tag:blogger.com,1999:blog-8540217610541530702024-02-18T19:46:01.637-08:00Kajax.netAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.comBlogger97125tag:blogger.com,1999:blog-854021761054153070.post-37607824074179633852014-04-14T14:59:00.001-07:002014-04-14T15:03:27.282-07:00scroll helper<script src="https://gist.github.com/kkurni/10682748.js"></script>Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-35579927894910259352010-08-19T00:27:00.000-07:002010-08-19T00:29:46.509-07:00There was an error processing the requestIf you get that above error.. and you have no idea what's wrong with it just put change "CustomError='Off'"Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-65449375600115979242010-08-16T19:51:00.000-07:002010-08-16T19:54:17.202-07:00WebForm_... is not Defined errorIf you get this error "WebForm_ is not defined error..."<br />and previously you never get this problem...<br /><br />---<br />you may install a plugin which compress the .axd file...<br /><br />---<br /><br />solution:<br />you need to exclude them on the compression module...<br />please check your .axd name.. 
and exclude them on your HTTP compression module<br /><br /><br />it needs this 2 file not to be compressed<br />System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions<br /><br />and<br /><br />System.Web.Handlers.ScriptResourceHandler, System.Web.ExtensionsAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-80842541988507316202010-08-01T05:13:00.000-07:002010-08-01T05:16:57.168-07:00Protect yourself from XSS attack with new ASP 4.0 nuggets<span><span style="font-family:arial;font-size:85%;">In ASP.NET 4.0, you can replace your usually habit to use <span style="font-weight: bold;"><%=%></span> with this new nuggets </span></span><span><span style="font-family:arial;font-size:85%;"><span style="font-weight: bold;"><%: %> </span></span></span><br /><span><span style="font-family:arial;font-size:85%;">This will automatically protect your applications against cross-site script injection (XSS) and HTML injection attacks and avoid duplicate encoding.<br /><br />So you don't need to worry if you forget to encode your string in the aspx files. or protect it using AntiXSS.<br /><br />It's very usefull in combination of MVC framework 2.0<br /></span></span>Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-48932819938068189622010-07-22T19:16:00.000-07:002010-07-22T19:19:40.199-07:00IsCallBack VS IsPostbackI just looking in couple framework. and just curious what they use to bind the UI is using<br />! IsCallback instead of ! IsPostback<br /><br />Why ?<br /><br />Just making summary out of this<br /><a href="http://msdn.microsoft.com/en-us/library/ms178141.aspx">http://msdn.microsoft.com/en-us/library/ms178141.aspx</a><br /><br /><br />IsCallBack will be set to true if you doing a partial postback.<br /><br />if you checking using IsCallBack and there is no ajax call , it will not affect anything. 
Just similar like you don't use the checking which is doesn't improve your performance.<br /><br />But there should be a reason behind it, or probably they have a mistype because of Autocomplete provided by VS =pAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-76408621388027240882010-07-14T23:31:00.000-07:002010-07-14T23:33:07.061-07:00Protect your apps from ClickJackingHere an interesting video which I recently lookat.<br /><br /><a href="http://www.youtube.com/watch?v=gxyLbpldmuU">http://www.youtube.com/watch?v=gxyLbpldmuU</a><br /><br />To protect your apps<br /><br />put this code<br /><br />if (top != self)<br />{<br /> self.location.href = "http://yoursite.com";<br />}Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-81833385819473027662010-07-12T17:24:00.000-07:002010-07-13T17:47:11.216-07:00CSRF Attack Prevention on .NET<div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010">In Addition to Rob's AntiXSS, we also need to secure CSRF Attack in Defence Jobs.</span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"></span></span> </div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010">Here is what I found :</span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"></span></span> </div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010">* Check this video to understand how the CSRF works & How you check your site if it is secure.</span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><a 
title="http://www.securitytube.net/Discovering-CSRF-with-OWASP%27s-CSRFTester-Tool-video.aspx" href="http://www.securitytube.net/Discovering-CSRF-with-OWASP%27s-CSRFTester-Tool-video.aspx">http://www.securitytube.net/Discovering-CSRF-with-OWASP%27s-CSRFTester-Tool-video.aspx</a></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"></span></span> </div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><strong>* Prevention</strong></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"></span></span><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><strong> - ViewStateUserKey in (ASP.NET)</strong></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> If you use viewstate in ASP.NET. 
