Murat Odabasi

Sharepoint 2013 Document Library Drag&Drop feature requirements

2013-04-16T15:28:00Z

One of the coolest new feature of Sharepoint 2013 is drag&drop functionality when uploading a file from your computer to a sharepoint library. But this has some limitations. Html 5 capable browser has this feature by default so if you have internet explorer 10 you can use it by default. But if you are using ie 8.x or 9.x you do not have this functionality by default. You need an activex control named SharePoint DragUpload Control. In order to have this add on you need to install Office 2013 or installing sharepoint designer 2013 also does the job for you. So if we summarize these browsers

Internet Explorer 10
Internet Explorer 9 with Office 2013 or Sharepoint Designer 2013 installed
Internet Explorer 8 with Office 2013 or Sharepoint Designer 2013 installed
FireFox 3.5 (or later)
Chrome and Safari 5.x (or later)

will do the job for you.

Unable to view Sharepoint Web application General Settings

2012-12-28T15:27:00Z

If you try to open general settings of a web application in sharepoint and get an error "Updates are currently disallowed on GET requests. To allow updates on a GET, set the 'AllowUnsafeUpdates' property on SPWeb.”

You can try this script from powershell.

$myweb = get-spwebapplication http://nameofproblemwebapp
$myweb.HttpThrottleSettings
$myweb.Update()

Failed to install the product: Drive Name:\global\oserver.msi error code: 1603(0x643) error when installing sharepoint 2013

2012-12-28T15:20:00Z

Today when installing a virtual development environment for Sharepoint 2013 I got

"SharePoint Server 2013 encountered an error during setup"

error. When I checked the details of the error in error log file

I found an entry

"Failed to install the product: c:\global\oserver.msi error code: 1603(0x643) error when istalling sharepoint 2013"

I tried many different things but the solution was very interesting:) Virtual machine was using just one CPU. After increasing the processor on virtual machine from 1 to 4 magic happened and installation finished successfully.

How many lines of code do i have?

2012-08-28T14:31:19Z

I am doing code reviews from time to time to my customers. When asking how lines of code do they have generally they do not know how to find it with an easy way.

Visual studio 2012 and 2010 has a cool feature called code metrics which you can use under analyze tab or just by right clicking the solution.

Code metrics results shows you how many lines of code do you have. Also this report has some useful info that may help you. The maintability index ratio is calculated by a formula using Cyclomatic Complexity and lines of code. Bigger ratio means easier maintability. There is also a color in front of it which means

Green High Maintainability Between 20 and 100

Yellow Moderate Maintainability Between 10 and 20

Red Low Maintainability Between 0 and 9

Cyclomatic complexity measures the structural complexity of the code. High number for cyclomatic complexity indicates that the code may be too complex, and should be refactored.

Depth of inheritance indicates the number of class definitions that extend to the root of the class hierarcy.

Class coupling indicates the total number of dependencies that a class has on other classes.

Secure Coding Basics

2012-05-04T10:03:00Z

Most developers are reluctant to take the responsibility in security and assume that this is the job of web administrators and network engineers. You may have best infra in terms of security but if your developers are not writing secure code your system can easily be hacked.

Security is a broad concept but I just want to give some simple examples and speak about best practices in secure code writing.

First of all there is no fully secured system. If you want a fully secure system just turned off the serverJ
What is our job in terms of security is making the attack surface smaller and making our systems much more secure. We should also keep in mind that security is an ongoing process and we should continuously review our applications in terms of security.

Let's speak on some of the well known attack technics with examples;

Sql Injection

SQL Injection happens when a malicious user manipulates the data input in such a manner to perform other operations against the database or any resource in the server. Think that we have a webpage asking for username and password and after validating this username and password we are authenticating the user.

My sql query is ;

string strQry = "SELECT Count(*) FROM M_USERS WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";

If the count is more than 0 this means password is correct and in normal scenario I will have a query like this

SELECT Count(*) FROM M_USERS WHERE UserName = 'KORFEZ' AND Password= 'pswd';

But fraud login scenario an attacker can use such values and change the query

SELECT Count(*) FROM M_USERS WHERE UserName='KORFEZ' Or 1=1 --' AND Password='XXXX

1=1 everytime and return of this query is more than 0 everytimeJ Attacker is in…

Take another example ;

This is a car passing through an automatic passing system (which is reading plate numbers) with a manipulated plate numberJ and dropping the database. This is just for humor but if you were the victim of such an attack it would not be funny for youJ

Cross Site Scripting (XSS)

XSS exploit vulnerabilities in web page validation by injecting client-side script code into a vulnerable application.

Let's continue with an example

This is an internet banking webpage to transfer money to another customer. I am adding a javascript to the description textbox.

When the victim customer wants to see his/her transactions, an alert pops-up

You may think that this is just a simple alert but I can also write a script which pops-up a site and send session id of the user and hijack user's session.

There are more attack technics but what can we do in order not to be the victims of such attacks.

Adopt the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task. Processes that run script or execute code should run under a least privileged account to limit the potential damage that can be done if the process is compromised.

Don't trust user input. Applications should thoroughly validate all user input before performing operations with that input. The validation may include filtering out special characters. This preventive measure protects the application against accidental misuse or deliberate attacks by people who are attempting to inject malicious commands into the system.

Don't rely on security by obscurity. Trying to hide secrets by using misleading variable names or storing them in odd file locations does not provide security. In a game of hide-and-seek, it's better to use platform
features or proven techniques for securing your data.

Assume external systems are insecure. If you don't own it, don't assume security is taken care of for you.

Reduce surface area. Avoid exposing information that is not required. By doing so, you are potentially opening doors that can lead to additional vulnerabilities. Also, handle errors gracefully; don't expose any more information than is required when returning an error message to the end user.

Fail to a secure mode. If your application fails, make sure it does not leave sensitive data unprotected. Also, do not provide too much detail in error messages; meaning don't include details that could help an attacker exploit a vulnerability in your application. Write detailed error information to the Windows event log.

Remember you are only as secure as your weakest link.
Security is a concern across all of your application tiers.