Channel: Security

Set relaxedUrlToFileSystemMapping true Does it pose a security risk?

Hi, we are having a problem with a URL parameter that contains the string "AUX". Looking for possible solutions, the suggestions indicate that you should set relaxedUrlToFileSystemMapping to true, but I am in doubt whether this implies security risks. I have been looking for some official reference, but I find nothing.

Here is the post that explains the problem in more detail.

http://haacked.com/archive/2010/04/29/allowing-reserved-filenames-in-URLs.aspx
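As an added example (not from the post or the linked article): with relaxedUrlToFileSystemMapping="true", ASP.NET stops rejecting URLs that are not valid Windows file-system paths, so segments such as AUX, CON, NUL, COM1 or LPT1 (and "aux.txt", which Windows also treats as the AUX device) reach your code. That is harmless for a route value or a query parameter. It only becomes a risk where a handler maps a URL segment onto a file path, because Path.Combine(root, "aux") then names the AUX device rather than a file. The check below rejects reserved device names and invalid characters before a segment is used as a file name; the class, method names and the root folder in the usage note are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;

public static class ReservedNames
{
    // Windows reserves these base names regardless of extension:
    // "aux", "AUX.txt" and "aux.tar.gz" all name the AUX device.
    private static readonly string[] Reserved =
    {
        "CON", "PRN", "AUX", "NUL",
        "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9"
    };

    // True when the segment is empty, is "." or "..", contains a character that can
    // never appear in a single file name (this covers '/' and '\' on Windows), or whose
    // part before the first dot (trailing spaces ignored) is a reserved device name.
    public static bool IsUnsafeFileName(string segment)
    {
        if (string.IsNullOrWhiteSpace(segment)) return true;
        if (segment == "." || segment == "..") return true;
        if (segment.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return true;

        int dot = segment.IndexOf('.');
        string baseName = (dot < 0 ? segment : segment.Substring(0, dot)).TrimEnd(' ');
        return Reserved.Contains(baseName, StringComparer.OrdinalIgnoreCase);
    }

    // Maps one URL segment to a file under root, refusing unsafe names first.
    // The name check must run before Path.GetFullPath: on .NET Framework that call
    // rewrites "C:\www\aux" into the device path "\\.\aux" instead of rejecting it.
    public static string ToSafePath(string root, string segment)
    {
        if (IsUnsafeFileName(segment))
            throw new ArgumentException("Reserved or invalid file name: " + segment);

        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(rootFull, segment));

        // Defence in depth: the result must still be inside root.
        if (!full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Path escapes root: " + segment);
        return full;
    }
}
```

Usage in a handler would be ReservedNames.ToSafePath(Server.MapPath("~/App_Data/uploads"), segment) (folder assumed). Where the value is never turned into a path, leaving relaxedUrlToFileSystemMapping="true" changes nothing security-wise; the check only matters on the code paths that touch the file system.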


HTTP Strict Transport Security (HSTS) and 301 Redirect in Global.asax

Hi,

I have recently moved my entire site over to HTTPS. I use rewriting in the Global.asax file to do this, inside the Application_BeginRequest block.  The code basically checks if the request is http and if it is then it does a redirect, adding 301 headers:

if (!HttpContext.Current.Request.IsSecureConnection)
{
    HttpContext.Current.Response.Clear();
    HttpContext.Current.Response.Buffer = true;
    HttpContext.Current.Response.Status = "301 Moved Permanently";
    // Redirect to the same path (and query string) on the configured HTTPS host
    HttpContext.Current.Response.AddHeader("Location", GetWebsiteUrl() + HttpContext.Current.Request.Url.PathAndQuery);
    HttpContext.Current.Response.End();
}

...so this all works great. However, now I need to get HSTS working. To do this I have added the following lines of code, which only applies to the response once it has been 301'd or is already on https:

// Browsers only honour Strict-Transport-Security on HTTPS responses, so it is added there only
if (HttpContext.Current.Request.Url.Scheme == "https")
    HttpContext.Current.Response.AddHeader("Strict-Transport-Security", "max-age=31536000");

...so this also seems to work fine. BUT the problem is that now every time someone requests the http: version of a page, the browser sends them straight to the https: version with a 307 internal redirect, which means the 301 is not being applied any more... which I think is a problem?

Can anyone explain if I am doing something wrong here or am missing something?

Thanks in advance,

Chris
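An added example, not Chris's code, putting the redirect and the HSTS header into one Application_BeginRequest handler with the checks a reviewer would ask for. The 307 seen in the browser is the browser's own synthetic redirect: once it has cached the HSTS policy it never sends the http:// request at all, so the server-side 301 is only ever seen by first-time clients, clients whose policy has expired, and non-browser tools, which is the intended division of labour. The class name, the canonical host name and the assumption that a trusted proxy sets X-Forwarded-Proto are mine; Response.Clear/End from the post are replaced by CompleteRequest, which ends the pipeline without Response.End's ThreadAbortException.

```csharp
using System;
using System.Web;

// Global.asax.cs: HTTP->HTTPS redirect and HSTS in one place (added example).
public class Global : HttpApplication
{
    private const string CanonicalHost = "www.example.com";                   // assumed
    private const string HstsValue = "max-age=31536000; includeSubDomains";   // add "; preload" only once every subdomain is HTTPS-only

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        HttpResponse response = Context.Response;

        if (IsHttps(request))
        {
            // RFC 6797: clients ignore the header on plain HTTP, so send it only here.
            response.AppendHeader("Strict-Transport-Security", HstsValue);
            return;
        }

        // A POST that arrived over HTTP has already exposed its body; refuse it
        // rather than re-submitting it over HTTPS with a 307/308.
        if (request.HttpMethod != "GET" && request.HttpMethod != "HEAD")
        {
            response.StatusCode = 403;
            response.SuppressContent = true;
            CompleteRequest();
            return;
        }

        // Build the target from a configured host, not from the Host header, so a
        // forged Host header cannot turn this redirect into an open redirect.
        response.StatusCode = 301;
        response.RedirectLocation = "https://" + CanonicalHost + request.Url.PathAndQuery;
        response.SuppressContent = true;
        CompleteRequest();
    }

    // IsSecureConnection is false when TLS terminates on a load balancer in front of IIS.
    // Trust X-Forwarded-Proto only if that proxy overwrites it on every request (assumed here).
    private static bool IsHttps(HttpRequest request)
    {
        if (request.IsSecureConnection) return true;
        return string.Equals(request.Headers["X-Forwarded-Proto"], "https", StringComparison.OrdinalIgnoreCase);
    }
}
```

To see the server-side 301 again after the browser has cached the policy, use a client that does not keep HSTS state (curl -I http://host/path) or clear the site's HSTS entry in the browser; the 307 in DevTools is not evidence that the 301 stopped working.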

LdapConnection using LDAPS port 636 and OU?

Hi all,

the code below works but I need to use LDAPS (on port 636) and OUpath="UsersPath".

What do I need to change to get LDAPS and OUPath working?

// Requires: using System.DirectoryServices.Protocols; using System.Net;
private const int ldapErrorInvalidCredentials = 49;   // LDAP result code invalidCredentials

private static bool ValidateCredentials(string username, string password, string domain)
{
    try
    {
        // Port 636 is LDAPS: TLS is negotiated before any LDAP message, which is what
        // SecureSocketLayer = true requests. StartTls (port 389) is not used together with it.
        using (var ldapConnection = new LdapConnection(new LdapDirectoryIdentifier("1sttouch.local", 636)))
        {
            ldapConnection.SessionOptions.SecureSocketLayer = true;
            ldapConnection.AuthType = AuthType.Negotiate;
            var networkCredential = new NetworkCredential(username, password, domain);
            ldapConnection.Credential = networkCredential;
            // Without Bind() nothing is sent to the server and the method returns true
            // for any password; Bind() throws LdapException when the credentials are rejected.
            ldapConnection.Bind();
        }
        return true;
    }
    catch (LdapException ldapException)
    {
        if (ldapException.ErrorCode == ldapErrorInvalidCredentials)
            return false;
        throw;
    }
}

another weird IIS authentication issue

I have been working on a C# web service that someone else created and I feel like I have an understanding of how the authentication works; however, I always manage to find some weird issue that isn't addressed by the typical MSDN articles. The authentication in my web.config file is set to Windows mode. However, in the IIS manager the Authentication for the Default Web Site is set to Anonymous Authentication. The result is that when I try to test the app using my localhost I get a pop-up screen asking for a username and password, but there does not seem to be a username and password combination that it will accept, and I always get the Error 403 - Forbidden page.

The support articles and all the help I can find seem to suggest that it is as simple as going into IIS and selecting another Authentication mode. The problem is that under my IIS management I only have the option for Anonymous Authentication. I can enable it or disable it, but I do not have any other choices listed. I haven't found any other references to this specific issue. Would appreciate it if anyone can explain what is going on.

Identity not authenticating, Web Forms project.

I am trying to implement ASP.NET Identity in a Web Forms project, but the UserManager is returning null even though there is an active record in the system.

// Requires the Microsoft.AspNet.Identity, Microsoft.AspNet.Identity.EntityFramework
// and Microsoft.Owin.Host.SystemWeb packages.
protected void SignIn(object sender, EventArgs e)
{
    // The parameterless UserStore uses an IdentityDbContext on the "DefaultConnection"
    // connection string, so the Identity tables must exist in that database.
    var userStore = new UserStore<IdentityUser>();
    var userManager = new UserManager<IdentityUser>(userStore);

    // Find() returns null for an unknown user name and for a wrong password alike.
    // It verifies against the stored PasswordHash, so a row inserted by hand with
    // a plain-text password never matches.
    var user = userManager.Find(txtEmail.Text, txtPassword.Text);

    if (user != null)
    {
        var authenticationManager = HttpContext.Current.GetOwinContext().Authentication;
        var userIdentity = userManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);

        authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = false }, userIdentity);
        Response.Redirect("~/Login.aspx");
    }
    else
    {
        // Show one generic "invalid user name or password" message; do not say which was wrong.
    }
    // No try/catch around this: an exception here (missing table, bad connection string)
    // should surface rather than be silently swallowed.
}

I added the SQL Server connection string instead of LocalDB, and the tables are there with the correct user in them.

<add name="DefaultConnection" connectionString="Data Source=DESKTOP-JHIMUM4\SQLEXPRESS2014;Initial Catalog=solitude;Integrated Security=True" providerName="System.Data.SqlClient" />

Edge problems with web config authorization rules

Hi. I have an ASP.NET Web Forms application. I want all users, even unauthorized ones, to be able to access a page "AllowAccess.aspx".

In web config I have

<location path="Public/AllowAccess.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

This is working on IE, Chrome and Firefox. But on Edge it is not working. When I access this page I am prompted for a user name and password.

Is it Edge problem or maybe I'm doing something wrong?

IE 11 Issue

Hi,

We have an ASP.NET MVC 3 C# web application. The application is working fine on Chrome and Firefox and some versions of Internet Explorer like IE9 and IE10.

But on IE11, after a successful login, when we click on any link or button it kicks us out to the login page. On some IE 11 versions it works fine.

Following are the solutions we tried,

1) Updated web.Config cookieless="UseCookies"

2) Added <meta http-equiv="X-UA-Compatible" content="IE=11" /> tag in header.

3) Added app browser BrowserFile.browser 

Please advise whether there is any setting for the above.

Regards!

Am I on the right track for LDAP querying?

Hi, 
Brand new to MVC and LDAP. I'm having problems understanding how to go about a project. The past submissions I have read mainly deal with authentication, something I don't need to do.

What I need to figure out

-Connect to an Active Directory server using LDAP.
-Create text box for user input 
-Take user input and query the server using the value entered. For example the input will be something called an i-Number, a unique id for computers/laptops.
-Return user data based on user input from the server. 

What I've figured out
-I created a class that can return data from the server, but only to the console. I'm having trouble knowing where to place the code in MVC.

How to do this (I think) 
-Connect using connection string in Web.config(?) I think I'm wrong on this one. 
-Create input box in one of the views. 
-Create a model. The controller receives the model. Not too sure why exactly. 

Mainly I am confused where do you put the connection part for the LDAP server and how to pass the user input along and return some data. 

Secondly, is MVC 5 appropriate for this project? I will need to port over some Web Forms code in the future and I felt MVC would allow good practices for maintainability.
I read somewhere that API would be better for my use cases. 

Cheers for any advice! 
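One added example serving both the "LdapConnection using LDAPS port 636 and OU?" post above and this one (it is not code from either poster): an LDAPS bind followed by a search scoped to one OU, where the value that came from a text box is escaped before it goes into the filter. Without that escaping a value such as *)(objectClass=* rewrites the query (LDAP injection). The host name is the one from the earlier post; the OU's distinguished name, the attribute name and the service-account handling are assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

public static class LdapDirectory
{
    private const string Host = "1sttouch.local";                            // from the LDAPS post
    private const int LdapsPort = 636;
    private const string SearchBase = "OU=UsersPath,DC=1sttouch,DC=local";   // assumed DN for OUpath="UsersPath"
    private static readonly Regex AttributeName = new Regex("^[A-Za-z][A-Za-z0-9-]*$");

    // Escapes a value for use inside a search filter (RFC 4515 section 3): the
    // characters * ( ) \ and NUL, plus control and non-ASCII bytes, become \xx so the
    // value is matched literally and cannot change the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            switch (b)
            {
                case (byte)'*':  sb.Append("\\2a"); break;
                case (byte)'(':  sb.Append("\\28"); break;
                case (byte)')':  sb.Append("\\29"); break;
                case (byte)'\\': sb.Append("\\5c"); break;
                default:
                    if (b < 0x20 || b > 0x7e) sb.Append('\\').Append(b.ToString("x2"));
                    else sb.Append((char)b);
                    break;
            }
        }
        return sb.ToString();
    }

    // Opens an LDAPS connection, binds with the given account, and returns the
    // distinguishedName of the first object under SearchBase whose attribute equals
    // value, or null when nothing matches.
    public static string FindDn(NetworkCredential bindAs, string attribute, string value)
    {
        // Attribute names are code constants, never user input; refuse anything else.
        if (!AttributeName.IsMatch(attribute))
            throw new ArgumentException("Invalid attribute name", "attribute");

        var server = new LdapDirectoryIdentifier(Host, LdapsPort, true, false);
        using (var connection = new LdapConnection(server))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            // LDAPS: TLS before the first LDAP message. Do not also call StartTransportLayerSecurity.
            connection.SessionOptions.SecureSocketLayer = true;
            // Leave SessionOptions.VerifyServerCertificate unset: a callback that just returns
            // true accepts any certificate and makes the tunnel interceptable.
            connection.AuthType = AuthType.Negotiate;
            connection.Bind(bindAs);   // throws LdapException (ErrorCode 49) on bad credentials

            string filter = "(" + attribute + "=" + EscapeFilterValue(value) + ")";
            var request = new SearchRequest(SearchBase, filter, SearchScope.Subtree, "distinguishedName");
            request.SizeLimit = 1;
            var response = (SearchResponse)connection.SendRequest(request);
            return response.Entries.Count == 0 ? null : response.Entries[0].DistinguishedName;
        }
    }
}
```

For the MVC lookup, the controller passes the model's text-box value to a service class that calls LdapDirectory.FindDn(serviceAccount, "sAMAccountName", input) (attribute assumed; use whichever attribute holds the i-Number). The bind account should be a dedicated read-only service account whose credentials live in web.config under protected configuration (aspnet_regiis -pe), not the browsing user's password. Scoping the search to the OU also limits what a malformed or over-broad query can return.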


String in memory

I have this code:

Char[] secretKey = "theSecretKey".ToCharArray();

My question is, am I exposing the string "theSecretKey" in memory, or won't it, and will it just create a char array in memory? Thanks!
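The mechanics behind the question, as an added example that is not part of the post: a string literal is stored in the assembly's metadata (readable with a hex editor or ildasm before the process even starts) and interned on the managed heap when loaded, and ToCharArray() allocates a second, independent copy. So that line leaves the secret in memory twice. A char[] you own can be zeroed once it has been used; a string cannot. The helpers below show that distinction and a SecureString pattern for a secret that arrives as a char[] from somewhere other than a literal; the value "theSecretKey" is the one from the post, everything else is illustrative.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;

public static class SecretHandling
{
    // The copy is independent of the literal: changing it leaves the string intact,
    // and nothing in the runtime lets you zero the string afterwards.
    public static bool CopyIsIndependent()
    {
        string secret = "theSecretKey";
        char[] copy = secret.ToCharArray();
        copy[0] = 'X';
        return secret[0] == 't' && copy[0] == 'X';
    }

    // A char[] you control can be wiped as soon as it has been used.
    public static void Wipe(char[] buffer)
    {
        if (buffer != null) Array.Clear(buffer, 0, buffer.Length);
    }

    // Move a secret read into a char[] (from DPAPI-protected config, a vault client,
    // a file) into a SecureString, then wipe the source buffer.
    public static SecureString ToSecureString(char[] source)
    {
        var secure = new SecureString();
        try
        {
            foreach (char c in source) secure.AppendChar(c);
            secure.MakeReadOnly();
            return secure;
        }
        finally
        {
            Wipe(source);
        }
    }

    // Expose the plaintext only as unmanaged UTF-16 memory for the duration of `use`,
    // then zero and free it. Converting SecureString to string here would recreate
    // exactly the heap copy the class exists to avoid.
    public static T WithPlaintext<T>(SecureString secure, Func<IntPtr, int, T> use)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure);
            return use(ptr, secure.Length);
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    // Typical consumer: produce the UTF-8 bytes for an HMAC or KDF and wipe the
    // intermediate char[]. The caller must Array.Clear the returned byte[] after use.
    public static byte[] ToUtf8Bytes(SecureString secure)
    {
        return WithPlaintext(secure, (ptr, length) =>
        {
            char[] chars = new char[length];
            Marshal.Copy(ptr, chars, 0, length);
            try { return Encoding.UTF8.GetBytes(chars); }
            finally { Wipe(chars); }
        });
    }
}
```

None of this helps if the secret starts life as a literal in source: it still ships inside the DLL. Keep keys out of the assembly (protected configuration, DPAPI, a key store) and load them into a buffer you can wipe.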

Security Implementation For MVC web and web API

I want to develop the security module for authorization and authentication for my MVC web site and Web API. Currently we have only one web site, but in future we will have more web sites and apps. The web site and the API will be hosted on different servers. We want single sign-on functionality for the webs and the API. All the web sites will call the same API.

Should I write my own custom code to create the cookie and handle authorization & authentication? In this custom code I would generate a JWT token from the web and send it to the web server and the API.

Or should I use OWIN and other stuff? Kindly suggest what to do. If it is OWIN, then how can I create the custom token cookie?

Restrict a user to one page or folder only

Hi All, this is my first post for a LONG time!

I am having some difficulty understanding Authentication/Authorization and could do with some help...
I have tried looking in various forums and found plenty of threads on the subject but nothing I have tried has worked...
So now I am posting my specific problem in the hope that someone with more knowledge than me can point me in the right direction.

(I am an experienced programmer but no expert in web technology!)

I am using Windows Authentication as my application is only for the employees of my customer.
They have now asked me to allow an external user to have access to a specific page that I have recently created.
My initial idea was to get my customer to create a 'guest' account that the external user could use to login with.
I would then deny access to everything except the page (or more simply anything in a directory).

Here's the relevant part of my Web.config (the one in my Test environment)

I was hoping this would prevent me ('d.mcreynolds') from accessing anything except pages in the 'Project' location.
However, it doesn't have any effect at all?!
I'm pretty sure I'm not doing this right but I can't find out how it should be done!

<system.web>

<authentication mode="Windows" />
<authorization>

<deny users="d.mcreynolds" />
<deny users="?" />

</authorization>

</system.web>

<location path="Project">
<system.web>
<authorization>
<allow users="d.mcreynolds" />
</authorization>
</system.web>
</location>

Many thanks in advance for anyone who can help

David
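An added example, not David's own configuration, with the one change that makes the rules take effect and a check worth doing before trusting them. Under Windows authentication User.Identity.Name is the DOMAIN\user form, and the users="" attribute is compared against that string, so "d.mcreynolds" on its own never matches anyone. CORP below is an assumed domain name; the rules are otherwise the ones from the post, with the default allow made explicit.

```xml
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <!-- Rules are evaluated top-down and the first match wins.
         The name must be the DOMAIN\user form that Windows authentication produces. -->
    <deny users="CORP\d.mcreynolds" />
    <deny users="?" />
    <allow users="*" />
  </authorization>
</system.web>

<!-- Rules in a <location> are evaluated before the parent's rules, so this allow
     wins for anything under /Project while the root deny still covers the rest. -->
<location path="Project">
  <system.web>
    <authorization>
      <allow users="CORP\d.mcreynolds" />
    </authorization>
  </system.web>
</location>
```

Two checks before handing the guest account out: print User.Identity.Name on a page to confirm the exact string to put in users=""; and remember that UrlAuthorization only runs for requests ASP.NET handles, so static files (images, PDFs) in other folders are still served to that account unless the managed modules are applied to all requests (runAllManagedModulesForAllRequests="true" in <modules>) or IIS-level authorization rules are added for them.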

Changing from the ASP.NET Identity security model to OpenID

I initially set up my web app to use ASP.NET Identity, so my database had the necessary AspnetUsers, AspnetRoles, AspnetUserClaims tables, etc.

After changing the model to use single sign-on (Azure Active Directory), data migrations removed all the above tables and created just one UserTokenCaches table.

Is this correct behaviour? I will obviously need to be able to restrict access to parts of my app depending on the role of the authenticated user (RBAC), so will I have to provide my own mechanisms for this (tables & code)? I was hoping I could have used parts of standard Identity to track what users could do without having to write too much of this stuff myself.

FormsAuthentication + MVC

Has anyone implemented FormsAuthentication in MVC? In my implementation User.Identity.Name becomes blank after redirect. My app is hosted on shared hosting and the issue arises on the server only. Looking forward to the reason / solution.

override AD login authentication

I am making some changes to a web application (C#, MVC) that currently uses AD authentication to log in. The Startup.Auth.cs determines that an account/login page loads initially and the controller handles the AD lookup. What I would like to do is override/ignore access by login for scenarios such as running the application in dev mode. How would I do this while retaining AD authentication for normal access?

ClickOnce application and false positive

I have some ClickOnce applications published using the publish wizard on a network folder.

Those applications work fine, no problem. But where I also have Trend Micro OfficeScan installed, it reports the application as 'ransomware', which is of course false.

I also have some applications that do not give those false positives.

Is there something I need to do to make them all work?

Implement HPKP in ASP.Net MVC Site

Hello,

I have learned about HPKP recently and I wanted to know how to correctly implement this in an MVC application.

Thanks in-advance.

DMZ account app pool identity from web server to SQL Server

We have a very strange problem on our production web app. Our web application is external facing and uses impersonation for the app pool identity using a DMZ account. However, randomly we see our application crashing while a user is trying to log in to the application. We get an exception as shown below:

As you can see when the authenticate method is called we get a failure indicating:

Is authenticated: False
Authentication Type:
Thread account name: DMZ account

It appears as though SQL Server randomly does not allow the ASP.NET app pool identity, which is the DMZ account, to connect. This happens intermittently, not always. The ASP.NET application impersonates the pool identity; however, it connects to SQL Server via a SQL login.

The weirdest thing is that if we connect to the production server from Visual Studio, it connects to the same production SQL Server OK and the production site magically starts working! It's almost as if the local domain account that Visual Studio impersonated unlocked the production DMZ account.


Exception information:
Exception type: NullReferenceException
Exception message: Object reference not set to an instance of an object.
at eCertsFormsAdmin.ControllerBase.OnException(ExceptionContext filterContext)
at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)



Request information:
Request URL: https://appurl:443/Home/Authenticate?param={'AccessCode' :'demo', 'UserName' :'user'}
Request path: /Home/Authenticate
User host address: web server ip address
User:
Is authenticated: False
Authentication Type:
Thread account name: DMZ account

Thread information:
Thread ID: 5
Thread account name: DMZ account
Is impersonating: True
Stack trace: at eCertsFormsAdmin.ControllerBase.OnException(ExceptionContext filterContext)
at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Custom event details:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ASP.NET 4.0.30319.0" />
<EventID Qualifiers="32768">1309</EventID>
<Level>3</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-03-28T13:56:18.000000000Z" />
<EventRecordID>425417</EventRecordID>
<Channel>Application</Channel>
<Computer>Web server</Computer>
<Security />
</System>
<EventData>
<Data>3005</Data>
<Data>An unhandled exception has occurred.</Data>
<Data>3/28/2017 9:56:18 AM</Data>
<Data>3/28/2017 1:56:18 PM</Data>
<Data>3accff4bebb74aa5823c9d05fe7ae5c0</Data>
<Data>135</Data>
<Data>4</Data>
<Data>0</Data>
<Data>/LM/W3SVC/6/ROOT-1-131351820594338174</Data>
<Data>Full</Data>
<Data>/</Data>
<Data>C:\www\apppath\</Data>
<Data>Web server</Data>
<Data>
</Data>
<Data>6768</Data>
<Data>w3wp.exe</Data>
<Data>GTSDMZ\eValid</Data>
<Data>NullReferenceException</Data>
<Data>Object reference not set to an instance of an object.
at eCertsFormsAdmin.ControllerBase.OnException(ExceptionContext filterContext)
at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.&lt;&gt;c__DisplayClass25.&lt;BeginInvokeAction&gt;b__22(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.&lt;&gt;c__DisplayClass1d.&lt;BeginExecuteCore&gt;b__18(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.&lt;&gt;c__DisplayClass4.&lt;MakeVoidDelegate&gt;b__3(IAsyncResult ar)
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.&lt;&gt;c__DisplayClass4.&lt;MakeVoidDelegate&gt;b__3(IAsyncResult ar)
at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.&lt;&gt;c__DisplayClass8.&lt;BeginProcessRequest&gt;b__3(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.&lt;&gt;c__DisplayClass4.&lt;MakeVoidDelegate&gt;b__3(IAsyncResult ar)
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)

</Data>
<Data>https://appurl:443/Home/Authenticate?param={'AccessCode' :'demo', 'UserName' :'user', }</Data>
<Data>/Home/Authenticate</Data>
<Data>server ip</Data>
<Data>
</Data>
<Data>False</Data>
<Data>
</Data>
<Data>DMZ account</Data>
<Data>5</Data>
<Data>DMZ account</Data>
<Data>True</Data>
<Data> at OurApp.ControllerBase.OnException(ExceptionContext filterContext)
at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.&lt;&gt;c__DisplayClass25.&lt;BeginInvokeAction&gt;b__22(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.&lt;&gt;c__DisplayClass1d.&lt;BeginExecuteCore&gt;b__18(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.&lt;&gt;c__DisplayClass4.&lt;MakeVoidDelegate&gt;b__3(IAsyncResult ar)
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.&lt;&gt;c__DisplayClass4.&lt;MakeVoidDelegate&gt;b__3(IAsyncResult ar)
at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.&lt;&gt;c__DisplayClass8.&lt;BeginProcessRequest&gt;b__3(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.&lt;&gt;c__DisplayClass4.&lt;MakeVoidDelegate&gt;b__3(IAsyncResult ar)
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
</Data>
</EventData>
</Event>

Our Environment:

Windows 2008 R2 Enterprise
IIS 7.5
Web server is in DMZ

Ways to reduce dependency on Thread.CurrentPrincipal.Identity.Name in service layer!

Hi all, I have inherited a rather, shall we say, organic project for which I have been asked to improve authorization and authentication to the Web API. For that I have used OAuth2 and Identity 2, which is all good, BUT for some bizarre reason the service layer of this project has a dependency on Thread.CurrentPrincipal.Identity.Name, which I think is a bad idea as it makes it massively problematic to decouple this layer; ideally it should be passed in as a property, in my opinion. Unfortunately there is no concept of dependency injection in this project and I certainly cannot rewrite everything to accommodate it. So my question is, does anyone have any idea how best I could get around the Thread.CurrentPrincipal.Identity.Name problem?

I am thinking of maybe a base class that all services inherit from that has a property for the name, but is there a way that I can set this without having to set it on every instantiation of every single class that inherits the base class? Is there a way to globally set it some other way?

Allow access to specific pages based on role.

Hello All,

I have a current project that is working as expected. I use ADFS to authenticate the users to a simple ASP.NET site. This is not MVC. I used an empty site and then created the pages. After the ADFS authentication I want to restrict what pages are available based on their AD account, admin or user. I have researched myself into stupidity at this point and am not sure how to get this working. My setup includes Windows 2012 R2, SQL 2014 Enterprise and IIS (not Express). I have read that this requires a database to store the roles and users. However, I am unsure how to set this up in the project. Others have mentioned that once I create the roles, I should just use IsInRole(role) and add it to my web.config; this was the example provided:

<location path="Page.aspx">
  <system.web>
    <authorization>
      <allow roles="Admin, OtherAdmin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

I only need two roles, admins and users. I believe I have the claim rule setup correctly in my relying trust.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

I am stuck on how to implement the database and create the roles, associate that with the project and have the AD account role limit the user's view in the site. Any help would be greatly appreciated. One point to keep in mind is that I have never coded nor do I have any experience with ASP.NET; this is my first project. Thanks in advance.
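An added example, not the poster's code, showing why no role database is needed for this case. After ADFS sign-in, WIF puts a ClaimsPrincipal on Page.User, and ClaimsPrincipal.IsInRole compares against claims of the role claim type, which is the same http://schemas.microsoft.com/ws/2008/06/identity/claims/role URI the claim rule in the post uses (ClaimTypes.Role in code). So web.config roles="" and IsInRole work as soon as the group claims arrive in the token. Two things to confirm first: an add(...) rule only places claims into the pipeline, so the relying-party trust also needs an issue rule (the "Send Group Membership as a Claim" or pass-through templates do this) for the groups to reach the application; and the exact values ADFS emits should be read off a claims dump rather than guessed. The group name and user name below are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

public static class AdfsRoles
{
    public const string RoleClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"; // == ClaimTypes.Role
    public const string AdminGroup = @"CORP\AppAdmins";   // assumed; take the value from Roles() on a real login

    // Page-level check: ClaimsPrincipal.IsInRole looks at the role claims, so this
    // is the same test the web.config <allow roles="..."> rule performs.
    public static bool IsAdmin(IPrincipal user)
    {
        return user != null && user.IsInRole(AdminGroup);
    }

    // Diagnostic: the role values this principal actually carries. Put the result on a
    // page once to see what ADFS sends before writing any authorization rule.
    public static string[] Roles(IPrincipal user)
    {
        var principal = user as ClaimsPrincipal;
        if (principal == null) return new string[0];
        return principal.FindAll(RoleClaim).Select(c => c.Value).OrderBy(v => v).ToArray();
    }

    // A principal shaped like the one WIF builds from an ADFS token (constructed, for
    // local runs and tests): the identity's role claim type is what makes IsInRole work.
    public static ClaimsPrincipal SamplePrincipal(params string[] groups)
    {
        var identity = new ClaimsIdentity("Federation", ClaimTypes.Name, RoleClaim);
        identity.AddClaim(new Claim(ClaimTypes.Name, @"CORP\jdoe"));
        foreach (string group in groups)
            identity.AddClaim(new Claim(RoleClaim, group));
        return new ClaimsPrincipal(identity);
    }
}
```

With that in place the web.config fragment from the post becomes <allow roles="CORP\AppAdmins" /> followed by <deny users="*" /> inside a <location> for each admin page, and AdfsRoles.IsAdmin(Page.User) hides admin links in the pages themselves. A role table is only required for roles that do not correspond to an AD group.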

Need help with Mixed Authentication

Dears,

Greetings,

I have an issue with my application when I try to use mixed authentication.

I created a page to allow the user to be authenticated via Active Directory and get the Employee ID (an attribute stored in AD), and created Forms Authentication to store the Employee ID, but when I try to use Page.User.Identity.Name it returns the AD username.

Please i need your support

Thank you.
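An added example of the pattern the post describes (not the poster's code): the application validates the password against AD itself, issues a forms ticket, and carries the Employee ID in the ticket. Page.User.Identity.Name returns whatever was placed in the ticket's name field, so the choice is explicit: keep the AD user name there (useful for logs) and read the Employee ID from UserData as below, or pass the Employee ID as the name instead. One deployment check: for this to work, Windows Authentication must be disabled for the application in IIS (Anonymous only). With the integrated pipeline, enabling both produces the "Challenge-based and login redirect-based authentication cannot be used simultaneously" error, and with classic mode the Windows identity can be the one that reaches the page. The domain name and ticket lifetime are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;
using System.Web.Security;

public static class MixedAuth
{
    private const string Domain = "CORP";   // assumed NetBIOS domain name

    // Validates the password against AD and returns the employeeID attribute,
    // or null when the credentials are wrong or the attribute is not set.
    public static string ValidateAndGetEmployeeId(string username, string password)
    {
        using (var context = new PrincipalContext(ContextType.Domain, Domain))
        {
            if (!context.ValidateCredentials(username, password, ContextOptions.Negotiate))
                return null;

            using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username))
            {
                if (user == null || string.IsNullOrEmpty(user.EmployeeId)) return null;
                return user.EmployeeId;
            }
        }
    }

    // Issues the forms cookie. The ticket name is what Page.User.Identity.Name shows
    // later; the Employee ID travels in UserData so both values stay available.
    public static void SignIn(HttpResponse response, string username, string employeeId)
    {
        var ticket = new FormsAuthenticationTicket(
            1, username, DateTime.Now, DateTime.Now.AddMinutes(30), false, employeeId);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL   // set requireSSL="true" on <forms> for an HTTPS site
        };
        response.Cookies.Add(cookie);
    }

    // Reads the Employee ID back on any later request, once FormsAuthenticationModule
    // has turned the cookie into a FormsIdentity.
    public static string CurrentEmployeeId(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        return identity == null ? null : identity.Ticket.UserData;
    }
}
```

The login page calls ValidateAndGetEmployeeId, then SignIn(Response, username, employeeId) followed by a redirect; other pages call MixedAuth.CurrentEmployeeId(Context). Swapping the first two SignIn arguments is all that is needed if Page.User.Identity.Name itself must be the Employee ID.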
