Monday, December 18, 2017

Getting last modified software on Windows using PowerShell

Getting the list of the last modified software on Windows is actually simple, if using PowerShell
Photo by Miti on Unsplash
Whenever I get requests like "hey, how can I get the lastly installed software on my machine?", I try to resolve them with code and as simple as possible. Turns out that on Windows, PowerShell can be an excellent tool for scripts like those. On this post, let's address that using PowerShell and review how it became a fun, simple and quick exercise.

Using Get-WmiObject

The Get-WmiObject cmdlet is what we need to get Windows diag information. By combining it with Export-Csv we can export all installed software on our machines with:
Get-WmiObject -Class Win32_Product | Export-Csv installed.csv

Using Get-ChildItem

The next part consists in using the Get-ChildItem cmdlet to filter out our exported data. That can be done with:
# getting last modified files
Get-ChildItem C:\ -rec | sort LastWriteTime | select -last 1000 | Export-Csv files.csv


Doing this simple exercise was fun, simple and quick using PowerShell. Don't know PowerShell yet? I would urge you to take a look and learn it (even if just the basics). PowerShell is a powerful tool used extensively in devops on Windows, Azure and Linux.

Oh, and yes, I really don't miss the days before PowerShell!

Monday, December 11, 2017

PowerShell - The server committed a protocol violation

Let's understand what that error means and review 3 different ways to fix it.
Photo by Max Rovensky on Unsplash

This sort article details a good trick for those getting the following error in PowerShell: 
The server committed a protocol violation
After googling ducking around, I found three different solutions for this problem:
  1. Modifying your powershell.exe.config;
  2. Modifying your request in order to avoid it stopping if your url is invalid in .NET
  3. Modifying your request in order to avoid it stopping if your url is invalid in PowerShell.
Let's review each of them and understand a little more about the problem.

    Solution 1 - Modifying powershell.exe.config

    This solution will apply to all PowerShell requests so use with caution. Also, this solution is not portable so, if you plan to run this script on a machine you don't have admin access to, this solution will probably not work.
    <httpWebRequest useUnsafeHeaderParsing="true" />

    Solution 2 - Modifying your request in .NET

    To modify your request, have the code below before you actually run Invoke-WebRequest:
    $netAssembly = [Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection])

        $bindingFlags = [Reflection.BindingFlags] "Static,GetProperty,NonPublic"
        $settingsType = $netAssembly.GetType("System.Net.Configuration.SettingsSectionInternal")

        $instance = $settingsType.InvokeMember("Section", $bindingFlags, $null, $null, @())

            $bindingFlags = "NonPublic","Instance"
            $useUnsafeHeaderParsingField = $settingsType.GetField("useUnsafeHeaderParsing", $bindingFlags)

              $useUnsafeHeaderParsingField.SetValue($instance, $true)

    Solution 3 - Modifying your request in PowerShell

    This is probably the simplest. Just run the line below:
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }


    On this post we reviewed three different ways to resolve a problem in PowerShell. Don't know PowerShell yet? I would urge you to take a look and learn it (even if just the basics). PowerShell is a powerful tool used extensively in devops on Windows, Azure and Linux.

    See Also

    Monday, December 4, 2017

    ASP.NET - How to allow anonymous requests on secure endpoints

    How to allow unauthenticated requests on authorized endpoints using ASP.NET? Let's take a look.
    Photo by Philipp Katzenberger on Unsplash

    In a previous article, I described how to extend the ASP.NET pipeline with custom security. Turns out that certain endpoints were still required to operated unauthenticated. How do we allow those requests to be processed? The solution relies on:
    1. Decorating the security attribute with the AllowAnonymous as discussed on the previous post.
    2. Detecting the current request is an ActionExecutingContext and allowing the request to proceed conditionally.
    Let's see how we can write a custom RequirePermission attribute to solve that problem.

    Writing a custom ActionFilter Attribute

    Writing a custom ActionFilter attribute isn't complicated. Here's one code that demonstrates how to do that elegantly:

    Using the Attribute

    Next, we ca use our attribute to decorate our actions so it runs as soon as our endpoint is hit:


    This was a quick post extending the previous discussion on how to implement custom action filters to have a better control over the requests agains our application. On this post I explained how you could intercept requests on your application and react to them using these attributes. For a complete understanding of the project, please the original discussion

    See Also

    Monday, November 27, 2017

    Security Boundaries

    Knowing the security boundaries of our applications help building safer code. Read to understand.

