Sunday, March 29, 2009

ASP.NET Security and Avoid Attack

1. Cross-site Scripting (CSS, XSS)
2. SQL Injection
3. Validate your User Inputs
4. Use Hashing to Store your Passwords
5. Store Secure Information in the Registry
6. Do Some Housekeeping before You Deploy Your Web Application
7. Use Sessions, but Not Cookie-less Sessions
8. Encrypt Sensitive Data

Common Web application attack types

1. SQL Injection -
a security vulnerability that occurs in the database layer of an application

2. Cross-Site Scripting

causes a user's Web browser to execute a malicious script

3. Web site defacement
occurs when a hacker breaks into a web server and alters the hosted website or creates one of his own

4. Buffer Overflow

hackers exploit buffer overflows by appending executable
instructions to the end of data and causing that code to be run after it has
entered memory

5. DoS - Denial of Service

an assault on a network that floods it with so
many additional requests that regular traffic is either slowed or completely
interrupted

6. Password Cracking

the process of recovering secret passwords from data
that has been stored in or transmitted by a computer system, typically, by
repeatedly verifying guesses for the password


In order to eliminate application security problems, developers have to
pay attention to security and have to code securely. In this paper we have
shown that ASP.NET, and now ASP.NET 2.0, integrates a number of defense
mechanisms that can be easily applied:
• Classes for SQL parameters that prevent SQL injection,
• Automatic request checking for cross-site scripting (XSS) attacks, and
• Custom error pages and centralized exception handling.
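The first three items in the list above (XSS, SQL injection, input validation) in working C#. This is an added example, not code from the original post: it assumes a People table with PersonId, FirstName and LastName columns and a connection string supplied by the caller, and the names PersonLookup, FindByLastName, IsValidName and RenderName are made up for the illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public static class PersonLookup
{
    // Item 3, validate input: accept only what a name can contain (letters, space,
    // apostrophe, hyphen) and cap the length. Validation is a first filter; it is
    // not a substitute for the parameterized query below.
    private static readonly Regex NamePattern = new Regex(@"^[\p{L} '\-]{1,100}$");

    public static bool IsValidName(string value)
    {
        return value != null && NamePattern.IsMatch(value);
    }

    // Item 2, the VULNERABLE shape: the user's text becomes part of the SQL
    // statement itself. A value containing a quote character changes the
    // statement the database parses. Shown only to contrast with the fix.
    public static string BuildVulnerableSql(string lastName)
    {
        return "SELECT PersonId, FirstName, LastName FROM People WHERE LastName = '" + lastName + "'";
    }

    // Item 2, the FIX: the SQL text is a constant and the value travels as a
    // typed SqlParameter, so the database never parses user input as SQL.
    public static DataTable FindByLastName(string connectionString, string lastName)
    {
        if (!IsValidName(lastName))
            throw new ArgumentException("last name failed validation");

        const string sql = "SELECT PersonId, FirstName, LastName FROM People WHERE LastName = @LastName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 100).Value = lastName;
            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);   // Fill opens and closes the connection itself
            }
            return table;
        }
    }

    // Item 1, XSS: when a stored value is written back into HTML, encode it so
    // the browser renders it as text and never as markup or script.
    public static string RenderName(string firstName, string lastName)
    {
        return "<span>" + HttpUtility.HtmlEncode(firstName + " " + lastName) + "</span>";
    }
}
```

ASP.NET's request validation (ValidateRequest) rejects many obviously dangerous inputs, but it only looks at the request; HtmlEncode on output is what protects a page that displays data which reached the database by some other route.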

JQuery

jQuery is another JavaScript library that eases JavaScript development, and it also (of course) includes some Ajax functionality.

jQuery is a lightweight JavaScript library that emphasizes interaction between JavaScript and HTML. It was released January 2006 at BarCamp NYC by John Resig.

Dual licensed under the MIT License and the GNU General Public License, jQuery is free, open source software.

Both Microsoft and Nokia have announced plans to bundle jQuery on their platforms: Microsoft is adopting it initially within Visual Studio, for use within Microsoft's ASP.NET AJAX framework and ASP.NET MVC Framework, whilst Nokia will integrate it into their Web Run-Time platform.


Features
jQuery contains the following features:

DOM element selections
DOM traversal and modification, (including support for CSS 1-3 and basic XPath)
Events
CSS manipulation
Effects and animations
Ajax
Extensibility
Utilities - such as browser version and the each function.
JavaScript Plugins

Wednesday, March 25, 2009

Using Stored Procedures in LINQ

CREATE PROCEDURE dbo.GetPeople
AS
Select PersonId, FirstName, LastName
From People
GO

CREATE PROCEDURE dbo.GetPersonByPersonId
@PersonId int
AS
Select PersonId, FirstName, LastName
From People
Where PersonId = @PersonId
Return
GO

using System;
using System.Configuration;
using System.Linq;

public class Program {

    // name of the connection string entry in app.config / web.config
    private static string _conn = ConfigurationManager.ConnectionStrings["lin@"].ConnectionString;

    public static void Main(string[] args) {

        // Blog is the LINQ to SQL DataContext that maps the two stored procedures above
        Blog db = new Blog(_conn);

        foreach (var person in db.GetPeople()) {
            Console.WriteLine("PersonId: {0} Name: {1} {2}", person.PersonId, person.FirstName, person.LastName);
        }

        // we maintain the expressiveness of linq
        var query = from p in db.GetPeople() orderby p.LastName select new { p.FirstName, p.LastName };

        foreach (var person in query) {
            Console.WriteLine("{0}, {1}", person.FirstName, person.LastName);
        }

        // calling a sproc which takes an arg
        var bart = db.GetPersonByPersonId(4).Single();
        Console.WriteLine("{0} {1}", bart.FirstName, bart.LastName);
    }
}

Monday, March 16, 2009

Different accessibility levels defined in .NET

public : Access is not restricted.

protected : Access is limited to the containing class or types derived from the containing class.

internal : Access is limited to the current assembly.

protected internal : Access is limited to the current assembly or types derived from the containing class.

private : Access is limited to the containing type. Classes outside the containing type cannot access its private members.

Only one access modifier is allowed for a member or type, except when using the protected internal combination.
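The five levels in one compilable file, as an added example that is not part of the original post. The classes Account, SavingsAccount and Report are invented for the illustration; the member accesses that would not compile are left as comments so the file builds as-is. From a least-privilege standpoint the rule is: start private, and widen only to the narrowest level that the caller actually needs.

```csharp
using System;

public class Account
{
    public string Owner = "alice";                  // public: reachable from anywhere
    protected decimal Balance = 100m;               // protected: this class and derived classes
    internal string AuditTag = "ledger-1";          // internal: any type in this assembly
    protected internal int Version = 1;             // same assembly OR derived classes
    private string apiKey = "constructed-secret";   // private: this type only

    // The only sanctioned way for unrelated code to read the balance.
    public decimal ReadBalance() { return Balance; }

    // Private state is still usable through a deliberate, narrow method.
    public bool HasKey() { return !string.IsNullOrEmpty(apiKey); }
}

public class SavingsAccount : Account
{
    public decimal ProjectedBalance(decimal rate)
    {
        Version++;                      // protected internal: derived class may touch it
        string tag = AuditTag;          // internal: same assembly, so reachable here
        // string k = apiKey;           // private to Account: does not compile
        return Balance * (1 + rate);    // protected: reachable from a derived class
    }
}

public class Report
{
    // Unrelated class in the same assembly.
    public string Describe(Account a)
    {
        // a.Balance (protected) and a.apiKey (private) would not compile here;
        // a.AuditTag and a.Version are reachable only because Report lives in the same assembly.
        return a.Owner + " " + a.AuditTag + " v" + a.Version + " balance " + a.ReadBalance();
    }
}

public static class AccessDemo
{
    public static void Main()
    {
        var s = new SavingsAccount();
        Console.WriteLine(new Report().Describe(s));          // alice ledger-1 v1 balance 100
        Console.WriteLine(s.ProjectedBalance(0.05m));         // 105.00
    }
}
```

If Report were compiled into a second assembly, the AuditTag and Version reads would stop compiling as well (Version would remain visible only to classes deriving from Account), which is exactly the difference between internal and protected internal.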

Sunday, March 8, 2009

ModalPopupExtender in AJAX

The ModalPopupExtender that this popup is attached to has a hidden TargetControl. The popup can also be shown from the server in the code behind.

<script type='text/javascript'>
function onCancel()
{
window.location = "../Pages/Home.aspx";
}
</script>



<div align="center">
<table align="center">
<tr>
<td align="center">

<br />
<asp:LinkButton ID="LinkButton1" runat="server" Text="Choose the Access Permission"></asp:LinkButton><br />
<br />
<div>
<br />
<asp:Panel ID="Panel1" runat="server" CssClass="modalPopup" Style="display: none" Width="233px">
<br />
<br />
<asp:Label ID="Label1" runat="server" Text="Access Permission" SkinID="HeaderLabel"></asp:Label>
<br />
<br />
<asp:Label ID="Label2" runat="server" Text="Access for :"></asp:Label>
<asp:DropDownList ID="ddlAccessFor" runat="server" AutoPostBack="True"
onselectedindexchanged="ddlAccessFor_SelectedIndexChanged" Width="140px">
</asp:DropDownList>
<br />
<br />
<div align="center">
<asp:Button ID="CancelButton" runat="server" Text="Cancel" />
</div>
<br />
<br />
</asp:Panel>
<br />
<ajaxToolkit:ModalPopupExtender ID="mdlPopup" runat="server"
TargetControlID="LinkButton1"
PopupControlID="Panel1"
BackgroundCssClass="modalBackground"
DropShadow="true"
CancelControlID="CancelButton"
OnCancelScript="onCancel()"
/>
</div>
</td>
</tr>
<tr><td>
<asp:Label ID="lblAccessfor" runat="server" ></asp:Label>
</td></tr>
</table>
<table>
<tr>
<td align="left" >
<asp:Label ID="lblFaculty" runat="server" Text="Faculty :" Visible="False"></asp:Label>
</td>
<td align="left">
<asp:DropDownList ID="ddlFaculty" runat="server" AutoPostBack="True"
onselectedindexchanged="ddlFaculty_SelectedIndexChanged" Visible="False"
Width="280px">
<asp:ListItem Value="0">-Select Faculty-</asp:ListItem>
</asp:DropDownList>
</td>
</tr>
<tr>
<td align="left" >
<asp:Label ID="lblDepartment" runat="server" Text="Department :" Visible="False"></asp:Label>
</td>
<td align="left">
<asp:DropDownList ID="ddlDepartment" runat="server" AutoPostBack="True"
onselectedindexchanged="ddlDepartment_SelectedIndexChanged"
Visible="False" Width="280px">
<asp:ListItem Value="0">-Select Department-</asp:ListItem>
</asp:DropDownList>
</td>
</tr>
<tr>
<td align="left" >
<asp:Label ID="lblAbbreviation" runat="server" Text="Abbreviation :"
Visible="False"></asp:Label>
</td >
<td align="left">
<asp:DropDownList ID="ddlAbbreviation" runat="server" AutoPostBack="True"
onselectedindexchanged="ddlAbbreviation_SelectedIndexChanged"
Visible="False" Width="180px">
<asp:ListItem Value="0">-Select Abbreviation-</asp:ListItem>
</asp:DropDownList>
</td>
</tr>
</table>
</div>
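A code-behind for the markup above, added here as an example and not taken from the original post. The page class name AccessPermission and the option values "Faculty" and "Department" for ddlAccessFor are assumed; the control IDs and the handler names are the ones declared in the markup. The point it demonstrates is the one the post alludes to: the drop-down inside the panel posts back (AutoPostBack="True"), the full postback re-renders Panel1 with display:none, and the dialog vanishes unless the server calls Show() again.

```csharp
using System;
using System.Web.UI;
using AjaxControlToolkit;

public partial class AccessPermission : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // nothing to do on first load: the popup opens client-side from LinkButton1
    }

    protected void ddlAccessFor_SelectedIndexChanged(object sender, EventArgs e)
    {
        string choice = ddlAccessFor.SelectedValue;

        // Echo the choice as text: HtmlEncode keeps a posted value from becoming markup.
        lblAccessfor.Text = "Access for: " + Server.HtmlEncode(choice);

        // Decide on the server which controls become visible. Visible="False" controls
        // are not rendered at all, so the client cannot post values for them; the
        // choice still has to be re-checked here because any field that is rendered
        // can be posted back with arbitrary values.
        bool needsFaculty = choice == "Faculty" || choice == "Department";   // assumed option values
        lblFaculty.Visible = needsFaculty;
        ddlFaculty.Visible = needsFaculty;

        // Re-open the dialog, otherwise the postback has just closed it.
        mdlPopup.Show();
    }

    protected void ddlFaculty_SelectedIndexChanged(object sender, EventArgs e)
    {
        // Value "0" is the "-Select Faculty-" placeholder from the markup.
        bool chosen = ddlFaculty.SelectedValue != "0";
        lblDepartment.Visible = chosen;
        ddlDepartment.Visible = chosen;
    }

    protected void ddlDepartment_SelectedIndexChanged(object sender, EventArgs e)
    {
        bool chosen = ddlDepartment.SelectedValue != "0";
        lblAbbreviation.Visible = chosen;
        ddlAbbreviation.Visible = chosen;
    }

    protected void ddlAbbreviation_SelectedIndexChanged(object sender, EventArgs e)
    {
        // Final selection made; any authorization decision based on it belongs here,
        // on the server, not in the page's JavaScript.
        if (ddlAbbreviation.SelectedValue != "0")
        {
            lblAccessfor.Text += " / " + Server.HtmlEncode(ddlAbbreviation.SelectedItem.Text);
        }
    }
}
```

The CancelButton needs no server handler: CancelControlID lets the extender close the panel client-side, and OnCancelScript then runs the onCancel() function from the script block.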

http://www.asp.net/ajax/ajaxcontroltoolkit/samples/modalpopup/modalpopup.aspx

Monday, March 2, 2009

Full Text Search in SQL Server 2005

Full text search is the search functionality that enables a fast and easy way of searching text based data in SQL Server.

Full-Text Search Queries
For the full-text search samples I created a table named Documents:

CREATE TABLE Documents(
[DocumentId] [int] IDENTITY(1,1) NOT NULL,
[Title] [nvarchar](1000) NOT NULL,
[Text] [nvarchar](max) NULL,
[FullText] [ntext] NULL,
CONSTRAINT PK_Documents PRIMARY KEY CLUSTERED
(
[DocumentId] ASC
)
)

Then I created the full-text catalog named FTCatalog:

CREATE FULLTEXT CATALOG FTCatalog

Enabled full-text indexing for the database by running sp_fulltext_database:

exec sp_fulltext_database 'enable'

Then I created the full-text index on the Documents table, keyed on its primary key and placed in the catalog created above:

CREATE FULLTEXT INDEX ON Documents
(
Title,
[Text],
[FullText]
)
KEY INDEX PK_Documents ON FTCatalog
WITH CHANGE_TRACKING AUTO

Creating the fulltext index will return a warning message:

Warning: Table or indexed view 'Documents' has full-text indexed columns that are of type image, text, or ntext. Full-text change tracking cannot track WRITETEXT or UPDATETEXT operations performed on these columns.

Population runs in the background, so before searching, check that the population status has gone back to idle (indexing finished) with the FULLTEXTCATALOGPROPERTY query below:

SELECT FULLTEXTCATALOGPROPERTY('FTCatalog', 'Populatestatus')


We can now run our first search query on the documents table.



CONTAINS

SELECT * FROM Documents WHERE CONTAINS(Text, N'songs')
This query returns the rows whose [Text] column contains the word "songs".

But when I run "SELECT * FROM Documents WHERE CONTAINS(Text, N'song')", the query returns no rows, since the [Text] column values do not contain the word "song" but the word "songs".

If you wish to search for more than one word you can use OR. But the syntax changes a little bit: N' "songs" OR "song" '

SELECT * FROM Documents WHERE CONTAINS(Text, N' "songs" OR "song" ');
The character "*" can be used as a prefix wildcard for zero or more characters. So I can get any word starting with "song":

SELECT * FROM Documents WHERE CONTAINS(Text, N' "song*" ');
The sample query below searches for all rows where the Text column contains an inflectional form of "song", such as "songs":

SELECT * FROM Documents
WHERE CONTAINS(Text, N' FORMSOF (INFLECTIONAL, song) ');
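The CONTAINS queries above have the search term written into the SQL text. When the term comes from a user, that is the same pattern as the SQL injection item from the first post: the text inside CONTAINS is a small language of its own (OR, AND, NEAR, "*", FORMSOF), and a user who types an operator changes the query. The added example below, which is not code from the original post, passes the condition as a parameter (CONTAINS accepts a variable for its search condition) and always wraps the user's text as a quoted phrase, so operators are searched for as words. It assumes the Documents table from this post and a caller-supplied connection string; DocumentSearch, ToPhrase, ToInflectional and TitlesMatching are invented names.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class DocumentSearch
{
    // Turn raw user text into a CONTAINS condition that is only ever a phrase.
    // A double quote cannot appear inside a full-text phrase, so it is replaced;
    // the surrounding quotes make OR, AND, NEAR and "*" plain words, not operators.
    public static string ToPhrase(string userText)
    {
        string cleaned = (userText ?? string.Empty).Replace('"', ' ').Trim();
        if (cleaned.Length == 0)
            throw new ArgumentException("search text must contain at least one word");
        return "\"" + cleaned + "\"";
    }

    // Same thing, but asking for inflectional forms ("song" also matches "songs"),
    // mirroring the FORMSOF query above.
    public static string ToInflectional(string userText)
    {
        return "FORMSOF (INFLECTIONAL, " + ToPhrase(userText) + ")";
    }

    // The SQL text is constant; only the parameter value varies per request.
    public static List<string> TitlesMatching(string connectionString, string condition)
    {
        const string sql = "SELECT Title FROM Documents WHERE CONTAINS([Text], @condition)";
        var titles = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@condition", SqlDbType.NVarChar, 4000).Value = condition;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    titles.Add(reader.GetString(0));
            }
        }
        return titles;
    }

    public static void Main()
    {
        // Constructed inputs: the second one contains an operator word on purpose.
        Console.WriteLine(ToPhrase("songs"));              // "songs"
        Console.WriteLine(ToPhrase("songs OR song"));      // "songs OR song"  (a phrase, not an OR)
        Console.WriteLine(ToInflectional("song"));         // FORMSOF (INFLECTIONAL, "song")
    }
}
```

Two caveats a practitioner will hit: a phrase made only of noise words (stop words) matches nothing rather than failing, and if you want the user to be able to combine terms with OR, build that combination yourself from separately quoted phrases instead of letting the raw text through.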


FREETEXT

The following query will find the given search criteria in a text such as "By alerting you to potentially unsafe attachments, ...". FREETEXT searches for all rows containing words related to the ones in the search terms, so "safe", "potential" and "attachment" also match "unsafe", "potentially" and "attachments".

SELECT * FROM Documents
WHERE FREETEXT(Text, N'safe potential attachment');

CONTAINSTABLE

CONTAINSTABLE has the functionality of ranking within our searches.

SELECT *
FROM Documents
INNER JOIN CONTAINSTABLE(Documents, [Text], 'songs') AS KEY_TBL
ON Documents.DocumentId = KEY_TBL.[KEY]


The last two columns in the result set, named "KEY" and "RANK", come from the table KEY_TBL returned by the CONTAINSTABLE function.

KEY is the primary key value of the matching row in the Documents table, and RANK is the search rank of the search term for that row. To see only these two columns, run the CONTAINSTABLE part alone:

SELECT * FROM CONTAINSTABLE(Documents, [Text], 'songs') AS KEY_TBL