In this advisory concerning the oracle padding exploit, Microsoft posted the following recommended error page:
<%# Page Language="C#" AutoEventWireup="true" %>
<%# Import Namespace="System.Security.Cryptography" %>
<%# Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
What's with the Thread.Sleep for some value between 0-255? I don't want my server threads tied up for up to quarter of a second.
The reason is to alter the timing of the result. By making the return take a variable amount of time, you can't use the timing of the error return to determine the reason for failure, which is the approach that is used for the attack
Related
I am a c# guy but I need to get a small vb.net test harness working. For the life of me I can't get this to work, and can't discover why. Here's the aspx:
<%# Page Language="vb" AutoEventWireup="false" CodeBehind="Default.aspx.vb" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
<title>Source Page</title>
</head>
<body>
<form id="form1" runat="server">
</form>
</body>
</html>
And here is the .vb:
Public Class _Default
Inherits System.Web.UI.Page
End Class
Always the error "Could not load type '_Default'." I even turned the folder into a true Application in IIS but it made no difference. What am I missing?
What am I missing?
Try the below two -
If your code-behind contains a namespace then modify your inherits attribute in Page directive as Inherits="namespace._Default".
If it doesn't, simply remove this Inherits attribute from Page Directive.
Changing the Codebehind attributename to CodeFile worked for me:
vb
CodeFile="Default.aspx.vb"
C#
CodeFile="Default.aspx.cs"
So I am using the below code to do a xslt transformation. But I am pretty new to ASP.NET development so the errors are slightly misleading. This code is generating an error that states it doesn't understand physical paths and only virtual paths. What is a virtual path and how do I make one from a specified physical path?
<%# Master Language="C#" AutoEventWireup="true" CodeBehind="Site.master.cs" Inherits="ViewerASP.SiteMaster" %>
<%# Import Namespace="System.Xml" %>
<%# Import Namespace="System.Xml.Xsl" %>
<%# Import Namespace="System.Xml.XPath" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head runat="server">
<title>Viewer</title>
<link href="~/Styles/Site.css" rel="stylesheet" type="text/css" />
<script language="C#" runat="server">
public void Page_Load(Object sender, EventArgs E) {
string xmlPath = Server.MapPath("physicaladdresshere");
string xslPath = Server.MapPath("physicaladdresshere");
//Instantiate the XPathDocument Class
XPathDocument doc = new XPathDocument(xmlPath);
//INstantiate the XslTransform Class
XslTransform transform = new XslTransform();
transform.Load(xslPath);
//Custom format the indenting of the output document using XmlTextWriter
XmlTextWriter writer = new XmlTextWriter(Response.Output);
writer.Formatting = Formatting.Indented;
writer.Indentation=4;
transform.Transform(doc,null,writer);
}
</script>
<asp:ContentPlaceHolder ID="HeadContent" runat="server">
</asp:ContentPlaceHolder>
</head>
<div class="main">
<asp:ContentPlaceHolder ID="MainContent" runat="server"/>
</div>
</body>
</html>
Server.MapPath maps virtual path - that is path in a virtual IIS directory - to the physical path on a server. Apparently you do not need that, since you already have an absolute server-side path. Just remove these Server.MapPath calls:
string xmlPath = "C:\\Users\\kyle\\Desktop\\file.xml";
...
I call flush but the page just hangs for 5second (purposely) then renders completely. Why isnt it showing me the first part then the last?
Firefox 7 and chrome both do this
code file
using System;
namespace ABC
{
public class Test
{
static public void Apple()
{
System.Web.HttpContext.Current.Response.Flush();
System.Threading.Thread.Sleep(5000);
}
}
}
page
<%# Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication1._Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
hi
<form id="form1" runat="server">
<div>
starting
<% ABC.Test.Apple(); %>
<% WebApplication1._Default.RecurseMe(Response, #"/var/www/wordpress", 0); %>
</div>
</form>
</body>
</html>
I don't think a web browser will show the page before it's done loading the HTML. Think about it this way.. there are tags that need to be closed before the page can be rendered correctly and is a tag.
I'm not sure why you need to do this, but if you want to hide some data while it loads you should hide the area in a hidden div and then display it using javascript after the time interval or some other method such as an AJAX callback.
I tried to call my helloworld by just including javascript inside webform but when running it page is blank on both chrome and firefox. In firefox error is
"XML Parsing Error: no element found"
<%# Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="jquery01._Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js">
</script>
<script type="text/javascript">
function helloWorld() {
$("#divSample").append("Hello World!!");
}
</script>
</head>
<body>
<form id="form1" runat="server">
<div id="divSample">
</div>
<script type="text/javascript"> helloWorld();</script>
</form>
</body>
</html>
I needed to add in codebehind:
protected override void Render(HtmlTextWriter writer)
{
this.Page.ClientScript.RegisterStartupScript(this.Page.GetType(),
"startup", "<script type=\"text/javascript\">helloWorld();</script>");
base.Render(writer);
}
In that case it works but I don't understand why I just can't use the 1st syntax why it's so complicated for such a simple stuff ?
I also tried the suggestion but it didn't work either:
<%# Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="jquery01._Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js">
</script>
<script type="text/javascript">
function helloWorld() {
$("#divSample").append("Hello World!!");
}
</script>
<script type="text/javascript">
$(document).ready(function () {
helloWorld();
});
</script>
</head>
<body>
<form id="form1" runat="server">
<div id="divSample">
</div>
</form>
</body>
</html>
Update: Seems ASP.NET can be unreliable in some circumstances with ajax / jquery ?
http://chiragrdarji.wordpress.com/2010/02/17/xml-parsing-error-no-element-found/
Try wrapping your helloWorld() call in jQuery $(document).ready syntax:
<script type="text/javascript">
$(document).ready(function(){
helloWorld();
});
</script>
Have you tried to run it in a debugger, like FireBug for FIreFox or Chrome's developer tools? (Haven't tried IE's yet... I copyied and pasted your code above and it worked fine for me...
try using a delay="delay" attribute on your script tag.
<script type="text/javascript" delay="delay">helloWorld();</script>
IE does not like if you try to modify the DOM structure when the html is still being rendered. this attribute tells the browser to delay script execution until it is done with the rendering.
Did you try getting rid of the Render override?
protected override void Render(HtmlTextWriter writer)
{
this.Page.ClientScript.RegisterStartupScript(this.Page.GetType(),
"startup", "<script type=\"text/javascript\">helloWorld();</script>");
base.Render(writer);
}
I'm trying to add some share this javascript in between the head tags of an asp.net page but only if the page is not secure (!Request.IsSecureConnection). How do I get the code in the head tags to check for secure connection and then write the javascript if not secure. I've tried using <% %> blocks and RegisterStartupScriptBlock and it's not working
UPDATE:
Was able to get it to work using this in the Page_Load
if(!Request.IsSecureConnection)
{
HtmlGenericControl Include = new HtmlGenericControl("script");
Include.Attributes.Add("type", "text/javascript");
Include.Attributes.Add("src", "http....");
this.Page.Header.Controls.Add(Include);
}
This works for me:
<%# Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication1._Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<% if (!Request.IsSecureConnection)
{ %>
<script type="text/javascript">
onload = function() {
alert('Page is not secure') };
</script>
<% } %>
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
</div>
</form>
</body>
</html>
<%if (!Request.IsSecureConnection)
{%>
<script ..........> </script>
<%}%>
This didn't work?
Update From your comments this didn't work. I'm guessing it has to do with something you are doing in your code behind. Did you try calling RegisterClientScriptBlock from your code behind? If you could post your aspx and code behind we might be able to help more.