BeyondCorp proxy possibilities on AWS, Google Cloud, Azure

It appears there’s now another tool in the arsenal for those looking at implementing a BeyondCorp-style security model, with the arrival of OIDC authentication support in AWS’s Application Load Balancer. It adds to a growing list of possibilities, at least for HTTP-based services. Who needs VPN anyway? The options I’m aware of now include: Bitly’s oAuth2 proxy – a simple…

Not ready to #DeleteFacebook? Here’s some baby steps…

I admit it. I still haven’t taken the plunge to #DeleteFacebook. I can’t remember the last time I posted anything on it, but friends still invite me to events and send me messages via Messenger. Likewise, I haven’t brought myself to using a VPN as standard, or Tor for that matter! That said, here are some things you might like to try,…

SSL Termination and Secure Cookies/requireSSL with ASP.NET Forms Authentication

If you’re running an HTTPS-only web application, then you probably have requireSSL set to true in your web.config like so: `<httpCookies requireSSL="true" httpOnlyCookies="true" />` With requireSSL set, any cookies ASP.NET sends with the HTTP response – in particular, the forms authentication cookies – will have the “secure” flag set. This ensures that they will only be sent to your website when…

Get ASP.NET auth cookie using PowerShell (when using AntiForgeryToken)

At FundApps we run a regular SkipFish scan against our application as one of our tools for monitoring for security vulnerabilities. In order for it to test beyond our login page, we need to provide a valid .ASPXAUTH cookie (you’ve renamed it, right?) to the tool. Because we want to prevent cross-site request forgery against our login pages, we’re using…

Forms Authentication loginUrl ignored

I hit this issue a while back, and someone else just tripped up on it, so I thought it was worth posting here. If you’ve got loginUrl set in your Forms Authentication configuration in web.config, but your ASP.NET Forms or MVC app has suddenly started redirecting to ~/Account/Login for no apparent reason, then the new simpleMembership(ish) provider is getting in the…

Achieving an A+ grading at Qualys SSL Labs (Forward Secrecy in IIS)

At FundApps we love the SSL Labs tool from Qualys for checking best practice on our SSL implementations. They recently announced a bunch of changes introducing stricter security requirements for 2014, and a new A+ grade – so I was curious what it would take to achieve the new A+ grading. There are a few things now required to achieve…

Windows IE exploit found after source code leak

I must admit this happened much quicker than I thought it would: see these articles on the Register and Security Tracker – apparently an exploit for a buffer overrun problem in IE *5* has already been released – supposedly discovered by reading the leaked Windows source code. I’m curious as to whether this source code leak will be a…