MSDD: Securing a Login Form
The focus of MS DevDays 2004 was on writing secure code. In the Web Development Track of the event, Paul Litwin demonstrated SQL injection attacks against a simple login web page. After all, most web apps worth attacking with SQL injection are going to require the user to log in, and login pages are common. Of course, the point of the demo was to show how easy it is to victimize a poorly written login page. At the lunch break, one of the people I was talking to said, “Instead of showing us how to hack an unsecure login page, why don't they just build a secure login page component we can use?” Well, guess what we saw during the closing session in a demo of new features in Whidbey (the codename for the next release of Visual Studio .NET)? A secure login component! It's almost like they were listening to us…