I am new to repairing security vulnerability on ASP .NET code. Can someone give me links to on-line reference material where someone new like me can learn the process?
↧
Learing ASP.NET Security Vulnerability programming
↧
Preventing XSS attacks to dynamically created DOM webpages and dynamically generated javascript event handlers
I have read the following article:
https://msdn.microsoft.com/en-us/library/bb355989.aspx
Now this article allows me to understand XSS vulnerability defense to a webpage that is statically made up of asp and html controls built on a webpage as in true markup layout fashion. I now understand that that control input should use not only server side in validation but input should validate length, range, format and type. The question I have is that I am trying to sanitize a website where the page layout controls are build on to the DOM object dynamically when the page loads. For example on the page load event methods add controls to the document object one at a time in the method that builds the entire webpage during that calling method. Also, control event handling is done by methods that send concatenated JavaScript strings, during page load, as output to the page that handle page control events. I guess my question is, how do I use asp.net validation controls, regex checking, etc. functionally when everything is built, the DOM and JavaScript event handling on the loading of the webpage?
For example adding controls as in the following fashion:
private void CreateControls(ControlCollection cc)
{
if (RadScriptManager.GetCurrent(_contextPage) == null)
{
RadScriptManager rsm = new RadScriptManager();
rsm.ID = "scriptManager";
cc.Add(rsm);
}
}↧
↧
please give me ex of each one of rout url
hi, all
following lines are from professional asp.net 4.5
i understand the first exmaple which is of controller , please give me
some code of other two so that i can understand.
TABLE 34-2
ROUTE URL PATTERN EXAMPLES OF URLS THAT MATCH
{controller}/{action}/{category} /products/list/beverages/blog/posts/123
service/{action}-{format} /service/display-xml
{reporttype}/{year}/{month}/{date} /sales/2008/1/23
yours sinceryl
↧
CSRF question
I am investigating a CSRF finding in asp.net c# code behind as shown in the following code:
LinkButton LinkButtonControl = new LinkButton(); LinkButtonControl.ID = Name;
Now, I feel that the following code using ViewStateUserKey is the right approach:
protected override OnInit(EventArgs e) {
base.OnInit(e);
if (User.Identity.IsAuthenticated)
ViewStateUserKey = Session.SessionID; }However; another person I work with thinks that the Httputility.htmlencode method is the correct way to solve the problem. First I don't know if the Httputility.htmlencode method is the best way and if so I would I use it?
↧
list all the roles the user is in
When a user opens my web app, I want to list all the roles the user is in. How do I extract roles from HttpContext.Current.User ?
I am able to check if the user is in a role with HttpContext.Current.User.IsInRole but I want to list what roles the user has.
↧
↧
cross site scripting issue with javascript code behind
We have scanned our site for vulnerabilities. We received a warning message on this code("StaticPostBackScrollVerticalPosition") for potential cross-site scripting.
What needs to be changed to fix this issue? Please let me know.
private const string VerticalPosition = "StaticPostBackScrollVerticalPosition";
private const string ScriptHidden = "document.forms[0].{0}.value";
private const string SaveScriptName = "StaticPostBackScrollPositionSave";
private const string LoadScriptName = "StaticPostBackScrollPositionLoad";
private const string ScriptGetPosition = ScriptHidden + " = (navigator.appName == 'Netscape') ? window.page{1}Offset : document.documentElement.scroll{2};";
private string GetPositionScript()
{
StringBuilder sb = new StringBuilder();
sb.Append("<script language=\"JavaScript\"> \n");
sb.Append("function SaveScrollPosition() { \n");
sb.AppendFormat(ScriptGetPosition , VerticalPosition, "Y", "Top");
sb.Append("setTimeout('SaveScrollPosition()', 100);");
sb.Append("} \n");
sb.Append("SaveScrollPosition(); \n");
sb.Append("</script> \n");
return sb.ToString();
}
private void ScrollPosition()
{
if (!this.ClientScript.IsStartupScriptRegistered(SaveScriptName))
{
this.ClientScript.RegisterClientScriptBlock(GetType(), SaveScriptName, GetPositionScript());
this.ClientScript.RegisterHiddenField(VerticalPosition , "0");
}
}↧
Access Denied when using ASP.NET to run PowerShell
Hi,
I am writing a PowerShell / ASP.NET application to enumerate, disconnect, and log off a user's Terminal Server sessions.I can enumerate them just fine, but I am receiving an Access Denied message when I try to disconnect the user from ASP.NET (from a PowerShell window it works just fine).
I have set both the identity of the application pool in use, as well as the identity of the web site to a known domain administrator. I have also added the user to the local IIS_IUSRS group.
I am *not* using PoSh Remoting.
Does any one have an idea of what the problem might be?
Thanks!
Sam
↧
how to make sure user would not able to browse directly to that page in the URL
how to make sure user would not able to access the aspx page directly by manually entering the url but only through the application.
I tried useing url.referrer but as I am using server.transfer it would not work.
Please suggest and also suggest how can we disable browser back button, tried javascript on load window.history.forward(); but its now working
↧
Dangerous code detected on production server only with htmleditor extender.
I'm a bit baffled. I've got all prerequisites configured and working correctly with my htmleditorextender meaning.
1) Sanitization providers correctly installed, referenced with dlls ext.
2) latest htmlagilitypack installed configured.
3) latest antixss library referenced.
4) requestvalidation set to false so that these process override the inherent asp.net validation.
Result... locally this all works perfectly with visual studio 2012. but when I run this on my VPS we still get an error 'dangerous code detect..'
Why would it do that???
↧
↧
can google webmaster tools find malware in pages that are password protected?
I use membership security for my website (yes, I know it is outdated, but I had too much trouble updating it), which means that various folders in the site have a web.config file in them, that restricts each folder to users in a particular role.
