Security :: Best Way To Include Some Protection Against XSS In A Web App?
Jun 10, 2010
I'm trying to see what is the best way to include some protection against XSS in a web app but it needs to be easy for the developer!
Let me explain. I'm going to provide a library for the developers which will include the security controls. I'm thinking I have two choices:
1) Include some HTML encoding functions in that library e.g. AntiXSS and let the developer call the function every time he needs to output something
e.g.
Response.Write(AntiXss.HtmlEncode(value));
2) Create a new write method
Response.Writesecure(value)
The writesecure method would then call the appropriate functions and it would be transparent to the developer.
Additionally, I can write some easy code analysis scripts that will identify the use of the standard Write method...
View 3 Replies
Similar Messages:
Mar 3, 2010
I am working on a very basic ASP.Net 2.0 website that will have a backend based on SQL Server 2005. The website has three basic pages (Home, About, and Contact) that are fully viewable by everyone. However, there is a fourth page called "Employee Login" that must present a Login/Password system to the visitor of the page. Upon successful login, a few more pages shall become accessible to authenticated users only. I need the simplest Form based authentication here however; the User Names and their Passwords are going to be coming from the SQL Database. Setting up the authentication to Form simply locks out the whole website. I need the basic pages to be login-free. Only certain pages need a login.
View 3 Replies
Apr 21, 2010
We upgraded the ASP version in IIS to ASP 4 and are now experiencing an odd issue with password protected directories. The directory uses a Web.config file that only allows a single login to access the directory. This worked fine until we did the upgrade to ASP 4. Now when the user logs in, it recursively prompts them to login. If the user hits cancel, they are able to access the page like normal. Is this an ASP 4 or IIS bug?
View 3 Replies
May 1, 2010
I'm hoping this is a simple configuration setting that I have incorrectly defined. I have an application that has a secure (members) area. If a customer tries to browse directly to the secured page (http://www.mysite/members/memberpage.aspx) asp.net loads up my login.aspx page. When the user successfully authenticates from the login.aspx page in they are taken to the secured page they originally requested (so far so good!). The problem I have is that I run some SQL using the User.Identity.Name on the secured page as a reference to who the logged in user is. This way I can show some customer specific information. When I take the login route outlined above, the SQL doesn't seem to run (or the Session Variables aren't loaded yet?)... my page loads up with no customer information in it. If I browse to another page and then back the customer information shows up and all is well.
View 1 Replies
May 20, 2013
I have just started with ASP.NET.
I like the idea of using Include files so that I can create various versions of individual parts of a site and decide in code which to display. I used:
<%Response.WriteFile("contentcontent.aspx")%>
to include a content.aspx file within my default.aspx page.
I would like to include a Left.aspx, Main.aspx and Right.aspx file inside the content.aspx file. I tried using the reponse.writefile function but noticed when I debug the website that the text "reponse.writefile..." displays instead of the code contained within the referenced file(s).
Can this not be done?
View 6 Replies
Mar 8, 2014
I have tried many protectors and obfuscators on my projects but haven't found any that works well. I know there isn't any protection that cannot be cracked but there must be some that is hard = requiring a lot of time for the cracker, perhaps too much time so they skip trying?
Another problem with protection is that they often show false AV alerts which scare away many potential customers.
In my last .NET project I used .Net Protector which seems to be working well so far but the problem is that it shows false AV alerts. Also, what concerns me a little about this protection is that the protector itself has been cracked, check here: [LINK REMOVED BY MODERATOR].
What protection to use for C#, .NET or C++ as it is these languages I mainly work with.
View 2 Replies
Jun 9, 2010
I have developed a website in ASP and Access. But nowadays it is facing a problem of SQL injection. So how can I protect the .asp pages from SQL injection? I have gone through some of the posts and gather that some function has to be written to overcome the SQL injection. Function as below...
[Code]....
View 1 Replies
Apr 9, 2010
I have created a class SqlHelper in a Windows console client project, then tested it and it works fine. In my SqlHelper class I made all methods public static. Then I created an assembly and added it to my unit testing project. When I try to access the public function of the SqlHelper class, I get an error like "Error 1 'CreateDatabase.SqlHelper' is inaccessible due to its protection level".
Here is my class:
[Code]....
