I am working on a MVC application and I am starting to work on a STIG finding. This finding is "Insuring that an application does not maintain a valid state on initialization, shutdown failure.". Basically, what this requires is that if the MVC application failures on startup or shutdown it must not allow for a hacker to read valid application data or information during the failure. I have spent hours looking at how this is prevented in an ASP MVC application and can't find anything. Does anyone know how this is handled in MVC?
After talking to a couple of people the idea of Application_Error and Authentication logic was discussed but would this really prevent the STIG from being displayed. A great link for Application_Error is below but is this the real solution? Has anyone had experience with this?
Assuming Rule SRG-APP-000225 from the Application Security and Development Security Technical Implementation Guide (which is really an SRG, silly cybersec people), the current version dated 27APR2018 has a lot of example detail in it. https://iasecontent.disa.mil/stigs/zip/U_ASD_V4R6_STIG.zip
The general idea is that it should not be left "half-open" on failure, so something like a no-op sled cannot push an instruction into the application and bypass authentication. If you are running a basic CRUD app, then IIS will handle this stuff for you, providing you dispose of database connections which you're supposed to do anyway if you're using EF in the Repository/Unit of Work pattern.
By and large, in an MVC.NET application all you can really do is make sure that any operational statics are cleared (or reset as part of an application restart/correction process) and that un-managed resources are properly disposed as part of the failure. You can wrap all of this into a failure handler that can attempt to self-correct and, failing that, fail closed.
This all said, if an auditor declared it a finding then they should have given you some sort of finding detail.
If you need detailed support or code review, I'm in the GAL.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
Your code-behind runs on the server. It has no access to the client's file system.
The only way you can "create" a file on the client's computer is to write it to the response with the appropriate headers. The user will then be able to save the file wherever they want. They will also be able to choose not to save the file.
And to pre-empt your next question: no, you can't force them to save the file, and you can't influence where the file is saved. You can provide a default file name, but it's only a suggestion, and the user is free to change it.
I working on an ASP .NET project and am have serious problems with TFS source control mapping. First what was happening is that because nuget or no other dll third party folder was setup when the project was downloaded to a new work space all the dll's were missing. We'll to solve this problem I did created a shared source control folder and moved all of the needed third party dll's to this source control folder and had each project reference them from there. Now, this is the problem I'm left with. It seems that there are certain files and folders of various type (i.e. print.txt, showChart.pdf) that are in project folders which are missing after the project has been fixed on one machine's workspace, checked-in, and get latest to another machine's workspace. They disappear after the source code is downloaded to a new mapping on a different machine. It seems that these folders and files will only stay in the workspace's mapping that they were fixed in. Does anyone have any suggestions?
I spent an hour today looking at the Miniblog project and was quite impressed. I had no idea that you can do some of the things he did with MVC. What he did with robots.txt and the sitemap seems pretty cool and the rewrite section in web.config was an eye opener for me.
So this Segways into a couple of questions for me.
I see how he created views with almost a single file, but how did he do this without a controller?
I ask this because I think MVC really needs a CMS package so it can be more like Wordpress, in which website owners can create new pages. I can write a view, but I can't figure out how to handle the controller part.
I can't compete with Wordpress, and these Wordpress guys that are very low skilled, who just copy and paste code and html are really grabbing a large chuck of market share.
If my little Project Indigo Personal edition had CMS features It would be a game changer for me.
This is a product of poor design and improper use of TFS but I have started on a new project with big problems. A little background first. This is an ASP .NET MVC 3 EntityFramework multiple project application. Now, when development first began several years ago the application had a production branch of TFS source control and no other branches. Two programmers started and worked on creating this application. Now, as each did work they would download directly from the production branch and check-in directly into the production branch. This went on until two weeks before I started work on the application.
Three weeks ago a three separate named user branch tree, named for each developer, was created off of the production branch for each new developer to work on so now checkout/check-in is no longer directly off of the production branch. What we have is a main production branch as the root and three sub branches right off of the production branch. What a mess!
Now to the problem we are currently having. When they downloaded source control application code from the production branch to each person's named branch all of the asp project and third party dll's are gone along with the bin and bin/debug directories. Each of the new branches won't build their projects and the main Web project won't build. What I have done is pulled all of the asp project and third party dll's into my branch from production created a working branch. Than I checked my branch back into MY named branch of source control. Now, after doing this another developer has downloaded the new updated, MY named branch, branch to their machine and again the bin and bin\debug directories and all of the dll's are missing. Based on my confusing description of the problem can someone provide guidance on how we can fix this problem?
Not sure I fully understand the issue and it depends what these third party dlls are, but you usually solve this problem with nuget packages. So if your project needs, for example, Entity Framework, you add that to your project as a nuget package. What that does is create a folder under a "packages" folder and that folder contains xml that describes the package. When you check the code in you also check in the packages folder. When the next developer gets the project they will have the packages but not the dlls, however when they compile VS will realise this and use the data in the nuget package to download the dlls itself. So rather than manage third party dlls you manage nuget packages and VS sorts it out for you.
One problem with nuget is the application is on an intranet. What I have done is to create a root level folder and checked it in. With the new folder I have added all of the needed third party dll's and referenced them in each of the application project's references. Is this the correct way to do it or is nuget still possible?
I was considering adding a blog to my website to get more traffic or a pay wall of knowledge and was wondering if anybody has implemented any good packages for this. I really don't want to write a app for that at the moment plus I'n not really set on a design for it.
If I did write a blog app for myself, I would want to have unique page names, but I can't figure out how to dynamically add pages to a controller.
I can add views easy, but the controller part is fuzzy for me. Guess I would have to use 1 page name and add a route as the description.
we can get our job done by access token then why should i go for
....what would be the benefit.
i saw a example of refresh token which show when we are getting access token then refresh token also passing along with access token. so i was totally confuse and do not understand how and why refresh token.
if possible please discuss the story of refresh token. thanks in advance.
When a page is requested that requires a token for authentication, that is the first token.
But if the user refreshes the page, then perhaps the first token is now expired or no longer valid, so a new token is issued called a refresh token.
Most likely this is a form, so on Post, validation must be correct first then the token must match to submit the form, or to call the function after token matching.
If your tokens never match, then the form will never get written.
If you keep issuing the same token, then token authentication will become useless and bots will take over the form.
In MVC it's called the AntiForgeryToken and you call it using attributes in the MVC controller.
So on a GET request you issue the token from the controller and it gets written inside the form tags in the view if you place the correct HTML helper in the right spot.
Then the page gets submitted, a POST request and the controller will check the token if you place the right code to check for the token first before or after validation or Model.IsValid.
The question was confusing, but I thought my reply was OK without being long winded on the subject.
I didn't have time to draw diagrams or write an article on the subject.
Maybe English was not his first language.
That's for backing me up on that.
If it ain't broke don't fix it
Last Visit: 24-Aug-19 8:37 Last Update: 24-Aug-19 8:37