays in Newark (really Secaucus), NJ:

 

The web security session explained the various authentication mechanisms inherent to IIS, as well as some of the various choices for access permissions.  Hardware vs. software and basic hack attempts were shown.  My favorite dumb exploit has got to be storing a price in a hidden field (in the context of an online ordering system)... people take advantage of this system weakness by changing the price and getting goods way below the legitimate costs. 

The discussion was beginner/ slight intermediate (today, we learn that asp.net page requests are in the ASP.NET process in task manager, and can be killed from there...)  On the deeper level, IIS 6's page request path, and the basics of application pooling were shown. All requests are piped through http.snd pointed to the appropriate isapi filter within the app pool.

Details on how to configure the ASP.NET worker process, and the asp.net service under IIS 6 were discussed more in depth.

No Comments