How to defend against Cross Site Scripting with Microsoft .NET 4.5 AntiXss

One of the most common threats to websites is cross site scripting (XSS), in which a malicious user attempts to load content such as JavaScript or HTML into your website. This attack is typically carried out via a form input or a query string. XSS can have very nasty results, including content modification or, worse, hijacking of user account information. If you're asking yourself how you can possibly reduce the likelihood of this threat, the answer is simple: encode, and never trust user input under any circumstance. It is not that all users are attackers, but mistakes do happen, and if you never trust the input you will find that you are ahead of the game. There are three basic types of XSS vectors. Reflected: the injected code arrives as part of the request, either through input or output, and is reflected back in the response. Stored: the injection is stored in a persistent state on the target server, typically a database. DOM: the document object model attack is delivered via the HTTP response, which typically results from the stored attack vulnerability. A1-Injection description A1-Injection Injection flaws, such …

August 2012: .NET SQL Server Database Code Snippets

How many times have you looked for a piece of code you've written in the past? You probably search high and low on your hard drive, scouring through past projects and code files. Or maybe you've tried searching your source code control repository with unsuccessful results. How much time do you waste looking for a particular routine only to not find it, which then causes you to rewrite the routine all over again? Let's face it, as developers we beg, borrow, and steal as much code as we can in order to get our jobs done as quickly as possible. After all, the grand utopian vision of developers is code reuse – the ability to write blocks of code once and then reuse them again and again without having to rewrite them. But how often does that actually happen? Unfortunately, not often enough. Feel free to add the following snippets to your tool belt. /// <summary> /// Checks if a database exists /// </summary> /// <param name="Database">Name of the database</param> /// <param name="ConnectionString">Connection string</param> /// <returns>True if it exists, false otherwise</returns> public static bool DoesDatabaseExist(string Database, string ConnectionString) { return CheckExists("SELECT * FROM Master.sys.Databases WHERE name=@Name", Database, ConnectionString); } /// …

Find And Address Security Vulnerabilities With Tenable Nessus

Have you ever really stopped for a moment to consider just how vulnerable you are every time you turn on your computer? If your answer is no, I implore you to take security seriously: the threat is real, and the reality is that it is not difficult at all for a black hat (attacker) to find a vulnerability on your end and then possibly exploit it. HP's 2011 Top Cyber Security Risks Report states that while vulnerabilities are down over recent years, roughly 24% of recent vulnerabilities were classified as critical. The percentage is important because even though the number of vulnerabilities is decreasing, the fact that a quarter of them are classified critical poses a severe risk. For those of you that do not like to get into the weeds, the single best advice I can provide is to always check your software for updates and install them as soon as possible, in order to shorten the window during which an attacker could target you. At this point I want to take this conversation into the weeds by taking a close look at your computer, or even your home network, with Nessus. Introduction to Nessus Tenable states the Nessus vulnerability scanner is …

Series DropDownList: Cascading DropDownList

This is the second article on the subject of DropDownList. If for any reason you missed the earlier post titled Series DropDownList: Binding XML Data to a DropDownList, I would recommend that you take the time to read that post as well. In part two of this series I will focus on accomplishing cascading selections with your DropDownList. Since the bulk of the work was accomplished in DropDownList: Binding XML Data to a DropDownList, we will pick up from there. Web Form Here we will incorporate a small change from the previous example. Notice that in this example I have added a new event titled OnSelectedIndexChanged. <label for="ddlCountry">Country:</label> <asp:DropDownList ID="ddlCountry" runat="server" AutoPostBack="True" OnSelectedIndexChanged="ddlCountry_SelectedIndexChanged" Width="160px"> </asp:DropDownList> <label for="ddlRegion">Region:</label> <asp:DropDownList ID="ddlRegion" runat="server" AutoPostBack="True" OnSelectedIndexChanged="ddlRegion_SelectedIndexChanged" Width="160px"> </asp:DropDownList> <label for="ddlCity">City:</label> <asp:DropDownList ID="ddlCity" runat="server" Width="160px"> </asp:DropDownList> Code Behind Each selected index change event fires the appropriate method, which in turn makes a call back to the server, reads in the appropriate data, and binds it to our DropDownList. protected void ddlCountry_SelectedIndexChanged(object sender, EventArgs e) { ddlRegion.Items.Clear(); string strCountry = string.Empty; strCountry = ddlCountry.SelectedValue; List<string> list = null; if (ddlCountry.SelectedIndex != 0) { list = RetrieveDataFromXml.GetRegionByCountry(strCountry); if (list != null && list.Count != 0) …

Series DropDownList: Binding XML Data to a DropDownList

Who doesn't love XML? Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications, all gratis open standards. The design goals of XML emphasize simplicity, generality, and usability over the Internet. It is a textual data format with strong support via Unicode for the languages of the world. Although the design of XML focuses on documents, it is widely used for the representation of arbitrary data structures, for example in web services. Bottom line: XML is easily created, consumed, and understood. In this article we will focus on the basic idea of binding XML data to a DropDownList. When it is all said and done, your DropDownList will look similar to the following example. XML Source First we need an XML file. In this example we have XML that contains countries, regions, and cities. <?xml version="1.0" encoding="utf-8" ?> <Countries> <Country name="Korea"> <Region name="South Korea"> <City> Seoul </City> <City> Taegu </City> <City> Songtan </City> </Region> </Country> <Country name="USA"> <Region name="California"> <City> Los Angeles </City> <City> Bakersfield </City> <City> …