Monday, April 14, 2014
Thursday, August 19, 2010
There was an error processing the request
If you get that above error.. and you have no idea what's wrong with it just put change "CustomError='Off'"
Monday, August 16, 2010
WebForm_... is not Defined error
If you get this error "WebForm_ is not defined error..."
and previously you never get this problem...
---
you may install a plugin which compress the .axd file...
---
solution:
you need to exclude them on the compression module...
please check your .axd name.. and exclude them on your HTTP compression module
it needs this 2 file not to be compressed
System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions
and
System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions
and previously you never get this problem...
---
you may install a plugin which compress the .axd file...
---
solution:
you need to exclude them on the compression module...
please check your .axd name.. and exclude them on your HTTP compression module
it needs this 2 file not to be compressed
System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions
and
System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions
Sunday, August 1, 2010
Protect yourself from XSS attack with new ASP 4.0 nuggets
In ASP.NET 4.0, you can replace your usually habit to use <%=%> with this new nuggets <%: %>
This will automatically protect your applications against cross-site script injection (XSS) and HTML injection attacks and avoid duplicate encoding.
So you don't need to worry if you forget to encode your string in the aspx files. or protect it using AntiXSS.
It's very usefull in combination of MVC framework 2.0
This will automatically protect your applications against cross-site script injection (XSS) and HTML injection attacks and avoid duplicate encoding.
So you don't need to worry if you forget to encode your string in the aspx files. or protect it using AntiXSS.
It's very usefull in combination of MVC framework 2.0
Thursday, July 22, 2010
IsCallBack VS IsPostback
I just looking in couple framework. and just curious what they use to bind the UI is using
! IsCallback instead of ! IsPostback
Why ?
Just making summary out of this
http://msdn.microsoft.com/en-us/library/ms178141.aspx
IsCallBack will be set to true if you doing a partial postback.
if you checking using IsCallBack and there is no ajax call , it will not affect anything. Just similar like you don't use the checking which is doesn't improve your performance.
But there should be a reason behind it, or probably they have a mistype because of Autocomplete provided by VS =p
! IsCallback instead of ! IsPostback
Why ?
Just making summary out of this
http://msdn.microsoft.com/en-us/library/ms178141.aspx
IsCallBack will be set to true if you doing a partial postback.
if you checking using IsCallBack and there is no ajax call , it will not affect anything. Just similar like you don't use the checking which is doesn't improve your performance.
But there should be a reason behind it, or probably they have a mistype because of Autocomplete provided by VS =p
Wednesday, July 14, 2010
Protect your apps from ClickJacking
Here an interesting video which I recently lookat.
http://www.youtube.com/watch?v=gxyLbpldmuU
To protect your apps
put this code
if (top != self)
{
self.location.href = "http://yoursite.com";
}
http://www.youtube.com/watch?v=gxyLbpldmuU
To protect your apps
put this code
if (top != self)
{
self.location.href = "http://yoursite.com";
}
Monday, July 12, 2010
CSRF Attack Prevention on .NET
In Addition to Rob's AntiXSS, we also need to secure CSRF Attack in Defence Jobs.
Here is what I found :
* Check this video to understand how the CSRF works & How you check your site if it is secure.
* Prevention
- ViewStateUserKey in (ASP.NET)
If you use viewstate in ASP.NET. it is recommended that you include ViewStateUserKey and Encript them
*(Include this on your base page)
protected override OnInit(EventArgs e)
{
base.OnInit(e);
if (User.Identity.IsAuthenticated)
ViewStateUserKey = Session.SessionID;
base.OnInit(e);
if (User.Identity.IsAuthenticated)
ViewStateUserKey = Session.SessionID;
}
* Encript your viewstate in web.config (ViewStateEncriptionMode="Always")
http://msdn.microsoft.com/en-us/library/aa479501.aspx
http://msdn.microsoft.com/en-us/library/aa479501.aspx
Note:
However ViewStateUserKey this is not fully protect you from CSRF. This just to add an addition security layer to your application.
http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx
However ViewStateUserKey this is not fully protect you from CSRF. This just to add an addition security layer to your application.
http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx
* Recommended Prevention
Because ViewStateUserKey is not completely protect you from the CSRF Attack, You need to protect your application using per-request nonce to hidden form / URL
There are framework which can automatically done this.
* .NET CSRF GUARD http://www.owasp.org/index.php/.Net_CSRF_Guard
- This .NET version unfortunately only supply protection using URL method. (Nonce token is added on URL). This version doesn't support the hidden field method.
* ANTICSRF for ASP.NET (RECOMMENDED) http://idunno.org/archive/2008/12/14/announcing-anticsrf-for-asp.net.aspx
This framework (.NET HTTPModule) will added the per-request nonce to hidden field & cookies and validate it when post method or postback triggered.
========================================================
Installation of ANTICSRF http://anticsrf.codeplex.com/
- Add AntiCSRF.dll to Bin Folder
- Register AntiCSRF HttpModule on web config
....
....
- Configure Settings
....
....
....
- If you don't want to proptect your page,
you can add class attribute [Idunno.AntiCsrf.SuppressCsrfCheck]
or page interface <%@ Implements Interface="Idunno.AntiCsrf.ISuppressCsrfCheck" %>
==================================================================How it works (ANTICSRF)
* HTTP MODULE on PreSendRequestHeaders and PreRequestHandlerExecutecontext.PreSendRequestHeaders += PreSendRequestHeaders;
context.PreRequestHandlerExecute += PreRequestHandlerExecute;
* Adding pre-request nonce token- Add nonce on hidden field __CSRFTOKEN and cokkie __CSRFCOOKIE (configurable on settings)* Validate nonce token on hidden field with cokkie- It will validate the token when (POST Request or Postback)
- Get Request will NOT be validated unless it is Postback- It will NOT validate any SuppressCsrfCheck class attribute or any class which inherits Idunno.AntiCsrf.ISuppressCsrfCheck* If Attack detected-When- hidden field or cookkie token are null/empty- hidden field and cookkie token is not match-ACTION (based on configuration setting detectionResult)
- Throw an exception- Or redirect to other page based on configuration setting (errorPage)
==================================================================Limitations of ANTICSRF
- You, the developer, must ensure your GET requests are idempotent (i.e. the side-effects of multiple identical requests are the same as for a single request). GET requests are not protected with this module. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2.
---------------------
* This Framework will not protect the GET Request (Except if it is postback).
For example
- when you use AJAX call using GET Request, It will not validate the token.
- when you use AJAX call using GET Request, It will not validate the token.
- But if you want to use AJAX call using the POST Request,
You must Suppress the AntiCSRF validation by what I mention above on the Intallation. by adding the attribute or page attribute.
You must Suppress the AntiCSRF validation by what I mention above on the Intallation. by adding the attribute or page attribute.
Because If you don't suppress the AntiCSRF validation, it will detect as AntiCSRF Attack, because they can't find the token located on your hidden field.
Please have a read on How It Works explanation above.
---------------------
Subscribe to:
Posts (Atom)