ASP.NET 4.0 and its confliects with ASP.NET 2.0
How to secure my ASP.Net web Application (XSS)
mmm, I’m not good enough in wrting a good introduction to my posts, so i’m going to get into the point directly. How to write a secure ASP.Net web application.
I will show you in this post the most common attacks on ASP.Net applications and how to prevent these attacks to happen on our Application.
1) Cross site scripting(XSS)
is the most common attack, it represents about 85% from web sites attacks. XSS happens when the attacker tries to inject a java script in any input controls like textboxs for example then submit this input to the server.
example: try to input this code in a test page has a one textbox to take ur user name and a button to preview this username –
<script>alert("Hacked using XSS");</script> –
i hear someone says, hehehe, i can validate the input text to see if it contains the tag <script> or not !!
ok, please make ur check then compile, and enter this text in ur textbox and tell me the results
-<body onload="alert("Hacked too ??!!?");"> –
sure any attacker will not write these kind of scripts, s/he may get ur cookies values, may be s/he put a script on ur server which make an automatically redirect any user to any other page may be may be may be …
I think now it is clear what is XSS, but how can we secure our ASP.Net application aginst this famous attack? there are many good practices like,
- Make sure that ValidateRequest attribute in Page tag is always true ( try to make it true and try this attack again.
- Use HtmlEncode Method in HttpUtility class which applies HTML encoding to a specified string and return the encoded string not to be executed as a client-side script(try to set ValidateRequest=”False” and use HtmlEncode Method ).
- Don’t trust user’s input and always keep validating aginst any special characters in the input.
C u in the next post
Limitations on using Cookies
Make note of the following limitations when using Cookies (I’m not sure if that applies to all Web-technologies or just Asp.Net, but I’ve just solved a bug related to this issue using Asp.Net):
- A cookie size is limited to 4096 bytes. It is not much, so cookies should be used to store small amounts of data. For larger amounts of data
- Also, number of cookies is limited to 20 per website. If you make new cookie when you already have 20 cookies, browser will delete oldest one.
.NET Framework 3.5 Service Pack 1 has been released
ASP.NET in the .NET Framework 3.5 Service Pack 1 release includes numerous bug fixes. In addition, it includes features for the following:
- Enabling high-productivity data scenarios by using ASP.NET Dynamic Data.
- Supporting the browser navigation in ASP.NET AJAX applications by using ASP.NET AJAX browser history.
- Increasing the download speed for ASP.NET applications by using ASP.NET AJAX script combining.
More about .NET Framework 3.5 Service Pack 1, Press Here
How to create a multi-lingual web site Step By Step
As usual there are two ways to make a multi-lingual web site:
· The easy , beautiful and half functional way.
· The hard , ugly but full functional way.
We will go first through the common steps for the both ways
First create your ordinary web site with your VS
In the design view add one label and one button and leave them with their default values
From your solution explorer right click on your web site and click add new item and choose Resource File and rename it with you page name and extension (Default.aspx)
A Massage will pop for you asking for creating a Global Resources folder click no
Add a new folder with the name APP_LocalResources and put your Resource file on it
In the Label and the Button add new attribute meta:resourcekey=”ResourceName”
Add a new string value in the resource file with the same resource key name and add .Text like ResourceName.Text and give it the Default language value like English
Copy the resource file and rename the new one to the secondary language name like Default.aspx.as-EG.resx
Give the ResourceName for the button another values in the Arabic resource file like عربي
Here come the easy way
Set the Culture and UICulture to Auto from designer or from aspx file like Culture=”Auto” UICulture=”Auto”
And now just run you application , The Button and the label now should have the default language values from the resource file
Change the default language for you explorer (most explorers will be from Tools->Internet Options->Language(Button)
If the Arabic language is not already there add it and move it up
Now refresh you page and the label and button should change their text to عربي
That’s easy as you can see :d but what is the user don’t know about how to change the browsers language, then we should use the bit harder way and use a button to change the Culture and the UICulture values from the code.
*You need now to change the Culture information on the button Click event, But the problem here is that the culture information will be reset on the postback, so you can use whatever way to keep its value but here I will use cookies .
