Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
Apologies if this is in the wrong category. I'm currently developing and application in ASP, due to my inexperience with ASP I'm worried about vulnerabilities that a user can exploit.
My application is being coded from scratch, no templates used or defaults from Visual Studio, completely blank projects. The user is greeted with a login page where depending on there user access in active directory depends on which pages the user can access.
The exploit I'm worried about is if the user will be able to commit a directory traversal and access a page in which they're not allowed to access and change critical information.
I'm afraid my inexperience has caught up with me. Could someone explain to me how I could limit the access to the user or, If I'm over thinking the process, correct me? Constructive criticism is accepted.
Microsoft does try to help protect your application through their defaults, so if you're running in IIS, make sure the user the application pool is running under only has write access to the folders it needs to write into.
This is a very open-ended question and depends on many factors such as version of .net, server OS/IIS version, other handlers installed, etc. But a good start is to review the OWASP Top 10:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#OWASP_Top_10_for_2013
Here's a list of some automated tools you can use for testing your implementation:
https://geekflare.com/online-scan-website-security-vulnerabilities/
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
In my test, I can automatically open IE with:
public void OpenIEtoAppURL()
{
System.Diagnostics.Process.Start("iexplore", "www.google.ca");
}
Will this work on other computers that may not have admin access? Will this method cause false alarms for a virus?
I'm not sure if this is the best way to open IE, any improvements are appreciated.
Note: the target users are people who aren't good with computers so I don't want to alarm them with authorization checks.
I'm trying to make some kind of executable so that they can just click on it and it will run a suite of automated tests for specific web applications on a weekly basis.
That will work, but it's the wrong way to do it.
Instead, you should open the URL itself:
Process.Start("https://google.com");
This will open the page in the user's default browser.
Note that the protocol is required.
What are you trying to accomplish? You mention people who are not good with computers but your tags are for testing. Do you have non-technical people running automated tests?
If you want IE ONLY, you could try ShDocVw.InternetExplorer.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Currently I am working on multiple projects as a third party (outsourced) where I have no control over the hosting. My application is modular enough to be changed on the fly, all that's required is slight edit in Html / CSS and it'll become a brand new site.
I do not want my proprietary codes to leak on the web without my consent.
Since I'm contracted to only work on a few particular domains, I wish to "lock" them down in the sense there won't be multiple instances of the same application running in the wild.
Domain locking comes to mind, but this will be rather restrictive as my client will no longer be able to change domain in the future.
Any other inexpensive ideas?
You could try having a registration server somewhere that requires various libraries in the system to register infrequently.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I wanted to crate an mobile app (using Flex) that let user upload some user generated content (eg. Text, Picture) to my website and also able to display/view it on the website as well.
I don’t much on the back end (web programming, website database, cloud).
What is the best way to do this or is there any ready build solution out there?
Thanks.
Look at httpService for your user upload and tie it to a back end web service using POST or GET parameters. Personally, I recommend PHP but any web capable service would work. Then, tie that service to store your images on your web server or in a database. Reverse the process to get it back out. Can this all be done in Flex? No. Can you tie it in with a web service easily? Yes. Good luck.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
I'm newbie when talks about Error Handling. It's a subject that i want to study but right now i just don't have free time, so i'm looking to implement an error/exception handler one a few projects i've developing last weeks (C#, .NET 3.5).
What do you recommend me to implement for this? Other point is where to store the errors logs. In database or .xml file? Well, i really need some help on this!
By the way, is there any book about error handling?
Thanks in advance,
Guilherme Cardoso
For unhandled exceptions you might want to use ELMAH. Its super simple to setup - just a dll and some settings in your web.config.
Log4net is a robust tool for logging to a variety of sources. Where I work, we use the Logging Application Blocks from the Enterprise Library. You can read up about these resources on their websites.
As for logging to XML files vs. databases, there are tradeoffs to each approach. Using local files reduces how many breakable components are required for a functioning application. Imagine that the database goes down, and your app tries to log to the database that the database went down... Hmmm.
On the other hand, logging to a database can dramatically improve your ability to query and gain intelligence on the nature of errors that get logged.
No one will be able to tell you absolutely what you should do; just weigh the tradeoffs and your expectations, and you'll be good to go.
If you want to go with some home-brewed error handling, you can tap into the Application_Error method of your Global.asax and manually log members of the HttpContext.Current.AllErrors property. You can also use the ClearError() method on the context to wipe out the errors, and then redirect to a safe page if you want to log-and-continue.
Good luck!
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed last year.
Improve this question
I would like to give web designers autonomy to publish web pages but letting them to edit aspx files is a serious security risk as they don't have the required programming skills.
I was thinking about two approaches:
They are only able to edit html files and call services with ajax;
Let them to edit xslt files associated to services that return xml.
But both have a drawback: limited use of templates.
How would you deal with this situation?
If the developer is on his own domain then its safe to give him full access to JavaScript. However if he is sharing this domain then by giving him access to javascript you open the door to XSS. This allows the publisher to hijack other user accounts (usually by access document.cookie, but there are other same-origin policy abuses). One possilbity is to use Html Purifier, which prevents javascript all together.
There is a better alternative and that is a Google-Caja, which places restrictions on the javascript a developer can execute. This is important for apps written for social networking sites.
This is an issue that's already been addressed in most CMS systems. Have a look at joomla, drupal, SharePoint, etc etc.