Channel: Security Vulnerability
Viewing all 317 articles

How to handle character count while using HTMLEncode-Decode


Hi All,

We have one web form with many textboxes. Each has a character limit as per business needs. To handle Cross Site Scripting, we are using

1) HTMLEncode - while fetching data from user input,

2) store it in our custom document library &

3) HTMLDecode - while retrieving data from custom document library & set it on web page

Problem Statement:

A textbox has a business requirement of 255 max characters. We have JavaScript validation in place which checks this. But after implementing HTMLEncode, the actual character count is increased.

e.g. if the user enters the symbol < in the textbox, when we encode it, it goes in as &lt, so even if the user inputs 255 characters, in the background the total length becomes more than 255, throws an error and so does not update.

Can anyone please guide us in this?

Thanks,

Sanjay
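Added example (not code from the original post): the 255-character rule is about what the user typed, so it has to be checked on the raw text, and the encoded form only needs room to grow. This console program shows the length difference, a limit check on the raw value, a way to measure the visible length of data that is already stored encoded, and encoding at output time. It uses System.Net.WebUtility so it needs no System.Web reference; the sample input is constructed.

```csharp
using System;
using System.Net;

public static class InputLength
{
    public const int MaxRawChars = 255;

    // The longest expansions WebUtility.HtmlEncode emits for one UTF-16 unit
    // ("&quot;", "&#255;") are six characters, so a column holding the encoded
    // form needs at most six times the raw limit.
    public const int MaxEncodedChars = MaxRawChars * 6;

    // Business rule: validate the raw text, before any encoding happens.
    public static bool IsWithinLimit(string raw)
    {
        return raw != null && raw.Length <= MaxRawChars;
    }

    // For data already stored encoded, decode first so "&lt;" counts as one
    // character rather than four.
    public static int VisibleLength(string encoded)
    {
        return WebUtility.HtmlDecode(encoded ?? string.Empty).Length;
    }

    // Encode at the point of output (when setting control text), not on input.
    public static string ForDisplay(string raw)
    {
        return WebUtility.HtmlEncode(raw ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed sample: 255 '<' characters is a valid input, but its
        // encoded form is four times longer, which is what overflowed the column.
        string raw = new string('<', MaxRawChars);
        string encoded = ForDisplay(raw);

        Console.WriteLine("raw within limit: " + IsWithinLimit(raw));
        Console.WriteLine("raw length:       " + raw.Length);
        Console.WriteLine("encoded length:   " + encoded.Length);
        Console.WriteLine("visible length:   " + VisibleLength(encoded));
    }
}
```

The usual fix is to keep the raw value in the document library and encode only when rendering, so the JavaScript check and the server-side check agree; if the encoded form must be stored, size the field for MaxEncodedChars and keep the business check on the raw length.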


vulnerability from advertisement content


asp.net 4 website

The client is supposed to post script code to the server: advertisement content, including

HTML, JS, CSS, Flash and so on.

How to protect from vulnerability?

Is there a DLL that scans for vulnerabilities?

And how to store that data?

What encoding to use?

Looking for a tool to make third party HTML, CSS and JavaScript safe to embed in a website

(at the moment I am having a first look at Google Caja)

thank you

OWASP tool exception Cross-Domain Misconfiguration


Hi,

I am working on ASP.NET, Azure.

We have deployed our website on an Azure Web App and ran the OWASP tool to check security issues.

It gives the exception on Cross-Domain Misconfiguration,

for the evidence Access-Control-Allow-Origin: *, which we have used in Web.Config as below.

<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept,Authorization" />
<add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Credentials" value="true" />

Please suggest how to resolve this type of exception.

Regards

Uday Mahajan
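Added example (not code from the original post): the finding is the wildcard. Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true tells every site on the internet it may make credentialed requests, and browsers refuse that combination anyway. The fix is to delete the four customHeaders entries from web.config and emit the headers per request, echoing the Origin only when it is on an allowlist. The origins, class name and hook-up below are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public static class CorsPolicy
{
    // Placeholder origins; replace with the real front-end origins.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.com",
            "https://admin.example.com"
        };

    // Pure decision function: the value to send in Access-Control-Allow-Origin,
    // or null when the requesting origin is not trusted.
    public static string ResolveAllowedOrigin(string requestOrigin)
    {
        if (string.IsNullOrEmpty(requestOrigin)) return null;
        return AllowedOrigins.Contains(requestOrigin) ? requestOrigin : null;
    }

    // Call from Global.asax: Application_BeginRequest -> CorsPolicy.Apply(Request, Response)
    public static void Apply(HttpRequest request, HttpResponse response)
    {
        string origin = ResolveAllowedOrigin(request.Headers["Origin"]);
        if (origin == null) return;   // unknown origin: send no CORS headers at all

        response.AppendHeader("Access-Control-Allow-Origin", origin);
        response.AppendHeader("Vary", "Origin");   // caches must not reuse this across origins
        response.AppendHeader("Access-Control-Allow-Credentials", "true");
        response.AppendHeader("Access-Control-Allow-Headers",
            "Origin, X-Requested-With, Content-Type, Accept, Authorization");
        response.AppendHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");

        // Answer the preflight here so it never reaches page or API code.
        if (request.HttpMethod == "OPTIONS")
        {
            response.StatusCode = 204;
            HttpContext.Current.ApplicationInstance.CompleteRequest();
        }
    }
}
```

If the API really must be callable from anywhere, keep the wildcard but drop the Allow-Credentials header; the scanner flags the combination, and a public, cookie-less API is the only case where * is appropriate.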

OWASP tool exception Anti CSRF Tokens Scanner and Source Code Disclosure - File Inclusion


Hi,

I am working on ASP.NET, Azure.

We have deployed our website on an Azure Web App and ran the OWASP tool to check for security issues.

It gives the exception on Anti CSRF Tokens Scanner and Source Code Disclosure - File Inclusion

For

1) Anti CSRF Token - We have used ValidateAntiForgeryToken with HttpPost, but even using this OWASP gives the exception.

2) Source Code Disclosure - File Inclusion - gives the exception as

The source code for the current page was disclosed by the web server on

URL: URL/Fonts/(fuzwqe55k3i2bi3axm21yq55)/

Parameter : __ID__

Attack : ../

Here we don't know how that attack happens in Fonts?

Please suggest how to resolve Anti CSRF Tokens Scanner and Source Code Disclosure - File Inclusion.

Regards

Uday Mahajan

Javascript Hijacking Vulnerable Framework


Hi,

We use HP Fortify to audit our application. We get hundreds of "Javascript Hijacking: Vulnerable Framework" warnings with regard to the <asp:ScriptManager> block <asp:ScriptManager ID="ScriptManager1" runat="server"></asp:ScriptManager>.

A similar question was asked in the past by user kaganmurat but the answer given did not resolve the issue.

Any help would be much appreciated.

Thank you.


Protecting a URL having parameters


Dear friends,

I am working with QR codes. The scenario is: the QR code contains a URL; when scanned with a QR code scanner it redirects to the URL, which has certain parameters passed in it to display data on the basis of those parameters.

Now the issue is that the parameters are not encrypted, and when I try to encrypt the parameters with cryptography the QR code gives an error in generation.

Please help me in this regard: how can I generate the QR code with encrypted information?
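Added example (not code from the original post): raw ciphertext, or standard base64 with +, / and = in it, is a common reason a QR library rejects a URL. The approach below seals the query string with MachineKey.Protect (authenticated encryption keyed by the site's machineKey, available from .NET 4.5) and then base64url-encodes the result with HttpServerUtility.UrlTokenEncode, so the URL is made only of characters every QR encoder accepts and any tampering is detected on the way back in. The host, purpose string and query names are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class QrPayload
{
    // Binds tokens to this one use; a token protected for another purpose will not unprotect here.
    private const string Purpose = "qr-deeplink-v1";   // constructed name

    // Turns e.g. "id=42&lang=en" into an opaque, URL-safe, tamper-evident token.
    public static string Protect(string plainQuery)
    {
        byte[] data = Encoding.UTF8.GetBytes(plainQuery);
        byte[] sealedBytes = MachineKey.Protect(data, Purpose);
        return HttpServerUtility.UrlTokenEncode(sealedBytes);   // base64url, no '+', '/' or '='
    }

    // Returns null instead of throwing when the token was altered, truncated or foreign.
    public static string Unprotect(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        try
        {
            byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (sealedBytes == null) return null;
            byte[] data = MachineKey.Unprotect(sealedBytes, Purpose);
            return data == null ? null : Encoding.UTF8.GetString(data);
        }
        catch (FormatException) { return null; }
        catch (CryptographicException) { return null; }
    }

    // The string to encode into the QR image. Host is a placeholder.
    public static string BuildUrl(string plainQuery)
    {
        return "https://example.com/scan?t=" + Protect(plainQuery);
    }
}
```

The page behind /scan calls Unprotect(Request.QueryString["t"]) and refuses to render anything when it returns null. On a web farm, or if tokens must survive an app restart, set an explicit machineKey in web.config so every node derives the same keys.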

How to upgrade to AntiXSS 4.3


When ASP.NET 4.5 was released, AntiXSS 4 was included in the Framework.

Since then, AntiXSS 4.3.0 is the latest release. (Yes, I know it is no longer being developed etc.)

How does one go about upgrading their asp.net web forms site to use AntiXSS 4.3 instead of the older 4?

PS. I tried Nuget on a clean new site. All it does is download and copy two .dll files to the Bin folder. No changes were made to the web.config file. I assume there would have to be a change of some sort in web.config to tell the site to use the local dll file in Bin rather than the baked in version that came with the Framework - but I do not know what those changes are.

Stop reverse engineering


Hi,

I have an application in MVC. I want to protect it so that no one could reverse engineer its DLLs, or if possible I want some kind of encryption after reverse engineering.

I also want to hide the logic of my JavaScript files.

Can anyone guide me on such a thing (in this way)?

thank you


cross posting/accessing direct url


Hi,

I am developing an application in MVC.

I want that no one could cross post (meaning an unauthorized person can give the direct URL and open the application).

I want to use something like antiforgery or some better lightweight solution. I don't want to write a custom filter.

I want to use some primitive feature and I don't want to use Identity (membership API).

I am using MySQL.


Transferring Confidential Data Files From One Network (location) to Other


Dear Folks,

I have a scenario where there are multiple operators (companies) reporting to one parent company (you can assume it as a different company altogether). Now, the operators have their secured networks and very stringent security policies. I have a requirement where I have to transfer some data files from these operators site to their parent company (which is on different network).

I am not sure what the best solution to achieve this is. For your reference, I considered the following options.

1. Create a secured web service (https service) and deploy it at the parent company's network on a TMZ/DMZ server. Now, this web service will be on the internet so it can be consumed by all operators to transfer their data files. Using this approach operators will receive proper acknowledgment for every file transfer, so there is proper handshaking in this approach. This approach has some security concerns from my operators. So, I am not sure how much security we can handle using this approach.

2. Use SFTP. I don't have much insight about how I can use SFTP in my case. I read somewhere that in SFTP sometimes you may not get acknowledgment whether the file is transferred or not. My operators are pushing for this approach but I am not sure how to go about it.

I am not sure what else could be done to achieve a common ground for implementing the solution for this problem. Please note that the security involved in this solution is of utmost priority.

Can anyone please help me out with an optimized approach?

Thanks in advance.

Thanks,

Shivank Sharma

entityframework security


Hi asp.net,

I have a question about EF security.

Are there any SQL Injection concerns with EF?

If not, what are the security concerns with EF?

Thanks

kourosh
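Added example (not code from the original post): Entity Framework turns LINQ queries into parameterized SQL, so the injection risk lives in the raw-SQL escape hatches (Database.SqlQuery, Database.ExecuteSqlCommand) when input is concatenated into the statement. The three methods below show the safe LINQ form, the vulnerable raw form, and the parameterized raw form side by side. The model and context names are assumptions; the other EF concern worth knowing is over-posting, i.e. binding a request body straight onto an entity so that fields the user should not control get updated.

```csharp
using System.Data.Entity;
using System.Linq;

// Constructed model and context for the example.
public class Customer
{
    public int Id { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<Customer> Customers { get; set; }
}

public static class CustomerQueries
{
    // Safe: LINQ-to-Entities sends 'email' as a SQL parameter, never as SQL text.
    public static Customer ByEmail(ShopContext db, string email)
    {
        return db.Customers.FirstOrDefault(c => c.Email == email);
    }

    // VULNERABLE: string concatenation into raw SQL; whatever the user typed
    // becomes part of the statement.
    public static Customer ByEmailRawUnsafe(ShopContext db, string email)
    {
        return db.Database.SqlQuery<Customer>(
            "SELECT * FROM Customers WHERE Email = '" + email + "'").FirstOrDefault();
    }

    // Safe raw SQL: the {0} placeholder is bound as a parameter by EF.
    public static Customer ByEmailRawSafe(ShopContext db, string email)
    {
        return db.Database.SqlQuery<Customer>(
            "SELECT * FROM Customers WHERE Email = {0}", email).FirstOrDefault();
    }

    // Over-posting guard: copy only the fields a user may change instead of
    // attaching the posted object. IsAdmin stays whatever it was in the database.
    public static void UpdateProfile(ShopContext db, int id, string newEmail)
    {
        Customer existing = db.Customers.Find(id);
        if (existing == null) return;
        existing.Email = newEmail;
        db.SaveChanges();
    }
}
```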

System.Security.SecurityException when setting .NET Trust Level to High


Hello,

I am getting System.Security.SecurityException when setting the .NET Trust Level to High in IIS (version 8.0); please refer to the below screenshot for further error details. I am using .NET Framework 4.0.

The web application is working fine at Full .NET Trust Level.

The below error is only appearing on the pages where I am using the third party control ABCpdf and using our custom developed component to generate dynamic reports.

Please suggest.

Http tag Cache-Control contains public for WebResource.axd


I am required to fix a vulnerability in my web application wherein the HTTP header Cache-Control contains the value public for WebResource.axd. I do not know what exactly needs to be done to fix it; probably I need to make the value private, but how?

Kindly suggest.

cannot find certificate local machine root store even after granting access apppool user


Hi all, I have installed a certificate that has to be passed into an HttpWebRequest to access a third party API, so I have installed the certificate into the local machine root store and granted access to the IIS application pool identity user using winhttpcertcfg

C:\Program Files (x86)\Windows Resource Kits\Tools>winhttpcertcfg.exe -g -c local_machine\my -s "certificateissuedname" -a "servername/apppoolusername"

I have tried the below code to find the certificate but no luck; certificate count 0.

using System.Security.Cryptography.X509Certificates;

public static string FindCert()
{
    X509Store keystore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    keystore.Open(OpenFlags.ReadOnly);
    // The thumbprint literal below still contains the spaces and invisible marks pasted from the certificate dialog.
    X509Certificate2Collection certs = keystore.Certificates.Find(X509FindType.FindByThumbprint, "‎‎‎19 27 d4 55 b3 j7 55 d1 78 a2 63 99 5g 25 gg 65 t5 t5 05 8c", false);
    keystore.Close();

    if (certs.Count > 0)
    {
        return " found cert on local root ";
    }
    return " cert not found ";
}

I have changed StoreName to My, no luck.

Anyone to help?
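Added example (not code from the original post): FindByThumbprint compares the string literally, and a thumbprint copied out of the certificate dialog carries spaces and invisible left-to-right marks (U+200E), which is enough to make Count come back 0. Note also that the winhttpcertcfg command above granted access in local_machine\my while the code searches Root, and a certificate presented to a remote API needs its private key, which normally lives in the Personal (My) store. This helper strips the thumbprint down to hex digits and reports which LocalMachine store actually holds the certificate; the placeholder thumbprint in Main is an assumption.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

public static class CertLocator
{
    // Keep only hex digits: drops spaces, U+200E/U+200F marks and other paste noise.
    public static string NormalizeThumbprint(string raw)
    {
        return Regex.Replace(raw ?? string.Empty, "[^0-9A-Fa-f]", string.Empty).ToUpperInvariant();
    }

    // Searches LocalMachine\My (Personal) and then LocalMachine\Root.
    // Returns the first match and, via foundIn, which store it came from; null if absent.
    public static X509Certificate2 Find(string rawThumbprint, out StoreName foundIn)
    {
        string thumb = NormalizeThumbprint(rawThumbprint);
        foundIn = StoreName.My;
        if (thumb.Length != 40) return null;   // a SHA-1 thumbprint is exactly 40 hex digits

        foreach (StoreName name in new[] { StoreName.My, StoreName.Root })
        {
            var store = new X509Store(name, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            try
            {
                // validOnly:false so an expired or not-yet-trusted certificate is still reported.
                X509Certificate2Collection matches =
                    store.Certificates.Find(X509FindType.FindByThumbprint, thumb, false);
                if (matches.Count > 0)
                {
                    foundIn = name;
                    return matches[0];
                }
            }
            finally
            {
                store.Close();
            }
        }
        return null;
    }

    public static void Main(string[] args)
    {
        // Pass the thumbprint exactly as pasted; normalization handles the noise.
        string input = args.Length > 0 ? args[0] : "<thumbprint placeholder>";
        StoreName where;
        X509Certificate2 cert = Find(input, out where);

        if (cert == null)
        {
            Console.WriteLine("not found in LocalMachine\\My or LocalMachine\\Root "
                + "(normalized thumbprint: " + NormalizeThumbprint(input) + ")");
            return;
        }
        Console.WriteLine("found in LocalMachine\\" + where + ": " + cert.Subject
            + (cert.HasPrivateKey ? " (private key present)" : " (no private key)"));
    }
}
```

Run it once under the application pool identity (or from a test page in the site) rather than as your own account: "no private key" under the pool identity, with the certificate present, means the key ACL is the remaining problem rather than the store.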

Run asp application in secured https localhost with visual studio 10 development server


Hello,

I want to run my application with a secure https connection on localhost without any IIS configuration. I am using the VS built-in development server. How can I achieve this? Currently, it is running at http://localhost:58136

The other page I am referring to is an https secure page and that is showing the "Refused to display 'https://....XXX....' in a frame because it set 'X-Frame-Options' to 'sameorigin'" error if localhost is not secure.

Thanks for help!


My Local IIS not able to authenticate other projects hosted on Local IIS


Hi team, I am facing a scenario that is strange to me. I have a solution with three projects. My project goes like this: I have to log in from the Home project, and I am authenticated and authorized to go to the home page. In the next step I need to navigate to another project by a URL click. Each project in the solution is on a different port. My Home project is not able to authenticate that and returns an error to me.

The same solution hosted on the Dev server is working fine. I am not able to figure out the issue. Please reach me if I am not clear or you need a few screenshots.

Cross Frame Scripting Vulnerability


We had a third-party security audit and they found a bunch of things that needed to be corrected. We fixed all of them, except for one. They claim we still have a problem with Cross Frame Scripting and clickjacking. The test put our login page within a frame in a page on a completely different website, which could be exploited. While it is considered a low threat, my boss wants me to resolve this.

What we did originally was put this in the web.config:

<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>

Apparently this doesn't cut it.  I've looked at other solutions but all I could find was to put JavaScript on every page (in our case in the MasterPage) that checks the frame origin, but I thought something like above would be a better solution.  Has anyone found a solution for this problem?
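Added example (not code from the original post): before reworking the configuration, check what the login page actually sends. A customHeaders entry in web.config can be missing from the one page the auditors framed (a location-scoped web.config, a handler that clears headers, a login host that is a different site), and the audit only needs one such page. Assess() is a pure function over a response's headers, so it can be dropped into a unit test; Main assesses either a constructed header set or a URL given on the command line. The class name is an assumption.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;

public static class FrameProtectionCheck
{
    // Verdict for one response. Modern browsers honour Content-Security-Policy
    // frame-ancestors; X-Frame-Options covers older ones, so the goal is both.
    public static string Assess(NameValueCollection headers)
    {
        string xfo = headers["X-Frame-Options"];
        string csp = headers["Content-Security-Policy"];

        bool cspFrameAncestors = csp != null &&
            csp.IndexOf("frame-ancestors", StringComparison.OrdinalIgnoreCase) >= 0;
        bool xfoValid = xfo != null &&
            (xfo.Equals("DENY", StringComparison.OrdinalIgnoreCase) ||
             xfo.Equals("SAMEORIGIN", StringComparison.OrdinalIgnoreCase));

        if (cspFrameAncestors && xfoValid)
            return "protected: CSP frame-ancestors and X-Frame-Options both present";
        if (cspFrameAncestors)
            return "protected by CSP frame-ancestors; add X-Frame-Options for older browsers";
        if (xfoValid)
            return "X-Frame-Options only; add Content-Security-Policy: frame-ancestors 'self'";
        if (xfo != null)
            return "X-Frame-Options present but value '" + xfo + "' is not DENY or SAMEORIGIN";
        return "NOT protected: no X-Frame-Options and no CSP frame-ancestors";
    }

    public static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            // Constructed sample shaped like the poster's web.config output.
            var sample = new NameValueCollection { { "X-Frame-Options", "SAMEORIGIN" } };
            Console.WriteLine(Assess(sample));
            return;
        }

        var request = (HttpWebRequest)WebRequest.Create(args[0]);
        request.AllowAutoRedirect = false;   // judge the login page itself, not a redirect target
        using (var response = (HttpWebResponse)request.GetResponse())
        {
            Console.WriteLine((int)response.StatusCode + " " + args[0]);
            Console.WriteLine(Assess(response.Headers));
        }
    }
}
```

If the login page does emit SAMEORIGIN, the remaining gap is usually the second header: add <add name="Content-Security-Policy" value="frame-ancestors 'self'" /> beside the existing entry in the same customHeaders block, and keep the JavaScript frame-buster only as a fallback for clients that ignore both.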

Website Hacking


I created and managed an asp.net website using C# through Visual Studio 2010 for our church denomination last year.

After a few months it was hacked, but the hacker does not seem to have interfered with the SQL database; they redirect or replace the front page with their created Islam praising content.

I have taken the website down and reported it to the domain provider, but he does not have any solution to the problem. He only knows about WordPress, but since our old church website was done using PHP he was chosen as the provider; after I took part in the committee, and since I wanted to use asp.net, we told him, and he does not know about Windows based hosting but gave us a space since we can manage the whole site.

It was like talking to a wall about the hacking. My question here is, "how vulnerable is an asp.net site compared to WordPress websites?" He blamed me for not securing the code and choosing asp.net. I don't really know how that comes? I work in a company and all our websites are just like this website but never hacked. Does it mean our work website is secure only because no one hacked it? How can I improve the coding or the asp.net website?

Please provide a cheap solution to resume our church website, like a domain provider in our country (India). Is it possible to use the same domain name with another domain provider?

Authentication using Mobile number


I am in the process of developing web API(ASP.net) for a mobile app. The app wants to do authentication based on mobile number. My idea is

  1. The user registers using his mobile number (An API will be called)
  2. On registration the user will be sent an OTP.
  3. Once the user confirms the OTP I will validate it with server.
  4. If the OTP is correct I will send an HMAC key to the mobile user.
  5. This HMAC key will be specific to that user only.
  6. For accessing the web API the mobile APP will generate a signature using mobile number, HMAC key and timestamp.

Now, my concern is that there is a web based Admin panel as well which uses the same web APIs; how would I do authentication for it? To use the Admin panel the user has a username and password. I am looking for a common authentication process. Please advise what will be the best way to keep authentication common and whether my approach is correct.
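Added example (not code from the original post): steps 4 to 6 of the scheme above, written out for both ends. The client signs (mobile number, timestamp, method, path) with its per-user HMAC-SHA256 key; the API rebuilds the same string, recomputes the tag, rejects timestamps outside a window and compares in constant time. The per-user key store is an in-memory dictionary standing in for whatever the OTP step persists; all numbers and paths are constructed. The same Verify serves the Admin panel if the password login ends the same way the OTP step does, by calling IssueKey for that user, so both clients then speak one header scheme.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class HmacAuth
{
    public const int AllowedSkewSeconds = 300;   // replay / clock-drift window

    // user -> per-user secret, filled in when the OTP (or admin password) check passed.
    private static readonly Dictionary<string, byte[]> UserKeys = new Dictionary<string, byte[]>();

    public static byte[] IssueKey(string user)
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        UserKeys[user] = key;
        return key;   // sent once to the client over TLS; the server keeps its own copy
    }

    // Both sides must build exactly this string, field order and separators included.
    private static string Canonical(string user, long unixTime, string method, string path)
    {
        return string.Join("\n", user, unixTime.ToString(), method.ToUpperInvariant(), path);
    }

    private static byte[] Tag(byte[] key, string user, long unixTime, string method, string path)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(user, unixTime, method, path)));
    }

    // Client side: the value the app puts in its signature header.
    public static string Sign(byte[] key, string user, long unixTime, string method, string path)
    {
        return Convert.ToBase64String(Tag(key, user, unixTime, method, path));
    }

    // Constant-time comparison so a wrong tag takes as long to reject as a nearly right one.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Server side. 'now' is passed in so the window check is testable.
    public static bool Verify(string user, long unixTime, string method, string path, string signature, long now)
    {
        byte[] key;
        if (!UserKeys.TryGetValue(user, out key)) return false;
        if (Math.Abs(now - unixTime) > AllowedSkewSeconds) return false;   // stale or replayed

        byte[] presented;
        try { presented = Convert.FromBase64String(signature ?? string.Empty); }
        catch (FormatException) { return false; }

        return FixedTimeEquals(Tag(key, user, unixTime, method, path), presented);
    }

    public static void Main()
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();   // .NET 4.6+
        const string user = "+910000000000";                     // constructed number
        byte[] key = IssueKey(user);

        string sig = Sign(key, user, now, "GET", "/api/orders");
        Console.WriteLine("fresh request:      " + Verify(user, now, "GET", "/api/orders", sig, now));
        Console.WriteLine("one hour later:     " + Verify(user, now, "GET", "/api/orders", sig, now + 3600));
        Console.WriteLine("path changed:       " + Verify(user, now, "GET", "/api/admin", sig, now));
    }
}
```

Two caveats on the design as posted: a timestamp window still allows replay inside the window, so requests that change state should also carry a nonce the server remembers for the window's duration, and the key must only ever travel over TLS, since anyone who captures it can sign as that user.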

Vulnerability (XSS)


I have a simple website form that takes users' input and saves it to a database (e.g., names and email), very basic information.

Recently, it failed a vulnerability scan and I am not sure what the vulnerability below means. Please help!

Cross-Site Scripting (XSS), allowing arbitrary malicious content to run in a legitimate user's session, is possible via a website (login.xxx.mil) system (banner and acceptance page).

Thanks.