    In order to properly implement secure applications, developers should understand the concept of security boundaries (or trust boundaries) in the context of software development/architecture.

    So let's start with a solid definition. According to IEEE, security boundaries are:
    defined by a set of systems that are under a single administrative control. These boundaries occur at various levels, and vulnerabilities can become apparent as data “crosses” each one.
    A good guideline to understand what the security boundaries of your app are is by:
    • examining their applications from both functional and technical perspectives;
    • understanding and evaluating the boundaries in and between their applications;
    • taking into account all the interfaces and integrations to/from their systems;
    • knowing that vulnerabilities can be propagated from one boundary to the other, possibly affecting not only your application but also leaking to your users;

    Trust Model

    how an organization determines who to trust with its assets or pieces of its assets.
    As developers, we could use the same paradigm by considering:
    • who should have access to my system;
    • what can they access;
    • which internal components in my application I trust, which I don't;
    • which external components in my application I trust, which I don't;
    With all that information you should be able to draw lines (security boundaries) around your architecture, helping you identify what are the trust levels between those boundaries.

    Performing security verification

    Once we know which are the boundaries of our apps, we could reduce the development effort to check security only in the application boundaries. For example: if my web app talks exclusively (is coupled) to my backend and vice versa, it's fair to say that I only need to validate my data once.
    But don't treat that as a general rule. Actually, I would treat that as an exception as applications today are getting more and more complex.

    Security checks in the cloud

    What if my web app talks exclusively to my backend via a message queue or a storage account in the cloud? Is it safe to say that I should trust everything that reaches the backend? Of course not. After all, being the transport layer publicly available, it could be compromised. Being compromised, messages reaching the backend might also be compromised, resulting in breaches in my system. I should validate them whenever possible.

    Every new element we add to our architecture is another element in the security boundary equation: should I trust everything that comes from it or not?

    Security checks with Different Networks

    Same for applications in different networks. Just by adding a public network between them, means that the information we're getting (if not encrypted) might have been tempered with. Should we trust it? The answer to that is related to how trustable our network is. Being a private vnet in the cloud, I would be ok. Public, not so much.

    Local Security checks

    In the same process

    For two assembly in the same process for example, I don't think no security checks needs to be done. However, if two applications share the same process and a component in one calls a component in the other, a security check should be done because we crossed an application boundary.

    In with different Processes

    Likewise, if two applications reside in different server processes and a component in the first application calls a component in the second application, a security check is done.

    Final Thoughts

    I briefly introduced the concept of security (or trust) boundaries in this post. I hope you use that information to, in the future, evaluate how your company is treating the data you are injecting from your users and 3rd-party APIs.

    See Also

    Monday, November 20, 2017

    How and why use stronger passwords

    The number of online attacks increases and weak passwords is one of the main reasons. Learn how to create stronger passwords and be safer online.
    Passwords are probably the most sensible aspect of our lives today. With more and more leaks happening every day, it's strongly recommended to start thinking about stronger passwords for our personal online accounts and our applications. So how can we leverage existing tools in a non-complex way to enhance our online protection?

    Let's take a look.

    What you should do

    Let's start with simple basic tips for everyone. For starters, this is what we should be doing:
    • Using passwords with at least 8 characters;
    • Using complex passwords that include numbers, symbols, and punctuation;
    • Using a variety of passwords for different accounts or roles;
    • Using a secure password tool;

    What you should not do

    It's also important to remember what we should not do. For example, below I list somethings we should not be doing:
    • using dictionary words as passwords, e.g. apple, cat, Raptors, etc;
    • use sequences of characters, e.g. 3333, abcdabcd;
    • use personal information in passwords, e.g. your birthdate;
    • reutilize passwords;
    • avoid setting the password as the associated service, e.g. Gm@il or Dropbox123;
    • combinations of those above;
    Other interesting tips to increase our protection are:
    • Avoid storing passwords on devices that you take out of home;
    • Use a password manager to securely keep track of your passwords (see the section below);
    • Setup MFA/2FA when available (see the section below);
    • Use a secure password generator to generate stronger passwords (see the section below);
    • Never remember a password!

