Channel: Security Vulnerability

WCF Security

Hi all, I'm not sure if this is the appropriate forum for my questions but here goes. Suppose I have an app that uses WCF to send and receive text messages and image files across the web, and the service needs to be able to go through firewalls. Based on those requirements, I have just three questions:

  1 - Which binding should I use?

  2 - What would be my best security option?

  3 - How do I make sure my data are secure?

Thanks in advance for your reply.


Strange IP Addresses and Service Providers

In my analytics, I'm seeing hits to my websites.

Many of them are government IP addresses such as the DOD (Department of Defense).

I also have this information that I don't understand:

[ipv4 address block not managed by the ripe ncc]

What is this? Should I be concerned?

Receiving errors for a domain I don't control

I have my site set up to email me whenever an error happens, and recently I've been getting an occasional blast of about 50 notifications (once every day or two) about a page not found error, but the weird thing is that the error is for a domain other than my own. Here's an example of the error (my domain isn't ncbels.org). Each error is for a different URL on the same domain. Any idea what could be causing this?

I suspect my site is being used to probe/attack other domains somehow (do you agree?). I'm not sure how to track it down without more information. I searched all my site files for references to that domain, as well as any free text fields in my database, and didn't find anything. My hosting provider ran a scan on my site and said it came up clean. I don't see enough in the stack trace to see where it is coming from.

Error in page https://mail.ncbels.org/owa/auth/logon.aspx?url=https://mail.ncbels.org/owa/redir.aspx%3FC=FE3qhJWgt0aAfmzPSyMaLnaDWOIgz9II6y56Bd7eQcsZhVwlsvJ_kP3W-Npa6H92EX7JFA9UHDQ.%26URL=mailto%253aaritter%2540ncbels.org&reason=0

Message
The file '/owa/auth/logon.aspx' does not exist.

Trace
  CheckVirtualFileExists at offset 9984736 in file:line:column <filename unknown>:0:0 
  GetVPathBuildResultInternal at offset 475 in file:line:column <filename unknown>:0:0 
  GetVPathBuildResultWithNoAssert at offset 103 in file:line:column <filename unknown>:0:0 
  GetVirtualPathObjectFactory at offset 165 in file:line:column <filename unknown>:0:0 
  CreateInstanceFromVirtualPath at offset 43 in file:line:column <filename unknown>:0:0 
  GetHandlerHelper at offset 31 in file:line:column <filename unknown>:0:0 
  GetHandler at offset 37 in file:line:column <filename unknown>:0:0 
  System.Web.HttpApplication.IExecutionStep.Execute at offset 346 in file:line:column <filename unknown>:0:0 
  ExecuteStep at offset 155 in file:line:column <filename unknown>:0:0 

StackTrace
at System.Web.UI.Util.CheckVirtualFileExists(VirtualPath virtualPath) at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate) at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate) at System.Web.Compilation.BuildManager.GetVirtualPathObjectFactory(VirtualPath virtualPath, HttpContext context, Boolean allowCrossApp, Boolean throwIfNotFound) at System.Web.Compilation.BuildManager.CreateInstanceFromVirtualPath(VirtualPath virtualPath, Type requiredBaseType, HttpContext context, Boolean allowCrossApp) at System.Web.UI.PageHandlerFactory.GetHandlerHelper(HttpContext context, String requestType, VirtualPath virtualPath, String physicalPath) at System.Web.UI.PageHandlerFactory.GetHandler(HttpContext context, String requestType, String virtualPath, String path) at System.Web.HttpApplication.MaterializeHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Query String
url=https%3a%2f%2fmail.ncbels.org%2fowa%2fredir.aspx%3fC%3dFE3qhJWgt0aAfmzPSyMaLnaDWOIgz9II6y56Bd7eQcsZhVwlsvJ_kP3W-Npa6H92EX7JFA9UHDQ.%26URL%3dmailto%253aaritter%2540ncbels.org&reason=0

User Name


Source
System.Web

Help


Error Code
-2147467259

Form Data

Here's another batch of errors so you can see the volume. This is another URL I don't own:

Error in page https://www.themav.com/ts/en-US/c0d1f425f1bc189b.aspx - Message The file '/ts/en-US/c0d1f425f1bc189b.aspx' does not exist. Trace
Error in page https://www.themav.com/ts/en-US/Default.aspx - Message The file '/ts/en-US/Default.aspx' does not exist. Trace CheckVirtualFileExists at
Error in page https://www.themav.com/ts/en-US/9ce13f177b52ebe4.aspx - Message The file '/ts/en-US/9ce13f177b52ebe4.aspx' does not exist. Trace
Error in page https://www.themav.com/store/2acedb3a3f01e5dd.aspx - Message The file '/store/2acedb3a3f01e5dd.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/store/268d393ed863bc30.aspx - Message The file '/store/268d393ed863bc30.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/store/ShoppingCart.aspx - Message The file '/store/ShoppingCart.aspx' does not exist. Trace CheckVirtualFileExists at
Error in page https://www.themav.com/shoppingcart/f88b8c524dfd5180.aspx - Message The file '/shoppingcart/f88b8c524dfd5180.aspx' does not exist. Trace
Error in page https://www.themav.com/shopping/5a996c38b3c098b8.aspx - Message The file '/shopping/5a996c38b3c098b8.aspx' does not exist. Trace
Error in page https://www.themav.com/shoppingcart/be5f69491555a7db.aspx - Message The file '/shoppingcart/be5f69491555a7db.aspx' does not exist. Trace
Error in page https://www.themav.com/shopping/08ea539bb182f405.aspx - Message The file '/shopping/08ea539bb182f405.aspx' does not exist. Trace
Error in page https://www.themav.com/shoppingcart/ShoppingCart.aspx - Message The file '/shoppingcart/ShoppingCart.aspx' does not exist. Trace
Error in page https://www.themav.com/pages/154ef6207d723d24.aspx - Message The file '/pages/154ef6207d723d24.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/pages/9c64906843289a9f.aspx - Message The file '/pages/9c64906843289a9f.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/shopping/ShoppingCart.aspx - Message The file '/shopping/ShoppingCart.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/pages/ShoppingCart.aspx - Message The file '/pages/ShoppingCart.aspx' does not exist. Trace CheckVirtualFileExists at
Error in page https://www.themav.com/order/8d0c5dacfa52ff67.aspx - Message The file '/order/8d0c5dacfa52ff67.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/order/ShoppingCart.aspx - Message The file '/order/ShoppingCart.aspx' does not exist. Trace CheckVirtualFileExists at
Error in page https://www.themav.com/estore/35efd689838d088b.aspx - Message The file '/estore/35efd689838d088b.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/order/1de65df28d6aa5c8.aspx - Message The file '/order/1de65df28d6aa5c8.aspx' does not exist. Trace CheckVirtualFileExists
Error in page https://www.themav.com/cart/d6fe3be2c41a1bc2.aspx - Message The file '/cart/d6fe3be2c41a1bc2.aspx' does not exist. Trace CheckVirtualFileExists

Thanks!
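
One way to triage notifications like the ones quoted in the post above (an added example, not part of the original post): it groups "Error in page" lines by the host in the reported URL and, for every host outside the site's own list, counts the directories touched and the random 16-hex file names. `OWN_HOSTS`, the `.example` hostnames and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames this site really serves (placeholder values).
OWN_HOSTS = {"www.mysite.example", "mysite.example"}

# Constructed sample notifications, shaped like the one-line errors in the post.
SAMPLE = """\
Error in page https://www.shop.example/store/2acedb3a3f01e5dd.aspx - Message The file '/store/2acedb3a3f01e5dd.aspx' does not exist. Trace
Error in page https://www.shop.example/store/ShoppingCart.aspx - Message The file '/store/ShoppingCart.aspx' does not exist. Trace
Error in page https://www.shop.example/cart/d6fe3be2c41a1bc2.aspx - Message The file '/cart/d6fe3be2c41a1bc2.aspx' does not exist. Trace
Error in page https://www.mysite.example/old/About.aspx - Message The file '/old/About.aspx' does not exist. Trace
Error in page https://mail.corp.example/owa/auth/logon.aspx?url=x&reason=0 - Message The file '/owa/auth/logon.aspx' does not exist.
not an error line
"""

# "Error in page <url> - Message The file '<path>' does not exist."
LINE_RE = re.compile(
    r"^Error in page (\S+) - Message The file '([^']+)' does not exist\."
)
# File names such as 2acedb3a3f01e5dd.aspx: 16 hex characters, no real page name.
RANDOM_LEAF_RE = re.compile(r"^[0-9a-f]{16}\.aspx$", re.IGNORECASE)


def parse_line(line):
    """Return host, directory and file name for one notification, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    url, missing = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    directory, _, leaf = missing.rpartition("/")
    return {
        "host": host,
        "dir": directory or "/",
        "leaf": leaf,
        "random_leaf": RANDOM_LEAF_RE.match(leaf) is not None,
    }


def summarize(text, own_hosts=OWN_HOSTS):
    """Count own-host errors and build per-host stats for every other host."""
    own = 0
    foreign = defaultdict(lambda: {"count": 0, "dirs": set(), "random_leaf": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a notification line
        if rec["host"] in own_hosts:
            own += 1
            continue
        stats = foreign[rec["host"]]
        stats["count"] += 1
        stats["dirs"].add(rec["dir"])
        stats["random_leaf"] += int(rec["random_leaf"])
    return own, dict(foreign)


if __name__ == "__main__":
    own, foreign = summarize(SAMPLE)
    print(f"errors for own hosts: {own}")
    for host, s in sorted(foreign.items()):
        print(f"{host}: {s['count']} errors, dirs={sorted(s['dirs'])}, "
              f"random-named files={s['random_leaf']}")
```

Logging the client IP and the raw Host header next to each error would show where the requests naming another host come from.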

System.Security.SecurityException when setting .NET Trust Level to High

Hello,

I am getting System.Security.SecurityException when setting .NET Trust Level to High in IIS (version 8.0); please refer to the screenshot below for further error details. I am using .NET Framework 4.0.

The web application is working fine in Full .NET Trust Level.

The error below only appears on the pages where I am using the third-party control ABCpdf and our custom-developed component to generate dynamic reports.

Please suggest.

URI Format not supported. The remote server returned an error: (401) Unauthorized.

Hi,

I want to download the document from the URL mentioned below. When I try to download it directly through the IE URL bar, it asks for username and password credentials to open the document.

But when I try to download it through the application, I am getting the error below.

"The remote server returned an error: (401) Unauthorized."

ASP.NET Code:

downloadbutton_click event

Dim URIFile As String = "http://sr1250kl.vrmnet.vrm.intranet/A1/servlet/Download?auth=basic&event_name=k1_view&_file=emparea&id=0000008763&version=01"

Dim client As New WebClient()
' The next two assignments are replaced by the explicit NetworkCredential below.
client.Credentials = CredentialCache.DefaultCredentials
client.UseDefaultCredentials = True
client.Credentials = New NetworkCredential("XXXXXX", "XXXXXXX", "vrmnet.vrm.intranet")
' This is the call that fails with (401) Unauthorized.
Dim buffer As Byte() = client.DownloadData(URIFile)
Dim download As String = Encoding.ASCII.GetString(buffer)
Console.WriteLine(download)
Console.WriteLine("Download successful.")
Response.ContentType = "application/pdf"
Response.AddHeader("content-length", buffer.Length.ToString())
Response.BinaryWrite(buffer)

The above code is not working when I click the download button. Error: "The remote server returned an error: (401) Unauthorized."

How do I download the file?

Group based Authentication through Active Directory - restrict access to secured page

The code below works with my AD account groups and the login page goes to the page I need (mysecurepage.aspx) after I log in using the username and password from the AD group.

However, I'm having a bit of trouble securing the page to prevent the user from being able to access the page through its URL outside of the login. I can't find an answer for this. Can anybody assist?

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    End Sub
    Public Class AllowedADGroup
        Public GroupName As String
        Public AssociatedUserType As String
    End Class

    Public Function UserHasPreferencesAccess(ByVal UserName As String, ByVal Password As String) As Boolean 
        Dim result As Boolean = False
        Dim referringPageName As String = "mystring"
        Dim actualADGroups As List(Of String) = GetGroups(UserName, Password)

        Dim matchingAllowedADGroup As AllowedADGroup = ADgroupsContainAnAllowedGroup(referringPageName, actualADGroups)

        If matchingAllowedADGroup IsNot Nothing Then
            'has a valid group
            result = True
        End If
        Return result
    End Function
    Public Function GetGroups(ByVal UserName As String, ByVal password As String) As List(Of String)
        Dim domainName As String = IPGlobalProperties.GetIPGlobalProperties().DomainName
        Dim context As PrincipalContext = New PrincipalContext(ContextType.Domain, domainName) 
        Dim usr As UserPrincipal = UserPrincipal.FindByIdentity(context, UserName)

        Dim result As New List(Of String)

        'verify credentials first
        If context.ValidateCredentials(UserName, password) = True Then

            ' if found - grab its groups
            If Not usr Is Nothing Then
                Dim groups As PrincipalSearchResult(Of Principal)
              
                groups = usr.GetAuthorizationGroups()
             
                ' iterate over all groups
                For Each p As Principal In groups
                    ' make sure to add only group principals
                    If TypeOf (p) Is GroupPrincipal Then
                        result.Add((CType(p, GroupPrincipal).Name))
                    End If
                Next
            End If
        End If

        Return result

    End Function

    Private Function GetAllowedActiveDirectoryGroups(ByVal requestingProductName As String) As List(Of AllowedADGroup)
        Dim retval As New List(Of AllowedADGroup)

        ' Using blocks close the connection, command and reader even if a call throws.
        Using sqlCon As New SqlConnection(ConfigurationManager.ConnectionStrings("ConString").ConnectionString)
            Using sqlCmd As New SqlCommand("Client.GetAllowedActiveDirectoryGroups", sqlCon)
                sqlCmd.CommandType = CommandType.StoredProcedure
                sqlCmd.Parameters.Add("@RequestingProductName", SqlDbType.VarChar, 50)
                sqlCmd.Parameters("@RequestingProductName").Value = requestingProductName

                sqlCon.Open()
                Using sqlr As SqlDataReader = sqlCmd.ExecuteReader()
                    While sqlr.Read()
                        Dim newADGroup As New AllowedADGroup

                        If Not sqlr.IsDBNull(0) Then newADGroup.GroupName = sqlr.GetString(0)
                        If Not sqlr.IsDBNull(1) Then newADGroup.AssociatedUserType = sqlr.GetString(1)

                        retval.Add(newADGroup)
                    End While
                End Using
            End Using
        End Using

        Return retval
    End Function


    Private Function ADgroupsContainAnAllowedGroup(ByVal nameOfCallingProduct As String, ByVal adGroups As List(Of String)) As AllowedADGroup
        Dim retVal As AllowedADGroup = Nothing

        Dim allowedADGroups As List(Of AllowedADGroup) = GetAllowedActiveDirectoryGroups(nameOfCallingProduct)

        'Check user's AD security groups include one that's allowed e.g. "myPreferenceUsers"
        For Each grp As String In adGroups
            For Each allowedGroup In allowedADGroups
                If String.Compare(grp, allowedGroup.GroupName, True) = 0 Then
                    retVal = allowedGroup
                    Exit For 'Exit inner for
                End If
            Next
            If Not retVal Is Nothing Then
                Exit For
            End If
        Next

        If retVal Is Nothing Then
           
        End If

        Return retVal
    End Function

    Protected Sub btnLogin_Click(sender As Object, e As EventArgs)
        If UserHasPreferencesAccess(txtUserName.Text, txtPassword.Text) Then
            Response.Redirect("~/mysecurepage.aspx")
        Else
            messagebox.Text = "Login failed. Please check your user name and password and try again."
        End If
    End Sub



Remove Server information from HTTP header response?

How do I remove Server information from the HTTP header programmatically? I don't want to use Urlscan or any other tool.

In the Global.asax file's Application_PreSendRequestHeaders event I have the code below:

Response.Headers.Remove("Server");

I tried the same thing in a custom HttpHandler as well, but somehow it doesn't remove the Server information.

How do I fix this problem? From where else is the server information being pushed into the HTTP response?

Using X509Certificate2 to get PrivateKey causes CryptographicException "Invalid provider type specified"

Hi, everyone,

I am developing a web application that uses X509Certificate2 to get a private key from a certification file. Code snippet looks like following:

        public static RSACryptoServiceProvider GetSignProviderFromPfx()
        {
            // Verbatim string: the backslashes in the path are not escape sequences.
            var strFileName = @"c:\cer\mycerfile.pfx";
            var strPassword = "000000";            
            X509Certificate2 pc = new X509Certificate2(strFileName, strPassword, X509KeyStorageFlags.MachineKeySet);
            var ThePivateKey = pc.PrivateKey;

            return (RSACryptoServiceProvider)ThePivateKey;
        }

But the statement pc.PrivateKey causes a System.Security.Cryptography.CryptographicException "Invalid provider type specified". I'm sure the certification file has no problem; it really has a private key. And the property pc.HasPrivateKey also returns true.

The test environment is VS2013, Windows 7.

I also tried the following:

a. I debugged it in VS2013 with IIS Express; the problem occurred.

b. I debugged it on another computer with the same environment as mine; the problem occurred too.

c. I published the application to a server with IIS running on Windows Web Server 2008 R2; it worked fine.

d. I published the application to a Windows Azure website; it also worked fine.

Therefore, I guess the code snippet has no problem. The key reason for the exception may be some problem with the running environment. I checked and compared the read/write rights on the certification file in the different environments; all of them are the same.

Anybody can help?

Thanks.


cross site scripting issue with javascript code behind

We have scanned our site for vulnerabilities. We received a warning message on this code ("StaticPostBackScrollVerticalPosition") for potential cross-site scripting.

What needs to be changed to fix this issue? Please let me know.

    private const string VerticalPosition = "StaticPostBackScrollVerticalPosition";
    private const string ScriptHidden = "document.forms[0].{0}.value";
    private const string SaveScriptName = "StaticPostBackScrollPositionSave";
    private const string LoadScriptName = "StaticPostBackScrollPositionLoad";
    private const string ScriptGetPosition = ScriptHidden + " = (navigator.appName == 'Netscape') ? window.page{1}Offset : document.documentElement.scroll{2};";

    private string GetPositionScript()
    {
        StringBuilder sb = new StringBuilder();

        sb.Append("<script language=\"JavaScript\"> \n");
        sb.Append("function SaveScrollPosition() { \n");
        sb.AppendFormat(ScriptGetPosition, VerticalPosition, "Y", "Top");
        sb.Append("setTimeout('SaveScrollPosition()', 100);");
        sb.Append("} \n");
        sb.Append("SaveScrollPosition(); \n");
        sb.Append("</script> \n");
        return sb.ToString();
    }

    private void ScrollPosition()
    {
        if (!this.ClientScript.IsStartupScriptRegistered(SaveScriptName))
        {
            this.ClientScript.RegisterClientScriptBlock(GetType(), SaveScriptName, GetPositionScript());
            this.ClientScript.RegisterHiddenField(VerticalPosition, "0");
        }
    }

CSRF question

I am investigating a CSRF finding in ASP.NET C# code-behind, as shown in the following code:

LinkButton LinkButtonControl = new LinkButton();
LinkButtonControl.ID = Name;

Now, I feel that the following code using ViewStateUserKey is the right approach:

protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    // Tie view state to the session ID of the authenticated user.
    if (User.Identity.IsAuthenticated)
        ViewStateUserKey = Session.SessionID;
}

However, another person I work with thinks that the HttpUtility.HtmlEncode method is the correct way to solve the problem. First, I don't know if the HttpUtility.HtmlEncode method is the best way, and if so, how would I use it?

Removal of "server" from HTTP Response Headers

Hi everyone,

I am trying to remove the "server" from the HTTP Response Headers through the Global.asax file as shown below, but it is not working. I am using IIS6 and asp.net 2.0.

May I know how I should change it to remove it? Through URLRewrite?

    void Application_Start(object sender, EventArgs e)
    {
        // Code that runs on application startup
    }
   
    protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Remove("Server");
    }

Appreciate for your help.

Thank You.

TLS 1.2 protocol configuration compatibility with Windows OS versions for both .net and classic asp web applications

Hi,

I have one Windows web server running Windows Server 2012 with TLS 1.2 configuration enabled on it. But my applications are giving an error and are not able to connect to my database server with OS 2012, 2008 R2 along with SQL version 2008 R2. The error is as below.

A connection was successfully established with the server, pre- handshake error ssl provider, client and server does not communicate as they do not posses any common algorithm.

Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability

Hi All,

We are having "Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability" on one of our servers. Could you please let me know what the solution is to fix this issue?

Thanks.

WAF is blocking ASP.NET website due to Scriptresource.axd

An ASP.NET site (Framework 3.5, IIS 8.5, Windows Server 2012 R2) with the Ajax Control Toolkit is being blocked by the WAF (Web Application Firewall). Following is the screenshot from the WAF:

WAF

These are signatures from WAF

WAF Signature

I tried disabling the Ajax components on the web page but am still getting the same problem.

Any suggestions?

Your connection is not secure. in Firefox and Chrome

Dear all,

I have marked my project's SSL Enabled as true and added the certificate provided by Microsoft. Then, in MMC, under the computer account, I imported this certificate from Personal to Trusted Root Certification Authorities (to make this certificate a trusted one). But when I tried to run my MVC application's default page, it shows the error "Your connection is not secure" (as mentioned in the subject) in Firefox and Chrome. Could anybody please tell me what steps I need to take to view my site in these browsers without any errors, provided that I use the certificate generated by Visual Studio? I want the HTTPS protocol for this application.

With many thanks

How to fix Cross-Site Scripting: Persistent issues

Hello,

There is a software called Fortify that scans my web code pages and reports that the code below is vulnerable to Cross-Site Scripting: Persistent. I am not sure how to go about fixing it. Any ideas? Thanks.

    public void GetStates()
    {
        DataSet DS = new DataSet();
        string strQuery = "Select * from tbl_State where StateName <> '' order by StateName";
        SqlConnection oConn = new SqlConnection(ConnStr);
        SqlDataAdapter DA = new SqlDataAdapter(strQuery, oConn);
        DA.Fill(DS);  //Line 85 - Cross-Site Scripting: Persistent
        State.Items.Clear();
        State.Items.Add(new ListItem("Select a State", ""));
        foreach (DataRow DR in DS.Tables[0].Rows)
        {
            State.Items.Add(new ListItem(DR["State"].ToString(), DR["StateID"].ToString())); //Line 90 - Cross-Site Scripting: Persistent
        }
    }

Securing EDMX Connection String in Web.Config

Hi,

We have generated the connection string in web.config using the EDMX design model from SQL Server. How do we encrypt or protect the SQL DB credentials within the connection string of the web.config file?
