Why is using a URL containing a colon considered a “potentially dangerous request”?
Someone (probably a bot) sent a request with the following URL to my ASP.NET 4.0 web forms application (running on IIS 7.0):
I am reading a report from a “web application security” company, who has been scanning a few websites of the company I am working for. It appears from the report – which seems to have been written without any human involvement – that several attempts were made to break our sites using requests like this:
This will be my first ASP.NET MVC application with forms authentication so I am trying to make sure I don’t miss anything. The scenario is this: Public / Secured Areas.
I need to prevent someone from directly accessing a pdf, instead only allowing them to be pulled through the app itself. How can this be done?
I’ve seen various questions regarding this issue, but there are a couple of questions that haven’t been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there’s no security question/answer). The password is stored as a salted hash, so there’s no recovery possible. Instead, I’d just like the user to enter a new password after confirming that they have requested a reset.
I am getting an “Access to the path is denied” error message when running in debug mode. I have tried granting permissions to {MACHINENAME}\ASPNET and to NETWORK SERVICE but this hasn’t made any difference. I have also tried <identity impersonate="true" /> using an admin account; this also made no difference. So how do I establish exactly which account is being used?
In web development, when session state is enabled, a session id is stored in a cookie (in cookieless mode, the query string is used instead). In ASP.NET, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookies, including the session id. I can understand why you would want to encrypt private info such as DOB, but private info should not be stored in a cookie in the first place. So for other cookie values such as the session id, what is the purpose of encryption? Does it add security at all? No matter how you secure it, it will be sent back to the server for decryption.
How do you properly ensure that a user isn’t tampering with query string values or action URL values? For example, you might have a Delete Comment action on your CommentController which takes a CommentID. The action URL might look like /Comments/Delete/3 to delete the comment with the id 3.
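One common way to make an action parameter tamper-evident is to have the server attach a keyed MAC over the id plus the identity it was issued to, and refuse any request whose tag does not verify. The block below is an added example, not code from the question above or from ASP.NET MVC; it is written in Python to keep the technique language-neutral, and the key, action names and comment ids are assumptions constructed for the illustration. The signature only proves the server issued the link to that user; the authorization check (does this user own comment 3?) still has to run on the server, and the example keeps both.

```python
"""Tamper-evident action parameters (added example, not from the original post).

Instead of trusting a bare id such as /Comments/Delete/3, the server emits
'3.<tag>' where <tag> is HMAC-SHA256 over the action, the id and the user
the link was issued to.  A client that edits the id, or replays another
user's link, produces a tag that no longer verifies.
"""
import hashlib
import hmac

# Server-side secret.  In a real deployment this comes from protected
# configuration and is never sent to the client; constructed here only so
# the example runs stand-alone.
SERVER_KEY = b"example-only-key-change-me"

# Constructed sample data standing in for the comments table.
COMMENT_OWNERS = {3: "alice", 4: "bob"}


def _mac(action: str, resource_id: int, user_id: str, key: bytes) -> str:
    # Field separator avoids ambiguity between e.g. ("1","23") and ("12","3").
    msg = f"{action}|{resource_id}|{user_id}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_action(action: str, resource_id: int, user_id: str, key: bytes = SERVER_KEY) -> str:
    """Return the value to embed in the URL: '<id>.<hex tag>'."""
    return f"{resource_id}.{_mac(action, resource_id, user_id, key)}"


def verify_action(action: str, token: str, user_id: str, key: bytes = SERVER_KEY):
    """Return the id if the token verifies for this action and user, else None.

    hmac.compare_digest is constant-time, so the comparison does not leak
    how many leading characters of a guessed tag were correct.
    """
    try:
        id_part, tag = token.split(".", 1)
        resource_id = int(id_part)
    except ValueError:
        return None
    expected = _mac(action, resource_id, user_id, key)
    if not hmac.compare_digest(expected, tag):
        return None
    return resource_id


def delete_comment(token: str, current_user: str) -> str:
    """Controller-style handler: verify the tag, then still check ownership."""
    comment_id = verify_action("delete", token, current_user)
    if comment_id is None:
        return "rejected: invalid or tampered token"
    if COMMENT_OWNERS.get(comment_id) != current_user:
        return "rejected: not the owner"
    del COMMENT_OWNERS[comment_id]
    return f"deleted {comment_id}"


def demo() -> dict:
    """Exercise the honest path and two tampering attempts."""
    token = sign_action("delete", 3, "alice")          # link issued to alice
    tampered = "4." + token.split(".", 1)[1]            # alice edits 3 -> 4
    return {
        "tampered": delete_comment(tampered, "alice"),  # tag no longer verifies
        "replayed": delete_comment(token, "bob"),       # bob reuses alice's link
        "honest": delete_comment(token, "alice"),       # verifies and alice owns 3
    }
```

Because the tag is bound to the user, a link copied from one account is rejected under another before the ownership lookup even runs; the ownership check remains the primary control and the MAC is defence in depth against URL editing.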
I am trying to generate a SHA256 hash in android, that I then pass to an ASP.NET Web API web service and compare the hash there. As such, I need to construct a hash in Android, that given the same inputs in ASP.NET will generate an equivalent hash. I’m pulling my hair out trying to figure out what I’m doing wrong.
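SHA-256 itself is identical on every platform, so when two implementations disagree the difference is almost always in how the input string was turned into bytes or how the digest bytes were turned into text. The block below is an added example, not code from the question above or from either framework; it uses Python as a neutral reference and emulates the two classic mismatches: Java-style hex built with Integer.toHexString, which drops the leading zero of any byte below 0x10, and .NET-style BitConverter.ToString output, which is upper-case and dash-separated. The test vector "abc" and the accented sample string are constructed inputs.

```python
"""Cross-platform SHA-256 equivalence (added example, not from the original post).

Shows the canonical form both sides should agree on, and two ways the text
representation commonly diverges even though the underlying digest matches.
"""
import hashlib
import hmac


def sha256_hex(message: str, encoding: str = "utf-8") -> str:
    """Canonical reference: explicit charset, lower-case hex, two digits per byte.

    Always name the charset; Java's String.getBytes() and .NET's
    Encoding.Default can differ by platform, and different bytes mean a
    different hash.
    """
    return hashlib.sha256(message.encode(encoding)).hexdigest()


def sha256_hex_java_tohexstring_bug(message: str) -> str:
    """Emulates Java code that concatenates Integer.toHexString(b & 0xff).

    Any digest byte below 0x10 is rendered with one hex digit instead of two,
    so the result is shorter than 64 characters and never matches a correctly
    formatted digest of the same input.
    """
    digest = hashlib.sha256(message.encode("utf-8")).digest()
    return "".join(format(b, "x") for b in digest)  # "x", not "02x": the bug


def dotnet_bitconverter_style(message: str) -> str:
    """Emulates BitConverter.ToString(hashBytes): 'BA-78-16-...' upper-case with dashes."""
    digest = hashlib.sha256(message.encode("utf-8")).digest()
    return "-".join(f"{b:02X}" for b in digest)


def normalize_hex(s: str) -> str:
    """Bring any of the common text forms to the canonical one before comparing."""
    return s.replace("-", "").strip().lower()


def hashes_match(a: str, b: str) -> bool:
    """Normalize both sides, then compare in constant time."""
    return hmac.compare_digest(normalize_hex(a), normalize_hex(b))


def explain(message: str) -> dict:
    """Collect the forms for one input so the differences are visible side by side."""
    canonical = sha256_hex(message)
    return {
        "canonical": canonical,
        "java_bug": sha256_hex_java_tohexstring_bug(message),
        "java_bug_matches": hashes_match(canonical, sha256_hex_java_tohexstring_bug(message)),
        "dotnet_style": dotnet_bitconverter_style(message),
        "dotnet_matches_after_normalize": hashes_match(canonical, dotnet_bitconverter_style(message)),
    }
```

Running explain("abc") shows the .NET-style string matching once dashes and case are normalized, while the Integer.toHexString variant is three characters short (the digest of "abc" contains the bytes 0x01, 0x03 and 0x00) and can never match. On the Android side the fix is String.format("%02x", b & 0xff) or an equivalent two-digit formatter, plus an explicit StandardCharsets.UTF_8 when encoding the input.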
I’ve seen some similar questions, but none that look like what I’m trying to do.