    Use Password Managers

    While the  above tips are good to start and have in mind, let's now see concrete examples in how we can increase the complexity of our passwords and how we can protect them from external access. Utilizing stronger password demands a better memory. In case you don't have one as me, I  strongly recommend the utilization of a password manager like 1password, KeePass and it's forks KeePassX and KeePassXC. That's why I never remember my passwords! =)

    And because I need to access my passwords on Linux and Windows machines, I'm currently using KeePassXC. I also advocate for files on disk instead of services like LastPass because you cannot trust anyone else nowadays =). How safe is LastPass data for example? Well, they were hacked before...

    Using KeePass

    Since KeePass is one of the most familiar out there, let's provide a very quick introduction on it. The rest, I'm pretty sure you can figure out. Also, if you're using one of its forks, should be the same, just varying the visual look and feel.

    Step 1 - Create your password database

    The first step is to create your password database. Launch KeePass, 

    Step 2 - Start adding your passwords

    See? KeePass not only manages our passwords but also helps us generating a very complex passwords for us.

    Step 3 - Keep using it!

    Yes, keep using it! Add all your accounts to this file and keep it safe on your disk, doing periodical backups. And sice KeePass is remembering your passwords for you, you have no excuses for sharing passwords or using simple passwords. Plus, backing up this file online is safer as the file is encrypted and assuming you didn't choose a very simple password for the file, it should take a long time for someone to crack it.

    Which takes us to the next tip...

    Recycle Passwords

    Another relevant tip is recycling passwords. You may have already figured out that it's a technical term for not reusing the same passwords. But why? Yes, you should recycle your passwords every 3 months or so. It helps against data leaks. Or, if your service has something like a password expiration policy, even better:

    How to create stronger Passwords

    Most password managers have a very useful tool to generate passwords. After getting familiar with KeePass, I suggest getting acquainted with the Password generation tool.  To access it, do:
    Tools -> Password Generator:

    As we can there there are lots of intresting options here:
    • You can set the length of the generated passwords;
    • You can set/unset multiple options (I would recommend checking at least 4 of them);
    • You can provide patterns, certain characters;
    • You can strengthen entropy by clicking on the "Advanced" button
    And, by clicking on the "Generate" button, KeePass will generate a password for you. It will even tell you how strong your password is (92 bits in this case). Remember to keep an eye on the bar. It will tip you how strong your password is. In theory, we should have the tool generate passwords for us as their algorithm handles better the complexity required.

    Enable multiple-factor authentication

    Multiple-Factor Authentication (MFA) and it's simpler form Two-Factor Authentication (2FA) is a way of logging in that requires more then a password. Example: a text message or a verification e-mail with a random code on a different email account are sent and the user will only be allowed access if she enters the right code..

    MFA adds a very strong security component to our online accounts since it reduces dramatically the chances an unauthorized user can access our accounts. Many recent hacks such as the celebrity hack could have been avoided if MFA was enabled. But Apple have learned from the episode and now advise users to protect themselves using 2FA:
    To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at

    Example 1 - Enabling MFA for an Apple ID

    The majority of the most used websites currently offer MFA. As an example, here's what you need to do to enable MFA on you Apple ID.


    Example 2 - Enabling MFA on GitHub

    In GitHub, go to your profile -> security, and click:

    Then you choose one of the options below to get your code:

    How Secure is your Password?

    Speaking of strong passwords, how secure is a  92 bits password compared to my own password? According to
    • your simple password like "Apple123" is broken instantly;
    • a complex password as that one generated above would be broken in 52 quadrillion years;

    Just access that type and enter your password to get a quick feedback on how long it would take for someone to crack your passwords:
    Spot the difference? Few hours x 52 quarillion years. But wait! There are techniques to speed up this process but we will not cover them now. The objective of that was to illustrate the importance of creating and using stronger passwords.


    On this post I presented many suggestions on how to create strong passwords, store, transport and additional protection layers such as MFA. Please, start use them all and make your information safer. As a final note, consider using stronger passwords and enabling MFA on all your accounts.

