I've seen several questions on SO about this, but none of them quite fit what i'm looking for. I've got an ASP.NET Site on my machine that i recently finished, but i'm a little worried about Security. I'm pretty sure I've managed it pretty well, but there's always an offchance i've missed something.
So, I'm looking for a tool that meets the following reqs
Scans a locally hosted (as in, on the same machine as the tool) website for vulnerabilities
Can be installed (i.e, no web based stuff)
(elaborating on #1)... tests ASP.NET (Web Forms, but MVC would be nice too) for SQL or XSS problems. (I figure XSS is hard to test, but SQL injection should be easier to find)
Thanks! Lemme know if i'm not specific enough or if this is better suited for Webmasters SE.
There are a few scanning tools around, some of which are open source, which is nice. The exploits you are talking about are technology agnostic - any app could suffer from them regardless of whether it's .net, java, ruby, etc. This makes testing for them slightly easier. Also, SQL injection and XSS bugs are usually application specific, which makes automagically testing for them harder.
The best thing you can do is not be worried about security, but take specific steps to address issues. Security should always be designed into your application. So carry out a code review on your app. Look for specific things.
Do you have any in-line SQL? Do you modify it any way? Are you using parameters?
Are you escaping any user input before you use it?
The above 2 steps will eliminate most SQL injection/XSS bugs. There are other issues to do with your server setup. Vulnerability scanning tools usually know most of these and can test for them.
Related
I am after recommendations for a framework (or project template) for rapid application development using C# on the back-end. It must support the following:
User login/authentication
SPA
Responsive client
Easy to understand client and server (not a steep learning curve like AngularJS)
Clean/uncluttered project structure (both client and server). Some OOTB ASP.Net project templates are very cluttered (eg the the VS2012/2013 SPA MVC/Knockout/BackBone template) - maybe I could be convinced, but just looking at a new project it puts me off instantly.
Easy DB access.
Flexibility on the client (for custom functionality eg adding maps and other UI libraries like D3) - don't want a client framework that you have to wrangle to paint outside the lines.
Would appreciate any/all suggestions/opinions.
Thanks
Tim
Like anything in software, there are so many ways to do this. You are essentially asking for a complete system architecture. You could try to be more specific, but your question is going gather opinionated answers and this will probably end up getting closed.
But I'm bored and will throwin a couple of pennies before that happens:
C# most likely means you'll be going .NET on IIS (though maybe its docker on linux?? refer back to my first line above)
User login/authentication
If its IIS, you could be running Windows Auth, or if in an enterprise, Kerberos or Federation. Or if its going against social sites, maybe OAuth? This one depends on what authentication your users need and is really separate of the other areas below.
SPA / Responsive client / Easy to understand...
You listed some very popular frameworks (Angular/Knockout) used in modern SPAs. You may not like them but these are becoming industry standards. Responsive web is pretty much bootstrap or foundation. Though, angular material seems to be gaining popularity too.
Easy DB access.
Whats your definition of easy? Looking for an ORM? If so, Entity Framework is popular in .net apps. Or if you are more of an SQL person, maybe LINQ is easier. Many options here too.
Flexibility on the client ...
Though you may not like some of them, using popular frameworks means you get a lot of developer support behind it - and a lot more answers here on SO if you have problems. One man's sunset is another man's sunrise. What you consider difficult might be viewed as easy by another. Hard to say whats most flexible but going popular means you got more help.
My last project is a medium size asp.net web forms application. It is built using:
asp.net 3.5
ling to sql dbml --> sql server database (9 tables)
ext.net 1.6 (www.ext.net)
structuremap 2.5.3.0
This time I believed I did my best in terms of architectural design, code and data transfer optimizations. I followed all advice I could to work with the database efficiently through linq to sql and I built layers (model, repository, service, presentation) to separate concerns and lightweight the code in the aspx code behind files.
The problem is: I've installed the application in various web hosting servers with the same pitiful result: the application is struggling to work... pages are loading like in slow motion...
In the past I would say 'OK, I didn't do all I could to speed things up' but in this case I really tried to apply the best practices...
Is there anything else I can do about it? Or is it just asp.net for really small projects only?
thank you.
ASP.NET is fine for building large scale websites. As Brad mentioned, StackExchange sites are built using it, and StackOverflow is a very busy site indeed.
What you need to do first is measure performance; until you do that, you're just guessing at where the problem areas are.
So start with the browser - use a tool such as Firebug, or YSLOW, Google Chrome dev tools, whatever takes your fancy and run your site using the tool enabled. The tools can let you know how long things are taking to process eg requests, how long content is taking to download etc.
YSLOW will also give you some tips on anything it finds as being a bit slow e.g. you're making to many HTTP requests, you should consider minifying your CSS/JS files. You will get a general overview of how the site is performing and where problems could be.
To dig a bit deeper, use a tool like RedGate's ANTS Profiler, use the trial version and measure your website, and server side code, with that tool. There are other tools, though I'm not aware of any free ones.
My first question is that when its slow. Did you try your project in Local area network. Please check first there. If there slow then you need to improve little bit.
