ASP.NET

Writing Secure ASP.NET applications

Raúl Alarcón García-Cuevas — Wed, 06 Jul 2005 09:54:00 GMT

I just have read a post from Anil John blog who referees to four articles from Msdn Patterns and Practices about techniques to avoid common attacks to web applications:

How To-Protect from Injection Attacks in ASPNET

How To-Use Regular Expressions to Constrain Input in ASP.NET

How To-Protect from SQL Injection in ASP.NET

How To-Prevent Cross-Site Scripting in ASP.NET

Very interesting information for every body who deals with .NET web application development.

.NET Exception Handling

Raúl Alarcón García-Cuevas — Wed, 23 Feb 2005 10:14:00 GMT

Here is an article, from "The Code Project" factory, about best practices for exception handling in .NET. The article covers all aspects about this matter, sometimes risky when we are writing code. Everybody knows that exception handling is one of the mechanism provided by high level languages with which coders must deal daily, in my opinion, only the forty percent of the wrote code is related with the logic of the problem, the other sixty percent is wrote to control errors and exceptions, this is the importance of exception handling!.

Enjoy the article!

ASP.NET Error: The server tag is not well formed

Raúl Alarcón García-Cuevas — Thu, 28 Oct 2004 15:21:00 GMT

This is the error that I get if try to view an aspx page with any server control that uses the DataBinder.Eval function, like the following

<asp:Button id=but Text="Button" runat="server" CommandArgument="<%# DataBinder.Eval(Container.DataItem, ("ColIndex")) %>"> </asp:Button>

The problem is that the ASP.NET parser does not allows nested double quotes. The solution is very easy, use single quotes for the HTML property instead of double quotes:

<asp:Button id=but Text="Button" runat="server" CommandArgument='<%# DataBinder.Eval(Container.DataItem, ("ColIndex")) %>'></asp:Button>

The most probably is the problem raises before you are trying to view the page in the browser, when you want to switch between the HTML view and the Design view in the Visual Studio editor, the development environment show a message with the following text:

---------------------------
Microsoft Development Environment
---------------------------
Could not open in Design view. Quote values differently inside a '<% ..."value"... %>' block.
---------------------------

I think that the message doesn't help you too much to identify the problem...

Hiding secrets in ASP.NET

Raúl Alarcón García-Cuevas — Tue, 18 May 2004 15:01:00 GMT

Sometimes, we need store sensible information, such connections strings or the identity to impersonate our ASP.NET application, in the web.config file. Well, it could be a best practice encrypt this information to keep aware from possible security risks. In this way, you may think that there are no problem if you store sensible information in the web.config file because of the IIS never serves this kind of pages... well, remember what happened with the "Global.asa" file and IIS 4.0, because of security hole an experimented user was able to get the Globa.asp file and, by the way, all the information stored inside (normally connection strings with user and password information, file locations...).

To make easy the hard task of encrypting info, here is a "How to:" article that show us how to protect the sensible information stored in the web.config file in a simple way: http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

The best: the capability of encrypt the identify information in the web.config. Think that this information is managed only by the framework, the developers can't interact with (to decrypt) when the framework reads this information.

The worst: this encryption mechanism relies on DPAPI, this means that the keys used to encrypt / decrypt data are stored in a safe place and are based in the Hardward configuration of the local machine... the information encrypted in, by example, develop machine, can't be decrypted in the production machine. This could be an problem at the deployment time, specially if in our production environment we have a farm of front-end servers, we must configure the web.config file for each server at the deployment time.