Wednesday, November 30, 2011

Right place to put Response.Redirect

One of my friends ran into this issue during a security audit, where a redirect wasn't working as expected.


Actual issue:


He was new to ASP.NET, so instead of using forms authentication/authorization he used a plain session to keep track of the logged-in user. On each page he checked whether the session contained valid information, such as the user name and role, before allowing access to an internal page; if it didn't, the user was redirected to the login page.
For a normal user this worked as it should, but for an attacker it did not: looking at the page responses in an intercepting tool, she could see the 302 (redirect) response code together with the body of the page that was never displayed. Simply changing the status code from 302 to 200 OK let her see the page in the browser, and sending it on to the server again could lead to other exceptions or further abuse.

protected void Page_Load(object sender, EventArgs e)
{
    ..........
    ..........
    // some code to check authenticate/authorize user
    if (failed)
    {
        Response.Redirect("Login.aspx?target=http://...../currentpage.aspx", false);
    }
    else
    {
        // continue with page
    }
}

Suggested Solution:


Page_Load is the stage at which the page has already been loaded, so there is no benefit in passing false there (the argument that is meant to keep the rest of the page controls from being loaded).


So the better place to put the validation code is the OnInit() method:

protected override void OnInit(EventArgs e)
{
    ..........
    ..........
    // some code to check authenticate/authorize user
    if (failed)
    {
        Response.Redirect("Login.aspx?target=http://...../currentpage.aspx", false);
    }
    else
    {
        // continue with page
    }
}

So I suggested that he put it in OnInit, and I don't know yet if it works. I am waiting for his response :).
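As an added example (not the code from the original post), here is the session check placed in OnInit on a hypothetical base page that every internal page inherits from. It also lets the redirect end the response, so the protected markup is never rendered into the 302 body that the audit tool was able to turn into a 200. The class name SecurePage, the Session keys "UserName" and "Role", and the Login.aspx target parameter are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class for the internal pages; assumes the login page stores
// Session["UserName"] and Session["Role"] when the user signs in.
public class SecurePage : Page
{
    // Roles allowed to view the page; a derived page can narrow this list.
    protected virtual string[] AllowedRoles
    {
        get { return new[] { "Admin", "User" }; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        if (!IsAuthorized())
        {
            // Keep the return target relative to this site, so the login page
            // cannot be pointed at an arbitrary external host through "target=".
            string target = HttpUtility.UrlEncode(Request.Url.PathAndQuery);

            // Discard anything already buffered for this response.
            Response.Clear();

            // endResponse defaults to true: Redirect calls Response.End, which
            // aborts the remaining page lifecycle (Load, PreRender, Render), so
            // the 302 goes out with only the Location header and an empty body.
            // Passing false here would let the page keep rendering into that body.
            Response.Redirect("Login.aspx?target=" + target);
        }
    }

    private bool IsAuthorized()
    {
        string user = Session["UserName"] as string;
        string role = Session["Role"] as string;
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(role))
            return false;
        return Array.IndexOf(AllowedRoles, role) >= 0;
    }
}

// An internal page then only has to inherit from SecurePage.
public partial class CurrentPage : SecurePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only reached for a user with a valid session and an allowed role.
    }
}
```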


Happy Living, Happy Coding.


Thanks
Yashpal Sharma


Thursday, November 24, 2011

Split a Value in SQL Server



If we want the parts of a composite string as individual text values, we can use one of the following approaches:
1. If we have a text/value combination, here is the way to separate the two values:


Declare @CompositeValue as Varchar(500)
set @CompositeValue='Text_Value'

-- everything before the underscore
Select Substring(@CompositeValue,1,CharIndex('_',@CompositeValue,1)-1) as Text

-- everything after the underscore
Select Substring(@CompositeValue,CharIndex('_',@CompositeValue,1)+1,Len(@CompositeValue)) as Value

2. Another way is to get the split values in the form of a table:


/****** Object:  UserDefinedFunction [dbo].[Split]    Script Date: 05/10/2012 20:30:30 ******/
SET ANSI_NULLS ON
GO

SET QUOTED_IDENTIFIER ON
GO

-- Splits @String on @Delimiter and returns the trimmed pieces as rows
CREATE FUNCTION [dbo].[Split]
(
    @String nvarchar(max),
    @Delimiter char(1)
)
returns @Results TABLE (ID int identity, Item nvarchar(4000))
as
begin
    declare @index int
    declare @slice nvarchar(max)

    select @index = 1
    if @String is null return

    while @index != 0
    begin
        -- position of the next delimiter, 0 when none is left
        select @index = charindex(@Delimiter, @String)
        if @index != 0
            select @slice = left(@String, @index - 1)
        else
            select @slice = @String

        insert into @Results(Item) values (ltrim(rtrim(@slice)))

        -- drop the piece just stored together with its delimiter
        select @String = right(@String, len(@String) - @index)
        if len(@String) = 0 break
    end

    return
end
GO


Happy Living , Happy Coding 
Yashpal Sharma

Remove Caching of an HTML Page

Removing caching from an HTML page is easy, but only if it is done the right way.
To remove caching from an HTML page we need to add a few basic tags to the head part of the HTML document:

<Html>
<Head>
<Meta http-equiv="Expires" content="0">
<Meta http-equiv="Pragma" content="No-Cache">
<Meta http-equiv="Cache-Control" content="No-Cache">
</Head>
<Body>
</Body>
</Html>



This is what we usually do to remove caching: insert the following meta tags into the head part of the HTML page:

<Meta http-equiv="Expires" content="0">
<Meta http-equiv="Pragma" content="No-Cache">
<Meta http-equiv="Cache-Control" content="No-Cache">

What actually happens:


But what actually happens in this case is that a page Internet Explorer is browsing is not cached until half of its 64 KB buffer is filled. In most cases we put the metadata in the head tag, and the page is parsed from top to bottom: when the parser reads the no-cache meta tag it checks the temporary folder and removes the page if it already exists there, but it does not do this again at the end of the page.


So, to make sure we are not allowing our HTML page to be cached, we must also add the meta tags at the bottom of the page. Here is the example. Note that meta tags are only seen by the browser; proxies and other intermediate caches go by the HTTP Cache-Control headers the server sends, so those remain the reliable control.

<Html>
<Head>
<Meta http-equiv="Expires" content="0">
<Meta http-equiv="Pragma" content="No-Cache">
<Meta http-equiv="Cache-Control" content="No-Cache">
</Head>
<Body>
Here is the content that cannot be cached.
</Body>
<Head>
<Meta http-equiv="Expires" content="0">
<Meta http-equiv="Pragma" content="No-Cache">
<Meta http-equiv="Cache-Control" content="No-Cache">
</Head>
</Html>

Happy Living , Happy Coding


Yashpal Sharma