Skip to main content

Home/ Agency Oasis Developers/ Group items tagged asp.net

Rss Feed Group items tagged

mgraber

ASP.NET QuickStart Tutorials - 0 views

  • Securing Non-ASP.NET Files
  • ASP.NET handles requests for file extensions that are normally associated with ASP.NET, while IIS handles requests for all other file extensions. By default this means common file extensions such as .aspx and .asmx are processed by ASP.NET. This processing includes authentication and authorization to ASP.NET files. Sometimes though, a developer wants non-ASP.NET resources to be processed by ASP.NET. One reason for processing non-ASP.NET files through ASP.NET is to allow ASP.NET authentication and authorization to control access to these types of files. The combination of IIS6 on Windows Server 2003 and ASP.NET 2.0 provides the most flexibility for running the ASP.NET pipeline as part of processing a request for a non-ASP.NET resource. IIS6 includes support that allows ASP.NET 2.0 to perform authentication and authorization steps, and to then hand off the remainder of the processing of a non-ASP.NET resource back to IIS6. For example, it is possible to authenticate access to an ASP page using ASP.NET forms authentication, authorize access with ASP.NET's Url authorization and still allow the ASP ISAPI extension (asp.dll) to execute the ASP page. This support is possible because IIS6 introduced a new server support function for ISAPI extensions: HSE_REQ_EXEC_URL. Assume that a directory structure contains a mix of both ASP and ASP.NET files. The ASP.NET pages are used to log a user in with forms authentication, while the ASP pages represent the rest of the application. Using the IIS6 MMC, right-click on directory and create an application (this is the same step that is necessary when setting up a standard ASP.NET application). After an application has been created, click on the Configuration button that is located on the Directory property page. This will cause the Application Configuration dialog to be displayed. New to IIS6 is a feature called wildcard application mapping. The bottom of the Application Configuration dialog allows you to configure this feature. First determine the path for the ASP.NET ISAPI extension that processes ASP.NET files such as .aspx files. You can find this path by looking at the extensions that are listed in the Application Extensions list shown in the top half of the Application Configuration dialog. Click on the row in the list that maps the .aspx extension, and select the Edit button. In the dialog that pops up, highlight the text in the Executable textbox and copy it to the clipboard. Then cancel out of the dialog. Next, click the Insert button that is in the bottom half of the Application Configuration dialog. A dialog box titled Add/Edit Application Extension Mapping will be displayed. In the Executable text box, enter the path to the ASP.NET ISAPI extension that you copied to the clipboard earlier. The end result should look something like the screenshot below.
  • Click OK to close out all of the dialogs. Now whenever a request is made for any file, the request will first be processed by ASP.NET. If the web.config for your ASP.NET application has enabled forms authentication, an unauthenticated request for a .asp file will first trigger a redirect to the login page configured for forms authentication. After a user has successfully logged in, they will be redirected back to the original .asp page. When the now-authenticated user requests the .asp page, ASP.NET will first run through the FormsAuthenticationModule to verify that the forms authentication cookie exists and is still valid. If this check passes, ASP.NET will hand processing of the .asp page back to IIS6, at which point IIS6 will pass the request on to the ISAPI extension that normally process .asp pages. In this case the extension is asp.dll and the ASP page will then run to completion. The reason ASP.NET will pass the request back to IIS6 is that non-ASP.NET resources will fall through the list of configured <httpHandlers> to the following entry: <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="True" /> The DefaultHttpHandler is responsible for handing requests back to IIS6 for further processing.
  •  
    "Securing Non-ASP.NET Files"
mgraber

Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP - 0 views

  •  
    "Viewstate (ASP.NET) ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when submitted to the server. The status is defined through a hidden field placed on each page with a control. Viewstate can be used as a CSRF defense, as it is difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF. To use the ViewStateUserKey property within the Viewstate to protect against spoofed post backs. Add the following in the OnInit virtual method of the Page-derived class (This property must be set in the Page.Init event) protected override OnInit(EventArgs e) { base.OnInit(e); if (User.Identity.IsAuthenticated) ViewStateUserKey = Session.SessionID; } The following keys the Viewstate to an individual using a unique value of your choice. (Page.ViewStateUserKey) This must be applied in Page_Init because the key has to be provided to ASP.NET before Viewstate is loaded. This option has been available since ASP.NET 1.1. However, there are limitations on this mechanism. Such as, ViewState MACs are only checked on POSTback, so any other application requests not using postbacks will happily allow CSRF. "
Douglas Couto

