Security :: Secure Code - Import A Third Party DLL
Apr 26, 2010Code in DLL can only be obfuscated. IN my DLL how can I import a third party DLL into my DLL? Can I obfuscated the code but not the functions and sub header names?
View 3 RepliesCode in DLL can only be obfuscated. IN my DLL how can I import a third party DLL into my DLL? Can I obfuscated the code but not the functions and sub header names?
View 3 RepliesI'm working on a SharePoint solution which makes use of a third party dll (Telerik for Asp.Net Ajax - Telerik.Web.UI.dll) for rich experience. Since Telerik dll is a common assembly i have to deploy it to the bin folder of the webapplication instead of GAC. So here comes the problem.
WSPBuilder automatically deploys the dll to gac if the dll presents in the GAC folder. To deploy the telerik dll in bin i created the folder 80in and copied the dll there. I tried to build the wsp again and then went through the manifest.xml created. Great. The deployment target for the dll changed to WebApplication and wspbuilder was smart to create the cas policy itself.
<CodeAccessSecurity>
<PolicyItem>
<PermissionSet class="NamedPermissionSet" version="1" Description="WSPBuilder generated
[code]....
But Wspbuilder was not smart enough to put the four part name of SharePointPermission IPermission class. But i learnt that CAS actually requires the four part name. So i decided to make use of the -CustomCAS command line option of wspbuilder.exe to pass my custom cas policy file.
Here is my custom policy file -
<IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Flags="Execute" />[code]....
After i deployed the wsp i verified
* the dlls going to bin
* the trust level changed to custom trust level
* custom policy file being added to config folder
But when i run the page i get the following error -
screen shot -
Error -Execution Permission Denied
I've checked my entire application for any assembly references of the dll. But i was not able to find one.
I will have my asp.net site on a shared hoster. Whats the best way to prevent others hacking and viewing my code? The code I most want to secure is in usercontrols and some more code is in class modules. vb.net/MSVS2005/Ajax) Or do I secure the whole site? I also here some encypting code tools cant handle sophisticted code. Also does encryption slow down code and make the site harder to manage...
View 4 RepliesI have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0
I am assuming this can be done because I see lots of websites where login fields are on available on every page and they are running http and I can believe they are not encrypting the login credentials.
I understand that we can easily secure the menu pages by enabling SecurityTrimming and putting role information in web.sitemap.
But my problem is that we have to use a 3rd party authentication piece. The ASP.NET application gets the UserId and roles from the authentication module.
I need to show/hide ASP.NET pages based on the incoming user's roles.
Is it possible somehow to use web.sitemap with these roles?
Or should I come up with my own way to map a web page to role/s?
In my present project i have to convert some file formats into PDF.The source file formats may be MSOffice(.doc,.docx,.xls,.xlsx,.ppt,.pptx) and Images(.jpg,.png,.jpeg,.tiff).We wish not to use any third party library.The code should be in c#.
View 3 RepliesI have a web application in asp.net 3.5 where i have been using some third party controls i.e. Devexpresv9.2 and on the pages where i am using these controls i normally has to call the register tag on the page markup like for ex:
<%@ Register Assembly="DevExpress.Web.v9.2, Version=9.2.9.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a"
Namespace="DevExpress.Web.ASPxCallback" TagPrefix="dxcb" %>
<%@ Register Assembly="DevExpress.Web.ASPxGridView.v9.2.Export, Version=9.2.9.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a"
Namespace="DevExpress.Web.ASPxGridView.Export" TagPrefix="dxwgv" %>
Now i have updated the version of devexpress controls installed on my machine and it has stopped working because the version installed on my machine is v10.0 but my code is looking for v9.2 how can i modify my code in such a way that in future if i install another version then i don't have to modify all the pages and references again.
I want to create a digital signature, for my product, for creating the digital sigmature i want digital certificate. I came to know there are lot of third party available for creating digital signature. If any one know can tell some of third party for this.
View 1 RepliesI have an intranet site that is used to pull several other intranet applications/tools and database info to one place.One of the most popular features uses iFrames and jQuery tabs to give a broad overview of activities, signal etc in a network node. Chrome and Firefox eat it up with no problems, IE will work if you override the cookie policies that restrict 3rd party cookies
without a valid p3p (what a worthless standard). IE also works if you already authenticated yourself on the individual sites and the session cookies are still valid.
Is it possible to log the user automatically into a third-party website if we have their details on record? For example, if I had a users facebook/hotmail username/password stored in my database, is it possible to use these details to log them into facebook/hotmail, then open up facebook/hotmail.com with them already logged in?
Basically my Client uses Basecamp for their customers and wants a way of automatically logging his customers into basecamp from their website without them having to go through the trouble of logging in again (after they've already logged in through my clients website).
I need to convert a web site using traditional ASP.Net login,membership/role with SQL to a custom system. I need to use a third party (CAS) authentication system while still using membership and roles to control access to content and User.Identity functions.What would be the best way to accomplish this? I use the <deny> and <allow> user throughout the site to control page access.
View 3 RepliesI am using third party tool in my web site.Its running fine on my dev. PC.but when I upload it to serverm it says "System.Security.SecurityException: That assembly does not allow partially trusted callers."when I read about this error, many suggest to get it set trust level to high by admin bacause developer can not.
