Showing posts from March, 2012

Safe ASP.Net MVC application against cross site attacks - 2

Session Hijacking: ASP.Net identifies users by a session ID cookie, which is called ASP.Net_SessionId by default, and if we use Forms Authentication, a second cookie called .ASPXAUTH is used. If an attacker can obtain these cookies, they can include them in a request to our server and impersonate one of our users. By default the browser prevents JavaScript from one site from accessing the cookies of another site. But if the attacker has been able to inject a script into one of our pages, the browser believes that the script is part of our application and grants it access to the session cookies. We can protect our site by keeping a record of each client's IP address when a session starts, and denying any request that originates from a different IP. But you should avoid this technique when you deal with the public internet. We can mark a cookie with the HttpOnly flag, and the browser will hide its existence from JavaScript but will continue to send it with all HTTP requests. By d

Safe ASP.Net MVC application against cross site attacks - 1

Do you trust user input?!!!!!!! If your answer is YES, stop reading and do something else. If your answer is NO, I think reading this article may help you make your site more secure. Any user input can be a back door for an attacker to attack your site. The user inputs that we categorize as untrusted are:

- Incoming URLs, including Request.QueryString[] values
- Form post data (Request.Form[] values, including values from hidden fields and disabled fields)
- Cookies
- Data in HTTP headers (such as Request.UserAgent and Request.UrlReferrer)

Your site could be attacked by altering the query string, form values, or cookie data. The solution is not to prevent request manipulation but to check that each request is a legal request for the logged-in visitor. Cross-Site Scripting and HTML Injection: If an attacker can get our site to return some JavaScript to our visitors, then the attacker's script can take control of our visitors' browsing session and

5 tips to get started LINQ in C#

1-LINQ is not just for Iteration: LINQ (Language Integrated Query) is not just for querying a collection of objects; it is better to think of it as a data iteration engine. Suppose you call a method that returns data of some type that you need to convert to another type before passing it to another method. Assume you have a method A() that returns an array of integers and you need to pass this array to a method B() that accepts an array of strings. You would have to iterate over the array items, one by one, to convert them. But with LINQ you can do that with just one line of code: Int32[] nums = {23 , 45 , 65 , 23}; String[] numbers = nums.Select(i => i.ToString()).ToArray();

2-Use the var keyword: If you are confused about the type of the sequence your query returns and want to get your code to compile, use the var keyword. Your query will return an IEnumerable sequence of some type, but you don't know exactly what that type is, so the best choice is using var ke