Code Junkie : .NET

TAM v3.0 beta is live!

anilkr — Tue, 21 Jul 2009 21:33:11 GMT

A new version of threat analysis and modeling tool has been released. This version has significant improvements from previous version as identified in previous posts. You can find more information on the download link and bugs link from TAM 3.0 Beta is Now Live!.

Thanks
RV

Connection String Injection Attack

anilkr — Tue, 21 Jul 2009 00:58:11 GMT

Today I was looking at some new classes in .NET 2.0 and stumbled across DbConnectionStringBuilder class. This class provides compile time checks around building connection strings with user input. If you are constructing connection string dynamically by accepting server name from the user you could be vulnerable to this attack. Here is an example on how to mitigate that using SqlConnectionStringBuilder class.

System.Data.SqlClient.SqlConnectionStringBuilder builder =
  new System.Data.SqlClient.SqlConnectionStringBuilder();
builder["Data Source"] = "(local)";
builder["Integrated Security"] = true;
builder["Initial Catalog"] = "AdventureWorks";
builder["Persist Security Info"] = "false";
Console.WriteLine(builder.ConnectionString);

If you re using user input to create a connection string, you must use this class. Additionally you should perform input validation before passing data to this class. For more information about this class and generic connection string security check the following links.

Connection String Builders (ADO.NET)
Using the SqlConnectionStringBuilder to guard against Connection String Injection Attacks
Securing Connection Strings

Thanks
Anil

AJAX approach to localizing Date Time

anilkr — Fri, 29 May 2009 18:48:42 GMT

I am pretty confident most of you people out there have developed web applications for global use which display date time according to the user’s local time zone. Although it is possible to do this on the server side, it is very efficient and easy to do this on the client side specially on the browser as JavaScript inherently provides Date() object which does UTC to Local conversion.

Imagine you have lot of labels and text boxes which require you to convert UTC date and time to local date and time. With the help of AJAX extenders you can do this on the client side very easily. So I have written an AJAX extender which runs on the client side to do the conversion automatically. When attached to a label or text box it will get the date and time in the control and convert it to the local date and time.

<asp:Label ID="DateLabel" runat="server" Text='<%#Eval("Date") %>' />
<cc2:UTCToLocalExtenderControl ID="UTCToLocalExtenderControl1" runat="server" TargetControlID="DateLabel" DateTimeFormatString="g" />

Majority of the work is being done in the extender behavior.js file.

Thanks
Anil

System.Security.SecureString Part II

anilkr — Thu, 18 Dec 2008 03:11:22 GMT

Second part of the SecreString blog post. Check it out at http://blogs.msdn.com/cisg/archive/2008/12/17/secure-string-in-net-part-ii.aspx.

Thanks
RV

How the Anti-XSS 3.0 SRE Works

anilkr — Tue, 16 Dec 2008 22:03:12 GMT

Published a new blog on how SRE works internally. Kind of a starter course on Anti-XSS SRE code. Check it out at How the Anti-XSS 3.0 SRE Works.

Thanks
RV

Anti-XSS Webcast

anilkr — Wed, 10 Dec 2008 04:13:01 GMT

On January 9th there will be a webcast on technet about Anti-XSS v3.0. This will showcase some of the improvements done to the Anti-XSS library. The webcast registration url is http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032398771&Culture=en-US.

Thanks
RV

Security Deployment Review Tool Webcast

anilkr — Thu, 04 Dec 2008 20:48:07 GMT

Deployment Reviews is a process to check a host for security settings, mostly those affect the applications that are hosted on that. A technet webcast has been scheduled to reveal an automated tool to check for deployment security settings. The webcast is on 12/15/2008 from 10:30 AM to 11:30 AM and the following is the registration link for the webcast.

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032396517&Culture=en-US

Thanks
RV

Oslo M Language

anilkr — Tue, 11 Nov 2008 00:58:26 GMT

The M language is awesome, I have been experimenting with it for quite some time now. it allows you to create models of types in a descriptive language. The idea behind M language is to capture developers intent in a descriptive language for modeling purposes. Additionally, it converts these types into SQL schema for application storage. Imagine if you have a type called Developer you could then create data for the types, write methods for the types etc. All of this will be automatically converted into T-SQL Tables, Views and Functions to be created in SQL Server. Once you have these tables and views, you can use any middle ware to write data to these views. In essence, you no longer need to create sql tables using sql management studio, just create the types in M language and you are good to go. M language syntax also supports LINQ expressions which could be used to write powerful methods which are created as functions in SQL. The following is a sample type, and attached is the SQL code for it which was automatically generated.