it is recommended that you include <strong>ViewStateUserKey </strong>and <strong>Encript </strong>them</span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> *(Include this on your base page)</span></span><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> </span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> protected override OnInit(EventArgs e) </span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> {<br /> base.OnInit(e);<br /> if (User.Identity.IsAuthenticated)<br /> ViewStateUserKey = Session.SessionID; </span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> }</span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> * Encript your viewstate in web.config (ViewStateEncriptionMode="Always")<br /> <a title="http://msdn.microsoft.com/en-us/library/aa479501.aspx" href="http://msdn.microsoft.com/en-us/library/aa479501.aspx">http://msdn.microsoft.com/en-us/library/aa479501.aspx</a></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> </span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><strong>Note: <br /> However ViewStateUserKey this is not fully protect you from CSRF. 
This just to add an addition security layer to your application.<br /> <a title="http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx" href="http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx">http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx</a></strong></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"></span></span> </div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"></span></span> </div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><strong>* Recommended Prevention</strong></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> Because ViewStateUserKey is not completely protect you from the CSRF Attack, You need to protect your application using <strong>per-request nonce to hidden form / URL</strong></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> There are framework which can automatically done this.</span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><strong> * .NET CSRF GUARD </strong><a title="http://www.owasp.org/index.php/.Net_CSRF_Guard" href="http://www.owasp.org/index.php/.Net_CSRF_Guard">http://www.owasp.org/index.php/.Net_CSRF_Guard</a></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> <strong>- </strong>This .NET version unfortunately only supply protection using URL method. (Nonce token is added on URL). 
This version doesn't support the hidden field method.</span></span><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><br /></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><strong> * ANTICSRF for ASP.NET (RECOMMENDED) </strong></span></span><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><a title="http://idunno.org/archive/2008/12/14/announcing-anticsrf-for-asp.net.aspx" href="http://idunno.org/archive/2008/12/14/announcing-anticsrf-for-asp.net.aspx">http://idunno.org/archive/2008/12/14/announcing-anticsrf-for-asp.net.aspx</a></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"> This framework <strong>(.NET HTTPModule)</strong> will added the per-request nonce to hidden field & cookies and validate it when post method or postback triggered.</span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"></span></span> </div> <div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010">========================================================</span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;"><span class="798335023-13072010"><span style="font-size:130%;"><strong>Installation of ANTICSRF</strong> </span><a title="http://anticsrf.codeplex.com/" href="http://anticsrf.codeplex.com/"><span title="http://anticsrf.codeplex.com/" style="font-size:85%;">http://anticsrf.codeplex.com/</span></a><strong><span style="font-size:130%;"><br /></span></strong></span></span></div> <div dir="ltr" align="left"><span style="font-family:Verdana;"><span class="798335023-13072010"><strong> <span style="font-family:Times New Roman;">- Add AntiCSRF.dll to Bin Folder</span></strong></span></span></div> <div dir="ltr" 
align="left"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"><span style="font-size:100%;"><strong> </strong></span><span style="font-family:Times New Roman;font-size:100%;"><strong>- Register AntiCSRF HttpModule on web config </strong> </span></span></span></div> <div dir="ltr" align="left"><pre><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><system.web><br /> ....<br /> <httpmodules><br /> <strong><add name="AntiCSRF" type="Idunno.AntiCsrf.AntiCsrfModule, Idunno.AntiCsrf"><br /></strong> </httpmodules><br /> ....<br /></system.web></span></span></pre></div> <div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Times New Roman;"><strong> </strong><span class="798335023-13072010"><strong><span style="font-family:Times New Roman;"><strong><span style="font-family:Times New Roman;">- Configure Settings</span></strong></span></strong></span></span></span></span></span></div> <div dir="ltr" align="left"><pre><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Times New Roman;"><span style="font-family:Times New Roman;"><configuration><br /> ....<br /> <configsections><br /> ....<br /> <section name="csrfSettings" type="Idunno.AntiCsrf.Configuration.CsrfSettings, Idunno.AntiCsrf"> <br /> ....<br /> </configsections></span></span></span></span></pre></div> <div dir="ltr" align="left"><pre><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Times New Roman;"><span style="font-family:Times New Roman;"> </span></span></span></span></pre></div> <div dir="ltr" align="left"><pre><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span 