At this line: SqlHelper.setUpTestDatabase I got the above error. Where does it go wrong?
View 2 Replies
Oct 5, 2010
I wrote a small web service (asmx) to write stuff to a file on the server. It works fine when run in the VS2008 test container. But when I run it under IIS on a remote machine, I get:
System.IO.DirectoryNotFoundException: Could not find a part of the path 'y:grahammiscprops.txt'.
'y' is a mounted drive on both the test and remote machines. The path really does exist. It works on the test machine; not remotely. So:
Is it the fact that 'y' is a mounted drive causing it to fail remotely? or Is it the fact that the path lies outside of the web application directory structure? Is there something I should put in web.config??; or
Is something else the problem? I would have thought that the service running on the server could do anything it wanted! It's not denying me access to the file; it's saying it can't find it??!!
View 1 Replies
Jun 7, 2014
I have an aspx file and a aspx.vb file. It's a simple new user Web form in VS 2013:
aspx debug errors:
'password' is not declared. It may be inaccessible due to its protection level.
'strEmail' is already declared as 'Private strEmail As Object' in this class.
'strEmail' is already declared as 'Protected WithEvents strEmail As System.Web.UI.WebControls.TextBox' in this
'strEmail' is not declared. It may be inaccessible due to its protection level.
'username' is not declared. It may be inaccessible due to its protection level.
'username' is not declared. It may be inaccessible due to its protection level.
I have four form fields:
Code:
ID="username"
ID="password"
ID="ConfirmPassword"
ID="strEmail"
In my aspx.vb file I have:
Code:
Imports Microsoft.AspNet.Identity
Imports Microsoft.AspNet.Identity.EntityFramework
Imports Microsoft.AspNet.Identity.Owin
Imports System
[Code] .....
When I preview my form in the browser, I get:
Line 13: Dim strEmail As Object
Compiler Error Message: BC30260: 'strEmail' is already declared as 'Protected WithEvents strEmail As System.Web.UI.WebControls.TextBox' in this class.
Source File: C:UsersSteveDocumentsVisual Studio 2013WebSitesWebSite11AccountRegister.aspx.vb Line: 13
Yet, line 13 in my aspx.vb file is commented out.
View 11 Replies
Feb 24, 2010
Do you know/have you tried any code protection system which works with IronPython assemblies? Can you list it/them here?
View 1 Replies
Jul 17, 2015
With reference to the following link: [URL] ....
I have some challenge with "hfCount" which can be found in SetData function and btnDelete of the above link. The error I get is: hfCount is not declared. It may be inaccessible due to its protection level. It works on Visual Studio 2010 but gives the above error in Visual Studio 2012 ...
What could be the problem?
View 1 Replies
Apr 29, 2010
I use SqlWebEventProvider to log the exceptions to sql server, and it works fine.
I also want to log custom exceptions to aspnet_WebEvent_Events table programmatically. Similar to - [URL]
WebBaseEvent.Raise(new WebErrorEvent("My Error message", null, 5000, e));
I get an error saying "Cannot access constructor 'WebErrorEvent' here due its protection level."
View 2 Replies
Nov 21, 2010
I am connecting to an Oracle database and calling a stored procedure in a package but when I run the following, I get the error on the .Parameters line below:
With objCommand
.ActiveConnection = Connection
.Parameters.Append(objCommand.CreateParameter("i_AppID", ADODB.DataTypeEnum.adNumeric, ADODB.ParameterDirectionEnum.adParamInput, , Val(AppID)))
.CommandText = "{call Monitor_Pkg.AM_GetChecks(?," & _
" {resultset 200, o_application_name, o_applicationID,o_CHECK_DESCRIPTION , o_check_status, o_Last_Updated, o_Comments,o_icon, o_checkid,o_INAC_INTERFACE_ID})}"
View 1 Replies
Jul 1, 2010
I have a problem with a gridview. When I try to make an OnRowDataBound I get the error "Gridviewroweventargs is inaccessible due to its protection level". I can't figure out why. My aspx code for the gridview:
[Code]....
Now I have commented out everything in the function grdWaitingApproval_RowDataBound:
[Code]....
When I remove the line in the aspx file
[Code]....
the project runs fine and I get a list of users with username, date and so on. But I need to use the RowDataBound to select a picture for each row.
