Tag Archives: Security

Useful Features of ASP.NET


In this post, let's discuss some of the useful features of ASP.NET.

1. Faster compilation.

This configuration setting was introduced in .NET 3.5 SP1. Add the attribute to the <compilation> element in your web.config file (under <system.web>).

<compilation optimizeCompilations="true" />

Refer to MSDN for details.

2. Retail mode in machine.config

<configuration>
  <system.web>
    <deployment retail="true"/>
  </system.web>
</configuration>

It overrides the web.config settings to force debug to false, turn custom errors on and disable tracing. No more forgetting to change attributes before publishing – just leave them all configured for development or test environments and set retail mode on the production machine.

3. Intellisense for MasterPages in the content pages

Normally you have to call FindControl and cast the result whenever you want to use a control of the master page from a content page. The MasterType directive gives the page a strongly typed Master property, so IntelliSense in Visual Studio works as soon as you add one more directive to the page:

<%@ MasterType VirtualPath="~/Masters/MainMasterPage.master" %>

If you don't want to use the virtual path, use the class name instead:

<%@ MasterType TypeName="MainMasterPage" %>

4. Is Client Connected?

Check whether the client is still connected before starting a long-running task:

if (this.Response.IsClientConnected)
{
   // long-running task
}

5. Server control properties based on the target browser

<asp:Label runat="server" ID="labelText" ie:Text="This is IE text" mozilla:Text="This is Firefox text" Text="This is general text" />

6. Page.ViewStateUserKey to Counter One-Click Attacks

Consider using Page.ViewStateUserKey to counter one-click attacks. If you authenticate your callers and use ViewState, set the Page.ViewStateUserKey property in the Page_Init event handler to prevent one-click attacks.

void Page_Init(object sender, EventArgs e)
{
    ViewStateUserKey = Session.SessionID;
}

Set the property to a value you know is unique to each user, such as a session ID, user name, or user identifier.

A one-click attack occurs when an attacker creates a Web page (.htm or .aspx) that contains a hidden form field named __VIEWSTATE that is already filled with ViewState data. The ViewState can be generated from a page that the attacker had previously created, such as a shopping cart page with 100 items. The attacker lures an unsuspecting user into browsing to the page, and then the attacker causes the page to be sent to the server where the ViewState is valid. The server has no way of knowing that the ViewState originated from the attacker. ViewState validation and HMACs do not counter this attack because the ViewState is valid and the page is executed under the security context of the user.

By setting the ViewStateUserKey property, when the attacker browses to a page to create the ViewState, the property is initialized to his or her name. When the legitimate user submits the page to the server, it is initialized with the attacker’s name. As a result, the ViewState HMAC check fails and an exception is generated.

Check out this link for details.
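As an added example (not code from the original post), the same protection moved into a base page class that all authenticated pages inherit from, so the key is set once in OnInit rather than repeated in every Page_Init. It goes slightly beyond the post's snippet: it prefers the authenticated user name and, when it falls back to Session.SessionID, first stores a value in session state so the ID stays stable. The class and session key names are assumptions for illustration.

```csharp
using System;
using System.Web.UI;

// Added example, not part of the original post or of ASP.NET itself.
// Inherit from this instead of System.Web.UI.Page:
//   public partial class Checkout : ViewStateProtectedPage { ... }
public class ViewStateProtectedPage : Page
{
    // Hypothetical session key used only to force session storage to be allocated.
    private const string SessionAnchorKey = "__viewStateUserKeyAnchor";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // ViewStateUserKey must be assigned before ViewState is loaded, which is
        // why it is set in the Init phase (OnInit / Page_Init) and not in Load.
        if (Request.IsAuthenticated)
        {
            // A value unique to each user that does not change between the GET
            // that renders the form and the POST that submits it.
            ViewStateUserKey = User.Identity.Name;
        }
        else
        {
            // Fallback for anonymous pages. Caveat: with cookie-based sessions
            // ASP.NET hands out a new SessionID on every request until something
            // is stored in Session, so store a marker first; otherwise the key
            // used at render time would differ from the key used on postback and
            // every legitimate postback would fail the ViewState MAC check.
            if (Session[SessionAnchorKey] == null)
            {
                Session[SessionAnchorKey] = true;
            }
            ViewStateUserKey = Session.SessionID;
        }
    }
}
```

With this in place a __VIEWSTATE blob captured by one user (or generated by an attacker) carries a MAC bound to that user's key, so when it is submitted under another user's session the MAC check fails and the page throws instead of executing the planted state.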

7. Emails to local folder

While testing, you can have emails written to a local folder on your computer instead of sent to an SMTP server:

<system.net>
  <mailSettings>
    <smtp deliveryMethod="SpecifiedPickupDirectory">
      <specifiedPickupDirectory pickupDirectoryLocation="c:\EmailFolder\" />
    </smtp>
  </mailSettings>
</system.net>

This is not a complete list; I will keep adding to it and updating it.

Sites to Check if your email has been compromised in a data breach


Have you heard about a data breach? Has the data been leaked online and made public? Are you a member of the affected site and want to know whether you are part of the leak?

These sites will help you find out.

1. haveibeenpwned.com

The site lets you enter an email address and see, free of charge, whether it has been compromised in a data breach. It is developed by Troy Hunt, a Microsoft MVP for developer security, international speaker and Pluralsight author.

If your email is not compromised, you will see a message like this:

(Screenshot: "No pwnage")

Otherwise, you will see the details of the pwnage:

(Screenshot: "Pwnage found!")

The site also provides a free email notification service that alerts you if your account turns up in a future data breach.

If you want to search for all addresses on a particular domain, you first have to go through a domain verification process.

It also provides an API that lets the list of pwned accounts be searched quickly via a RESTful service.

2. breachalarm.com


The site provides a service that lets you check whether your email address has been posted online and sign up for email notifications about future password leaks that affect you.

Once you enter your email address, a message on the screen tells you that your IP address will be recorded.


If your email address is not found in any leak, you get a message saying so.


Otherwise, you will see a generic message with the date of the most recent breach.


The site provides an "Email Watchdog" service in two categories.

Individuals and Families, where a fixed number of email addresses is covered.


Business, where a whole domain is covered. Companies that subscribe to the service are notified when any of their email addresses appear in a data breach.

They also provide an API that lets third parties check the breach status of email addresses or domain names. It is a paid service.

3. pwnedlist.com

Before using the service, you need to sign up.

Once you verify your email address, it is added to the watchlist. You can then monitor up to 3 email addresses at no charge.

There is no way to check whether you have already been compromised in existing data breaches.

Please comment below if you know of any similar services; I'll review them and add them to this post.

I'll say that data breaches will happen, but you should always secure things from your side. I recommend using a strong password for each account that you don't try to memorize. Use password managers like KeePass, LastPass, 1Password etc. to keep track of all that information. Wherever possible, turn on 2-step authentication. Use services like Abine to mask your email address on sites you don't trust.

CryptSharp – A Password Crypt Algorithms Library for .NET


Safely store a password:

Why not SHA-1, SHA-3, MD5, etc.?

These are all general-purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. This means that they are fantastic for ensuring the integrity of data and utterly rubbish for storing passwords.

A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.

A modern supercomputer can process around 700,000,000 passwords a second. At that rate you'll be cracking those passwords at the rate of more than one per second.

It's important to note that salts on their own do nothing to slow down dictionary attacks or brute force attacks against an individual hash.

Bcrypt Solves These Problems:

It uses a variant of the Blowfish encryption algorithm's key schedule and introduces a work factor, which lets you decide how expensive the hash function will be. Because of this, bcrypt can keep up with Moore's law: as computers get faster you can increase the work factor and the hash will get slower.

Why CryptSharp?

It has always been a challenge for .NET developers to store passwords securely in the database.

CryptSharp provides a number of password crypt algorithms like BCrypt, LDAP, MD5 (and Apache’s htpasswd variant), PHPass (WordPress, phpBB, Drupal), SHA256, SHA512, and Traditional and Extended DES. Additionally it includes Blowfish, SCrypt, and PBKDF2 for any HMAC (.NET’s built-in PBKDF2 implementation supports only SHA-1).

If you are looking to store passwords, odds are CryptSharp has the algorithm you want.

To install CryptSharp, run the following command in the Package Manager Console in Visual Studio.


Install-Package CryptSharpOfficial

Or you can download it from its official site and add a reference to your project.

Using CryptSharp is very simple. To crypt a password, add the assembly to References and type:


using CryptSharp;

// Crypt using the Blowfish crypt ("BCrypt") algorithm.
// 'password' is the plain-text password supplied by the user.
string cryptedPassword = Crypter.Blowfish.Crypt(password);

To check a plain-text password against the crypted password, use the following lines of code:


using CryptSharp;

// Do the passwords match?
// You can also check a password using the Crypt method, but this approach is easier.
bool matches = Crypter.CheckPassword(testPassword, cryptedPassword);

If you choose the BCrypt algorithm, be aware that it only uses the first 72 bytes of a password.
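As an added example (not code from the original post or from the CryptSharp project), here is a small password store that ties the pieces above together: it hashes with an explicit bcrypt work factor, rejects passwords longer than the 72 bytes bcrypt actually reads, verifies with Crypter.CheckPassword, and times a few work factors to show the cost doubling that the bcrypt section describes. It assumes CryptSharp exposes the cost through CrypterOptions and CrypterOption.Rounds; check that option name against the version you install. The class and method names are my own.

```csharp
using System;
using System.Diagnostics;
using System.Text;
using CryptSharp;

// Added example, not part of the original post or of CryptSharp itself.
public static class PasswordStore
{
    // bcrypt only looks at the first 72 bytes of the (UTF-8) password;
    // anything beyond that is silently ignored, so refuse it up front.
    private const int BcryptMaxBytes = 72;

    // Work factor: bcrypt runs 2^Rounds iterations of its key schedule.
    // Raise it as hardware gets faster; hashes already stored keep the
    // cost they were created with because it is encoded in the hash string.
    private const int WorkFactor = 12;

    public static string HashPassword(string password)
    {
        if (password == null)
            throw new ArgumentNullException("password");

        if (Encoding.UTF8.GetByteCount(password) > BcryptMaxBytes)
            throw new ArgumentException(
                "Password exceeds the 72 bytes bcrypt uses; reject it instead of truncating silently.");

        // Assumed CryptSharp API for the cost parameter (CrypterOptions / CrypterOption.Rounds).
        var options = new CrypterOptions { { CrypterOption.Rounds, WorkFactor } };

        // A random salt is generated by CryptSharp and stored inside the returned string.
        return Crypter.Blowfish.Crypt(password, options);
    }

    public static bool Verify(string candidate, string storedHash)
    {
        if (candidate == null || storedHash == null)
            return false;

        // CheckPassword reads the algorithm, cost and salt from storedHash,
        // re-crypts the candidate with them and compares the results.
        return Crypter.CheckPassword(candidate, storedHash);
    }

    // Illustrates the work factor: each extra round roughly doubles the time,
    // which is what lets bcrypt keep pace with faster hardware.
    public static void TimeWorkFactors(string password)
    {
        foreach (int rounds in new[] { 8, 10, 12 })
        {
            var stopwatch = Stopwatch.StartNew();
            Crypter.Blowfish.Crypt(password, new CrypterOptions { { CrypterOption.Rounds, rounds } });
            stopwatch.Stop();
            Console.WriteLine("rounds={0}: {1} ms", rounds, stopwatch.ElapsedMilliseconds);
        }
    }

    public static void Main()
    {
        // Constructed sample password for the demonstration.
        const string password = "correct horse battery staple";

        string hash = HashPassword(password);
        Console.WriteLine(hash);                          // algorithm id, cost and salt are all embedded here
        Console.WriteLine(Verify(password, hash));        // correct password
        Console.WriteLine(Verify("wrong password", hash)); // wrong password

        TimeWorkFactors(password);
    }
}
```

Store only the string returned by HashPassword; there is no separate salt column to manage, and because the cost is part of the string you can raise WorkFactor later and re-hash each user's password the next time they log in successfully.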

Here is the sample output of CryptSharp from my code:

Source Code Download:

Github [Repository Link]

Box.com [Direct Link to Zip file]