All Questions

475 questions with no upvoted or accepted answers
7 votes, 0 answers, 1k views

Azure Web app vulnerable to HTTP Slow Post attack

We have a web app that is being hosted on Azure and have run Qualys security scans against it that tell us that it is vulnerable to an HTTP Slow Post attack. The analysis from Qualys tells us that it ...
7 votes, 1 answer, 4k views

Microsoft EDGE - Security certificate required to access this resource is invalid

We are getting following error in Microsoft EDGE in our Dev environment when we run our ASP.NET Application Hosted in IIS 8 in Windows 2012 R2 Server. Error: XMLHttpRequest: Network Error 0x800c0019, ...
7 votes, 0 answers, 1k views

Asp.Net webresource.axd open redirection security flaw?

Running WebResource.axd through Burp Suite's active scan gave indication of a possible open redirection flaw in the function WebForm_DoCallback. This function does a POST based upon a generated URL. ...
6 votes, 1 answer, 1k views

Code Access Security - Understanding why SecurityTransparent can call SecurityCritical

I am researching Code Access Security. It's taking some effort to get my head around, so I thought that I would finally make some use of Reflector and start investigating how .NET 4.0 uses security ...
5 votes, 0 answers, 1k views

Upgrading Microsoft.CodeDom.Providers.DotNetCompilerPlatform to version 2.0.1 causes CVE-2017-0248 to be reported by WhiteSource Bolt

I added WhiteSource Bolt to my Azure DevOps pipeline and noticed that it was reporting CVE-2017-0247, CVE-2017-0248, CVE-2017-0249 vulnerabilities after I upgraded the Microsoft.CodeDom.Providers....
5 votes, 1 answer, 1k views

Change error message for password policy validation in System.Web.Security.MembershipProvider (EPiServer)

Here is my case. I am using EPiServer 9 and I have configured a SqlServerMembershipProvider as follows: <add name="SqlServerMembershipProvider" type="System.Web.Providers....
4 votes, 1 answer, 432 views

Working with Secure implementation of web api

I am new to Web-Api, Cloud etc. I have some requirements for my project, but as lots of resources are available over the internet, I am not able to decide which way I should go. Requirements: The user ...
4 votes, 1 answer, 862 views

Is it OK to keep OAuth access token in user's cookie?

I think that it's ok, but I thought I would see what others think. Specifically, the token string would be part of the userdata string of an asp.net FormsAuthentication ticket, and therefore would ...
3 votes, 0 answers, 655 views

SameSite=None and secure cookies are still blocked by Chrome in incognito, any solution (clean or workaround)?

We are facing an issue related to the samesite=none cookie being ignored by Chrome in incognito mode. Details: We are trying to open an asp.net webform application inside an iframe from another of our ...
3 votes, 0 answers, 152 views

asp.net mvc/web api replay attack remediation

I'm trying to do remediation for asp.net mvc/web api auth cookie replay attack. We have a web farm so storing token/state in session doesn't work for me. I know I can go ahead and store tokens/flag ...
3 votes, 3 answers, 410 views

Why injecting javascript code is a bad idea

I have a web project which is developed in asp.net. In my web project, I have a page called MainPage. In MainPage, according to the query string, the last user can see a survey edit form (www.a.com?...
3 votes, 0 answers, 1k views

Access SSRS 2016 ReportViewer (URL Access) Securely without Username/Pwd Prompt

I've searched the better part of 2 days for an answer (here and elsewhere on the net) and I am thoroughly stumped. In brief: I have an app with an IFrame that I want to have render certain reports ...
3 votes, 0 answers, 57 views

Web server connection closes before completing the execution in javascript

I have 3 servers: one web server, one application server and one database server. The web server contacts the application server and the application server contacts the database server. The ...
3 votes, 0 answers, 136 views

Securing settings in ASP.NET 5

I am working with ASP.NET 5 in an effort to get some web apps ready to port when it goes mainstream. One of the things I haven't been able to find yet is a way to secure configuration settings. In ...
3 votes, 0 answers, 3k views

Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration

I recently migrated a web forms solution from Windows authentication to forms authentication. Everything works fine on the dev server, but when I get it to production, as soon as I make an HTTP POST I get ...
3 votes, 0 answers, 720 views

Setting Thread.CurrentPrincipal in MVC Application so that it can be used in service layer

I am confused as to whether or not it is safe to set Thread.CurrentPrincipal equal to the signed-in user in an MVC application, i.e. so that I can perform authorization checks in my service layer? ...
3 votes, 0 answers, 290 views

Block IP addresses after concurrent attempts on specific API calls

I recently had penetration testing performed on my website and as a result of that there is a certain API call which I would like to implement an IP based form of throttling on to prevent abuse. What ...
3 votes, 0 answers, 886 views

How to implement IUserTokenProvider to generate token with userId inside?

