Web applications are at great risk because most of them are reachable by anyone with internet access, and they are often compromised by script exploits.
Most script exploits require the application to accept malicious input and inject it into a page where it is executed on the server or in the client's browser. The potential damage from such an exploit depends on the script being executed (taking over a system, installing malware, deleting data...).
The primary defense against script exploits is to never trust information obtained from users. This applies to data coming in from users and to data going back out to them (data written to and data pulled from the database).
There are many things a developer can do to protect an application against script exploits. Data input by users should always be validated. Form elements should be HTML-encoded. Dynamic SQL may be flexible, but it can compromise your data: prefer parameterized queries over SQL statements built by string concatenation.
In this simple example:
"Select * From Customers where LastName = '" & txtLastName.Value & "'"
A malicious user who knows something about databases could turn that SQL statement into:
Select * From Customers Where LastName = 'a'; Delete From Customers Where LastName > ''
And when it gets executed, the database is compromised.
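As an added example that is not part of the original post, here is the same lookup written as a parameterized SqlCommand in VB.NET; the connection string, the Customers column names and the module name are assumptions. Whatever the user types, including the 'a'; Delete ... payload above, is bound to @LastName as a literal value and is never parsed as SQL.

```vb
Imports System.Data
Imports System.Data.SqlClient

Public Module CustomerLookup

    ' Added example: the concatenated query from the post rewritten as a
    ' parameterized query. The user's input is bound to @LastName as data,
    ' so a value such as
    '   a'; Delete From Customers Where LastName > '
    ' is compared as a literal last name and never executed as SQL.
    ' The connection string and column names are placeholders.
    Public Function GetCustomersByLastName(ByVal connectionString As String, _
                                           ByVal lastName As String) As DataTable
        ' Validate input before it reaches the database: reject empty or
        ' oversized values instead of passing them through.
        If lastName Is Nothing OrElse lastName.Trim().Length = 0 OrElse lastName.Length > 50 Then
            Throw New ArgumentException("Last name must be 1 to 50 characters.", "lastName")
        End If

        Dim results As New DataTable()
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand( _
                "SELECT CustomerID, LastName, FirstName FROM Customers WHERE LastName = @LastName", conn)
                ' Typed parameter with an explicit length; no string concatenation.
                cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName.Trim()
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    results.Load(reader)
                End Using
            End Using
        End Using
        Return results
    End Function

End Module
```

From a page, call it as GetCustomersByLastName(connStr, txtLastName.Text) and bind the returned DataTable to a grid.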
It is very important to understand how users and their data interact with your application. That way you can better protect your data, application and users from script exploits.
For more information on how to protect your web application see Basic Security Practices for Web Applications.
Monday, August 13, 2007
How To Set Access Key For ASP.net Web Server Controls
An access key combination lets users press the ALT key plus another key to move focus to a specific control.
Some controls, such as TextBox and ListBox, have an AccessKey property where you can set this. As an alternative, you can set an access key on a Label control and tell the browser to associate it with another control. With this approach, you can use the Label control as a caption that indicates the access key with an underlined letter.
To set the access key using a Label control you must:
1. Add the control to be associated
2. Add a Label control
3. Set the access key
4. Associate the control to receive focus
Here's an example:
<asp:Label ID="lblLastName" runat="server"
AccessKey="L"
AssociatedControlID="txtLastName"
Text="<u>L</u>ast name: ">
</asp:Label>
<asp:TextBox ID="txtLastName" runat="server"></asp:TextBox>
Note that setting focus by using an access key from a Label control requires that client scripting is enabled in the browser.
Download File with Visual Basic
My.Computer.Network provides the DownloadFile method, which can be used to download a remote file to a specific location.
The basic syntax for calling the DownloadFile method is to specify the file's location as a string or URI and the location to store the file, as shown below:
My.Computer.Network.DownloadFile("http://www.server.com/readme.txt", "c:\docs\readme.txt")
The overloads allow you to specify more advanced parameters such as a timeout or a username and password for a protected file. The example below downloads a password-protected file.
My.Computer.Network.DownloadFile("http://www.server.com/readme.txt", "c:\docs\readme.txt", "myusername", "mypassword")
Note that the FTP protocol used by the DownloadFile method sends information, including the username and password, in plain text. It should not be used to transmit sensitive information.
Tuesday, July 31, 2007
Tuesday, July 17, 2007
Cisco Command Aliases
The alias command allows you to define aliases for long commands. It comes in three modes:
Alias Exec for Privileged Mode.
Alias Configure for Global Configuration Mode.
Alias Interface for Interface Configuration Mode.
Let's say you want to shorten the show running-config command to just two keystrokes; you could define it as follows:
Router(config)# alias exec sr show running-config
Or, if you want to use ns to perform the no shutdown command on an interface, you could define it as:
Router(config)# alias interface ns no shutdown
Now, instead of typing out those long commands, you can type sr for show running-config or ns for no shutdown and achieve the same effect.
Cisco IOS includes some built-in command aliases. You can view these aliases by using the "show alias" command. Here are the default command aliases:
- h - help
- lo - logout
- p - ping
- r - resume
- s - show
- u - undebug
- un - undebug
- w - where
Monday, July 16, 2007
Show Running-Configuration
One of the most commonly used commands when troubleshooting a switch or router is the "show run" command. It gives you insight into the currently running configuration.
Sometimes this command yields so much output that one is overwhelmed by the amount of text on the screen and has to keep pressing the space bar to scroll down to see more.
If you know what you are looking for, you can add " | begin keyword" to the command and the output will start from the line where the keyword first occurs.
SwitchA# show run | begin spanning-tree
In the example above, the switch shows the current configuration from the line containing the first occurrence of the word "spanning-tree".
Using this command saves you the trouble of paging through all the text, only to find that you went too fast, missed the relevant information and have to scroll back to look for it.
Funky Name
I had a little time to spare and wanted to have some fun to relieve the stress, so I created a little application that generates funky names based on the user's input. The name generation logic is based on a children's book, Captain Underpants and the Perilous Plot of Professor Poopypants, by Dav Pilkey, in which the evil Professor forces everyone to assume new names...
The program uses some simple one-dimensional arrays and uses the user's input to index into them and generate the new name. It also makes use of the one-click deployment option.
Pretty funny. Give it a try.
The program can be downloaded from http://www.meshflowers.com/FunkyNames/
Tuesday, July 3, 2007
Reading XML File Using XMLDocument Object
In the previous blog post, I discussed how to read an XML file using the XmlTextReader object of the System.Xml namespace. The same namespace also has XmlDocument, which can be used to read XML files.
You can use the Load method to read an XML file and then process the elements using XPath selection, if you know the structure of the XML document, as follows:
Dim myXmlDoc as New XmlDocument
Dim myNode as XmlNode
myXmlDoc.Load("Cars.xml")
myNode = myXmlDoc.SelectSingleNode("/car/honda")
myTextBox.Text = myNode.InnerXml & vbCrLf
The XmlNode object provides the NextSibling method which can be used to move to the next element or node.
myNode = myNode.NextSibling
myTextBox.Text &= myNode.InnerXml
That works fine if you know the structure of the XML document. If you don't know the structure, you can navigate through the document using the FirstChild and NextSibling methods.
' Start at the first node (often the XML declaration) and skip forward to the first element.
' The Nothing check must come first, and AndAlso must be used so that NodeType is
' never read from a Nothing reference when the document has no element.
myNode = myXmlDoc.FirstChild
While myNode IsNot Nothing AndAlso myNode.NodeType <> XmlNodeType.Element
myNode = myNode.NextSibling
End While
If myNode IsNot Nothing Then myTextBox.Text = myNode.InnerXml
This will dump everything in that node to the textbox including the element names and attributes.
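An added example that is not part of the original post: a recursive walk built on FirstChild and NextSibling that lists element names and attributes for a file of unknown structure, and that clears XmlResolver before Load so a DOCTYPE in an untrusted file cannot pull in external entities or DTDs. The module name and the file path are assumptions.

```vb
Imports System.Text
Imports System.Xml

Public Module XmlDumper

    ' Added example (not from the post): walk a document of unknown structure
    ' with FirstChild/NextSibling, collecting element names and attributes.
    ' XmlResolver is set to Nothing before Load so that a DOCTYPE in an
    ' untrusted file cannot fetch external entities or DTDs from disk or the
    ' network; the default resolver of that era's .NET Framework would.
    Public Function DumpElements(ByVal path As String) As String
        Dim doc As New XmlDocument()
        doc.XmlResolver = Nothing
        doc.Load(path)

        Dim sb As New StringBuilder()
        ' Skip the XML declaration, comments or whitespace before the root.
        Dim node As XmlNode = doc.FirstChild
        While node IsNot Nothing AndAlso node.NodeType <> XmlNodeType.Element
            node = node.NextSibling
        End While
        If node IsNot Nothing Then
            WalkElement(node, 0, sb)
        End If
        Return sb.ToString()
    End Function

    ' One line per element, indented by depth, followed by its attributes.
    Private Sub WalkElement(ByVal elem As XmlNode, ByVal depth As Integer, ByVal sb As StringBuilder)
        sb.Append(New String(" "c, depth * 2)).Append(elem.Name)
        If elem.Attributes IsNot Nothing Then
            For Each attr As XmlAttribute In elem.Attributes
                sb.Append(" ").Append(attr.Name).Append("=""").Append(attr.Value).Append("""")
            Next
        End If
        sb.AppendLine()
        ' Recurse into child elements via FirstChild/NextSibling.
        Dim child As XmlNode = elem.FirstChild
        While child IsNot Nothing
            If child.NodeType = XmlNodeType.Element Then
                WalkElement(child, depth + 1, sb)
            End If
            child = child.NextSibling
        End While
    End Sub

End Module
```

For the Cars.xml file from the post, myTextBox.Text = DumpElements("Cars.xml") shows the element tree without needing to know its structure in advance.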
It's not possible to cover all the methods and properties of the XMLDocument and XMLNode in a short blog, but I hope this will get you going.
Further reading should be done on the following topics: XMLDocument, XMLNode, XMLAttribute, FirstChild, HasChildNodes, InnerText, InnerXML...
Download the sample project here.
Labels: System.XML, VB.net, Visual Basic.net, Windows, xml