    See Also

    Tuesday, November 14, 2017

    Why use Firefox

    Understand why Firefox is still the best browser for those looking to keep their privacy online.
    If you have been following this blog, you may know that I've been discussing the importance of security and privacy. If not, please read how we are being tracked without consent everywhere: by search engines, browsers, mobile apps, social networks, TVs, games, devices, etc. Turns out we're living in difficult times for those seeking privacy

    My Favorite Firefox Features

    Apart from its privacy-first commitment, let me list my favorites of  Firefox.


    This version of Firefox is 2x-faster than a year ago, significantly faster than Chrome. Do not believe? Check the video below for a quick comparison between the performances of Firefox and Chrome.


    Firefox made significant improvements to its new engine and now uses 30% less memory than Chrome:

    Development Tools

    Every developer deserves an awesome development environment. Firefox Quantum ships with a completely revamped DevTools with multiple improvements included. Check more on this blog post to find out more.

    Privacy Considerations

    As previously said, Firefox is the only browser committed to privacy. Even Brave who marketed themselves as the best privacy-oriented browser were caught replacing ads with their own and probably also tracking you.

    Beautiful UI

    And, my last personal favorite: the new Photon UI. Simply gorgeous:


    I've used many browsers on different mobile devices and honestly, never have been completely satisfied. Lately, I've been using Firefox Focus and if you want speed, privacy in a lightweight browser, you got it there:

    Contributions to the Open Standard

    Apart from Firefox, Mozilla has been doing very important advances in open science in:
    • Gaming: WebAssembly & WebGL;
    • MDN: extensive documentation on web technologies including HTML, CSS, and APIs for both Web sites and progressive web apps.
    • WebVR: an incubator for virtual reality on the web;
    • Servo: an amazing parallel browser engine 
    • Rust: an amazing open-source programming language that focuses on speed, memory safety and parallelism.
    • Open Codecs: if you use Linux, you know what I mean...
    • Speech and Machine Learning


    If you agree with me and thing that it's time for a more open web, more privacy and security, join me and millions of other users and start using Firefox again! So what are you waiting for? Go get your Firefox right now!

    See Also

    Tuesday, November 7, 2017

    How can you become a FOSS / Open-Source Contributor

    Considering joining the open-source movement but don't know where to start? Learn some tips on this post.
    Photo by Mohamed Nohassi on Unsplash

    FOSS is awesome! Millions of people around the world dedicate their time working and free/open-source software benefiting the world around us. Most likely the tools use love and use are probably backed by open-source software one way or another. For example, the internet you're using now runs on Linux. SmartTVs, drones, cars, super computers, your android phone and yes, even your iOS device is also based on BSD, a FOSS project. 

    There are hundreds thousands of projects you probably use that available for free. Projects like like Mozilla Firefox, OpenOffice, git, Bootstrap, React, FontAwesome, OpenSSH, internet servers, just to name a few. On this post let's learn ways you too can help free/open-source communities around the world.

    Tips for programmers

    If you know how to program and would like to contribute that way, here's a couple of ways you could help the community:
    • Writing code;
    • Submitting pull requests;
    • Reviewing code;
    Once you understand the project requirements, philosophy, workflow and communication channel, get in touch with the project maintainer(s) to present yourself. The easiest way for those that know how to program is to go directly to the project page. A nice start page would be Git Explore.

    Tips for non-programmers

    Do not have programming skills? Don't give up! There are lots of other ways you can help. Check the list below.


    Like writing? There's definitely gaps in documentation on free/open-source software. Consider supporting your favourite project on:
    • Documentation;
    • Tutorials;
    • Translations;


    You're a designer? There are lots of opportunities to contribute with your artistic skills on free/open-source software. For example:
    • Logos;
    • UI mockups;
    • Event banners;
    • Fonts;
    • User Experience
    • TShirts;

    Participating / Organizing Events

    Social events? You can always participate in:
    • Meetups;
    • Install fests;
    • Volunteering in bigger events

    Using the software

    Know well some specific software? Why not help people:
    • installing free software;
    • on Q/A sites around the internet
    • on Slack/IRC/Discuss channels;
    • helping someone else installing/troubleshooting someone else's computer;

    Helping with Infrastructure

    Know systems and infrastructure? What about:
    • supporting servers;
    • donating servers;
    • maintaining the build systems;
    • packaging;


    None of the previous? What about donating to organizations you like / admire / support other FOSS projects like:

    Supporting other Users

    You can always support other users by answering their questions on StackOverflowAskFedora or AskUbuntu for example.


