Security :: Improve Security Vulnerabilities To Prevent Future Attacks?
Aug 17, 2010
I am using microsoft visual web developer 2010 to build and publish my website, I am facing a security problem. My website has authentication service for my clients, each one he has his own user name and password. After I introduced a new member, my database collapsed, may be this last member is a hacker. Is their a way to improve security vulnerabilities to prevent future attacks. May be through web.config, could be encrypted.
I have a ASP.NET XML web service (asmx) running on .NET 3.5. I am trying to figure out how best to prevent replay attacks. Is there any inherent security by .NET 3.5 that should mitigate this issue, or do I need some kind of SOAP header token value?
We have some review coming up and my boss gave me a list of web page security vulnerabilities to look through and consider for our public site. I really don't understand the Get versus Post:
8Misusing HTTP POST and GET Use POST to submit forms Use GET to access resources
–NEVER use GET to authenticate users as it leaves a residual trace of all users in the web server access logs (not to mention web application proxy tools)
I have the following procedure and noticed during my first test that my first insert worked, but due to table design issue with the 2nd insert it failed. When i checked only 1 table had been updated.. i cant have that once its in production.
So can someone suggest on how i can improve the logic so that both inserts have to work or none at all.. We cant have broken links between the tables.
I've set up a page where create logins with createuserwizard. I can login with created account but I get logged out after like 20min if I dont do anything (reload etc). How can I remove this timeframe? I dont want a timeframe at all, i want to stay logged in until i close the browser.
I have a ajaxPopupExtender in where I placed a login control. But when I login i get a full postback. I've tried to put it all in an updatepanel but that didnt help.
What I want is for the client to login from the popup Window, in case of login error I want to show that error message in popup (still visible). But if the login in successful I can in codebehind do a full postback.
As of now, even when error is presented the page is doing a full postback and the popupExtender with login control is collapsed.
I managed to user to perform multiple log on from other IE window session in my web application if the same log on is currently being used.Unfortunately I have problem to control multiple log on if the user is logging in using tab browsing in the same session. I know this is due to the same session Id but is there any way to trace down to the tab level within the same session?
i want to protect webpage from saving from browser file->save as. i found some sites did it(facebook,orkut). when i try to save pages on that sites only home page saved. how to do this in c#
Since I need user click a link from his/her email once they registered, currently after user registered, and click the "Continue" button (CreateUserWizard1_ContinueButtonClick) or CreateUserWizard1_UserCreatedSuccess, it will be authenticated, how do I prevent this until they click the active link from their email?
At the moment i,m working at a websit (ASP.net 3.5). I have build the project and till my surprise it is possible to reverse engineering the created dll's to the code (with Red Gate's .NET Reflector).
I have found several tools like Xheo and dotfuscator, but does there realy protected the created dll's ?? Does Microsoft have build a method to secure this ?? If this is not possible everybody can steal your code....
I have took a lot of time reading about this article, but is there a method or tool to make this secure?
I will have my asp.net site on a shared hoster. Whats the best way to prevent others hacking and viewing my code? The code I most want to secure is in usercontrols and some more code is in class modules. vb.net/MSVS2005/Ajax) Or do I secure the whole site? I also here some encypting code tools cant handle sophisticted code. Also does encryption slow down code and make the site harder to manage...
i use the CreateUserWizard in order to create users. Asp.net generates automatically a password which is sent to the user by email.
The emailaddress must be like this: firstname.name@ourdomain.be . If 'firstname.name' doesn't exist in our Exchange server ('ourdomain.be'), then:
1) the user is still created 2) the message page with: 'Mailbox unavailable. The server response was: 5.1.1 User unknown' appears
E.g: if user John Wayne introduces by error Jhn.Wayne@ourdomain.be , then this user must not be created, and only a simple Alert-message must appear.
I tried a lot of Try / Catch / Endtry but all my attempts fail: the user is always created and the whole message page appears. I also tried with CreateUserWizard1_SendMailError sub.1
I am modifying an existing page where I am doing an insert into tables, adding an email address for the team, both fields input from the user.
However, Each email can only exist once for a given team (I have a unique index constraint in my code) so when this exception happens I am showing text something like "you cannot add the same email address for this team" and I am also changing the following property of my CreateUserWizard:
[Code]....
before this it was displaying something like "you have successfully created your user..."
However if the user attempts to add the same email address again for a given team I want to prevent the user from registering.
Anyways, my question is that its good I am hiding the "successfully created..." text however I am still seeing the following:
1. "Complete" word
2. A button with the text "Continue" on it.
I also need to hide both the "Complete" text and the "Continue" button.
This is confusing to the user because it suggests that the user was created successfully but this is not the case in the scenario I described.
I have a folder within my website called 'ProtectedPages' which contains pages which users can only see if they have logged in (MyAccount.aspx etc). If they bookmark that page and try to go to it without logging-in, they are immediately bounced to my login page.However, if I have text files, images etc. in there, then it seems users can get to these fine without the need to login - all they need is the URL. For example, I could send the URL http://mysite.com/ProtectedPages/MyAccount.aspx to a friend and he wouldn't be able to access it until he had logged in. However, I could send himttp://mysite.com/ProtectedPages/ATextDocument.txt and it would show it to him without any problems.How would I go about protecting ALL files within this folder? I have a web.config file within the ProtectedPages folder which just has this information in it (I don't want TrainingAdministrator's to have access to that folder at all)
Id like for people only to access the content via default.aspx and not the dynamically generated content generateimage.aspx. Any attempt to browse here directly should be redirected to an error page
I usually use HttpUtility.HtmlEncode and HttpUtility.HtmlDecode for this but my fear is that someone injects some nasty javascript, I encode it before committing it to the database so it doesn't harm me but the next person who pulls up the page, gets the javascript because I decode the HTML before rendering the page.
What's the best way to handle this in public facing websites?
My application is windows authenticated. The application pulls JUST the userName from the current windows account. Then I provide site access to this user depending on his account privileges. If his userName belongs to the admins list he is directed to admin screens. If his username belongs to users list he is directed to users screens. I handle this security in C# and some SQL tables(No membership provider and no Active directory security in the app).
I need to be able to prevent multiple concurrent logins for the same userName.