module CISGType
{
    type Developer
    {
        FirstName : Text where value.Count <=255;
        LastName : Text;
        ID : Integer32 = AutoNumber();
    } where identity(ID);

    Developers : Developer*
    {
        { FirstName="Anil",LastName="Revuru" },
        { FirstName="Anil", LastName="Chintala" },
        { FirstName="Mark", LastName="Curphey" }
    };
}

As shown in above example you can do bunch load of things with this, you could put constraints on the type members, auto generate identifiers, specify identity columns etc. Check the full list in M Language reference. Here are some more links for M language. If you want to get started look at the PDC 2008 video and download the SDK.

M Grammar in nutshell
M Language Reference
Oslo Developer MSDN Page
Oslo SDK Download
PDC 2008 OSLO video

Thanks
Anil RV

SECURITY Q&A #1

anilkr — Fri, 07 Nov 2008 03:37:11 GMT

From a security perspective what's wrong with this code?

   1: <html>

   2: <head>

   3: <title>Welcome Page</title>

   4: <script language="JavaScript">

   5: function openNewWindow()

   6: {

   7:    window.open('<%=Server.HtmlEncode(Request.QueryString["URL"])%>');

   8: }

   9: </script>

  10: </head>

  11: <body>

  12: Welcome <%=Context.User.Identity.Name %>

  13: <br/>

  14: Click <a href="javascript:openNewWindow();">here</a>

  15: to open the link in new window.  15: </body>  16: </html>

Answer: 2 bugs. I always start with input and see where it is going. We have two inputs here, one is from a query string (line 7) and the other one is from context (line 12). First lets start with line 7, it is very obvious that QueryString data is untrusted so the developer is encoding it using Server.HtmlEncode. But Server.HtmlEncode does not work inside JavaScript as it does not encode all bad characters, thus this is a bug. For more information on what Server.HtmlEncode does check this http://blogs.msdn.com/cisg/archive/2008/08/28/output-encoding.aspx. Second input seems to be benign as it is just username which is usually simple. Wrong, in cases where user registers on the site, and wishes to give any username he wants he could very well put javascript in it which will in turn be returned by Identity.Name. Line 12 also need to be output encoded using AntiXss library.

More AntiXss Library blogs:

What is the Microsoft Anti-XSS Library-

Real World XSS Vulnerabilities in ASP.NET Code

Developer Security IQ

anilkr — Fri, 07 Nov 2008 03:07:42 GMT

There is a very good article on MSDN magazine about security bugs. A good Q&A to determine your security IQ. Check it out at http://msdn.microsoft.com/en-us/magazine/cc982154.aspx.

In this spirit I will try to post some security Q&A specially on web and windows applications.

Security Runtime Engine

anilkr — Fri, 24 Oct 2008 20:12:18 GMT

We have been working on this project for some time now. It is a http module to protect web applications from certain attacks.

http://blogs.msdn.com/cisg/archive/2008/10/24/a-sneak-peak-at-the-security-runtime-engine.aspx

Thanks
RV

System.Security.SecureString in .NET

anilkr — Thu, 09 Oct 2008 00:50:01 GMT

Varun in our team has posted part I of series about SecureString in .NET. Awesome blog entry talks about internal details on how secure strings work in .NET with some samples.

Check it out at http://blogs.msdn.com/cisg/archive/2008/10/08/secure-strings-in-net-part-i.aspx

Thanks
RV

XmlDocument vs XElement Performance

anilkr — Thu, 09 Oct 2008 00:46:40 GMT

I have been using XElement class a lot lately, I was doing some performance tests on this to figure out the difference between this and XmlDocument class and here is what I found.

First of all XElement class is part of .NET Framework 3.5, it was introduced with XML to Linq and is part of System.Xml.Linq namespace. This class has been totally written from scratch to get better usability with LINQ. XElement.Nodes and XElement.Attribtues return IEnumerable which could be easily used to traverse nodes. You can also use them Lambda expressions. For more information on XML to LINQ check http://msdn.microsoft.com/en-us/library/bb387098.aspx.

In my case, I have created a test bench (console application) with two static methods, one uses XMLDocument and the other uses XElement to generate XML. The test case is very simple, iterate through the System assembly exported type, construct a giant XML and save it to a stream. Here is the code for both of the static methods.

