Channel: Security Vulnerability
Viewing all 317 articles

What security configuration should I use for WCF service?

Hi guys,
I have a C# client application that communicates with a C# backend service via WCF.
I want to make sure that each WCF call made to the service comes from a logged-in user, I mean logged into my client,
and not from any hacker. How can I configure this? Thanks for your answer!

WCF Security


Hi all, I'm not sure if this is the appropriate forum for my questions, but here goes. Suppose I have an app that uses WCF to send and receive text messages and image files across the web, and the service needs to be able to go through firewalls. Based on those requirements, I have just three questions:

  1 - Which binding should I use?

  2 - What would be my best security option?

  3 - How do I make sure my data are secure?

Thanks in advance for your reply.

How to prevent POST and GET parameters collapsed into a single collection in ASP.Net


I have an ASP.NET WebForms application (.NET Framework 4.5) running on a client's server. A recent security audit indicates that the application collapses the POST and GET parameters into a single collection and that this is a flawed design pattern from a security standpoint.

The audit further indicates that, using interceptors, it is possible to change the method type to GET, which is unsafe as the information is appended to the URL and can be easily tampered with.

So, instead of allowing the user to log in with the modified request, he/she should have been redirected to the login page/error page.


Strange IP Addresses and Service Providers


In my analytics, I'm seeing hits to my websites.

Many of them are government IP addresses such as the DOD (Department of Defense)

I also have this information that I don't understand

[ipv4 address block not managed by the ripe ncc]

What is this? Should I be concerned?

Same auth cookie send to different users


Hello,

First I want to apologize for posting a new question in Visual Studio General Questions, but I cannot see an ASP.NET forum. I would like to ask you if there is someone who has solved a problem with the auth cookie.

We have two IIS servers and a load balancer which switches users between these servers. We use Forms authentication to log users in. At login an auth cookie is created and sent back to the browser (client). When the user makes a request, this cookie is sent back to the server and the user is authenticated. It works fine. But there are some situations when a user is switched to the context of another user. I don't understand how. "User is switched" means that the user is logged in as another user.

I took a long time to investigate it and to learn about cookie authentication. I think there must be some place where the cookie from another user is sent back to a different user. But there is only one place where the auth cookie is sent back to the client. This is the login page.

My question is whether this behavior could be caused by the IIS servers.

Thank you.

asp button with single click and not multiple clicks


I have a "next" button which grays out after clicking next, so the screen reader reads "NEXT IS DISABLED". How can I stop the screen reader from reading "NEXT IS DISABLED"? I tried aria-hidden=true or aria-disabled=true but it did not work. Please advise. Thanks.

--

<asp:Label ID="lblNext" runat="server" Text="&nbsp;" Visible="False" />
<GSI:GSIButton ClickOnce="true" ID="btnNext" runat="server" aria-disabled="true" CssClass="formbutt" OnClick="GotoNextPage" Text="<%$ Resources: Resource, _Next %>" aria-label="<%$ Resources:Resource,lbtnNext %>" />

Protected Sub GotoNextPage(ByVal sender As Object, ByVal e As System.EventArgs)
    _GoNextEventHandler.Invoke(sender, e)
End Sub

Public Property ClickOnce As Boolean
    Get
        Return _ClickOnce
    End Get
    Set(value As Boolean)
        _ClickOnce = value
    End Set
End Property

Private Sub EmitClickOnceJS()
    If ClickOnce Then
        Dim js As New StringBuilder

        'function to disable the button if it was the element which caused the postback
        js.AppendLine("<script type='text/javascript'>")
        js.AppendFormat("function DisableButton_{0}()", Me.ClientID)
        js.AppendLine("{")
        js.AppendFormat(" if(document.activeElement.id=='{0}') document.getElementById('{0}').disabled=true;", Me.ClientID)
        js.AppendLine()
        js.AppendLine("}")

        'ensure this function is called when posting back, using beforeunload
        js.AppendFormat("$(window).on('beforeunload',DisableButton_{0})", Me.ClientID)
        js.AppendLine()

        'async begin request: disable if this button was the cause of the postback
        js.AppendLine("var postbackElement;")
        js.AppendLine("$(document).ready(function(){")
        js.AppendLine(" try {")
        js.AppendLine("         Sys.WebForms.PageRequestManager.getInstance().add_beginRequest(function(sender,args)")
        js.AppendLine("         {")
        js.AppendLine("          postbackElement = args.get_postBackElement();")
        js.AppendFormat("        if(postbackElement.id=='{0}') document.getElementById('{0}').disabled=true;", Me.ClientID)
        js.AppendLine("         });")
        js.AppendLine("     }catch(e){}")
        js.AppendLine("});")

        'async end request: re-enable if this was the button which caused the postback
        js.AppendLine("$(document).ready(function(){")
        js.AppendLine(" try {")
        js.AppendLine("         Sys.WebForms.PageRequestManager.getInstance().add_endRequest(function(sender,args)")
        js.AppendLine("         {")
        js.AppendFormat("           if(postbackElement.id=='{0}') document.getElementById('{0}').disabled=false;", Me.ClientID)
        js.AppendLine("         });")
        js.AppendLine("     }catch(e){}")
        js.AppendLine("});")
        js.AppendLine("</script>")

        'register the js
        If Not Page.ClientScript.IsClientScriptBlockRegistered(String.Format("disable{0}", Me.ClientID)) Then
            Page.ClientScript.RegisterClientScriptBlock(Page.GetType, String.Format("disable{0}", Me.ClientID), js.ToString())
        End If

    End If

End Sub
 

Azure DevOps best practices


Hi. What's the most secure way to set up Visual Studio with Azure DevOps? The best case scenario is that my users CANNOT download code to their personal computers.

Thanks for the feedback!


Forms Authentication cookie is expired too soon


We are setting auth cookie as follows:

var authTicket = new FormsAuthenticationTicket(
    1,
    principal.Email,
    DateTime.Now,
    DateTime.Now.AddMinutes(1200),
    false,
    JsonConvert.SerializeObject(principal),
    FormsAuthentication.FormsCookiePath
);
var enTicket = FormsAuthentication.Encrypt(authTicket);
var cookies = new HttpCookie(FormsAuthentication.FormsCookieName, enTicket)
{
    Expires = DateTime.Now.AddMinutes(1200)
};
response.Cookies.Add(cookies);

This cookie expires in 10 mins. Windows log viewer says:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.

Any ideas what can happen and how to fix that?

How to prevent Stored XSS issue with javascript and html injection using fiddler..See the below scenario explained


We have an ASP.NET application with lots of .aspx forms, built using .NET Framework 4.0.

We have a form where the user can enter text in a textbox, and we are validating the textbox with validation controls. The value the user enters is saved to SQL Server on button click, then fetched and displayed on the screen. So far so good.

Now what happens is that the user enters text in the textbox and clicks the save button, and the payload is captured in Fiddler and modified by injecting JavaScript.

Let's say the user enters "welcome" in the textbox, but in Fiddler we append a script payload like

"welcome %uff1cscript%uff1ealert(XSS);%uff1c/script%uff1e"

Before saving it we are encoding the above and saving it into the database; while displaying we are decoding it and showing it in the UI,

and in the UI it shows "welcome<script>alert(xss)</script>" and it does not show any alert, since we are doing encoding and decoding.

But we don't want to show the injected value.

How to prevent that?

1) Is it possible to invalidate the request if it is modified by Fiddler? If yes, how can we check whether the request payload is modified or not?

2) We want to redirect to an error page if a script payload is injected along with the actual payload, because we don't want to save that in the database.

3) Is it possible to validate whether injection happened or not in the code-behind?

4) How can we check whether the text has HTML and JavaScript? Is there any regular expression available to validate whether the text has JavaScript or HTML?

Please help

Column encryption as part of vulnerability scanning of ASP.Net project


My project has to be scanned by software called 'Checkmarx', and it lists out vulnerabilities and how to fix them. Two of them are "Missing_Column_Encryption" and "Insufficient_Connection_String_Encryption", where it says the SQL data that is being worked with needs to be encrypted. But when I add the suggested remediation, essentially enabling column encryption like this, for example:

string connectionString = "Data Source=server63; Initial Catalog=Clinic; Integrated Security=true; Column Encryption Setting=enabled";

It fails to pull in data, which must be because of the encrypted values. I think I would need to add some other code on the server side? Does anyone know how to properly implement SQL column encryption?

Thanks!

JQuery.Unobtrusive-Ajax.js detected as JavaScript Hijacking: Vulnerable Framework


Hi, I'm using JQuery.Unobtrusive-Ajax.js for our MVC apps. It makes development faster and easier. But when we do a security scan (OWASP) using Fortify, it is detected as a low vulnerability on lines 144, 156 and 201, titled "JavaScript Hijacking: Vulnerable Framework". If you think those are just false positives, please help with your official justification for this. Thank you

C# Aes Crypto implementation to Javascript


I have Rijndael-based C# code. I try to encrypt in C# with Rijndael and decrypt in JavaScript (CryptoJS). But I can't match the encrypted values. I have tried lots of things but nothing worked.

Here is my c# code:

 public string GenerateKey () {
        string EncodeAes (string key, string input) {
            var aes = GetCryptoParams (key);
            var plainBytes = Encoding.UTF8.GetBytes (input);
            //Key will be Base64 String -- oo
            return Convert.ToBase64String (AesEncrypt (plainBytes, aes));
        }
        RijndaelManaged GetCryptoParams (string key) {
            // key bytes: the UTF-8 bytes of the key string copied into a zero-filled
            // 16-byte array, so the key is truncated or zero-padded to 16 bytes
            var keyBytes = new byte[16];
            var secretKeyBytes = Encoding.UTF8.GetBytes (key);
            Array.Copy (secretKeyBytes, keyBytes, Math.Min (keyBytes.Length, secretKeyBytes.Length));
            var aes = new RijndaelManaged {
                Mode = CipherMode.CBC,
                Padding = PaddingMode.PKCS7,
                KeySize = 128,
                BlockSize = 128,
                Key = keyBytes,
                IV = keyBytes // the IV is the key itself, so equal plaintexts under one key encrypt identically
            };

            return aes;
        }
        byte[] AesEncrypt (byte[] plainBytes, RijndaelManaged rijndaelManaged) {
            return rijndaelManaged.CreateEncryptor ()
                .TransformFinalBlock (plainBytes, 0, plainBytes.Length);
        }
        return EncodeAes ("qwertasdfgzxcvbn", RandomPassword.Generate (16));
    }

    // POST api/values
    [HttpPost]
    public HttpResponseMessage GetEncDecText ([FromBody] encRequest req) {
        string EncodeAes (string key, string input) {
            var aes = GetCryptoParams (key);
            var plainBytes = Encoding.UTF8.GetBytes (input);
            return Convert.ToBase64String (AesEncrypt (plainBytes, aes));
        }
        string DecodeAes (string key, string thisDecode) {
            var aes = GetCryptoParams (key);
            try {
                var encryptedBytes = Convert.FromBase64String (thisDecode);
                return Encoding.UTF8.GetString (AesDecrypt (encryptedBytes, aes));
            } catch {
                return null;

            }

        }
        RijndaelManaged GetCryptoParams (string key) {
            var keyBytes = new byte[16];
            var secretKeyBytes = Encoding.UTF8.GetBytes (key);
            Array.Copy (secretKeyBytes, keyBytes, Math.Min (keyBytes.Length, secretKeyBytes.Length));
            var aes = new RijndaelManaged {
                Mode = CipherMode.CBC,
                Padding = PaddingMode.PKCS7,
                KeySize = 128,
                BlockSize = 128,
                Key = keyBytes,
                IV = keyBytes
            };

            return aes;
        }
        byte[] AesEncrypt (byte[] plainBytes, RijndaelManaged rijndaelManaged) {
            return rijndaelManaged.CreateEncryptor ()
                .TransformFinalBlock (plainBytes, 0, plainBytes.Length);
        }
        byte[] AesDecrypt (byte[] encryptedData, RijndaelManaged rijndaelManaged) {
            return rijndaelManaged.CreateDecryptor ()
                .TransformFinalBlock (encryptedData, 0, encryptedData.Length);
        }

    }

And here is my javascript code:

var serverEncText = "P+KvsN/m3qOc8egIkqyi4w==";
var secretKey = "7YIOB9NooY225lP6CRSqKQ0KiluAF/6cYn3kFXvJkS0=";

var decryptData2 = function(encryptedData) {
  var Key = CryptoJS.enc.Base64.parse(secretKey);
  var IV = CryptoJS.enc.Utf8.parse("0123456789ABCDEF"); // fixed IV; the C# side uses the key bytes as the IV
  var decryptedText = CryptoJS.AES.decrypt(encryptedData, Key, {
      keySize: 128 / 8,
      BlockSize: 128,
      iv: IV,
      mode: CryptoJS.mode.CBC,
      padding: CryptoJS.pad.Pkcs7
  });

  return decryptedText.toString(CryptoJS.enc.Utf8)
}

var result = decryptData2(serverEncText);
console.log(result, "result");

The backend works awesome: "secretKey" is my generated C# key and "serverEncText" is my C# encoded text. But when I try this in JavaScript it always returns an empty string.

How do I resolve it?

Dot Net Core 2.2 Sign Out issue


We have a .NET Core 2.2 MVC application integrated with Azure AD for user authentication. User authentication and sign out are working as expected.

But if we copy the cookies .AspNetCore.AzureADCookie, .AspNetCore.AzureADCookieC1 and .AspNetCore.AzureADCookieC2 from the authenticated browser session using the EditThisCookie extension and log out, then import those copied cookies back into the browser, we are able to access the application. The application trusts the cookies and logs in automatically.

I'm using the Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package.

Is this behavior expected?

Insecure Transport Vulnerability (LUCKY13 - Potentially vulnerable and BREACH - Potentially vulnerable)


I am working as a full stack developer. The following vulnerability was reported by our security team.

Environment - IIS 7, ASP.NET Web Pages, ASP.NET MVC, .NET Framework 4.6

Any hint or resources to address this vulnerability?

Vulnerability Description: The application's SSL/TLS has several flaws. A successful attack on a security protocol that is designed to protect you defies its purpose and jeopardizes the integrity, confidentiality and authenticity of the information transmitted.

By performing SSL/TLS analysis, the following issues have been noted.

TLS_FALLBACK_SCSV Support : NO

LUCKY13 - Potentially vulnerable

BREACH - Potentially vulnerable


Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment is not removing img tag


Hello,

I need to remove the img tag as well with the GetSafeHtmlFragment function, but it is not removing it.

Does anyone have an idea how to remove the img tag? Is there a whitelist or blacklist?

Can we make our own customized blacklist for tags?

Which user account to use


Hello there,

In my .NET MVC web application, users can upload and download files. The web application runs on ServerX, but since it doesn't have enough disk space, the uploaded files are stored in a folder called "FT" on ServerY. If I give the Everyone account change and read permission on this FT folder, all works well. I hesitate to use the Everyone account since it gives everyone access to the file folder.

What account can I use that would give the web application running on ServerX permission to access the file folder on ServerY?

Joe

jquery directory not found when these response.headers are in code (in prod)


Hello,

I am using .NET Core 2.2 - MVC Framework. I had put in this security code, which works well in dev, but in prod it does not seem to read the jQuery lib and throws off the whole page. If I remove it, the app works fine in dev and prod.

Code

Startup.cs

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts(); //commented 2019.10.28 for deployment purposes
    }

    //******* this stops the deployed website from reading jquery; ok in dev
    //app.Use(async (context, next) =>
    //{
    //    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    //    context.Response.Headers.Add("X-Frame-Options", "DENY");
    //    context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
    //    context.Response.Headers.Add("Content-Security-Policy",
    //        "script-src 'self'; " +
    //        "style-src 'self'; " +
    //        "img-src 'self'");
    //    await next();
    //});
}

Please advise.

thanks,

tinac99
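Added example, not from the post or from ASP.NET Core: a small JavaScript checker for the script-src directive of the header above. It assumes the production layout loads jQuery from a CDN while Development serves it from /lib, as the default ASP.NET Core 2.2 template layout does; the page origin and script URLs are constructed, and the checker goes beyond the post's policy to scheme, wildcard and port sources.

```javascript
// Added example (not from the post or ASP.NET Core): a checker for the script-src
// directive of a Content-Security-Policy header. It handles 'self', 'none', scheme
// sources, host sources with optional scheme, a leading "*." wildcard and a port;
// nonces, hashes and path matching are left out.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression allow `url` on a page served from `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (target.protocol !== scheme + ":") return false;
  } else if (target.protocol !== page.protocol &&
             !(page.protocol === "http:" && target.protocol === "https:")) {
    return false; // no scheme given: the page's own scheme, or an https upgrade of it
  }
  const h = target.hostname.toLowerCase();
  if (wildcard ? !h.endsWith("." + host) : h !== host) return false;
  const targetPort = target.port || defaultPort(target.protocol);
  return !port || port === "*" || port === targetPort;
}

// script-src falls back to default-src; with neither present, scripts are unrestricted.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true;
  return sources.some((src) => sourceMatches(src, scriptUrl, pageOrigin));
}

// Returns the script URLs the browser would refuse to run under the given header.
function blockedScripts(header, pageOrigin, scriptUrls) {
  return scriptUrls.filter((u) => !scriptAllowed(header, u, pageOrigin));
}

// Constructed sample: the post's policy, an assumed page origin, and the two places
// the default ASP.NET Core layout loads jQuery from (local in Development, a CDN otherwise).
const POLICY_FROM_POST = "script-src 'self'; style-src 'self'; img-src 'self'";
const PAGE_ORIGIN = "https://app.example.com";
const LOCAL_JQUERY = "https://app.example.com/lib/jquery/dist/jquery.min.js";
const CDN_JQUERY = "https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.3.1.min.js";
```

Under the post's policy blockedScripts lists only the CDN copy, which is why the page breaks in production and not in dev; adding the CDN host (or serving jQuery locally in all environments) keeps the policy while letting the script load.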

How to prevent Cross-Site Scripting (XSS) in ASP.NET Core?


There is a link for preventing XSS in .NET Core 2.1.

It uses some code like the below, which I don't understand at all.

services.AddSingleton<HtmlEncoder>(
     HtmlEncoder.Create(allowedRanges: new[] { UnicodeRanges.BasicLatin,
                                               UnicodeRanges.CjkUnifiedIdeographs }));

But it is for Razor, and I don't use Razor. My front end is using Angular.

So how do I apply it to prevent XSS in .NET Core 2.1?

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        var connectionString = Configuration["myConnectionString"];
        services.AddCors();
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
        services.AddDbContext<MyDbContext>(options => options.UseSqlServer(connectionString));
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            app.UseHsts();
        }
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthorization();
    }
}

Thanks.

how to encrypt and decrypt password in asp.net while using MongoDB ??


I'm making a login page with MongoDB as the database, but I am not understanding how to encrypt and decrypt the password. Can anyone help??
