In our MVC website log I can see lot of errors with message "A public action method was not found". Requests are coming with junk action method name.
For example if I have action name "GetProducts" then requests are coming with actiona name as "GetProducts AND 1=1" , "GetProducts;id'" , "GetProductswhscheck".
is this because of internet bots are trying to access my website with junk values?
It may be bots, it may be script kiddies, or it may be crackers. Either way - somebody is trying to find vulnerabilities on your site.
Let's look at the first one:
GetProducts AND 1=1"
This looks like an attempt at SQL Injection. There was probably a longer query after the "1=1", trying to get information out of your database - like usernames, e-mail addresses, and so on.
To defend yourself, make sure your queries are parameterized. You may also want to add some form of rate-limiting on your system; if possible, see if you can add captchas.
You may also want to look at this answer on Information Security Stack Exchange, and the OWASP top 10 security vulnerabilities.
Do this as soon as possible, because somebody's trying to break in to your system.
Related
we have just added Application Insights to our WebAPI 2.2 application and it looks like a winner.
However, we have some controllers that receive sensitive information that we cannot store due to compliance regulations, even in Application Insights. We want to capture information level trace events on some of our controllers, but we need to not capture or obscure the information when sent through other controllers. Can anyone suggest a way that we can achieve that?
Since you're using the Microsoft.ApplicationInsights.TraceListener package, I don't think there's any way to directly filter the data. If you can add something special to the Trace.WriteXxx() call, then one option might be to implement a TraceFilter and register it through your configuration for the ApplicationInsights Trace Writer.
Then in your TraceFilter.ShouldTrace(), you could check for that special value (maybe it's the event ID, maybe some prefix in the trace message, or something like that) and simply return false to cause it to be skipped.
I asked the same question on the Azure MS website and got a reply that works well.
Anyone looking here for an answer should look there.
https://azure.microsoft.com/en-us/documentation/articles/app-insights-get-started/#comment-2309233065
I'm still in a learning phase with PHP and Laravel 5 and since I upgraded to L5, I struggle with where my code belongs to. There are so many files and folders which seem to have the same purpose or at least are very similar. There are Commands, Controllers, Events, Services, Requests, etc. I give an example with my workflow and where I would place the code and I hope you guys can comment on that and correct/help me.
Situation
I want to register a new user in my application and send a welcome e-mail when he registered successfully.
Workflow
Controller (UserController): Returns requested view (register).
Request (RegisterRequest): The "RegisterRequest" validates the entered data.
Controller (UserController): Passes the validated data to the "UserRegistrar" (service) in 'App/Services'.
Service (UserRegistrar): Creates a new user and saves it to the database.
Controller (UserController): Fires the "UserWasRegistered" Event.
Event (UserWasRegistered): This Event call the "SendWelcomeEmail" Command.
Command (SendWelcomeEmail): This Command will send/queue the welcome e-mail.
Controller (UserController): Redirects the user to a view with the information that he has been registerd successfully and a message has been send to him.
Logic
Okay, let's discuss some logic:
Controller:
Doesn't hold much code.
Mainly there to return views (with requested data).
Handles workflow and "connects" modules (Services, Requests, Events).
Request: Validates the data for a specified request
Service: A service "does" something. For example it's doing requests to the database.
Event: An Event is a central place to call one or more tasks if it is fired (SendConfirmationMail, SendWelcomeMail).
Command: Mainly there to handle the logic for ONE certain task. For example sending a confirmation mail. Another command will hold the logic for sending the welcome mail. Both commands are called in the Event described before.
Repositories: What is that?!
So this is what I understand. Please help me and feed me with information.
Thanks,
LuMa
Your question is a little vague and will likely attract downvotes as being "too broad". That said, here's my take on this...
The biggest issue I see is that your application structure is very different from the recommended L5 structure - or even the standard MVC structure - that it's no wonder you're getting confused.
Let's talk about your "Logic" section:
controller - you're on the right track here. The controller is the glue between your models and your views. It can do some processing, but most should be offloaded to classes that handle specific tasks.
request - what is this? L5 includes a Request class that includes methods for examining the HTTP request received from the client. Are you talking about subclassing that? Why? If your idea of a "request" class is primarily concerned with examining input, you can either do that in your model (ie. validating stuff before sticking it in the database) or in your controller (see the L5 docs on controller validation)
service - again, what is this? You talk about "doing requests to the database", but L5 provides a class for that (DB). At a higher level, database access should primarily be done through models, which abstract away most of the low level database access. As for other services, what I usually do is create libraries to perform specific processing. For example, my application has a particular third party project management application that it accesses via an API. I have a library for that, with methods such as getProject or createProject.
event - An event is a way of ensuring that some code is called when the event happens, without a whole lot of messing about. It sounds like you have the right idea about events.
command - again, it sounds like you have the basic idea about commands.
repositories - these are way of abstracting the connection between a resource (primarily the database, but it can apply to other resources too) and the code that uses the resource. This gives a way to switch the underlying resource more easily if you (for example) decide to change database servers in the future. They are optional.
You also haven't mentioned anything about models. L5 provides an excellent way to deal with your data in understandable chunks via Eloquent models - this will make your life much easier.
