Web Forms :: How To Prevent Cross Site Scripting In Bll Layer

Jan 21, 2010

To have a more secure application, we have to prevent cross site scripting.

I have an application that uses a BLL.

All inputs have to pass through the BLL before they are passed to the database.

To prevent cross site scripting, is the BLL the correct place to validate the input?

To be exact, should all the properties of the object be validated?

View 9 Replies


Similar Messages:

Security :: Prevent From Cross-Site Scripting Attack?

Oct 15, 2010

A major problem from a Cross-Site Scripting attack: below is a sample script which automatically gets inserted into my HTML and ASPX pages.

"<script src=http://avidmarketing.ie/images/rc3/companybuttonwhite.php ></script>"

View 5 Replies

Web Forms :: HttpRequestValidationException - Handling Cross Site Scripting (XSS)?

Oct 25, 2010

This exception is caused by the user entering scripts or disallowed text such as "<script>" or "<h1>". The exception is thrown while the request is being processed.

After searching and trying, most of the solutions were to:

1- disable request validation in the page header (validateRequest="false") or in the pages section in web.config.

I don't see this as a solution; the XSS problem is still there, it just does not throw the exception.

2- Encode the text and decode it using Server.HtmlEncode and Server.HtmlDecode.

This is a good one, but I have to go to every single textbox and call this method (Server.HtmlEncode(txtAddress.Text)); this requires a lot of effort to change the whole site, and some of them may be forgotten.

I was thinking of creating a new TextBox control (MyTextBox) that inherits from System.Web.UI.WebControls.TextBox and overrides the Text property, then encodes base.Text in the get accessor and decodes base.Text in the set accessor.

This will also require changing the whole site to use MyTextBox instead of TextBox.

View 3 Replies
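Added example for the two XSS questions above (where in a BLL to validate, and whether a TextBox that encodes in its getter is the right fix); this is editor-written C#, not code from either post. CustomerBll, SafeOutput, the display-name pattern and the commented data-layer call are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI.WebControls;

// Hypothetical BLL class: the business layer validates what a value may contain,
// but does not HTML-encode it, because the same value may later be rendered into
// HTML, a JSON feed or a SQL parameter, each of which needs a different encoding.
public class CustomerBll
{
    // Assumed rule for a display-name property: letters, digits, a few punctuation marks.
    private static readonly Regex DisplayNamePattern = new Regex(@"^[\p{L}\p{N} .'\-]{1,60}$");

    public void Save(string displayName, string comment)
    {
        if (displayName == null || !DisplayNamePattern.IsMatch(displayName))
            throw new ArgumentException("Display name contains characters that are not allowed.");
        // Free text cannot be whitelisted this tightly; bound its length and keep it raw.
        if (comment == null || comment.Length > 2000)
            throw new ArgumentException("Comment is missing or too long.");
        // dataLayer.InsertCustomer(displayName, comment);  // hypothetical parameterised data-layer call
    }
}

// Presentation layer: encode at the moment of output, for the context being written into.
public static class SafeOutput
{
    // Element content: <script> becomes &lt;script&gt; and the browser shows it as text.
    public static void ShowComment(Label target, string rawComment)
    {
        target.Text = HttpUtility.HtmlEncode(rawComment);
    }

    // Attribute value: quotes and angle brackets are encoded so the attribute cannot be closed early.
    public static void SetTitle(WebControl target, string rawTitle)
    {
        target.Attributes["title"] = HttpUtility.HtmlAttributeEncode(rawTitle);
    }
}
```

Encoding inside a TextBox getter stores already-encoded text, which then double-encodes on output or has to be decoded again before it can be used outside HTML. Keeping the BLL check and encoding once at output avoids both problems.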

Using A Web Service For Cross Site Scripting?

Feb 20, 2010

I want to pull down a feed (like twitter) and place it on a page using javascript (jquery). Ultimately, the "service" just needs to hand off JSON. I created a web service that allows me to do that, sort of. I don't know if using a stream reader is all that efficient, and I was a little bothered by having to use what amounts to 2 evals on the client side.

My question is twofold: one, is there a better method than using a web service, and two, is there a problem with my implementation?

asmx:

using System.IO;
using System.Net;
using System.Web.Services;

[WebMethod]
public string World()
{
    // Fetches one status as raw JSON text and hands it to the client unchanged.
    WebRequest request = WebRequest.Create("http://twitter.com/statuses/user_timeline/username.json?count=1");
    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    using (StreamReader reader = new StreamReader(response.GetResponseStream()))
    {
        return reader.ReadToEnd();
    }
}

aspx:

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js" type="text/javascript"></script>
<script>
$(document).ready(function() {
    $.ajax({
        url: "WebService1.asmx/World",   // must match the [WebMethod] name
        type: "POST",
        data: "{}",
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        success: function(obj) {
            // obj.d is the JSON text returned by the service as a string,
            // so it is parsed a second time here (the "second eval").
            // JSON.parse(obj.d) gives the same result without executing code.
            var t = eval(obj.d)[0].text;
            // .html() renders the tweet text as markup; .text() would show it literally.
            $('div').html(t);
        }
    });
});
</script>

View 2 Replies

Cross Site Scripting Vulnerability?

Mar 25, 2010

We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:

[Code]....


Which executes an alert window when clicked.

After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this:
<a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This
is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>

but the alert window still fires! What am I doing wrong?

View 3 Replies

Due To The Presence Of Characters Known To Be Used In Cross Site Scripting Attacks?

Mar 9, 2011

Where does the following HTTP error message come from?

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.

We're using dynamically generated URLs, and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appears instead of '<'), but it doesn't. Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange, but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.

View 1 Replies

Code Analysis Tool To Check Cross Site Scripting?

May 14, 2010

I am aware of a tool which MS has provided which tells you about cross site scripting attacks etc.
The tool is [

But are there tools which you have used for ASP.NET applications which do something similar to this, and which one is widely used in ASP.NET applications?

View 2 Replies

Web Forms :: Using Cross - Posting And Master Pages In 3.5 Site?

Jul 30, 2010

I have an interesting issue I have racked my brain trying to find a solution to.

I have a site with a single master page. Part of that master page is a text field and button. They are not part of a content placeholder, they are simply part of the master page, itself, and are intended to allow people to search the site from any page on the site.

So, all search requests are routed to a search.aspx page, regardless. I am doing this by setting the PostBackUrl attribute of the button control to "search.aspx".

This all works great, except when I try to use this search capability from the search.aspx page itself. I figure this is because I am using the Page.PreviousPage object, and since a postback from the search.aspx page itself will result in Page.PreviousPage being Nothing, it is not performing the proper action.

View 1 Replies

Legitimate Cross Site Communication?

Jul 7, 2010

I am building a website, within a large intranet, that wraps and adds functionality to another site within the same intranet. I do not have access to the other site's source and they do not provide any APIs for the functionality they provide. I need to, somehow, have my server-side code go to that site, fill in some forms, then press a submit button. Is this possible? If so, how can I accomplish this?

Note: I am working in asp.NET if that matters at all.

View 4 Replies

How To Cross Site Sharing UI Without Iframe

Feb 3, 2011

We host catalog data and UI for our clients. We do not build the entire web site for them, so for the time being the client puts an iframe on their page and points its URL to our hosting site. It was working fine, but now, just because of the iframe, they are losing SEO. So my question is how to achieve my goal without an iframe.

1) How can I embed/inject/merge UI hosted by us into our client's web site?
2) Get SEO benefits.

View 1 Replies

Cross Browser - Site Mobile Phone Support?

Jan 16, 2010

I need to make my site work well on a BlackBerry. I haven't put too much effort into getting this working yet, but I have a few questions which Google is struggling with. I've read about detecting browser type and modifying the default behaviour of asp.net controls here. How would I go about supplying a different stylesheet to a specific browser? Should I just do this?

// Pseudocode: choose a stylesheet per browser family.
// Request.Browser.Browser is already a string, so no ToString() is needed.
if (string.Equals(Request.Browser.Browser, "BlackBerry", StringComparison.OrdinalIgnoreCase))
{
    Response.Write("bb.css");       // BlackBerry-specific stylesheet
}
else
{
    Response.Write("default.css");  // placeholder name for the normal stylesheet
}

This will work fine, but I feel like there is a better method; I'm sure I've read about something in the past but I can't seem to recall it. I'm also considering a Response.Redirect to a different page for a BlackBerry, which at the moment I would implement in a similar way.

View 5 Replies

WIF Cross-domain On One IIS Site/ Dynamically Setting Of Realm?

Nov 16, 2010

We have a lot of domains running on one IIS WebSite/AppPool.

Right now we are in the process of implementing SSO with Windows Identity Foundation.

In web.config the realm has to be set with:

<wsFederation passiveRedirectEnabled="true" issuer="http://issuer.com" realm="http://realm.com" requireHttps="false" />

My problem is that the realm depends on which domain the user accessed the website on, so what I did is set it in a global action filter like this:

var module = context.HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.Realm = "http://" + siteInfo.DomainName;

My question is: when I set the realm like this, is it set per user instance or per application instance?

Scenario.

User A loads the page and the realm gets set to domain.a.com.

User B is already logged in on domain.b.com and presses login.

Since user A loaded the page before User B pressed login, user A will hit the STS with the wrong realm set.

What will happen here?

If this is not the way to set the realm per user instance, is there another way to do it?

View 1 Replies
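Added example for the WIF realm question above; it is editor-written C#, not the poster's code. The module instance is owned by the pooled HttpApplication, so a Realm assigned in a filter stays on that instance for whichever request it serves next; the per-request place is the sign-in request built by the module's RedirectingToIdentityProvider event. The Global class, the AllowedHosts list and the http scheme are assumptions; the module name matches the web.config registration used in the post.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Web;

// Global.asax code-behind. ASP.NET auto-wires a method named <moduleName>_<eventName>
// to the event of the HTTP module registered under that name, so this handler runs
// every time the module is about to redirect a request to the STS.
public class Global : HttpApplication
{
    // Constructed allow-list: only hosts we actually serve may become a realm, so a
    // spoofed Host header cannot steer the STS reply to a foreign site.
    private static readonly HashSet<string> AllowedHosts = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "domain.a.com", "domain.b.com" };

    protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        string host = Request.Url.Host;
        if (!AllowedHosts.Contains(host))
        {
            // Unknown host: keep the realm configured in web.config.
            return;
        }
        // Realm and Reply travel with this request only; no shared module state changes,
        // so user A and user B each get the realm of the domain they arrived on.
        e.SignInRequestMessage.Realm = "http://" + host;
        e.SignInRequestMessage.Reply = "http://" + host + "/";
    }
}
```

The STS still has to know every realm in the allow-list as a relying party, otherwise it will reject the sign-in request for that domain.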

How To Find From GUI Whether Client Side Scripting Or Server Side Scripting Is Running

Mar 16, 2010

We have a GUI which runs on the ASP.NET 2.0 framework (Client-Server model). From the support perspective, how can one find out whether the pages which are opening in the GUI at any point in time use server-side scripting or client-side scripting?

The reason why I ask this is because I understand that some of the code is executed by the browser, such as JavaScript. So, if there are such scripts which are handled by the client browser, how can one find out that it is the client-side scripting which is running at that moment?

View 1 Replies

Security :: In Application How To Stop Cross Site Request Forgery

Jun 15, 2010

I am using asp.net 3.5 and have validateRequest="true" in the machine.config.

Do I need to do something special to stop CSRF and Cross Site scripting or asp.net will handle all these?

View 1 Replies
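Added example for the CSRF question above (editor-written C#, not the poster's code): validateRequest only rejects input that looks like markup and does nothing against CSRF, so a Web Forms 3.5 site needs its own mitigation. The CsrfProtectedPage base class and the session marker key are assumptions.

```csharp
using System;
using System.Web.UI;

// Hypothetical base page for an ASP.NET 3.5 Web Forms site. ViewStateUserKey mixes a
// per-user value into the ViewState MAC, so a postback whose ViewState was generated
// in another user's session fails validation before any event handler runs.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // Must be assigned before ViewState is loaded, which is why it lives in OnInit.
        // Relies on EnableViewStateMac (the default) staying on.
        var session = Context.Session;   // null when session state is disabled
        if (session != null)
        {
            // A brand-new session gets a fresh SessionID on every request until something
            // is stored in it; pin it so the key is stable across the postback.
            if (session.IsNewSession)
            {
                session["__csrfkey"] = true;   // constructed marker, any value works
            }
            ViewStateUserKey = session.SessionID;
        }
        base.OnInit(e);
    }

    // State-changing work should only run on a postback: a plain GET carries no ViewState
    // and therefore no MAC to check, so a link alone must never trigger an action.
    protected bool IsProtectedPostBack()
    {
        return IsPostBack && Request.HttpMethod == "POST";
    }
}
```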

C# - Manage Back End Data Layer Class Instance Throughout Site?

Jan 21, 2011

I'm new to web dev. and I'm using asp.net/C# to build a website. I currently have a class called DataLayer that I'm using to perform all of my database functions, and also store some queried information. I initially had this class as static, because that's how I wanted it to behave, but then realized that will be all kinds of bad for multiple users.

I have to make an instance out of this class in order to use it, but I need to maintain the same instance throughout several webpages for that user. Any thoughts or ideas on how to go about this approach? How to pass this object from page to page? Store in session variable, as a global object somehow?

View 2 Replies

.net 3.5 - Prevent Site From Being Screen Scraped?

Apr 24, 2010

How can I prevent my asp.net 3.5 website from being screen scraped by my competitor? Ideally, I want to ensure that no webbots or screen scrapers can extract data from my website. Is there a way to detect that a webbot or screen scraper is running?

View 7 Replies

Asp.net - Prevent Site Directory From Being Displayed?

Jan 13, 2011

I have a subdomain on which I have put up all the js code for my website to interact with another application, for example at code.example.com. Whenever the user types this address, code.example.com, all the contents of the directory are listed. How do I prevent this? I do not have any index.html or index.aspx here.

View 1 Replies

Security :: Prevent Unauthenticated Users From Seeing Non .Net Pages On Site?

Apr 9, 2010

I have a folder within my website called 'ProtectedPages' which contains pages which users can only see if they have logged in (MyAccount.aspx etc). If they bookmark that page and try to go to it without logging in, they are immediately bounced to my login page.

However, if I have text files, images etc. in there, then it seems users can get to these fine without the need to log in; all they need is the URL. For example, I could send the URL http://mysite.com/ProtectedPages/MyAccount.aspx to a friend and he wouldn't be able to access it until he had logged in. However, I could send him http://mysite.com/ProtectedPages/ATextDocument.txt and it would show it to him without any problems.

How would I go about protecting ALL files within this folder? I have a web.config file within the ProtectedPages folder which just has this information in it (I don't want TrainingAdministrators to have access to that folder at all):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>

[code]...

View 7 Replies

Architecture :: How To Pass The Values From Presentation Layer To Business Logic Layer

Oct 26, 2010

I am new to .NET. What is the difference between N-Tier and 3-Tier architecture? If they are the same, how do I pass the values from the presentation layer to the business logic layer?

For example:

I have 10 controls in the presentation layer and I am passing values to these controls. How does the architecture work?

View 3 Replies

Architecture :: Data Access Layer And Business Logic Layer?

Jun 24, 2010

I am building a web site following the tutorials on asp.net. I am using a dataset as the data access layer, and writing classes to access the dataset. But the example just gives basic ideas; how do I retrieve an individual table column value in the business layer? For example, if I have a table called Product, I only want to find out what the product name is by product id. I did this in my ProductBLL:

public class ProductBLL
{
    // Looks up the product name for one product id through the typed DataSet adapter.
    public string GetProductName(string productId)
    {
        ProductDataSet.ProductDataTable prodData = Adapter.GetProductById(productId);
[code]...

Is there a better way, or am I doing this correctly? Can anybody give me a reference to a more complicated business logic model?

View 16 Replies

Architecture :: How The Data Pass From One Layer To Another Layer In Mvc Design Pattern

Apr 1, 2010

How does the data pass from one layer to another layer in the MVC design pattern?

View 2 Replies

Security :: Prevent Injecting Malicious Code In Site By Hackers?

Jul 14, 2010

I am in trouble trying to remove malicious code from so many of our sites, developed in asp.net and in asp.

Most of the time the hacker injects the code in the Body tag at the onload event and also at the end of the html tag using JavaScript.

How to prevent it by programming code in asp.net or in JavaScript or by other means...

View 1 Replies

MVC :: How To Make Business Layer Seperate From Presentation Layer

Feb 23, 2011

I've even got my jQuery Ajax submission going on now, but I've encountered another problem. I *think* it's something to do with the structure I'm using, but like I say, I'm fairly new to this. I have my AJAX form submission which builds my "PersonViewModel" (model for the presentation layer) in JSON and sends it to "@Url.Action("RegisterSubmit")" in my Person Controller. Now, I separate my business layer from my View/presentation layer, so in "RegisterSubmit" I'm verifying the model is valid, then instantiating a new instance of my business model "Person", adding the values from "PersonViewModel" and then calling my "Save" function.

View 7 Replies

Business Layer Errors And Service Layer Handling?

Mar 7, 2011

We're building a large web app that has numerous layers. In order to communicate to the business layer we're using a service layer that the web layer calls when data is needed. Unfortunately, it seems that if exceptions are thrown in the business layer, it seems that the services on the web side are wrapping the exceptions and re-throwing them. We're looking for a clear way to encapsulate the error and log it, without WCF wrapping a new exception around the original.

View 2 Replies

MVC :: Custom Ex Class Be In The Repository Layer Or The Domain Layer?

May 6, 2010

My repositories throw exceptions (System.Exception) when some things go bad, and I know this is bad practice, so I will create a custom exception (DataException). My question is: should this custom exception class be in the repository layer or the domain layer? I'm thinking it should be in the Domain layer where all business objects and repository interfaces live, but I just want to make sure.

View 3 Replies


Copyrights 2005-15 www.BigResource.com, All rights reserved