Questions tagged [asp.net-core]

For use only on 'ASP.NET Core' related questions. ASP.NET Core is a lean and composable framework for building web and cloud applications. This tag is not used for 'ASP.NET Framework'.

ASP.NET Core is a lean and composable framework for building web and cloud applications. ASP.NET Core is fully open source and available on GitHub. ASP.

This is not to be confused with a separate technology by Microsoft: ASP.NET Framework.

34 questions
27
votes
2 answers

How to avoid using System.String with Rfc2898DeriveBytes in C#

I am creating a .NET core webapp in C# that takes in a user password and hashes it to be stored on a server. I'm using Rfc2898DeriveBytes along with a randomly generated salt. I've read, however, that I should avoid using strings in the entire…
Jeff
6
votes
2 answers

Is it ok to write OidC Bearer token to log?

During development we added to error logs details of http requests, including headers, to have better understanding for error investigation. Our architect pointed that we should not place sensitive information in logs. My question was should we…
5
votes
1 answer

ASP.NET - why is the default SecurityStamp validation interval set to 30 minutes?

I'm currently studying authentication mechanisms in ASP.NET Core and came across SecurityStamp feature, which is known also from ASP.NET Standard. From what I understand from the answer here, this was added to perform sign out from all active…
PJDev
4
votes
0 answers

Architecting a solution with native login and 3rd party login via OAuth/OpenID Connect using dotnet core

I am building an API driven application that will have a native login with username and password, and will also need to grant 3rd party access via OAuth/OpenID Connect in the near future. A pattern I have used in the past is this (below) and just…
3
votes
1 answer

A couple of questions about ASP.Net Core default implementation for login security

By default, ASP.Net Core configures the login exercise with a couple of things that seem strange to me. I'd like someone who knows more about infosec than I to comment on these please. First, it sends an email to a user upon registration containing…
3
votes
1 answer

Why is TLS still commonly referred to as SSL?

I am developing in Visual Studio 2017 and I'm writing an asp.net core 2.0 web application. In the project properties there is a checkbox for Enable SSL. Any idea why this is called SSL instead of TLS? Also, it seems folks refer to certificates as…
2
votes
0 answers

What are these requests that appear to be phoning home?

I have a .NET 5 application running on AWS which has these requests constantly attempting to run: GET http://app-10-irules.com/ GET http://www.simpleexample.com/ GET http://ssl-app-default-backend.com/ Currently they all 404, but nothing in my code…
2
votes
1 answer

Is there benefit to an Anti-forgery cookie with sameSite:none?

We have a form that is using asp.net core AntiForgery validation. Recently encountered an issue with a form on the site hosted on www.domain.ie not being able to POST to the API at api.domain.co.uk due to AntiForgery validation. The recommendation…
Fishcake
2
votes
2 answers

Is CSRF prevention logic required for api that is consumed only by mobile app?

I am developing an ASP.NET Core web api project whose only client will be a mobile app developed in Xamarin. There will be no web frontend for the application. Can CSRF attacks be executed if the user can only login and consume the api from the…
CristisS
2
votes
2 answers

Alternative to bcrypt in .NET Core?

I'm porting an app from Node to ASP.NET Core, and discovered that the .NET Core framework doesn't have a bcrypt implementation. There are community supported bcrypt implementations but they are very old or have not undergone review, like those…
lonix
2
votes
2 answers

Why are top-level wildcard bindings unsafe?

Microsoft has the following to say about configuring asp.net core with http.sys: Top-level wildcard bindings (http://*:80/ and http://+:80) should not be used. Top-level wildcard bindings create app security vulnerabilities. This applies to…
Voo
2
votes
1 answer

My ASP.NET core application executable detected as Trojan

I wanted to copy from a local publish location of my ASP.NET Core project on a production IIS Server, and Windows Defender detected a Trojan in my main executable file. When I scan this folder on my local machine, Defender does not find any…
vpetrovic
2
votes
0 answers

Web application making a call to a REST API when already authenticated

I'm new to ASP.NET Core and OpenID connect/AzureAD, so I'm looking for some validation (or otherwise) of my approach. Extensive reading/googling over the last couple of weeks while I've been learning this hasn’t turned up an exact answer (although a…
Paul Nearney
2
votes
1 answer

Are there any security risks associated with having static files on the server be publicly available?

I am going to frame this question using ASP.NET Core in mind since that is what I'm using, though my question is applicable to any scenario in which you have a client that makes requests to a server storing static files. In the Microsoft docs on how…
Drew
2
votes
1 answer

ASP NET Core Identity password reset form prompts for email address

I notice that the default ASP.NET Core Identity templates ask for email address after the reset email notification link has been followed (i.e. the "choose a new password" form in the ResetPassword.cshtml view). Why would having the user re-provide…
Steve S