ASP.NET

Threat Modeling Web Applications

Michael Falconer — Wed, 18 May 2005 13:28:00 GMT

Well, felt it was finally time to start posting again. I've been working on quite a few interesting applications over the past few months, so I hope to add some useful posts soon.

In the meantime there's an interesting new series of posts on MSDN about developing threat models for web applications. While you may be aware of most of the threats, and the steps to prevent them becoming attacks, it's always good to review your knowledge, and to read about formalising the processes you hopefully already go through.

ViewStateUserKey

Michael Falconer — Sun, 13 Feb 2005 12:04:00 GMT

While reading through an article titled 'Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks' on MSDN recently, I came across a new property for the Page class I'd never noticed before: ViewStateUserKey. The documentation for this property states:

Assigns an identifier to an individual user in the view state variable associated with the current page

It turns out what this can be used for is to add a user specific string to the ViewState of a Page which can be verified on PostBack. Why? This means you can be sure that any form information submitted came from the same user who requested the original page, thus preventing one-click attacks.

I highly recommend you read the article above for more information, and for techniques to prevent other common attacks...

New site - journalonline.co.uk

Michael Falconer — Mon, 25 Oct 2004 12:07:00 GMT

Last week a site I've been working on for a couple of months went live - www.journalonline.co.uk. Developed for the Law Society of Scotland and working with Connect Communications, the site is an online resource of information that appears in the printed magazine 'The Journal'.

The site is entirely developed in ASP.NET (using c#) and has a SQL Server 2000 backend. I made use of Paul Wilson's master pages for maintaining the site templates, and also used the Data Provider and Configuration Management application blocks. Note that if you plan to use the Configuration Management application blosk, I strongly recommend you check out the forum on the gotdotnet site where the component is hosted - there are a number of known issues with it.

The search facility provided on the site (to search the library of articles) makes use of a Full Text Index. Having used Index Server a number of times in the past to provide search facilities, I understood the ease of integration this approach would offer, and the in built facility for ranking results. It was also a low cost solution, as no third party software was required. The main downside can be the performance of the index population, but in this case that wasn't an issue as the frequency of updates was low.

The backend of the system also uses FreeTextBox (the same component used to manage this blog!).

Feel free to have a look and let me know what you think!

ASP.NET security vulnerability

Michael Falconer — Thu, 07 Oct 2004 10:57:00 GMT

As everyone by now hopefully knows, there is a vulnerability in ASP.NET that could allow an attacker to bypass security and access secured content.

The fix is relatively straightforward, and there will hopefully be a proper patch from MS soon...

Accessing current HttpContext from a static method

Michael Falconer — Sun, 29 Aug 2004 10:49:00 GMT

I was writing a class to hadle the caching of objects for the ASP.NET application I'm currently developing, and suddenly wondered if I could access the current HttpContext from within a static method. The answer, of course, is yes..

System.Web.HttpContext context = System.Web.HttpContext.Current

Another quick and easy answer thanks to .NET 247.

UPDATE: Thanks to Scott (see comments below) for pointing out you can also access the Cache directly via the HttpRuntime class, without requiring a context.

Caching features in ASP.NET 2.0

Michael D. Falconer — Mon, 05 Jul 2004 10:13:00 GMT

If you've not already had a chance to read Stephen Walther's article on Improved Caching in ASP.NET 2.0, I'd highly recommend you do so now. I've been looking forward to the billed SQL Cache features added to ASP.NET 2.0, but what really caught my eye was right at the end of the article. Namely post-cache substitution.

I've already been in situations where I'd love to cache the main part of a page, but just want a single user control to be dynamic (i.e. not cached). For examlpe, many sites include a user control to allow members to log-on, and when they do the panel contents change to show user specific information. In some cases you might want to cache the page contents, but what if the user then uses the panel to log-on? You can't use the cached version of the page...

Thankfully ASP.NET 2.0 introduces a new Substitution control. This allows you include dynamic content in a cached page. I'd highly recommend looknig at the example in the article above, or in Caching Improvements in ASP.NET Whidbey by G. Andrew Duthie. You can also read the BETA documentation for the Substitution Class.

[UPDATE] - Looks like the first article has disappeared! I'll re-link to it when it appears again...

Handling postbacks in composite web controls

Michael D. Falconer — Mon, 07 Jun 2004 12:20:00 GMT

I've been developing a composite web control lately to provide numeric paging for a web form. One problem I hit was how to change the structure of the child controls after handling a postback event. The typical order of events for a composite control is:

Load -> CreateChildControls -> Handle Postback -> Render

I was dynamically creating some of the child controls based on fields that could be modified by the Postback events. The problem was, as you can see from the order above, the child controls are created before the fields are set.

Thankfully I found this post on .NET 247 by Arthur Mnev. He had exactly the same problem and had found a neat solution. If you set the controls ChildControlsCerated flag to False in the event handler, the .net framework will then regenerate the child controls after the event handler has completed. It does incur a penalty as the CreateChildControls method is run twice, but it works very nicely. As he points out you do have to make sure the that the controls are created is the correct order the first tmie the code runs, but in most cases this will not be an issue.

To get round the double running of the code, he does mention that he 'changed it to redirect itself to its own page with Get Parameters instead of events'. Something else for me to take a look at soon...!

Rob Howard : Farewell and Teched slides

Michael D. Falconer — Tue, 01 Jun 2004 13:02:00 GMT

Rob Howard has announced that he's leaving Microsoft, but has thankfully posted up slides from some TechEd US presentations. I've just had a flick through the presentation titled 'Running www.asp.net', and it looks very interesting. There's certainly a nice list of recommendations to follow.