    On your school, university or company? What about educating people on how to use free/open-source software?

    Writing posts

    What about blog posts? Even those as simple as as this one help people around the world! 😊



    This post was just to present ideas on how to start helping open source projects. Most people think that contributing to open source is just about code while it is not. There's tons of ways we can start helping others out there so why not?

    See Also

    Monday, October 30, 2017

    It's time to Firefox again

    Understand why now is the best time to start using Firefox again

    On a previous post, I listed ways we are being tracked without consent by search engines, browsers, mobile apps, social networks, TVs, games, devices, etc. Hopefully by now, you understand why we all should be concerned with security, ethics and privacy.

    But before we discuss privacy and why we should reconsider Firefox, I thought it would be interesting to do a quick recap on web browsers, this omnipresent tool in our lives.

    Market Share

    Today, Firefox has about 13% market share. A huge decrease if we consider that it originates from Netscape, which had close to 80% of the market two decades ago.


    To understand how that happen, let's take a quick look at the browser market history

    The First Browser War

    Back in 1995, Netscape sailed in calm waters until a Internet Explorer 1.0 was released by Microsoft. That was the beginning of what's called the first browser wars.

    According to Wikipedia:
    • By mid-1995, Netscape Navigator was the most widely used web browser and Microsoft had licensed Mosaic to create Internet Explorer 1.0 which it had released as part of the Microsoft Windows 95 Plus! Pack in August.
    • Internet Explorer 2.0 was released as a free download three months later. Unlike Netscape Navigator it was available to all Windows users for free, even commercial companies.
    • Internet Explorer 4 changed the tides of the browser wars. It was integrated into Microsoft Windows, which gave it a large installation base.

    Quickly, the Windows-IE integration brought excellent results to Redmond. Now, Microsoft had two advantages in the browser market:
    • Resources - Microsoft had way more financial resources than the relatively small company that essentially had a single product (Netscape Navigator)
    • IE was bundled with Windows - since Windows had over 90% share of the desktop operating system market, IE quickly gained adoption.

    Fast dominance, Slow innovation

    But the market share dominance certainly was not good for consumers. A period of slow innovation started:
    Microsoft was able to dominate the market share easily as customers had it as the default browser. This also brought an end to the rapid innovation in web browsers; until 2006 there was only one new version of Internet Explorer since version 6.0 had been released in 2001.

    The market remained stalled for a few years until a new contender entered the market: Google Chrome.

    The Second Browser War

    The Chrome browser was released on December 11, 2008, using the same WebKit rendering engine as Safari and a faster JavaScript engine called V8. Google replicated Microsoft's aggressive strategy and embedded Chrome in Android. Quickly we saw Chrome surpassing Firefox and IE to reach the top spot:

    Chrome Advances

    Let's be honest: Chrome indeed brought us many advances. To name some: simple bookmarks and settings synchronization, web standards support, malware blocking, plugins, incognito mode, speed, stability, desktop apps, its web store, extensions, themes, automatic web page translation, release channels, frequent release cycles, etc. That's a lot!

    But remember, they weren't the first to create most of these features. Firefox (and Opera) had most of those features way before them:
    • themes;
    • a web store;
    • extension support;
    • plugin support;
    • incognito mode;
    • web standards support;
    • developer tools;
    • do not track;
    • automatic updates;

    The Strategy

    The history repeated itself: a company with OS dominance embed  their browser and foster it as the best for you on all its channels. Example, if you go to today using Firefox you will see:

    Source: (using Firefox)

    Because Chrome is embedded in Android (the most popular mobile OS), has tight integration into other Google services and to ads like the above, people keep ditching alternatives and just using Chrome.

    The problem

    As always, problems begin when you dominate the market share. Impartial practices, disrespect to open standards, privacy concerns and all sorts of other issues happen. Common complaints in the past are now back with Chrome:

    The solution

    The solution is a more open Web, not a web governed by one or two companies but internet for people, not for profit. It has to include open standards, open formats, strong security and privacy that protect the users.

    It's internet for the people, not for profit


    Unfortunately, the web today has problems. Security, ethics and privacy are not being respected and we should work together to improve it. And it will start with us, the users. It should start with our search engines and with our browser.


