I have been searching the internet for over an hour and can only find client-side discussions on my latest scan finding. What I am receiving is a finding that a method uses the Read() method and, because it ignores the value returned, could cause the program to overlook unexpected states and conditions. If anyone can explain, in a small amount of detail, and possibly recommend a fix, that would be great. The function is below:
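The poster's function did not survive on this page. As an added illustration (not the poster's code, and not tied to any particular scanner), the following shows the pattern this class of finding flags and the checked form a reviewer would ask for. DribbleStream is a constructed stand-in for a stream that returns fewer bytes than requested, which Stream.Read is allowed to do.

```csharp
using System;
using System.IO;

// Added example, not the poster's function. Shows why a scanner flags
// Stream.Read() calls whose return value is ignored, and the checked form.
public static class CheckedRead
{
    // Flagged pattern: assumes Read() filled the whole buffer. Stream.Read may
    // return fewer bytes than requested (network streams do this routinely) and
    // returns 0 at end of stream; both cases go unnoticed here.
    public static byte[] ReadHeaderUnchecked(Stream input, int headerLength)
    {
        var buffer = new byte[headerLength];
        input.Read(buffer, 0, buffer.Length); // return value discarded
        return buffer;                         // tail may still be all zeros
    }

    // Checked form: loop until the requested number of bytes has arrived and
    // treat a 0 return (end of stream) as an error instead of silently
    // continuing with a short, zero-padded buffer.
    public static byte[] ReadHeaderChecked(Stream input, int headerLength)
    {
        var buffer = new byte[headerLength];
        int total = 0;
        while (total < buffer.Length)
        {
            int read = input.Read(buffer, total, buffer.Length - total);
            if (read == 0)
            {
                throw new EndOfStreamException(
                    $"Expected {buffer.Length} bytes, stream ended after {total}.");
            }
            total += read;
        }
        return buffer;
    }

    // Constructed input: a stream that hands out at most two bytes per call,
    // imitating a slow network stream over a small payload.
    private sealed class DribbleStream : MemoryStream
    {
        public DribbleStream(byte[] data) : base(data) { }
        public override int Read(byte[] buffer, int offset, int count)
            => base.Read(buffer, offset, Math.Min(count, 2));
    }

    public static void Main()
    {
        byte[] payload = { 1, 2, 3, 4, 5, 6, 7, 8 }; // constructed sample data

        byte[] bad = ReadHeaderUnchecked(new DribbleStream(payload), 8);
        Console.WriteLine("unchecked: " + BitConverter.ToString(bad));

        byte[] good = ReadHeaderChecked(new DribbleStream(payload), 8);
        Console.WriteLine("checked:   " + BitConverter.ToString(good));

        try
        {
            ReadHeaderChecked(new DribbleStream(new byte[] { 9, 9, 9 }), 8);
        }
        catch (EndOfStreamException ex)
        {
            Console.WriteLine("truncated: " + ex.Message);
        }
    }
}
```

Run against the dribbling stream, the unchecked variant returns a buffer with only its first two bytes filled and the rest still zero, while the checked variant either returns the full payload or throws on a truncated one; the fix the scanner wants is the loop plus the end-of-stream check, not merely assigning the return value to a variable.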
I have run into an issue: when my web application's web.config compilation debug setting is set to true, I get a vulnerability finding on a security scan.
<compilation debug="true" targetFramework="4.0" />
What I want to determine is whether there is a way to have some type of web.config conditional block change the debug setting so that debug builds and release builds each use the correct value. I have read that setting the property in each web page itself will do this, but I don't know whether this is in fact true, or whether there are any problems with it.
Alternatively, on your production server, you can set a machine-wide configuration switch which disables debug compilation, trace output, and remote detailed error messages for all ASP.NET code on the server:
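As an added example (not part of either post), the three places where the debug flag can be controlled: the per-application web.config the scanner flagged, a Web.Release.config transform that strips the attribute on release builds (which answers the conditional-block question; the transform is applied at publish time by the Web.config transformation feature of the web publishing pipeline), and the machine-wide deployment switch the answer above refers to. The file boundaries are marked in comments; these are three separate fragments, not one document.

```xml
<!-- web.config (per application): the value the scanner flagged, and the value
     a production deployment should carry. -->
<configuration>
  <system.web>
    <!-- flagged: debug="true" ships symbols, disables request timeouts and
         produces verbose error output -->
    <compilation debug="false" targetFramework="4.0" />
  </system.web>
</configuration>

<!-- Web.Release.config: transform applied when publishing the Release
     configuration. Removes the debug attribute so the framework default
     (false) applies, while the Debug configuration keeps debug="true". -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <compilation xdt:Transform="RemoveAttributes(debug)" />
  </system.web>
</configuration>

<!-- machine.config on the production server (the copy for the framework
     version in use): the machine-wide switch. It forces debug compilation off,
     disables trace output and turns off remote detailed error messages for
     every ASP.NET application on the box, whatever each web.config says. -->
<configuration>
  <system.web>
    <deployment retail="true" />
  </system.web>
</configuration>
```

The transform handles the build-versus-release concern at publish time; the retail switch is the safety net for the case where a web.config with debug="true" is deployed anyway, and a scan that still flags the application after retail="true" is set is most likely reading the web.config text rather than the effective configuration.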
I have a scan finding and hope someone can provide any ideas as to the best ways to resolve the issue. First I will show the scan finding, then my code, and finally the scanner's recommended solution.
Without proper access control, the method GetAttributeKey() in Provider.cs can execute a SQL statement on line 163 that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.
Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.
public string GetAttributeKey(string attribute)
{
    string qry = "SELECT ws_attribute_key FROM webservice_attributes WHERE ws_attribute = @attribute";
    QueryContainer Instance = new QueryContainer(qry);
    MyParam myParam = new MyParam();
    myParam.SqlParam = new SqlParameter("@attribute", Instance.AddParameterType(_DbTypes._string));
    myParam.SqlParam.Value = attribute;
    // (the step that attaches myParam to Instance is not shown in the post)
    object key = ExecuteScaler(Instance);
    return key == null ? null : key.ToString();
}
Scanner's recommended fix:

string user = ctx.getAuthenticatedUserName();
Int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand(
    "SELECT * FROM invoices WHERE id = @id AND user = @user", conn);
query.Parameters.Add("@id", SqlDbType.SmallInt).Value = id;
query.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = user;
SqlDataReader objReader = query.ExecuteReader();
This finding was determined to be changed to a mitigated warning and was removed as a valid finding. Showing that the caller needs rights to call the method when they are logged into the system is a false finding.
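For reference, the shape the scanner's recommendation describes (the authenticated caller becomes a predicate of every query, so the data layer enforces ownership even if a method-level check is bypassed) next to the original unscoped lookup. This is an added example, not the thread's code: the ws_owner column is an assumption, since the page does not show the table's schema, and the commands are built but never executed, so no database is needed to compile or read it. System.Data.SqlClient is assumed to be available.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the thread's code. Shows the scanner's recommended shape
// (the authenticated caller is part of every query) next to the original
// unscoped lookup. Commands are built but not executed here.
public static class ScopedQueries
{
    // Original shape: the row is selected on a caller-controllable value alone.
    public static SqlCommand BuildUnscoped(SqlConnection conn, string attribute)
    {
        var cmd = new SqlCommand(
            "SELECT ws_attribute_key FROM webservice_attributes WHERE ws_attribute = @attribute", conn);
        cmd.Parameters.Add("@attribute", SqlDbType.NVarChar, 128).Value = attribute;
        return cmd;
    }

    // Recommended shape: the caller's identity, taken from the server-side
    // principal and never from the request, is a second predicate. The column
    // name ws_owner is an assumption; the page does not show the table's schema.
    public static SqlCommand BuildScoped(SqlConnection conn, string attribute, string authenticatedUser)
    {
        if (string.IsNullOrEmpty(authenticatedUser))
            throw new InvalidOperationException("query requires an authenticated caller");

        var cmd = new SqlCommand(
            "SELECT ws_attribute_key FROM webservice_attributes " +
            "WHERE ws_attribute = @attribute AND ws_owner = @user", conn);
        cmd.Parameters.Add("@attribute", SqlDbType.NVarChar, 128).Value = attribute;
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = authenticatedUser;
        return cmd;
    }

    // Executes a scoped lookup against an open connection. A missing row and a
    // row owned by someone else look the same to the caller, which is the point.
    public static string GetAttributeKey(SqlConnection conn, string attribute, string authenticatedUser)
    {
        using (var cmd = BuildScoped(conn, attribute, authenticatedUser))
        {
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : result.ToString();
        }
    }

    public static void Main()
    {
        // Constructed connection string; the connection is never opened here.
        using (var conn = new SqlConnection("Server=(local);Database=placeholder;Integrated Security=true"))
        {
            foreach (var cmd in new[] { BuildUnscoped(conn, "api_key"), BuildScoped(conn, "api_key", "alice") })
            {
                Console.WriteLine(cmd.CommandText);
                foreach (SqlParameter p in cmd.Parameters)
                    Console.WriteLine($"  {p.ParameterName} ({p.SqlDbType}) = {p.Value}");
            }
        }
    }
}
```

Whether the thread's finding is a true positive depends on what webservice_attributes holds: if a row is not tied to any one caller (a shared lookup table), there is no owner to scope on and the mitigated-warning outcome is correct; if rows belong to specific tenants or users, the scoped form is the durable fix, because it does not depend on every calling method remembering to check rights first.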
I'm planning another social-network-like website, with ASP.NET C# for the back end, and I'm having good feelings about the new stuff in MVC 6 and .NET Framework 6, but I'm squeezing my brain choosing the best technology for my purposes.
I will of course need an entire front-end website, so I may need to use MVC 6, but I want to make several mobile clients too, through a RESTful Web API.
I was wondering whether I should simply use a Web API project for the back end plus AngularJS for the front end, but I really don't like the way AngularJS exposes some "server-side" things, such as the route table.
So the question is: should I use a classic MVC project (with normal controllers + Razor views) AND, separately, Web API controllers for the mobile applications? Or maybe Web API + AngularJS?
PS: I don't want to repeat the logic in normal controllers and in Web API controllers.
Since you are going to use ASP.NET MVC 6, do not worry about different standards. ASP.NET MVC 6 is composed of:
- ASP.NET MVC: a very popular web development framework.
- ASP.NET Web Pages: known for its compact structure and easy deployment.
- ASP.NET Web API: known for robust and efficient REST solutions.
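An added example, not from the thread, of what that unification buys in practice: the business logic lives in one service, and the Razor site and the mobile REST clients are two thin controllers over it, so nothing is repeated. MVC 6 shipped as ASP.NET Core MVC; the controller, routing and result types used here are the ASP.NET Core ones, and Post, IPostService and the in-memory implementation are constructed for the example.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Mvc;

// Added example (not from the thread). One service holds the logic; the Razor
// site and the REST API are two faces over it, so nothing is duplicated.
public sealed class Post
{
    public int Id { get; set; }
    public string Author { get; set; } = "";
    public string Body { get; set; } = "";
}

public interface IPostService
{
    IReadOnlyList<Post> Feed(string forUser);
    Post Find(int id, string forUser);
}

// Constructed in-memory implementation. A real one would query the database
// and scope rows to the caller, as the scan-finding thread on this page discusses.
public sealed class InMemoryPostService : IPostService
{
    private readonly List<Post> _posts = new List<Post>
    {
        new Post { Id = 1, Author = "alice", Body = "hello" },
        new Post { Id = 2, Author = "bob", Body = "hi" },
    };
    public IReadOnlyList<Post> Feed(string forUser) => _posts;
    public Post Find(int id, string forUser) => _posts.FirstOrDefault(p => p.Id == id);
}

// Browser-facing: returns a Razor view over the same data.
public class FeedController : Controller
{
    private readonly IPostService _posts;
    public FeedController(IPostService posts) => _posts = posts;

    [HttpGet("/feed")]
    public IActionResult Index() => View(_posts.Feed(User.Identity?.Name ?? ""));
}

// Mobile-facing: same service, JSON out. There is no logic here to drift.
[ApiController]
[Route("api/feed")]
public class FeedApiController : ControllerBase
{
    private readonly IPostService _posts;
    public FeedApiController(IPostService posts) => _posts = posts;

    [HttpGet]
    public ActionResult<IReadOnlyList<Post>> Get()
        => Ok(_posts.Feed(User.Identity?.Name ?? ""));

    [HttpGet("{id:int}")]
    public ActionResult<Post> Get(int id)
    {
        var post = _posts.Find(id, User.Identity?.Name ?? "");
        return post == null ? (ActionResult<Post>)NotFound() : Ok(post);
    }
}

// Assumed host wiring (Startup or Program):
//   services.AddControllersWithViews();
//   services.AddSingleton<IPostService, InMemoryPostService>();
//   app.MapControllers();
```

The route table concern from the question does not arise here: the mobile clients only see the URLs of the API endpoints they call, and the Razor controller's routes are never shipped to a client-side framework.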
One thing to try is a Response.Clear at the start of your page_load event and Response.End at the end of it. If that doesn't work use Fiddler to look at the request for the image and see what the response is, it might shed some light on what the problem is, especially if you compare it against a request for a static image.
You need to validate the filename passed in the query-string. You only want the code to be used to read images directly within the specified path, but it could currently be used to read images anywhere on the server.
You should also use Path.Combine to combine the folder path and file name:
Dim filename As String = Request.QueryString("filename")
If String.IsNullOrEmpty(filename) OrElse filename.IndexOfAny(System.IO.Path.GetInvalidFileNameChars()) <> -1 Then
    Throw New HttpException(400, "Bad request")
End If
Dim width As Integer = Integer.Parse(Request.QueryString("width"))
Dim serverPath As String = Server.MapPath("~/images/")
Dim imagePath As String = System.IO.Path.Combine(serverPath, filename)
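The invalid-character check above rejects path separators, but a bare ".." passes it, and the set of invalid characters is smaller on non-Windows hosts. The added example below (not from the thread, and written in C# to match the rest of this page rather than the thread's VB.NET) keeps the character filter and adds the check a reviewer would ask for: canonicalise the combined path and confirm it is still a direct child of the image directory. ResolveImagePath and the sample root are constructed for the example; nothing is read from disk.

```csharp
using System;
using System.IO;

// Added example, not from the thread (the thread's snippet is VB.NET; this
// shows the same check in C# plus a canonical-path containment check).
public static class ImagePathGuard
{
    // Returns the absolute path of the requested image if, and only if, it is
    // a plain file name directly inside imageRoot. Throws ArgumentException otherwise.
    public static string ResolveImagePath(string imageRoot, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName))
            throw new ArgumentException("filename is required");

        // Reject separators and other characters that cannot appear in a file
        // name; on Windows this is exactly what the thread's IndexOfAny check does.
        if (requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("filename contains invalid characters");

        // "." and ".." pass the character filter but are directories, not files.
        if (requestedName == "." || requestedName == "..")
            throw new ArgumentException("filename is not a file");

        // Canonicalise both sides and check containment instead of trusting the
        // input; this also covers hosts whose invalid-character set is smaller.
        string root = Path.GetFullPath(imageRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requestedName));

        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("filename escapes the image directory");

        // Only accept a direct child; subdirectories were not part of the contract.
        if (!string.Equals(Path.GetFileName(full), requestedName, StringComparison.Ordinal))
            throw new ArgumentException("filename must be a plain file name");

        return full;
    }

    public static void Main()
    {
        // Constructed sample root; the directory need not exist.
        string root = Path.Combine(Path.GetTempPath(), "images");

        foreach (string candidate in new[] { "logo.png", "..", "../web.config", "sub/x.png", "" })
        {
            try
            {
                Console.WriteLine($"{candidate,-16} -> {ResolveImagePath(root, candidate)}");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine($"{candidate,-16} -> rejected: {ex.Message}");
            }
        }
    }
}
```

In an ASP.NET handler the ArgumentException would be translated to the same HttpException(400) the thread uses; the containment check is what makes the 400 a guarantee rather than a property of the current operating system's file-name rules.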
I have two methods in a single service, shown below. I will host this service in IIS, and I will have only one service URL. The client will consume this service by creating the proxy class as usual. But Method1 should only be displayed to Client A, and Method2 should only be displayed to Client B. How can I overcome this scenario? Can you please clarify my doubt? Thanks in advance.
string Method1(string id); //This method should be displayed to Client A only
string Method2(string id); //This method should be displayed to Client B only
I can see it now....task given to Employee A who thinks "I'll just ask on CP". Doesn't get a simple "here is the code" answer as the requirement is essentially flawed, so he can't do his task. Task is taken off him and given to Employee B. Employee B thinks "I'll just ask on CP" ....
Don't edit spam in QA, even to add a "Spam" tag.
When you do, you risk the automated system thinking you are the author and you getting the "spammer" votes.
And if you edit it to remove the spam, then you can confuse the spam detector which results in more "false positives" when it picks up "spam / abuse" kicks later.
The best thing to do is to hit the "spam" flag and / or report it in the Spam and Abuse forum; a Protector or Staff member will delete it.