How to prevent CSRF attack in asp.net webform? - webforms

How to prevent CSRF (Cross-site Request Forgery) attack in ASP.NET WebForms?
Is there anything like [ValidateAntiForgeryToken] in ASP.NET MVC?

When you are talking about protecting the ViewState, there is the 'ViewStateUserKey', which you can use.
Basically you need to use a specific key per user, that is derived from the ASP.NET Session. Here's an example:
/// <summary>
/// Raises the <see cref="E:System.Web.UI.Control.Init" /> event to initialize the page.
/// </summary>
/// <param name="e">
/// An <see cref="T:System.EventArgs" /> that contains the event data.
/// </param>
protected override void OnInit(EventArgs e) {
    base.OnInit(e);
    // Validate whether ViewState contains the MAC fingerprint
    // Without a fingerprint, it's impossible to prevent CSRF.
    if (!Page.EnableViewStateMac) {
        throw new InvalidOperationException("The page does NOT have the MAC enabled and the view state is therefore vulnerable to tampering.");
    }
    ViewStateUserKey = Session.SessionID;
}
You can learn more e.g. from the Microsoft Docs.
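The closest WebForms equivalent of [ValidateAntiForgeryToken] is a synchronizer token: a random secret kept in the session, emitted as a hidden field, and compared on every postback. The following base page is an added example, not the answerer's code or anything from Microsoft; it layers that token on top of the ViewStateUserKey binding shown above. The class name, the session key and the hidden field name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Hypothetical base page (example, not the answerer's code). Pages that derive
// from it get a per-session synchronizer token checked on every postback, in
// addition to the ViewStateUserKey binding shown in the answer above.
public class AntiForgeryPage : Page
{
    // Assumed names for the session slot and the hidden form field.
    const string TokenSessionKey = "__AntiForgeryToken";
    const string TokenFieldName = "__AntiForgeryField";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        if (!EnableViewStateMac)
            throw new InvalidOperationException("ViewState MAC must stay enabled.");

        // Bind ViewState to this session so a ViewState captured in one session
        // is rejected when replayed in another.
        ViewStateUserKey = Session.SessionID;

        string token = Session[TokenSessionKey] as string;
        if (IsPostBack)
        {
            // The token must have been issued earlier in this session and must
            // match the value the form carried; a page on another origin cannot
            // read it, so a forged request cannot supply it.
            string submitted = Request.Form[TokenFieldName];
            if (token == null || submitted == null || !FixedTimeEquals(token, submitted))
                throw new HttpException(403, "Anti-forgery token missing or invalid.");
        }
        else if (token == null)
        {
            token = NewToken();
            Session[TokenSessionKey] = token;
        }

        // Re-emit the same token so the next postback from this session carries it
        // (rotating per request would break forms open in a second tab).
        ClientScript.RegisterHiddenField(TokenFieldName, token);
    }

    static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Compare without stopping at the first mismatching character, so the time
    // taken does not reveal how much of the token was right.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Storing the token in Session has a side benefit for the ViewStateUserKey approach: with cookie-based session state ASP.NET issues a fresh SessionID on every request until something is actually stored in the session, so a bare ViewStateUserKey = Session.SessionID can differ between the GET that rendered the form and the POST that submits it. Once the token is stored, the ID is stable for the rest of the session.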

Related

Signin Cards for bot in Teams

Can anyone tell me where I can get the JSON for the Microsoft sign-in card for a Teams bot, how to view it in a visualizer, and whether it can be used to mask the password?
This is the OauthCard.cs file:
// <auto-generated>
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License. See License.txt in the project root for
// license information.
//
// Code generated by Microsoft (R) AutoRest Code Generator.
// Changes may cause incorrect behavior and will be lost if the code is
// regenerated.
// </auto-generated>
namespace Microsoft.Bot.Schema
{
    using Newtonsoft.Json;
    using System.Collections;
    using System.Collections.Generic;
    using System.Linq;

    /// <summary>
    /// A card representing a request to perform a sign in via OAuth
    /// </summary>
    public partial class OAuthCard
    {
        /// <summary>
        /// Initializes a new instance of the OAuthCard class.
        /// </summary>
        public OAuthCard()
        {
            CustomInit();
        }

        /// <summary>
        /// Initializes a new instance of the OAuthCard class.
        /// </summary>
        /// <param name="text">Text for signin request</param>
        /// <param name="connectionName">The name of the registered
        /// connection</param>
        /// <param name="buttons">Action to use to perform signin</param>
        public OAuthCard(string text = default(string), string connectionName = default(string), IList<CardAction> buttons = default(IList<CardAction>))
        {
            Text = text;
            ConnectionName = connectionName;
            Buttons = buttons;
            CustomInit();
        }

        /// <summary>
        /// An initialization method that performs custom operations like setting defaults
        /// </summary>
        partial void CustomInit();

        /// <summary>
        /// Gets or sets text for signin request
        /// </summary>
        [JsonProperty(PropertyName = "text")]
        public string Text { get; set; }

        /// <summary>
        /// Gets or sets the name of the registered connection
        /// </summary>
        [JsonProperty(PropertyName = "connectionName")]
        public string ConnectionName { get; set; }

        /// <summary>
        /// Gets or sets action to use to perform signin
        /// </summary>
        [JsonProperty(PropertyName = "buttons")]
        public IList<CardAction> Buttons { get; set; }
    }
}
It can be found here. That being said, AFAIK, there is no visualizer for it, it's not in JSON, and there's nothing there to mask.
You can create a Sign In card in C#:
SigninCard signincard = new SigninCard()
{
    Text = "Click here to sign in",
    Buttons = new List<CardAction>() {
        new CardAction()
        {
            Title = "Authentication Required",
            Type = ActionTypes.OpenUrl,
            Value = $"{authenticationUrl}?{encodedCookie}"
        }
    }
};
Please give it a try.

Empty model property description on ASP.NET Web API Help Pages

Introduction
I've followed this tutorial to set up my ASP.NET Web API Help Pages.
Using <package id="Microsoft.AspNet.WebApi.HelpPage" version="5.2.3" targetFramework="net452" />
The documentation seems to be fine, but I'm getting empty model property descriptions.
They are empty in both the controller method/endpoint doc and the model details doc.
Controller method example
/// <summary>
/// POST: api/remitent
/// </summary>
/// <param name="remitent"></param>
public void Post([FromBody]Remitent remitent)
{
}
Model property example
/// <summary>
/// First name property summary
/// </summary>
[Required]
[MaxLength(49)]
public string FirstName { get; set; }
Results
I would expect the FirstName property summary to fill the model property description on docs. Instead the description column is empty:
Does anyone know how to solve that?
Did you uncomment this line of code in Areas/HelpPage/App_Start/HelpPageConfig.cs:
config.SetDocumentationProvider(new XmlDocumentationProvider(
    HttpContext.Current.Server.MapPath("~/App_Data/XmlDocument.xml")));
You can use Swashbuckle instead of Microsoft.AspNet.WebApi.HelpPage. I find Swashbuckle provides better documentation and a friendly UI to explore your API. You can also use it to test your API.

ASP.NET MVC 3.0 Razor, load View from anywhere out of the box?

Is it true that it is possible to load a View from anywhere without implementing a custom VirtualPathProvider in MVC 3.0?
If it is true, how do I do it?
Basically it is not a problem to implement a custom VirtualPathProvider which would load the View from anywhere, but my implementation works only in MVC 2.0 and not with MVC 3.0; for some reason the method GetFile is never called for non-existent views in MVC 3.0, and in that case I am getting "Server Error in '/' Application."
I followed the same code for my custom VirtualPathProvider from here: http://buildstarted.com/2010/09/28/mvc-3-razor-view-engine-without-a-controller/
UPDATE 1
OK, I did fix my problem with my custom VirtualPathProvider after I put the registration of my custom VirtualPathProvider as the first line in Application_Start():
protected void Application_Start()
{
    //Should be first line before routes and areas registration.
    HostingEnvironment.RegisterVirtualPathProvider(new MyVirtualPathProvider());
    AreaRegistration.RegisterAllAreas();
    RegisterGlobalFilters(GlobalFilters.Filters);
    RegisterRoutes(RouteTable.Routes);
}
When the registration of the custom VirtualPathProvider in Global.asax.cs comes after AreaRegistration.RegisterAllAreas(); or RegisterRoutes(RouteTable.Routes);, the method override VirtualFile GetFile(string virtualPath) won't work for "virtual Views".
UPDATE 2
Does it mean that the classes RazorView and RazorViewEngineRender are the answer?
UPDATE 3
If I have a string representation of my Razor view which does not exist in the file system (e.g. I store Razor views in a database), how may I render it using this kind of approach: http://buildstarted.com/2010/09/28/mvc-3-razor-view-engine-without-a-controller/
For example, the string representation of my View looks like this:
"@{
    ViewBag.Title = ""About Us"";
}
<h2>About</h2>
<p>
    Put content here.
</p>"
UPDATE 4
Now I see: to be able to use @Html.<something>, a custom TemplateBase should be implemented.
A sample implementation of HtmlTemplateBase<T> can be found here http://www.fidelitydesign.net/?p=239, but it won't work with RazorEngine v2: I successfully get the template compiled, then after the assembly is loaded the method public override void Execute() won't be executed and I get an error: The method or operation is not implemented (stacktrace: http://tinypic.com/r/dcow4/7)
To make "public override T Model" work I changed the declaration of "public TModel Model" to "public virtual TModel Model" in "public abstract class TemplateBase<TModel> : TemplateBase, ITemplate". Maybe there are some other changes that should be done? Or should something in HtmlTemplateBase<T> be done another way?
Don't be confused by Ben's (@BuildStarted) sample code in his article. He is detailing how to use an early version of the Razor ViewEngine to render templates without using a controller action. The intention was to be able to render templates in a generic fashion, rather than as specific page views. (This is what has evolved into our RazorEngine templating framework @ http://razorengine.codeplex.com).
The VirtualPathProvider is still a core part of ASP.NET. There appears to be a general confusion about MVC 3's DependencyResolver being a replacement of a VirtualPathProvider but this is not the case, you still require a provider to be able to access content on a virtual path (which incidentally, all paths in ASP.NET are virtual).
Reverting my original answer, you should be able to achieve what you want purely through subclassing the RazorViewEngine and using that to create your views.
Have a look at this topic: http://coderjournal.com/2009/05/creating-your-first-mvc-viewengine/
No, loading a view from the database is not supported by default. You need to write your own VirtualPathProvider.
Note that Ben's blog post does not actually address directly the problem that you are trying to solve. The following blog post looks a lot closer to what you want: http://rebuildall.umbraworks.net/2009/11/17/ASP_NET_MVC_and_virtual_views. Note that it does not matter if you are trying to store razor or aspx views in the database. Virtual path providers in Asp.Net are simply about mapping a path to a stream of bytes that are the contents of the file represented by that path.
I ran into a similar issue implementing a VirtualPathProvider for embedded resource views. The solution was to implement GetFolder as well as GetFile. The view engine doesn't just call GetFile when you request that view. On the first request it looks through the views folder to find all available views. If that call doesn't include your database views in the list, they won't be found when you try to load them.
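A provider that serves views from a store rather than the file system has to answer the folder queries as well as the file ones, as the answer above describes. The class below is an added example, not the poster's code: a dictionary stands in for the database table, and the class name, the sample view path and its body are constructed for the illustration. Stored views are reported alongside whatever the previous (file-based) provider already knows about, so disk views keep working.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.Caching;
using System.Web.Hosting;

// Hypothetical provider (example, not the poster's code): a dictionary stands
// in for the database table the question wants to keep views in.
public class DictionaryViewPathProvider : VirtualPathProvider
{
    // Constructed sample content keyed by app-relative virtual path.
    static readonly Dictionary<string, string> Views =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/Views/Home/About.cshtml",
              "@{ ViewBag.Title = \"About Us\"; }\r\n<h2>About</h2>\r\n<p>Put content here.</p>" }
        };

    static string Normalize(string virtualPath)
    {
        return VirtualPathUtility.ToAppRelative(virtualPath);
    }

    static IEnumerable<KeyValuePair<string, string>> StoredUnder(string virtualDir)
    {
        string prefix = VirtualPathUtility.AppendTrailingSlash(Normalize(virtualDir));
        return Views.Where(kv => kv.Key.StartsWith(prefix, StringComparison.OrdinalIgnoreCase));
    }

    public override bool FileExists(string virtualPath)
    {
        return Views.ContainsKey(Normalize(virtualPath)) || Previous.FileExists(virtualPath);
    }

    public override VirtualFile GetFile(string virtualPath)
    {
        string body;
        return Views.TryGetValue(Normalize(virtualPath), out body)
            ? new StringVirtualFile(virtualPath, body)
            : Previous.GetFile(virtualPath);
    }

    // Folders that exist only in the store must be reported too: the view engine
    // enumerates view folders, and a folder it cannot see yields no views.
    public override bool DirectoryExists(string virtualDir)
    {
        return StoredUnder(virtualDir).Any() || Previous.DirectoryExists(virtualDir);
    }

    public override VirtualDirectory GetDirectory(string virtualDir)
    {
        VirtualDirectory onDisk = Previous.DirectoryExists(virtualDir)
            ? Previous.GetDirectory(virtualDir) : null;
        return new MergedVirtualDirectory(virtualDir, onDisk);
    }

    public override CacheDependency GetCacheDependency(string virtualPath,
        IEnumerable virtualPathDependencies, DateTime utcStart)
    {
        // No file on disk backs a stored view, so there is nothing to watch.
        return Views.ContainsKey(Normalize(virtualPath))
            ? null
            : Previous.GetCacheDependency(virtualPath, virtualPathDependencies, utcStart);
    }

    class StringVirtualFile : VirtualFile
    {
        readonly string body;
        public StringVirtualFile(string virtualPath, string body) : base(virtualPath) { this.body = body; }
        public override Stream Open() { return new MemoryStream(Encoding.UTF8.GetBytes(body)); }
    }

    // Lists on-disk entries (when the folder also exists on disk) plus stored views.
    class MergedVirtualDirectory : VirtualDirectory
    {
        readonly VirtualDirectory onDisk;
        public MergedVirtualDirectory(string virtualPath, VirtualDirectory onDisk)
            : base(virtualPath) { this.onDisk = onDisk; }

        public override IEnumerable Directories
        {
            get { return onDisk == null ? Enumerable.Empty<object>() : onDisk.Directories; }
        }

        public override IEnumerable Files
        {
            get
            {
                var stored = StoredUnder(VirtualPath).Select(kv => (object)new StringVirtualFile(kv.Key, kv.Value));
                return onDisk == null ? stored : onDisk.Files.Cast<object>().Concat(stored);
            }
        }

        public override IEnumerable Children
        {
            get { return Directories.Cast<object>().Concat(Files.Cast<object>()); }
        }
    }
}
```

Register it exactly as in UPDATE 1 above, before areas and routes: HostingEnvironment.RegisterVirtualPathProvider(new DictionaryViewPathProvider());. Keep in mind that anything returned from GetFile is compiled and executed as server-side code by the Razor view engine, so the store it reads from needs the same write-access controls as the Views folder itself.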
Everyone is correct. My post was not how to load Razor as a replacement but as a way to call Razor without using MVC. Now... what you want is most likely related to my post here How to Download Razor View Engine, where I show how to create your own ViewEngine to host a Razor page. It uses the same engine @Matthew Abbott and I use for the RazorEngine - which you can get from CodePlex. Unfortunately it's not complete but it should give you an idea on how to do it. (I'll post it here too)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Hosting;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml.Linq;

namespace RazorViewEngine {
    /// <summary>
    /// ViewEngine for the RazorView. Provides basic file handling to load views.
    /// </summary>
    public class RazorViewEngine : IViewEngine {
        string[] SearchLocations { get; set; }
        Tuple<string, string, RazorView> Cache { get; set; }
        VirtualPathProvider VirtualPathProvider { get; set; }

        public RazorViewEngine() {
            //{1} == Controller name
            //{0} == View name
            SearchLocations = new string[] {
                "~/Views/{1}/{0}.cshtml",
                "~/Views/Shared/{0}.cshtml",
            };
            VirtualPathProvider = HostingEnvironment.VirtualPathProvider;
        }

        #region IViewEngine Members
        public ViewEngineResult FindPartialView(ControllerContext controllerContext, string partialViewName, bool useCache) {
            return CreateView(controllerContext, partialViewName, null, null, useCache);
        }

        public ViewEngineResult FindView(ControllerContext controllerContext, string viewName, string masterName, bool useCache) {
            return CreateView(controllerContext, viewName, masterName, GetLayoutPath(controllerContext), useCache);
        }

        /// <summary>
        /// Meat of the FindView methods.
        /// </summary>
        /// <param name="controllerContext">The current controller context for this request.</param>
        /// <param name="viewName">The requested view name. </param>
        /// <param name="masterName">The master page view name (currently unused)</param>
        /// <param name="layoutPath">The layout path location (Replaces the masterpage in other view engines)</param>
        /// <param name="useCache">Cache the viewpage?</param>
        /// <remarks>The layout path is currently hardcoded to "Layout" and will look in the SearchLocations for that path</remarks>
        /// <returns>Returns a ViewEngineResult with the requested view</returns>
        public ViewEngineResult CreateView(ControllerContext controllerContext, string viewName, string masterName, string layoutPath, bool useCache) {
            //grab the current controller from the route data
            string controllerName = controllerContext.RouteData.GetRequiredString("controller");
            //for proper error handling we need to return a list of locations we attempted to search for the view
            string[] SearchedLocations;
            //get the actual path of the view - returns null if none is found
            string viewPath = GetViewPath(viewName, controllerName, out SearchedLocations);
            if (viewPath != null) {
                RazorView view = new RazorView(this, controllerContext, viewPath, layoutPath);
                return new ViewEngineResult(view, this);
            }
            //we couldn't find the view - return an array of all locations we've looked in
            return new ViewEngineResult(SearchedLocations);
        }

        /// <summary>
        /// Look for the view in the current file system
        /// </summary>
        /// <param name="viewName">The name of the View you're looking for</param>
        /// <param name="controllerName">Current controller name</param>
        /// <param name="SearchedLocations">out a list of locations searched</param>
        /// <returns>A string value of the relative path</returns>
        public string GetViewPath(string viewName, string controllerName, out string[] SearchedLocations) {
            return FindPath(viewName, controllerName, out SearchedLocations);
        }

        /// <summary>
        /// Look for the view in the current file system
        /// </summary>
        /// <param name="viewName">The name of the View you're looking for</param>
        /// <param name="controllerName">Current controller name</param>
        /// <param name="SearchedLocations">out a list of locations searched</param>
        /// <returns>A string value of the relative path</returns>
        public string FindPath(string viewName, string controllerName, out string[] SearchedLocations) {
            SearchedLocations = new string[SearchLocations.Length];
            for (int i = 0; i < SearchLocations.Length; i++) {
                string virtualPath = string.Format(SearchLocations[i], viewName, controllerName);
                SearchedLocations[i] = virtualPath;
                //check the active VirtualPathProvider if the file exists
                if (VirtualPathProvider.FileExists(virtualPath)) {
                    //add it to cache - not currently implemented
                    return VirtualPathProvider.GetFile(virtualPath).VirtualPath;
                }
            }
            return null;
        }

        /// <summary>
        /// Get the layout virtual path
        /// </summary>
        /// <param name="controllerContext">The current Controller context for this request</param>
        /// <returns>A string virtual path</returns>
        public string GetLayoutPath(ControllerContext controllerContext) {
            //This should probably be added to a list of locations - I'm not sure exactly
            //what I need to do with this yet.
            string[] locations;
            return FindPath("Layout", controllerContext.RouteData.GetRequiredString("controller"), out locations);
        }

        /// <summary>
        /// Currently irrelevant
        /// </summary>
        /// <param name="controllerContext">The active controller context</param>
        /// <param name="view">View to release</param>
        public void ReleaseView(ControllerContext controllerContext, IView view) {
            IDisposable disposable = view as IDisposable;
            if (disposable != null) {
                disposable.Dispose();
            }
        }
        #endregion
    }

    /// <summary>
    /// Implements IView and renders a Razor
    /// </summary>
    public class RazorView : IView {
        ControllerContext ControllerContext;
        string ViewPath;
        string LayoutPath;
        RazorViewEngine Engine;

        public RazorView(RazorViewEngine engine, ControllerContext controllerContext, string viewPath, string layoutPath) {
            //load the file
            this.ControllerContext = controllerContext;
            this.ViewPath = viewPath;
            this.LayoutPath = layoutPath;
            this.Engine = engine;
        }

        #region IView Members
        /// <summary>
        /// Converts Razor to html and writes it to the passed in writer
        /// </summary>
        /// <param name="viewContext"></param>
        /// <param name="writer"></param>
        public void Render(ViewContext viewContext, System.IO.TextWriter writer) {
            //View contents
            string contents = new StreamReader(VirtualPathProvider.OpenFile(ViewPath)).ReadToEnd();
            //Layout contents - read but not yet applied; the engine is incomplete here
            string layoutContents = LayoutPath == null
                ? null
                : new StreamReader(VirtualPathProvider.OpenFile(LayoutPath)).ReadToEnd();
            contents = Parse(contents);
            string output;
            output = contents;
            writer.Write(output);
        }

        /// <summary>
        /// Converts Razor to html
        /// </summary>
        /// <param name="Razor">Razor text</param>
        /// <returns>Html formatted Razor text</returns>
        string Parse(string Razor) {
            //Where do I get the model From
            return RazorEngine.Razor.Parse(Razor);
        }
        #endregion
    }
}

ActiveDirectory query performance for not including

I'm curious as to whether the following will negatively impact performance in a significant way...
I have a web form with an input box and grid (it could be any form of application really) that allows the user to search Active Directory for users. I don't want user accounts that have a $ as part of their sAMAccountName, and so I am wondering whether I should have them returned and then filter them out in a loop in the application, or whether they should be excluded in the Active Directory filter like the following:
(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=*$*))(cn=<Insert User Query>))
I guess it's the *$* that I'm concerned will impact performance... any insight would be greatly appreciated!
I would include (!(sAMAccountName=*$*)) in the query for the following reasons:
It is indexed in Active Directory so searches are quick.
In most environments domain controllers aren't hit as hard as web servers and have CPU and RAM to spare.
I'm just guessing but I would think that the extra entries that the domain controllers will have to process and send to the web server would actually make everything take a little longer. You could try it both ways in your environment and measure the difference.
Also, you could take a look at the classes in System.DirectoryServices.Protocols if you're concerned with performance.
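Putting the exclusion in the filter is also the point at which the user's search text enters the query, and that text must be escaped before it is concatenated into the filter, otherwise a typed `*`, `(` or `)` changes what the domain controller is asked for. The following helper is an added example, not the poster's or answerer's code: it builds the filter from the question with the cn value escaped per RFC 4515, and runs it requesting only the attributes the grid needs. The class name and the LDAP path are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Example added here, not the poster's code. Builds the filter from the question
// with the user's text escaped, then runs it with only the needed attributes.
public static class UserSearch
{
    // RFC 4515 escaping: these characters change the meaning of a filter if a
    // user can type them, so they are encoded before the value goes in.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Same shape as the filter in the question. The cn is matched as a prefix
    // (the trailing '*' is added by the code, never taken from the user) and the
    // $-accounts are excluded on the domain controller, not in an application loop.
    public static string BuildFilter(string userQuery)
    {
        return "(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=*$*))(cn="
             + EscapeFilterValue(userQuery) + "*))";
    }

    // ldapPath is a placeholder such as "LDAP://DC=example,DC=com".
    public static List<string> FindUsers(string ldapPath, string userQuery)
    {
        var found = new List<string>();
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, BuildFilter(userQuery)))
        {
            // Ask only for what the grid shows: fewer attributes, less to transfer.
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("displayName");
            searcher.SizeLimit = 200;   // cap what a single query can pull back
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    string account = (string)r.Properties["sAMAccountName"][0];
                    string display = r.Properties["displayName"].Count > 0
                        ? (string)r.Properties["displayName"][0] : "";
                    found.Add(account + "\t" + display);
                }
            }
        }
        return found;
    }
}
```

For a search box input of a*(b), EscapeFilterValue returns a\2a\28b\29, so the filter asks for a cn that literally begins with those characters instead of letting the typed wildcard and parenthesis restructure the query.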
The filter for AD is as follows:
class ExpressionTemplates
{
    /// <summary>
    /// The start with expression. eg: "({0}={1}*)".
    /// </summary>
    public readonly static string StartWithExpression = "({0}={1}*)";

    /// <summary>
    /// The end with expression. eg: "({0}=*{1})".
    /// </summary>
    public readonly static string EndWithExpression = "({0}=*{1})";

    /// <summary>
    /// The has a value expression. eg: "({0}=*)".
    /// </summary>
    public readonly static string HasAValueExpression = "({0}=*)";

    /// <summary>
    /// The has no value expression. eg: "(!{0}=*)".
    /// </summary>
    public readonly static string HasNoValueExpression = "(!{0}=*)";

    /// <summary>
    /// The is expression. eg: "({0}={1})".
    /// </summary>
    public readonly static string IsExpression = "({0}={1})";

    /// <summary>
    /// The is not expression. eg: "(!{0}={1})".
    /// </summary>
    public readonly static string IsNotExpression = "(!{0}={1})";

    /// <summary>
    /// The and expression. eg: "(&{0})".
    /// </summary>
    public readonly static string And = "(&{0})";

    /// <summary>
    /// The or expression. eg: "(|{0})".
    /// </summary>
    public readonly static string Or = "(|{0})";

    /// <summary>
    /// The parenthesis expression. eg: "({0})".
    /// </summary>
    public readonly static string Parenthesis = "({0})";

    /// <summary>
    /// The join expression. eg: "{0}{1}".
    /// </summary>
    public readonly static string Join = "{0}{1}";
}
You can refer to my OSS project, which is based on the ActiveRecord pattern, as follows (because it is open source you can find out how to operate AD with DirectoryEntry; DirectoryEntry supports not only the LDAP protocol but also IIS, WIN and so on, so I developed this lib):
class ComplexFilterUnitTest : BaseUnitTest
{
    [TestCase]
    public void TestComplexFilter()
    {
        IFilter filter =
            new And(
                new IsUser(),
                new Is(OrganizationalUnitAttributeNames.OU, "pangxiaoliangOU"),
                new Or(
                    new StartWith(AttributeNames.CN, "pang"),
                    new And(
                        new EndWith(AttributeNames.CN, "liu"),
                        new Is(PersonAttributeNames.Mail, "mv@live.cn")
                    )
                )
            );
        Assert.AreEqual("(&(objectClass=user)(ou=pangxiaoliangOU)(|(cn=pang*)(&(cn=*liu)(mail=mv@live.cn))))", filter.BuildFilter());
        foreach (var userObject in UserObject.FindAll(this.ADOperator, filter))
        {
            using (userObject)
            {
                Console.WriteLine(userObject.DisplayName);
            }
        }
    }
}
https://landpyactivedirectory.codeplex.com/documentation
You will find it easy to operate AD with it; if you have no interest in it, please ignore my answer.
Any question about AD please contact me :)

Automatically adding .Net code comments

Where can I find a Visual Studio plug-in that automatically generates documentation header for methods and properties?
For example, the comment for a property could look like this:
/// <summary>
/// Gets or sets the value of message
/// </summary>
public static string Message
{
    get
    {
        return message;
    }
    set
    {
        message = value;
    }
}
Ghostdoc from http://www.roland-weigelt.de/ghostdoc/
GhostDoc is the usual suspect.
As another poster mentioned, Visual Studio also does this to an extent by entering 3 '///' (forward slashes) on the line preceding a property/method/class definition.
Visual Studio does this automatically. Just position the cursor directly above the method and enter three '/'s
for example:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

namespace MvcWidgets.Models
{
    /// <summary>
    /// This is a summary comment
    /// </summary>
    public class Comment
    {
        /// <summary>
        ///
        /// </summary>
        /// <param name="name"></param>
        /// <param name="birthdate"></param>
        /// <param name="website"></param>
        /// <returns></returns>
        public int SomeMethod(string name, DateTime birthdate, Uri website)
        {
            return 0;
        }
    }
}
You can then generate an XML comment file and then generate a Help file using SandCastle.
You may have to enable this feature in the Text Editor/C#/Advanced options dialog.
