Hacking the Code: ASP.NET Web Application Security

James C. Foster, Mark M. Burnett


List of Figures

Chapter 1: Managing Users

Figure 1.1: Example of a Weak Password Policy

Figure 1.2: Validating Passwords Using a CustomValidator Control: C#

Figure 1.3: Validating Passwords Using a CustomValidator Control: VB.NET

Figure 1.4: Expiring Idle Accounts

Figure 1.5: Example of an Expired Password Screen

Figure 1.6: Example Warning for Old Passwords

Figure 1.7: Password Retrieval Using E-Mail Only

Figure 1.8: Another Password Retrieval Method Using E-Mail Only

Figure 1.9: Example Password Retrieval Using Personal Information

Figure 1.10: Password Reset Process

Figure 1.11: Example Password Reset Process

Figure 1.12: Example eBay Scam E-Mail

Chapter 2: Authenticating and Authorizing Users

Figure 2.1: Generic Failed-Login Message

Figure 2.2: Cleartext Passwords in Web.config

Figure 2.3: Passwords Encrypted with SHA-1

Figure 2.4: PassHash Utility: C#

Figure 2.5: PassHash Utility: VB.NET

Figure 2.6: Cain & Abel Performing a Dictionary Attack on SHA-1 Hashes

Figure 2.7: Windows Authentication Prompt

Figure 2.8: Blocking Basic Authentication Without SSL: C#

Figure 2.9: Blocking Basic Authentication Without SSL: VB.NET

Figure 2.10: Blocking Administrator Logins: C#

Figure 2.11: Blocking Administrator Logins: VB.NET

Figure 2.12: eBay’s Passport Login Form

Figure 2.13: Citibank’s Passport Login Form

Figure 2.14: Password Authentication Delay: C#

Figure 2.15: Password Authentication Delay: VB.NET

Figure 2.16: Declarative Security: C#

Figure 2.17: Declarative Security: VB.NET

Figure 2.18: Imperative Security: C#

Figure 2.19: Imperative Security: VB.NET

Figure 2.20: Explicit Authorization: C#

Figure 2.21: Explicit Authorization: VB.NET

Chapter 3: Managing Sessions

Figure 3.1: ASP.NET State Service Packet Capture

Figure 3.2: Setting the Domain on All Cookies: C#

Figure 3.3: Setting the Domain on All Cookies: VB.NET

Figure 3.4: Verifying the Cookie Domain: C#

Figure 3.5: Verifying the Cookie Domain: VB.NET

Figure 3.6: Sample View State Field

Figure 3.7: The ViewState Decoder

Figure 3.8: Securing View State: C#

Figure 3.9: Securing View State: VB.NET

Figure 3.10: Enhancing the Session ID with a MAC: C#

Figure 3.11: Enhancing the Session ID with a MAC: VB.NET

Figure 3.12: Binding to the Client: C#

Figure 3.13: Binding to the Client: VB.NET

Figure 3.14: Expiring Sessions: C#

Figure 3.15: Expiring Sessions: VB.NET

Chapter 4: Encrypting Private Data

Figure 4.1: Symmetric Cryptography Sample

Figure 4.2: 3DES Encryption with ASP.NET: C#

Figure 4.3: 3DES Encryption with ASP.NET: VB.NET

Figure 4.4: .NET Framework Source Code for the IsWeakKey Method

Figure 4.5: .NET Framework Source Code for the IsSemiWeakKey Method

Figure 4.6: Rijndael Encryption: C#

Figure 4.7: Rijndael Encryption: VB.NET

Figure 4.8: RC2 Encryption: C#

Figure 4.9: RC2 Encryption: VB.NET

Figure 4.10: Layering Symmetric Ciphers: C#

Figure 4.11: Layering Symmetric Ciphers: VB.NET

Figure 4.12: Using CryptDeriveKey: C#

Figure 4.13: Using CryptDeriveKey: VB.NET

Figure 4.14: Example of Key Derived from a Password

Figure 4.15: Saving the IV with the Ciphertext: C#

Figure 4.16: Saving the IV with the Ciphertext: VB.NET

Figure 4.17: Keyed Hashing Using HMACSHA1: C#

Figure 4.18: Keyed Hashing Using HMACSHA1: VB.NET

Figure 4.19: Hashing with a Salt: C#

Figure 4.20: Hashing with a Salt: VB.NET

Figure 4.21: Clearing Crypto-Related Objects: C#

Figure 4.22: Clearing Crypto-Related Objects: VB.NET

Figure 4.23: Storing and Retrieving Data from Isolated Storage: C#

Figure 4.24: Storing and Retrieving Data from Isolated Storage: VB.NET

Chapter 5: Filtering User Input

Figure 5.1: ASP Source From 500-100.ASP

Figure 5.2: Enabling Option Strict for VB.NET

Figure 5.3: Using Generic Request References [C#]

Figure 5.4: Using Generic Request References [VB.NET]

Figure 5.5: IP Address Blocked

Figure 5.6: IP Address Allowed with REMOTE_ADDR in QueryString

Figure 5.7: Using Generic Request References [C#]

Figure 5.8: Using Generic Request References [VB.NET]

Figure 5.9: Validating Numeric Input (C#)

Figure 5.10: Allowing Known Good Characters (C#)

Figure 5.11: Allowing Known Good Characters (VB.NET)

Figure 5.12: Matching Known Bad Input (C#)