Recently I added my site to Google Webmaster Tools, which has a feature that searches the site for malware. (I'm not sure what this means - does it look at pages to see if malicious javascript was inserted, or does it just look for programs?)
Anyway, it would seem that Google tools could not access most of my folders and files, given this security setup. So the malware check is useless.
Am I correct?
Thanks.
↧
Microsoft.Security.Application.Encoder.CssEncode how to read result?
hello
asp/net.4.webForm
using Microsoft.Security.Application.Encoder.CssEncode.
string
s = "background-color: rgb(165, 42, 42);"
, s2 = Microsoft.Security.Application.Encoder.CssEncode(s);
// s2 result = "background\00002Dcolor\00003A\000020rgb\000028165\00002C\00002042\00002C\00002042\000029\00003B"the browser dont know how to read that Encoding when using an inline style.. (not on css but on the html tag)
i have tried
c# HttpUtility.HtmlDecode, HttpUtility.UrlDecode js decodeURIComponent decodeURI
↧
Using AntiXSS on store and read from db redundant?
Is there any point to pass information read frm a db through AntiXSS filters if the only way they could be saved to the db in the first place was going through an AntiXSS filter? I have dynamic pages that pull information from a db and that information was submitted by other users and before being saved to the db all the input was passed through and confirmed by AntiXSS filters. I don' really see a point to putting the information through the filters again once the dynamic page is populated fromo the db?
↧
accessing a webservice both from asp.net and from a program
I have a webservice on my website. I also have a stand alone program that people can download from my website, to interact with the webservice. The webservice writes to a database, and my website reads from that database (and also writes to it as well).
My website is protected with https (ssl). So information (such as passwords) that is sent to the website is protected. But if I want my stand-alone program (that people download) to interact with the web-service, will the traffic between it and the webservice be protected by SSL? Is there a way to find out?
Thanks
↧
↧
in server - how Sanitize json comes from ajax
hello
net.4. web form - web method;
in server - how Sanitize json comes from ajax?
i need to strip all html tags and to validate its a valid json.
(at the server i parse the json to dynamic and than to hard type)
i have tried to use
Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(data)
but it not strip the tag just rewrite it on a different encoding..
for example
HttpUtility.HtmlDecode(Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment("<script src=alert()"))
// will give you:
// <script src=alert()at the end i need to parse the json to server object..
thanks
thanks
↧
the user underwhich web service should run
Hi,
Setting the user under-which a web service could be called,, to anonymous, while setting the internal impersonation to an elevated user, could technically work nicely, but this way any user could call this web service (unless e.g. no access to web server itself).
Alternatively, setting the user, under-which web service could be called by, to group of specific users, may complicate implementation of web service, when elevated access rights required for the web service code to run, requiring some smart solution. This is probably not a "rare" case, yet didn't find a ready solution off-hand and simple search, hence would appreciate a referral to some good article with solution and example.
Thank u
↧
Print to network printer fails from IIS 8 web application
Hi All,
I am stuck with an issue printing a crystal report to network printer on IIS8 ( Windows server 2012). Printer Queue shows up information on document is being spooled-> printed -> Deleting but nothing is sent to printer. I believe this is something related to Security.
I tried running application pool under all builtin accounts and a domain account having admin privileges but nothing helped.
I believe there is no problem with printer and i am able to print a test page to network printer.
Please help me fix this issue.
Thanks
↧
Using X509Certificate2 to get PrivateKey causes CryptographicException "Invalid provider type specified"
Hi, everyone,
I am developing a web application that uses X509Certificate2 to get a private key from a certification file. Code snippet looks like following:
public static RSACryptoServiceProvider GetSignProviderFromPfx()
{
var strFileName = "c:\cer\mycerfile.pfx";
var strPassword = "000000";
X509Certificate2 pc = new X509Certificate2(strFileName, strPassword, X509KeyStorageFlags.MachineKeySet);
var ThePivateKey = pc.PrivateKey;
return (RSACryptoServiceProvider)ThePivateKey;
}But the statement pc.Privatekey causes a System.Security.Cryptography.CryptographicException "Invalid provider type specified" . I'm sure the certification file has no problem, it really has a private key. And the property pc.HasPrivateKey
is also return true.
The test environment is VS2013, window 7.
I also tried following:
a. I debugged it in VS2013 with iis express, the problem occured.
b. I debugged it in another computer with same enviroment with mine, the problem occured too.
c. I published the application to a server with iis running on Windows Web Server 2008 R2, it worked fine.
d. I published the application to widows azure website, it also worked fine.
Therefore, I guess the code snippet has no problem. The key reason raising the exception is that there may be some problem about runningenvironment. I checked and compared the reading/writing right on the certification file in different environment, all of them are same.
Anybody can help?
Thanks.
↧
↧
Custom Error page not loading
When I have custom error turned on for my site, and then try www.domain.com/robots.txt..// , it errors out to an error page which says
Server Error in '/' Application.
Runtime Error
Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.
How can debug this error or fix it so that the standard error page shows up?
Thanks.
- Dhillip
↧
Security Audit
Hi,
We've been working on a public-facing ASP.NET application and we're thinking about getting a security audit done on the app.
Can anyone make any suggestions as to whom we should hire for the audit?
↧
accessing a webservice both from asp.net and from a program
I have a webservice on my website. I also have a stand alone program that people can download from my website, to interact with the webservice. The webservice writes to a database, and my website reads from that database (and also writes to it as well).
My website is protected with https (ssl). So information (such as passwords) that is sent to the website is protected. But if I want my stand-alone program (that people download) to interact with the web-service, will the traffic between it and the webservice be protected by SSL? Is there a way to find out?
Thanks
↧