    That's why my browser of choice is Firefox. Because I want my privacy respected, because I want a more open web, because I support open-source software, because it has excellent development support and it's super fast!

    Enhanced Tracking Protection

    To get better, Mozilla has been working on the Enhance Tracking Protection feature. Starting on Firefox 63, users will be able to block all third-party cookies so they are not tracked while browsing the web.

    Fast, Lightweight and Private

    Bonus: Firefox Focus

    I've used many browsers on different mobile devices and honestly, never have been completely satisfied. Lately, I've been using Firefox Focus and if you want speed, privacy in a lightweight browser, you got it there:


    We are being tracked without consent by search engines, browsers, mobile apps, social networks, TVs, games, devices, etc. Hopefully by now, you understand why we all should be concerned with security, ethics and privacy.

    There are alternative search engines and browsers that respect your privacy. Why not try and spread the word?


    See Also

    Monday, October 23, 2017

    Creating private git repos using Azure DevOps

    GitHub's also offering free repos now! As it's the world's most popular development platform, I'd recommend using it instead of Azure DevOps.

    GitHub is awesome. It dramatically changed how we share and contribute to open source sofware in the work. But, one of its limitations, especially for startups, companies or even tech professionals is that it doesn't allow private repos for free.

    Fair enough, they are a company and need to pay for infrastructure, their employees and support all the amazing work that they do and all the traffic that they get. But since startups usually can't have upfront costs what's the alternative?

    Introducing Azure DevOps

    Azure DevOps is a private (up to 5) service that has a bunch of cool stuff for developers and startups.

    I'm a big fan of Visual Studio Team Services because:
    • as, this post explains, offers private git repos for free;
    • allows us to do view repos, code, pull requests/merges online;
    • automate Azure deployment;
    • run automated tests;
    • do continuous integration;
    • do relelease management;
    • have multi branches for your baseline;
    • install extensions;
    • host your private wiki;
    • and more, way more.

    Creating your Repo

    But back to the repos. Being free, once you register, you can create a new project like:
    Azure DevOps - Creating a new private repo

    Once your project is created, you should see your Git url from which you're able to pull privately using the credentials for the account you just created.

    VSTS - Your Git Url

    After your first push, you should see your files there. Other nice features already mentioned above, are available in the blue bar above and I plan to review them in the future.

    Personal Git Repo

    One thing that was not much explored is, the benefit developers and people who produce digital content in general is using VSTS to host your personal files. Instead of using GDrive, DropBox or OneDrive, why not host all your files there? Plus, you get all the benefits already provided by git and the cloud:
    • security
    • confidentiality
    • intergrity
    • version control
    • hosted on the cloud

    So, you could store your portfolio, your projects, all those txt files that are never archived and always lost =) in git, access and modify them from multiple machines and let git manage it for you - for example, rejecting one modification because you are not up to date with the repo.


    So there you have it. VSTS is a very friendly, powerful and free (up to 5 users) that you can use to host your personal and professional projects. Definitely it's worth trying.

    GitHub's also offering free repos now! As it's the world's most popular development platform, I'd recommend using it instead of Azure DevOps.


    See Also

    Monday, October 16, 2017

    Securing your front-end

    How secure is your front-end and how much could it be? Let's discuss it on this post.

    An extremely common and dangerous flaw in web apps security is relying solely in client side security as we already discussed on this blog here and here. On this post we’ll examine the most frequent mistakes developers make and how to protect from them. But before we proceed, check our previous discussions on web application security. For all the topics on security, please click here.

    Law of Security #4

    We already reviewed the 10 laws of security on this blog. So, you may recall our Law #4:
    If you allow a bad guy to upload programs to your Web site, it’s not your website any more.
    That's probably, the main (but not the only) reason why web applications are so insecure: users are constantly submitting data to your application and changing data state. So what should we do? 
    Should you trust all data being submitted to you?

    Can you trust data from cookies sent to you?

    Can you trust everything that you are getting in your web application layer?
    Of course not.

    You cannot trust client side security

    Because you don’t have control of what runs on your client or how that information is being submitted - if it was manipulated or came from a different source than you expect - you should never trust the data you are getting in a request. That's why you should always re-validate in your server data sent to you. The only actual info you should trust is the session, stored on the server.

    So what are the most common mistakes?