style="font-family:Times New Roman;"><span style="font-family:Times New Roman;"> <csrfsettings cookiename="__CSRFCOOKIE" formfieldname="__CSRFTOKEN" detectionresult="Redirect" errorpage="/AntiCSRFDetected.aspx"><br /><br /></configuration><br /></span></span></span></span></pre><pre><pre><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Times New Roman;"><span style="font-family:Times New Roman;"><span style="font-family:Verdana;"> </span><span style="font-family:Times New Roman;font-size:130%;"> </span><span style="font-family:Times New Roman;font-size:130%;">- If you don't want to proptect your page,<br /> you can add class attribute </span><span style="font-size:130%;"><span style="font-family:Times New Roman;"><strong>[Idunno.AntiCsrf.SuppressCsrfCheck]<br /> </strong>or page interface <strong><%@ Implements Interface="Idunno.AntiCsrf.ISuppressCsrfCheck" %> </strong></span></span></span></span></span></span></span></pre></pre><pre><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Times New Roman;"><span style="font-family:Times New Roman;"><br /></span></span>==================================================================</span></span></pre><pre><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> </span></span><h2 dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;">How it works (ANTICSRF)</span></span></h2><div dir="ltr" align="left"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> </span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New 
Roman;font-size:100%;"><span style="font-family:Verdana;font-size:85%;"> <strong>*</strong> <strong>HTTP MODULE </strong>on <strong>PreSendRequestHeaders</strong> and <strong>PreRequestHandlerExecute</strong></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Verdana;font-size:85%;"> </span></span></span><p><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Verdana;"><span style="font-size:85%;"><span class="798335023-13072010"> </span>context.PreSendRequestHeaders += PreSendRequestHeaders;</span></span></span></span></p><p><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Verdana;"><span style="font-size:85%;"><span class="798335023-13072010"> </span>context.PreRequestHandlerExecute += PreRequestHandlerExecute;</span></span></span></span></p><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><br /></span></span></span></div></span><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> <span style="font-family:Verdana;font-size:85%;"> <strong>*</strong> <strong>Adding pre-request nonce token</strong></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"></span><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> -<span style="font-family:Verdana;font-size:85%;"> Add nonce on hidden field <span style="font-family:Courier New;font-size:100%;"><strong>__CSRFTOKEN</strong></span> and cokkie <span style="font-family:Courier 
New;font-size:100%;"><strong>__CSRFCOOKIE</strong></span> (configurable on settings)</span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Verdana;font-size:85%;"> </span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Verdana;font-size:85%;"><strong> * Validate nonce token on hidden field with cokkie</strong></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"></span><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> </span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> <span style="font-family:Verdana;font-size:85%;"><strong>- </strong>It will validate the token when <strong>(POST Request or Postback)</strong></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Verdana;font-size:85%;"><br /> </span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><strong> <span style="font-family:Verdana;font-size:85%;">- Get Request will NOT be validated unless it is Postback</span></strong></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New 
Roman;font-size:100%;"><strong></strong></span></span></span><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> </span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> - <span style="font-family:Verdana;font-size:85%;">It will NOT validate any <span style="font-family:Times New Roman;font-size:130%;"><strong>SuppressCsrfCheck </strong><span style="font-family:Verdana;font-size:85%;">class attribute or any class which inherits <strong><span style="font-family:Times New Roman;font-size:130%;">Idunno.AntiCsrf.ISuppressCsrfCheck</span></strong></span></span></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><strong></strong></span></span></span><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> </span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Times New Roman;font-size:130%;"><strong> <span style="font-family:Verdana;font-size:85%;">* If Attack detected</span></strong></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Times New Roman;font-size:130%;"><strong> <span style="font-family:Verdana;font-size:85%;">-When</span></strong></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span 
