CreateUserWizard Username and Email Enumeration - asp.net

I've been doing a security review of our website and found an issue with CreateUserWizard.
We do not let people sign up with a duplicate email address or username. The CreateUserWizard will verify this for me, but the problem is that I can write a script to hit our server, try usernames, and pretty quickly get a list of usernames by enumerating through them.
I want to add reCAPTCHA, but I can't seem to get it to verify this before it verifies the username. Is there a way to do this?
<asp:CreateUserWizard ID="CreateUserWizard1" runat="server"
    OnCreatedUser="CreateUserWizard1_CreatedUser"
    ContinueDestinationPageUrl="~/PleaseVerify.aspx"
    CssClass="CreateUserWizard"
    StepNextButtonStyle-CssClass="NextButton"
    StartNextButtonStyle-CssClass="NextButton"
    FinishCompleteButtonStyle-CssClass="FinishButton"
    CreateUserButtonText="Create my ID"
    CompleteSuccessText="Your account has been created, but before you can login you must first verify your email address. A message has been sent to the email address you specified. Please check your email inbox and follow the instructions in that email to verify your account."
    DisableCreatedUser="True"
    OnSendingMail="CreateUserWizard1_SendingMail"
    DuplicateUserNameErrorMessage="That username is already in use, if you think this is you can LINK REMOVED Otherwise try a different username."
    DuplicateEmailErrorMessage="That email is already in use, try to <a href='/ForgotPassword.aspx'>recover your password</a>."
    InvalidPasswordErrorMessage="Please supply at least five letters in your password.">
</asp:CreateUserWizard>

I don't believe that the username is validated on the client side, so you could override your CreateUserWizard's CreateUserError event handler, check your captcha and NOT pass back an error about the username being already in use. I use a custom control captcha that I pieced together from www.codinghorror.com (http://www.codinghorror.com/blog/2004/11/captcha-control-coda.html), and it triggers before the backend code attempts to create the user and determines that the username/email is in use.

I ended up not using the CreateUserWizard and just doing the simple login in the button handler.
using System;
using System.Web.Security;

// Button handler name is illustrative; wire it to the "Create" button's Click event.
protected void CreateUser_Click(object sender, EventArgs e)
{
    // Validate the CAPTCHA first, before anything that could reveal
    // whether a username or email address already exists.
    recaptcha.Validate();
    if (!recaptcha.IsValid)
    {
        ErrorMessage.Text = "Invalid Code.";
        return;
    }
    // Then run the page validators (required fields, formats).
    if (!IsValid)
    {
        return;
    }
    var duplicateEmail = Membership.FindUsersByEmail(Email.Text);
    if (duplicateEmail.Count > 0)
    {
        ErrorMessage.Text = "That email is already in use, try to <a href='/ForgotPassword.aspx'>recover your password</a>.";
        return;
    }
    var duplicateUsername = Membership.FindUsersByName(UserName.Text);
    if (duplicateUsername.Count > 0)
    {
        ErrorMessage.Text = "That username is already in use, if you think this is you can <a href='http://www.nanaimo.ca/dashboard/'>login</a>, otherwise try a different username.";
        return;
    }
    var newUser = Membership.CreateUser(UserName.Text, Password.Text, Email.Text);
    // Keep the account disabled until the email address has been verified.
    newUser.IsApproved = false;
    Membership.UpdateUser(newUser);
}
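The ordering the question asks for (CAPTCHA before the duplicate-username/email check) is also available without abandoning the wizard, through its CreatingUser event, which fires before the membership provider is called. This is an added example, not code from the question or the answers; it assumes a custom ContentTemplate on the CreateUserWizardStep that holds the legacy reCAPTCHA control (class Recaptcha.RecaptchaControl, ID "recaptcha") and a Literal with ID "ErrorMessage".

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Recaptcha; // legacy reCAPTCHA ASP.NET library (assumed to be referenced)

public partial class Register : Page
{
    // Wire up in markup: OnCreatingUser="CreateUserWizard1_CreatingUser".
    // CreatingUser runs before Membership.CreateUser, so cancelling here means the
    // provider is never asked and can never report DuplicateUserName/DuplicateEmail.
    protected void CreateUserWizard1_CreatingUser(object sender, LoginCancelEventArgs e)
    {
        Control step = CreateUserWizard1.CreateUserStep.ContentTemplateContainer;
        var captcha = step.FindControl("recaptcha") as RecaptchaControl; // assumed control ID
        var error = step.FindControl("ErrorMessage") as Literal;          // assumed control ID

        if (captcha == null)
        {
            // Fail closed: a missing CAPTCHA control must not silently allow enumeration.
            e.Cancel = true;
            if (error != null) error.Text = "Registration is temporarily unavailable.";
            return;
        }

        captcha.Validate();
        if (!captcha.IsValid)
        {
            // Abort creation; the wizard's duplicate-name/email messages are never produced.
            e.Cancel = true;
            if (error != null) error.Text = "Please complete the CAPTCHA and try again.";
        }
        // Otherwise creation proceeds and the wizard's own duplicate messages still apply,
        // but only for a client that has just solved a CAPTCHA.
    }
}
```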

Related

MVC 5 - change password on demo accounts

I have an MVC 5 demo application that uses asp.net security. Within that application I have 75+ user accounts.
The person who gives the demos left, so I'd like to be able to reset all of the passwords for all of the accounts without having to change the email on each account to my personal email and do them individually where a link would be sent to my personal email.
Is there a way I can type in the user name and new password and use built in IdentityUser functionality to reset the password?
Assuming your app is in standard MVC5 format, put this ViewResult into the Account controller:
[AllowAnonymous]
public async Task<ViewResult> ResetAllPasswords()
{
// Get a list of all Users
List<ApplicationUser> allUsers = await db.Users.ToListAsync();
// NOTE: make sure this password complies with the password requirements set up in Identity.Config
string newPassword = "YourNewPassword!";
int passwordChangeSuccess = 0;
int countUsers = 0;
// Loop through the list of Users
foreach (var user in allUsers)
{
// Get the User
ApplicationUser thisUser = await UserManager.FindByNameAsync(user.UserName);
// Generate a password reset token
string token = await UserManager.GeneratePasswordResetTokenAsync(thisUser.Id);
// Change the password, using the reset token
IdentityResult result = await UserManager.ResetPasswordAsync(thisUser.Id, token, newPassword);
// Record results (extend to taste)
if (result.Succeeded)
{
passwordChangeSuccess++;
}
countUsers++;
}
ViewBag.CountUsers = countUsers;
ViewBag.PasswordSuccess = passwordChangeSuccess;
return View();
}
and set up a new View with ViewBag.CountUsers and ViewBag.PasswordSuccess to check the results.
Then set up an ActionLink pointing to ResetAllPasswords in Account controller and press to go.
Obviously the formatting can be changed (maybe a form with a confirm instead, maybe with an input field to specify the password...), but the basic controller code should hopefully be good. And note the [AllowAnonymous] attribute is there just for one-off access - not a good idea to leave it there for anything more than testing!
This should reset all Users to the same password specified in the code.
Yes. In the Account controller, just go to the Forgot Password function and change that code a little: first the user is searched by email id, and after that the system sends a mail to that user.
There, write code so that the mail is sent to your specific email id instead; then you can get that link in your account, click that link and reset the password.

How validate for domain name of email address

I have a form in which the user enters an email address. I am validating it through JavaScript. I want to validate the domain name of the email address.
What is the best way to validate the domain name of an email address in .NET?
The best way to check the domain name in an email address is to use a regular expression.
This expression is used for validating an email:
\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*
You can edit the domain part of this expression: \w+([-.]\w+)*\.\w+([-.]\w+)*
This web service checks the domain:
http://www.ecocoma.com/domain_webservice.aspx
You must substring the domain name from the email address and send it to the web service.
Notice: to test this web service, you must be online.
Sample code for working with it:
using System;
using System.Web.Services.Protocols;
// Whois_Service and Whois are the proxy types generated by adding the web reference.

protected void btnwhoIs_Click(object sender, EventArgs e)
{
    try
    {
        Whois_Service service = new Whois_Service();
        service.SoapVersion = SoapProtocolVersion.Soap12;
        // First argument is the service's API key; txtWhoIs holds the domain part of the address.
        Whois whois = service.GetWhois("DOM-T36309683M", "", txtWhoIs.Text);
        divRes.InnerText = whois.Description;
    }
    catch (System.Net.WebException ex)
    {
        // Network failure or service unavailable: show the error instead of crashing the page.
        divRes.InnerText = ex.Message;
    }
}
As @KingCronus said, there's no good method built into the framework for doing this. The most reliable method I know of is using this commercial component: http://cobisi.com/email-validation/.net-component
I've once done work using it for a client and it seemed reliable. You can use it to detect bogus email services (like http://mailinator.com/), but unfortunately, I don't know of any free component that performs this functionality.

How to check email address exists or not using ASP.NET?

How to check whether a given email address (any valid email) exists or not using ASP.NET?
You can't check if an email exists without actually sending a mail.
The only thing you can check is whether the address is in a correct shape with regexes:
using System.Text.RegularExpressions;

string email = txtemail.Text;
// Syntax check only: local part, '@', domain labels, and a 2-3 letter TLD.
Regex regex = new Regex(@"^([\w\.\-]+)@([\w\-]+)((\.(\w){2,3})+)$");
Match match = regex.Match(email);
if (match.Success)
    Response.Write(email + " is correct");
else
    Response.Write(email + " is incorrect");
You send an invitation mail to the user with an encrypted key.
If the user verifies the key, you have verified the key and you have a verified email.
Here's a code solution that may work for you. This sample sends a message from an address different from the From: address specified in the message. This is useful when bounced messages should be processed and the developer wants to redirect bounced messages to another address.
http://www.afterlogic.com/mailbee-net/docs/MailBee.SmtpMail.Smtp.Send_overload_3.html
The full process is not so simple.
It requires a full communication with the email server, asking it whether this email exists or not.
I know a vendor that provides a DLL that does all this communication and checks if the email exists or not on the server: aspNetMX at http://www.advancedintellect.com/product.aspx?mx
First you need to import this namespace:
using System.Text.RegularExpressions;

// Syntax check only; it cannot tell whether the mailbox exists.
private bool ValidateEmail(string email)
{
    Regex regex = new Regex(@"^([\w\.\-]+)@([\w\-]+)((\.(\w){2,3})+)$");
    return regex.IsMatch(email);
}
Visit here for the full source code.

User Authentication in ASP.NET when authentication is checked by javascript functions

Please suggest or change to some suitable title for this question, as I am not able to find one.
I am using Facebook to allow the users to authenticate to my site.
I use the Facebook Login Button and somehow I find out whether the user is authenticated or not.
I am developing my website in ASP.NET 4.0.
I check whether the user is authenticated through JavaScript.
The problem is how should I tell my server that this user is authenticated and assign some ASP.NET roles. I cannot use Ajax because of security reasons, and there might be an impersonation attack. This site may have transactions in the future, so it needs to be less vulnerable.
Right now what I did is create a session using JavaScript and redirect to some other page and then assign roles, but I am not satisfied with this method.
Any help is appreciated.
The easiest way would be to use Page methods and Page methods call your service on server or authenticate directly.
http://www.geekzilla.co.uk/View7B75C93E-C8C9-4576-972B-2C3138DFC671.htm
To fix this, after Facebook successfully authenticates the user, I post back the website with some arguments.
FB.api('/me', function (response) {
    // Post the Facebook id and name back to the server as the event argument.
    var res_id = response.id;
    __doPostBack('SetSessionVariable', res_id + "$" + response.first_name + "$" + response.last_name);
});
And in code I do:
// Read the postback target and argument, defaulting to empty strings.
string eventTarget = this.Request["__EVENTTARGET"] ?? string.Empty;
string eventArgument = this.Request["__EVENTARGUMENT"] ?? string.Empty;
if (eventTarget == "SetSessionVariable")
{
    // Authenticate User
}
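The postback above trusts whatever id the browser sends, which is the impersonation risk the question raises. As an added example (not code from the question or the answers), the code-behind below takes the Facebook access token as the __EVENTARGUMENT instead and verifies it server-side with Facebook's debug_token endpoint before issuing the forms-authentication cookie; it assumes the JavaScript posts the access token obtained from FB.login/FB.getLoginStatus, and AppId/AppSecret are placeholders to be read from configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Script.Serialization;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Placeholders: load these from configuration in a real deployment.
    private const string AppId = "YOUR_FB_APP_ID";
    private const string AppSecret = "YOUR_FB_APP_SECRET";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack || Request["__EVENTTARGET"] != "SetSessionVariable")
            return;

        // The client posts the access token (assumed), never a bare user id:
        // anyone can post an id, but only Facebook can issue a valid token.
        string userId = VerifyFacebookToken(Request["__EVENTARGUMENT"]);
        if (userId == null)
            return; // stay anonymous; worth logging as a forged or expired postback

        // Identity is now attested by Facebook; issue our own session cookie, then assign roles.
        FormsAuthentication.SetAuthCookie("fb:" + userId, false);
    }

    // Returns the Facebook user id the token belongs to, or null if the token is
    // invalid, expired, or was issued to a different app.
    private static string VerifyFacebookToken(string inputToken)
    {
        if (string.IsNullOrEmpty(inputToken))
            return null;
        string url = "https://graph.facebook.com/debug_token"
            + "?input_token=" + Uri.EscapeDataString(inputToken)
            + "&access_token=" + Uri.EscapeDataString(AppId + "|" + AppSecret); // app access token
        try
        {
            string json;
            using (var http = new WebClient())
                json = http.DownloadString(url);
            var root = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);
            object data, isValid, appId, user;
            if (!root.TryGetValue("data", out data)) return null;
            var d = data as Dictionary<string, object>;
            if (d == null || !d.TryGetValue("is_valid", out isValid) || !true.Equals(isValid)) return null;
            if (!d.TryGetValue("app_id", out appId) || Convert.ToString(appId) != AppId) return null;
            return d.TryGetValue("user_id", out user) ? Convert.ToString(user) : null;
        }
        catch (WebException) { return null; } // HTTP 400 for bad tokens, or network failure
    }
}
```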

Using Custom MembershipProvider without a Login control in ASP.NET

We have got a custom MembershipProvider in ASP.NET. Now there are 2 possible scenarios in which the user can be validated:
The user logs in via the login.aspx page by entering his username/password. I have used the Login control and linked it with the MyMembershipProvider. This is working perfectly fine.
An authentication token is passed via some URL in query string form from a different web site. For this I have one overload in MembershipProvider.Validate(string authenticationToken), which is actually validating the user. In this case we cannot use the Login control. Now how can I use the same MembershipProvider to validate the user without actually using the Login control? I tried to call Validate manually, but this is not signing the user in.
Here is the code snippet I am using
if (!string.IsNullOrEmpty(Request.QueryString["authenticationToken"])) {
    string ticket = Request.QueryString["authenticationToken"];
    MyMembershipProvider provider = Membership.Provider as MyMembershipProvider;
    if (provider != null) {
        if (provider.ValidateUser(ticket)) {
            // Login Success
        } else {
            // Login Fail
        }
    }
}
After validation is successful, you need to sign in the user, by calling FormsAuthentication.Authenticate: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.authenticate.aspx
EDIT: It is FormsAuthentication.SetAuthCookie:
http://msdn.microsoft.com/en-us/library/twk5762b.aspx
Also, to redirect the user back where he wanted to go, call: FormsAuthentication.RedirectFromLoginPage: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.redirectfromloginpage.aspx
You can set your own FormsAuthenticationTicket if the validation is successful.
Something like this;
using System;
using System.Web;
using System.Web.Security;

// someUserName, lengthOfSession (minutes) and returnUrl are supplied by the caller.
void SignInWithTicket(MyMembershipProvider provider, string ticket,
                      string someUserName, int lengthOfSession, string returnUrl) {
    if (provider != null) {
        if (provider.ValidateUser(ticket)) {
            // Login Success
            FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
                1,                                          // version
                someUserName,                               // name
                DateTime.Now,                               // issue date
                DateTime.Now.AddMinutes(lengthOfSession),   // expiration
                false,                                      // persistence of login
                string.Empty,                               // user data
                FormsAuthentication.FormsCookiePath         // cookie path
            );
            // encrypt the ticket
            string hash = FormsAuthentication.Encrypt(authTicket);
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
            Response.Cookies.Add(cookie);
            Response.Redirect(returnUrl); // URL where you want the user to land
        } else {
            // Login Fail
        }
    }
}
You are right in the case of storing the auth information as a cookie directly. But using a strong hash function (e.g. MD5 + SHA1) is great and secure.
By the way, if you use sessions (which is also just a hash cookie) you could attach auth information to it.