Preventing Reply Attacks In C#.net?
Mar 25, 2011I am using c#.net web application.I will not allow reply attacks in my application.How do i prevent from the same.
View 3 RepliesI am using c#.net web application.I will not allow reply attacks in my application.How do i prevent from the same.
View 3 RepliesThis involves using the Membership provider to add a comment to users server side records when they log in and out, and then confirming that when a cookie is used to authenticate, that the user hasn't logged out. This makes perfect sense to me. Where this starts to fall apart is that we do not currently use a membership provider, and so it seems like I face reimplementing all our authentication code to use a membership provider. We currently check authentication in a controller, and make a call to FormsAuthentication.SetAuthCookie() once we know the user exists. It would be a lot of work to force a membership provider in.
Is all this work really neccesary. Can I roll my own key value store of cookie values to logged in users and just make sure I clear this when a user hits the logout button. If this seems unsafe is there a way of implementing a minimal Membership provider in order to make these checks without handing off all authentication code to it?
I guess my main problem here is that we decided a long time ago that the membership provider model doesnt fit with the model we use for locking and unlocking accounts, and chose not to use it. Now we find that the MS recommendations specifically mention a membership provider, and as this is security I need to be sure that not using it as they recommend isn't going to cause troubles.
When a user presses Button1 on the Webpage, I would like to copy slightly modified string from txt1 (Text) into txt2 (Text).
The problem is sometimes I get an error "a potentially dangerous request.form value was detected from the client validaterequest". I get this error when special symbols llike "<" or ">" are in txt1.Text.I've read about that problem. That error is to prevent from hackers who can input scripts into the txt1.All I did is:
1) Put validateRequest="false" into <%@ Page Language="VB" validateRequest="false" at Default.aspx.
2) Default.aspx.vb contains now:
sHTMLEncodedString = Server.HtmlEncode(txt1.Text))
[code]....
Now it works and allows to take any data from txt1, slightly modify it and put into txt2.So, my question is: Did a level of security was reduced after I wrote validateRequest="false" ? Any code should be added to keep the good level of security? Or, I'd better use another way to copy txt1 to txt2?
i know how to receive a data.. from sms.. using the service provider gateway.. but my problem is the reply of message from the source..the instruction says
[Code]....
[Code]....
Is it possible to send it using asp.net alone?
Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials-- on replay of the entire request (including session and auth cookies) the security tester is able to succesfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.
What would a malicious user have to do to intercept the HTTPS request and replay it? It this a task for script kiddies, well funded military hacking teams or time-traveling-alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire?
No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading a image with a malicious URL isn't an issue.
I would now like to check if my code is still open to SQL Injections after this work. I believe the code is now working as it should, but any blinding errors that you see i'd love to hear about too. My code is now looking like:
-code removed-
I am using smtp to send email messages through our asp.net aplication.
I want to stop user from replying the mail i had sent.
I had seen this on some autogenerated mails where they does not show senders address and also we cannot reply to these address.
How to achieve this in asp.net.
using a linqDataSource control... in the selecting event I have code like the following for a simple search feature:
[Code]....
In general, would dynamically building the 'Where' property of a linqDataSource be vulnerable to sql injection? Or does the control protect against this internally?
where does following HTTP error message come from:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
We're using dynamically generated URLs and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appeary instead of '<') but it doesn't Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.
I have a ASP.NET XML web service (asmx) running on .NET 3.5. I am trying to figure out how best to prevent replay attacks. Is there any inherent security by .NET 3.5 that should mitigate this issue, or do I need some kind of SOAP header token value?
View 1 RepliesI am creating a windows service to send automatic mails for the consumers, that are referred by our web site professional users to register in our site.
For sendind mail we are using our company mail but what we need is if customers want to reply for that mail they need to send for professional mail by clicking reply in the inbox.
I'm trying to recreate a facebook-like reply posting Wall with multiple users; 'm pretty new to the web environment but I have many years of development expierence so I should understand most of what you throw at me aanyone can put me in the right direction what type of script/lib/classes I should check. or even better some example code.
View 1 RepliesI have tried creating a comment section page using data controls like listview and repeater control to display comments and I was wondering how to add reply options on it. I want to create a comment section page with reply option and the users are able to delete its comment as well by hovering the mouse where the close button will show just like any popular websites we've known.
View 7 RepliesI have a WCF web service and jQuery AJAX implementation that appears to be working perfectly, save for a single line of code: the AJAX calls to the WCF service only have the correct HTTP header & content information if I use GET in my AJAX calls. Once I choose to use POST, the WCF service response with "Method Not Allowed". The calls are coming from domains such as sub1.domain.com, and calling svc.domain.com. How can I configure WCF to allow the cross domain AJAX POSTs?
[Code]....
Here's the relevant section of the web.config:
[Code]....
Here's the AJAX code:
[Code]....
