Monday, July 25, 2011

Implement an SSL custom attribute in MVC

An example of how to implement a custom SSL attribute in MVC.

· If the user is logged in, the request must be forced onto HTTPS; otherwise it must be forced back to plain HTTP.

· Ideally, in the LoginController we use the attribute [CustomRequireHttps], which always forces SSL.

· For other controllers we use the attribute [CustomRequireHttps(false)], which forces the request not to use SSL.

· For controllers that never require SSL, a separate attribute, [CustomNotRequireHttps], can be created to force HTTP.

using System;
using System.Web.Mvc;

/// <summary>
/// Represents an attribute that forces an unsecured HTTP request to be re-sent over HTTPS
/// (and, optionally, an HTTPS request from an anonymous user back to plain HTTP).
/// </summary>
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = false)]
public class CustomRequireHttpsAttribute : FilterAttribute, IAuthorizationFilter
{
    private bool _ForceOnLoggedIn = false;

    /// <summary>
    /// Constructor: always force HTTPS.
    /// </summary>
    public CustomRequireHttpsAttribute() : this(false)
    {
    }

    /// <summary>
    /// Constructor
    /// </summary>
    /// <param name="forceOnLoggedIn">When true, force HTTPS only for authenticated users and force anonymous users back to HTTP.</param>
    public CustomRequireHttpsAttribute(bool forceOnLoggedIn)
    {
        this._ForceOnLoggedIn = forceOnLoggedIn;
    }

    /// <summary>
    /// Handles unsecured HTTP requests that are sent to the action method.
    /// </summary>
    /// <param name="filterContext">An object that encapsulates information that is required in order to use the attribute.</param>
    /// <exception cref="InvalidOperationException">The HTTP request contains an invalid transfer method override. All non-GET requests are considered invalid.</exception>
    protected virtual void ForceSecure(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.Request.IsSecureConnection)
        {
            if (!string.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            {
                // throw if the request is not a GET: a POST body must not be silently re-sent over another scheme
                throw new InvalidOperationException("MyRequireHttpsAttribute_MustUseSsl");
            }

            // redirect to the https:// version of the same URL
            string url = "https://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
            filterContext.Result = new RedirectResult(url);
        }
    }

    /// <summary>
    /// Forces a secured (HTTPS) request back to plain HTTP; only the GET method is dealt with.
    /// </summary>
    /// <param name="filterContext">An object that encapsulates information that is required in order to use the attribute.</param>
    protected virtual void ForceUnsecure(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsSecureConnection)
        {
            // it is a secure page
            if (string.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            {
                // only deal with the GET method: redirect to the http:// version of the same URL
                string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
                filterContext.Result = new RedirectResult(url);
            }
        }
    }

    /// <summary>
    /// Determines whether a request is secured (HTTPS) and, if it is not, calls the <see cref="ForceSecure"/> method.
    /// </summary>
    /// <param name="filterContext">An object that encapsulates information that is required in order to use the attribute.</param>
    /// <exception cref="ArgumentNullException">The <paramref name="filterContext"/> parameter is null.</exception>
    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        if (_ForceOnLoggedIn == false)
        {
            this.ForceSecure(filterContext);
        }
        else
        {
            // check whether the user is logged in
            if (filterContext.RequestContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // logged in: force the secure page
                this.ForceSecure(filterContext);
            }
            else
            {
                // not logged in: force the unsecure page
                this.ForceUnsecure(filterContext);
            }
        }
    }
}
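To check that the attribute behaves as the bullets above describe, here is an added test harness (not part of the original post) that runs the filter against mocked requests with Moq; it assumes ASP.NET MVC 3, the Moq package, and a constructed host name example.test.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Moq;
public static class CustomRequireHttpsChecks
{
    // Hypothetical helper: wraps a mocked request (scheme, verb, login state) in an AuthorizationContext.
    static AuthorizationContext Build(bool isSecure, string method, bool authenticated)
    {
        var request = new Mock<HttpRequestBase>();
        request.Setup(r => r.IsSecureConnection).Returns(isSecure);
        request.Setup(r => r.HttpMethod).Returns(method);
        request.Setup(r => r.Url).Returns(new Uri((isSecure ? "https" : "http") + "://example.test/Account/Login"));
        request.Setup(r => r.RawUrl).Returns("/Account/Login");
        var identity = new Mock<IIdentity>();
        identity.Setup(i => i.IsAuthenticated).Returns(authenticated);
        var user = new Mock<IPrincipal>();
        user.Setup(u => u.Identity).Returns(identity.Object);
        var http = new Mock<HttpContextBase>();
        http.Setup(h => h.Request).Returns(request.Object);
        http.Setup(h => h.User).Returns(user.Object);
        var controller = new ControllerContext(http.Object, new RouteData(), new Mock<ControllerBase>().Object);
        return new AuthorizationContext(controller, new Mock<ActionDescriptor>().Object);
    }
    // Runs the filter and returns the redirect URL it set, or null when the request was allowed through.
    public static string RedirectTarget(IAuthorizationFilter filter, bool isSecure, string method, bool authenticated)
    {
        var ctx = Build(isSecure, method, authenticated);
        filter.OnAuthorization(ctx);
        var redirect = ctx.Result as RedirectResult;
        return redirect == null ? null : redirect.Url;
    }
    public static void Main()
    {
        var always = new CustomRequireHttpsAttribute();           // [CustomRequireHttps]
        var onlyLoggedIn = new CustomRequireHttpsAttribute(true); // [CustomRequireHttps(true)]
        // plain-HTTP GET: bounced to https://, whatever the login state
        Console.WriteLine(RedirectTarget(always, false, "GET", false));
        // anonymous user over HTTPS with the logged-in-only filter: sent back to http://
        Console.WriteLine(RedirectTarget(onlyLoggedIn, true, "GET", false));
        // logged-in user over HTTPS: no redirect, the action runs
        Console.WriteLine(RedirectTarget(onlyLoggedIn, true, "GET", true) ?? "(no redirect)");
        // plain-HTTP POST: refused, so the form body is never re-sent over a different scheme
        try { RedirectTarget(always, false, "POST", false); }
        catch (InvalidOperationException e) { Console.WriteLine("refused: " + e.Message); }
    }
}
```

Sending anonymous users back to plain HTTP is only safe when the forms-authentication cookie is marked requireSSL="true" in web.config, so it is never transmitted on the HTTP pages. The redirect host is taken from Request.Url.Host, i.e. the incoming Host header, so the site binding should pin the host name rather than accept any value.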

Thursday, July 21, 2011

Anti-forgery for MVC and AJAX

I just found a very good solution for anti-forgery protection of our sites in ASP.NET MVC and AJAX.

This solution can easily be applied to both controller classes and AJAX calls.

Here is the article:

http://weblogs.asp.net/dixin/archive/2010/05/22/anti-forgery-request-recipes-for-asp-net-mvc-and-ajax.aspx

Wednesday, July 20, 2011

JavaScript XSS attack

A reminder about JavaScript XSS attacks.

For example:

var name = "<%= UserInput %>";

If a post submits the username as
" ;alert(document.cookie);//

then this will trigger an XSS attack.

There is a simple fix, which I have added to the String extension (available in Support R5):
var currentUsername = "<%= Encoder.JavascriptEncode(UserInput) %>";

Hopefully this post can serve as a reminder for all of us to protect our sites.
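As an added illustration (not code from the post), here is a JavaScript-string-context encoder of the kind the post's Encoder.JavascriptEncode wrapper is assumed to perform (the AntiXSS library's JavaScriptEncode uses the same \xHH / \uHHHH scheme), applied to the username quoted above; the JsStringEncoder class and its method names are mine.

```csharp
using System;
using System.Text;

public static class JsStringEncoder
{
    // Escapes everything outside [A-Za-z0-9 ] as \xHH (or \uHHHH above 0xFF), so a quote,
    // semicolon or slash in user input can never close the string literal or start a comment.
    public static string Encode(string input)
    {
        if (input == null) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == ' ')
                sb.Append(c);
            else if (c < 0x100)
                sb.Append("\\x").Append(((int)c).ToString("X2"));
            else
                sb.Append("\\u").Append(((int)c).ToString("X4"));
        }
        return sb.ToString();
    }

    // Builds the script line the post's view emits, once raw and once through the encoder.
    public static string Unsafe(string userInput) { return "var name = \"" + userInput + "\";"; }
    public static string Safe(string userInput) { return "var name = \"" + Encode(userInput) + "\";"; }

    public static void Main()
    {
        // constructed sample input: the username from the post
        string payload = "\" ;alert(document.cookie);//";
        // raw: the first quote terminates the literal and the rest is parsed as code
        Console.WriteLine(Unsafe(payload));
        // encoded: the whole value stays inside the literal as escape sequences
        Console.WriteLine(Safe(payload));
    }
}
```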


Monday, July 11, 2011

Client validation in FF

Recently, I had to fix a bug where client validation didn't work in Firefox.

Finally, I noticed that the problem lay in web.config, which forces xhtmlConformance mode="Legacy":

<xhtmlConformance mode="Legacy" />

This renders the validator with its attributes inline:

<span controltovalidate="text1"
      id="required1"
      evaluationfunction="RequiredFieldValidatorEvaluateIsValid"
      validationgroup="grp1"
      initialvalue=""
      style="color:Red;visibility:hidden;">required</span>

Instead of this:

<span id="required1" style="color:Red;visibility:hidden;">required</span>

The reason it doesn't work is EXPANDO attributes.

When tracing in the debugger, you can see that the expando properties are
not recognized, although they do exist in the "attributes" collection.
Expando attributes are fine in Firefox, but cannot be accessed as if they
were part of the DOM, as IE allows. Any attribute that is not part of the
DOM is only accessible via obj.getAttribute('x') or obj.attributes['x'].value.

The ASP.NET 2.0 client script library needs to be updated to avoid
DOM-like property access to expando attributes and use getAttribute() instead.

Some links on expandos:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/properties/expando.asp
http://www.xulplanet.com/ndeakin/archive/2004/9/12/
http://www.howtocreate.co.uk/tutorials/javascript/dombasics

Also, all HTML attributes are supposed to be caseless, so
and are identical. However, IE 6 treats them as two
different attributes, so be sure that all references are in lowercase!