Wednesday 18 September 2013

Absolute Beginner's Tutorial on Cross Site Scripting (XSS) Prevention in ASP.NET

In our last post we saw Trick to download facebook Photo Album-Link. In this post we will see what Cross Site Scripting (XSS) is. We will look at some samples that are vulnerable to XSS and try to inject some scripts into them. We will then see how we can prevent XSS attacks in an ASP.NET website. Cross site scripting is one of the problems that has plagued a lot of websites. According to the WhiteHat Security Top Ten, more than 50% of websites are vulnerable to cross site scripting. As a web developer, it is important to understand what cross site scripting is and how we can safeguard our site from such attacks.

Cross site scripting is nothing but the injection of client side scripts into a website. These scripts can be HTML markup or JavaScript. The question then is how a person can inject scripts into a running page. This can easily be done through any of the ways a website collects input. Cross site scripting can be performed by passing scripts in the form of:

-TextBox (input controls)
-Query Strings
-Cookies
-Session variables
-Application variables
-Retrieved data from an external or shared source

Now let us see a very rudimentary example of cross site scripting, and then we will see what ASP.NET provides to prevent it. We will also look at the best practices that need to be followed in order to make our website safe from cross site scripting attacks.

Before writing applications that are vulnerable to cross site scripting, we should know that ASP.NET provides some security out of the box against such attacks, i.e. Request Validation. This is a good thing for an ASP.NET developer. We will talk about it in the later part of the article, but for now let us see how we can disable this prevention mechanism.


Getting your Test Project Ready

The first thing that we need to do to disable the request validations is to set the ValidateRequest property of the page directive to false. If we need to do this for the whole website then we can do this from the web.config pages element.

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false" %>


Now, in order for the above setting to work we also need to set the requestValidationMode of the httpRuntime element in web.config to 2.0. Request validation is only turned off when this mode is set to 2.0; otherwise the page-level setting has no effect.

<httpRuntime requestValidationMode="2.0"/>


We are disabling request validation only because we want to test cross site scripting; without disabling it, it won't be possible to see cross site scripting in action. It is not recommended to turn off request validation in a production environment, because this opens the website to cross site scripting attacks.


Perform XSS using Query Strings

Now let us create a simple web form that will simply accept a query string from the user and display the query string values on page.




The code-behind for this page looks like this:

    protected void Page_Load(object sender, EventArgs e)
    {
        // Read the raw query string value; null when ?id= is absent.
        string id = Request.QueryString["id"];

        if (id == null)
        {
            lblId.Text = "NA";
        }
        else
        {
            // The value is written to the page without any encoding,
            // so any markup it contains is rendered by the browser.
            lblId.Text = id;
        }
    }


Now under normal circumstances this will work just fine but if we try to pass some script in the query string variable then we have a problem. Let me now pass the query string parameter as:

Default.aspx?id=<h3>Hello from XSS"</h3>


and now when we open the page, the injected heading is rendered as part of the page.

And herein lies the problem. The user can pass any HTML through the query string and that HTML will be rendered on the page. This was a very basic example, but imagine HTML with absolutely positioned tags and images: it could wipe out the original page and show something else entirely.

The same thing can happen with JavaScript too. I can inject any JavaScript into this page. Let us try this:

Default.aspx?id=<script>alert('you have been hacked');</script>

and the output will be:





Preventing Cross Site Scripting:

ASP.NET website developers have an advantage over other technologies because ASP.NET has some cross site scripting prevention logic baked into the framework itself, i.e. Request Validation. In our earlier examples we disabled it to demonstrate cross site scripting, but this is not at all recommended and it should not be disabled unless it is a must.

If we leave ValidateRequest set to true on the page, then instead of a modified page we get an error when a request containing markup is submitted.






But apart from this built-in default prevention mechanism, developers should always follow these guidelines to prevent XSS.

1. Constrain the user input to the characters that are acceptable for that particular field.
2. Never trust user input. Always encode all the user inputs before processing them.
3. If data is coming from an external source or a shared source, never show raw data. Always encode the data before displaying it to the user.

Now let us go back to our XSS-prone page again. We will add one more textbox and button to the page to see how we can constrain user input.

We can always use JavaScript filters to constrain the user input. Let us apply a JavaScript-based filter to this new text box so that it accepts only alphanumeric characters and nothing else.


<asp:TextBox ID="TextBox2" runat="server" onkeypress="return AcceptAlphaNumericOnly(event, false, false);"></asp:TextBox>

This will prevent the user from typing unwanted characters into the textbox. We should also check for and remove the unwanted characters on the server side too, because client side scripts can be bypassed easily (even in the above text box we can paste a copied script).

Now for the part about encoding the user input. Let us add a similar textbox again and put the logic for encoding the user input in the button's click handler.


    protected void Button3_Click(object sender, EventArgs e)
    {
        string rawInput = TextBox3.Text;
        // HTML-encode before writing to the page so that < > & " ' are shown
        // as text rather than interpreted as markup or script.
        string encodedinput = Server.HtmlEncode(rawInput);
        lblMessage3.Text = "Hello " + encodedinput;
    }

Now if we try to inject a script through this textbox, the encoded markup is displayed as plain text rather than rendered:




Same should be done if the data is coming from an external or shared source. We should never trust the data that is not created by us.
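The two server-side guidelines above (constrain the input, then encode it before it reaches the page) in one runnable C# console program, as an added example that is not from the original post. It uses System.Net.WebUtility.HtmlEncode because a console app has no Server object (Server.HtmlEncode in a page applies the same encoding); the helper names are my own.

```csharp
// Added example (not from the original post): applies the post's two
// server-side guidelines to the same payloads the post injects through ?id=.
using System;
using System.Linq;
using System.Net;

static class XssDefence
{
    // Guideline 1: constrain input to the characters the field may contain.
    // Server-side counterpart of the AcceptAlphaNumericOnly keypress filter;
    // a pasted value bypasses the client check, so the same ASCII allow-list
    // is enforced here. Returns null when the value is rejected.
    public static string ConstrainAlphaNumeric(string input, int maxLength)
    {
        if (string.IsNullOrEmpty(input) || input.Length > maxLength)
            return null;
        return input.All(c => c < 128 && char.IsLetterOrDigit(c)) ? input : null;
    }

    // Guideline 2: never place raw input in the page; encode it first so the
    // browser shows the characters instead of interpreting them as markup.
    public static string RenderGreeting(string rawInput)
    {
        string encodedInput = WebUtility.HtmlEncode(rawInput);
        return "Hello " + encodedInput;
    }

    // What the vulnerable Page_Load in the post does: raw concatenation.
    public static string RenderUnsafe(string rawInput)
    {
        return rawInput ?? "NA";
    }

    static void Main()
    {
        // Constructed payloads, the same ones the post passes in the query string.
        string[] payloads =
        {
            "12345",
            "<h3>Hello from XSS</h3>",
            "<script>alert('you have been hacked');</script>",
        };

        foreach (string id in payloads)
        {
            Console.WriteLine("input    : " + id);
            Console.WriteLine("unsafe   : " + RenderUnsafe(id));   // markup reaches the browser
            Console.WriteLine("encoded  : " + RenderGreeting(id)); // &lt;h3&gt;... shown as text
            string constrained = ConstrainAlphaNumeric(id, 20);
            Console.WriteLine("allowlist: " + (constrained ?? "rejected"));
            Console.WriteLine();
        }
    }
}
```

Only the numeric value survives the allow-list; the other two are rejected outright, and even if a field must accept free text, the encoded form is what should reach the Label.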

So now we know some basic prevention mechanisms that can protect our site from cross site scripting. Along with these mechanisms, the use of a stable third party cross site scripting protection library is also advisable. One such library is AntiXSS (http://wpl.codeplex.com/). Such libraries provide protection in situations where the framework and its built-in functions fall short.









Tuesday 17 September 2013

Trick to download facebook Photo Album-Link

In our last post we saw Delete Facebook Account Permanently. In this post we will see how to download a Facebook Photo Album.

Sometimes when you want to download all the photos of a friend, it becomes difficult to download each and every photo manually. Here I am going to introduce a simple application with which you can download all the photos of a Facebook album in a single click.


 

Steps to Download Facebook Photo Album:

1. Go to facebook2zip.com[link].
2. Make sure that you are logged into your Facebook account.
3. Click the button Login with Facebook.
4. Choose one of your friends whose album you want to download. Then hit Next.
5. Now choose the photo album which you want to download.
6. Now your download will be ready and you can download the photo album by clicking on the Download button and saving it to the desired location on your PC.
7. That's it, friends. There are many applications to download Facebook photo albums, but this method seems to be the easiest, fastest and safest.

Hope that you liked this short tutorial on How To Download Facebook Photo Album. For more Facebook tips and tricks stay connected with us on Facebook.


Monday 9 September 2013

Delete Facebook Account Permanently

In our last post we saw How to Create a Video With Your Pictures on Facebook. In this post we will see how to Delete Facebook Account Permanently.

Many users are confused between deleting and deactivating an account. They don't find any option for deletion and go for deactivating the account instead. But deactivating and deleting a Facebook account are not the same. Deactivating means staying away from your account; all your photos, updates and activities remain there as usual and you can reactivate it whenever you want to. Deleting a Facebook account means erasing everything that already exists in your Facebook account, such as photos, videos, updates, etc.

STEPS TO PERMANENTLY DELETE A FACEBOOK ACCOUNT :-


The URL for permanently deleting a Facebook account is not readily available. It is not easy to find because it does not exist in your account settings/options; it exists in Facebook Help and is difficult to reach from your profile. So click the following link, which will redirect you to the delete account page.


CLICK HERE TO GO TO DELETE ACCOUNT PAGE



NOTE: IF YOU REALLY WANT TO DELETE YOUR FACEBOOK ACCOUNT THEN SUBMIT THE ABOVE APPLICATION AND DO NOT LOG IN TO YOUR FACEBOOK ACCOUNT FOR 2 TO 14 DAYS
 

-----------------------------------------------------------------------------------------------

 In the next post we will see :

Trick to download facebook Photo Album-Link


Sunday 8 September 2013

Create a Video With Your Pictures on Facebook

In our last post we saw Send SMS from Facebook. In this post we will see how to Create a Video With Your Pictures on Facebook.


You can easily create a video with your Facebook pictures. To create a video with your Facebook photos, go to pixable.com[click here].



----------------------------------------------------------------------------------------------

  In the next post we will see :



Delete Facebook Account Permanently

 
 

Friday 6 September 2013

Send SMS from Facebook

In our last post we saw Watch Streaming TV Live on Facebook. In this post we will see how to Send SMS from Facebook.

Yes, you read that right: now you can send SMS from Facebook. There are no country restrictions; you can send SMS to any country. The message is sent instantly and takes only a few seconds to reach the destination. All this is possible with a cool Facebook application.

  • Select your country.
  • Then in the next line enter the mobile number to which you want to send sms.
  • After that enter your message that you want to deliver.

Limitations:
  • You can only send SMS up to 100 characters long.
  • You can only send 4 SMS per day.
  • Don't do anything illegal with this service, as it displays your name at the beginning of the message.

----------------------------------------------------------------------------------------------

  In the next post we will see :


Create a Video With Your Pictures on Facebook

 


Tuesday 3 September 2013

Watch Streaming TV Live on Facebook

In our last post we saw An Easy way to view Private Facebook Profile Picture in Full size. In this post we will see how to Watch Streaming TV Live on Facebook.

There is a Facebook application that provides free live streaming TV channels on Facebook. You can watch a lot of international channels using this application. I am able to watch live channels without buffering on my 2G connection. This application is totally free of cost. The 2012 Olympics were also broadcast on this channel.


Application Used:http://apps.facebook.com/tvdream-app/

----------------------------------------------------------------------------------------------

  In the next post we will see :


Send SMS from Facebook

 

 
