Security :: In Application How To Stop Cross Site Request Forgery

Jun 15, 2010

I am using asp.net 3.5 and have validateRequest="true" in the machine.config.

Do I need to do something special to stop CSRF and cross-site scripting, or will ASP.NET handle all of these?

View 1 Replies


Similar Messages:

Security :: Pass Credential From On Request To Another Request (one Site To Another Site)?

Jul 27, 2010

WebApp1: on IIS and configured with Windows authentication. Get User account from AD.

WebAPP2: a java web app on another windows box in same domain with authentication from AD

On WebApp1, I have an HTTP handler like:

using System;
using System.Net;
using System.Web;

public class MyHandler : IHttpHandler
{
    // Required member of IHttpHandler
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        string url = "http://WebApp2/Test";
        HttpWebRequest myReq = (HttpWebRequest)WebRequest.Create(url);
        // User name and password are hard-coded here
        CredentialCache myCache = new CredentialCache();
        NetworkCredential netCredential = new NetworkCredential("myname", "mypassword", "");
        myCache.Add(new Uri(url), "Basic", netCredential);
        //...
        myReq.Credentials = myCache;
        //....
    }
}

In the above way, I can set authentication in code and pass it to WebApp2.

But I don't want to put the name and password in code. User info is already available on WebApp1: in context.User I can find the info of the user who already logged into WebApp1, so I want to pass this credential to WebApp2. I have tried to do the following:

myReq.Credentials = CredentialCache.DefaultCredentials;

but I failed because there is no data in CredentialCache.DefaultCredentials.

View 1 Replies

Security :: Way To Authenticate A Cross-domain Request For Two Intranet Sites Using AD

Apr 22, 2010

I'm still new to Windows authentication. Basically, we have a page on http://externalsite.com that needs to be accessed only by an authenticated user originating from http://internalsite. The user on internalsite is already authenticated using Windows authentication. I'm confused here. How can I validate the user and obtain their role so that I can not only validate that they are authentic, but also authorize them to use this page on externalsite.com?

View 2 Replies

Security :: Prevent From Cross-Site Scripting Attack?

Oct 15, 2010

a major problem from Cross-Site Scripting Attack. Below is a sample script which automatically gets inserted into my HTML and ASPX pages.

"<script src=http://avidmarketing.ie/images/rc3/companybuttonwhite.php ></script>"

View 5 Replies

SQL Reporting :: Stop Sorting Cross Tab Report Header?

Aug 16, 2010

Dear, I want to stop sorting in the cross tab report header. I also want to sort in a specific order. How can I do that?

View 5 Replies

Web Forms :: Make Cross-domain Request To Set Cookies?

Mar 3, 2010

I have integrated a third-party advertising module in my website. Their domain is "http://rotator.adjuggler.com/". They read a cookie from this domain and display advertisements based on the cookie's value. Now I want to set cookies on this domain from my website, though this is not possible. They have provided a URL to set cookies:

http://rotator.adjuggler.com/servlet/cookie?action=set&name=test&value=1&maxage=2592000

We can set cookies on their domain by calling the above URL.

Problem:
1) We can't make an xmlHttp request because this is a cross-domain link.
2) We can't use jQuery because it uses xmlHttp as its native implementation.
3) I have tried to set the above URL in <img src="..." > and <script src="...">. Both are not working, but when I paste the above URL in the address bar it works.

Does anybody have an idea how to call the above URL from code?

View 2 Replies

Legitimate Cross Site Communication?

Jul 7, 2010

I am building a website, within a large intranet, that wraps and adds functionality to another site within the same intranet. I do not have access to the other site's source and they do not provide any api's for the functionality they provide. I need to, somehow, have my server-side code go to that site, fill in some forms, then press a submit button. Is this possible? If so, how can I accomplish this?

Note: I am working in asp.NET if that matters at all.

View 4 Replies

How To Cross Site Sharing UI Without Iframe

Feb 3, 2011

We host catalog data and UI for our clients. We do not build the entire web site for them, so for the time being the client puts in an iframe and points its URL to our hosting site. It was working fine, but now just because of the iframe they are losing SEO. So my question is how to achieve my goal without an iframe.

1) How can I embed/inject/merge UI hosted by us into our client's web site?
2) Get SEO benefits

View 1 Replies

Using A Web Service For Cross Site Scripting?

Feb 20, 2010

I want to pull down a feed (like twitter) and place in on a page using javascript (jquery). Ultimately, the "service" just needs to hand off JSON. I created a web service that allows me to do that, sort of. I don't know if using a stream reader is all that efficient and I was a little bothered by having to use what amounts to 2 evals on the clientside.

