
Hack-ED with Kirk Jackson & Andy Prow

TechED 2013

I recently attended two amazingly fun-filled Hack-Ed sessions at Microsoft's TechEd Australia. The speakers were Kirk Jackson and Andy Prow. As promised, there was live hacking on stage and awkward humour that made us cringe (in a good way). Not to mention, I won a chocolate bar! Yay!

I have posted links to both their sessions below, but I thought I'd quickly touch on a few important things that they spoke about. I also highly recommend you follow their blog at

Kirk and Andy went through a couple of recent security breaches around the world (I've listed a few below). But what was really funny was that most of them were easily preventable.

I know you've probably heard this before, but as web developers, security should not be an afterthought to the development process, but rather an integral part of your design. I highly recommend that you have a read through the Open Web Application Security Project (OWASP). They have recently updated their list of the top 10 vulnerabilities to look out for, available at

Interesting Security Breaches

Now here are some of the interesting attacks that Kirk and Andy mentioned.

Some interesting types of attacks

Security Sessions at TechED

Hack-Ed: Wheedling and Cajoling your way to Success (

Hack-Ed: Develop your Security Spidey Sense (



