Nazim's Security Blog
All things security ...
-
HTTP/2 for IIS in Windows 10 Technical Preview
Windows 10 Technical Preview comes with support for HTTP/2 on both the client and server side. The client-side folks in IE did a blog post talking about what HTTP/2 is all about and its benefits, specifically on the performance side. This blog will detail how to set up an IIS server to communicate with clients over HTTP/2.
-
Safely handling untrusted XML server-side
If you didn't think that processing XML on the server side can lead to a Denial of Service, Information Disclosure or even Remote Code Execution, read on. The issues discussed here include a class of issues commonly referred to as XML External Entity (XXE) vulnerabilities, but are not limited to it. If you are NOT processing untrusted XML and the data comes from a trusted source, this article doesn't really apply to you, but it is still good to enforce safe usage for hygiene.
-
Is IIS vulnerable to the THC SSL DoS attack tool?
THC recently released a tool that can be used to launch Denial of Service (DoS) attacks against servers hosting SSL sites. Besides the traditional botnet Distributed Denial of Service (DDoS) class of attacks, this tool lets a single client use client SSL renegotiation to cause server DoS.
-
Is IIS susceptible to the Apache Range Header DoS attack?
A recent disclosure on seclists.org about a Denial of Service attack against Apache web servers has raised concerns about whether IIS web servers are affected. We will quickly talk about the issue and its impact on IIS web servers in this post.
-
World IPv6 Day and IIS 7
Wednesday, June 8, 2011 is World IPv6 Day and there will be plenty of representation by IIS7 on the Windows Server side. From Microsoft we will have participation in this event by Microsoft.com, Bing.com and Xbox.com, all of which run IIS7 web servers on their front end.
-
Use of special characters like '%', '.' and ':' in an IIS URL
We have been asked multiple times about % and other special characters in the URL and what the expected behavior is in IIS. The behavior in IIS is very deterministic when it comes to these special characters, but to explain the behavior we will need to delve a little bit into both URL canonicalization and the different stages of request processing in IIS.
-
Security update released for FTP 7.0 and FTP 7.5 0-day
In the latter half of December 2010, an FTP 7.X exploit was published on http://www.exploit-db.com/exploits/15803/.
-
Security update released for ASP.NET Padding Oracle Vulnerability
Microsoft has just released security bulletin MS10-070 with security updates for the issue. The updates are currently on Microsoft Download Center, but will be available through all other channels soon.
-
Update 1: ASP.NET Zero Day Vulnerability - Padding Oracle Exploit
ScottGu has posted some additional FAQs on http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
-
ASP.Net zero day vulnerability - Padding Oracle exploit
An ASP.Net cryptographic zero day was publicly disclosed today.