|
To be exploited, an IDOR issue must be combined with an Access Control issue, because it is the Access Control issue that "allows" the attacker to access the object whose identifier he has guessed through his enumeration attack.
So long as you have proper access controls in place, and return the same error for accounts that the current user doesn't have permission to access as for accounts which don't exist, there shouldn't be any problems.
Depending on what you're doing, you might be able to drop the querystring and deduce the record to display based on the currently logged-in user. Or you could replace the IDs with a Guid, which would be much harder to enumerate.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
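The pattern described in the replies above, as an added example that is not part of the original thread: an ASP.NET MVC action that folds the ownership check into the lookup itself, so an id that belongs to someone else and an id that does not exist both produce the same 404, with Guid keys instead of sequential integers. The account data, user names and Guid values are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

public class Account
{
    public Guid Id { get; set; }              // Guid keys cannot be enumerated by counting up
    public string OwnerUserName { get; set; }
    public string DisplayName { get; set; }
}

public class AccountsController : Controller
{
    // Constructed sample data standing in for a database (hypothetical).
    private static readonly List<Account> Accounts = new List<Account>
    {
        new Account { Id = Guid.Parse("7c9e6679-7425-40de-944b-e07fc1f90ae7"), OwnerUserName = "alice", DisplayName = "Alice's account" },
        new Account { Id = Guid.Parse("16fd2706-8baf-433b-82eb-8c7fada847da"), OwnerUserName = "bob",   DisplayName = "Bob's account" },
    };

    // GET /Accounts/Details/{id}
    public ActionResult Details(Guid id)
    {
        // The owner predicate is part of the query, so "exists but is not yours"
        // and "does not exist" are indistinguishable to the caller.
        var account = Accounts.SingleOrDefault(a => a.Id == id && a.OwnerUserName == User.Identity.Name);
        if (account == null)
        {
            return HttpNotFound();   // identical response for missing and not-owned ids
        }
        return View(account);
    }

    // GET /Accounts/Mine
    // The "drop the querystring" variant: the record is derived from the logged-in user only,
    // so there is no client-supplied identifier to tamper with at all.
    public ActionResult Mine()
    {
        var account = Accounts.SingleOrDefault(a => a.OwnerUserName == User.Identity.Name);
        if (account == null)
        {
            return HttpNotFound();
        }
        return View("Details", account);
    }
}
```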
|
Access control is something I have not implemented yet, still working on the nuts and bolts.
Never underestimate the power of human stupidity -
RAH
I'm old. I know stuff - JSOP
|
Greetings again,
I have an ASP.NET web app and have been tasked with validating user login through Active Directory.
I have been working on this part now for almost two days with no success.
Here is what I have been working on.
I created a table called ADSI_Table
This table has two fields, ParamName and ParamValue. Here is the complete table info:

    ParamName            ParamValue
    WindowsDomainServer  pcg.porto.loc
    BaseDN               DC=pcg, DC=porto, DC=loc                              (Base DN)
    UserDN               OU=InformationSystems                                 (User DN)
    GroupName            CN=ITTESTAPP, OU=IT-Groups, DC=pcg, DC=porto, DC=loc
    AccountFilter        sAMAccountName
The DB Server is configured to talk to Active Directory Server.
Then I am using the following C# code to query this table:
    using System;
    using System.Data.SqlClient;
    using System.DirectoryServices;

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        if (txtUserName.Text.Trim().Equals("") || txtPassword.Text.Trim().Equals(""))
        {
            Message.Text = "Please Enter UserName/Password...";
            txtPassword.Text = "";
            txtUserName.Text = "";
        }
        else
        {
            GetADSILogin();
        }
    }

    public void GetADSILogin()
    {
        string strServerName = "";
        string strBaseDN = "";
        string strUserDN = "";
        string strGroupName = "";
        string strAccountFilter = "";
        string strPortNo = "389";
        bool blnGroupUser = false;

        try
        {
            // The connection string belongs in web.config (encrypted), not in source code.
            string source = "Data Source=myDBServerName;Initial Catalog=MyDB;user=mysusername;password=myPassword";
            string select = "SELECT ParamName, ParamValue FROM ADSI_Table";
            using (SqlConnection conn = new SqlConnection(source))
            using (SqlCommand cmd = new SqlCommand(select, conn))
            {
                conn.Open();
                using (SqlDataReader myReader = cmd.ExecuteReader())
                {
                    while (myReader.Read())
                    {
                        string strParameterName = myReader.GetString(0).Trim();
                        string strParameterValue = myReader.GetString(1).Trim();
                        // The names compared here must match the ParamName column exactly:
                        // the table stores "WindowsDomainServer", so "SERVERNAME" would never match
                        // and the LDAP path would be built with an empty server name.
                        switch (strParameterName.ToUpperInvariant())
                        {
                            case "WINDOWSDOMAINSERVER": strServerName = strParameterValue; break;
                            case "BASEDN":              strBaseDN = strParameterValue; break;
                            case "USERDN":              strUserDN = strParameterValue; break;
                            case "GROUPNAME":           strGroupName = strParameterValue; break;
                            case "ACCOUNTFILTER":       strAccountFilter = strParameterValue; break;
                        }
                    }
                }
            }

            // Bind to the directory as the user being validated; a wrong password throws
            // from the first directory operation and lands in the catch block below.
            string ldapPath = "LDAP://" + strServerName + ":" + strPortNo + "/" + strUserDN + "," + strBaseDN;
            using (DirectoryEntry deSystem = new DirectoryEntry(ldapPath, txtUserName.Text, txtPassword.Text, AuthenticationTypes.Secure))
            {
                // Escape the user-supplied value so it cannot change the shape of the LDAP filter.
                string strSearch = "(" + strAccountFilter + "=" + EscapeLdapFilterValue(txtUserName.Text) + ")";
                using (DirectorySearcher dsSystem = new DirectorySearcher(deSystem, strSearch))
                {
                    dsSystem.SearchScope = SearchScope.Subtree;
                    dsSystem.PropertiesToLoad.Add("memberOf");
                    SearchResult srSystem = dsSystem.FindOne();
                    if (srSystem == null)
                    {
                        // FindOne returns null (no exception) when nothing matches or the bind
                        // account cannot read the container.
                        Message.Text = "User Not Found Under Specified User DN";
                        return;
                    }

                    // GroupName in the table is already a full DN, so the BaseDN must not be appended
                    // a second time. AD returns memberOf DNs without spaces after the commas, so the
                    // table value is normalised before comparing.
                    string wantedGroup = strGroupName.Replace(", ", ",");
                    foreach (object o in srSystem.Properties["memberOf"])
                    {
                        if (string.Equals(o.ToString(), wantedGroup, StringComparison.OrdinalIgnoreCase))
                        {
                            blnGroupUser = true;
                            break;
                        }
                    }
                }
            }

            if (blnGroupUser)
            {
                Message.Text = "Login Successful...";
                ViewState["FailedLogins"] = 0;
                return;
            }
            Message.Text = "User Does Not Belong to Specified ADSI Group";
        }
        catch (Exception ex)
        {
            // Useful while debugging; in production do not echo ex.Message to the browser,
            // it leaks directory and database details.
            Message.Text = ex.Message;
        }

        // A local "int i = 0" is recreated on every postback and can never reach 5; keep the
        // failed-attempt count in ViewState instead. ViewState is under the client's control,
        // so real lockout must come from the domain's account lockout policy.
        int i = (ViewState["FailedLogins"] as int?) ?? 0;
        i = i + 1;
        ViewState["FailedLogins"] = i;
        if (i >= 5)
        {
            Message.Text = "Login failed 5 times. Quitting...";
            btnSubmit.Enabled = false;   // a web Page has no Close(); disable further attempts instead
        }
    }

    // Escapes the characters with special meaning inside an LDAP search filter (RFC 4515).
    private static string EscapeLdapFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                    .Replace(")", "\\29").Replace("\0", "\\00");
    }
When a user attempts to log in and the login is successful, the user is redirected to the search page, although I have not put the redirect code in yet as I am busy testing authentication.
If the user does not belong to the specified Active Directory group, the user gets the following message:
User Does Not Belong to Specified AD Group.
So far, that's all I keep getting.
I have run the AD tree and attributes past the infrastructure folks who set up the AD, and they have confirmed that the entries are correct.
Can someone please tell me what could be wrong with my code or am I missing a key component?
Many thanks in advance.
|
If the account that is running the code does not have the proper permissions you can get nothing back from AD with no error. So, I would validate the permissions you have.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
@ZurdoDev,
Thank you very much for your input.
I will have our Admin folks look into this, although I don't necessarily think that is true in my case.
The group that the account (mine, I assume that's what you mean) is trying to log into exists there.
|
Also try an ldap query tool that will allow running queries directly so you can make sure your actual query works.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
Assuming your variables are well-named, you're doing a subtree search off of a full DN. You want a search scope of "Base". A user object has no subtree; it's not a container like an OU.
Another suggestion, your structure is highly coupled and can be easily jacked up by very minor changes to the directory. Assuming that you're using a SAM Name for login, you can completely skip the SQL server.
If you really need the SQL, though, you're doing it wrong. Use a parameterized query to leverage the DBMS rather than pulling the whole table and iterating it locally. So many wasted cycles!
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
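The "skip the SQL server" approach suggested above, applied to the domain, container and group from the question's table, as an added example that is not part of the original thread: System.DirectoryServices.AccountManagement validates the password by binding as the user and then checks group membership by SID, so the DN formatting problems (spaces, case, doubled BaseDN) of a string comparison against memberOf disappear. The class and method names are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AdLogin
{
    // Values taken from the ADSI_Table in the question; in a real deployment read them from web.config.
    private const string Domain = "pcg.porto.loc";
    private const string UserContainer = "OU=InformationSystems,DC=pcg,DC=porto,DC=loc";
    private const string GroupDn = "CN=ITTESTAPP,OU=IT-Groups,DC=pcg,DC=porto,DC=loc";

    // Returns true only when the password is valid AND the user is a direct member of the group.
    public static bool ValidateUserInGroup(string userName, string password)
    {
        // ValidateCredentials can fall back to an anonymous bind on an empty password, so refuse it up front.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrWhiteSpace(password))
            return false;

        // Context at the domain root: the user lives under OU=InformationSystems but the group
        // lives under OU=IT-Groups, so a context scoped to the user OU could not find the group.
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Binds as the user; wrong password => false, no exception to parse.
            if (!ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                return false;

            // These lookups run as the application pool identity, which needs read access to both OUs
            // (the "you get nothing back with no error" case mentioned earlier in the thread).
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.DistinguishedName, GroupDn))
            {
                if (user == null || group == null)
                    return false;

                // Compares by SID, so DN spacing and case are irrelevant. Direct membership only,
                // matching the memberOf check in the original code; use user.GetAuthorizationGroups()
                // if nested group membership should also count.
                return user.IsMemberOf(group);
            }
        }
    }
}
```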
|
Hello,
I am using ASP.NET MVC in one of my projects. I want to import an Excel file from the local computer and store it on the server, and also want to export the Excel file. How do I do import and export of an Excel file in ASP.NET MVC?
|
There are many different ways of doing it and it will depend on what controls you already have or how you want it to work.
Where are you stuck?
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
Thank you Durano, for your reply!
Also visited your website.
Very informative. Nice. Thank you.
|
How to send email using ASP.NET (MVC) SMTP?
|
Google will find you many examples.
|
Thank you
|
Previously the program was written in VS2005. Now I use VS2010 and the program runs normally, but when I publish the web site I get an error:
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
error CS0433: The type 'webapp4U.UI.Controls.Controls_MenuLeft' exists in both 'c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\nhadat\42a77785\d1e96df3\App_Web_danhmucbds.ascx.cc671b29.dll' and 'c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\nhadat\42a77785\d1e96df3\App_Web_quangcaoleft.ascx.cc671b29.dll'...
|
You posted this question on many websites.
It means that "webapp4U.UI.Controls.Controls_MenuLeft" web user control exists twice.
Here and here ...
c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\nhadat\42a77785\d1e96df3\App_Web_danhmucbds.ascx.cc671b29.dll
c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\nhadat\42a77785\d1e96df3\App_Web_quangcaoleft.ascx.cc671b29.dll
You can try and go to the folder and delete the 2 files and rebuild the project. See if that clears up the error.
But I have found far in the past that this user control probably exists in 2 spots in your project. In other words you have somehow duplicated the same control in the same project. Try and locate the first instance of the control, then locate the 2nd. Or rename the first instance and rebuild to see what happens.
Newer versions of VS do a better job of detecting these mistakes, and sort of force you to use namespaces to keep code tidy. In my experience the older VS versions let a few things slip by, until you deploy and learn the hard way.
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
I have checked and followed your instructions but it failed. I have checked the user controls but have not seen the same one. Pressing F5 runs normally, but Publish Web Site gives the above error. I do not know how to fix such errors. Come on.
|
I deleted the buffer by clearing out "Temporary ASP.NET Files", and I'm using VS 2015, but still got the error.
|
Hi, I have this code and it is not working properly.
Code in one.aspx:
<asp:HiddenField runat="server" ID="hfDistrict" Value='<%# Eval("District")%>' />
<asp:HiddenField runat="server" ID="hfDistCode" Value='<%# Eval("DistCode") %>' />
<asp:LinkButton runat="server" ID="btn_NoOfA" PostBackUrl="~/AcData.aspx" Text='<%# Eval("NoOfCount") %>' />
Code in AcData.aspx:
    string k = ((HiddenField)PreviousPage.FindControl("hfDistrict")).Value;
I also tried this code:
    string DistrictN1 = Request.Form["hfDistrict"];
but I did not get the value from the previous page.
Actually, we need to remove the querystring from the old code and do not want to use Session, so we are trying to use PostBackUrl to pass the value from one.aspx to AcData.aspx.
What is the exact problem with what I am doing, and what will be the solution? Please provide a solution. Thanks and regards.
|
Has anyone on here had any experience getting server-side Blazor to work with IE11?
The reason I ask is that some large companies and government agencies still require all web apps to run on IE11. Regardless of how wrong that may be, it is currently an immutable requirement.
When I create a new server-side Blazor project in VS 2019 16.3.0 Preview 1, I can run it using IIS Express and targeting IE11. The web site comes up and runs, but the "onclick" event does not change the counter value display. You can recreate this issue by simply creating a new server-side Blazor app in that version of VS 2019 Preview.
I would appreciate knowing the specifics of how anyone has been successful at making their server-side Blazor app work with IE11. I've done several web searches and saw some suggestions about polyfill.io, but nothing concrete.
Thanks in advance for those willing to help.
|
I thought this would be pretty simple to do, but has turned into a circular headache.
It's hard to find info on the internet on this subject, for most are using MailKit and MimeKit, others using SendGrid.
Plus I read that SmtpClient has been obsoleted as well, with MailKit being recommended.
So I have my secrets file working.
My Google OAuth2 credentials have been tested and work.
Altered my Startup.cs to add Google credentials to services.
Altered my Startup.cs to call services.AddAuthentication().AddGoogle.
I did the example that opens up the browser to a Google Auth Page, writes the token with successful auth.
So here is my circular headache ....
Using NuGet MailKit/MimeKit, it doesn't register with .NET Core 2.2.
Using NuGet SendGrid, same thing, it doesn't register; I get the caution or warning icon in the NuGet dependencies.
I can do this now, but I don't have any code to actually send the email.
    using System;
    using System.Threading;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Gmail.v1;
    using Google.Apis.Util;

    // Runs inside an async method; "email" is the Gmail address of the account being authorized.
    var secrets = new ClientSecrets
    {
        ClientId = Environment.GetEnvironmentVariable("GMailClientId"),
        ClientSecret = Environment.GetEnvironmentVariable("GMailClientSecret")
    };
    // Opens the browser for consent on first run and caches the token afterwards.
    var googleCredentials = await GoogleWebAuthorizationBroker.AuthorizeAsync(
        secrets, new[] { GmailService.Scope.MailGoogleCom }, email, CancellationToken.None);
    if (googleCredentials.Token.IsExpired(SystemClock.Default))
    {
        await googleCredentials.RefreshTokenAsync(CancellationToken.None);
    }
I'm not sure which way I should proceed.
I can't find any references or documentation for .NET Core 2.2.
I must admit that the SendGrid SaaS looks pretty cool for sending email from my website.
Any help would be appreciated!
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|