style="font-family:Times New Roman;font-size:130%;"><strong> </strong><span style="font-family:Verdana;font-size:85%;"><strong>- </strong>hidden field or cookkie token are null/empty</span></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> <span style="font-size:85%;"><strong><span style="font-family:Verdana;"> </span></strong><span style="font-family:Verdana;"><strong>- </strong>hidden field and cookkie token is not match</span></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> <span style="font-family:Verdana;font-size:85%;"> -<strong>ACTION </strong>(based on configuration setting <span style="font-family:Courier New;font-size:100%;"><strong>detectionResult)<br /> <span style="font-family:Verdana;font-size:85%;">- </span></strong><span style="font-family:Verdana;font-size:85%;">Throw an exception</span></span></span></span></span></span></div><div dir="ltr" align="left"><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> <span style="font-size:85%;"><strong><span style="font-family:Verdana;"> </span></strong><span style="font-family:Verdana;"><strong>- </strong>Or redirect to other page based on configuration setting (</span><span style="font-family:Courier New;font-size:100%;"><strong>errorPage</strong>)</span></span></span></span></span></div></pre></div> <div dir="ltr" align="left"><pre><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;">==================================================================</span></span></span></pre></div> <h2 dir="ltr" align="left"><span 
style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;">Limitations of ANTICSRF</span></span></h2> <div dir="ltr" align="left"><span class="798335023-13072010"> <span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><li><span class="798335023-13072010"> </span>Non-ASP.NET forms are not protected with this module.</li></span></span></span></div> <div dir="ltr" align="left"> <ul><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><li>You, the developer, must ensure your <strong>GET requests are idempotent </strong>(i.e. the side-effects of multiple identical requests are the same as for a single request). GET requests are not protected with this module. See <a class="externalLink" title="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2" href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2">http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2<span class="externalLinkIcon" title="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2"></span></a>.<span class="798335023-13072010"> </span></li></span></span></ul></div> <div><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;">---------------------</span></span></span></div> <div><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Verdana;"> * This Framework will not protect the GET Request (Except if it is postback).</span></span></span></span></div> <div><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> For example<br /> - when you use AJAX call using GET Request, It will not validate the token.<br /> </span></span></span></div> 
<div><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> - But if you want to use AJAX call using the POST Request,<br /> You must Suppress the AntiCSRF validation by what I mention above on the <strong>Intallation. </strong>by adding the attribute or page attribute. </span></span></span></div> <div><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> Because If you don't suppress the AntiCSRF validation, it will detect as AntiCSRF Attack, because they can't find the token located on your hidden field.</span></span></span></div> <div><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"> Please have a read on <strong>How It Works explanation above.</strong></span></span></span></div> <div><span class="798335023-13072010"><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;">---------------------</span></span></span></div> <div><span style="font-family:Verdana;font-size:85%;"><span style="font-family:Times New Roman;font-size:100%;"><span style="font-family:Verdana;font-size:85%;"><span class="798335023-13072010"></span></span> </span></span></div>Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-81530317930385490782010-07-12T16:31:00.000-07:002010-07-12T16:38:31.549-07:00XSS Prevention attackMost web developer must know about RequestValidation configuration in .NET<br />which we can disable the XSS attack.<br /><br />But If we want to disable 'RequestValidation' it so we can have flexibility to handle it, We can use Server.HtmlEncode(). to display it.<br /><br />However this still not enough. 