View 5 RepliesI've developing an ASP.NET application that interfaces with Google Maps and retrieves marker information from a database. The marker information is split into tables in the database, where the name of the table reflects a company (e.g. CompanyA_MarkerData, CompanyB_MarkerData etc). In order to periodically update the map with new marker data, I use setTimeout in JavaScript to regularly call my 'UpdateMarkers' JavaScript function. 'UpdateMarkers' makes a call to a web service which performs the database query and returns a list of markers back to the JavaScript, which in turn updates the map.
The main issue I have with this method is that my web service requires that I pass it the name of the company so that it knows which table in the database to access. As you can imagine , this poses a security risk as anyone can pass a different company name to the web service and be able to retrieve the data from other companies, as well as their own.
In order to avoid this problem, I am restructuring my program as follows: When the system administrator creates users for my application, they can also assign a company ID to this user. The company ID is stored using the Profile object in ASP.NET. I am moving the web service code into a class with shared functions so that they can be called only within my pages (but not by anyone, like with web services). The functions will still require a company name passed to be passed to them. However, rather than the JavaScript making direct calls to these shared functions, the JavaScript will call a set of page methods (which as I understand it, are not public like web services). These page methods will then use the Profile object to retrieve the company name attached to the user currently logged in and then make a call to my shared database functions and return the info back to the JavaScript.
I think that this second method is more secure than the first, because I don't allow the client to pass different options to my code and retrieve unauthorized data. The server side code works out the parameters that need to be sent. However, I am wondering if there is a better way of doing this that I am missing out?
If I deploy my ASP.NET project to a shared server web hosting, then is there a way to secure my source files so that the provider will not be able to access the source?. For example, the provider of my web hosting may download my files and then he will be able to get access to all my source.
View 9 RepliesI recently came aware of some knowledge I was not aware of before. One of my friends said that publishing a website with the code behind is a security risk. Instead, he insisted I only publish with the DLL's to prevent hackers from altering your code. Is this true? What are the advantages and disadvantages for doing this?
View 3 Repliesi am creating a web app for a small buisness enterprise in which i have added a node in my menu (stocks) accessible to limited users
every time a user try to access this node , it will ask for his/her credentials. iam using asp.net login control( in built ) for this . Also i used
<authentiaction mode='forms' />
<authorization>
<deny users='?'>
</authorization>
for these pagesin my web.config file now apart from that , how can i made it more secure using asp.net membership provider.
I have a graphical user interface for my company product.I want to secure the data being sent back and forth between client and server.
Is SSL one of the options? some1 tell me the steps on how to implement it in my application code.
Do i need to buy the certificate or can i make it.. which is the best choice?
I am logging in using FormsAuthenticationTicket as follows:
Session["userName"] = UserName.Text;
Session["password"] = Password.Text;
Session["domain"] = Domain.Text; [code]....
I'm creating a ASP.NET/SQL Server 2005 Express app which requires users to upload supporting attachment or documents in .docx and .pdf format. The web server is IIS 6/Win 2003. I'm trying to come up with a good way of securing these documents so anonynous users cannot see them and creating a separate Windows login for every user is not an option. SQL Server Express does not have blob data types. I'm storing each user's authentication information in the SQL database and not really using forms authentication.
View 1 RepliesI would like to send email securely to third party with attachments containing sensitive info. The website is configured with SSL. I'd like to know how to send email securely via asp.net app.
View 3 Repliesi have asp.net 2.0 web site and in the main root i have some secure pages so if any unauthenticated user try to visit my page the browser redirect him to login.asp page (it was correct) but in my web i have subfolder named (Admin) and i want to secure all pages under this folder and redirect any user to new login page. how can i do it?
View 7 RepliesI've got IIS 6 with a self-signed certificate installed. This is now securing the whole site (all urs are HTTPS). How do I only apply HTTPS to logged in areas, leaving publicly viewable data with HTTP?
View 8 RepliesI'm auto-generating a form in my ASP.NET page. This is already tested and working. I want to know if:If there are any security problems with storing the database ID as part of my controls ID? I can see think of 2 issues: the id will be visible in page source (not really important in this case), and the possibility someone could change the name of the control somehow? This second possibility is more serious. Is this a potential problem and how to void it?If there would be a better preferred way to associate a unique data with any type of control? Is it possible to store a custom item in the viewstate for the control?
View 5 RepliesI'm building a forgot password feature for my first secure backend.
I want to email a url containing an encrypted parameter to the user which will lead them to a password reset form that can only be accessed via the url with the encrypted parameter.
But what if the email gets intercepted?? then anyone who intercepts it will have the link to the reset page.
Is there a way I can send a secure email? I know nothing about email really. Is it even possible to send a secure email? Can I encrypt the email, will that help? But if it is encrypted then how does the recipient read it?
From what i know Random() is initialize to the current time. If two connections hit during the same second i should get the same two random numbers? With a large site that can be likely. Locking is bad so how should i solve it? note: the number is used for the session id.
-edit- i am stuck using a long. It feels wrong to shorten a 128bit GUID
In my environment, we use Active Directory as our password repository. I'm writing an app that uses the users windows session (windows auth) to authenticate the user. This is working well, but I need to provide a way for users to log in as a different user. I setup a web form to accept a username and password. My question is this, I need a secure way to validate the user's credentials against AD. I cant have the credentials passed as clear text. Ive come across the impersonate user functions, but i'm leary because you have to pass a clear text password into the password field. I know I could also use LDAP, but without a certificate, I know plain LDAP is relatively insecure. Can someone point me in the right direction of a more secure solution to query AD with the credentials?
View 3 Replies