My suggestion is this: start small. Build a simple MVC application with L5 - A model (to save some data), a view (to display the data), and a controller (to put the model & view together by handling the client request). Once you have that, start extending it.
There are tutorials out there that will give you this basic structure for Laravel - most are for Laravel 4, but see if you can follow the basic ideas and build something similar for Laravel 5.
I asked this question last week but only got 8 views.
A part of the application I'm working on requires creating a ton of user-to-user requests and validating they all get processed correctly in the application. This requires countless hours of QA work and could be automated with a simple script like
users_api = Koala::Facebook::TestUsers.new(config)
users = test_users.create_network(10, true, "email,user_likes,publish_actions")
users.permutations(2) do |u1, u2|
graph = Koala::Facebook::API.new(u1['access_token'])
requests_types.each do |req|
graph # .user_to_user_request(u2, req) Oh noes I can't do this part
end
end
Everything I've seen points to the fact that it's impossible to create user-to-user requests in a script, even for test users. Is there any other (automated) way to do this?
Edit
What I'm trying to find is a way to create user-to-user requests. The validation would still be manual by the QA team. The problem we're facing is that they need to create 90 requests and make sure they didn't skip a single one, then validate the data.
Solution to this is tricky one. You probably have two solutions, depending on what you need.
First one is to manually provide access tokens for tests. That would require creating several fictional users or gathering access tokens from friends via Api Explorer. This is of course very inconvenient, but probably needed for second idea so I'm mentioning it. The question is how much users will you need to test? In most situations 3-4 users should be enough to provide test case.
Second idea will require actually running tests suite once using first idea and recording results using gems like webmock or fakeweb. This will allow you to remember what API response will serve and using it in later tests without need to regenerate tokens. This should also speed up your tests significantly as will avoid waiting for each request from FB API.
I created an ASP.NET MVC4 Web API service (REST) with a single GET action. The action currently needs 11 input values, so rather than passing all of those values in the URL, I opted to encapsulate those values into a single class type and have it passed as Content-Body. When I test in Fiddler, I specify the verb as GET, and enter the JSON text in the "Request Body" input box. This works great!
The problem is when I attempt to perform Load Testing in Visual Studio 2010 Ultimate. I am able to specify the GET action and the JSON Content-Body just fine. But when I run the Load test, VS reports exceptions of type ProtocolViolationException (Cannot send a content-body with this verb-type) in the test results. The test executes in 1ms so I suspect the exceptions are causing the test to immediately abort. What can I do to avoid those exceptions? I'd prefer to not change my API to use URL arguments just to work-around the test tooling. If I should change the API for other reasons, let me know. Thanks!
I found it easier to put this answer rather than carry on the discussions.
Sending content with GET is not defined in RFC 2616 yet it has not been prohibited. So as far as the spec is concerned we are in a territory that we have to make our judgement.
GET is canonically used to get a resource. So you are retrieving this resource using this verb with the parameters you are sending. Since GET is both safe and idempotent, it is ideal for caching. Caching usually takes place based on the resource URI - and sometimes based on various headers. The point is cache implementations - AFAIK - would not use the GET content (and to be honest I have not seen any GET with content in real world). And it would not make sense to include the content in the key generation since it reduces the scalability of the caches.
If you have parameters to send, they must be in the URI since this is part of what defines that URI. As such, I strongly believe sending content with GET is wrong.
Even when you look at implementations such as OData, they put the criteria in the URI. I cannot imagine your (or any) applications requirements is beyond OData query requirements.
I'm working on a Web Service project to provide data to a partner. Our app is really light weight and has only a handful of APIs. Because of time constraint and in-house pre-existing knowledge we went the Spring MVC / Spring Security path to serve those restful APIs.
At any rate this is a B2B project where we are expecting only that partner to hit our servers. So it seems a little over kill to modify are very small db schemas to add tables that would contain only 1 user access record for that partner...
Heard someone say though that it's possible to use an encrypted file, or at least a file where the password information is encrypted, instead of the database to hold the Spring Security user access information... Is that true? If it is can anyone point me to some references? I couldn't find anything relevant on Google at first glance... :(
Thanks.
http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/
See the '' under the authentication-provider; this allows you to use encrypted passwords (use sha). If you only have a single user and you wanted the information in an external file, then you could use a property file configuration placeholder to simply specify
${user.1.id} ${user.1.passwordenc},etc... kinda hacky, but it would work.
It's VERY possible. In fact, you can do it without coding; it's pretty simple to include the credentials directly in the XML defining the Spring Security stuff. You usually see this in examples, followed by warnings to "DON'T DO IT LIKE THIS!"
If in-house security is no big deal and you're not worried that your developers can see your password (as if they needed it, heh!) and no one else is likely to access your configuration files, then this is a quick and easy yet workable solution.
I'm going to post this, but I'm off to go dig in the Spring Security documentation for the example I was talking about I'll be back!
Update
Trever Schick was a bit faster with the example. I had a different example in mind but his code shows exactly what I was talking about. You define your security provider in the XML and provide user ID/password right there. There are a number of utilities available on the 'net for you to MD5 or SHA encode your password for you so you can cut and paste it into the file.
You need to implement a new org.springframework.security.core.userdetails.UserDetailsService that reads the user's information (username, password, enabled flag, and authorities) from a file. I don't know if someone already implemented it.