View 1 Replies
May 7, 2015
I tried like this but getting an error "container is not declared, It may be inaccessible due to it's protection level"
HTML
<div style="width: 100px">
<br />
<hr />
<br />
<asp:Repeater ID="rptLeftMenu" runat="server" EnableViewState="false">
<ItemTemplate>
<%-- <asp:HyperLink ID="hypLeftMenu" Font-Bold="true" runat="server" NavigateUrl='<%#Eval("Url")%>'><%#Eval("text")%> </asp:HyperLink>--%>
[Code] ....
View 1 Replies
Sep 23, 2010
I have many XML files in xmlfolder under the root directory of my project. I need to protect all the files so that they cannot be opened from the client browser.
My files have some credential information, and I need to avoid letting them open in the client browser.
View 2 Replies
Oct 7, 2010
This is my question related to an object oriented programming concept. I can't find a place to post it.
I think this is the related place for it.
So I am posting it here.
I have a doubt in mind related to an object oriented programming concept called "Data Protection".
Can you tell me the difference between Data Hiding & Data Protection? Are they the same or is there any difference between them?
If there is any difference, can you explain it to me?
I know the Data Hiding concept.
It means that data is concealed within a class, so that it can't be accessed by functions outside the class even by mistake.
View 2 Replies
Jan 28, 2010
I have a very simple web form (in relationship to a larger project) that uses a USERCONTROL for the details [re-usable]. I believed this to be a simple process - boy was I wrong. Here is my code:
[code]....
CODEBEHIND: (podcategory.aspx.cs)
[Code]....
[Code]....
USERCONTROL Codebehind: (c_podcategory.ascx.cs)
[Code]....
WHY do I get the error CS0122: 'ASP.codes_membership_c_podcategory_ascx.CategoryName' is inaccessible due to its protection level
[code]....
View 10 Replies
Sep 23, 2010
My requirement is showing the clock in ASP.NET {this should show all hh:mm:ss}....
View 4 Replies
Jul 22, 2010
Since the virtual directory name is not fixed, I wrote the code below to include a .css file in the .aspx page.
<link rel="Stylesheet" href="<%= ResolveUrl("~/Css/xxx.css") %>" type="text/css" />
The question is, when I use "ResolveUrl" in the tag, the IDE is always barking that all CSS classes are undefined.
Is there any better way to define .css file including?
View 3 Replies
Sep 10, 2010
I want to use the following format of my url:
http://localhost/{url}/{options}/{hash}
But since the url will be very strange with a url inside a url, how would I encode that?
I was thinking of encoding it in hex, since url encoding in .net gave me some strange result that didn't work inside a url. But I don't really know what would be the best way here.
I want to keep the structure of the url, not including any querystring.
View 2 Replies
Mar 2, 2010
I use the code below to dynamically include a CSS file:
HtmlHead head = (HtmlHead)Page.Header;
HtmlLink link = new HtmlLink();
link.Attributes.Add("href", Page.ResolveClientUrl("~/App_Themes/Default/StyleSheet.css"));
link.Attributes.Add("type", "text/css");
link.Attributes.Add("rel", "stylesheet");
head.Controls.Add(link);
The problem is: I want to do it only once, and only if it isn't already included in the page.
How do I verify if it is already included?
Edit:
Answers telling me to include in page load using !IsPostBack won't solve my problem, as this code will be inside a Web User Control and my page may have a lot of the same user control.
For example, I use the code below to do it with javascript:
if (!Page.ClientScript.IsClientScriptIncludeRegistered("jsScript"))
{
Page.ClientScript.RegisterClientScriptInclude("jsScript", ResolveUrl("~/Utilities/myScript.js"));
}
View 3 Replies
Jul 14, 2010
Possible Duplicate: Include javascript file inside javascript file?
Including a reference to another .js that your current .js file code is reliant on instead of having to add 2 includes in every page to ensure that both those files are there? I assume the answer is no...as I have not found any info on it on the net so far.
View 4 Replies
Jun 14, 2010
Is the classic way of using include files still the best practice in ASP.NET? Is there a better way in ASP.NET to simulate include files? If not, can someone please provide an example of the .NET way?
View 5 Replies