This will expose to XSS attack.<br />My college (Rob) find a utility which nice to replace Server.HTMLEncode().<br /><br />Download AntiXSSLibrary.dll<br />and replace Server.HTMLEncode() with AntiXss.UrlEncode();<br /> <br />http://msdn.microsoft.com/en-us/library/aa973813.aspx<br />http://blogs.msdn.com/b/cisg/archive/2008/08/26/what-is-microsoft-antixss.aspxAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-9895293404080538032010-06-22T18:03:00.000-07:002010-06-22T18:05:03.436-07:00Remember clientaccesspolicyRemember to have clientaccesspolicy.xml<br /><br />to enable your WCF to be consumed by silverlight<br /><br />http://videos.visitmix.com/MIX09/T42F<br />http://community.dynamics.com/blogs/cesardalatorre/comments/9579.aspxAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-48075909330365428112010-06-09T22:03:00.000-07:002010-06-09T22:05:12.698-07:00Calling SP using NHibernate with IDBCommandIf there is transaction open.<br />you need to supply the transaction by enlist it in NHibernate<br /><br />iSession.Transaction.Enlist(sqlComm);Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-87662397000507594692010-06-09T17:31:00.000-07:002010-06-09T17:36:29.817-07:00inject javascript in bookmarkGet stuff from GBone..<br /><br />it's pretty amazing that we can inject javascript to debug on browser<br /><br />put this bookmark..<br />javascript:<br />var b=document.body;<br />if(b)<br />{<br /> void(z=document.createElement('script'));<br /> void(z.src='http://www.company.com/somescript.js');<br /> void(b.appendChild(z));<br />}<br /><br />this will run that script on your 
browserAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-21012247279676203892010-06-09T16:57:00.000-07:002010-06-09T16:59:29.141-07:00Jquery.DataLearning new stuff today..from Rob...<br /><br />It's better to use Jquery.Data instead of custom attribute in element.<br />because it will break some browser for custom attribute which not standard.<br /><br />Thanks Rob..<br /><br />Here is the example<br /><br /> jQuery.data(div, "test", { first: 16, last: "pizza!" });<br /> $("span:first").text(jQuery.data(div, "test").first);<br /> $("span:last").text(jQuery.data(div, "test").last);Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-72018671914025032632010-06-03T23:26:00.000-07:002010-06-03T23:28:18.659-07:00System.Web.Extension conflicting with the GACBe careful when you upgrade the site into 3.5<br />if you get this error about ambigous with GAC version.<br />then you need to take this out from your bin folder.<br /><br />because It may be your version in bin folder is different. 1.1<br />but in GAC version is 3.5.Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-36673504344179804282010-06-02T19:17:00.001-07:002010-06-02T19:29:47.910-07:00Without Postback with disable your browser JavascriptPostback is very heavy code to load (viewstate,etc).<br />such as you want to get rid of this from your form <asp:form runat="server">.<br /><br /><br />So the solution is you can use AJAX.. to handle all this postback to make your page still dynamic or more responsive that before.<br /><br />But how about if the client browser disable their javascript..<br />Your page will be static.<br /><br />so you need to consider this as well.<br /><br />So the big picture of this solution is to put ajax as common.<br />but on the event onclick or href.. 