   1: //Generates XML using XmlDocument

   2: internal static void GenerateXmlUsingXmlDocument()

   3: {

   4:     MemoryStream ms =new MemoryStream();

   5:     XmlDocument xmlDoc = new XmlDocument();

   6:     xmlDoc.AppendChild(xmlDoc.CreateXmlDeclaration("1.0", "UTF-8", "no"));

   7:     XmlElement assembliesNode = xmlDoc.CreateElement("Assemblies");

   8:     foreach (Type t in Assembly.GetAssembly(typeof(Object)).GetExportedTypes())

   9:     {

  10:         XmlElement assemblyNode = xmlDoc.CreateElement("Assembly");

  11:         XmlAttribute fullTypeName = xmlDoc.CreateAttribute("FullTypeName");

  12:         fullTypeName.Value = t.ToString();

  13:         XmlAttribute isInterfaceName = xmlDoc.CreateAttribute("IsInterface");

  14:         isInterfaceName.Value = t.IsInterface.ToString();

  15:         assemblyNode.Attributes.Append(fullTypeName);

  16:         assemblyNode.Attributes.Append(isInterfaceName);

  17:         assembliesNode.AppendChild(assemblyNode);

  18:     }

  19:     xmlDoc.AppendChild(assembliesNode);

  20:     xmlDoc.WriteContentTo(new XmlTextWriter(ms,System.Text.ASCIIEncoding.ASCII));

  21: }

22:

  23: //Generates XML using XElement

  24: internal static void GenerateXmlUsingXElement()

  25: {

  26:     MemoryStream ms = new MemoryStream();

  27:     XElement assembliesNode = new XElement("Assemblies",

  28:             from Type t in Assembly.GetAssembly(typeof(Object)).GetExportedTypes()

  29:             select new XElement("Assembly",

  30:                 new XAttribute("FullTypeName", t.ToString()),

  31:                 new XAttribute("IsInterface", t.IsInterface.ToString())));

32:

  33:     assembliesNode.Save(new XmlTextWriter(ms, System.Text.ASCIIEncoding.ASCII));

  34: }

If you look at the above code, the XElement code is small and uses LINQ expressions for generating XML. By using the following code, I repeatedly test the amount of time it takes for each method to execute.

   1: Stopwatch sw = new Stopwatch();

   2: for (int index = 0; index < 51; index++)

   3: {

   4:     sw.Reset(); sw.Start();

   5:     Program.GenerateXmlUsingXmlDocument();

   6:     sw.Stop();

   7:     Console.Write("Generation time using XmlDocument " +

   8:         "and XElement: " + sw.ElapsedMilliseconds);

   9:     sw.Reset(); sw.Start();

  10:     Program.GenerateXmlUsingXElement();

  11:     sw.Stop();

  12:     Console.WriteLine(" : " + sw.ElapsedMilliseconds);

  13:     //Forcing the Garbage Collector to run to make sure,

  14:     //We dispose of all the types we created on the

  15:     //Managed heap.

  16:     GC.Collect();

  17: }

  18: Console.ReadKey();

From the above code, you can see that I am testing each method for 50 times. Additionally, after each test, I explicitly call Garbage Collector to clean up objects created by two methods. Now Here is the screen shot of the output.

You can see very clearly, the huge difference in the time it takes to create XML. The difference seems to vary from 6x to 10x times. Specially, this is very important in ASP.NET applications and Web Services where every millisecond counts. One more thing to note that XElement is part of System.Xml.Linq.dll which is part of .NET Framework 3.5, but still uses .NET 2.0 CLR, thus technically you can use a local copy of System.Xml.Linq.dll within your application in cases where you are missing .NET 3.5. But, you will loose all goodness of updations and service packs by the .NET team.

Thanks
Anil RV

AntiXss Encoding and ASP.NET Data Binding

anilkr — Wed, 01 Oct 2008 21:23:45 GMT

It's been a while since I posted my last blog entry. This time it is on few ASP.NET data binding scenarios and how you should use AntiXss encoding. Very important for ASP.NET developers. Check it out on our team blog at http://blogs.msdn.com/cisg/archive/2008/10/01/asp-net-data-binding-and-antixss-encoding.aspx

Anil RV

HTML Encoding of ASP.NET Controls

anilkr — Wed, 17 Sep 2008 20:43:12 GMT

Ever wonder which controls need HTML encoding, this is a developer nightmare. We have looked at some common controls that most of developers use and determined which properties need HTML encoding.

I have posted the blog entry on our team site, check it out at http://blogs.msdn.com/cisg/archive/2008/09/17/which-asp-net-controls-need-html-encoding.aspx

Thanks
RV