Now make a new class with name common and put it in the App_Code folder
Make a bool attribute with the name ISArabic like
public static bool IsArabic
{
get
{
if (Thread.CurrentThread.CurrentUICulture.Name == “ar-EG”)
return true;
else
return false;
}
}
Now on the button Click we will create a new cookie(if it doesn’t already exist) and give it the culture value just as fallows
HttpCookie myCookie = (HttpCookie)Request.Cookies[“Localization”];
if (myCookie == null)
myCookie = new HttpCookie(“Localization”);
Then we will set the cookie value acording to the current choosen culture
if (Common.IsArabic)
myCookie.Values[“Language”] = “en-US”;
else
myCookie.Values[“Language”] = “ar-EG”;
then we set the cookie and add it and Then we redirect to the same page
myCookie.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(myCookie);
Response.Redirect(Request.Url.AbsoluteUri);
Now add a new Item and choose Global Application Class
Add a new event called Application_BeginRequest and put the code which checks for the current culture on it just like that
void Application_BeginRequest(Object sender, EventArgs e)
{
HttpCookie myCookie = (HttpCookie)Request.Cookies[“Localization”];
if (myCookie != null)
{
//Read culture from cookie
System.Threading.Thread.CurrentThread.CurrentUICulture = new System.Globalization.CultureInfo(myCookie.Values[“Language”]); System.Threading.Thread.CurrentThread.CurrentCulture = System.Globalization.CultureInfo.CreateSpecificCulture(myCookie.Values[“Language”]);
}
else
{
//Create new default cookie
myCookie = new HttpCookie(“Localization”);
myCookie.Values.Add(“Language”, “en-US”);
myCookie.Expires = DateTime.Now.AddYears(1);
Response.Cookies.Add(myCookie);
//Set the thread default culture
System.Threading.Thread.CurrentThread.CurrentUICulture = new System.Globalization.CultureInfo(“en-US”);
System.Threading.Thread.CurrentThread.CurrentCulture = System.Globalization.CultureInfo.CreateSpecificCulture(“en-US”);
}
}
Don’t forget to remove the Auto values for the Culture And UICulture
Now everything should work just fine
You can now use the resource file and change strings, pictures and icons just according to the chosen language
source files could be found here
Another Solution to DateTime problems (.Net)
Now that I read th last post, I remembered another solution that can be implemented on the Application level rather than the implementing it in your SQL statements,
Of course we have three parts of the problem. The first is how to display dates without any problems; like misinterpretation (dates like 2/3/2007 & 3/2/2007, if you don’t know how your DB interpret dates) or throwing exceptions. The second is how to read user-input dates. The third is how to write dates to the DB in the right form & again without misinterpretation.
Displaying dates in the right form:
Remember that the problem is not just about the user misinterpret the displayed date, it’s also your problem when you come to next part. for eg when displaying dates for the user to edit.
In this part we have to display the date with an enforced format that’s:
string myDateFormat = ConfigurationManager.AppSettings[“myDateFormat”];
Date.ToString(myDateFormat);
This way we can enforce the date format we want & also it’s just a matter of configuration (just edit the configuration file to change the format of dates across a whole solution without rebuilding).
Reading user-input dates:
Now we come to last part, which much related to the previous part. Now after displaying the dates properly to the users, we need to make sure that the input of the user through editing the displayed ones or just typing new ones won’t be misinterpreted. the solution itself comes in two parts:
- First, the input field must be validated according to the same format we are using through the solution, better be by retrieving the format string from the configuration file as we did in the previous part (for the same reasons; allowing all-in-one configuration).
- Given that that enforced a When parsing the date, use “ParseExact” not “Parse” to parse your date.
DateTime myTime = DateTime.ParseExact(myStringTime, myDateFormat, null);
Writing dates to your DB:
Now that we have the properly parsed date we should format in like the format below while writing to the DB
“yyyy-MM-dd”
Enforce the above format when writing dates to DB. The format is the standard format that won’t be misinterpreted by the DB.
Conclusion:
Don’t use Date.Pasre(…), unparameterized Date.ToString(), always use Date.ParseExact(…), & parametrized Date.ToString(). This way our application won’t be affected by the date format of the machine it’s running on or that of the DB server it’s communicating with (either on the same machine or not).
.netBUTTON
.netBUTTON provides real-time dynamic button generation with results that look so attractive it is difficult to believe they were not individually hand crafted in Photoshop .