you can't just call that function to call an ajax.<br /><br />for example <br />href="javascript:CallPostbackFunction();"<br /><br />you need to change this to<br />href="/page/ajax/somePage.aspx" class="AjaxCall"<br /><br />then.. in you can check .. if the browser is enabled the javascript..<br />then you can call your ajax function.<br /><br />If the javascript is disabled from your browser then you still can load to the proper page. instead of just do nothing.<br /><br />//check if browser enabled their javascript<br />jQuery(document).ready(function() {<br /> //perform init and replace to an proper javascript<br /> var ajaxCalls = $('#ajaxCall');<br /> ajaxCalls.unbind('click', this.addClick);<br /> ajaxCalls.bind('click', this.addClick);<br />});<br /><br /><br />Here a good reference for Object Oriented Programming in Javascript<br />http://devedge-temp.mozilla.org/viewsource/2001/oop-javascript/Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0tag:blogger.com,1999:blog-854021761054153070.post-58455404686944827802010-03-28T22:00:00.000-07:002010-03-28T22:03:09.241-07:00response.d in .net 3.5 JSONMigrate Json .Net 2.0 to .Net 3.5<br /><br />Here need to be note...<br />================<br />response.d<br /><br />While I wish this unexpected change had been more clearly announced, it’s a good one. Here’s how Dave Reed explained it to me:<br /><br /> {"d": 1 }<br /><br /> <br /><br /> Is not a valid JavaScript statement, where as this:<br /><br /> <br /><br /> [1]<br /><br /> <br /><br /> Is.<br /><br /> <br /><br /> So the wrapping of the "d" parameter prevents direct execution of the string as script. No Object or Array constructor worries.<br /><br />[] is JavaScript’s array literal notation, allowing you to instantiate an array without explicitly calling a constructor. 
To expand on Dave’s explanation, simply consider this code:<br />
<br />
<br />
=====================<br />
Make sure web.config registers the 3.5 ScriptHandlerFactory for .asmx requests in httpHandlers (remove any existing *.asmx handler entry first, otherwise the 2.0 handler still answers):<br />
<br />
<add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-34940617821840177052009-08-03T20:39:00.000-07:002009-09-08T20:28:40.898-07:00Jquery AJAX impacted on document.writeJust found a solution for this: when you load content with jQuery AJAX and that content (or a script it pulls in) calls document.write after the page has finished loading, document.write implicitly reopens the document and wipes all your existing content.<br />
<br />
All you need to do is create a span where you want that content to go, then override the document.write function to append into that span instead of writing to the document.<br />
<br />
Here is the sample:<br />
<br />
<span id="test"></span><br />
<script><br />
// Same HTML-parsing semantics as document.write, just targeted at one element.<br />
// The text is still inserted as markup, so it must come from a source you trust,<br />
// exactly as with the original document.write.<br />
document.write = function(text) { jQuery('#test').append(text); };<br />
</script><br />
<br />
<br />
=D<br />
Here is the reference:<br />
http://javascript.about.com/library/blwrite.htm<br />
<br />
<br />
--------<br />
Hmm, but this still has a problem in IE if you redirect the output into a different holder.<br />
<br />
So the best solution at the moment is to use an iframe.Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-1126436079623345472009-05-10T22:33:00.001-07:002009-05-10T22:34:27.004-07:00Change culture without changing deployment ServerAdd a globalization element inside the system.web element of web.config, so the application's culture no longer depends on the regional settings of the server it is deployed on:<br />
<br />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" culture="en-AU" /><br />
<br />
culture controls the formatting of dates, numbers and currency; add uiCulture="en-AU" as well if resource lookups should follow the same setting.Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-4891612499967537842009-04-01T20:34:00.000-07:002009-04-01T20:36:01.655-07:001st NHibernate.LINQ LimitationJust found an NHibernate.Linq limitation.<br />
