Monday, June 27, 2016

.NET : Web Vulnerability and prevent attack

SQL Injection

Enables an attacker to execute SQL using the malicious sql string in the form. The attacker can view all the data and/or delete data etc.

Prevent Attack
-Use Entity framework and it takes care of generating SQL text. However if you use SqlQuery method then we are vulnerable. eg (_context.users.SqlQuery("select * .." + input);
-Use @param in sql string

XSS - cross site scripting

Enable an attacker to execute malicious script on the victim's computer or web page

Prevent Attack
- escape (eg &lt;script&gt) and not raw (<script>)
- ASP.net MVC rejects JavaScript in inputs by default (web.config)
- Razer views escape content (exception Html.Raw())

CSRF - Cross-site Request Forgery

Allows an attacker to perform actions on behalf of a user without their knowledge

 Prevent Attack
-using @Html.AntiForgeyToken()
-using filter in controller action [ValidateAntiForgeryToken]






Posted by at 2 comments:
Labels:

Monday, September 28, 2015

New Authentication Technology

Identity Provider (issuer) => STS (security token services) => Token (contains claims and signature)

Identity Provider or Issuer

It's an authority that makes claims about user
Example Identity providers


Token & and its Claims
A token is a set of bytes that expresses Information about an entity. example a user.
  1. A token consists of one or more claims
  2. Each claim contains Information about the entity
  3. A token also contains a signature, which contains information such as who created this token and guards/protects against changes.


The token workflow process behind the scenes

Accessing an Enterprise application 


Claim Transformation

Microsoft Identity Technology


















Windows Azure Active Directory as a Federation Provider


More screenshots at http://1drv.ms/1gVRxtT


Posted by at No comments:
Labels: , , , , ,

Tuesday, September 22, 2015

JavaScript - Tips 6 - OOPs - Prototype


The output is
Posted by at No comments:
Labels:

Monday, September 21, 2015

ASP.NET Web API Documentation using Swagger

Now the trend is APIs  and we need documentations for APIs to publish and share with teams for Apps and Application development. .NET comes with the in-build tool which have some challenges and not very impressive.

On the other hand, Swagger is a framework for describing, consuming and visualizing RESTful APIs. It keeps the documentation system, client and server code in sync always. We don't need to update manually and its fully automated.

Installing and configuring Swagger is simple, easy and no dependency. The following are the simple steps to enable API documentation in your ASP.Net site.

Step 1 : Install Swagger using Nuget package manager


Step 2 : Use Install-Package command to install Swagger



Step 3 : Step 2 adds a few changes in your project (updates web.config and adds a file "SwaggerConfig.cs" as shown in the figure)



Step 4 :  Minimal changes to enable Swagger and Swagger UI.



Step 5 : That's it. Now time to check the documentation. Use your application URL for your testing. Example "http://YourLocalhostURL/swagger/ui"



Step 6 : I changes some APIs with Swagger decorations as shown below.



Step 7 : Documentation for the Values Controller in Step 6


Enjoy API Programming and documentation.


Posted by at No comments:
Labels: ,

Friday, September 18, 2015

JavaScript - Tips 5 - JSOM with Deferred / promises

Also please have a look at this sample too by mkropat https://gist.github.com/mkropat/8811708.js
Posted by at No comments:
Labels: , , ,

JavaScript - Tips 4 - Deferred or Promises

Posted by at No comments:
Labels: ,

Wednesday, September 16, 2015

JavaScript - Tips 3 - Namespace and SharePoint Web and List


Now run the code in an app and the output is as shown below.


Posted by at No comments:
Labels: , ,
Subscribe to: Posts (Atom)