|
Bad example:
- Passwords are stored as plain text:
You should only ever store a salted hash of the password.
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^] - Connecting to the database as "
sa":
This will give an attacker complete control over your SQL instance, and potentially the server as well.
You should only ever connect using a specific account which has the least permissions required to run your application. - Disposable objects not in "
using" blocks:
In the event of an exception, the SqlConnection and SqlCommand objects might not be cleaned up properly.
All objects which implement IDisposable (and don't escape the current method) should be wrapped in a using block.
On the plus side, the code is using properly parametized queries, so it isn't vulnerable to SQL Injection. 
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
|
Bad example:
- Passwords are stored as plain text:
You should only ever store a salted hash of the password.
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^] - Disposable objects not in "
using" blocks:
In the event of an exception, the SqlConnection and SqlCommand objects might not be cleaned up properly.
All objects which implement IDisposable (and don't escape the current method) should be wrapped in a using block.
On the plus side, the code is using properly parametized queries, so it isn't vulnerable to SQL Injection.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Since you're starting from scratch, it's probably best to start with ASP.NET Identity[^]. That framework takes care of a lot of the work for you, and gives you a properly secured application.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
|
Do you have a question?
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
Message Closed
modified 18-Jun-15 20:48pm.
|
|
|
|
|
|
I have been searching the internet for over an hour and can only find client side discussions the my latest scan finding. What I am receiving is method that uses the Read() method and because the Read() ignores the value returned could cause the program to overlook unexpected states and conditions finding. If anyone can explain, in small detail, and possibility recommend a fix the would be great. The function is below:
Offending line of code in the method:
csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
Calling method:
public String DecryptMessage(byte[] encrypted)
{
ASCIIEncoding textConverter = new ASCIIEncoding();
decryptor = aes.CreateDecryptor(key, IV);
MemoryStream msDecrypt = new MemoryStream(encrypted);
csEncrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read);
byte[] fromEncrypt = new byte[encrypted.Length];
csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
return textConverter.GetString(fromEncrypt);
}
<pre>
|
|
|
|
|
The Read method returns the number of bytes read, which could be less than the count parameter you passed in.
You need to capture the returned value, and pass it to the GetString method:
int bytesRead = csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
return textConverter.GetString(fromEncrypt, 0, bytesRead);
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Use using-blocks for every object that implements IDisposable. Not doing that can have all sorts of strange effects.
And don't declare variables as class members if you're using them only locally, they don't need to retain state and they're not expensive to create ("aes", "decryptor", "csEncrypt").
public String DecryptMessage(byte[] encrypted)
{
using (var aes = new AesManaged())
using (var decryptor = aes.CreateDecryptor(key, IV))
using (var ms = new MemoryStream(encrypted))
using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
{
byte[] decrypted = new byte[encrypted.Length];
int bytesRead = cs.Read(decrypted, 0, decrypted.Length);
return Encoding.ASCII.GetString(decrypted, 0, bytesRead);
}
}
If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson
|
|
|
|
|
Message Closed
modified 18-Jun-15 20:56pm.
|
|
|
|
|
If the return value is a byte[] - which isn't the case in the code you posted! - then you need to change the code to:
public byte[] DecryptMessage(byte[] encrypted)
{
using (var aes = new AesManaged())
using (var decryptor = aes.CreateDecryptor(key, IV))
using (var ms = new MemoryStream(encrypted))
using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
{
byte[] decrypted = new byte[encrypted.Length];
int bytesRead = cs.Read(decrypted, 0, decrypted.Length);
if (bytesRead != decrypted.Length)
{
Array.Resize(ref decrypted, bytesRead);
}
return decrypted;
}
}
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
I have run into an issue that when my web application's web.config compilation debug is set to true I am getting a vulnerability error on a security scan.
<compilation debug="true" targetFramework="4.0">
What I want to determine is if there is a way to have some type of web.config conditional block change the debug setting to use the correct value on debug builds and release builds. I have read that setting the property in each web page itself will do this and don't know if this is in fact true and are there any problems with this?
|
|
|
|
|
|
I have a scan finding and hope someone can provide any ideas as to best ways to resolve the issue. First I will show the scan Finding then my code and finally what the scanner's recommended solution is.
Finding
Without proper access control, the method GetAttributeKey() in Provider.cs can execute a SQL statement on line 163 that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.
Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.
My Code:
Offending line:
myParam.SqlParam.Value = attribute;
Method:
public string GetAttributeKey(string attribute)
{
string qry = "SELECT ws_attribute_key FROM webservice_attributes WHERE ws_attribute = @attribute";
QueryContainer Instance = new QueryContainer(qry);
MyParam myParam = new MyParam();
myParam.SqlParam = new SqlParameter("@attribute", Instance.AddParameterType(_DbTypes._string));
myParam.SqlParam.Value = attribute;
Instance.parameterList.Add(myParam);
object key = ExecuteScaler(Instance);
return Convert.ToString(key);
}
<pre>
Scanner's Recommend fix:
<pre>
string user = ctx.getAuthenticatedUserName();
int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand(
"SELECT * FROM invoices WHERE id = <a href="http://www.codeproject.com/Members/id">@id</a> AND user = <a href="http://www.codeproject.com/Members/user">@user</a>", conn);
query.Parameters.AddWithValue("@id", id);
query.Parameters.AddWithValue("@user", user);
SqlDataReader objReader = query.ExecuteReader();
<pre>
modified 8-Jun-15 14:07pm.
|
|
|
|
|
Message Closed
modified 18-Jun-15 20:52pm.
|
|
|
|
|
This finding was determined to be changed to a mitigated warning and was remove as a valid finding. Showing that he caller needs rights to call the method when they are logged into the system is a false finding.
|
|
|
|
|
Hi,
I'm planing another website social network-like, with ASP.NET C# for the back end, and I'm having good feelings with the new stuff in MVC 6 and Net Framework 6, but I'm squeezing my brain chosing the best technology for my purposes.
