Viewing all 317 articles

How to make sure user would not be able to browse directly to that page in the URL

How to make sure a user would not be able to access the aspx page directly by manually entering the URL, but only through the application?

I tried using url.referrer, but as I am using server.transfer it would not work.

Please suggest, and also suggest how we can disable the browser back button; I tried JavaScript on load window.history.forward(); but it's now working.


How to authenticate user by using active directory group(s)?

I have a C# ASP.NET 4.0 web site and would like to limit access to the web site to users in one or more Active Directory groups. I have been able to configure my web.config so that only users with valid Active Directory user names and passwords can access the web site, but I have not been able to figure out how to limit access to users in an Active Directory group or groups. I'm using Visual Studio 2010. I've done Google searches for the last several days and have only found complex code samples of how to perhaps get this to work. I don't understand why Microsoft hasn't made this simple to implement. Seems like it should only require relatively simple changes to the web.config file. Is it possible to get this authentication to work by only making changes to the web.config file? Somebody please enlighten me on why Microsoft has made this so difficult to do. I would appreciate any help or advice on the easiest way to implement this authentication. Thanks!

ASP .NET MVC C# recommended code solution fix for a Web Inspect HP Fortify report class II finding.

I have been trying to find a code repair for a Web Inspect HP Fortify report class II finding. I have a case where the IA error, Information disclosure vulnerability, has been caused by poor error handling. The application runs fine; however, this problem is found in the low-level code and reported. Everything I have found on the internet only talks about errors that cause the application to throw high-level exceptions that cause the application to crash, and not one that goes deep enough to find code solutions at the code level for IA errors that don't crash the application. If anyone knows of an actual code solution, that would be great.

Dangerous code detected on production server only with htmleditor extender.

I'm a bit baffled. I've got all prerequisites configured and working correctly with my htmleditorextender, meaning:

1) Sanitization providers correctly installed, referenced with dlls etc.

2) Latest htmlagilitypack installed and configured.

3) Latest antixss library referenced.

4) requestvalidation set to false so that these processes override the inherent asp.net validation.

Result... Locally this all works perfectly with Visual Studio 2012, but when I run this on my VPS we still get an error 'dangerous code detect..'

Why would it do that???

Can Google Webmaster Tools find malware in pages that are password protected?

I use membership security for my website (yes, I know it is outdated, but I had too much trouble updating it), which means that various folders in the site have a web.config file in them, that restricts each folder to users in a particular role.

Recently I added my site to Google Webmaster Tools, which has a feature that searches the site for malware.  (I'm not sure what this means - does it look at pages to see if malicious javascript was inserted, or does it just look for programs?)

Anyway, it would seem that Google tools could not access most of my folders and files, given this security setup.  So the malware check is useless.

Am I correct?

Thanks.

Using AntiXSS on store and read from db redundant?

Is there any point in passing information read from a db through AntiXSS filters if the only way it could be saved to the db in the first place was by going through an AntiXSS filter? I have dynamic pages that pull information from a db, and that information was submitted by other users, and before being saved to the db all the input was passed through and confirmed by AntiXSS filters. I don't really see a point in putting the information through the filters again once the dynamic page is populated from the db?

accessing a webservice both from asp.net and from a program

I have a webservice on my website.  I also have a stand alone program that people can download from my website, to interact with the webservice.  The webservice writes to a database, and my website reads from that database (and also writes to it as well).

My website is protected with https (ssl).  So information (such as passwords) that is sent to the website is protected.  But if I want my stand-alone program (that people download) to interact with the web-service, will the traffic between it and the webservice be protected by SSL?  Is there a way to find out?

Thanks

A strange website bug

I have an asp.net website, which I work on from home.  One day, I worked on it with a library computer, (the library was 40 miles from my home) and several pages crashed.  But they crashed with server errors, not with browser errors.  So I asked my web provider if websites could be redirected by hackers, and they said yes, but I did not quite see why one computer (at home) would work, and another in another town would not work. 

Recently, we had a friend in another state of the U.S. test our website.  He gave all sorts of advice, but complained that his laptop crashed 40 times while using our site.  I started reading his advice, and I realized that he was complaining about features that we had removed half a year ago, and he was mentioning in passing GUI features (such as GO buttons) that we had removed even before that.

And he did this test last week, not six months ago.

So I reported all this to a colleague, and my colleague asked me this: suppose this person had been told about our website a year ago, and had viewed it, and then forgotten that he viewed it, would pages be cached in his browser, so he would see a super-old version of our website?

Otherwise we have a super-security problem.

Thanks

G


Regarding encryption and decryption of query string


A simple question I have.
Does encryption of a query string using a constant key always produce the same encrypted value for a constant text? If yes, how can I avoid this? Also, server.transfer will not be a solution as I am trying cross domain.
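Added example, not part of the original post: with a fixed key and a fixed IV (or ECB mode), AES returns the same ciphertext for the same text every time; generating a fresh random IV per token changes that, and an HMAC lets the receiving site reject a modified value. The class name, token layout (IV, ciphertext, HMAC-SHA256 tag), key handling and sample value are assumptions made for this sketch.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class QueryStringProtector
{
    const int IvLen = 16, TagLen = 32;

    // Token layout (constructed for this example): IV || ciphertext || HMAC-SHA256(IV || ciphertext)
    public static string Protect(string plain, byte[] encKey, byte[] macKey)
    {
        using (Aes aes = Aes.Create())           // defaults: CBC mode, PKCS7 padding
        {
            aes.Key = encKey;
            aes.GenerateIV();                    // fresh random IV for every token
            byte[] data = Encoding.UTF8.GetBytes(plain);
            byte[] ct;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(data, 0, data.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();
            using (var hmac = new HMACSHA256(macKey))
                return ToUrlSafe(body.Concat(hmac.ComputeHash(body)).ToArray());
        }
    }

    public static string Unprotect(string token, byte[] encKey, byte[] macKey)
    {
        byte[] raw = FromUrlSafe(token);
        if (raw.Length < IvLen + 16 + TagLen)
            throw new CryptographicException("Token too short.");
        byte[] body = raw.Take(raw.Length - TagLen).ToArray();
        byte[] tag = raw.Skip(raw.Length - TagLen).ToArray();
        using (var hmac = new HMACSHA256(macKey))
        {
            // Verify the tag before decrypting anything.
            if (!ConstantTimeEquals(tag, hmac.ComputeHash(body)))
                throw new CryptographicException("Token was modified.");
        }
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = body.Take(IvLen).ToArray();
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(
                    dec.TransformFinalBlock(body, IvLen, body.Length - IvLen));
        }
    }

    static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Base64 with the characters that are unsafe in a URL replaced.
    static string ToUrlSafe(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static byte[] FromUrlSafe(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    public static void Main()
    {
        // Keys are random here; both sites would share them out of band.
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        const string value = "customerId=1001";              // constructed sample value
        string t1 = Protect(value, encKey, macKey);
        string t2 = Protect(value, encKey, macKey);
        Console.WriteLine("tokens differ:  " + (t1 != t2));
        Console.WriteLine("both decrypt:   " + (Unprotect(t1, encKey, macKey) == value
                                             && Unprotect(t2, encKey, macKey) == value));

        // Change one character of the token and show that it is rejected.
        string tampered = (t1[0] == 'A' ? "B" : "A") + t1.Substring(1);
        try { Unprotect(tampered, encKey, macKey); }
        catch (CryptographicException ex) { Console.WriteLine("tampered token: " + ex.Message); }
    }
}
```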

JavaScript error on all of my working ASP.net programs in Visual Studio

I keep getting a JavaScript error on all of my working ASP.net programs in Visual Studio.

I think I caught a virus.

Here is my error code:

JavaScript critical error at line 1, column 1 in about:/WebResource.axd?d=...: Syntax error

This even happens to ASP.net programs that do not have any <script></script> code.

Screen scraping with AutoLogin

Hi,

I wanted to do AutoLogin and screen scraping of the page. I was able to log in by extending WebClient. I'm using Asp.Net 4.5 without MVC. The problem I have is that inside this page there is a flash component that does an HTTP POST to get data. Once the flash object does an HTTP POST, I can see in Fiddler that I get an Authentication. I suspect the ASP.NET_SessionId is not set for flash to do the HTTP request. I tried setting the cookie in the Response, but the flash object is still not rendering because of the authentication problem, because the ASP.NET_SessionId is empty.

Setting the ASP.NET_SessionId:

Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", System.Web.HttpContext.Current.Session.SessionID));

    using System;
    using System.Collections.Specialized;
    using System.Net;

    // WebClient subclass that keeps cookies between requests.
    public class WebClientEx : WebClient
    {
        private CookieContainer container;

        public WebClientEx()
        {
            this.container = new CookieContainer();
        }

        public WebClientEx(CookieContainer container)
        {
            this.container = container;
        }

        public string Get(string URL)
        {
            return this.DownloadString(URL);
        }

        public CookieContainer CookieContainer
        {
            get { return container; }
            //set { container = value; }
        }

        // Attach the shared cookie container and browser-like headers to every request.
        protected override WebRequest GetWebRequest(Uri address)
        {
            WebRequest r = base.GetWebRequest(address);
            var request = r as HttpWebRequest;
            if (request != null)
            {
                request.CookieContainer = container;
                request.ProtocolVersion = HttpVersion.Version10;
                request.UserAgent = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0";
                request.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
                request.KeepAlive = true;
            }
            return r;
        }

        protected override WebResponse GetWebResponse(WebRequest request, IAsyncResult result)
        {
            WebResponse response = base.GetWebResponse(request, result);
            ReadCookies(response);
            return response;
        }

        protected override WebResponse GetWebResponse(WebRequest request)
        {
            WebResponse response = base.GetWebResponse(request);
            ReadCookies(response);
            return response;
        }

        // Copy cookies set by the server into the shared container.
        private void ReadCookies(WebResponse r)
        {
            var response = r as HttpWebResponse;
            if (response != null)
            {
                CookieCollection cookies = response.Cookies;
                container.Add(cookies);
            }
        }

        public string Post(string URL, NameValueCollection data)
        {
            return this.Encoding.GetString(this.UploadValues(URL, data));
        }
    }

Error Authentication:

{"Message":"Authentication failed with error code <NotAuthenticated>","StackTrace":"","ExceptionType":""}

Why IIS denied all asp.net requests?

I have a website which is intended for logged-on Windows users only, so I set IIS anonymous access = false, windows authentication = true,

and assigned all users to a group that has access to the wwwroot website folder.

It worked for a long time; suddenly today, no users can access the website.

I did some tests and found that:

1. All static files work fine: they require a Windows logon, and if you have a logon, you can access them.

2. All ASP.NET files, like .aspx or those accessed through a controller/view, are denied.

3. One particular user can log in, only if I specify the domain name in front of it (previously, no domain name was required); other users still can't, even if I have the domain name specified.

4. That user is the owner of the website folder and has full permission; however, if I assign full permission to another user, the other user still can't log on, so I don't know what lets the first user log on.

Please help

Improper Neutralization of special elements used in an sql command

This is very similar to a previous post but with different code.

I have to eliminate a SQL injection error from within a method. Now, with only minor modifications this error must be eliminated. Here is the description from the scan:

Attack vector: system_data.system.data.IDbCommand.ExecuteReader
Description: The database query contains a sql injection flaw. The call to system_data_dll.System.Data.IDbCommand.ExecuteReader constructs a dynamic sql query using a variable derived from user-supplied input. An attacker could exploit this flaw to execute arbitrary sql queries against the database. ExecuteReader was called on the command object, which contains tainted data. The tainted data originated from earlier calls to system_data_dll.data.common.dbcommand.executereader,  System_web_dll.system.web.httprequest.get_params, system_web_dll.data.common.dbadapter_fill, system_data_dll.system.data.common.dbwommand.executescarar and system_web_dll.system.web.httprequest.get_form

Code:

        protected DataTable ExecuteDataTable(DbCommand command, ParamData[] pDataArr)
        {
            DataTable returnValue = null;
            try
            {

                if (_connection == null)
                    OpenConnection();
                else
                {
                    if (_connection.State == ConnectionState.Closed)
                        OpenConnection();
                }

                command.Connection = _connection;
                command.CommandType = CommandType.Text;
                command.CommandTimeout = 12000;

                //add Parameter
                for (int i = 0; i < pDataArr.Length; i++)
                {
                    DbParameter parameter = command.CreateParameter();
                    parameter.ParameterName = pDataArr[i].pName;
                    parameter.DbType = pDataArr[i].pDataType;
                    parameter.Value = pDataArr[i].pValue;
                    command.Parameters.Add(parameter);
                }

                // Create a DataTable
                returnValue = new DataTable();

                DbDataReader reader;
                reader = command.ExecuteReader();

                using (reader)
                {
                    // Fill DataTable
                    returnValue.Load(reader, LoadOption.OverwriteChanges);
                }

                reader.Close();

                if (!KeepAlive && _connection.State == ConnectionState.Open)
                {
                    CloseConnection();
                }
            }
            catch (Exception e)
            {
                if (e is EntryPointNotFoundException)
                    throw; // rethrow without resetting the stack trace
                _iserror = true;
                LogBLL bll = new LogBLL();
                bll.WriteErrorLog(e);
            }

            pDataArr = null;

            return returnValue;
        }

Thanks in advance!

SQL Injection error.

I have to eliminate a SQL injection error from within a method. What the code is doing is passing in a SQL querystring as the command to a DbCommand object, see the code below. Now, with only minor modifications this error must be eliminated. Here is the description from the scan:

This database query contains a sql injection flaw. The call to system_data_dll.Data.IDbCommand.ExecuteNonQuery constructs a dynamic sql query using a variable derived from the user-supplied input. An attacker could exploit this flaw to execute arbitrary sql queries against the database. ExecuteNonQuery was called on the command object, which contains tainted data. The tainted data originated from earlier calls to system_data.system.data.common..dbconnand.execurereader, system_web_dll.wweb.httprequest.get_params, system_data_dll.system.data.system.data.common.dbaadapter.fill.

Below is the actual function code:

        protected object ExecuteScaler(string queryString)
        {
            object returnValue = null;

            if (!_iserror)
            {
                if (_trace)
                { DoTrace("TAMIS.Data.Loader.ExecuteScalar", queryString); }

                if (_connection == null || _connection.State == ConnectionState.Closed)
                {
                    OpenConnection();
                }

                DbCommand command = _provider.CreateCommand();
                command.Connection = _connection;
                command.CommandText = queryString;
                command.CommandType = CommandType.Text;
                if (_useTransaction) { command.Transaction = _transaction; }

                try
                {
                    returnValue = command.ExecuteScalar();
                }
                catch (Exception ex)
                {
                    if (ex is EntryPointNotFoundException)
                        throw; // rethrow without resetting the stack trace
                    //if (_useTransaction == true)
                    //_transaction.Rollback();
                    RollBack();

                    LogBLL bll = new LogBLL();
                    bll.WriteErrorLog(ex);

                    _iserror = true;
                }
                finally
                {

                    if ((!KeepAlive && _connection.State == ConnectionState.Open) || _iserror == true)
                    {
                        CloseConnection();
                    }

                }
            }
            else
            {
                returnValue = -1;
            }


            return returnValue;
        }

Thanks in advance for all of your help!

Unable to stop SQL injection errors.

I finally get it. It's not just the code I use to execute the ExecuteScalar method, but it is mainly the code upstream that is executing the class. It is everything calling your code. That said, can someone please see if the code executing my SQL class has faults. I still can't pass the scans. First I will show you two examples of the code calling my code, then the calling code, and finally the executing code, which I formulated and displayed from a previous post.

Calling code with Three parameters    

        public bool isTamAsp(int aspKey, int fy, string accountCode)
        {
            MyParam myParam;

            string sqlQuery = "select isTamMacom = count(macom_key) FROM hier_fy " +"WHERE hier_key = @aspKey AND fy = @fy  AND @accountCode NOT IN (3,4,7,8) AND macom_key IN (select hier_key from lkup_e581_MacomThatRequireTAM) AND is_visible = 1 AND is_active = 1";

            QueryContainer Instance = new QueryContainer(sqlQuery);

            myParam = new MyParam();

            myParam.SqlParam = new SqlParameter("@aspKey", Instance.AddParameterType(_DbTypes.Int));

            myParam.SqlParam.Value = aspKey;

            Instance.parameterList.Add(myParam);

            myParam = new MyParam();

            myParam.SqlParam = new SqlParameter("@fy", Instance.AddParameterType(_DbTypes.Int));

            myParam.SqlParam.Value = fy;

            Instance.parameterList.Add(myParam);

            myParam = new MyParam();

            myParam.SqlParam = new SqlParameter("@accountCode", Instance.AddParameterType(_DbTypes._string));

            myParam.SqlParam.Value = accountCode;

            Instance.parameterList.Add(myParam);

            if (Convert.ToInt32(ExecuteScaler(Instance)) < 1)
                return false;

            return true;
        }

Calling code with no parameters:

   

        public long GetMarinesUploadNextUploadKey()
        {
            string query = "SELECT MAX(upload_key) FROM temp_auth_usmc_upload";

            QueryContainer Instance = new QueryContainer(query);

            string result = Convert.ToString(ExecuteScaler(Instance));
            if (string.IsNullOrEmpty(result))
                return 1;
            else
                return Convert.ToInt64(result) + 1;
        } 


    

Code calling my previous code with three parameters     

        public bool isTamAsp(int aspKey, int fy, string accountCode)
        {
            return e581provider.isTamAsp(aspKey, fy, accountCode);
        }

Method calling the SQL executing my code:

 

                DbCommand command = _provider.CreateCommand();

                command.Connection = _connection;
                {
                    command.CommandText = Instance.Query;
                    command.CommandType = CommandType.Text;

                    if (Instance.parameterList.Count > 0)
                    {
                        foreach (var p in Instance.parameterList)
                        {
                            command.Parameters.Add(p.SqlParam);
                        }
                    }

                    if (_useTransaction) { command.Transaction = _transaction; }

                    try
                    {
                        returnValue = command.ExecuteScalar();
                    }

My Class containing the SQL string and the cmd parameter List.

    public enum _DbTypes
    {
        Int = 1, _string = 2, _long = 3, _bool = 4, _DateTime = 5,
        _decimal = 6, _float = 7, _short = 8, _bite = 9
    } 

    public class MyParam
    {
        public SqlParameter SqlParam { get; set; }
    }
    /// <summary>
    /// Summary description for QueryContainer SGH
    /// </summary>
    public class QueryContainer
    {

        string _query;

        public List<MyParam> parameterList = new List<MyParam>();

        public QueryContainer(string query) { _query = query; }

        public SqlDbType AddParameterType(_DbTypes id)
        {
            switch (id)
            {
                case _DbTypes.Int:
                    return (SqlDbType)Enum.Parse(typeof(SqlDbType), "int", true);
                case _DbTypes._string:
                    return (SqlDbType)Enum.Parse(typeof(SqlDbType), "NVarChar", true);
                case _DbTypes._long:
                    // Enum.Parse needs the bare member name; "SqlDbType.BigInt" would throw ArgumentException.
                    return (SqlDbType)Enum.Parse(typeof(SqlDbType), "BigInt", true);
                case _DbTypes._bool:
                    return (SqlDbType)Enum.Parse(typeof(SqlDbType), "Bit", true);
            }

            return SqlDbType.VarChar;

        }

        public string Query
        {
            get
            {
                return _query;
            }

            set { _query = value; }
        }
    }


ExecuteNonQuery SQL injection error from concatenating C# client values into a hard coded SQL string making a call to a SQL server.

I posted a message in the SQL forum but I think it was the wrong place. This is my problem. When I do an ExecuteNonQuery statement string from a c# client I am adding C# variables to the hard coded ExecuteNonQuery statement from the client as such:

string sqlQuery = "UPDATE rights SET category_key = " + toCat + " WHERE rights_key = @rights_key";
QueryContainer Instance = new QueryContainer(sqlQuery);

ExecuteNonQuery(sqlQuery);

Also, when I do an SQL ExecuteScaler statement from a C# client, I am adding C# variables to the hard coded values in the SQL statement like this:

queryString.Append(" SELECT isnull(");
queryString.Append("    (SELECT CASE WHEN convert(smalldatetime, '" + valDateMaterialRequired + "')  < (getdate() + isNull(hier_asp_config.late_days_num, 3)) THEN '1' ELSE '0' END");
queryString.Append("    FROM hier_asp_config ");
queryString.Append("    WHERE asp_key = " + aspKey + " )");
queryString.Append(" , CASE WHEN convert(smalldatetime, '" + valDateMaterialRequired + "')  < (getdate() + 3) THEN '1' ELSE '0' END)");


 return ExecuteScaler(queryString.ToString()).ToString();

Now in the Class that calls the actual SQL I am using these techniques:

        protected int ExecuteNonQuery(string queryString)
        {
            int returnValue = 0;

            if (!_iserror)
            {
                if (_trace)
                    DoTrace("TAMIS.Data.Loader.ExecuteNonQuery", queryString);

                if (_connection == null || _connection.State == ConnectionState.Closed)
                {
                    OpenConnection();
                }

                DbCommand command = _provider.CreateCommand();
                command.Connection = _connection;
                command.CommandText = queryString;
                command.CommandType = CommandType.Text;
                if (_useTransaction) { command.Transaction = _transaction; }

                try
                {
                    returnValue = command.ExecuteNonQuery();
                }
                catch (Exception e)
                {
                    if (e is EntryPointNotFoundException)
                        throw; // rethrow without resetting the stack trace
                    //if (_useTransaction == true)
                    //    _transaction.Rollback();
                    RollBack();
                    LogBLL bll = new LogBLL();
                    bll.WriteErrorLog(e);
                    _iserror = true;
                }
                finally
                {

                    if ((!KeepAlive && _connection.State == ConnectionState.Open) || _iserror == true)
                    {
                        CloseConnection();
                    }

                }

            }
            else
            {
                returnValue = -1;
            }

            return returnValue;
        }

And this:

        protected object ExecuteScaler(string queryString)
        {

            object returnValue = null;
            if (!_iserror)
            {
                if (_trace)
                { DoTrace("TAMIS.Data.Loader.ExecuteScalar", queryString); }

                if (_connection == null || _connection.State == ConnectionState.Closed)
                {
                    OpenConnection();
                }

                DbCommand command = _provider.CreateCommand();
                command.Connection = _connection;
                command.CommandText = queryString;
                command.CommandType = CommandType.Text;
                if (_useTransaction) { command.Transaction = _transaction; }

                try
                {
                    returnValue = command.ExecuteScalar();
                }
                catch (Exception ex)
                {
                    if (ex is EntryPointNotFoundException)
                        throw; // rethrow without resetting the stack trace
                    //if (_useTransaction == true)
                    //_transaction.Rollback();
                    RollBack();

                    LogBLL bll = new LogBLL();
                    bll.WriteErrorLog(ex);

                   _iserror = true;
                }
                finally
                {

                    if ((!KeepAlive && _connection.State == ConnectionState.Open) || _iserror == true)
                    {
                        CloseConnection();

                    }

                }
            }
            else
            {
                returnValue = -1;
            }

            return returnValue;
        }

These are clearly giving me SQL injection errors. In my case I can't change the code to stored procedures like they should be, so how do I make the C# variable values from my client calling code still work but not give me SQL injection errors?
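Added example, not part of the original post: the two concatenated statements above rewritten so that every C# value travels as a typed parameter and the SQL text stays constant, which works without stored procedures. It assumes .NET Framework's System.Data.SqlClient, that category_key, rights_key and asp_key are integer columns, and that toCat arrives as a string; the class, method and parameter names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class ParameterizedQueries
{
    // Replaces: "UPDATE rights SET category_key = " + toCat + " WHERE rights_key = @rights_key"
    public static SqlCommand BuildUpdateRights(string toCat, int rightsKey)
    {
        int categoryKey;
        if (!int.TryParse(toCat, NumberStyles.Integer, CultureInfo.InvariantCulture, out categoryKey))
            throw new ArgumentException("Category key must be an integer.", "toCat");

        var cmd = new SqlCommand(
            "UPDATE rights SET category_key = @category_key WHERE rights_key = @rights_key");
        cmd.Parameters.Add("@category_key", SqlDbType.Int).Value = categoryKey;
        cmd.Parameters.Add("@rights_key", SqlDbType.Int).Value = rightsKey;
        return cmd;
    }

    // Replaces the StringBuilder query that embedded valDateMaterialRequired and aspKey.
    public static SqlCommand BuildLateCheck(string valDateMaterialRequired, int aspKey)
    {
        DateTime required;
        if (!DateTime.TryParse(valDateMaterialRequired, CultureInfo.InvariantCulture,
                               DateTimeStyles.None, out required))
            throw new ArgumentException("Not a valid date.", "valDateMaterialRequired");

        // smalldatetime only covers 1900-01-01 .. 2079-06-06; reject anything else early.
        if (required < new DateTime(1900, 1, 1) || required > new DateTime(2079, 6, 6))
            throw new ArgumentOutOfRangeException("valDateMaterialRequired");

        var cmd = new SqlCommand(@"
SELECT isnull(
    (SELECT CASE WHEN @dateRequired < (getdate() + isNull(hier_asp_config.late_days_num, 3))
                 THEN '1' ELSE '0' END
     FROM hier_asp_config
     WHERE asp_key = @aspKey),
    CASE WHEN @dateRequired < (getdate() + 3) THEN '1' ELSE '0' END)");
        cmd.Parameters.Add("@dateRequired", SqlDbType.SmallDateTime).Value = required;
        cmd.Parameters.Add("@aspKey", SqlDbType.Int).Value = aspKey;
        return cmd;
    }

    public static void Main()
    {
        // Two different inputs produce byte-identical SQL text; only parameter values differ.
        SqlCommand a = BuildLateCheck("2014-03-01", 12);
        SqlCommand b = BuildLateCheck("2015-11-30", 99);
        Console.WriteLine("same SQL text: " + (a.CommandText == b.CommandText));
        foreach (SqlParameter p in b.Parameters)
            Console.WriteLine(p.ParameterName + " (" + p.SqlDbType + ") = " + p.Value);

        SqlCommand u = BuildUpdateRights("7", 1001);
        Console.WriteLine(u.CommandText);

        // Constructed hostile inputs: neither one ever reaches the SQL text.
        string[] hostile = { "2014-03-01' OR '1'='1", "7; DELETE FROM rights" };
        try { BuildLateCheck(hostile[0], 12); }
        catch (ArgumentException ex) { Console.WriteLine("rejected date: " + ex.ParamName); }
        try { BuildUpdateRights(hostile[1], 1001); }
        catch (ArgumentException ex) { Console.WriteLine("rejected key:  " + ex.ParamName); }
    }
}
```

To use this with the data class shown in the post, the execute methods would take the command (or its parameter list) instead of a finished query string, then set Connection and Transaction on it before executing.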

Allowing the attacker to access unauthorized records finding.

I have a scan finding and hope someone can provide any ideas as to best ways to resolve the issue. First I will show the scan Finding then my code and finally what the scanner's recommended solution is.

Finding

Without proper access control, the method GetAttributeKey() in Provider.cs can execute a SQL statement on line 163 that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.

Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.

My Code:

Offending line:

myParam.SqlParam.Value = attribute;

Method:

        public string GetAttributeKey(string attribute)
        {
            string qry = "SELECT ws_attribute_key FROM webservice_attributes WHERE ws_attribute = @attribute";

            QueryContainer Instance = new QueryContainer(qry);

            MyParam myParam = new MyParam();

            myParam.SqlParam = new SqlParameter("@attribute", Instance.AddParameterType(_DbTypes._string));

            myParam.SqlParam.Value = attribute;

            Instance.parameterList.Add(myParam);

            object key = ExecuteScaler(Instance);

            return Convert.ToString(key);
        }

Scanner's recommended fix:

string user = ctx.getAuthenticatedUserName();
Int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand("SELECT * FROM invoices WHERE id = @id AND user = @user", conn);
query.Parameters.AddWithValue("@id", id);
query.Parameters.AddWithValue("@user", user);
SqlDataReader objReader = query.ExecuteReader();

 

Site being crawled

So I have a small asp site I built for a customer. Since it was a really low budget, I just have some minor error logging on it. I wasn't too concerned because there are really like 3 or 4 custom pages built in .net, and we're not storing anything sensitive or processing payments or anything. However, I woke up this morning to like over 1000 errors.  They were all 404s saying The file '/WebEdit/db/dbwebedit#cc495898.aspx' does not exist. The file '/360.aspx' does not exist., The file '/4.aspx' does not exist. From what I could see it looks to me like someone was possibly crawling the site looking for logins on generic cms's and other kinds of things. 

I've just used the standard asp.net membership provider as a login, but it doesn't sit on https, once again, because we're not really holding any sensitive info. Should I be concerned though? I've done tons of sites in my time and have never seen this before.

SQL query built using input coming from an untrusted source

I have used parameters to prevent SQL injection; however, my scan is complaining about the passed-in query string coming from an untrusted source. This is confusing me because everything appears to be fine. Because the user has a valid login and because the code is internal to the business layer, how could this be an untrusted source? If anyone has any ideas about a fix please let me know. First the scan error:

Scan finding:

On line 429 of Loader.cs, the method ExecuteScaler() invokes a SQL query built using input coming from an untrusted source.  This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

The code causing the finding is this line:

command.CommandText = Instance.Query;

The  code containing the actual finding line above:

 

        protected Object ExecuteScaler(QueryContainer Instance)
        {

            object returnValue = null;


            if (!_iserror)
            {
                if (_connection == null || _connection.State == ConnectionState.Closed)
                {
                    OpenConnection();
                }

                DbCommand command = _provider.CreateCommand();

                command.Connection = _connection;
                {
                    command.CommandText = Instance.Query;
                    command.CommandType = CommandType.Text;

                    if (Instance.parameterList.Count > 0)
                    {
                        foreach (var p in Instance.parameterList)
                        {
                            command.Parameters.Add(p.SqlParam);
                        }
                    }

                    if (_useTransaction) { command.Transaction = _transaction; }

                    try
                    {
                        returnValue = command.ExecuteScalar();
                    }

The code calling the method that calls the offending method above:

        public string GetFileHashByLogExcelKey(int key)
        {
            string query = @"SELECT file_hash from log_excel where log_excel_key = @key";

            QueryContainer Instance = new QueryContainer(query);

            MyParam myParam = new MyParam();

            myParam.SqlParam = new SqlParameter("@key", Instance.AddParameterType(_DbTypes.Int));

            myParam.SqlParam.Value = key;

            Instance.parameterList.Add(myParam);

            return Convert.ToString(ExecuteScaler(Instance));
        }

 

Unchecked returned value causing unexpected states and conditions.

I have been searching the internet for over an hour and can only find client-side discussions of my latest scan finding. What I am receiving is a finding on a method that uses the Read() method: because the value returned by Read() is ignored, it could cause the program to overlook unexpected states and conditions. If anyone can explain, in small detail, and possibly recommend a fix, that would be great. The function is below:

Offending line of code in the method:

csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);

Calling method:

        public String DecryptMessage(byte[] encrypted)
        {
            ASCIIEncoding textConverter = new ASCIIEncoding();
            decryptor = aes.CreateDecryptor(key, IV);
            MemoryStream msDecrypt = new MemoryStream(encrypted);
            csEncrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read);
            byte[] fromEncrypt = new byte[encrypted.Length];
            csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
            return textConverter.GetString(fromEncrypt);
        }
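Added example, not part of the original post: Stream.Read returns how many bytes it actually delivered, which can be fewer than requested and, after padding is removed, is always fewer than the ciphertext length, so a single unchecked call can leave part of the buffer unwritten. The sketch below puts the single-call pattern beside a read loop that honours the return value; the class name, randomly generated key and IV, and sample message are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class CryptoStreamReadDemo
{
    // Pattern from the post: one Read() call whose return value is discarded.
    public static string DecryptIgnoringReadResult(byte[] encrypted, byte[] key, byte[] iv)
    {
        using (Aes aes = Aes.Create())
        using (ICryptoTransform decryptor = aes.CreateDecryptor(key, iv))
        using (var ms = new MemoryStream(encrypted))
        using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
        {
            byte[] fromEncrypt = new byte[encrypted.Length];
            cs.Read(fromEncrypt, 0, fromEncrypt.Length);     // byte count is lost here
            return Encoding.ASCII.GetString(fromEncrypt);    // converts unwritten bytes too
        }
    }

    // Corrected form: keep reading until Read() reports end of stream (0),
    // and convert only the bytes that were actually produced.
    public static string DecryptMessage(byte[] encrypted, byte[] key, byte[] iv)
    {
        using (Aes aes = Aes.Create())
        using (ICryptoTransform decryptor = aes.CreateDecryptor(key, iv))
        using (var ms = new MemoryStream(encrypted))
        using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
        using (var plain = new MemoryStream())
        {
            byte[] buffer = new byte[4096];
            int read;
            while ((read = cs.Read(buffer, 0, buffer.Length)) > 0)
                plain.Write(buffer, 0, read);
            return Encoding.ASCII.GetString(plain.ToArray());
        }
    }

    public static void Main()
    {
        byte[] key = new byte[32], iv = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(key); rng.GetBytes(iv); }

        const string message = "order=1001";                 // constructed sample plaintext
        byte[] encrypted;
        using (Aes aes = Aes.Create())
        using (ICryptoTransform enc = aes.CreateEncryptor(key, iv))
        {
            byte[] data = Encoding.ASCII.GetBytes(message);
            encrypted = enc.TransformFinalBlock(data, 0, data.Length);
        }

        string unchecked1 = DecryptIgnoringReadResult(encrypted, key, iv);
        string looped = DecryptMessage(encrypted, key, iv);

        Console.WriteLine("plaintext length:  " + message.Length);
        Console.WriteLine("ciphertext length: " + encrypted.Length);
        Console.WriteLine("unchecked Read():  " + unchecked1.Length + " chars, matches: "
                          + (unchecked1 == message));
        Console.WriteLine("read loop:         " + looped.Length + " chars, matches: "
                          + (looped == message));
    }
}
```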

 
