Andrew Lock "Sock"
@andrewlock.bsky.social
2.4K followers 340 following 880 posts
Microsoft MVP and blogger, focused on ASP.NET Core. Author of ASP.NET Core in Action (https://mng.bz/5mRz) Blog: https://andrewlock.net Mastodon: @[email protected] Twitter: @andrewlocknet
Reposted by Andrew Lock "Sock"
Blogged: Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315

andrewlock.net/understandin...

In this post I discuss request smuggling, the recent vulnerability in ASP.NET Core with a severity score of 9.9, and how attackers could exploit it

#dotnet #aspnetcore
Reposted by Andrew Lock "Sock"
Understanding the worst .NET vulnerability ever: request smuggling and CVE-2025-55315 by @andrewlock.bsky.social andrewlock.net/understandin... #aspnetcore
Interesting - I assume the feature flag client is doing some caching of the results rather than doing HTTP or something every time? Maybe ValueTask<T> would be a good option for the API (i.e. sync primarily but with async option)... only question is how to introduce it in a back compat way 😅
I considered it originally, my concern was that you probably shouldn't be doing async stuff on your request hot path, so the sync api was meant to encourage you to just do simple stuff or offload to a background service etc if necessary
Yeah, that's probably your best bet
Awesome, Giscus is so much cleaner, and hopefully that script works well for you! 🤞😃
Blogged: Adding metadata to fallback endpoints in ASP.NET Core

andrewlock.net/adding-metad...

In this post I discuss fallback endpoints and show how adding metadata to MVC or Razor Page fallback endpoints has some quirks to be aware of

#dotnet #aspnetcore
What I don't really understand is if you're redirecting to somewhere on the same origin, then it should be covered by the CSP and not be violating as far as I can tell... But if your Auth is such that you redirect externally, then I'd expect you to hit the issue?
Ah, intriguing! It looks like if you have a redirect from a form submission, you need to have the final location in the CSP too 🤔

github.com/w3c/webappse...

Or put another way, form-action is basically broken in a bunch of scenarios, including the PRG pattern 🙄
CSP: form-action and redirects · Issue #8 · w3c/webappsec-csp
From @ptoomey3 on September 23, 2015 0:12 I just wanted to open an issue to get your thoughts on form-action with respect to redirects. We have been working on deploying form-action and have run in...
Interesting, I'm out of the country for a couple of weeks but happy to take a closer look when I'm back if you haven't got to the bottom of it 😬 what's the exact error you're getting? 🤔
Any more details? I haven't tried it specifically, but you'll need to allow js sources at a minimum. client-side wasm needs wasm-unsafe-eval too. See learn.microsoft.com/en-us/aspnet... and also the section on frame-ancestors
Blogged: Publishing NuGet packages from GitHub actions the easy way with Trusted Publishing

andrewlock.net/easily-publi...

In this post I describe how you can use nuget's new Trusted Publishing feature to publish NuGet packages from a GitHub Actions workflow

#dotnet #NuGet #GitHubActions
Tbh, it's not my area, so you'll probably be better off raising a ticket with support 🙂 Not trying to fob you off, it just might be quicker for you! 😄
I think the main thing you're missing is setting the resources like service.name, deployment.environment.name and service.version using the resource builder, though I can't find any good guidance for you to follow unfortunately
Nothing stands out tbh. RE the metrics, these are the docs for the metrics OTLP endpoint (we're missing a .NET one atm): docs.datadoghq.com/opentelemetr...

but the agentless page also says this:

> The Datadog OTLP intake endpoint is in Preview. To request access, contact your account representative
Datadog OTLP Metrics Intake Endpoint
I'm still not quite sure if you want to use the .NET Datadog auto-instrumentation or Datadog.Trace package, or if you want to use pure OTel? This sample shows using the standard `AddOpenTelemetry()` APIs with auto-instrumentation, sending to a Datadog agent: github.com/DataDog/dd-t...
Blogged: sleep-pc: a .NET Native AOT tool to make Windows sleep after a timeout

andrewlock.net/sleep-pc-a-d...

In this post I describe a small native AOT .NET tool that I built to force a Windows PC to go to sleep after a timer expires

#dotnet
Hey, I don't have any articles about it, but just to check - how are you configuring "native OTEL"? If it's just using the "standard" Otel packages (i.e. nothing Datadog specific, no Datadog.Trace etc) then you should just be able to point the exporter at the Datadog OTEL collector endpoint
Reposted by Andrew Lock "Sock"
As requested, I published an article about how the UI profiler works: minidump.net/measuring-ui...
It allows me to measure the responsiveness of Visual Studio when running with ReSharper, in various conditions.

I also made the source code available on github: github.com/kevingosse/U...
Reposted by Andrew Lock "Sock"
.NET STS releases are now supported for 2 years instead of 18 months starting with .NET 9 (the current STS). STS releases now go out-of-support on the same day as the previous LTS release. Upgrading to an STS release will no longer cause you to lose support!
devblogs.microsoft.com/dotnet/dotne...