Tuesday, 25 September 2012

ASP.NET Web Forms Application Paths Related

This article lists all the application-path related properties on the ASP.NET Web Forms Request object together with their values. The test results below are based on this scenario: a locally hosted IIS site named VirtualSite; we first request http://localhost/VirtualSite/Redirect/dummy.aspx, and an HttpModule redirects the request to http://localhost/VirtualSite/Redirect/Redirect.aspx. The request carries the query string "a=1&b=2&c=3". So here it is:

Request property                        Value
ApplicationPath                         /VirtualSite
AppRelativeCurrentExecutionFilePath     ~/Redirect/Redirect.aspx
CurrentExecutionFilePath                /VirtualSite/Redirect/Redirect.aspx
FilePath                                /VirtualSite/Redirect/Redirect.aspx
Path                                    /VirtualSite/Redirect/Redirect.aspx
QueryString                             {a=1&b=2&c=3}
RawUrl                                  /VirtualSite/Redirect/Dummy.aspx?a=1&b=2&c=3
Url.AbsolutePath                        /VirtualSite/Redirect/Redirect.aspx
Url.AbsoluteUri                         http://localhost:25739/VirtualSite/Redirect/Redirect.aspx?a=1&b=2&c=3
Url.Authority                           localhost:25739
Url.DnsSafeHost                         localhost
Url.Host                                localhost
Url.LocalPath                           /VirtualSite/Redirect/Redirect.aspx
Url.OriginalString                      http://localhost:25739/VirtualSite/Redirect/Redirect.aspx?a=1&b=2&c=3
Url.PathAndQuery                        /VirtualSite/Redirect/Redirect.aspx?a=1&b=2&c=3
Url.Port                                25739
Url.Query                               ?a=1&b=2&c=3
Url.Scheme                              http

Because of the redirect, as you can see, only RawUrl still contains the very original request; every other value, even Request.Url.OriginalString, reflects the redirected URL.

Thursday, 6 September 2012

Do not mix using HtmlTextWriter and WebControl itself to set its attributes

Have a look at the simplified code below first. The code is inside a ButtonControl class (assume there is no null reference exception for the CssClass property).


What does it do? First, in the Render method we set the class attribute to "Disabled" if the Enabled property is false. Later, when the AddAttributesToRender method fires during base.Render(), it attaches more CSS classes to the web control. All looks good, right? No. It won't work when Enabled == false.

Why? First check what base.AddAttributesToRender() on line 16 does. The AddAttributesToRender method copies every single attribute from the web control into the HtmlTextWriter for page rendering later. If an attribute with that name already exists in the HtmlTextWriter, the new value is discarded so that the existing value is not overwritten. This rule doesn't apply to the Style attribute: for Style, the value is appended to the end of the existing style string.

OK, in our case when Enabled == false, since we have already set the Class attribute to "Disabled", no matter how many other CssClass values are assigned directly to the web control, those values are discarded when base.AddAttributesToRender() is called.

So here is my simple advice: see the title of this article. Since we can always set attribute values at the web control level, there is no need to touch the HtmlTextWriter under any circumstances.

Friday, 20 April 2012

Uhuru Cloud - My First App

I recently had a chance to test a newly released cloud service provided by Uhuru. The service is named Uhuru .NET Services for Cloud Foundry, and you can find all the information about it on the Products page of the Uhuru website.

Uhuru Cloud supports Java, .NET, PHP and other web applications, but I'd like to start with the simplest one: my company website, a single HTML/JS web page.

To deploy an app to Uhuru Cloud you need to install either an MMC (Microsoft Management Console) snap-in or the Uhuru Visual Studio plugin. I chose the MMC because the multi-page user guide for installing the Visual Studio plugin is quite scary. Uhuru provides a very detailed PDF document to help with deploying an app through the MMC, and the whole process is very straightforward.

One thing worth mentioning: when you push your app to Uhuru Cloud Foundry, it automatically identifies the suitable framework and runtime version for your app. In my case, since it is just an HTML/JS site, Cloud Foundry treats it as a PHP app (fair enough; compared with Java and IIS, PHP hosting costs less). After a couple of mouse clicks and filling in one small Windows form, my first app is officially online. See here: wandj.uhurucloud.net

Saturday, 24 March 2012

Cheat Sheets for Web Development you must have

The original article is from: Cheat Sheets for Web Development you must have. Here I only copy those I am familiar with, as a backup.

Monday, 2 January 2012

Tips of securing your ASP.NET MVC3 application

Tip 1, Always encode user-supplied content before showing it on a web page. You can do this simply by using Html.Encode() for element content (innerHTML), Html.AttributeEncode() for attribute values and Url.Encode() for values placed in href links.

You should know that code expressions in Razor are implicitly HTML encoded, so in the cases where you do need to render an HTML value that must not be HTML encoded you can use the Html.Raw() method to ensure that the value is not encoded. BUT by doing so you have thrown the door open to evil.

Tip 2, Always JavaScript encode user input values in your JavaScript code. You can use Ajax.JavaScriptStringEncode() to do this. The reason is that the HTML encode methods mentioned in Tip 1 cannot fully stop XSS attacks: HTML encoding leaves JavaScript hex escape sequences such as \x3c untouched, but the browser's JavaScript engine decodes them when the string is evaluated. Therefore an attacker may use your JS code to pass a hex-escaped string into a DOM object, the string is converted back into markup and JavaScript code, and it hurts you. Have a look at the code below:

    <div id="test">Text here is supposed to be replaced</div>
    <script type="text/javascript">
        $(function () {
            $("#test").html(
                '@Html.Encode("\\x3cscript\\x3e alert(\\x27oops\\x27) \\x3c/script\\x3e")');
        });
    </script>

Copy the code into your Razor page and run it; you will see an alert message saying "oops".

Tip 3, Follow the principles listed below to prevent CSRF attacks (if you don't know what CSRF is, please google it).

  • First things first, you need to follow Tips 1 and 2 to make your site XSS-proof
  • Always use POST instead of GET to submit data changes
  • Validate the HTTP Referer by checking HttpContext.Request.UrlReferrer to see whether the client that posted the data really came from one of your site's pages
  • Put token verification in your form. Use Html.AntiForgeryToken() to create a hidden token value in the form, and in the related controller action use the ValidateAntiForgeryToken attribute to check that the token matches

Tip 4, Protect your redirection URLs against open redirection. The ASP.NET MVC 3 template includes code in its AccountController that protects against open redirection attacks after a user successfully logs on. You need to do the same thing in other places where a URL redirection may occur.
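The controller below, an example added here rather than the MVC 3 template's own code, puts Tip 3 (POST-only actions, anti-forgery token, a same-site referrer check) and Tip 4 (redirect only to local URLs via Url.IsLocalUrl) together in one hypothetical LogOn action; LogOnModel is assumed to be the model the MVC 3 template generates, with UserName, Password and RememberMe.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical AccountController (added example, not the MVC 3 template's own code).
public class AccountController : Controller
{
    // GET: the view calls @Html.AntiForgeryToken(), which emits the hidden field
    // that must match the __RequestVerificationToken cookie on the POST.
    public ActionResult LogOn(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // Tip 3: state changes accept POST only, and the anti-forgery token is verified
    // before the action body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        // Tip 3: referrer check as a second, weaker layer. Assumption: a missing
        // Referer header is rejected; relax this if clients you support strip it.
        if (!IsSameSiteReferrer())
        {
            return new HttpStatusCodeResult(403);
        }
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            // Tip 4: only follow returnUrl when it is local to this application;
            // Url.IsLocalUrl rejects absolute URLs and protocol-relative ones like //evil.example.
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    private bool IsSameSiteReferrer()
    {
        Uri referrer = Request.UrlReferrer;
        return referrer != null
            && string.Equals(referrer.Host, Request.Url.Host, StringComparison.OrdinalIgnoreCase);
    }
}
```

The anti-forgery token is the check to rely on; the referrer comparison only adds defence in depth, since some browsers and proxies omit the header.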

Tip 5, Use AuthorizeAttribute to require a logged-in user or a role membership. AuthorizeAttribute can be applied at the action level or the controller level. You can use FormsAuthentication.SetAuthCookie() to keep the user's login information in an HTTP cookie, and it can be read through User.Identity.IsAuthenticated in the requested controller.

Tip 6, Use ValidationAttribute to perform view-model level data validation automatically. Most of the ValidationAttributes support client-side validation when the related jQuery library files are included, which is a huge benefit for us developers.

Tip 7, Prevent over-posting through the ASP.NET MVC 3 model binding feature, which can give an attacker the opportunity to populate model properties you didn't even put on your input forms. You can use BindAttribute to specify the names of the properties that allow automatic model binding. Alternatively you can do manual data binding by calling the UpdateModel() or TryUpdateModel() methods in the controller.

Still another way to deal with over-posting is to avoid binding directly to the data model. You can do this by defining a view-model class that holds only the properties you want to allow the user to set.
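As an added example (not the page's own code) for Tip 7, the hypothetical controller below shows the over-posting hazard on a UserProfile entity with an IsAdmin flag that never appears on the edit form, next to the two framework-level fixes the tip names: a Bind include list and TryUpdateModel with named properties. The Repository class is a constructed in-memory stand-in for the real data layer.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical entity; IsAdmin is never rendered on the edit form (added example).
public class UserProfile
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// Constructed in-memory store standing in for the real data layer.
public static class Repository
{
    private static readonly Dictionary<int, UserProfile> Store = new Dictionary<int, UserProfile>();
    public static UserProfile Load(int id) { return Store[id]; }
    public static void Save(UserProfile p) { Store[p.Id] = p; }
}

public class ProfileController : Controller
{
    // Over-posting: the default binder sets every public property it finds in the request,
    // so an extra IsAdmin=true form field or query parameter is applied silently.
    [HttpPost]
    public ActionResult EditUnsafe(UserProfile profile)
    {
        Repository.Save(profile);
        return RedirectToAction("Index");
    }

    // Fix 1: whitelist the bindable properties; anything else in the request is ignored.
    [HttpPost]
    public ActionResult EditWithBind([Bind(Include = "DisplayName,Email")] UserProfile profile)
    {
        Repository.Save(profile);
        return RedirectToAction("Index");
    }

    // Fix 2: load the stored entity and bind only the named properties onto it,
    // so IsAdmin keeps its persisted value whatever the request contains.
    [HttpPost]
    public ActionResult EditWithTryUpdate(int id)
    {
        UserProfile profile = Repository.Load(id);
        if (!TryUpdateModel(profile, new[] { "DisplayName", "Email" })) return View(profile);
        Repository.Save(profile);
        return RedirectToAction("Index");
    }
}
```

The view-model approach from the text has the same shape as EditWithTryUpdate, with the action taking a small view-model parameter and copying its fields onto the loaded entity by hand.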