Questions tagged [asp.net]

ASP.NET is a Web application framework developed and marketed by Microsoft to allow programmers to build dynamic Web sites, Web applications and Web services. It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft's Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language. The ASP.NET SOAP extension framework allows ASP.NET components to process SOAP messages.

225 questions
5 votes, 1 answer

How did the Code Red worm work?

So I've been reading a bit about the Code Red worm, and I get the gist but the overflow string doesn't make sense to me. From this site, it says that the overflow string the worm used was…
YazanLpizra
5 votes, 1 answer

Client Certificates

After countless hours of reading I have come to find that mutual authentication via client certificates seemed to be a viable and appropriate solution for the following scenario. I have an ASP.NET MVC Website, call it example.com, with an area…
matt.
5 votes, 2 answers

__VIEWSTATE to Protect Against CSRF

I am not a .NET developer and I am trying to understand how exactly __ViewState protects against CSRF/XSRF attacks. I came across the following: security Stack exchange discussion on similar topic and OWASP Guide to CSRF Protection. I am a…
qre0ct
5 votes, 3 answers

Is it necessary to encrypt an ASP.NET view state hidden field when using SSL certificate?

If you have an SSL certificate for a web site, is it necessary to make the ViewState more difficult to decode? Without any extra development, it appears that ASP.NET encodes it as a base 64 string. I found some sample code to easily decode this…
MacGyver
5 votes, 2 answers

How to determine if ViewState has MAC enabled when crawling a page?

I was using Burp Suite to do some security testing on a site and I noticed that when it detects ViewState it will automatically tell you whether it has MAC enabled. I'm curious if anyone knows of a programmatic way to determine if MAC is enabled if…
Abe Miessler
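The two ViewState questions above (whether a base64 ViewState is readable without the key, and whether MAC presence can be detected programmatically) share one answer in code. The following is an added example, not code from either post: it base64-decodes a __VIEWSTATE value, walks the ASP.NET 2.0+ ObjectStateFormatter object graph for a subset of its tokens, and treats any bytes left over after the root object as the appended MAC, which is the same heuristic proxy scanners rely on. Assumptions: the ViewState is not encrypted (an encrypted one does not show the 0xFF 0x01 header), only the listed tokens occur, and the sample values are constructed here with a stand-in HMAC under a placeholder key rather than a real machineKey.

```python
"""Decode an ASP.NET __VIEWSTATE value and report whether a MAC trailer is present.

Added example. Assumptions: ObjectStateFormatter format (0xFF 0x01 header), no
encryption, token subset below; sample inputs are constructed and their 'MAC'
is a stand-in computed under a placeholder key, not a real machineKey.
"""
import base64
import hashlib
import hmac
import struct

# ObjectStateFormatter token bytes (subset sufficient for typical page state)
T_INT16, T_INT32, T_BYTE, T_STRING = 0x01, 0x02, 0x03, 0x05
T_PAIR, T_TRIPLET = 0x0F, 0x10
T_STRING_ARRAY, T_ARRAYLIST, T_HASHTABLE = 0x15, 0x16, 0x17
T_INDEXED_STRING_ADD, T_INDEXED_STRING = 0x1E, 0x1F
T_NULL, T_EMPTY_STRING, T_ZERO, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68

# Size of the MAC appended when EnableViewStateMac is on, by machineKey validation algorithm
MAC_SIZES = {16: "MD5", 20: "HMACSHA1", 32: "HMACSHA256", 48: "HMACSHA384", 64: "HMACSHA512"}


class ViewStateReader:
    """Minimal reader for the binary object graph; tokens outside the subset raise."""

    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos, self.strings = data, pos, []

    def byte(self) -> int:
        b = self.data[self.pos]
        self.pos += 1
        return b

    def int7(self) -> int:
        # .NET 7-bit encoded int (BinaryReader.Read7BitEncodedInt), wrapped to signed 32-bit
        result = shift = 0
        while True:
            b = self.byte()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result - (1 << 32) if result >= 1 << 31 else result
            shift += 7

    def string(self) -> str:
        n = self.int7()  # length-prefixed UTF-8, as BinaryWriter.Write(string) emits it
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        return s

    def value(self):
        t = self.byte()
        simple = {T_NULL: None, T_EMPTY_STRING: "", T_ZERO: 0, T_TRUE: True, T_FALSE: False}
        if t in simple:
            return simple[t]
        if t == T_INT16:
            v = struct.unpack_from("<h", self.data, self.pos)[0]
            self.pos += 2
            return v
        if t == T_INT32:
            return self.int7()
        if t == T_BYTE:
            return self.byte()
        if t == T_STRING:
            return self.string()
        if t == T_INDEXED_STRING_ADD:      # string written in full and added to the string table
            self.strings.append(self.string())
            return self.strings[-1]
        if t == T_INDEXED_STRING:          # one-byte index into the string table
            return self.strings[self.byte()]
        if t == T_PAIR:
            return (self.value(), self.value())
        if t == T_TRIPLET:
            return (self.value(), self.value(), self.value())
        if t == T_STRING_ARRAY:
            return [self.string() for _ in range(self.int7())]
        if t == T_ARRAYLIST:
            return [self.value() for _ in range(self.int7())]
        if t == T_HASHTABLE:
            table = {}
            for _ in range(self.int7()):
                key = self.value()
                table[key] = self.value()
            return table
        raise ValueError(f"unsupported token 0x{t:02x} at offset {self.pos - 1}")


def analyze_viewstate(b64: str) -> dict:
    """Return the format, the decoded root object and the size of any trailing bytes (the MAC)."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"t<"):            # .NET 1.x LosFormatter text format (base64 starts 'dDw')
        return {"format": "LosFormatter 1.x", "value": None, "trailer_len": None, "mac": None, "mac_alg": None}
    if raw[:2] != b"\xff\x01":
        return {"format": "unknown or encrypted", "value": None, "trailer_len": None, "mac": None, "mac_alg": None}
    reader = ViewStateReader(raw, pos=2)
    root = reader.value()
    trailer = len(raw) - reader.pos          # bytes after the object graph: the MAC, if any
    return {"format": "ObjectStateFormatter", "value": root, "trailer_len": trailer,
            "mac": trailer in MAC_SIZES, "mac_alg": MAC_SIZES.get(trailer)}


def build_sample(with_mac: bool) -> str:
    """Constructed __VIEWSTATE for Triplet("hidden", [Pair("txtUser", "alice"), True, 0], None)."""
    body = (bytes([0xFF, 0x01, T_TRIPLET, T_INDEXED_STRING_ADD, 6]) + b"hidden"
            + bytes([T_ARRAYLIST, 3, T_PAIR, T_STRING, 7]) + b"txtUser"
            + bytes([T_STRING, 5]) + b"alice" + bytes([T_TRUE, T_ZERO, T_NULL]))
    if with_mac:
        # Stand-in trailer: HMAC-SHA1 under a placeholder key; ASP.NET keys this with the machineKey validationKey
        body += hmac.new(b"placeholder-validation-key", body, hashlib.sha1).digest()
    return base64.b64encode(body).decode("ascii")


if __name__ == "__main__":
    for flag in (True, False):
        print(f"MAC enabled sample={flag}:", analyze_viewstate(build_sample(flag)))
```

Two caveats when using this on a real page. A trailer of the right length tells you a MAC is appended, not that it validates; verifying it needs the validationKey. And a ValueError from an unsupported token means the graph uses types outside this subset (arrays, typed objects, control state), so extend the reader rather than trust a trailer count from a partial parse. The decoded root object also answers the first question directly: base64 is an encoding, not encryption, so field names and values are readable to anyone holding the page.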
5 votes, 4 answers

"Forgot my password page" best practice

On a "forgot my password" page, is it appropriate when a user doesn't have an account to display the message "this account doesn't exist"? Or in the interest of security, should I display a success message ("you received an email with a reset password…
nramirez
5 votes, 2 answers

Vulnerable framework and IIS server versions are being displayed in an error page of a 3rd party application

As security tester, I need to report and justify that a security misconfiguration in a 3rd party application is a risk to us. Following is the scenario: 1.) There is a 3rd party application which the customers use to submit their applications to…
5 votes, 1 answer

Secure flag not set to Cookies in .Net MVC application

I have included the below lines of code in my Web.Config and Global.asax.cs files, but still when I use developer tools in the browser I see the secure flags were not set for the below cookies. Also Configured SSLSettings in my IIS (selected checkbox…
Tech Learner
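The question above is settled by what the browser actually receives, not by what web.config intends, so the useful check is an audit of the Set-Cookie headers themselves. The following is an added example, not code from the question: it parses raw Set-Cookie values as a proxy or browser sees them and reports which of Secure, HttpOnly and SameSite each cookie lacks. The header values are constructed and the cookie values are placeholders.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes.

Added example. Input is a list of raw Set-Cookie header values; the sample
headers below are constructed and their cookie values are placeholders.
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a case-insensitive attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True  # flag attributes carry no '='
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "samesite": attrs.get("samesite"),
    }


def audit_cookies(headers: list) -> dict:
    """Map each cookie name to the list of attributes it is missing; an empty list means it passed."""
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if not cookie["secure"]:
            missing.append("Secure")
        if not cookie["httponly"]:
            missing.append("HttpOnly")
        if cookie["samesite"] is None:
            missing.append("SameSite")
        findings[cookie["name"]] = missing
    return findings


# Constructed sample: what a response from an ASP.NET MVC site might set
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=placeholder; path=/; HttpOnly",
    ".ASPXAUTH=placeholder; expires=Tue, 01-Jan-2030 00:00:00 GMT; path=/; HttpOnly; Secure; SameSite=Lax",
    "__RequestVerificationToken=placeholder; path=/; HttpOnly",
    "theme=dark; path=/",
]


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run this against the headers captured from the deployed site rather than a local build, since a setting that is not taking effect (the situation described in the question) is visible only there. On the server side, `<httpCookies requireSSL="true" httpOnlyCookies="true" />` under `system.web` and `requireSSL="true"` on the `<forms>` element are the standard web.config settings for these flags; the audit shows whether they reached the wire.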
5 votes, 1 answer

ASP.NET - why default SecurityStamp validation interval is set to 30 minutes?

I'm currently studying authentication mechanisms in ASP.NET Core and came across SecurityStamp feature, which is known also from ASP.NET Standard. From what I understand from the answer here, this was added to perform sign out from all active…
PJDev
5 votes, 1 answer

ASP.Net Secure Connection String in Cloud Hosting

Background In a normal bare metal hosting (IIS) we can use Integrated Security (eg: with AD) and hence the config entry does not contain the connection string's plain text password. Or we can encrypt the connection string and can use a secure key…
user3496510
5 votes, 2 answers

Security web scanner tool for IIS/SQL Server

I'm trying to do penetration testing of our ASP.NET web-site to check for security loopholes (specifically for SQL injections). We bought a commercial web scanner tool (IBM Rational AppScan), however it only does black box scanning for IIS and fails…
5 votes, 2 answers

When I turn off request validation in asp.net, am I vulnerable?

So I have request validation off in my web application. You can add /foo?=
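Whether turning request validation off makes a page vulnerable depends on what the feature rejects in the first place, which is narrower than its error message suggests. The following is an added example, not code from the question: `is_dangerous_string` is a Python port of the .NET 4 `CrossSiteScriptingValidation.IsDangerousString` logic as published in the reference source (treat the port as an assumption and check it against the framework version you run), and the rest shows which constructed payloads it stops, which pass it untouched, and the output encoding that neutralises all of them regardless of the setting.

```python
"""What ASP.NET request validation actually rejects, and what it lets through.

Added example. is_dangerous_string() is a port of the .NET 4
CrossSiteScriptingValidation.IsDangerousString logic (assumption: matches the
published reference source); payloads are constructed.
"""
import html


def _is_ascii_letter(c: str) -> bool:
    return "a" <= c <= "z" or "A" <= c <= "Z"


def is_dangerous_string(s: str) -> tuple:
    """Return (dangerous, index). Flags '<' followed by a letter, '!', '/' or '?', and '&' followed by '#'."""
    i = 0
    while True:
        candidates = [idx for idx in (s.find("<", i), s.find("&", i)) if idx >= 0]
        if not candidates:
            return False, 0
        n = min(candidates)
        if n == len(s) - 1:           # marker is the last character: nothing follows, not flagged
            return False, 0
        nxt = s[n + 1]
        if s[n] == "<" and (_is_ascii_letter(nxt) or nxt in "!/?"):
            return True, n
        if s[n] == "&" and nxt == "#":
            return True, n
        i = n + 1


def validate_request(params: dict, validation_on: bool) -> dict:
    """Emulate the pipeline: with validation on, a flagged value raises (ASP.NET throws
    HttpRequestValidationException); with it off, the raw value reaches the handler."""
    accepted = {}
    for name, value in params.items():
        dangerous, _ = is_dangerous_string(value)
        if validation_on and dangerous:
            raise ValueError(f"A potentially dangerous Request value was detected ({name})")
        accepted[name] = value
    return accepted


def render(value: str) -> str:
    """Contextual output encoding into an attribute: the control that matters either way."""
    return f'<input value="{html.escape(value, quote=True)}">'


PAYLOADS = {  # constructed
    "script_tag": "<script>alert(1)</script>",
    "attr_breakout": '" onfocus="alert(1)" autofocus="',
    "js_url": "javascript:alert(1)",
    "entity": "&#60;script&#62;",
    "sql": "' OR 1=1--",
    "harmless": "1 < 2 and a & b",
}


def classify() -> dict:
    """Which constructed payloads request validation would reject."""
    return {name: is_dangerous_string(p)[0] for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, blocked in classify().items():
        print(f"{name:14} blocked={blocked!s:5} encoded={render(PAYLOADS[name])}")
```

The classification is the point: the check stops `<script>` and `&#...;` entities but passes attribute-context injection, `javascript:` URLs and SQL injection unchanged, even when it is on. Request validation is therefore a coarse backstop, not a control; with output encoding in views and parameterised queries in data access, switching it off removes little, and leaving it on protects nothing those controls do not already cover. Where only some inputs need markup, `[ValidateInput(false)]` on an MVC action or `[AllowHtml]` on a model property disables it for that input alone instead of globally.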