Figure 5.13: Matching Known Bad Input (VB.NET)

Figure 5.14: Reflecting Data (C#)

Figure 5.15: Reflecting Data (VB.NET)

Figure 5.16: Built-In ASP.NET HTML Blocking

Figure 5.17: Using HtmlEncode (C#)

Figure 5.18: Using HtmlEncode (VB.NET)

Figure 5.19: Double Decoding (C#)

Figure 5.20: Double Decoding (VB.NET)

Chapter 6: Accessing Data

Figure 6.1: Firewall Layout #1

Figure 6.2: Firewall Layout #2

Figure 6.3: Removing an ODBC Driver from the Registry

Figure 6.4: Removing DSNs

Figure 6.5: Setting the Maximum Logging Level

Figure 6.6: Setting IIS for ODBC Logging

Figure 6.7: Windows Authentication [C#]

Figure 6.8: Windows Authentication [VB.NET]

Figure 6.9: SQL Authentication Connection String [C#]

Figure 6.10: SQL Authentication Connection String [VB.NET]

Figure 6.11: Common Query String [C#]

Figure 6.12: Common Query String [VB.NET]

Figure 6.13: Table Name Exposed in Error Message

Figure 6.14: Next Column in Query Is Exposed in Error Message

Figure 6.15: Username Value Exposed in Error Message

Figure 6.16: Escaping the ‘ Character [C#]

Figure 6.17: Escaping the ‘ Character [VB.NET]

Figure 6.18: Using SqlParameters in Building SQL Statements (C#)

Figure 6.19: Using SqlParameters in Building SQL Statements (VB.NET)

Figure 6.20: Using SqlParameters in Calling Stored Procedures (C#)

Figure 6.21: Using SqlParameters in Calling Stored Procedures (VB.NET)

Figure 6.22: Filtering Dangerous SQL Commands (C#)

Figure 6.23: Filtering Dangerous SQL Commands (VB.NET)

Figure 6.24: Common Authentication Code (C#)

Figure 6.25: Common Authentication Code (VB.NET)

Figure 6.26: Improved Authentication Code (C#)

Figure 6.27: Improved Authentication Code (VB.NET)

Figure 6.28: Locking Down Access

Figure 6.29: Restricting Read and Write Access

Figure 6.30: Setting NTFS Permissions

Figure 6.31: Add and Remove Extension Mappings

Chapter 7: Developing Secure ASP.NET Applications

Figure 7.1: Runtime Error

Chapter 8: Securing XML

Figure 8.1: XML Encryption Specification Syntax

Figure 8.2: XML Encryption Schema

Figure 8.3: XML Document to Encrypt

Figure 8.4: XML Document Encryption: C#

Figure 8.5: XML Document Encryption: VB.NET

Figure 8.6: XML Document After Encryption

Figure 8.7: XML Document Decryption: C#

Figure 8.8: XML Document Decryption: VB.NET

Figure 8.9: XML Digital Signature Structure

Figure 8.10: XML Document to Be Digitally Signed

Figure 8.11: Creating an XML Digital Signature: C#

Figure 8.12: Creating an XML Digital Signature: VB.NET

Figure 8.13: XML Digitally Signed Document

Figure 8.14: Validating an XML Digital Signature: C#

Figure 8.15: Validating an XML Digital Signature: VB.NET

Appendix A: Understanding .NET Security

Figure A.1: Performing Stack Walking to Prevent Unauthorized Access

Figure A.2: Graphical Representation of a Code Group Hierarchy

Figure A.3: Security in Code: C#

Figure A.4: Security in Code: VB.NET

Figure A.5: Link Demand at Class and Method Level: C#

Figure A.6: Link Demand at Class and Method Level: VB.NET

Figure A.7: Inheritance Demand: C#

Figure A.8: Inheritance Demand: VB.NET

Figure A.9: Inheritance Demand at the Method Level: C#

Figure A.10: Inheritance Demand at the Method Level: VB.NET

Figure A.11: A Stack Walk Is Short-Circuited by an Assert

Figure A.12: Setting an Assert: C#

Figure A.13: Setting an Assert: VB.NET

Figure A.14: A Stack Walk Is Short-Circuited by a Deny

Figure A.15: Setting a Deny: C#

Figure A.16: Setting a Deny: VB.NET

Figure A.17: Using the PrincipalPermissionAttribute: C#

Figure A.18: Using the PrincipalPermissionAttribute: VB.NET

Figure A.19: Using PrincipalPermission: C#

Figure A.20: Using PrincipalPermission: VB.NET

Figure A.21: C#

Figure A.22: VB.NET

Figure A.23: C#

Figure A.24: VB.NET

Figure A.25: C#

Figure A.26: VB.NET

Figure A.27: The .NET Configuration Snap-In

Figure A.28: The User’s Permission Sets and Code Groups

Figure A.29: Modify the Permission Set Using the Create Permission Set Dialog Box

Figure A.30: Modify the Settings of FileIO Using the Permission Settings Dialog Box

Figure A.31: Modifying the Security Settings Using the Permission Settings Dialog Box

Figure A.32: The Default Code Group Structure for the User Security Policy

Figure A.33: Select One of the Available Condition Types for a Code Group

Figure A.34: Importing a Certificate for a Publisher Condition in a Code Group

Figure A.35: Setting Attributes in the General Tab of the Code Group Permission Dialog Box