My question is twofold: is there a better method than using a web service and two, is there a problem with my implementation?

asmx:

[WebMethod]
public string World()
{
    WebRequest request = WebRequest.Create("http://twitter.com/statuses/user_timeline/username.json?count=1");
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    StreamReader reader = new StreamReader(response.GetResponseStream());
    string tmp = reader.ReadToEnd();
    response.Close();
    reader.Close();
    return tmp;
}

aspx

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js" type="text/javascript"></script>
<script>
$(document).ready(function() {
    $.ajax({
        url: "WebService1.asmx/twitter",
        type: "POST",
        data: "{}",
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        success: function(obj) {
            var t = eval(obj.d)[0].text;
            $('div').html(t);
        }
    })
});
</script>

View 2 Replies

Cross Site Scripting Vulnerability?

Mar 25, 2010

We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:

[Code]....


Which executes an alert window when clicked.

After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this:
<a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This
is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>

but the alert window still fires! What am I doing wrong?

View 3 Replies

Site Security/Access Management For Mvc Application

Mar 25, 2010

I am trying to find a good pattern to use for user access validation.

Basically on a webforms application I had a framework which used user roles to define access, ie, users were assigned into roles, and "pages" were granted access to a page. I had a table in the database with all the pages listed in it. Pages could have child pages that got their access inherited from the parent.

When defining access, I assigned the roles access to the pages. Users in the role then had access to the pages. It is fairly simple to manage as well. The way I implemented this was on a base class that every page inherited. On pageload/init I would check the page url and validate access and act appropriately.

However I am now working on an MVC application and need to implement something similar, however I can't find a good way to make my previous solution work. Purely because I don't have static pages as url paths. Also I am not sure how best to approach this as I now have controllers rather than aspx pages.

I have looked at the MVCSitemapprovider, but that does not work off a database, it needs a sitemap file. I need control of changing user permissions on the fly.

View 2 Replies

Cross Browser - Site Mobile Phone Support?

Jan 16, 2010

I need to make my site work well on a blackberry. I haven't put too much effort into getting this working yet, but I have a few questions which Google is struggling with. I've read about detecting browser type and modifying the default behaviour of asp.net controls here. How would I go about supplying a different stylesheet to a specific browser? Should I just do this?

if (Request.Browser.Browser.ToString() == "blackberry") //pseudocode
{
    Response.Write("bb.css");
}
else
{
    Response.Write("bb.css");
}

This will work fine, but I feel like there is a better method. I'm sure I've read about something in the past but I can't seem to recall. I'm also considering a Response.Redirect to a different page for a blackberry, which at the moment I would implement in a similar way.

View 5 Replies

WIF Cross-domain On One IIS Site/ Dynamically Setting Of Realm?

Nov 16, 2010

We have a lot of domains running on one IIS WebSite/AppPool.

Right now we are in the process of implementing SSO with Windows Identity Foundation.

In web.config the realm has to be set with

<wsFederation passiveRedirectEnabled="true" issuer="http://issuer.com" realm="http://realm.com" requireHttps="false" />

My problem is that the realm is dependent on which domain the user accessed the website on, so what I did is set it in a global action filter like this

var module = context.HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.Realm = "http://" + siteInfo.DomainName;

My question is: when I set the realm like this, is it set per user instance or application instance?

Scenario.

User A loads the page and the realm gets set to domain.a.com.

User B is already logged in on domain.b.com and presses login.

Since user A loaded the page before User B pressed login, user A will hit the STS with the wrong realm set.

What will happen here?

If this is not the way to set the realm per user instance, is there another way to do it?

View 1 Replies

Web Forms :: Using Cross - Posting And Master Pages In 3.5 Site?

Jul 30, 2010

I have an interesting issue I have racked my brain trying to find a solution to.

I have a site with a single master page. Part of that master page is a text field and button. They are not part of a content placeholder, they are simply part of the master page, itself, and are intended to allow people to search the site from any page on the site.

So, all search requests are routed to a search.aspx page, regardless. I am doing this by setting the PostBackUrl attribute of the button control to "search.aspx".

This all works great, except when I try to use this search capability from the search.aspx page, itself. I figure this is because I am using the Page.PreviousPage object and since a postback from the search.aspx page, itself will result in the Page.PreviousPage being Nothing, it is not performing the proper action.

View 1 Replies

Due To The Presence Of Characters Known To Be Used In Cross Site Scripting Attacks?

Mar 9, 2011

Where does the following HTTP error message come from:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.

We're using dynamically generated URLs and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appears instead of '<') but it doesn't Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.

View 1 Replies

Web Forms :: HttpRequestValidationException - Handling Cross Site Scripting (XSS)?

Oct 25, 2010

This exception is caused by the user entering scripts or disallowed text such as "<script>" or "<h1>". This exception will be thrown while processing the request.

After searching and trying, most of the solutions were to:

1- disable request validation in the page header (validateRequest="false") or in the pages section in web.config.

I don't see this as a solution; the XSS problem is still there, it just does not throw the exception.

2- To encode the text and decode it using Server.HtmlEncode and Server.HtmlDecode.

This is a good one, but I have to go to every single textbox and call this method (Server.Encode(txtAddress.Text)). This requires a lot of effort to change the whole site, and some of them may be forgotten.