[How Do I:] Use the ASP.NET AJAX History Control?: The Official Microsoft ASP.NET Site - 0 views

  •  
    "[How Do I:] Use the ASP.NET AJAX History Control?"
Mark Ursino

ELMAH (Error Logging Modules and Handlers) - 0 views

  •  
    ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. It can be dynamically added to a running ASP.NET web application, or even all ASP.NET web applications on a machine, without any need for re-compilation or re-deployment.
Mark Ursino

Custom ASP.NET NUnit Test Runner - 0 views

  •  
    The custom ASP.NET NUnit test runner is a simple utility to allow running your NUnit tests inside your ASP.NET application. This is used to allow testing inside an HttpContext without the hassles and pitfalls of trying to fake the context for a test. I use this test runner on my Sitecore projects to allow unit testing inside the Sitecore application.
mgraber

Microsoft Asp.net version 3.5 : Security vulnerabilities - 0 views

  •  
    "ASP.NET in Microsoft .NET 3.5 does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks against the form control via the __VIEWSTATE parameter"
mgraber

ASP.NET forms authentication - auto login with a test account while debugging? - Stack ... - 0 views

  •  
    "ASP.NET forms authentication - auto login with a test account while debugging"
Mike Tomasulo

The ASP Column: Using SOAP Extensions in ASP.NET - 0 views

  •  
    How to log XML from SOAP messages in (non-WCF) ASP.NET
mgraber

James Jardine : Developer Notes - 0 views

  •  
    "Cross Site Request Forgery (CSRF) This article assumes you already understand what CSRF is and how it works. If you don't, do a quick Google search and it will clear it up. CSRF can be done using POST or GET, but GET is much easier to implement. By default, ASP.Net forms and other functionality work via the POST method. If we could submit a GET instead of a POST it would open up the attack surface a great deal. No longer do we need someone to visit a page with a form on it, but we could actually embed the GET request (a link) in emails or other medium. Fortunately for the attacker, unfortunately for the developer, .Net uses Value Shadowing for its controls. This means all server side controls, ie. Viewstate, EventValidation, EventCommand, EventArguments, etc.. It is possible to take the values that would be submitted as part of the form and just add them to the Querystring instead. Now there is a GET request that is comparable to the POST request. ASP.Net Webforms does not check whether a post back comes from GET or POST. The one thing to keep in mind is that the URL in a GET is limited in size. If the form is large and the viewstate is very large, this could block this technique from working. This depends on the way the application is configured (more later)."
Mark Ursino

Juice UI → Supercharge ASP.NET Web Forms with jQuery UI - 1 views

  •  
    ASP.NET Controls For All Of The jQuery UI Widgets
Mark Ursino

Download ASP.NET MVC 2 RTM - 0 views

  •  
    Took me a long time to find this downloader. This will allow you to run ASP.NET MVC 2 sites
Douglas Couto

Bipin Joshi.net | .Net & Coding - 0 views

  •  
    "Using HTML5 input types in ASP.NET Web Forms"
Mark Ursino

Demystifying 'Sys is undefined' - 0 views

  •  
    Are you running into this error on your ASP.NET AJAX enabled web site? Does it only happen on some machines or on some browsers? Here's how you can get to the bottom of it.
Douglas Couto

Thoughts.exe » Blog Archive » ASP.Net Detecting Bots, Crawlers - 0 views

  •  
    "ASP.Net Detecting Bots, Crawlers"
mgraber

ScrewTurn Wiki - Free ASP.NET Wiki Software - ScrewTurn Wiki - 0 views

  •  
    Free ASP.NET Wiki Engine
mgraber

How To: Prevent Cross-Site Scripting in ASP.NET - 0 views

  •  
    "How To: Prevent Cross-Site Scripting in ASP.NET"
mgraber

How To: Protect From Injection Attacks in ASP.NET - 0 views

  •  
    "How To: Protect From Injection Attacks in ASP.NET"
mgraber

Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks - 0 views

  •  
    "Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks"
Mark Ursino

RequestReduce (for .NET) - auto minify/bundle static assets - 0 views

  •  
    For ASP.NET - Super Simple Auto Spriting, Minification and Bundling solution - No need to tell RequestReduce where your resources are - Your CSS and Javascript can be anywhere - even on an external host - RequestReduce finds them at runtime automatically
1 - 20 of 128 Next › Last »
Showing 20 items per page