Security Vulnerability of passing Domain objects to Controller Actions in MVC

Sometimes I come across ASP.NET MVC or WebAPI code that contains a security flaw where developers accept, as their controller action’s parameter, the same model that they are passing to their data access. This model can be a Domain Object used in an ORM such as Entity Framework or NHibernate. A client can send additional properties in the JSON body, form collection or whatever content type you are accepting, and these will populate unintended properties in the domain object if available, including navigational properties and foreign keys. Usually this domain is then used directly in the ORM either in an...

Blue-Green Deployments with Octopus Deploy and Azure Websites from TFS

This article aims to explain how we can use Octopus Deploy to automate deployments to Azure Websites with a single deployment agent (tentacle) using the Blue-Green deployment pattern. This infrastructure is being used in my startup Grikly, running purely on Azure using the BizSpark subscription, a simple and nice setup for a low-cost software development company. The same concepts can be used in enterprise-grade systems. Blue-Green deployments allow us to deploy web applications that require warm-up time without any downtime. This requires running 2 instances of production-grade environments, such as staging and production. We deploy to staging,...

Integration test ASP.NET WebAPI with OWIN and Authentication

In this article, I’m going to share the steps I take in order to run integration tests on ASP.NET WebAPI using OWIN/Katana that uses authentication from ASP.NET Identities. One of the great things about ASP.NET WebAPI 2.0 is that we can self-host the whole application without the need for IIS. This allows us to easily write integration tests: we can have our test runner spin up the web application in memory and throw in-memory requests at it. Prepare WebAPI for testing First we need to prepare the WebAPI project for in-memory testing. Help Page If you are generating the Help...

Setting up Release Management in Azure Virtual Machine

This is a walkthrough of setting up the Release Management tool in a Windows Azure virtual machine and then connecting to it from an off-site machine. Tools required Release Management Server Release Management Client Windows Azure Virtual Server Setup Configure RM Server Remote to your server, download and install the Release Management Server. The identity for Release Management services should be an account that you would like to shadow on other environments. Server settings should look like the image below. I installed an SQL Express server on the same VM and the web service port is the default port 1000....

Things learnt at start-up weekend Jamaica 2013

I attended the first start-up weekend Jamaica event with the intention of gaining some experience and learning things from the vast knowledge base provided by the awesome coaches at the event. The weekend is a 54-hour event, starting from a Friday evening to Sunday evening, attended by entrepreneurs from various backgrounds such as designers, developers, marketers, etc. We pitch an idea, people form a team with the ideas they like and they work on a pitch over the weekend. They try to iron out the problem, solutions and business viability with the help of coaches. Being a part of...