I have read the following article:
https://msdn.microsoft.com/en-us/library/bb355989.aspx
Now this article allows me to understand XSS vulnerability defense for a webpage that is statically made up of ASP and HTML controls built on a webpage in true markup layout fashion. I now understand that control input should not only be validated server side, but should also be validated for length, range, format and type. The question I have is that I am trying to sanitize a website where the page layout controls are built onto the DOM dynamically when the page loads. For example, on the page load event, methods add controls to the document object one at a time in the method that builds the entire webpage during that calling method. Also, control event handling is done by methods that send concatenated JavaScript strings, during page load, as output to the page that handle page control events. I guess my question is, how do I use ASP.NET validation controls, regex checking, etc. functionally when everything, the DOM and the JavaScript event handling, is built on the loading of the webpage? For example, adding controls in the following fashion:
<pre>
private void CreateControls(ControlCollection cc)
{
    if (RadScriptManager.GetCurrent(_contextPage) == null)
    {
        RadScriptManager rsm = new RadScriptManager();
        rsm.ID = "scriptManager";
        cc.Add(rsm);
    }
}
</pre>
-- modified 14-Jun-15 13:45pm.
I am new to repairing security vulnerability on ASP .NET code. Can someone give me links to on-line reference material where someone new like me can learn the process?
Good day all,
I have a Web API with a controller like this:
<pre>
public class RegistrationController : ApiController
{
    [System.Web.Http.AcceptVerbs("GET", "POST")]
    [System.Web.Http.HttpGet]
    public int Get([FromBody]Registration model)
    {
        try
        {
            GetMyContact.Services.Database.Database db = new Database.Database();
            db.RegisterUser(model);
            var response = Request.CreateResponse<string>(HttpStatusCode.Created, string.Empty);
            string uri = Url.Link("DefaultApi", new { id = model.USER_ID });
            response.Headers.Location = new Uri(uri);
            return model.USER_ID;
        }
        catch (Exception ex)
        {
            HttpStatusCode statusCode = HttpStatusCode.BadRequest;
            var errResponse = Request.CreateResponse<string>(statusCode, ex.Message);
            throw new HttpResponseException(errResponse);
        }
    }
}
</pre>
and the config is like this:
<pre>
config.Routes.MapHttpRoute(
    name: "DefaultApi",
    routeTemplate: "api/{controller}/{id}",
    defaults: new { id = RouteParameter.Optional }
);
</pre>
and I am testing it using the following URL, just to see if I will hit that breakpoint: http://localhost:39194/api/Registration
but I get the following error in the browser:
<error>
<message>
The requested resource does not support http method 'GET'.
Thanks
Vuyiswa Maseko,
Spotted in Daniweb -- Sorry to rant. I hate websites. They are just weird. They don't behave like normal code.
C#/VB.NET/ASP.NET/SQL7/2000/2005/2008
http://www.vimalsoft.com
vuyiswa[at]vimalsoft.com
Try executing it after removing
[System.Web.Http.AcceptVerbs("GET", "POST")]
[System.Web.Http.HttpGet]
Since your action name is Get, it will automatically be executed with the GET verb.
Thanks
Do not forget to comment and rate the article if it helped you by any means.
Good morning everybody! Please help me out with this, since I can't really figure out what is wrong.
I have a DataList control that displays posted status. Inside this DataList is a TextBox control and a button 'Add idea'. I want visitors to add their own idea, so I used this code:
<pre>
Public Sub AddIdea(ByVal sender As Object, e As DataListEventsCommand...)
    Dim txt As TextBox = e.Item.FindControl("txtidea")
    If txt.Text <> "" Then
        MsgBox(txt.Text)
    Else
        MsgBox("No idea entered")
    End If
End Sub
</pre>
But if the Add idea button is hit, the MsgBox returns an empty string. Help please.
Debug your code and check what value you are getting in the txt variable. It looks like the txtidea control is not found by FindControl() and hence the result is empty.
Also, avoid checking string values with "":
If txt.Text <> "" Then
Instead use
If !string.IsNullOrEmpty(txt.Text) Then
It's cleaner and less error prone.
Abhipal Singh wrote: If !string.IsNullOrEmpty(...
VB.NET uses Not, not !, for logical negation.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Thanks for correcting me, Richard!
I generally work on C#, so I'm not aware of the exact VB syntax.
Also, you raised a good point about MessageBox: it will get displayed on the server side.
I suggest we can use JavaScript alerts instead of a message box.
MsgBox isn't going to work in an ASP.NET application. The message will be displayed on the server, not the client.
It might appear to work when you debug your code in Visual Studio, but that's only because the server and the client are the same machine in that specific scenario.
As soon as you deploy your code to a real server, it will either crash, or hang waiting for someone to acknowledge the message on the server, where nobody will ever see it.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
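The first question in this thread asks how validation controls and the generated JavaScript fit together when the whole page is built in code, and the replies just above recommend a client-side alert instead of MsgBox. The following is an added example, not code from any of the posts: validators are ordinary controls, so the same method that creates the TextBox also adds a RequiredFieldValidator and a RegularExpressionValidator, and the alert is emitted with the user's text passed through HttpUtility.JavaScriptStringEncode so it cannot break out of the script string. A page with a server-side form and the control names (txtidea, btnAddIdea) are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not code from the posts above; a <form runat="server"> in the page markup is assumed.
public partial class IdeaPage : Page
{
    private TextBox _txtIdea;

    // Dynamic controls must be recreated on every request so that view state and
    // the button's postback event bind to the same control tree.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        CreateControls(Form.Controls);
    }

    private void CreateControls(ControlCollection cc)
    {
        _txtIdea = new TextBox { ID = "txtidea", MaxLength = 200 };
        cc.Add(_txtIdea);

        // Validators are controls too: they run on the server regardless of how the page was built.
        cc.Add(new RequiredFieldValidator { ControlToValidate = "txtidea", ErrorMessage = "An idea is required." });
        cc.Add(new RegularExpressionValidator
        {
            ControlToValidate = "txtidea",
            ValidationExpression = @"^[\w\s.,!?'-]{1,200}$",   // length and format: letters, digits, basic punctuation
            ErrorMessage = "Only letters, digits and basic punctuation, up to 200 characters."
        });

        var btn = new Button { ID = "btnAddIdea", Text = "Add idea" };   // CausesValidation is true by default
        btn.Click += AddIdea;
        cc.Add(btn);
    }

    private void AddIdea(object sender, EventArgs e)
    {
        // Client-side validation can be bypassed, so check the server-side verdict before using the value.
        if (!Page.IsValid) return;

        // Instead of MsgBox (which would show on the server), emit a client-side alert. Encoding the value
        // stops quotes, </script> or line breaks in the input from escaping the JavaScript string literal.
        string script = "alert('Idea received: " + HttpUtility.JavaScriptStringEncode(_txtIdea.Text) + "');";
        ClientScript.RegisterStartupScript(GetType(), "ideaAlert", script, true);
    }
}
```

The same encoding applies to every place where page code concatenates user data into script output; text written into HTML rather than script goes through HttpUtility.HtmlEncode instead.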
I want to know the code for a login page with a database.
If you do a Google search you will find many suggested solutions.
We can't just give you everything. But essentially you need a form for the user to enter their information. Then send that info to SQL and verify it.
Look into Forms Authentication too: https://msdn.microsoft.com/en-us/library/7t6b43z4(v=vs.140).aspx
There are only 10 types of people in the world, those who understand binary and those who don't.
Bad example:
- Passwords are stored as plain text:
  You should only ever store a salted hash of the password.
  Secure Password Authentication Explained Simply
  Salted Password Hashing - Doing it Right
- Connecting to the database as "sa":
  This will give an attacker complete control over your SQL instance, and potentially the server as well.
  You should only ever connect using a specific account which has the least permissions required to run your application.
- Disposable objects not in "using" blocks:
  In the event of an exception, the SqlConnection and SqlCommand objects might not be cleaned up properly.
  All objects which implement IDisposable (and don't escape the current method) should be wrapped in a using block.
On the plus side, the code is using properly parameterized queries, so it isn't vulnerable to SQL Injection.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
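The four points in the review above (salted hash instead of plain text, a least-privilege login instead of "sa", using blocks, parameterized queries) put together, as an added example that is not the closed post's code. The connection string and the Users table (UserName, Salt, Hash) are assumptions; the hash is PBKDF2 via Rfc2898DeriveBytes, and the comparison runs over every byte so timing does not reveal how much of the hash matched.

```csharp
using System.Data.SqlClient;
using System.Security.Cryptography;
// Added example, not the post's code; connection string and Users(UserName, Salt, Hash) table are assumptions.
public static class LoginStore
{
    // Least privilege: a dedicated SQL login limited to the Users table, never "sa".
    private const string ConnStr = "Server=.;Database=AppDb;User Id=app_login;Password=<from config>;";
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;
    // PBKDF2 over the password and a per-user salt; only this value is stored, never the password.
    private static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }
    // Compares every byte so timing does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void CreateUser(string userName, string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        // using blocks dispose connection and command even on exception; parameters keep input out of the SQL text.
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("INSERT INTO Users (UserName, Salt, Hash) VALUES (@u, @s, @h)", conn))
        {
            cmd.Parameters.AddWithValue("@u", userName);
            cmd.Parameters.AddWithValue("@s", salt);
            cmd.Parameters.AddWithValue("@h", Hash(password, salt));
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
    public static bool VerifyUser(string userName, string password)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT Salt, Hash FROM Users WHERE UserName = @u", conn))
        {
            cmd.Parameters.AddWithValue("@u", userName);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                return reader.Read() && FixedTimeEquals(Hash(password, (byte[])reader["Salt"]), (byte[])reader["Hash"]);
        }
    }
}
```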
Bad example:
- Passwords are stored as plain text:
  You should only ever store a salted hash of the password.
  Secure Password Authentication Explained Simply
  Salted Password Hashing - Doing it Right
- Disposable objects not in "using" blocks:
  In the event of an exception, the SqlConnection and SqlCommand objects might not be cleaned up properly.
  All objects which implement IDisposable (and don't escape the current method) should be wrapped in a using block.
On the plus side, the code is using properly parameterized queries, so it isn't vulnerable to SQL Injection.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Since you're starting from scratch, it's probably best to start with ASP.NET Identity. That framework takes care of a lot of the work for you, and gives you a properly secured application.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Do you have a question?
There are only 10 types of people in the world, those who understand binary and those who don't.
Message Closed
modified 18-Jun-15 20:48pm.
I have been searching the internet for over an hour and can only find client-side discussions of my latest scan finding. What I am receiving is a finding that a method uses the Read() method and, because it ignores the value returned by Read(), could cause the program to overlook unexpected states and conditions. If anyone can explain, in some detail, and possibly recommend a fix, that would be great. The function is below:
Offending line of code in the method:
csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
Calling method:
<pre>
public String DecryptMessage(byte[] encrypted)
{
    ASCIIEncoding textConverter = new ASCIIEncoding();
    decryptor = aes.CreateDecryptor(key, IV);
    MemoryStream msDecrypt = new MemoryStream(encrypted);
    csEncrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read);
    byte[] fromEncrypt = new byte[encrypted.Length];
    csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length); // flagged line: the return value is ignored
    return textConverter.GetString(fromEncrypt);
}
</pre>
The Read method returns the number of bytes read, which could be less than the count parameter you passed in.
You need to capture the returned value, and pass it to the GetString method:
int bytesRead = csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
return textConverter.GetString(fromEncrypt, 0, bytesRead);
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Use using blocks for every object that implements IDisposable. Not doing that can have all sorts of strange effects.
And don't declare variables as class members if you're using them only locally; they don't need to retain state and they're not expensive to create ("aes", "decryptor", "csEncrypt").
<pre>
public String DecryptMessage(byte[] encrypted)
{
    using (var aes = new AesManaged())
    using (var decryptor = aes.CreateDecryptor(key, IV))
    using (var ms = new MemoryStream(encrypted))
    using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
    {
        byte[] decrypted = new byte[encrypted.Length];
        int bytesRead = cs.Read(decrypted, 0, decrypted.Length);
        return Encoding.ASCII.GetString(decrypted, 0, bytesRead);
    }
}
</pre>
If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson
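Both replies above keep the count from a single Read(). As an added example that is not code from the thread, the version below loops until Read() reports 0 bytes, so it stays correct when one call returns fewer bytes than requested, and it includes an Encrypt so the round trip can be run end to end. The key and IV are assumed to be AES-sized byte arrays supplied by the caller.

```csharp
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the thread's posts; key (16/24/32 bytes) and iv (16 bytes) are assumed caller inputs.
public static class MessageCrypto
{
    public static byte[] Encrypt(byte[] plaintext, byte[] key, byte[] iv)
    {
        using (var aes = new AesManaged())
        using (var encryptor = aes.CreateEncryptor(key, iv))
        using (var ms = new MemoryStream())
        {
            using (var cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write))
                cs.Write(plaintext, 0, plaintext.Length);   // disposing the CryptoStream writes the final padded block
            return ms.ToArray();                            // ToArray still works after the MemoryStream is closed
        }
    }

    public static byte[] Decrypt(byte[] encrypted, byte[] key, byte[] iv)
    {
        using (var aes = new AesManaged())
        using (var decryptor = aes.CreateDecryptor(key, iv))
        using (var ms = new MemoryStream(encrypted))
        using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
        using (var output = new MemoryStream())
        {
            byte[] buffer = new byte[4096];
            int bytesRead;
            // One Read() may return fewer bytes than requested (block boundaries, padding removal),
            // so keep reading until it reports 0 and copy exactly the number of bytes it reported.
            while ((bytesRead = cs.Read(buffer, 0, buffer.Length)) > 0)
                output.Write(buffer, 0, bytesRead);
            return output.ToArray();   // exact plaintext length, shorter than encrypted.Length
        }
    }

    // Counterpart of the thread's DecryptMessage: the decoded string covers only the bytes actually read.
    public static string DecryptMessage(byte[] encrypted, byte[] key, byte[] iv)
    {
        return Encoding.ASCII.GetString(Decrypt(encrypted, key, iv));
    }
}
```

Stream.CopyTo(output) performs the same read loop; a wrong key or corrupted ciphertext surfaces as a CryptographicException from Read(), which the caller should handle rather than treat as empty output.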
Message Closed
modified 18-Jun-15 20:56pm.