Using a Generic Method to Encode String Properties In Order To Avoid Cross Site Scripting Attacks

Cross Site Scripting (XSS) attacks are a real problem; don’t make the mistake of thinking they aren’t in widespread use or that you are not vulnerable. During the development of your project you need to explicitly take steps to avoid exposing your site’s visitors to this serious issue. You can use the Microsoft Web Protection Library to reduce the risk of XSS attacks; get it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651

Recently I developed a simple generic method that I can pass objects to, which loops over the properties and automatically HTML encodes any that are strings. This is useful when you use ORM systems such as Linq2Sql or ADO.NET Entity Framework, which generate an object model of your database that often includes properties of type String.

Here is how to call the method:

 

Here is the code:

 
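The following is an added example of the approach described above; it is not the author’s code. HtmlEncodeStrings walks the public, writable string properties of any object and replaces each value with its HTML-encoded form. It uses System.Net.WebUtility.HtmlEncode; the Web Protection Library’s Microsoft.Security.Application.Encoder.HtmlEncode is a drop-in replacement. The Customer class is a made-up stand-in for an ORM-generated entity.

```csharp
using System;
using System.Net;
using System.Reflection;

// Added example, not from the original post.
public static class HtmlEncoder
{
    // Returns the same instance with every public string property HTML encoded.
    public static T HtmlEncodeStrings<T>(T obj) where T : class
    {
        if (obj == null)
            return null;

        // Use the runtime type so properties on derived ORM classes are seen too.
        foreach (PropertyInfo prop in obj.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            // Only plain string properties we can both read and write; skip indexers.
            if (prop.PropertyType != typeof(string) || !prop.CanRead || !prop.CanWrite)
                continue;
            if (prop.GetIndexParameters().Length != 0)
                continue;

            string value = (string)prop.GetValue(obj, null);
            if (value == null)
                continue;

            prop.SetValue(obj, WebUtility.HtmlEncode(value), null);
        }
        return obj;
    }
}

// Hypothetical entity in the shape an ORM would generate.
public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Notes { get; set; }
}

public class Program
{
    public static void Main()
    {
        // Constructed sample: what a stored payload in the database might look like.
        var customer = new Customer
        {
            Id = 42,
            Name = "<script>alert('xss')</script>",
            Notes = "Tom & Jerry"
        };

        HtmlEncoder.HtmlEncodeStrings(customer);

        // Angle brackets, quotes and ampersands are now HTML entities, so the
        // values render as literal text instead of being interpreted as markup.
        Console.WriteLine(customer.Name);
        Console.WriteLine(customer.Notes);
    }
}
```

Two caveats when using this pattern: encode on the way out to the page, never before writing the entity back to the database (otherwise values get double-encoded), and remember that HTML encoding is the right choice only for the HTML body context; values placed in attributes, JavaScript or URLs need the encoder for that context.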

ASP.NET ViewState: Approach with Caution

You already know this: somewhere in the back of your mind your little inner voice keeps telling you that you shouldn’t be putting into ViewState anything that’s even remotely close to looking as if it could ever be sensitive.

Although ViewState provides some built-in mechanisms to prevent tampering and hijacking (via the Machine Authentication Check, known as MAC), and is very useful to developers, the thing to remember is that it is completely readable text, stored in the client’s browser, in the markup of the page.

What do you mean “completely readable”? I mean just that: it’s a Base64 encoded string that is easily decoded into a form readable by humans (or by hacker software). To see for yourself, download and use the ViewState Decoder, available from the awesome guys at Pluralsight (http://www.pluralsight-training.net/community/media/p/51688.aspx).

It’s not uncommon to store custom items in ViewState. While this can be extremely useful, it’s important to remember that this information will be packaged up into the Base64 encoded string (ultimately ending up as the value of a hidden field) and is easily viewable to the world with little effort.

If you don’t need ViewState then turn it off. This is easily accomplished at the control and/or page level, or globally via the Web.config file (a.k.a. ViewStateEnabled = “false”). To learn more about ViewState please visit http://msdn.microsoft.com/en-us/library/ms972976.aspx and pay special attention to the section about ViewStateMAC and Server.Transfer. Also read the KB article, which explains in detail the security hole you open up when disabling the ViewStateMAC security feature (http://support.microsoft.com/default.aspx?scid=kb;EN-US;316920).

An important thing to remember is that ViewState can grow to be extremely large, bloating the page size that must be downloaded to the end user’s computer both on the initial visit to the page and with each postback, resulting in slower site performance and heavier loads on the server and network.
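To make the “completely readable” point concrete, here is an added example (not from the original post) that serialises a value the way an unencrypted ViewState does and then checks whether the plaintext survives in the Base64 hidden-field value. LosFormatter and Pair are the real System.Web.UI types; the account number is a constructed sample value, and ContainsInClear is a helper written for this example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web.UI;

// Added example, not from the original post. Reference System.Web.dll to build it.
public static class ViewStateCheck
{
    // Produce the string a page would emit in __VIEWSTATE for this object,
    // with MAC and encryption off (the default for a bare LosFormatter).
    public static string SerializeLikeViewState(object value)
    {
        var formatter = new LosFormatter();
        var writer = new StringWriter();
        formatter.Serialize(writer, value);
        return writer.ToString();
    }

    // True when the raw bytes of 'secret' are present in the decoded ViewState,
    // i.e. anyone holding the page markup can read the value with no key.
    public static bool ContainsInClear(string viewStateBase64, string secret)
    {
        byte[] raw = Convert.FromBase64String(viewStateBase64);
        string decoded = Encoding.UTF8.GetString(raw);
        return decoded.Contains(secret);
    }

    public static void Main()
    {
        // Constructed sample: the kind of item a developer might wrongly tuck into ViewState.
        const string accountNumber = "4111-1111-1111-1111";
        var stored = new Pair("AccountNumber", accountNumber);

        string hiddenFieldValue = SerializeLikeViewState(stored);

        Console.WriteLine("__VIEWSTATE would contain: " + hiddenFieldValue);
        Console.WriteLine("Account number readable by the client: " + ContainsInClear(hiddenFieldValue, accountNumber));
    }
}
```

Run the same check against the __VIEWSTATE value of a real page from your site: if ContainsInClear returns true for anything sensitive, keep that value server side (Session, database) or turn on ViewState encryption for the page.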

Widely available, simple to use, hacker tools make it easy for you to become a victim, no effort required

Got BeEF? If you have no idea what I’m talking about, or think it’s a Wendy’s commercial, you are in for a big surprise. Go to http://www.bindshell.net/tools/beef/ and you will forever be changed.  Here is the description of what BeEF is, directly from the source:

“BeEF is a browser exploitation framework. This tool will demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers.”

Recently I saw BeEF in action, showing how it can be used with a Cross Site Scripting (XSS) attack to silently turn an unsuspecting user’s browser session into a Zombie that does the hacker’s bidding, all without the victim ever knowing anything.

Imagine someone getting you to commit crimes, steal for them, or whatever else they wanted, all while you thought you were doing something else. It was a serious eye-opener. There are lots of tutorials that show you how to use BeEF: http://www.bindshell.net/tools/beef/tutorials

Now that I have your attention it’s time to start thinking about hacking and how to avoid becoming a victim. Learn about the tools available, the threats that are common, and what you can do to prevent them. Consider taking one of the many courses offered from the SANS Institute, believe me it will be worth it!

You Cannot Stop a Hacker

Securing your applications, network, and everything in between involves implementing staggered levels of security (known as a “Defense in Depth” strategy), each a small deterrent that, when combined, creates a defensive posture that is quite frankly too much of a pain in the ass for the hacker, resulting in the hacker moving on to easier targets.

The key word here is “deterrent”: if a hacker wants in they will eventually accomplish their goal; making it take a thousand years, as opposed to a thousandth of a second, is up to you. Visit the SANS Institute and learn what you’re up against. The threat is real and you will eventually become a victim.

Cloning a Virtual Machine

Most of us have heard of “Virtual Servers” even though we may not really know (or care) what that means. If you do a search on Google or Bing (or whatever search engine you use) you will find lots of results, most of which reference VMware or Virtual PC.

With easy to use, and often free, tools you can create a “virtual” system of servers, workstations, or whatever you want. In this post we will talk specifically about how to clone an existing Virtual Machine so that you can create new VMs with little effort. It is assumed that you have already installed VMware Server and that you have also created a Virtual Machine that you wish to copy. In this example we have installed Windows Server 2003 R2 on a new VM, along with all the security updates, and we want to copy this to avoid having to go through the hours of pain it takes to get a new OS installed and ready to go.

If you have not done so already, go to http://www.vmware.com/products/server/ and download VMware Server. It’s important to note that this is the free Server product they have. They offer a TON of other stuff, but VMware Server is where you want to start. In addition, if you do not have an MSDN account, or legal copies of an operating system that you want to install on your Virtual Machines, then you may qualify for one of the programs offered by Microsoft which will get you access to the software you need.

Need legal OS software?

You’re a Web Developer? Get involved with Website Spark: http://www.microsoft.com/web/websitespark/

You own your own business and develop software as a service to your clients? BizSpark is what you want: http://www.microsoft.com/bizspark/

Are you a student learning software development? DreamSpark is what you want: https://www.dreamspark.com/default.aspx

Once you have the tools and the software, follow the steps to create a new Virtual Machine in VMware. Install the OS and get all the updates installed. Once you are completely finished, follow these instructions to “clone” that Virtual Machine.

Follow these instructions:

 

Step 1:

In the VMware Console select the Virtual Machine you wish to clone. In the Commands section click the link that says “Power Off”.

Using Windows Explorer navigate to the location of your Virtual Machines (often referred to as the “Inventory Location”), in my case this was located on a Share Drive in a folder called Virtual Machines.

Locate the VM you wish to clone, copy the folder and all of its contents into a new folder. Make sure that this is also located within the same folder as your other VMs (a.k.a. it needs to be within the Inventory Location).

Step 2:

Open the VMware console; on the right hand side, under the section labeled Commands, click the link that says “Add Virtual Machine to Inventory”.

Expand the nodes under the inventory column until you find the folder of the copied VM, select the folder, and under the Contents section select the file that has the .vmx extension (you should only see this one file). Click OK.

Step 3:

Look back at the Inventory section of the console; you will notice that the copied VM appears in the list and has the same name as the original. Select the copied VM (the 2nd one in the list; newer appears below older). From the right hand side of the console, under the Commands section, select the link that says “Configure VM”.

The VM Configuration window appears. Confirm that you have selected the correct VM by looking at the Working Directory; it should be the path to the copied files.

In the Virtual Machine Name textbox enter a new name, click the OK button.

Step 4:

If the new Virtual Machine is not running then, under the Commands section, click the link that says “Power On”.

Select the tab labeled “Console” and click anywhere in the console window to open the command window in order to remote into the machine.

We need to change the name of this new machine so that we don’t have duplicates on the network. Enter the same username and password that you used to access the original machine and log into the server. Using Windows Explorer, right click on “My Computer” and select Properties.

Select the “Computer Name” tab, click on the button labeled “Change”, enter a new name for this computer and click the OK button. You will be prompted to restart the computer, click OK.

Step 5:

In the Inventory section of the console select the original Virtual Machine (the one you cloned), under the Commands section select the link that says “Power On”.

Select the Console tab and remote into the server, ensure that all is well.

Congratulations, you have successfully cloned your Virtual Machine.

Error: The message with action XYZ cannot be processed at the receiver due to a contract filter mismatch at the endpoint dispatcher

Say what?! That’s exactly what I said when I first saw this error. It turned out the cause was nothing even close to what the message stated.

The Cause

Here’s the deal: I use the “Publish” feature built into Visual Studio to deploy my projects to our Development server. This feature keeps track of what has changed between your last deployment and the one open in Visual Studio by writing information to an XML file. For the most part this works beautifully, and I’m thankful to the VS team for providing this useful feature.

However, I recently pushed changes out that somehow didn’t make it to the target location (a.k.a. the DLLs that should have been updated weren’t). It just so happened that these DLLs were part of the WCF Services my Silverlight project connects to. When Silverlight made the web service call the old DLLs executed, behaving in a manner different from what my Silverlight project expected. The end result was the Web Service puking out this error.

The Fix

Delete the files from your target prior to Publishing. You can do this by selecting this option in the Publish feature or by manually deleting them. This ensures that the most up-to-date files will be pushed to the target.

Integrated Windows Authentication: Getting FireFox to Play Nice

If you protect your web applications using Integrated Windows Authentication (IWA), typical with company Intranets, FireFox will prompt users to provide their network credentials (i.e. their Username and Password) when they try to access the site.

You can sidestep this by making minor changes to FireFox so that it will negotiate with the web server behind the scenes, effectively performing a “silent login” like Internet Explorer does automatically when accessing IWA protected apps.

 

IMPORTANT: Your IIS node needs to allow fallback to NTLM Authentication for this to work.

Using the Metabase Manager, part of the IIS Resource Toolkit that is available from Microsoft, you should see Negotiate, NTLM under Authentication. If you removed NTLM then this tutorial is a waste of your time.

Step 1:

Open FireFox and in the Address Bar type about:config; you will be prompted with a warning like the following.

[Screenshot: FF-Intranet-Support1]

Step 2:

Click the “I’ll be careful, I promise!” button. In the “Filter” textbox type network.automatic.

[Screenshot: FF-Intranet-Support2]

Step 3:

Select the 2nd option, named network.automatic-ntlm-auth.trusted-uris. Enter the values of your Intranet sites, separated by commas, and click OK.

[Screenshot: FF-Intranet-Support3]

FireFox will then negotiate your login silently, eliminating the need for the Server Login prompt.

Silverlight Navigation Framework: The NavigationContext and QueryString Parameters

In the Silverlight Navigation Framework moving between pages is pretty straightforward; however, you can run into some odd errors that will throw you for a loop if you’re not careful. As with asynchronous development as a whole, timing is everything, and the NavigationContext is no exception.

Following the typical scenario in Silverlight, when we want to navigate to a page and pass some information across the QueryString, we do something like this:

Then in MyPage.xaml we would look at the NavigationContext to see if a QueryString parameter named MyQueryStringParam existed, and if found we would access its value like so:

 

However, a problem will arise if you attempt to access the NavigationContext too early in the page life cycle, resulting in it being NULL at the time you attempt to access it or any of its properties, such as a QueryString parameter.

The solution to this problem is to handle the Loaded event for the Silverlight page by placing a statement like the following in the page constructor:

 

Then from inside the Loaded event handler you access the NavigationContext like the following:

 

This ensures that the NavigationContext object has had time to be initialized, providing access to its properties in order to extract any of the QueryString values that you need.
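The whole pattern described in this post, written out as an added example (this is not the author’s code): a page that subscribes to Loaded in its constructor and reads the QueryString only from the handler, plus a helper that performs the navigation. MyPage, HeaderText, MyQueryStringParam and NavigateToMyPage are names assumed for illustration; HeaderText is a TextBlock expected to exist in MyPage.xaml.

```csharp
using System;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Navigation;

// Added example, not from the original post.
public partial class MyPage : Page
{
    public MyPage()
    {
        InitializeComponent();
        // Do not touch NavigationContext here: the constructor runs before the
        // navigation framework attaches it, so it is still null at this point.
        Loaded += MyPage_Loaded;
    }

    private void MyPage_Loaded(object sender, RoutedEventArgs e)
    {
        // By the time Loaded fires, NavigationContext has been initialised.
        string value;
        if (NavigationContext != null
            && NavigationContext.QueryString.TryGetValue("MyQueryStringParam", out value))
        {
            // Query string values come straight from the URL, so treat them as
            // untrusted input: validate before use. TextBlock.Text renders the
            // value as text, not markup, so it is safe to display as-is.
            HeaderText.Text = value;
        }
        else
        {
            HeaderText.Text = "No parameter supplied";
        }
    }
}

// Called from elsewhere in the application, e.g. a button handler on another page.
public static class Navigation
{
    public static void NavigateToMyPage(NavigationService nav, string paramValue)
    {
        // Escape the value so characters like '&' or '#' cannot break the query string.
        string uri = "/MyPage.xaml?MyQueryStringParam=" + Uri.EscapeDataString(paramValue);
        nav.Navigate(new Uri(uri, UriKind.Relative));
    }
}
```

The null check on NavigationContext inside the handler is belt-and-braces: with the subscription made in the constructor it should always be set by Loaded, but it keeps the page from throwing if the page is ever instantiated outside the navigation framework (for example in a designer or unit test).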

Where Do Good Ideas Come From: Just Ask Steven Johnson

We all have good ideas, at least we would like to think so. But have you ever really thought about “how” you get a good idea? I mean really, really thought about it?

Maybe “good” ideas are cultivated over time as each of our unique experiences, both past and present, come together in a connected manner to bring meaning to things we care about and are interested in.

In this intriguing and insightful talk, given by Steven Johnson at TED 2010 in England, this exact question is raised. It’s well worth the 18 minutes of your life you will spend watching his talk.

Silverlight Error: Element is already the child of another element

Often we have objects that we manipulate in code and need to add to or remove from the visual surface of a Silverlight interface. One issue that may arise is the dreaded “Element is already the child of another element” error. In Silverlight you cannot add the same object to more than one parent container (or add the same object multiple times to the same parent, a.k.a. duplicate the control).

To check and see if your object currently has a parent you can use the

If this comparison yields NULL then you know you can safely add the object to an element on the page (like adding it as a Child to a <Grid> via the .Children.Add(<child object goes here>) call). Hope this helps.
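As an added example (not the author’s code), here is a helper that performs the parent check described above and, if the element already has a parent, detaches it before adding it to the new container, so the “already the child of another element” error cannot occur. ElementHelper, HasParent and MoveTo are names chosen for this example; FrameworkElement.Parent, Panel.Children and Border.Child are the real Silverlight members.

```csharp
using System.Windows;
using System.Windows.Controls;

// Added example, not from the original post.
public static class ElementHelper
{
    // The check from the post: does this element currently belong to a parent?
    public static bool HasParent(UIElement element)
    {
        var fe = element as FrameworkElement;
        return fe != null && fe.Parent != null;
    }

    // Move 'element' into 'target', detaching it from its current parent first.
    public static void MoveTo(Panel target, UIElement element)
    {
        var fe = element as FrameworkElement;
        DependencyObject parent = fe != null ? fe.Parent : null;

        // Already in the target panel: adding it again would be a duplicate child.
        if (parent == target)
            return;

        // Detach from the common container types. Other parents (e.g. a
        // ContentControl) would need their own branch here.
        var panel = parent as Panel;
        var border = parent as Border;
        if (panel != null)
            panel.Children.Remove(element);
        else if (border != null)
            border.Child = null;

        target.Children.Add(element);
    }
}

// Usage, for example from a page's code-behind where LayoutRoot is a Grid
// and statusText is a TextBlock created in code:
//   if (!ElementHelper.HasParent(statusText)) LayoutRoot.Children.Add(statusText);
//   ElementHelper.MoveTo(LayoutRoot, statusText);   // works whether or not it has a parent
```

If the element's parent is some other container type, add a branch for it rather than calling Children.Add regardless; Silverlight will throw the same error whenever the old parent still holds a reference.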