I need to know the userId from a token which was sent to the user in an HTTP request header. I need to know the userId before validating the token, because the token was encrypted by the default Microsoft.AspNet.Identity....
3 votes, 1 answer, 604 views

Session hijacking counter measures in ASP.NET

I want to implement measures to prevent/mitigate session hijacking. Thus, I want to know the options, either from built-in ASP.NET or custom components. Please note that session hijacking refers to ...
3 votes, 2 answers, 366 views

Is XSS possible through the MailAddress class?

Considering I parse user input, which is supposed to be an email address, into the MailAddress class: var mailString = Request.QueryString["mail"]; var mail = new MailAddress(mailString); Is there ...
3 votes, 2 answers, 2k views

How to switch between Http and Https in asp.net

I want to apply SSL security on a few pages of my website. Do you have any idea for it? Can you tell me how I can switch between Http and Https? Actually the matter is I have a big web application and I ...
3 votes, 1 answer, 1k views

How to force showing login window with Windows integrated authentication

I have a Silverlight application configured with Windows integrated security. I would like to emulate the "Sign in as different user" functionality. I would like to give the user the option to ...
3 votes, 1 answer, 3k views

Extend Membership API, MembershipUser

I created my own database schema to store user information. CREATE TABLE [dbo].[MyCustomMembership_Users]( [UserId] [uniqueidentifier] NOT NULL, [UserName] [nvarchar](256) NOT NULL, [LoweredUserName] ...
2 votes, 0 answers, 90 views

Azure HSTS security on ports 454 and 455

I'm working with a client on their Azure instance to get them PCI compliant. Scans from BeyondSecurity.com continue to come back with HSTS Missing From HTTPS Server [site.com:454] HSTS Missing From ...
2 votes, 2 answers, 684 views

How to prevent XML injection

I got a vulnerability report. XML is injected in the URL "XInclude". I'm trying to find a validation to prevent the XML to be executed. My web application is built using Visual Studio C# ...
2 votes, 1 answer, 357 views

How do I store sensitive data (such as database passwords) in an Oracle Database

Basically I'm building a WebApp (ASP.NET MVC5) working with Oracle Database. The application connects to multiple Oracle databases and an admin should be able to dynamically add new database ...
2 votes, 1 answer, 483 views

Request validation in ASP.Net Core API

According to this question, Request Validation does not exist in dotnet core. If I understand this question correctly, I need to implement a custom method to validate each single string in all ...
2 votes, 1 answer, 230 views

Gracefully handling potentially dangerous Request.Form values in Umbraco CMS

I am close to launching my first Umbraco site, but am just running through the last-minute testing. I tried being a 'hacker' and entering dangerous stuff in my search form and contact form, which ...
2 votes, 0 answers, 668 views

Restrict user to one device (logout other devices)

I'm trying to work out how to prevent users from using my webapp from different devices at the same time. I would like to log out any older sessions when a user logs in again. However, I do not wish to ...
2 votes, 0 answers, 2k views

How to slow down too many requests in web api instead of returning 429?

We have an API that is an interface to a huge database. We sell the access to it as a service, and our clients are then able to get the data. However, one of our goals is to deny any bot that ...
2 votes, 0 answers, 291 views

How to pass the UsernameToken in header of SOAP Webservice with prefix asp.net?

Here is my Security XML that I need to pass in the header. NOTE: I got this XML from SoapUI. <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/...
2 votes, 0 answers, 216 views

Microsoft Asp.net Identity security

I am developing a WebApp based on ASP.NET MVC with login authentication. I use ASP.NET Identity for authentication: standard controllers (from the template) such as Login with SignInManager and so on. Is ...
2 votes, 0 answers, 173 views

How to prevent a textbox from executing script?

