Code Coverage on GitHub PRs with Coveralls.IO
With Coveralls.IO it’s possible to get code coverage on all pull requests submitted. For Kentor.AuthServices I’ve set up AppVeyor builds that use Coveralls.Net to upload coverage numbers to Coveralls.IO. Why Coveralls.IO? When I set up the code coverage I already had AppVeyor builds running. I wanted something that worked together with AppVeyor. I tried out…
Author: Anders Abel
Breaking Changes to SignedXml in MS16-035
Earlier this month, Microsoft released MS16-035 that addresses issues I previously reported in SignedXml. They did not only fix the duplicate Id vulnerability I reported though, they also fixed a number of other issues – introducing some breaking changes. This post is an effort to document those changes and the registry switches that can…
Vulnerability in .NET SignedXml
.NET’s SignedXml class has had a risky implementation for lookup of XML elements by id in GetIdElement() when resolving signed XML references. The lookup validated only the first element if there were several with the same id. This opens the door to XML Signature Wrapping attacks in any library that is using the default implementation without…
XML Signatures and References
Last week I showed a peculiar XML Signature that validates even though the containing document was changed. The reason is that the signature lacks References. Before explaining what’s wrong with the signature – and with the validation code, we’ll have a look at how XML Signatures work. XML DSig Primer XML in general is a…
An Always Valid XML Signature
XML Signatures are powerful, but also a bit tricky to get right. Here’s a challenge: I have a signature that will validate, even though the contents of the XML document are altered. This is the “magic” signature that validates regardless of what XML document it is placed in. <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> <SignatureMethod…