    In the context of web applications, the most common mistakes web developers make are:
    • Hiding info in hidden fields
    • Relying on Http cookies
    • Relying on Url parameters
    • Using Form action urls for backend logic
    • Using the Referer header for backend logic
    • Trying to be cryptic or to obfuscate info
    • Rely purely on the ASP.Net Viewstate
    • Rely only on html form attributes
    • Only run Javascript validation

    Mistake #1 - Hiding info in hidden fields

    In the past, developers used to hide essential information in hidden form fields as:
    <input type=”hidden” name=”price” value=”45”>
    So when a post was submitted to the server, something like the below would be sent:
    POST /page.aspx HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 20
    Hacking this application is as simple as:
    1. changing the price value using devtools and resubmitting the form;
    2. issuing a post from a different tool to the server.
    Luckily, this anti-pattern is no longer common anymore.


    The solution here is simlpy not use hidden fields to pass sensitive information to the client. Use the Id of the product or some other type of identifier instead.

    Mistake #2 - Relying on HTTP cookies

    This one is less common but is still being used. Developers are still saving sensitive information in cookies, which are stored in the client side and can be easily manipulated. Consider this response from the server:
    HTTP/1.1 200 OK
    Set-Cookie: Discount=20
    Content-Length: 100
    Assuming that the Discount value set in the cookie was used to perform some calculation in the server, a malicious user could easily change that information to 100 for example, and get the product for free. Not what we want.
    POST /store.aspx HTTP/1.1 
    Cookie: Discount=100
    Content-Length: 10


    The solution here is simlpy not use cookies fields to exchange/store sensitive information to the client. If you need to save, save it on the session, on the server. Upon each request, get the session value and process it from there.

    Mistake #3 - Relying on Url parameters

    Often, urls are very easily hackeable:
    Anyone using a web browser or curl for example could alter that url and, if that property was used to provide the price to the server, alter it and benefit from your security issue. Others can be more obscure but also open to attacks:
     Remember that security trough obscurity does not work flawlessly.


    Avoid using the query string to pass sensitive information. Even if some urls are meant to be hackeable, that's not the objective here.

    Mistake #4 - Using Form action urls for backend logic

    Similar to mistake #3, hidden but still modifiable, form actions can also be used to pass information :
    <form action="/store/submit?discount=10">
    Remember, this approach could be easily manipulated.


    Avoid using the query string to pass sensitive information. Even if some urls are meant to be hackeable, that's not the objective here.

    Mistake #5 - Using the Referer header for backend logic

    Less common, the Http Referer header can be used to simulated authentication logic in the server. For example, a request like:
    GET /auth/CreateUser.aspx HTTP/1.1
    Could be interpreted in the server that the user indeed came from the admin page. While this could be true for non-malicious requests, it could also be manipulated.


    Avoid using the Referer for authentication as can be easily manipulated in the client side.

    Mistake #6 - Trying to be cryptic or to obfuscate info

    We already provided an example in mistake #3. Trying to be cryptic or obfuscating information is not a 100% reliable solution. Yes, it could be used as part of a solution but should not be the sole solution.


    Be creative securing your services and avoid security trough obscurity.

    Mistake #7 - Rely only on html form attributes

    Html form attributes like maxlength and disabled are nice but can be easily circumvented by simply removing them in developer tools or by submitting. Example:


    Keep using those components to provide more friendlier applications but never rely only on them to validate your data. Always have similar validation in the server and in the backend if necessary.

    Mistake #8 - Only run Javascript validation

    As in mistake #8, relying solely on javascript is highly insecure as javascript can be disable or be easily removed, altered or manipulated in the client machine.


    Make use of javascript to serve more friendlier applications but never rely only on it to validate your data. Always have similar validation in the server and in the backend if necessary.


    So there you are, hope this post has helped you identifying the threats your app may be facing and how you could protect against them. But only for your front end. Remember, security is complicated. Securing your frontend is just another piece in the complex effort towards a good security framework.

    See Also

      For more posts about ASP.NET on this blog, please click here.

    Monday, October 9, 2017

    Privacy and Ethics

    Security, Ethics, Privacy and Confidentiality. How's everything related on today's internet.
    On a previous post we discussed Security and Ethics. Today we follow up on Ethics and Information Privacy and discuss privacy and ethics.