I will need of course an entire front-end website, so I may need use MVC 6, but I want to make several mobile clients too, though RESTful WebAPI.
I was wondering if I have to use simply WebAPI project for backend + AngularJS for the frontend, but I really don't like the way that AngularJS will expose some "server-side" things, such the route table.
So the question is, should I use a classic MVC project (with normal controllers + razor views) AND in separate, controllers for WebAPI for the mobile aplications? Or maybe WebAPI + AngularJS? 
PD: I don't want to repeat the logic in normal controllers and in WebAPI controllers
|
|
|
|
|
Since you are going to use ASP.NET MVC 6, do not worry about different standards. ASP.NET MVC 6 is composed of
- ASP.NET MVC
Much popular web development framework. - ASP.NET Web Pages
Known for its compact structure and easy deployment. - ASP.NET Web API
Known for robust and efficient REST solutions
That is not all. Angular, Knockout, jQuery and other famous JavaScript libraries are already supported and tutorials are already posted on CodeProject, ASP.NET's official website and other similar platforms. So for you, the only task is to learn ASP.NET MVC 6. It is the next web development standard by ASP.NET. ASP.NET MVC 6 would allow you to have control over MVC (the source code pattern), Web API (how mobile and other devices communicate) and client-side libraries (already mentioned above).
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
|
|
|
|
|
I would like to be able to have on a plain HTML page and image that is dynamically created from a link to an ASP.NET page
<img src="http://www.domanin
name.co.uk/GetImage.aspx?filename=ImageName.png&width=200">
I have the following code in the GetImage.aspx page
```
<script runat="server">
Dim strServerPath, strFilename As String
Private Sub Page_Load(sender As Object, e As System.EventArgs)
Dim filename As String = Request.QueryString("filename")
Dim width As Integer = Integer.Parse(Request.QueryString("width"))
strServerPath = Server.MapPath("images\")
strFilename = strServerPath & Request.QueryString("filename")
Me.GenerateThumbnail(Server.MapPath(strFilename), width)
End Sub
Private Sub GenerateThumbnail(filename As String, width As Integer)
Try
Using orig As System.Drawing.Image = System.Drawing.Image.FromFile(filename)
Me.GenerateThumbnail2(orig, New Size(width, CalculateHeight(orig, width)), GetFormat(filename))
End Using
Catch ex As Exception
End Try
End Sub
Private Sub GenerateThumbnail2(orig As System.Drawing.Image, size As Size, format As ImageFormat)
Try
Using stream As New MemoryStream()
Dim callback As New System.Drawing.Image.GetThumbnailImageAbort(AddressOf ThumbnailCallback)
Dim img As System.Drawing.Image = orig.GetThumbnailImage(size.Width, size.Height, callback, IntPtr.Zero)
img.Save(stream, format)
Response.ContentType = "image/" + format.ToString()
Response.BinaryWrite(stream.ToArray())
img.Dispose()
Response.Flush()
End Using
Catch ex As Exception
Try
Dim img As System.Drawing.Image = Drawing.Image.FromFile(strFilename)
img.Save(Response.OutputStream, ImageFormat.Jpeg)
Catch
Dim img As System.Drawing.Image = Drawing.Image.FromFile(strServerPath & "PaddySheepskinSlippers1.png")
img.Save(Response.OutputStream, ImageFormat.Jpeg)
End Try
End Try
End Sub
Private Shared Function GetFormat(filename As String) As ImageFormat
If filename.EndsWith("jpg") OrElse filename.EndsWith("jpeg") OrElse filename.EndsWith("tiff") Then
Return ImageFormat.Jpeg
End If
Return ImageFormat.Png
End Function
Private Shared Function CalculateHeight(img As System.Drawing.Image, desiredWidth As Double) As Integer
Dim power As Double = img.Width / desiredWidth
Return CInt(img.Height / power)
End Function
Private Function ThumbnailCallback() As Boolean
Return False
End Function
</script>
```
But my HTML page does not display the image.
I would appreciate if someone could tell me what I have done wrong or omitted in the code. Thank you
|
|
|
|
|
One thing to try is a Response.Clear at the start of your page_load event and Response.End at the end of it. If that doesn't work use Fiddler to look at the request for the image and see what the response is, it might shed some light on what the problem is, especially if you compare it against a request for a static image.
|
|
|
|
|
You need to validate the filename passed in the query-string. You only want the code to be used to read images directly within the specified path, but it could currently be used to read images anywhere on the server.
You should also use Path.Combine to combine the folder path and file name:
Dim filename As String = Request.QueryString("filename")
If filename.IndexOfAny(System.IO.Path.GetInvalidFileNameChars()) <> -1 Then
Throw New HttpException(400, "Bad request")
End If
Dim width As Integer = Integer.Parse(Request.QueryString("width"))
Dim serverPath As String = Server.MapPath("~/images/")
Dim imagePath As String = System.IO.Path.Combine(serverPath, filename)
GenerateThumbnail(imagePath, width)
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
|
HI,
Every Body,
Can anyone tell me,What is Eval()and Bind() method in asp.net and What it's use???
And
What is difference between Eval() and Bind() Method???
|
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
