Wrox Programmer Forums
BOOK: Professional ASP.NET 3.5 : in C# and VB ISBN: 978-0-470-18757-9
This is the forum to discuss the Wrox book Professional ASP.NET 3.5: In C# and VB by Bill Evjen, Scott Hanselman, Devin Rader; ISBN: 9780470187579

You are currently viewing the BOOK: Professional ASP.NET 3.5 : in C# and VB ISBN: 978-0-470-18757-9 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old September 5th, 2010, 01:35 PM
Registered User
 
Join Date: Sep 2010
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
General Website Security in ASP.net 3.5 logon forms

Hi Kind contributors to this forum,

Just wondering how secure the website is that I have written. I mean I have written code for a logon form and it prevents access to a section of the site, as it should. But I was wondering how else I should test the site. What I have done so far is tried to access the site directly with the URL, then tried with the wrong password, and it does not work, as it shouldn't. Are there any other ways to test site security that I do not know about? I am about to go live with a similar site.
 
Old February 4th, 2011, 08:12 AM
Authorized User
 
Join Date: Jan 2010
Posts: 31
Thanks: 5
Thanked 2 Times in 2 Posts

Hi Emmanuel,

Are you using code from the Book Professional ASP.NET 3.5: In C# and VB or is it your own code?

If it's the book, can you please indicate the chapter and page so the guys can help you?

If it's your own code, please post it so we have more info, as you haven't provided enough to get a meaningful answer. If it isn't related to the book, it should go in the general discussion forum.
 
Old February 4th, 2011, 03:27 PM
Registered User
 
Join Date: Sep 2010
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
General question about login security

Dear Adam,

I haven't looked at it for a while, but it was an altered version of a login control in Wrox Beginning ASP.net 3.5 in C# and VB, taken from page 520 to page 554. My question is a general one about security, but since then I have found out about some basic things like SQL injection attacks, and there are internet resources on how to protect against them. I would ideally like to find out about all the types of attacks that can happen to an asp.net login control and how I can protect against them, though this may be a tall order, kind sir.
 
Old February 4th, 2011, 03:27 PM
Registered User
 
Join Date: Sep 2010
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
General question about login security

Dear Adam,

I haven't looked at it for a while, but it was an altered version of a login control in Wrox Beginning ASP.net 3.5 in C# and VB, taken from page 520 to page 554. My question is a general one about security, but since then I have found out about some basic things like SQL injection attacks, and there are internet resources on how to protect against them. I would ideally like to find out about all the types of attacks that can happen to an asp.net login control and how I can protect against them, though this may be a tall order, kind sir. I was using C#.
 
Old February 5th, 2011, 07:11 AM
Authorized User
 
Join Date: Jan 2010
Posts: 31
Thanks: 5
Thanked 2 Times in 2 Posts

Most of the security issues with sql injection were with classic asp. With asp.net, there are more built-in protections against attacks. For example, variables are strongly typed, so an integer variable cannot accept a decimal or text, and data sent to the sql server has to match the data type of the variable sending it.
Also, the use of special folders such as app_data with special built-in permissions - only visible to the asp.net process.
The use of login controls is something I believe improves security over having to code them yourself. They have been designed and bug tested very intensively. If you build the code yourself, you have to be a very good programmer to make anything as robust as the built in .net classes.

web.config should have
customerrors="true" so if a hacker breaks a page, he won't see the exact error message and therefore be able to see variable names etc.
And I use Imar's sendmailonerror code, so I can see if a page is breaking - it could indicate an attack and therefore a vulnerability I can try to fix.
Some people advocate wrapping code that takes user input in try ... catch statements.

But others say only to use it during development as it has a performance hit.

Last edited by AdamPembs; February 5th, 2011 at 07:16 AM..
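
As an added example (not from the thread, the book, or Wrox's code): the SQL injection and try/catch points above in C#, showing input concatenated into SQL text beside the same lookup bound as a typed SqlParameter, with database errors logged on the server instead of shown to the visitor. The Users table, its columns and all method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
// Added example. The Users table, column names and method names are hypothetical.
static class LoginQueries
{
    // Unsafe: input is spliced into the SQL text, so a quote in it changes the statement.
    public static string ConcatenatedSql(string userName)
    {
        return "SELECT PasswordHash FROM Users WHERE UserName = '" + userName + "'";
    }

    // Safer: constant SQL text; the input travels separately as a typed,
    // length-limited parameter and is never parsed as SQL.
    public static SqlCommand ParameterizedCommand(string userName)
    {
        SqlCommand cmd = new SqlCommand("SELECT PasswordHash FROM Users WHERE UserName = @UserName");
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
        return cmd;
    }

    // Runs the lookup; database errors are logged server-side and the caller only sees null.
    public static string FetchPasswordHash(string connectionString, string userName)
    {
        try
        {
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = ParameterizedCommand(userName))
            {
                cmd.Connection = conn;
                conn.Open();
                return cmd.ExecuteScalar() as string; // null when no row matches
            }
        }
        catch (SqlException ex)
        {
            Trace.TraceError("Login lookup failed: {0}", ex);
            return null;
        }
    }

    static void Main()
    {
        string input = "o'brien"; // constructed sample input containing a quote
        Console.WriteLine(ConcatenatedSql(input));                  // quote ends the literal early
        Console.WriteLine(ParameterizedCommand(input).CommandText); // SQL text is unchanged
    }
}
```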
 
Old February 6th, 2011, 07:46 PM
Registered User
 
Join Date: Sep 2010
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Thank you for clearing that up

Hi Adam,
I will need to do some research to see exactly how what you have said applies to my project. It is essentially the same as the code in the book. I will have to try and find out about exceptions and how they apply to my code. I don't remember Imar's code, which is sendmailonerror, appearing in the book. Thanks for the kind reply, but one more question. I only know of penetration testing, and I wondered if the code in all the book concerning security had been penetration tested. Kind sir, are you a member of the design team from Wrox?
 
Old February 7th, 2011, 05:09 AM
Authorized User
 
Join Date: Jan 2010
Posts: 31
Thanks: 5
Thanked 2 Times in 2 Posts

Quote:
Originally Posted by EmmanuelEgobu
Hi Adam,
Kind sir, are you a member of the design team from Wrox?

No, I'm a relative beginner too and my only connection with Wrox is that I own 3 books by them. I completed the beginning asp.net 3.5 book and have been working as a developer for 2-3 years using classic asp and about a year doing asp.net. I used to work for a company that was attacked quite heavily, although it was more denial of service than sql injection. We used to get a lot of mailforms that were used to relay spam, and this led to some of our customers' domains getting blacklisted. I believe one of the key features of asp.net is that data from external sources can't be posted back to the application so this rules out this type of attack, which was a problem for classic asp.
 
Old February 8th, 2011, 10:12 AM
Registered User
 
Join Date: Sep 2010
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Hacking Blues

I have a book on hacking which I will have to use before deploying any secure data. But thanks for the insight into some of the other strategies others can use; maybe we can share knowledge on Wrox. My website was for a church, and some of the people have reached senior positions in the army and navy and were concerned about having an online contact management database with their names in it.
I intend to steer clear of logins and forms for confidential data until I have a reasonable degree of potential attack knowledge. Please, if you get the time, could you direct me to any resources on the internet on hacking in asp.net and how to protect against it?

From my knowledge of the Network+ and Server+, I believe turning off ICMP broadcasts (or IP address broadcasts) could prevent someone from pinging an IP address and launching an attack based on it as a source address.

Thanks for your time.
 
Old February 8th, 2011, 05:57 PM
Registered User
 
Join Date: Sep 2010
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts
Sitelock

Hello Contributor,

Just wondering if you tried a solution like www.sitelock.com on your website to avoid the attacks and still had issues, or am I missing something?
 
Old February 8th, 2011, 06:28 PM
Registered User
 
Join Date: Sep 2010
Posts: 7
Thanks: 0
Thanked 0 Times in 0 Posts

Finally,

The url of sitelock with the anti spoof ip address spam source is http://www.sitelock.com/products.php
Though I can't see how to add you as a friend on this forum anymore.





Copyright (c) 2020 John Wiley & Sons, Inc.