It works throw Dot Net 2005 ( for both desktop and web application controls ) .
It Supports ASP.NET validation controls .
it Sets text font, size and style along with color, background color and more .
See more features here .
“How Do I” Videos — ASP.NET
I’ve received that from Shawon, .NET Community founder
On this page you will find dozens of videos designed for all ASP.NET developers, from the novice to the professional. If you are new to ASP.NET, you can learn the basics of how to create dynamic web applications with ASP.NET 2.0 and Visual Web Developer 2005 Express Edition, using either Visual Basic or C#. If you have a bit of development experience, you will learn how to employ some of the great new features introduced in ASP.NET 2.0. New videos are added every week, so check back often.
More on http://msdn2.microsoft.com/en-us/asp.net/bb498194.aspx
Thanks Microsoft
Types of web site in ASP.NET 2.0
2- Local IIS Web sites .
4- Remote Web sites .
1-Local IIS Web sites :
First of all to create a local Web site:
- *you need to have administrative rights (Windows administrator) .
- *you must have IIS installed on your computer.
Local IIS Web sites store the pages and folders in the IIS default directory structure (that is, \Inetpub\wwwroot). By default, Visual Studio creates a virtual directory under IIS. However, you may create a virtual directory ahead of time and store the code for your Web site in any folder. The virtual directory just needs to point to that location. One important reason to create a local Web site is to test your application against a local version of IIS, for example, if you need to test such features as application pooling, ISAPI filters, or HTTP-based authentication. Even though a site is accessible from other computers, it’s often much easier to test these aspects of your application when you can see it interact with IIS on your computer.
2-File System Web Sites :
- *File system Web sites live in any folder you specify .The folder may be on your local computer or on another computer sharing that folder.
- *File system Web sites do not require IIS running on your computer. But , you run pages by using the Visual Studio Web server( Visual Studio 2005 includes its own built-in Web server. This lets you develop Web applications effectively even if you don’t have IIS installed on your development machine).
Form File System Web Sites advantage is you may develop your Web site on your computer even when logged on as a user without administrative rights. This scenario is only useful for developing and testing those features of your site that you develop. Because IIS is out here, you won’t be able to work with (or have to deal with) such IIS features as ISAPI filters, application pooling, or authentication.
3-FTP Web Sites :
Via Visual Studio you can create HTTP-based sites or manage Web sites available through an FTP server. For example, if you use a remote hosting company to host your Web site, an FTP offers a way to move files back and forth between your development location and the hosting location. You then use Visual Studio to manage the content on the remote FTP server.
- *You might use this option to test the Web site on the live server where it will actually be deployed.
- *By default, Visual Studio logs you in to the FTP server as an anonymous user. However, some FTP servers require you to provide a username and password. In that case, you can deselect the Anonymous Login option and then enter your username and password. The username and password are saved until you end the Visual Studio session.
4-Remote Web Sites
- *Remote Web sites use IIS on another computer that is accessible over a local area network.
- *To create this type of web site, FrontPage Server Extensions must be installed on the remote computer.
- *By default, a web application that you create on a remote server doesn’t have the permissions needed to change files in the web site at runtime. If an application needs to change a file, then, you’ll need to contact the system administrator about giving it the appropriate permissions.
This option is useful if you decide you want to test the Web site on its actual deployment server. In addition, the entire development team can work on the site simultaneously.
My source : http://en.csharp-online.net/How_to_Test_and_Debug_an_ASP.NET_Application%E2%80%94How_to_create_a_remote_IIS_web_site
Recent Comments
harry on How to make your controls… Internet Marketing E… on Building ASP.NET Reporting OLA… william on How to secure my ASP.Net web A… suchin on J2EE Design patterns Part… Mohamed Reda on Optimizing Hibernate Usage
FCIHelwan RSS- Building ASP.NET Reporting OLAP-Based Application Part-3
- Building ASP.NET Reporting OLAP-Based Application Part-2
- Building ASP.NET Reporting OLAP-Based Application Part-1
- ASP.NET 4.0 and its confliects with ASP.NET 2.0
- J2EE Design patterns Part 1
- Optimizing Hibernate Usage
- Happy BizTalk to you – part 2
- Introduction to XML
- Community Calender
- Handling Hibernate Session
FCI-Helwan blog 