I have indeed tried these changes to my interface:
[Code]....
i have to make a login page where user has to enter username & password to get message from remote server. actually its a API, where user send his username and password and get the reply. i have done the login page coding. but i don know how to catch the reply and disply it in window.
note that there is now database or connection string where we have to compare username & password. its simple url as:-
"http://smscgateway.com/balanceapi.asp?username=username&password=password"
here in this string i have to replace the replace name and password with textbox values and post it. but it after posting i dont know how to catch the reply.
as soon as we click it. it replies as "invalid User Name or Password".
I would like to ask for any suggestion how to let user to leave a short - limited reply on comment....
Im working on the web where user can make a new post a then leave a comments to each post I've done it so far
I am using microsoft visual web developer 2010 to build and publish my website, I am facing a security problem. My website has authentication service for my clients, each one he has his own user name and password. After I introduced a new member, my database collapsed, may be this last member is a hacker. Is their a way to improve security vulnerabilities to prevent future attacks. May be through web.config, could be encrypted.
View 11 RepliesI'm using the "cache tecnique" to prevent multiple logins. Reading in this forum I have read the following code:
Global.asax
[Code]....
Login.aspx
[Code]...This code works fine, If the user is already logged the second login is not permitted. But....
But if I make the logout (destroing all my session variables) and I try to login a second time... it's not possible, I read that the user is already logged!!I have also tried to clear the cache after the logout but nothing changs, even if it is illogic because the code must work even if I don't do the log off...
i have used ajax , but i am not very clear of its concepts
i just knw that it prevents full post back
1) frm where can i get a very clear concept for the use and purpose of ajax and how its to be used
2) i have a textbox with autocomplete extender and a button (button1)
button1 is in the updatepanel as i wanted tp prevent post back when i click button the datafrom the textbox is inserted in grid as the click event gave full post back i used updatepanel , now its wrking fine but the prblm is when i enter new datain textbox and fetech the deatils frm database full postback occurs i tried to put the autocomplete etext box in a update panel but its giving error.i need toprevent this post back
3) on the same button click at the end of the click process(ie after adding to grid)i need the autocomplete extetender text box shld be blank
i used textbox1.text="" but its nt working
there any way where i can make a page only accessible through a RedirectToAction? It's a bit dumb of a question given a redirect writes a URL.. I know it might sound a bit silly, but i really don't like the fact i have to be 'forced' to create a partial view to be able to make the page i want to redirect to. What i want to do is quite simply, after deleting a user account, redirecting to a page where it says, account deleted (with a bunch of other stuff), so its quite a simple task. I have no problem making a partial view here and there, but if i want to make many pages unaccessible, i think i would have to make most of the website in partial views haha. Maybe i'm getting it wrong though, i've read a couple of posts about it, including Phil Haack's ->http://haacked.com/archive/2009/11/18/aspnetmvc2-render-action.aspx But i'm still very confused about this subject,
View 5 RepliesHow to prevent the new line character at the beginning of the text entering in a multiline text box? Now, I already trimmed the white space at the beginning of the text. but i can't prevent the new line character that has to be occurred by entering the enter key on the most beginning of the text box.
View 1 RepliesI am relatively new to ASP.NET and have searched the Internet to find guidance in preventing caching of web pages (in the latest versions of IE, Firefox, Chrome and Safari). Based on my search, I found a lot of conflicting/confusing info. As best as I can tell, it appears that I need to add the following 3 lines to the <head> section of my .aspx files:
[Code]....
if the aforementioned lines are correct and if all 3 lines are necessary? I have tried using different combinations of the 3 lines, but I get conflicting results (i.e., sometimes the page is cached and sometimes it's not).
I am developing a registration process which consists of 4 steps. Each step has its own action method. As such a user could type the url for each step as follows: bogusURL/Step1 //returns the View Step1 bogusURL/Step2 //returns the View Step2 etc... I would like to prevent users from gaining access to a step unless they have completed the previous steps. i.e. If they typed in bogusURL/Step2 without having completed Step 1 they should be redirected to the first step.
What is the best way to implement this?
I'm using a file manager-type WebControl that does lots of postbacks. It's placed inside a Page that is relatively complex. I would like to prevent the WebControl from causing the whole Page to go through the lifecycle.
Is there any way to isolate the WebControl from the rest of the Page? The only way I can think of is sticking the WebControl in a separate Page and creating an iframe in the original Page. Unfortunately that also means my WebControl properties/settings are no longer in the original Page. If I want two instances of the WebControl with different settings, then I have to create a Page for each setting and reference the correct one in my iframes. Not quite as "drag & drop" as I would like.
I want to show a confirmation dialog when a specific value is selected in an asp:DropDownList. If the confirmation dialog returns false (cancel) then I want to prevent the AutoPostBack.
<asp:DropDownList id="theDropDownID" onchange="foo()"></asp:DropDownList>
However, it ignores the returned value from foo() and actually does the postback. The generated code of the onchange event is:
foo();
setTimeout("__doPostBack('theDropDownID','')", 0);
so basically controlling the setTimeout that the .net adds, will do the job.