    We're living interesting times. Around 10 years ago, the biggest ad agency of all time started tracking and reading personal information. Now it has expanded from your browser to, basically, everywhere. In case you are not sure what I mean, let's examine where tracking is happening.

    Tracking is Everywhere

    Tracking today happens on:
    • E-mail providers: Gmail, Outlook, Yahoo! and everyone else is reading your email. What about you? Are you reading your own emails? 
    • Search Engines: where do you think that Google, Bing, Yahoo!, et al get their money from? But wait! We seem to have an option that does not track you. 
    • Social Networks: every social network these days tracks you and reads your data. And they make a lot of money. 
    • Companies:Google, Apple, Microsoft, Facebook, Amazon and everyone else is tracking you not only by using their services but, if you're using their gadgets, you're probably being tracked there too! 
    • TVs: smart TVs like Samsung TVs are spying on viewers. 
    • Smart devices: Smart devices like these, are tracking users:
    • Virtual Assistants are tracking us: virtual assistants are also tracking their users:

    Tracking and Privacy

    But people are starting to note that privacy invasion is becoming or will become an issue. And that is a good thing!

    Maybe this change is happening due to the impacts of the recent very important data leaks on Equifax and Deloitte, or because their personal pictures leaked online or, because their Dropbox, Adobe, LastPass, personal e-mail, mobile operator, and so many other services suffered a leak and they lost confidential information and/or were victim of a scam/phishing/smishing, etc because of those leaks. Who knows? It doesn't matter.

    What matters is that the society as a whole needs to be aware of how our privacy is being disrespected and start demanding for a change. Unfortunately, neither governments nor companies are doing their share and remain doing all that's possible to get access to your data - ethically or unethically. But why is that happening?

    Remember: If a product is free, you are the product

    As we already discussed that on the Security and Ethics post why is this all happening? Why now?

    To understand that, we first need to reflect on why would a company give their products for free? Since the majority of them are not charities,  maybe this is happening because, they make tons of money out from your data and ads

    For example, here's how Alphabet (Google's parent company) makes money (88% from Ads):


    And here's how Facebook makes money (97% from Ads):

    US$ 106 Billion / year in revenue from Ads

    As show in the previous charts, advertising generates 88% and 97% of their revenues to Google and Facebook respectively. That's USD 106.36 Billion per year from your data. All from "free products" like Facebook, Gmail, YouTube, Instagram, Android, Google Docs, etc That's why they say thatif a given product is free you are the product.

    All that said, we should be concerned. Not because we're doing stuff we're not supposed to do or because we're being injected too many adds but because your information is being scanned without consent or further notice.

    This is not a financial but an ethical decision. It's not about stock prices or revenue per user.

    Privacy concerns have reached a limit and people are starting to realize that. You can see by google searches decreasing (more on that later), or increase in utilization of tools like DuckDuckGo (which I recommend using), even by the increase in adoption of free/open software projects like LibreOffice or Firefox that do not track your data. Not because they are better but because they are safer and more trustworthy - If I can read the code, I can trust it.

    Privacy - What are our options?

    Then where should we be? What should our companies be doing? This is what would like to see: companies that explicitly care about your privacy and how the internet and our lives will be better if everyone cared about that.

    Here are my humble suggestions.


    My browser of choice is Firefox. Yes I know there are other options but for my daily use (including development) works very well.

    Search Engine

    I believe my search engine shouldn't track me. That's why I use and recommend DuckDuckGo.

    Operating System

    I want privacy in my desktop operating system. That's why I use Fedora Linux.


    I wish a modern phone that respects my privacy and runs all the apps I like. Who knows the Librem 5 or the PinePhone one day doesn't happen? I'm closing monitoring their development and it's getting close, real close!

    Final Thoughts

    Think about it. Think about the necessity of protecting our privacy, our families' privacy. Think about the impact it can have in 20, 30 years from now. Think how can we make the web and our lives safer for ours and future generations.

    See Also

    Update [Mar 13, 2018]: There is a very nice description on why you should consider migrating from LastPass here. 
    Update [Mar 13, 2018]: Good News! Purism just showed some updates on the Librem 5 phone here

    About the Author

    Bruno Hildenbrand      
    Principal Architect, HildenCo Solutions.