I was thinking of creating a new TextBox control (MyTextBox) to inherit from System.Web.UI.WebControls.TextBox and override the Text property, then Encode base.Text in the get accessor, and Decode base.Text in the set accessor.

This will also require to change the whole site, to use MyTextBox instead of TextBox.

View 3 Replies

Web Forms :: How To Prevent Cross Site Scripting In Bll Layer

Jan 21, 2010

To have a better secure application, we have to prevent cross site scripting.

I have an application that uses a BLL.

All inputs have to pass through the BLL before they are passed to the database.

To prevent cross site scripting, is the BLL the correct place to validate the input?

To be exact, should all the properties of an object be validated?

View 9 Replies

Code Analysis Tool To Check Cross Site Scripting?

May 14, 2010

I am aware of a tool which MS has provided which tells you about cross site scripting attacks etc.
The tool is [

But are there tools which you have used for ASP .NET applications which do similar to this and which one is widely used in ASP .Net applications ?

View 2 Replies

C# - How To Stop Loading A Page After The Request Is Sent

Jul 30, 2010

I have an ASP.NET (C#) page that has a long load time (like 2 minutes). The user is presented with a little animation and a "please wait" message. If the user accidentally loads this page, they need to wait for it to load.

My question is: Is there a way to stop the page load?

View 2 Replies

Security :: VS2008 Development Server (local Host) & Hosted IIS7 Site Different Configuration - How To Test Application

Mar 19, 2010

How can I test an application that I am publishing to a remote provider's IIS7 hosted site, with the VS2008 development server that is built in with VS2008 on an XP Machine?

My membership/roles work perfectly up on the remote host. On the hosted IIS7 site when I try to access a secure directory it redirects to login, and I am able to login, however when I launch (debug - F5) from VS2008, it will provide that folder/resource, no questions asked. Same build, config, etc... nothing has changed.

I am running XP, and local IIS version installed is 5.1.

My guess is what is happening is that the new format required in the web.config is configured properly for IIS7 deployment, which is why it works remotely, but when running locally through VS2008/XP it is running with an older version on IIS and does not recognize the new tags.

View 3 Replies

Strange Request - Stop All Future Processing And Reload Page Instead? (or Change My Design)

Apr 9, 2010

I want to be able to (in code) tell the page to refresh at that point ignoring anything else it was going to do.

Explanation:

I have a property, let's call it AllUsers

AllUsers
{
    return Database.GetAllUsers();
}

Now I have put it like this because in my code I want to just use this property to browse all the users and not have to check if its null or not up to date. The problem is if my method .GetAllUsers() throws an exception e.g. database is unavailable. If this happens I want to display a message to the user and reload the page to its initial state.

e.g. something like this

AllUsers
{
    try
    {
        return Database.GetAllUsers();
    }
    catch(Exception e)
    {
        AbortAllCodeAndReloadAndDisplayMessage(e.Message);
    }
}

Now I can reload the page using Response.AppendHeader("Refresh", "0;URL=ThisPage.aspx");

but how can I abort all code? because if I use this where I have placed my method the code will run and then reload on the next page load.

Should I change my property design? I wanted to have a property which would always be valid and up to date so any code using it wouldn't have to worry

View 5 Replies

C# - How To Post Data To Another Web Application (cross Domain)

Jan 21, 2010

There are two web applications App1 & App2. A user would submit his information on App1 through a form. On click of a specific button/link on App1, the same data should be posted to a page on App2 and the user should also be redirected to the same page on App2. I would like some help in finding out the best way to implement this functionality.

One of the approaches that I have already tried out is by creating a temporary HTML form at runtime, setting the action attribute of the form to the App2 page and getting the form posted by using javascript submit. The data can then be fetched on the App2 page by using the response.form object. This approach works well, but I was still wondering if there is any other way to implement the required functionality.

give some insights on using RESTful webservices to implement this, or else, using some HttpModule to intercept requests at App1 and modify redirect response to App2 or any other approach that you might find fit for the purpose.

Edit: Using querystring isn't an option for me.

View 6 Replies

Geolocation Information With Asp.net Mvc (cross Domain Security)

Jan 20, 2010

How can I get a user's geolocation information (City and Country - internet service provider and internet speed would also be great) based on their IP address?

I've searched and found several tools for doing this but I seem to run into problems using them with asp.net mvc. Many of them relate to using json and the "security risk" involved in cross domain ajax calls.

View 1 Replies

WCF / ASMX :: Creating Web Service Cross Domain Security?

Feb 22, 2011

I want to restrict my web service to only a few domains.

I want to have access to the web service using ajax from my page, and I don't want anybody to be able to create a client for my web service and view my web service methods.

View 4 Replies

Security :: Cannot Redirect To The Home Page When Logout From Cross Domain

Mar 10, 2010

I am browsing the page (http://jessie.mydomain.com/), then I click the Logout button in this page. It logs out successfully, but it will not redirect to the page (http://www.mydomain.com/Default.aspx); it will show (http://jessie.mydomain.com/Default.aspx).

(1) In master page,

[Code]....

[Code]....

View 3 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved