Example of a very insecure ASP.NET application - asp.net

I am looking for a very insecure ASP.NET application. Ideally I'm looking for an application that was written by a noob who has made a lot of security mistakes. If the app has an MS-SQL back-end that would be a bonus. I know of two cool projects for PHP and J2EE which fill my needs. Do you know of anything like this for ASP.NET?

Hacme Bank is a pretty good example from Foundstone of what not to do. It's an older example, written in .NET 1.1 against SQL 2000, but covers most of the common vulnerabilities found in web applications.

I know one... there's a business near where I live, and I refuse to join their loyalty program because I accidentally stumbled across a SQL injection vulnerability on their site. I can't tell you who it is though, because they're a real business and I'm sure they don't want your students to hack them.
Why not write your own? Maybe start a codeplex project called LearnSecurity, which has a combination of pages - some which use bad security practices and some which don't.

Yes, as Rob suggested ... you could make a couple of pages ... on the first, get the input from a field and execute it against the database :) On the second, just get some text from the db that contains a javascript alert or something and render it directly on the page :) Just an idea ...
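The two "pages" sketched in that answer, written out as an added example (this is editor-supplied code, not part of any answer on this page). It assumes a hypothetical Users table with UserName and Bio columns and a connection string passed in by the caller; each insecure method is paired with the fixed version so a learner can diff the two lines that matter.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example, not from the original answers. Assumes a table
// Users(UserName nvarchar(256), Bio nvarchar(max)) and a caller-supplied connStr.
public static class LearnSecurityPages
{
    // Page 1, insecure: the value typed into the field becomes part of the SQL text,
    // so the database executes whatever the user wrote.
    public static string LookupBio_Insecure(string connStr, string userName)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            // BAD: string concatenation puts untrusted input inside the statement.
            cmd.CommandText = "SELECT Bio FROM Users WHERE UserName = '" + userName + "'";
            conn.Open();
            return cmd.ExecuteScalar() as string;   // null when no row matches
        }
    }

    // Page 1, fixed: the same query with the value sent as a typed parameter.
    public static string LookupBio_Secure(string connStr, string userName)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            // GOOD: the statement text is constant; the value travels out of band.
            cmd.CommandText = "SELECT Bio FROM Users WHERE UserName = @name";
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Page 2, insecure: text loaded from the db is written straight into the HTML,
    // so any markup or script stored there runs in the visitor's browser.
    public static void RenderBio_Insecure(HttpResponse response, string bio)
    {
        // BAD: no encoding between stored data and the page.
        response.Write("<div class='bio'>" + bio + "</div>");
    }

    // Page 2, fixed: encode for the HTML text context before writing.
    public static void RenderBio_Secure(HttpResponse response, string bio)
    {
        // GOOD: '<', '>', '&', quotes become entities; markup shows as literal text.
        response.Write("<div class='bio'>" + HttpUtility.HtmlEncode(bio) + "</div>");
    }
}
```

The insecure and secure variants differ by a single line each, which is the point of a teaching app: the fix is cheap, the mistake is easy to make. HttpUtility.HtmlEncode is correct only for HTML text and attribute values; text placed inside a script block or a URL needs the encoder for that context.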

You can search the vulnerability databases, like NIST's.

Related

What is a good easy to use framework for rapidly developing web apps with a C# backend?

I am after recommendations for a framework (or project template) for rapid application development using C# on the back-end. It must support the following:
User login/authentication
SPA
Responsive client
Easy to understand client and server (not a steep learning curve like AngularJS)
Clean/uncluttered project structure (both client and server). Some OOTB ASP.NET project templates are very cluttered (e.g. the VS2012/2013 SPA MVC/Knockout/BackBone template) - maybe I could be convinced, but just looking at a new project it puts me off instantly.
Easy DB access.
Flexibility on the client (for custom functionality eg adding maps and other UI libraries like D3) - don't want a client framework that you have to wrangle to paint outside the lines.
Would appreciate any/all suggestions/opinions.
Thanks
Tim
Like anything in software, there are so many ways to do this. You are essentially asking for a complete system architecture. You could try to be more specific, but your question is going to gather opinionated answers and this will probably end up getting closed.
But I'm bored and will throw in a couple of pennies before that happens:
C# most likely means you'll be going .NET on IIS (though maybe it's Docker on Linux?? refer back to my first line above)
User login/authentication
If it's IIS, you could be running Windows Auth, or if in an enterprise, Kerberos or Federation. Or if it's going against social sites, maybe OAuth? This one depends on what authentication your users need and is really separate from the other areas below.
SPA / Responsive client / Easy to understand...
You listed some very popular frameworks (Angular/Knockout) used in modern SPAs. You may not like them but these are becoming industry standards. Responsive web is pretty much bootstrap or foundation. Though, angular material seems to be gaining popularity too.
Easy DB access.
What's your definition of easy? Looking for an ORM? If so, Entity Framework is popular in .NET apps. Or if you are more of an SQL person, maybe LINQ is easier. Many options here too.
Flexibility on the client ...
Though you may not like some of them, using popular frameworks means you get a lot of developer support behind it - and a lot more answers here on SO if you have problems. One man's sunset is another man's sunrise. What you consider difficult might be viewed as easy by another. Hard to say what's most flexible, but going popular means you get more help.

Time to learn ASP.NET for a client-side scripter?

I am taking part in Imagine Cup and got only three months for building a site in ASP.NET. Is it possible to learn enough to build a working site containing a CMS and login system in a month? It's not that I am beginning web development; I already know a little ASP.NET and know AJAX, JavaScript, CSS, HTML, SQL but have never worked with databases. I was never into web development but started because of Imagine Cup. In 2 months I already know HTML, CSS, JavaScript and AJAX, but I am worried about the complexity of server-side scripting and ask for the best way to get me working in ASP.NET in a month. I know C#.
Although you can't be an expert in a month, you can get up and running fairly quickly with webforms. Since it already includes a login system, you can get that up and running quickly.
As far as CMS, it depends what you need. An advanced CMS system is a major undertaking.
Getting going with ASP.NET
Actually, if you want to re-apply everything you know about creating JS-enabled static HTML sites, you'd have a smoother path using MVC because you don't have to guess what the tag IDs are, you don't have to guess what kind of HTML a server-side control is going to create, etc.
That said, Jonathan Wood is correct, to just create a page with labels and buttons, Web Forms has fewer concepts you need to learn, but you will find it harder to apply the same techniques that work well with JS + static html.
Data bases
If you use SQL Compact, then it is easier to get started because you needn't learn to mess with the numerous things going on with SQL Server (like a security model appropriate for big companies, but not for learners). Another easy alternative is MS-Access because the "Query by Example (QBE)" query designer is still better than anything that the Visual Studio or SSMS teams ever put together.
Keep in mind that if you use MS-Access, while it will be really easy to learn (more so than SQL Compact), MS-Access uses Jet SQL and has many other differences from SQL Server, whereas everything you learn about SQL Compact will apply to SQL Server.
Not sure what the conditions etc. of Imagine Cup are, but I strongly recommend using an existing CMS (in particular Umbraco) instead of developing everything from scratch. Some advantages are:
No need to dive into SQL and databases right away
Building blocks are available (login system) and leverage existing ASP.NET technologies
Razor can be used instead of xslt which will be a skill you'll be able to apply to pure ASP.NET MVC development later on
Very friendly and helpful community if you need some help
Starter kits available - basic web sites can be created easily
By diving into any detail of the CMS, you'll learn a lot (source code available)
You could probably pick up the basics with a few good books. Sam's, Wrox, APress and O'Reilly are great. You can also check http://www.asp.net/get-started for Microsoft's official tutorials.
You can also download the express versions of Visual Studio 2010 and SQL Server. If you want to continue on after the competition I'd strongly recommend you learn database programming on SQL Server 2010 Express. (It'll help you down the road)
Good luck with it.

Umbraco alternative?

I've been trying to learn how to develop websites with ASP.NET as well as set up a personal website to use as an online portfolio/resume. With my website I've decided not to try to reinvent the wheel and thus decided to use a premade ASP.NET-based CMS.
After reading a lot of reviews I settled on Umbraco, but now I'm seeking out alternatives. I like Umbraco a lot but I keep running into problems. Since installing it on my host I haven't made any changes through the file system or database directly. All changes have been through the admin site. Yet somehow I kept getting it into some state where I could not delete a datatype, and now I'm having problems removing or renaming one of my templates. I've searched the Umbraco forums for solutions and usually find that I have to run some SQL script workaround on the database to clean things up. This kind of thing is really not something I want to fiddle with for my personal site.
Has anyone else had a lot of problems with Umbraco like I have? Are there other free CMS systems out there that are more reliable, yet similar to Umbraco? Specifically I really like how Umbraco gives me total control over the HTML generated by my site. Simple is also better in this case. I'm not trying to create some kind of social network/community portal/forum/blog site. There won't be multiple people logging onto this site or anything like that.
I've been reading a bit about N2, which I'm now starting to consider. I like that it's more developer-based and that you set up page types through real .NET classes in Visual Studio. Again, I don't want to attempt to build my own CMS from scratch, but at the same time I really don't like how hard it is to see what's going on under the hood with most other CMS systems.
I haven't used N2 so I can't comment on that, but alternatives you can consider are Orchard or FunnelWeb; both are on MVC 3 and Razor.
If you're wanting a blog that is mostly just a blog then FunnelWeb is a good option.
I'm currently writing a comparison between Orchard and Umbraco if you're interested as well.
I think you'll be happy you stuck with Umbraco. I was so frustrated with Umbraco when I first started working with it for the exact reasons you stated above. The issue with not being able to delete data types could mean that it's connected to something (i.e. document or media type) somewhere, and if you force delete it (i.e. via the db) you could really mess up your install. <- speaking from experience.
I'm absolutely in love with Umbraco now though. I am completely confident that I can build just about anything I need with it now.
I think that my best piece of advice I can pull from my own experience is make sure that you've got your site architecture planned out thoroughly before starting to build it out in Umbraco. You don't want to be fiddling around in there afterward changing things and that's where you can really get yourself into some hot water.
Have fun!
If you want a minimal .NET MVC4 CMS with good performance, check out puck https://bitbucket.org/yohsii/puck/overview
It adds very few concepts on top of what you need to know for .NET MVC, but it does require .NET 4.5 (and therefore VS2012) to work with.
It also uses LocalDB out of the box, but if you don't want to install that, just attach the database .mdf file to a regular SQL Server and change the connection string.

WebSite Deployment Skills

We need to increase our knowledge on deployment of ASP.NET Web sites/Web Apps. We are getting increasingly bigger and more traffic and need a more professional approach. Not to mention, we are also moving up to multiple database/multiple back end/multiple front end server deployments and we just don't want to screw it up.
What type of skills should we be looking for and is there a typical title people with these skills use?
Thanks,
Actually, we have most of the talents the two answers mention; what we are looking for is, I guess, what Dave calls the web server guru. I simply want someone to handle the deployment aspect. The developers we have need to be working on their end of it, not trying to figure out deployment best practices. Also, we may end up with multiple projects and teams and I don't think each team having a separate person rolling their own solutions would be as good as 1 dedicated resource for all the teams.
If you're looking to take an ASP.NET application to the next level, you need the development talent.
At least four years of intensive ASP.NET development experience.
A current certification to go with the experience would be good, but don't take the cert over the experience.
Find someone familiar with the techniques used in your app - if it's a Webforms app, don't go looking for an MVC wizard unless he/she also has the Webforms chops, etc.
It sounds like you may be handling the hosting yourself. If this is the case, you may also need to either hire a webserver guru or look into managed hosting. Don't be snookered into thinking you can get your dev to care and feed the hosting environment, it's too much work for one person.
Sounds like you will need at least three people, as the skills may not typically be what one person can do.
You may need a database administrator, to ensure that your multiple databases stay in sync, or backed up properly and configured correctly.
You will need a sysadmin to set up the multiple webservers and to ensure that all the hardware and infrastructure is configured properly.
And, you will need a .NET developer that knows ASP.NET as well as the database layer.
If you were hosted then the first two you don't need as your hosting site would be responsible.
If you went with cloud computing then the same, you don't need the first two.
But, regardless, sounds like you need the third.
For the developer, you need to be careful about what skills you need, for example, C# for 4 yrs, ASP.NET for 2yrs, if you need javascript or css then specify that. If you are using any particular libraries then specify that.

ASP.NET SqlMembership Provider Scalability

I've got an upcoming project that is going to be dealing with 70,000+ users (education). I was wondering if the ASP.NET SqlMembership Provider has been used at such large capacities? Assuming the hardware is there, is there anything special that needs to be done to make it work smoothly? We're doing all the obvious things like separating boxes for databases and applications, but is there anything code wise that I need to watch out for?
I know one site whose owner wrote a brilliant article about ASP.NET performance (http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx).
In this article there is one section where the author describes a patch to the profile provider for higher performance. Please read that section.
Inbuilt SqlMembershipProvider is very reliable and workable. They tightly integrate with FormsAuthentication and Login Controls. So authentication is reliable and it is also quick to implement.
The only problem I see is the complexity of the database table structure; they are quite tidy and not so straight at first. So you can basically write your own MembershipProvider that will talk to your own users table with a more simplistic design and implementation. Managing members in admin is also painful due to the table design, but in a way it is fairly possible to do so. For these reasons we wrote our own MembershipProvider based on SQL. It's working amazingly and we've had good experience with it.
If you have a small website or project you can go straight on with the inbuilt SqlMembershipProvider, but for a large project like yours I'd recommend writing your own MembershipProvider.
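If you do roll your own SQL-backed MembershipProvider as that answer recommends, the two pieces you must not get wrong are how the password is stored and how the lookup query is built. The following is an added example (editor-supplied, not the answer's own code and not the built-in SqlMembershipProvider): the credential-handling core that a custom provider's ValidateUser override would call. It assumes a hypothetical table Users(UserName nvarchar(256) primary key, PasswordHash varbinary(32), Salt varbinary(16), Iterations int) and uses PBKDF2 via Rfc2898DeriveBytes, which ships with the .NET Framework.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example, not from the original answer. Assumes the table
// Users(UserName nvarchar(256) PK, PasswordHash varbinary(32), Salt varbinary(16), Iterations int).
public static class SimpleSqlMembership
{
    const int SaltBytes = 16, HashBytes = 32, DefaultIterations = 100000;

    // Store a per-user random salt and a PBKDF2 hash; the plaintext never touches the table.
    public static void CreateUser(string connStr, string userName, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        var hash = Derive(password, salt, DefaultIterations);

        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            // Parameterised throughout: user-supplied values never become SQL text.
            cmd.CommandText = "INSERT INTO Users (UserName, PasswordHash, Salt, Iterations) " +
                              "VALUES (@u, @h, @s, @i)";
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@h", SqlDbType.VarBinary, HashBytes).Value = hash;
            cmd.Parameters.Add("@s", SqlDbType.VarBinary, SaltBytes).Value = salt;
            cmd.Parameters.Add("@i", SqlDbType.Int).Value = DefaultIterations;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // What MembershipProvider.ValidateUser(username, password) would delegate to.
    public static bool ValidateUser(string connStr, string userName, string password)
    {
        byte[] storedHash, salt;
        int iterations;

        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT PasswordHash, Salt, Iterations FROM Users WHERE UserName = @u";
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (var r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;            // unknown user: same result as bad password
                storedHash = (byte[])r["PasswordHash"];
                salt = (byte[])r["Salt"];
                iterations = (int)r["Iterations"];       // stored per row so it can be raised later
            }
        }

        // Re-derive with the stored salt and iteration count, then compare in constant time.
        var candidate = Derive(password, salt, iterations);
        return FixedTimeEquals(candidate, storedHash);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte regardless of where the first mismatch is, so the
    // time taken does not reveal how much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A real provider subclass still has to implement the rest of the MembershipProvider surface (user lookup, password reset, lockout counters and so on), which is where the "more simplistic design" the answer mentions usually pays off; keeping the iteration count in the row lets you raise it for new accounts without invalidating existing ones.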
