Monday, June 27, 2016

.NET : Web Vulnerabilities and How to Prevent Attacks

SQL Injection

Enables an attacker to execute arbitrary SQL by submitting a malicious SQL string through a form field. The attacker can then read all the data, delete data, and so on.

Prevent Attack
- Use Entity Framework, which generates the SQL text for you. However, if you use the SqlQuery method and concatenate user input into the query, you are vulnerable again, e.g. _context.users.SqlQuery("select * .." + input);
- Use parameters (@param) in the SQL string instead of concatenating input into it.
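The concatenated SqlQuery call from the text placed next to its parameterized form, as an added example that is not code from the original post. The entity, the DbContext (AppContext with a DbSet named Users) and the table and column names are assumed.

```csharp
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Entity and context are placeholders for whatever the application defines.
public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
}

public class AppContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class UserQueries
{
    // VULNERABLE: the input is pasted into the SQL text, so a quote character in
    // it ends the string literal and whatever follows is parsed as SQL.
    public static User FindUserUnsafe(AppContext context, string input)
    {
        return context.Users
            .SqlQuery("SELECT * FROM Users WHERE UserName = '" + input + "'")
            .FirstOrDefault();
    }

    // SAFE: @name is a parameter. The SQL text is fixed and the input travels
    // as a value, so it can never change the statement's structure.
    public static User FindUserSafe(AppContext context, string input)
    {
        return context.Users
            .SqlQuery("SELECT * FROM Users WHERE UserName = @name",
                      new SqlParameter("@name", input))
            .FirstOrDefault();
    }

    // SAFEST: let Entity Framework generate the SQL, as the text recommends;
    // LINQ to Entities parameterizes the comparison value automatically.
    public static User FindUserLinq(AppContext context, string input)
    {
        return context.Users.FirstOrDefault(u => u.UserName == input);
    }
}
```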

XSS - cross site scripting

Enables an attacker to execute a malicious script in the victim's browser, in the context of the vulnerable web page.

Prevent Attack
- Escape output (e.g. &lt;script&gt;) rather than emitting it raw (<script>)
- ASP.NET MVC request validation rejects input that looks like script or markup by default (configurable in web.config)
- Razor views escape content by default (the exception is Html.Raw())

CSRF - Cross-site Request Forgery

Allows an attacker to perform actions on behalf of a logged-in user without the user's knowledge.

Prevent Attack
- Render @Html.AntiForgeryToken() inside the form in the view
- Apply the [ValidateAntiForgeryToken] filter to the controller action that handles the POST
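The XSS and CSRF defences listed above, brought together in one MVC controller as an added example that is not code from the original post. The controller, model and action names are assumed, and the Razor view (which must contain @Html.AntiForgeryToken()) is described in comments rather than shown.

```csharp
using System.Web;
using System.Web.Mvc;

public class CommentViewModel
{
    public string Text { get; set; }
}

public class CommentsController : Controller
{
    // GET: the Razor view for this action must render @Html.AntiForgeryToken()
    // inside its <form>; that emits the hidden __RequestVerificationToken field
    // and a matching cookie. (Views are Razor markup, so only described here.)
    [HttpGet]
    public ActionResult Create()
    {
        return View();
    }

    // POST: [ValidateAntiForgeryToken] rejects any request whose hidden field does
    // not match the cookie, so a form hosted on another site cannot submit on the
    // user's behalf. Request validation, on by default, has already rejected
    // input that looks like markup such as <script> before this code runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        // store model.Text, then redirect (placeholder action name)
        return RedirectToAction("Index");
    }
}

public static class HtmlSafety
{
    // What Razor does for @Model.Text: "<script>" is emitted as "&lt;script&gt;",
    // so the browser shows it as text instead of running it. Html.Raw(...) is the
    // one call that skips this step, so reserve it for content you generated.
    public static IHtmlString Encoded(string untrusted)
    {
        return new HtmlString(HttpUtility.HtmlEncode(untrusted));
    }
}
```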

Monday, September 28, 2015

New Authentication Technology

Identity Provider (issuer) => STS (security token services) => Token (contains claims and signature)

Identity Provider or Issuer

It is an authority that makes claims about a user.
Example identity providers:


Token and its Claims

A token is a set of bytes that expresses information about an entity, for example a user.
  1. A token consists of one or more claims.
  2. Each claim contains a piece of information about the entity.
  3. A token also contains a signature, which identifies who created the token and protects it against tampering.


The token workflow process behind the scenes

Accessing an Enterprise application 


Claim Transformation
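The token-and-claims model and the claim transformation step named above, as an added illustration that is not code from the original post: the claims a validated token would carry are represented with .NET's System.Security.Claims types and passed through a ClaimsAuthenticationManager. The issuer URL, the user's values and the role-mapping rule are constructed for the example.

```csharp
using System.Linq;
using System.Security.Claims;

public class RoleMappingClaimsManager : ClaimsAuthenticationManager
{
    // Runs after the STS-issued token has been validated: the incoming claims are
    // what the issuer asserted; the output adds the claims the application needs.
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incoming)
    {
        if (incoming == null || !incoming.Identity.IsAuthenticated)
        {
            return incoming;
        }
        var identity = (ClaimsIdentity)incoming.Identity;
        string email = identity.FindFirst(ClaimTypes.Email)?.Value;
        // Application-specific rule (constructed): users of one domain become Editors.
        if (email != null && email.EndsWith("@contoso.example", System.StringComparison.OrdinalIgnoreCase))
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, "Editor", ClaimValueTypes.String, "urn:app:claims"));
        }
        return incoming;
    }
}

public static class TokenDemo
{
    // Builds the principal that results from a validated token containing these
    // claims (constructed values; in a real app the token handler does this).
    public static ClaimsPrincipal Build()
    {
        const string issuer = "https://sts.contoso.example"; // constructed issuer
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Email, "alice@contoso.example", ClaimValueTypes.String, issuer),
        }, "Federation");
        var principal = new ClaimsPrincipal(identity);
        return new RoleMappingClaimsManager().Authenticate("/", principal);
    }
}
```

After Build() the principal carries the two issuer-asserted claims plus an application-added Role claim whose issuer is the application, not the STS, which is the distinction claim transformation preserves.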



Microsoft Identity Technology

Windows Azure Active Directory as a Federation Provider




More screenshots at http://1drv.ms/1gVRxtT


Tuesday, September 22, 2015

JavaScript - Tips 6 - OOPs - Prototype

function Foo(who) {
    this.me = who;
}

// Methods placed on the prototype are shared by every instance created with new Foo(...)
Foo.prototype.speak = function () {
    alert("Hello, I am " + this.me + ".");
};

var a1 = new Foo("a1");
a1.speak();

The output is an alert box reading: Hello, I am a1.

Monday, September 21, 2015

ASP.NET Web API Documentation using Swagger

APIs are the trend now, and we need documentation for them so they can be published and shared with the teams building apps and applications. .NET comes with a built-in tool, but it has some challenges and is not very impressive.

On the other hand, Swagger is a framework for describing, consuming and visualizing RESTful APIs. It always keeps the documentation, client and server code in sync; nothing needs to be updated manually and the process is fully automated.

Installing and configuring Swagger is simple and easy, with no extra dependencies. The following are the simple steps to enable API documentation in your ASP.NET site.

Step 1 : Install Swagger using the NuGet package manager


Step 2 : Use the Install-Package command to install Swagger



Step 3 : Step 2 makes a few changes to your project (it updates web.config and adds a file "SwaggerConfig.cs", as shown in the figure)



Step 4 :  Minimal changes to enable Swagger and Swagger UI.



Step 5 : That's it. Now it is time to check the documentation. Use your application URL for testing, for example "http://YourLocalhostURL/swagger/ui"



Step 6 : I changed some APIs with Swagger decorations, as shown below.



Step 7 : Documentation for the Values Controller in Step 6
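The registration in SwaggerConfig.cs (Step 4) and the controller decorations (Step 6) written out, as an added example that is not the post's own code. It assumes the NuGet package installed is Swashbuckle (the usual "Swagger" package for ASP.NET Web API); the namespace MyApi and the API title are placeholders.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Web.Http;
using Swashbuckle.Application;
using Swashbuckle.Swagger.Annotations;

// Runs Register() at application start, as the generated SwaggerConfig.cs does.
[assembly: WebActivatorEx.PreApplicationStartMethod(typeof(MyApi.SwaggerConfig), "Register")]

namespace MyApi
{
    public class SwaggerConfig
    {
        public static void Register()
        {
            GlobalConfiguration.Configuration
                .EnableSwagger(c =>
                {
                    c.SingleApiVersion("v1", "MyApi");
                })
                // Swagger UI publishes the whole API surface at /swagger/ui;
                // keep it to development builds or restrict who can reach it.
                .EnableSwaggerUi();
        }
    }

    public class ValuesController : ApiController
    {
        // SwaggerResponse documents the status codes and body type the UI shows.
        [SwaggerResponse(HttpStatusCode.OK, Type = typeof(IEnumerable<string>))]
        public IEnumerable<string> Get()
        {
            return new[] { "value1", "value2" };
        }

        [SwaggerResponse(HttpStatusCode.OK, Type = typeof(string))]
        [SwaggerResponse(HttpStatusCode.NotFound, "No value with that id")]
        public IHttpActionResult Get(int id)
        {
            return id == 1 ? (IHttpActionResult)Ok("value1") : NotFound();
        }
    }
}
```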


Enjoy API Programming and documentation.


Friday, September 18, 2015

JavaScript - Tips 5 - JSOM with Deferred / promises

App.js

'use strict';

// Global variable with namespaces
var BasicJSOM = window.BasicJSOM || {};
BasicJSOM.Samples = BasicJSOM.Samples || {};

// This code runs when the DOM is ready and creates a context object,
// which is needed to use the SharePoint object model
$(document).ready(function () {
    debugger;
    BasicJSOM.Samples.SimpleDemo = new BasicJSOM.Samples.WebAndListSamples();
    BasicJSOM.Samples.SimpleDemo.getUserName();
    debugger;
    // getLists() returns a jQuery promise, so the caller can chain callbacks on it
    var readPromise = BasicJSOM.Samples.SimpleDemo.getLists();
    if (readPromise != undefined && readPromise != null) {
        readPromise
            .done(function () {
                alert('Success');
            })
            .fail(function () {
                alert('Fail');
            })
            .always(function () {
                alert('always callback');
            });
    }
});
AppManager.js

BasicJSOM.Samples.WebAndListSamples = function () {
    // private variables
    var context = SP.ClientContext.get_current();
    var user = context.get_web().get_currentUser();
    var lists = context.get_web().get_lists();

    // private functions
    function _getUserName() {
        $('#message').text('Web Absolute url : ' + _spPageContextInfo.webAbsoluteUrl);
        context.load(user);
        context.executeQueryAsync(onGetUserNameSuccess, onGetUserNameFail);
    }

    function onGetUserNameSuccess() {
        // Note: append() inserts the title as HTML; use text() or escape the value
        // if it may contain markup you do not trust
        $('#message').append('<br/> User Title :' + user.get_title());
    }

    function onGetUserNameFail(sender, args) {
        alert('Failed to get user name. Error:' + args.get_message());
    }

    // Wraps the asynchronous JSOM call in a jQuery Deferred so callers get a promise
    function _getLists() {
        var dfd = $.Deferred();
        context.load(lists);
        context.executeQueryAsync(
            // Async success callback
            function () {
                $('#message').append('<br/> List Count ' + lists.get_count());
                dfd.resolve();
            },
            // Async fail callback
            function (sender, args) {
                alert('Failed to get list names. Error:' + args.get_message());
                dfd.reject();
            });
        return dfd.promise();
    }

    // register public members
    var publicMembers = {
        getUserName: _getUserName,
        getLists: _getLists
    };
    return publicMembers;
};
Default.aspx

<%-- The following 4 lines are ASP.NET directives needed when using SharePoint components --%>
<%@ Page Inherits="Microsoft.SharePoint.WebPartPages.WebPartPage, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" MasterPageFile="~masterurl/default.master" Language="C#" %>
<%@ Register TagPrefix="Utilities" Namespace="Microsoft.SharePoint.Utilities" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPages" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register TagPrefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>

<%-- The markup and script in the following Content element will be placed in the <head> of the page --%>
<asp:Content ContentPlaceHolderID="PlaceHolderAdditionalPageHead" runat="server">
    <script type="text/javascript" src="../Scripts/jquery-1.9.1.min.js"></script>
    <script type="text/javascript" src="/_layouts/15/sp.runtime.js"></script>
    <script type="text/javascript" src="/_layouts/15/sp.js"></script>
    <meta name="WebPartPageExpansion" content="full" />
    <!-- Add your CSS styles to the following file -->
    <link rel="Stylesheet" type="text/css" href="../Content/App.css" />
    <!-- Add your JavaScript to the following file -->
    <script type="text/javascript" src="../Scripts/App.js"></script>
    <script type="text/javascript" src="../Scripts/AppManager.js"></script>
</asp:Content>

<%-- The markup in the following Content element will be placed in the TitleArea of the page --%>
<asp:Content ContentPlaceHolderID="PlaceHolderPageTitleInTitleArea" runat="server">
    JSOM Samples
</asp:Content>

<%-- The markup and script in the following Content element will be placed in the <body> of the page --%>
<asp:Content ContentPlaceHolderID="PlaceHolderMain" runat="server">
    <div>
        <p id="message">
            <!-- The following content will be replaced with the user name when you run the app - see App.js -->
            initializing...
        </p>
    </div>
</asp:Content>
Also have a look at this sample by mkropat: https://gist.github.com/mkropat/8811708.js

JavaScript - Tips 4 - Deferred or Promises

index.html

<!DOCTYPE html>
<html>
<head>
    <script data-require="jquery@*" data-semver="2.1.4" src="http://code.jquery.com/jquery-2.1.4.min.js"></script>
    <script src="http://malsup.github.com/jquery.blockUI.js"></script>
    <link rel="stylesheet" href="style.css" />
    <script src="script.js"></script>
</head>
<body>
    <div>Live demo : <a href='http://jsfiddle.net/jfromaniello/AjwaV/40/light/' target='_blank'>http://jsfiddle.net/jfromaniello/AjwaV/40/light/</a></div>
    <ul>
        <li>First name: <span id="firstName"></span></li>
        <li>Address: <span id="address"></span></li>
    </ul>
</body>
</html>
script.js

// Wraps the POST in a Deferred and hands back only its promise, so callers
// can attach callbacks but cannot resolve or reject the operation themselves
function getCustomer(customerId) {
    var d = $.Deferred();
    $.post(
        "/echo/json/",
        {
            json: JSON.stringify({ firstName: "Jose", lastName: "Romaniello", ssn: "123456789" }),
            delay: 4
        }
    ).done(function (p) {
        d.resolve(p);
    }).fail(d.reject);
    return d.promise();
}

// Returns the POST's own promise; pipe() (then() in newer jQuery) maps the
// full echoed response down to just the address field
function getPersonAddressBySSN(ssn) {
    return $.post("/echo/json/", {
        json: JSON.stringify({
            ssn: "123456789",
            address: "Siempre Viva 12345, Springfield"
        }),
        delay: 2
    }).pipe(function (p) {
        return p.address;
    });
}

function load() {
    $.blockUI({ message: "Loading..." });
    // text() rather than html(): the values come back from the server and
    // should be shown as text, not interpreted as markup
    var loadingCustomer = getCustomer(123)
        .done(function (c) {
            $("span#firstName").text(c.firstName);
        });
    var loadingAddress = getPersonAddressBySSN("123456789")
        .done(function (address) {
            $("span#address").text(address);
        });
    // $.when resolves once both requests have completed, then removes the overlay
    $.when(loadingCustomer, loadingAddress)
        .done($.unblockUI);
}

load();

Wednesday, September 16, 2015

JavaScript - Tips 3 - Namespace and SharePoint Web and List


'use strict';

// Global variable with namespaces
var BasicJSOM = window.BasicJSOM || {};
BasicJSOM.Samples = BasicJSOM.Samples || {};

// This code runs when the DOM is ready and creates a context object,
// which is needed to use the SharePoint object model
$(document).ready(function () {
    debugger;
    BasicJSOM.Samples.SimpleDemo = new BasicJSOM.Samples.WebAndListSamples();
    BasicJSOM.Samples.SimpleDemo.getUserName();
    BasicJSOM.Samples.SimpleDemo.getLists();
});

BasicJSOM.Samples.WebAndListSamples = function () {
    // private variables
    var context = SP.ClientContext.get_current();
    var user = context.get_web().get_currentUser();
    var lists = context.get_web().get_lists();

    // private functions
    function _getUserName() {
        $('#message').text('Web Absolute url : ' + _spPageContextInfo.webAbsoluteUrl);
        context.load(user);
        context.executeQueryAsync(onGetUserNameSuccess, onGetUserNameFail);
    }

    function onGetUserNameSuccess() {
        // Note: append() inserts the title as HTML; use text() or escape the value
        // if it may contain markup you do not trust
        $('#message').append('<br/> User Title :' + user.get_title());
    }

    function onGetUserNameFail(sender, args) {
        alert('Failed to get user name. Error:' + args.get_message());
    }

    function _getLists() {
        context.load(lists);
        context.executeQueryAsync(onGetListSuccess, onGetListFail);
    }

    function onGetListSuccess() {
        $('#message').append('<br/> List Count ' + lists.get_count());
    }

    function onGetListFail(sender, args) {
        alert('Failed to get list names. Error:' + args.get_message());
    }

    // register public members
    var publicMembers = {
        getUserName: _getUserName,
        getLists: _getLists
    };
    return publicMembers;
};
Now run the code in an app and the output is as shown below.