Archive for July, 2007

Serialization

Jul 29

I got a little sidetracked with a problem due to an assumption. What I am doing is returning a proxy to an object to my client, and I started to think about what would happen across my serialization boundary.

I assumed that the serializer would access all the properties and send their values across the wire to be reconstituted on the other side. Well, I was wrong. What serialization actually does is serialize all the private fields, move those across the wire, and then repopulate all the fields on the other side (via reflection). This is obvious in hindsight: if it accessed the properties, and a get/set accessor modified data in some way upon access (usually a bad code practice, I know), then the act of serializing and deserializing an object would actually change values.

So for those who always wanted to know… serialization just takes the fields and serializes those (if a field holds an object it serializes the child object as well) and then reconstitutes it on the other side.
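To see this for yourself, here is an added example (not code from the original post) using the .NET 2.0-era BinaryFormatter, which is the field-copying serializer described above (it is deprecated in modern .NET). The Account class, its static GetterCalls counter and the [OnDeserialized] check are constructed for the demonstration. The property getters have a visible side effect; if the formatter read the properties, the counter would move during Serialize(). It does not, which is also why any validation living in a setter is never run on the receiving side, so invariants are re-checked in a deserialization callback instead.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public class Account
{
    // Static, so it is not part of the instance state that gets serialized.
    public static int GetterCalls = 0;

    private string owner;
    private int balance;

    public Account(string owner, int balance)
    {
        this.owner = owner;
        this.balance = balance;
    }

    // Accessors with a side effect: if the formatter went through these,
    // GetterCalls would change during Serialize().
    public string Owner { get { GetterCalls++; return owner; } }
    public int Balance { get { GetterCalls++; return balance; } }

    // Fields are restored by reflection, so validation in setters is bypassed.
    // Re-check invariants here, after the fields have been populated from the stream.
    [OnDeserialized]
    private void Validate(StreamingContext context)
    {
        if (balance < 0 || string.IsNullOrEmpty(owner))
            throw new SerializationException("invalid Account state in stream");
    }
}

public static class SerializationDemo
{
    // Serialize to memory and read the object back, as it would arrive on the other side.
    public static Account RoundTrip(Account original)
    {
        BinaryFormatter formatter = new BinaryFormatter();
        using (MemoryStream stream = new MemoryStream())
        {
            formatter.Serialize(stream, original);
            stream.Position = 0;
            return (Account)formatter.Deserialize(stream);
        }
    }

    public static void Main()
    {
        Account original = new Account("alice", 100);
        Account copy = RoundTrip(original);

        // Printed first, before any getter below is touched: no property ran during the round trip.
        Console.WriteLine("getter calls during round trip: " + Account.GetterCalls);
        Console.WriteLine("copy: " + copy.Owner + ", " + copy.Balance);
    }
}
```

The security-relevant consequence is the callback: a stream from an untrusted sender can carry any field values the class has, regardless of what the constructors or setters would have allowed, so the object has to re-validate itself once the fields are in place.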

Filed Under: General

Thanks!

Jul 14

I recently had the pleasure of speaking to the e-commerce class at DevStudios about input validation and hashing. It was a fun talk and I love the interactivity you get when talking to a smaller audience. Thanks guys!

Filed Under: Speaking

.NET 1.1 & 2.0 Security Hole

Jul 11

An interesting bug has been found in the .NET Framework. Basically, if a null is inserted into a string and you manipulate that string through several different methods, then the data after the null will be dropped.

MailMessage message = new MailMessage();
// Untrusted input is concatenated straight into the recipient; an embedded null
// in Request["to"] drops everything after it once the string reaches native code.
message.To = Request["to"] + "@legitserver.com";

If Request["to"] were to be something like i@spamvictim.com%00, the message.To property would become i@spamvictim.com instead of the i@spamvictim.com@legitserver.com you would expect.

The reason behind this is that .NET treats nulls as data, whereas the native calls that .NET uses behind the scenes treat nulls as string terminators (many languages internally terminate strings with nulls).
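The two views of the same string can be shown without any mail API at all. The following is an added example, not code from the original post or from the whitepaper: it copies a managed string into an unmanaged ANSI buffer and reads it back the way a C-style API would, which stops at the first null. The input string and the helper names are constructed for the demonstration; the check at the end is the defensive side, rejecting a null before the value ever reaches a native boundary.

```csharp
using System;
using System.Runtime.InteropServices;

public static class NullByteDemo
{
    // Managed view: the null is an ordinary character and counts toward Length.
    public static int ManagedLength(string s)
    {
        return s.Length;
    }

    // Native view: marshal the whole string (embedded null included) into an
    // unmanaged buffer, then read it back as a C string, which ends at the first null.
    public static string AsNativeCString(string s)
    {
        IntPtr buffer = Marshal.StringToHGlobalAnsi(s);
        try
        {
            return Marshal.PtrToStringAnsi(buffer);
        }
        finally
        {
            Marshal.FreeHGlobal(buffer);
        }
    }

    // Defensive check: untrusted input containing a null should be rejected
    // before it is concatenated with anything or handed to native code.
    public static bool ContainsNull(string s)
    {
        return s != null && s.IndexOf('\0') >= 0;
    }

    public static void Main()
    {
        // Constructed input: what a "%00" in the request becomes after URL decoding.
        string untrusted = "user@example.com\0";
        string recipient = untrusted + "@legitserver.com";

        Console.WriteLine("managed length: " + ManagedLength(recipient));
        Console.WriteLine("as native C string: " + AsNativeCString(recipient));
        Console.WriteLine("input contains null: " + ContainsNull(untrusted));
    }
}
```

The managed length counts the null and the appended domain, while the native read-back returns only the part before the null. Rejecting nulls is the minimum; validating the field against what a local part may actually contain is the stronger check and makes the appended domain the only one that can ever appear.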

More info on this can be found in the whitepaper here.

Two patches have been released from Microsoft to address this issue:
KB928365 for .NET 2.0
KB928366 for .NET 1.1

Filed Under: Security

Vancouver Follow Up

Jul 8

I wanted to thank the Vancouver user group for having me out to speak. It was a great experience and a surprising turnout considering that the weather was just great outside!

As I said in the demo you can download the code, database and slides here.

The demo web site also implements some other features that I did not get to talk about due to time constraints. The biggest one is a custom security level (the web.config has a named policy called demo and a demo.config file with the policy in it). I wanted to talk about this feature of .NET, but the scope of custom security levels (i.e. code access security / partial trust) was just too large to fit into the timeframe.

The demo code also has a second iterative hashing algorithm that I did not talk about. The class is Rfc2898IterativeHasher.cs and it uses the built-in Rfc2898DeriveBytes class, which will easily do an iterative hash with a salt as well. I could not find out what algorithm was being used behind the scenes in this class but it is an easy way to implement iterative hashes.
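For reference, Rfc2898DeriveBytes is the .NET implementation of PBKDF2 from RFC 2898, using HMAC-SHA1 as the pseudo-random function (later Framework versions added an overload that takes a HashAlgorithmName). Below is an added example of the salted, iterated pattern; it is not the Rfc2898IterativeHasher.cs from the demo download. The salt size, output size, iteration count and the sample passwords are constructed values; the stored record is salt followed by derived key, and verification recomputes the derivation and compares it in fixed time.

```csharp
using System;
using System.Security.Cryptography;

public static class IterativeHasher
{
    private const int SaltSize = 16;
    private const int HashSize = 20;       // HMAC-SHA1 output length, the PRF behind Rfc2898DeriveBytes
    private const int Iterations = 10000;  // constructed value; raise it as hardware allows

    // Derive a key from the password with a fresh random salt and return salt || key for storage.
    public static byte[] Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);

        byte[] key = Derive(password, salt);
        byte[] stored = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltSize);
        Buffer.BlockCopy(key, 0, stored, SaltSize, HashSize);
        return stored;
    }

    // Recompute the derivation with the stored salt and compare every byte
    // regardless of where the first mismatch is.
    public static bool Verify(string password, byte[] stored)
    {
        if (stored == null || stored.Length != SaltSize + HashSize)
            return false;

        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        byte[] candidate = Derive(password, salt);

        int diff = 0;
        for (int i = 0; i < HashSize; i++)
            diff |= candidate[i] ^ stored[SaltSize + i];
        return diff == 0;
    }

    // PBKDF2: the iteration count is what makes each guess expensive.
    private static byte[] Derive(string password, byte[] salt)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(HashSize);
    }

    public static void Main()
    {
        byte[] record = Hash("correct horse battery staple");
        Console.WriteLine("stored record: " + Convert.ToBase64String(record));
        Console.WriteLine("correct password verifies: " + Verify("correct horse battery staple", record));
        Console.WriteLine("wrong password verifies: " + Verify("Tr0ub4dor&3", record));
    }
}
```

Because the salt is random per record, two users with the same password get different stored values, and the iteration count is stored implicitly by convention here; storing it alongside the record instead lets it be raised later without invalidating old entries.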


Filed Under: Speaking