Monday, June 27, 2016

.NET : Web Vulnerabilities and how to prevent the attacks

SQL Injection

Enables an attacker to run SQL of their own choosing by submitting a malicious string through a form field (or any other input) that the application concatenates into a query. The attacker can then read all the data, modify or delete it, and so on.

Prevent Attack
-Use Entity Framework and let it generate the SQL text (LINQ queries are translated to parameterized SQL). However, if you use the SqlQuery method and build the string yourself, you are vulnerable again, e.g. _context.Users.SqlQuery("select * ... where Name = '" + input + "'")
-Pass user input as @param placeholders in the SQL string, bound to SqlParameter objects, never by string concatenation. Parameters cannot carry identifiers (table or column names, ORDER BY columns); those must come from a whitelist in code.
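
The two points above side by side, as an added example (not code from the original post). The AppDbContext, the Users table and its columns are assumptions made for the example; it targets Entity Framework 6 and plain ADO.NET against SQL Server.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Added example, not from the original post. AppDbContext, User and the
// Users table are assumed names.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
    public bool IsAdmin { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class UserLookup
{
    // VULNERABLE: the caller's text becomes part of the SQL statement.
    // An input of   x' OR 1=1 --   turns the WHERE clause into a tautology and
    // returns every row; x'; DROP TABLE Users; -- does considerably more.
    public static List<User> FindByName_Vulnerable(AppDbContext db, string name)
    {
        return db.Users.SqlQuery("SELECT * FROM Users WHERE Name = '" + name + "'").ToList();
    }

    // SAFE: the SQL text is constant and the input travels as a typed parameter,
    // so the database engine never parses it as SQL.
    public static List<User> FindByName_Parameterized(AppDbContext db, string name)
    {
        return db.Users.SqlQuery("SELECT * FROM Users WHERE Name = @name",
                                 new SqlParameter("@name", name)).ToList();
    }

    // PREFERRED for ordinary queries: let Entity Framework generate the SQL.
    // The LINQ expression is translated to a parameterized statement.
    public static List<User> FindByName_Linq(AppDbContext db, string name)
    {
        return db.Users.Where(u => u.Name == name).ToList();
    }

    // The same rule without EF (plain ADO.NET): parameters, never concatenation.
    // Declaring the type and length also stops oversized input reaching the server.
    public static int CountByName_Ado(string connectionString, string name)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE Name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Run FindByName_Vulnerable with the input x' OR 1=1 -- and every user comes back; run FindByName_Parameterized with the same input and the query looks for a user literally named "x' OR 1=1 --" and returns nothing.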

XSS - cross site scripting

Enables an attacker to execute malicious script in the victim's browser, in the context of the vulnerable page (reading the session cookie, changing the page, sending requests as the logged-in user)

Prevent Attack
- HTML-encode output (e.g. &lt;script&gt;) instead of emitting it raw (<script>)
- ASP.NET MVC request validation rejects inputs that look like HTML or script by default (configured in web.config); treat it as defence in depth, not as a replacement for output encoding, since it can be switched off per action ([ValidateInput(false)]) or per property ([AllowHtml])
- Razor views HTML-encode everything written with @ (the exception is Html.Raw(), which emits the string unencoded and must only be used for markup you have sanitized yourself)

CSRF - Cross-site Request Forgery

Allows an attacker to make the victim's browser perform actions on a site where the victim is logged in (submitting a form, changing settings) without their knowledge, because the browser attaches the session cookie to the forged request automatically

Prevent Attack
-using @Html.AntiForgeryToken() in the form, which writes a hidden field and a matching cookie
-using the [ValidateAntiForgeryToken] filter on the POST controller action, which rejects the request unless the hidden field and the cookie agree (a cross-site page can trigger the request but cannot read the token)
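
A single ASP.NET MVC 5 "comments" feature that applies both the XSS and the CSRF advice above, as an added example (not code from the original post). The controller, model and view names are assumptions; the Razor views are shown inside a comment so the block stays one C# file.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Added example, not from the original post. Names are assumptions.
public class CommentModel
{
    public string Author { get; set; }

    // Request validation would otherwise reject "<script>" in Body with an
    // HttpRequestValidationException. [AllowHtml] opts this one property out
    // (e.g. for a rich-text editor); the view below still encodes it on output,
    // which is the protection that actually matters.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    private static readonly List<CommentModel> Store = new List<CommentModel>();

    // GET: renders the form. @Html.AntiForgeryToken() in the view writes the
    // hidden __RequestVerificationToken field and a matching cookie.
    [HttpGet]
    public ActionResult Create()
    {
        return View();
    }

    // POST: the state-changing action. [ValidateAntiForgeryToken] rejects the
    // request unless the hidden field and the cookie carry matching tokens,
    // which a page on another origin cannot read or forge.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid) return View(model);
        Store.Add(model);
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        return View(Store);
    }
}

/* Views/Comments/Create.cshtml (Razor):

@model CommentModel
@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    @Html.TextBoxFor(m => m.Author)
    @Html.TextAreaFor(m => m.Body)
    <input type="submit" value="Post" />
}

   Views/Comments/Index.cshtml (Razor):

@model IEnumerable<CommentModel>
@foreach (var c in Model)
{
    <p>@c.Author</p>    @* encoded: <script> is rendered as &lt;script&gt; *@
    <p>@c.Body</p>      @* encoded too, even though [AllowHtml] let it in *@
    @* <p>@Html.Raw(c.Body)</p> would emit the markup unencoded; only for HTML
       you have sanitized yourself, never for raw user input *@
}
*/
```

To see the CSRF check work, post to /Comments/Create from a form that omits @Html.AntiForgeryToken(): the filter throws HttpAntiForgeryException and the comment is never stored.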

Monday, September 28, 2015

New Authentication Technology

Identity Provider (issuer) => STS (Security Token Service) => Token (contains claims and a signature)

Identity Provider or Issuer

It's an authority that makes claims about a user
Example identity providers


Token and its Claims
A token is a set of bytes that expresses information about an entity, for example a user.
  1. A token consists of one or more claims
  2. Each claim contains a piece of information about the entity (name, e-mail, group, role)
  3. A token also contains a signature, which identifies who created the token and protects it against changes: the application verifies the signature before it trusts any claim


The token workflow process behind the scenes

Accessing an Enterprise application 


Claim Transformation
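
To make "claims + signature" and claim transformation concrete, here is an added example (not from the original post) that issues a signed token from System.Security.Claims objects, validates it, and transforms an issuer's group claim into an application role. The token format (issuer|claims|signature with Base64 parts), the shared secret and the issuer URL are all invented for the example; real STSs issue SAML or JWT tokens.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post. Token format, secret and
// issuer URL are assumptions.
public static class ClaimsTokenDemo
{
    // Key shared between the STS (issuer) and the application that trusts it.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("demo-secret-replace-me");

    // Issuer side: the STS states claims about the user and signs them.
    public static string Issue(string issuer, IEnumerable<Claim> claims)
    {
        string body = B64(issuer) + "|" +
                      string.Join(";", claims.Select(c => B64(c.Type) + ":" + B64(c.Value)));
        return body + "|" + Sign(body);
    }

    // Application side: check the signature and the issuer before trusting a
    // single claim. A token that fails here is not an identity at all.
    public static ClaimsIdentity Validate(string token, string expectedIssuer)
    {
        string[] parts = token.Split('|');
        if (parts.Length != 3 || !FixedTimeEquals(Sign(parts[0] + "|" + parts[1]), parts[2]))
            throw new InvalidOperationException("Bad signature: token altered or not issued by the STS");

        string issuer = UnB64(parts[0]);
        if (issuer != expectedIssuer)
            throw new InvalidOperationException("Untrusted issuer: " + issuer);

        var identity = new ClaimsIdentity("DemoToken");
        foreach (string pair in parts[1].Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            string[] tv = pair.Split(':');
            identity.AddClaim(new Claim(UnB64(tv[0]), UnB64(tv[1]), ClaimValueTypes.String, issuer));
        }
        return identity;
    }

    // Claim transformation: map what the issuer said (a directory group) onto
    // the claims the application's own authorization checks use (a role).
    public static ClaimsIdentity Transform(ClaimsIdentity incoming)
    {
        var transformed = new ClaimsIdentity(incoming.Claims, incoming.AuthenticationType);
        if (incoming.HasClaim("group", "Finance"))
            transformed.AddClaim(new Claim(ClaimTypes.Role, "InvoiceApprover"));
        return transformed;
    }

    public static void Main()
    {
        const string Sts = "https://sts.contoso.example";
        string token = Issue(Sts, new[] { new Claim(ClaimTypes.Name, "alice"), new Claim("group", "Finance") });

        var user = new ClaimsPrincipal(Transform(Validate(token, Sts)));
        Console.WriteLine("{0} approver: {1}", user.Identity.Name, user.IsInRole("InvoiceApprover"));

        // Changing any byte of the body invalidates the signature.
        try { Validate("A" + token, Sts); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }

    private static string Sign(string body)
    {
        using (var hmac = new HMACSHA256(Secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(body)));
    }

    // Constant-time comparison so the check does not leak how many leading
    // signature bytes were right.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string B64(string s) { return Convert.ToBase64String(Encoding.UTF8.GetBytes(s)); }
    private static string UnB64(string s) { return Encoding.UTF8.GetString(Convert.FromBase64String(s)); }
}
```

The order inside Validate is the point: signature first, then issuer, and only then are the claims turned into a ClaimsIdentity. Transform runs after that, so the application never grants a role on the strength of an unverified claim.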



Microsoft Identity Technology
Windows Azure Active Directory as a Federation Provider
More screenshots at http://1drv.ms/1gVRxtT


Monday, September 21, 2015

ASP.NET Web API Documentation using Swagger

APIs are the trend now, and we need documentation for them so that they can be published and shared with the teams building apps and applications on top of them. .NET comes with a built-in help-page tool, which has some limitations and is not very impressive.

Swagger, on the other hand, is a framework for describing, consuming and visualizing RESTful APIs. It keeps the documentation, the client and the server code in sync: the documentation is generated from the code, so there is nothing to update by hand.

Installing and configuring Swagger is simple and brings no extra dependencies. The following steps enable API documentation in your ASP.NET Web API site.

Step 1 : Install Swagger using the NuGet Package Manager


Step 2 : Alternatively, use the Install-Package command in the Package Manager Console to install Swagger



Step 3 : The install makes a few changes to your project (it updates web.config and adds the file "SwaggerConfig.cs" under App_Start, as shown in the figure)



Step 4 : Minimal changes to SwaggerConfig.cs enable Swagger (the JSON description) and Swagger UI (the browsable pages).



Step 5 : That's it. Now check the documentation by browsing to your application's Swagger URL, for example "http://YourLocalhostURL/swagger/ui". Remember that this page lists every operation and lets anyone who can reach it send requests, so do not leave it anonymously reachable on a production host.



Step 6 : I changed some APIs to add Swagger decorations, as shown below.



Step 7 : Documentation for the ValuesController from Step 6
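
The whole procedure in code, as an added example (not the files from the original post, whose screenshots are not reproduced here). It assumes the package installed is Swashbuckle, the Swagger implementation for ASP.NET Web API that generates App_Start/SwaggerConfig.cs, and it assumes a project named SwaggerDemo with an XML documentation file of the same name; adjust both to your project.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Http;
using System.Web.Http.Description;
using Swashbuckle.Application;
using WebActivatorEx;

// Added example, not from the original post. Project name, XML file name
// and the sample data are assumptions.
[assembly: PreApplicationStartMethod(typeof(SwaggerDemo.SwaggerConfig), "Register")]

namespace SwaggerDemo
{
    // App_Start/SwaggerConfig.cs as generated by the package, trimmed to the
    // options actually used (Step 4).
    public class SwaggerConfig
    {
        public static void Register()
        {
            GlobalConfiguration.Configuration
                .EnableSwagger(c =>
                {
                    c.SingleApiVersion("v1", "SwaggerDemo API");
                    // Pull the /// comments below into the documentation. Needs
                    // "XML documentation file" ticked in the project's Build settings.
                    c.IncludeXmlComments(string.Format(@"{0}bin\SwaggerDemo.XML",
                        AppDomain.CurrentDomain.BaseDirectory));
                })
                .EnableSwaggerUi();
        }
    }

    /// <summary>
    /// Values kept in memory. The "Swagger decorations" (Step 6) are the XML
    /// comments plus [ResponseType]; Swashbuckle turns them into the operation
    /// description and the response schema shown in the UI (Step 7).
    /// </summary>
    public class ValuesController : ApiController
    {
        private static readonly Dictionary<int, string> Values =
            new Dictionary<int, string> { { 1, "one" }, { 2, "two" } };

        /// <summary>Returns one value by id.</summary>
        /// <param name="id">Identifier of the value.</param>
        /// <response code="200">The value with that id.</response>
        /// <response code="404">No value with that id exists.</response>
        [HttpGet]
        [ResponseType(typeof(string))]
        public IHttpActionResult Get(int id)
        {
            string value;
            return Values.TryGetValue(id, out value) ? (IHttpActionResult)Ok(value) : NotFound();
        }

        /// <summary>Stores a value under a new id.</summary>
        /// <param name="value">The text to store; the body of the request.</param>
        /// <response code="201">Created; the Location header points at the new value.</response>
        [HttpPost]
        [ResponseType(typeof(int))]
        public IHttpActionResult Post([FromBody] string value)
        {
            int id = Values.Count + 1;
            Values[id] = value;
            return Created(new Uri("/api/Values/" + id, UriKind.Relative), id);
        }
    }
}
```

One practical caveat: EnableSwaggerUi() publishes the full API surface and a "Try it out" button. Wrap the call in a configuration check, or put the /swagger path behind the same authentication as the API, before the site reaches an internet-facing host.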


Enjoy API Programming and documentation.