Developing for the translation industry

 Monday, 23 November 2009

LDAP injection is an attack against web applications that build LDAP statements from user input. When an application fails to properly sanitize that input, an attacker can modify the LDAP statement (for example by altering the request in a local intercepting proxy). The result can be the execution of arbitrary directory operations: granting permissions to unauthorized queries, or modifying content inside the LDAP tree. The advanced exploitation techniques known from SQL injection (blind injection, boolean inference) apply to LDAP injection as well.

The key to exploiting LDAP injection is manipulating the filters used to search the directory. With that control, an attacker can read the data behind the LDAP tree, and with it important corporate information. This is even more critical because many applications and services delegate authentication to single sign-on environments built on LDAP directories: the directory is both the data and the trust anchor.


On a page with a user search form, the following markup collects the input value that will be turned into an LDAP query against the directory.

 <label for="userName">Insert the username</label> <input type="text" size="20" id="userName" name="userName">

The LDAP query is narrowed down for performance, and the underlying code for this function might be the following:

 String ldapSearchQuery = "(cn=" + userName + ")";   // vulnerable: userName is concatenated into the filter without escaping

If the variable userName is not validated, LDAP injection is possible, as follows:

  • If a user enters “*” in the search box, the filter becomes (cn=*) and the application may return every username in the LDAP base.
  • If a user enters “jonys) (| (password = * ) )”, the concatenation yields (cn=jonys) (| (password = * ) ): the attacker has closed the intended assertion and appended a filter of his own. A presence filter such as (password=*) does not return the password value, it only tests whether the attribute is set, and whether the server accepts this concatenated string at all depends on its filter parser. What matters is that the attacker now controls the filter's structure, which is exactly what blind LDAP injection builds on: varying the injected assertion and observing whether the search still returns a result.

How to protect against these attacks?

INPUT VALIDATION. This can never be said enough: input validation is the best protection against most injection-type attacks, and whitelist validation is always your best bet. Check that the data is one of a set of tightly constrained known-good values. For the username field above, accept only alphanumeric characters, and bound the length. Where a field legitimately needs other characters, escape the five characters that carry meaning inside a filter value, * ( ) \ and NUL, as \2a \28 \29 \5c \00 (RFC 4515) before concatenating; and when the input ends up in a distinguished name rather than a filter (a "CN=..." object path), the escaping rules are those of RFC 4514 instead. Validation and escaping are complementary: the whitelist limits what reaches the directory, the escaping keeps the filter well formed even if the whitelist is relaxed later.
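The following C# console program, added here as an illustration and not part of the original post, builds the post's "(cn=" + userName + ")" filter two ways: by raw concatenation, and with the allow-list plus RFC 4515 escaping described above. It runs the post's two payloads (“*” and “jonys) (| (password = * ) )”) through each builder so the structural difference is visible. It does not contact a directory; the DirectorySearcher line at the end only shows where the hardened filter would go.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example: filter construction for the post's "(cn=" + userName + ")" search.
public static class LdapFilterDemo
{
    // Vulnerable builder, as in the post: the user's text becomes filter syntax.
    public static string BuildFilterUnsafe(string userName)
    {
        return "(cn=" + userName + ")";
    }

    // RFC 4515 value escaping: the characters that carry meaning inside an
    // assertion value are replaced by \XX hex escapes, so they can no longer
    // close the assertion, open a new one, or act as a wildcard.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Allow-list for the username field: 1-64 ASCII letters or digits.
    // \z (not $) so a trailing newline cannot sneak past the check.
    private static readonly Regex AllowedUserName = new Regex(@"^[A-Za-z0-9]{1,64}\z");

    // Hardened builder: allow-list first (the post's recommendation), then
    // escaping, so the filter stays well formed even if the allow-list is
    // later relaxed to admit names with dots or spaces.
    public static string BuildFilterSafe(string userName)
    {
        if (userName == null || !AllowedUserName.IsMatch(userName))
            throw new ArgumentException("username must be 1-64 alphanumeric characters");
        return "(cn=" + EscapeFilterValue(userName) + ")";
    }

    public static void Main()
    {
        // A legitimate name plus the two inputs from the post.
        string[] inputs = { "jonys", "*", "jonys) (| (password = * ) )" };
        foreach (string input in inputs)
        {
            Console.WriteLine("input      : " + input);
            Console.WriteLine("unsafe     : " + BuildFilterUnsafe(input));
            Console.WriteLine("escape only: (cn=" + EscapeFilterValue(input) + ")");
            try
            {
                Console.WriteLine("safe       : " + BuildFilterSafe(input));
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("safe       : rejected, " + e.Message);
            }
            Console.WriteLine();
        }
        // Against a real directory the hardened filter is what goes into the search:
        // DirectorySearcher s = new DirectorySearcher(BuildFilterSafe(userName)); s.FindOne();
    }
}
```

For “*” the unsafe builder emits (cn=*), the escaping builder (cn=\2a), and the allow-list rejects the input outright; for the second payload the escaped form is (cn=jonys\29 \28| \28password = \2a \29 \29), a literal search for that odd name rather than a new filter. Note that escaping turns a user-supplied * into a literal asterisk: a search feature that is meant to offer wildcards must add the wildcard itself rather than pass the user's * through.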


Other posts:

The T-SQL LoginProperty function in SQL Server 2005

BusinessWeek hit by SQL Injection attack

How to: Use Active Directory to authenticate users

How to set NTFS permissions using C# 2005

Monday, 23 November 2009 15:31:41 (Eastern Standard Time, UTC-05:00)

I use log4net in every application I build that needs some sort of log.

Most of the examples on the log4net site put the configuration right in the App.config/Web.config file of the example application. Since they are simply examples and not real-life scenarios, that is not necessarily the best way to do it. For example, you may have a single log4net.config that you want to use in several projects, or you may simply want to keep log4net.config somewhere else to make those config files more readable.

The magic bit that at least I can't easily find and always forget is:

If you add an appSettings key called "log4net.Config" you can put an app-relative path to an external log4net.config file in there and everything will automatically configure itself using that.

It looks like this:

<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="log4net.Config" value="log4net.config" />
  </appSettings>
</configuration>

That example puts the log4net.config file right in the root of the application. You could specify "config/log4net.config" to put it in a "config" subfolder. You don't have to call the XmlConfigurator.Configure method or mark your assembly with an XmlConfiguratorAttribute: when the first logger is requested, log4net's default repository selector reads the log4net.Config app setting, resolves the path relative to the application's base directory (the site root for a web application), and hands the file to XmlConfigurator. If you also add a log4net.Config.Watch key set to True, the file is watched and reloaded when it changes. Whoever can edit that file controls where your logs go and what they contain, so it should be writable only by the deployment account.


Other posts :

How to enumerate the Domain Controllers in the current Domain in C#

How to Create User Accounts in Active Directory using C#

How to restart a Windows service using C#

How to set NTFS permissions using C# 2005

Monday, 23 November 2009 10:21:14 (Eastern Standard Time, UTC-05:00)
.NET | General | Tools
 Friday, 20 November 2009

There are many ways to generate random numbers in SQL Server. Here are some scripts that will let you accomplish this.

Method 1 : Generate Random Numbers (Int) between a Range
---- Create the variables for the random number generation
DECLARE @Random INT;
DECLARE @Upper INT;
DECLARE @Lower INT

---- This will create a random number between 1 and 999
SET @Lower = 1 ---- The lowest random number
SET @Upper = 999 ---- The highest random number
---- FLOOR over (@Upper - @Lower + 1) * RAND() covers the whole range [@Lower, @Upper];
---- the often-copied ROUND(((@Upper - @Lower - 1) * RAND() + @Lower), 0) never produces @Upper
SELECT @Random = FLOOR((@Upper - @Lower + 1) * RAND() + @Lower)
SELECT @Random

Method 2 : Generate Random Float Numbers (time-seeded)
---- RAND(seed) with a seed built from the month, second and millisecond of the current time.
---- Two calls in the same millisecond get the same seed and therefore the same value.
SELECT RAND( (DATEPART(mm, GETDATE()) * 100000 )
+ ( DATEPART(ss, GETDATE()) * 1000 )
+ DATEPART(ms, GETDATE()) )

Method 3 : Random Numbers Quick Scripts

---- random float from 0 up to 20 - [0, 20)
SELECT 20*RAND()
---- random float from 10 up to 30 - [10, 30)
SELECT 10 + (30-10)*RAND()
---- random integer BETWEEN 0 AND 20 - [0, 20]
SELECT CONVERT(INT, (20+1)*RAND())
---- random integer BETWEEN 10 AND 30 - [10, 30]
SELECT 10 + CONVERT(INT, (30-10+1)*RAND())

Method 4 : Random Numbers (Float, Int) Tables Based with Time
---- Fills a table variable with 10,001 time-seeded values, then counts how often each value came back:
---- every row in the result is a collision caused by two iterations sharing the same millisecond seed.

DECLARE @t TABLE( randnum float )
DECLARE @cnt INT; SET @cnt = 0
WHILE @cnt <= 10000
BEGIN
    SET @cnt = @cnt + 1
    INSERT INTO @t
    SELECT RAND( (DATEPART(mm, GETDATE()) * 100000 )
    + ( DATEPART(ss, GETDATE()) * 1000 )
    + DATEPART(ms, GETDATE()) )
END
SELECT randnum, COUNT(*) AS times_seen
FROM @t
GROUP BY randnum
HAVING COUNT(*) > 1

Method 5 : Random number on a per row basis

---- RAND() is evaluated once per statement, so every row of a SELECT would get the same value;
---- NEWID() is evaluated per row, which is what makes this one usable in a set-based query.
---- The distribution is pretty good however there are the occasional peaks.
---- If you want to change the range of values just change the 1000 to the maximum value you want.
---- Use this as the source of a report server report and chart the results to see the distribution
SELECT randomNumber, COUNT(1) countOfRandomNumber
FROM (
SELECT ABS(CAST(NEWID() AS binary(6)) % 1000) + 1 randomNumber
FROM sysobjects) sample
GROUP BY randomNumber
ORDER BY randomNumber

None of these is suitable where the number must be unpredictable (password-reset tokens, session identifiers, salts): RAND() is a seeded pseudo-random generator, not a cryptographic one, and NEWID() is a GUID, not a random oracle. For those cases use CRYPT_GEN_RANDOM (SQL Server 2008 and later), which returns bytes from the Windows cryptographic provider, or generate the value in the application with a cryptographic RNG.


Other posts :

How to convert dates in T-SQL

How to remove leading zeros within an SQL Query

How to insert a file in an image column in SQL Server 2005


Friday, 20 November 2009 10:21:08 (Eastern Standard Time, UTC-05:00)
Code Snippet | SQL
 Thursday, 11 June 2009

The difference between a 301 and a 302 is that a 301 status code means that a page has permanently moved to a new location, while a 302 status code means that a page has temporarily moved to a new location.

As you may know, there aren't many situations where a 302 is the appropriate choice: how often have you temporarily moved a page? Moving pages permanently is far more common. For lazy webmasters, though, a 302 is easier to produce than a 301: a JavaScript or meta-refresh redirect, which search engines treat like a temporary one, needs no server configuration. With Windows servers and IIS, creating a 301 redirect is straightforward. In the website properties or the page properties, open the Home Directory tab, select the “A redirection to a URL” option and make sure the “A permanent redirection for this resource” checkbox is checked. If it isn't checked, IIS issues a 302.


Using 302 redirects is a dangerous practice. Search engines don't like this redirection type because it is a common strategy that spammers use to get more of their domains up in search engine results. Another reason to use 301 redirects instead is that then your URLs maintain their link popularity. If you set up 302 redirects, Google and other sites that determine popularity ratings assume that the new link is eventually going to be removed. After all, it's a temporary redirect. So the new page doesn't have any of the link popularity associated with the old page. It has to generate that popularity on its own.

If you're changing your site's domain name, you should never use a 302 redirect. This almost screams "spammer" and is a good way to get all your domains blocked from Google and other search engines. If you have several domains that all need to point to the same place, use a 301 server redirect. It is common practice for sites to buy additional domains with spelling errors (or for other countries) and redirect them to the primary web site. As long as you use a 301 redirect, you won't be penalized by search engines.
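For an ASP.NET site where the redirect has to come from code rather than from the IIS property sheet, the following HttpModule, added here and not part of the original post, answers any request on an alternate domain with a 301 to the same path on the canonical host. The host names are placeholders, not the blog's own.

```csharp
using System;
using System.Web;

// Added example: answers requests on the alternate domains with a 301 to the
// canonical host. Host names below are placeholders.
public class CanonicalHostModule : IHttpModule
{
    private const string CanonicalHost = "www.example.com";
    // Misspelled and country domains registered to protect the brand (assumed values).
    private static readonly string[] AlternateHosts =
        { "example.com", "exmaple.com", "example.ca" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string host = app.Request.Url.Host.ToLowerInvariant();

        // Only hosts on the fixed list are redirected; the canonical host itself
        // is not on it, so a redirect loop is impossible.
        if (Array.IndexOf(AlternateHosts, host) < 0)
            return;

        // Same scheme, path and query string, only the host changes. The target is
        // never taken from the request, so this cannot be abused as an open redirect.
        UriBuilder target = new UriBuilder(app.Request.Url);
        target.Host = CanonicalHost;

        HttpResponse response = app.Response;
        response.Clear();
        response.StatusCode = 301;                 // Response.Redirect() would send a 302
        response.StatusDescription = "Moved Permanently";
        response.RedirectLocation = target.Uri.AbsoluteUri;
        app.CompleteRequest();                     // end the pipeline without a ThreadAbortException
    }

    public void Dispose() { }
}
```

Register the module under system.web/httpModules (IIS 6 or the classic pipeline) or system.webServer/modules (IIS 7 integrated pipeline), then check it with a HEAD request against one of the alternate hosts: the response should be a 301 whose Location header carries the original path and query string on the canonical host.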

Other posts :

8 easy tips to drive traffic from search engines to your site

What Are Customers Saying About You Online?

Thursday, 11 June 2009 10:48:53 (Eastern Standard Time, UTC-05:00)
 Wednesday, 10 June 2009

This C# snippet lets you enumerate all the domain controllers in the current Active Directory Domain.

using System.Collections;
using System.DirectoryServices.ActiveDirectory;

public static ArrayList GetDomainControllerNames()
{
    ArrayList domainControllerList = new ArrayList();
    // Domain of the current security context; use Domain.GetComputerDomain() for the machine's domain
    Domain currentDomain = Domain.GetCurrentDomain();
    foreach (DomainController dc in currentDomain.DomainControllers)
    {
        domainControllerList.Add(dc.Name);   // fully qualified DNS name of the DC
    }
    return domainControllerList;
}


Other relevant posts:

How To: Create User Accounts in Active Directory using C#

How to enumerate the Domains in the current Forest in C#

How To: Use Active Directory To Authenticate Users

Wednesday, 10 June 2009 13:07:53 (Eastern Standard Time, UTC-05:00)
C# | Code Snippet

This C# snippet lets you enumerate all the domains present in the current Active Directory Forest.

using System.Collections;
using System.DirectoryServices.ActiveDirectory;

public static ArrayList GetDomainNames()
{
    ArrayList domainList = new ArrayList();
    Forest currentForest = Forest.GetCurrentForest();
    DomainCollection myDomains = currentForest.Domains;
    foreach (Domain domainItem in myDomains)
    {
        domainList.Add(domainItem.Name);   // DNS name of each domain in the forest
    }
    return domainList;
}


Other relevant posts:

How To: Create User Accounts in Active Directory using C#

How To: set NTFS Permissions using C#

How To: Use Active Directory To Authenticate Users

Wednesday, 10 June 2009 12:57:23 (Eastern Standard Time, UTC-05:00)
C# | Code Snippet
 Monday, 08 June 2009
Just found this excellent blog post (continually updated) that lists a ton of free SQL Server tools for all sorts of purposes. Check it out at
Monday, 08 June 2009 10:04:24 (Eastern Standard Time, UTC-05:00)
SQL | Tools
 Friday, 20 March 2009

This function creates a new user Account in your active directory domain:

using System;
using System.DirectoryServices;

public string CreateUserAccount(string ldapPath, string userName, string password)
{
    string connectionPrefix = "LDAP://" + ldapPath;   // e.g. an OU path such as "OU=Staff,DC=example,DC=com"
    try
    {
        DirectoryEntry dirEntry = new DirectoryEntry(connectionPrefix);
        // "CN=" + userName is a distinguished-name fragment: reject or RFC 4514-escape , + " \ < > ; in userName first
        DirectoryEntry newUser = dirEntry.Children.Add("CN=" + userName, "user");
        newUser.Properties["samAccountName"].Value = userName;
        newUser.CommitChanges();                           // the object must exist before a password can be set
        newUser.Invoke("SetPassword", new object[] { password });
        newUser.Properties["userAccountControl"].Value = 0x0200;   // NORMAL_ACCOUNT: clears the default ACCOUNTDISABLE flag
        newUser.CommitChanges();
        return newUser.Guid.ToString();                    // objectGUID of the new account
    }
    catch (DirectoryServicesCOMException E)
    {
        // Do not swallow directory errors silently; surface them with context
        throw new InvalidOperationException("Could not create account " + userName + ": " + E.Message, E);
    }
}

Related posts :

How To: Use Active Directory To Authenticate Users

How To: set NTFS Permissions using C#

How to enumerate the Domain Controllers in the current Domain in C#

Friday, 20 March 2009 13:11:31 (Eastern Standard Time, UTC-05:00)
C# | Code Snippet
 Wednesday, 11 March 2009

If you haven’t already jumped on the Silverlight train, here’s a fun way to get you started.

Tess has up on her blog a full tutorial on creating a game in silverlight.

Her game project is divided in 5 parts:

Part 1 - Creating the main layout

Part 2 - Creating a Car user control

Part 3 - Using Linq to XML to read and generate the levels

Part 4 - Adding drag and drop functionality to move the cars around

Part 5 - Storing high scores in Isolated Storage with Linq to XML

And by the way, she maintains the best debugging blog I've seen. Called “If broken it is, fix it you should”, it has very high quality content and covers lots of advanced stuff: debugging application hangs, application crashes and memory leaks.

Wednesday, 11 March 2009 09:54:18 (Eastern Standard Time, UTC-05:00)
Silverlight | Games

What is Native Client?

Native Client is an open-source research technology for running x86 native code in web applications, with the goal of maintaining the browser neutrality, OS portability, and safety that people expect from web apps.

About the contest

Do you think it is impossible to safely run untrusted x86 code on the web? Do you want a chance to impress a panel of some of the top security experts in the world? Then submit an exploit to the Native Client Security Contest and you could also win cash prizes, not to mention bragging rights.

What is the contest

This is a contest with the goal to test the security of Native Client.

To participate, you will need to:

  • Register yourself (or your team)
  • Download our latest build
  • Join the NaCl discussion group
  • Report the exploits you find to our team


You can register for the contest on Wednesday, February 25th 2009. The contest will end on Tuesday, May 5th 2009 at 11:59:59 Pacific time. Sign up early to start reporting exploits as soon as possible.

What’s in it for you

Participating in the contest means that you will engage with early stage research technology. In addition, your work will be reviewed by a panel of security experts from some of the world’s most renowned universities, chaired by Edward Felten of Princeton University. Finally, by submitting high impact bug(s), you will also have the chance to compete to win one of our five cash prizes, as well as the recognition of your peers.

Eligible participants that are ranked in the top 5 positions of the competition by Judges will receive the following awards in U.S. Dollars based on their rank:

1st prize: $8,192.00
2nd prize: $4,096.00
3rd prize: $2,048.00
4th prize: $1,024.00
5th prize: $1,024.00

Winning Entries will be announced on or about December 7th.

Details at:

Wednesday, 11 March 2009 08:57:37 (Eastern Standard Time, UTC-05:00)
News | Security
 Friday, 20 February 2009

The words “free” and “Microsoft” don’t often appear in the same sentence, so imagine my surprise at discovering this deal: a free custom domain name, free Web hosting, free e-mail accounts, and more.

As you might expect from the name, Microsoft Office Live Small Business has a decidedly business focus–but that doesn’t mean you can’t use it for a personal site.

The freebie account includes not only the domain (any available .com, .net, .org, or .info address), but also site-building tools, reporting tools, project and document managers, 100 e-mail addresses, and collaboration-minded online workspaces. You get 500MB of storage, too.

So what’s the catch? There really isn’t one, though the free domain hosting expires after one year. After that, it’ll run you $14.95 annually.

Photo by Microsoft.

Friday, 20 February 2009 15:41:02 (Eastern Standard Time, UTC-05:00)

Following my post on Chuck Norris programming facts, here are more facts for your viewing pleasure:

  • MVC actually stands for Model-View-ChuckNorris. Controller is just one of his nicknames.
  • Chuck Norris was written in C# which itself was written in Chuck Norris
  • You don't follow Chuck Norris on Twitter. He follows you, finds you, and kills you
  • The design of Silverlight DeepZoom was directly inspired by Chuck Norris’ powers of bionic vision.
  • Chuck Norris doesn't write code...oh no, he thinks about the finished product and the code appears.
  • Chuck Norris has no need for virtual methods. Nothing can override Chuck Norris.
  • A synchronize operation doesn't protect against Chuck Norris, if he wants the object, he takes it.
  • Chuck Norris invented recursion to see what would happen if he roundhouse kicked himself.
  • Chuck Norris can multi-thread on a single processor by breaking it into pieces.
  • Chuck Norris wrote a program that calculated the last digit of pi.
  • Chuck Norris' compiler is afraid of displaying warnings to him. It just fixes the code automatically.
  • Chuck Norris uses Vista with UAC turned on. He has received no warnings. Ever.
  • Chuck Norris' monitor has no glare…no-one glares at Chuck Norris.


And as a last one for today, try to type "How to Find Chuck Norris" in Google and click "I'm Feeling Lucky"…

Friday, 20 February 2009 13:34:35 (Eastern Standard Time, UTC-05:00)

About the author/Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2017 Stanislas Biron