<br />
It cannot translate ToLower() on a string. Luckily the comparison it does generate is a SQL LIKE, whose case-sensitivity follows the database collation, so on the usual case-insensitive SQL Server collation the ToLower() is not needed anyway.<br />
<br />
It throws a weird error if you use a query like this:<br />
 q = q.Where(c => c.firstName.Contains(filter) || c.lastName.Contains(filter) || c.email.Contains(filter));<br />
<br />
saying:<br />
----<br />
Index was out of range. Must be non-negative and less than the size of the collection.<br />
Parameter name: index<br />
----Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-23772246886145614202009-03-02T23:04:00.000-08:002009-03-03T14:27:50.588-08:00Restricting Text box (Multiline) using Javascript// Restrict the length of a multiline text box (a textarea has no maxlength in HTML 4).<br />
// Attach it to keypress; returning false blocks the character.<br />
// Note: pasting does not fire keypress, so this is a usability aid only;<br />
// the real length limit must still be enforced on the server.<br />
function restrictLength(e, ctl, maxLength)<br />
{<br />
 var evt = e ? e : window.event; // IE exposes the event as window.event<br />
 // Printable characters carry a character code; control keys (backspace, delete,<br />
 // arrows) have charCode 0 in Firefox and mostly do not fire keypress in IE, so they pass.<br />
 var charCode = (evt.charCode !== undefined) ? evt.charCode : evt.keyCode;<br />
<br />
 // >= rather than == because a paste may already have pushed the value past the limit<br />
 if (ctl.value.length >= maxLength)<br />
 {<br />
 // Box is full: block further printable characters only (8 is backspace in IE)<br />
 if (charCode !== 0 && charCode !== 8)<br />
 {<br />
 return false;<br />
 }<br />
 }<br />
 return true;<br />
}<br />
-- Don't forget to call it with RETURN, so the false result cancels the key:<br />
onkeypress="return restrictLength(event, this, 10);"Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-58071272244099465492009-03-02T23:02:00.000-08:002009-03-02T23:04:21.957-08:00Sending Email from HTMLI decided to use a file rather than a web request, because some servers are restricted from loopback requests.<br />
<br />
 /// <summary><br />
 /// Get the e-mail body (an HTML template) from a file on disk.<br />
 /// </summary><br />
 /// <param name="filePath">Full path to the template. Build it from a fixed, application-controlled location (for example Server.MapPath of a constant), never from request input, or a caller could read arbitrary files off the server.</param><br />
 /// <returns>The file contents decoded as UTF-8</returns><br />
 public static string GetEmailBodyFromFile(string filePath)<br />
 {<br />
 // Encoding.UTF8 is the same encoding as GetEncoding("utf-8")<br />
 using (System.IO.StreamReader objReader = new System.IO.StreamReader(filePath, System.Text.Encoding.UTF8))<br />
 {<br />
 return objReader.ReadToEnd();<br />
 }<br />
 }Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-21119897848043741002008-12-02T21:53:00.000-08:002008-12-02T21:54:51.001-08:00PL-SQL Looping(Despite the title, this is T-SQL: FAST_FORWARD cursors and @@FETCH_STATUS are SQL Server constructs. Declare @Var1, @Var2 and @Var3 with the types of Val1, Val2 and Val3 before opening the cursor.)<br />
<br />
DECLARE CursorTemplate CURSOR<br />
FAST_FORWARD FOR<br />
 SELECT Val1, Val2, Val3 FROM Table1<br />
<br />
OPEN CursorTemplate<br />
<br />
FETCH NEXT FROM CursorTemplate<br />
INTO @Var1, @Var2, @Var3<br />
<br />
WHILE (@@FETCH_STATUS = 0)<br />
BEGIN<br />
 -- do something here with your data<br />
<br />
 FETCH NEXT FROM CursorTemplate<br />
 INTO @Var1, @Var2, @Var3<br />
END<br />
<br />
CLOSE CursorTemplate<br />
DEALLOCATE CursorTemplateAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-78142606190696097132008-11-26T21:20:00.000-08:002008-11-26T21:21:40.813-08:00Fix Calendar Extender on IE 6On IE 6 a select list shows through any positioned div laid over it, so drop-downs underneath the AJAX Control Toolkit calendar popup overdraw it. The fix is the usual one: raise the popup's z-index and slide an empty iframe (a "shim") under it while it is open.<br />
