Everyday Learning

Issue description: Asp.net Server error [Unable to redirect to custom error page] when three dots (…) placed after directory name in url, Custom error page will not work if below attribute is set to false. www.yourwebsite.com\somefolder\ ... By default in asp.net  application will be configured relaxedUrlToFileSystemMapping = " false, which means each http request will be validated by ‘Server OS file path validation component’. So when we pass (.) or (..) in URL first it will be validated by this component then the valid request will be passed to IIS. By setting relaxedUrlToFileSystemMapping = " true " it will bypass the ‘Server OS file path validation’, so all the http request will directly reach to IIS. Same scenario has been explained in below figure. Mitigation:                              ...

Asp.Net CSRF  Step 1: Add this code in master page, if there is no master page than add it in page. //This is code is to generate the random token protected void Page_Init(Object sender, EventArgs e)         {             if (!IsPostBack)             {                 var pageName = Path.GetFileName(HttpContext.Current.Request.Url.AbsolutePath);                 var pageToken = pageName + "_ID";                 RandomNumberGenerator rng = new RNGCryptoServiceProvider();                 var tokenData = new byte[32];                 rng.GetBytes(tokenData);                 var token = Convert.ToBase64String(tokenData);           ...

Add below script to master page and replace Logon with your login page. <script type="text/javascript"> var LoginPageName = "Logon"; var AttachClearSessionEvent = true; var IsFormSubmit = false; $(window).submit(function () { AttachClearSessionEvent = false; IsFormSubmit = true; window.onbeforeunload = null; }); $(document).ready(function () {var myEvent = window.attachEvent || window.addEventListener;var chkevent = window.attachEvent ? 'onbeforeunload' : 'beforeunload'; /// make IE7, IE8 compitable myEvent(chkevent, function (e) { // For >=IE7, Chrome, Firefox try {if (AttachClearSessionEvent) {var caller = '(document).ready';var urlToDisposeSession = LoginPageName; $.ajax({cache: false,type: "POST",url: urlToDisposeSession,data: JSON.stringify({ RandomString: caller }),contentType: "application/json; charset=utf-8",dataType: "json",async: false,success: function (msg) {}});} }catch (ex) { }...

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it. Ref: https://www.owasp.org/index.php/Session_fixation Session Fixation Protection The idea is that, since ASP prohibits write access to the ASPSESSIONIDxxxxx cookie, and will not allow us to change it in any way, we have to use an additional cookie that we do have control over to...

Sensitive Server Data Info Leakage

http://www.pdfescape.com PDFescape is a free, online PDF reader, editor, form filler, & form designer. Free PDF Reader Free PDF Editor Free PDF Form Filler Free PDF Form Designer Free Webmaster Tools No Downloads No Watermarks A new way to open and edit PDF files online, PDFescape frees users from the typical software requirements for using the de facto document file format. Completely online, PDFescape requires no more than a modern internet browser and an active internet connection. Select any of the major features above to learn more.

Retrieve inserted row ID in SQL EmpTable: Column | Type --------|-------------------------------- ID | * Auto-incrementing primary key EmpName | Age | Query Sample: insert into Emp (Emp Name , Age ) values ( 'John' , 22 ) SELECT SCOPE_IDENTITY ();

Generate Unique ID in C#.Net and SqlServer. To Generate UniqueID in C#.Net: Guid.NewGuid() method will be useful to Achieve the task, It generates 36 character UniqueID. Example: Guid  guid =  Guid .NewGuid(); string  StrID = guid.ToString(); To Generate UniqueID in Sql Server 2008: newid() in build function will be useful to Achieve the task, It genrates 36 character UniqueID. Example: select newid() as UniqueID

SQL SERVER – Delete Duplicate Records DELETE FROM  Demo  WHERE  ID  NOT  IN  ( SELECT MAX ( ID )  FROM  Demo  GROUP BY  ColumnA ,  ColumnB )  The table must have identity column, which will be used to identify the duplicate records. Table in example is has ID as Identity Column and Columns which have duplicate data are ColumnA, CoumnB