This slow performance depends on many things
such as large data load, multiple logic on one page etc.
Please let me know.
Thanks
Basit.
I am a big fan of Firebird DB, I am using it since 1.5.0 version, but I am curious why FB is not that much popular as web sites back-end DB. I would like to use embedded Firebird DB on my websites (after 2.5 version improvements), advantages are obvious (no need to install anything, all dll-s you can put in your web site bin folder and FDB in App_Data – I am using asp.net technology).
My question is: does anybody has some experiences with this approach (Medium Trust shared hosting), and what limitation I might expect? How many concurrent users can be acceptable in such scenario, are there some known issues I need to be aware of and so? Is lack of security mechanism in embedded that big disadvantage for this approach?
Thanks in advance.
First off, I do not have any experience with Firebird. When googling though, I do see reports of problems using it in medium trust. But if you want to know for sure, just try! It might well be that the information I'm reading is old.
Concurrent users is a difficult question to be fairly honest. I suppose it (how many) depends on too many factors to give a good answer. But the most important thing you want to look at is concurrent writing. For example SQL Lite does not support this (afaik), and in a web application this is bound to happen. I think FB supports this, but you might want to check this to be sure.
About security; as far as I know FB does not support encryption nor password protection. This is a valid concern you express, if anyone compromises your server the FB file is there for grabbing. Methods to work around this are not pretty (encrypting before insert/update and decrypting at retrieval, or filesystem encryption), so if security is important this will be your biggest concern.
I'd like to state again that I do not have experience with FB myself, I just express the concerns I would have myself when thinking of such a scenario and try to get some information on the internet.
I'm making an asp.net web application which will run locally on IIS
for a single user
I don't want this user to access my application files (in the www root ) or bring another programmer and steal my code
I just want the user to have the ability to access the website only and
stop any programmer from knowing my source code
I heard about an USB security system called "Dongle" but can it be used in a situation like this ?
any Ideas ?
thanks in advance
The website is just running code, but like anything, once the user has it they can do what they like to it, whether you like it or not. That's why there is a multi-million {currency} industry around securing applications.
You could use dongles but they're expensive and not trivial to implement. As #volleyball said, obfuscation would slow down most people from decompiling your app. without odfucation any licensing or dongles could just be patched out of your code.
Your most secure route would be to not give it to them. It's a web app, host it. This may not of course not meet your requirements.
Simon
I have never heard of a web application that uses a dongle. This is normally reserved for regular windows apps; and even then it's falling out of vogue. Generally speaking some of the more expensive software packages still use them.
However, the cost of duplicating a dongle is pretty low. Combined with the fact that getting around such security is relatively easy anyway and you have a situation in which you really shouldn't bother.
As Simon said, if it's a web app host it. Otherwise obfuscate it.
If neither of those are possible, then I'd recommend you change your licensing deal with your client to include the possibility of them going elsewhere. Perhaps for an additional charge you'll give them a non-exclusive site license permitting them to do whatever they want with the code short of selling it or giving it to another entity.
did you look at obfuscators. They do a good job at encrypting code. 99% of the time your code cannot be reverse engineered. But if someone sits on your stolen code they can reverse engineer.. In the sense that ordinary people may not obfuscate it. If the person is very intellingent, he will not reverse engineer he will write better code.
I think many developers know that uncomfortable feeling when users tell them that "The application is slow (again)."
In a complex web application there can be many possible reasons for a degradation in (perceived) performance: slow database response, bandwidth issues, bad caching etc. There certainly are issues which will never occur in a development or staging environment.
Now my question:
Is there a set of tools and/or methods which would provide a comprehensive "live" state on a IIS/ASP.NET/SQL Server production system in a visually way (not just performance counters):
Current HTTP requests (say the last n minutes)
Exceptions / timeouts
Bandwidth data
Number of open database connections / database calls
...
The primary goal is to see at a glance (or after looking closer) what problem is causing the performance problems.
I think the category of software you're looking for is ".net profiler" or ".net tracer". One such tool that you might consider is JetBrains' dotTrace. It gives you runtime stack traces and an array of counters that indicate possible bottlenecks.
Previously mentioned tools will certainly work. At our shop we needed finer information and built our own solution (long story: it was easier to code than to argue about tools and retrievable data).
I used LogParser to flip through the IIS logs and create output reports of those logs (e.g. result code breakdowns etc).
I used a combination of performance counters and WMI values to get the rest - you can read these using some pretty straightforward C# - this gives you full control that you can then dump to .csv etc for viewing/processing in excel or if you are updating a page as a control center.
I would probably also look at IIS.net as a great resource for IIS tools including debugging, security etc.
I followed urig's advice and found this software called SmartInspect.
Does anybody know this logging/monitoring tool? It seems to be a combination of real time console and developer library.
CLR 4.5 will have some new capabilities that will help you monitor ASP.NET performance live - without restarting your app. Basically you can re-JIT your code to include some monitoring-hooks in it, and then inspect time spent in classes/methods etc.
I'm sure dotTrace and other profiling tools will leverage this automatically, but it's worth checking out: C9 - Inside Re-JIT with David Broman