<br />
Add this style:<br />
.ajax__calendar_container { z-index : 1004 ; }<br />
<br />
Add this JavaScript:<br />
// Function: dateEditor_OnShown<br />
// Summary: Handles the OnShown event of the dateEditor control.<br />
// Inputs: dateControl -> The date control object<br />
// emptyEventArgs -> Empty event arguments raised by the date control<br />
// Remarks: Requires an empty iframe with id="dateEditorShim" (position:absolute; display:none) in the page;<br />
// it is placed underneath the calendar popup container so IE 6 select lists do not show through.<br />
function dateEditor_OnShown(dateControl, emptyEventArgs)<br />
{<br />
 var popup = dateControl._popupDiv;<br />
 var dateEditorShim = document.getElementById("dateEditorShim");<br />
 // Size and position the shim to match the popup ("px" is required outside quirks mode)<br />
 dateEditorShim.style.width = popup.offsetWidth + "px";<br />
 dateEditorShim.style.height = popup.offsetHeight + "px";<br />
 dateEditorShim.style.top = popup.style.top;<br />
 dateEditorShim.style.left = popup.style.left;<br />
 popup.style.zIndex = 999;<br />
 dateEditorShim.style.zIndex = 998; // just below the popup, above the page<br />
 dateEditorShim.style.display = "block";<br />
}<br />
<br />
// Function: dateEditor_OnHiding<br />
// Summary: Handles the OnHiding event of the dateEditor control; collapses and hides the shim again.<br />
function dateEditor_OnHiding(dateControl, emptyEventArgs)<br />
{<br />
 var dateEditorShim = document.getElementById("dateEditorShim");<br />
 dateEditorShim.style.width = "0px";<br />
 dateEditorShim.style.height = "0px";<br />
 dateEditorShim.style.top = "0px";<br />
 dateEditorShim.style.left = "0px";<br />
 dateEditorShim.style.display = "none";<br />
}<br />
<br />
<br />
// Add this in the code-behind (calDOB is the CalendarExtender):<br />
calDOB.OnClientShown = "dateEditor_OnShown";<br />
calDOB.OnClientHiding = "dateEditor_OnHiding";Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-35720376919424531282008-11-25T18:48:00.000-08:002008-11-25T18:51:57.688-08:00Error in Calendar Extender because the master page has asp tag <%%>Today I was annoyed by this error.<br />
Every form using the Calendar extender worked fine before, and somehow after I changed the master page it started to show an error saying:<br />
<br />
=================<br />
System.Web.HttpException: The Controls collection cannot be modified because the control contains code blocks (i.e. <% ... %>).<br />
=================<br />
<br />
Luckily, with Tom's help, I found the problem.<br />
It was in the master page: the JavaScript in the header used <%= ... %> to get content from the server. The extender has to add controls to the page header at runtime, and ASP.NET refuses to modify a Controls collection that contains <%= %> code blocks. Replace the block with a data-binding expression (<%# ... %>) and call Page.Header.DataBind(), or move that script out of the runat="server" head.Anonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-38163019496016995062008-11-20T19:39:00.001-08:002008-11-20T19:39:33.060-08:00Pomegranate Phonehttp://www.pomegranatephone.com/default.htmlAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0
tag:blogger.com,1999:blog-854021761054153070.post-62151343265378150062008-11-19T19:58:00.000-08:002008-11-19T20:00:56.608-08:00Url Rewriting VS PostbackTo resolve the postback problem with URL rewriting (the rendered form's action attribute points at the physical page, so the first postback exposes the real path and drops the rewritten URL), you can use a control adapter for the form and rewrite its action:<br />
<br />
public class FormRewriter : System.Web.UI.Adapters.ControlAdapter<br />
// override Render(HtmlTextWriter) and emit the original request URL as the form's action<br />
<br />
More information: http://weblogs.asp.net/scottgu/archive/2007/02/26/tip-trick-url-rewriting-with-asp-net.aspxAnonymoushttp://www.blogger.com/profile/12056200584493392094noreply@blogger.com0