In my application I have a search textbox which uses two-way binding (ng-model). As soon as I append the following script as a search keyword, it starts executing it: I see an alert message pop up. If ...
2 votes, 0 answers, 153 views

Getting error on server while sending email with ASP.NET

I have hosted a website, zedsteels.com, and on a subdomain I have set up an admin login, admin.zedsteels.com. Under that I have a page http://admin.zedsteels.com/ForgotPassword.aspx in which, on ...
2 votes, 0 answers, 1k views

ASP.NET site, format string attack on dropdownlist

I'm using the OWASP ZAP software to test a simple asp.net site for vulnerabilities. I'm getting a medium alert of the Format String Attack type that I don't understand well. In detail, I'm getting these ...
2 votes, 0 answers, 573 views

ASP.NET Trust Level other than Full

Background: My company hired a security firm to assess our website. One of their recommendations was to run the site under minimal trust. I believe this will be too restrictive, but I would like to ...
2 votes, 0 answers, 1k views

Securing the ASP.NET_SessionId cookie

Unfortunately our application still has to run on HTTP along with HTTPS. I'm trying to secure just the .net session cookie for requests over HTTPS, but it seems to ignore the secure flag. if (...
2 votes, 0 answers, 899 views

OWin cookie / wsfederation expires time / sliding expiration ignored

I have a Startup.cs class configured like this: app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieHttpOnly = true, SlidingExpiration = true, CookieSecure = ...
2 votes, 1 answer, 2k views

Configure AntiForgeryToken single use MVC asp.net

I want to modify the AntiForgeryToken for each request. I read these posts: Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification? ASP.NET MVC Anti ...
2 votes, 0 answers, 440 views

Security risk with HTML email template using Razor

The client's current application has an email functionality that sends out emails using a predefined HTML template. The application performs a Replace on certain identified metadata elements like ...
2 votes, 0 answers, 876 views

How can I block read access to pdf files in an asp.net website?

I have an asp.net website, using .Net 4.0, and IIS 7.5, and using Classic Pipeline Mode in the Application Pool. I'm using forms authentication, and the authorization setting in the web.config at the ...
2 votes, 0 answers, 429 views

How to get or create a Token

I am trying a token tutorial with web-api and I'm a little confused. I can't figure out how to get my token; according to the tutorial the token comes from an endpoint of the Web API, but I don't understand what ...
2 votes, 0 answers, 96 views

Adding Farsi characters to AntiXSS library

I'm using the AntiXSS as the default engine for my Asp.Net MVC website. The problem is, it encodes Farsi characters like "راهنما". I'm not an expert in security but I think these characters are fine ...
2 votes, 1 answer, 135 views

Adding IP security for many locations

How to add multiple rules for multiple locations? I have an MVC application. I added the following section in Web.Config: <system.webServer> <security> <ipSecurity ...
2 votes, 0 answers, 351 views

Verifying Client-Signed X509 Request in Web API without installing to Store

We have Web API 2 application exposed to outside vendors for various integrations. We're adding a new one with DocuSign through their Connect service and they will be signing their requests with their ...
2 votes, 0 answers, 1k views

ASP.Net WebApi Two step authentication

One-step authentication is easy, by either using the Authorize attribute or any custom authorize attribute. But can anyone suggest any way to implement a two-step authentication in asp.net web API ...
2 votes, 0 answers, 208 views

Swap to ASP.NET membership provider from Simple membership provider?

We have an existing system written in MVC4 that uses the SimpleMembershipProvider. It was initialised using the WebSecurity.InitializeDatabaseConnection() method. We have a need to integrate "Yet ...
2 votes, 1 answer, 208 views

IIS 7 permissions issue when trying to isolate my web application

I'm trying to set up permissions for my web application running on IIS 7 so that other web applications do not have any access to it. I first set it up to run under my own application pool that I ...
2 votes, 1 answer, 254 views

MVC 4 Web Api Security from C.S.R.F. Attacks

I am using asp.net mvc4 web api. I am using Forms Authentication for security. I have ASP form pages (.aspx) at the client side. Is there any way to implement Antiforgery in this scenario? Please describe i ...
2 votes, 0 answers, 130 views

Statistical Attack on website

Backdrop (a bit of a read): We created a shortened URL redirector (using asp.net URL Routing with a catch-all for 404 to do routing) in which bar codes are scanned from devices and then redirected to ...