Sunday, April 17, 2011
Cross Site Request Forgery Attack
A cross-site request forgery attack consists of tricking a user into unknowingly sending a request, say, one that transfers funds to the attacker's account.
Formal Definition:
"[CSRF] is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts"
~Wikipedia
AKA (Also Known As):
One-click attack
Session riding
Abbreviated as:
CSRF or XSRF (pronounced "sea-surf")
Difference from XSS (Cross-Site Scripting):
Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
To understand how it works, we first need to understand the concept and working of cookies and session.
Cookies:
If the user has cookies enabled in his/her web browser, then when the user makes a request to a web server (that is, accesses a web site) the server can store information in a small piece of text called a cookie, which the browser keeps and sends back with later requests to that server.
This cookie is thereafter used to identify this user uniquely.
Session:
A session is another way to identify users uniquely. If you have worked on ASP.Net applications you will know that values that need to be stored for a particular user are added to the Session. Each session is uniquely identified by an ID called the Session ID.
When a user makes a request to an application that uses sessions, and the user has cookies enabled, the generated Session ID is stored in a cookie. Every subsequent request sends this Session ID to the server, which uses it to identify the user. This way the user does not need to authenticate himself/herself for each request.
Once the user's session has been assigned an ID, that ID is returned to the server with every request. However, if the time elapsed between two requests exceeds the timeout value, the session is said to have expired and the user will have to identify himself/herself again (for example, by logging in again) to continue using the web site.
How does CSRF work?
Consider the following scenario:
1. You are logged into your internet banking account.
2. Simultaneously you are also checking out a forum.
3. Let's say you click on an innocent looking link on the forum.
4. Though this link "looks" innocent, it actually isn't. In fact, it sends a funds transfer request of, say, Rs. 1000 destined for the attacker's own account.
5. How is this possible?
It is possible if the internet banking website does not have a multi-step funds transfer process, or, even if it does, if the last step (where the funds are actually transferred to the destination account) does not check that the previous steps were performed and simply transfers the funds without verifying the user sending the request. Here the site blindly trusts the Session ID sent by the client browser (through the cookie) to authenticate the user, and the browser attaches that cookie to the request even though the link was clicked on a different site.
How does the hacker know the web page of the final step?
Simple. The hacker may also have an internet banking account and has therefore noticed the link of the funds transfer page, and also that the amount and destination account number are part of the link. For example, the link may look something like:
www.internetbanking.com/funds/amount=1000&account=123567890
(Normally, web sites that provide features involving money transactions, or that handle any type of crucial information, should never make even minor fields like the amount a part of the URL.)
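To make the trust problem concrete, here is an added Python example (not code from the post): a simulated final transfer step that trusts the Session ID cookie alone, beside a hardened version of the same step. The request class, the session store, the HMAC-based anti-forgery token and the POST/Origin checks are all assumptions of this example, not something the post describes.

```python
import hashlib
import hmac
import secrets

# Constructed for this demo: a server-side secret and a session store
# mapping Session ID cookie values to logged-in users.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-7f3a": "alice"}


class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical)."""
    def __init__(self, method, cookies, params, headers=None):
        self.method, self.cookies, self.params = method, cookies, params
        self.headers = headers or {}


def vulnerable_transfer(req):
    """Final step as the post describes it: the Session ID cookie alone is
    trusted, so a GET link planted on a forum is honoured."""
    user = SESSIONS.get(req.cookies.get("SessionID"))
    if user is None:
        return "unauthenticated"
    return ("transferred", user, int(req.params["amount"]), req.params["account"])


def issue_token(session_id):
    """Anti-forgery token bound to the session: HMAC(secret, session id).
    The bank's own page embeds it in the transfer form as a hidden field,
    which a page on another site cannot read."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_transfer(req, site_origin="https://www.internetbanking.com"):
    """Same step with three checks: POST only, Origin must match the site
    when the header is present, and the token must match the session's."""
    session_id = req.cookies.get("SessionID")
    user = SESSIONS.get(session_id)
    if user is None:
        return "unauthenticated"
    if req.method != "POST":
        return "rejected: state change must use POST"
    origin = req.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return "rejected: cross-origin request"
    expected = issue_token(session_id)
    if not hmac.compare_digest(req.params.get("csrf_token", ""), expected):
        return "rejected: missing or wrong anti-forgery token"
    return ("transferred", user, int(req.params["amount"]), req.params["account"])
```

The forged request in the post's scenario carries the cookie but no token, so the hardened step rejects it while the vulnerable one transfers the money.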
So, here's a small introduction to CSRF.
Saturday, April 16, 2011
Data Transfer Objects
While writing software there can be a need for any or all of the following:
- Transferring data across applications/boundaries/network
- Sending a long list of parameters to a function
- Returning multiple objects
Problems:
- When you communicate over a network, multiple calls may be involved in order to accomplish a single task.
- Sending a long list of parameters may incur unnecessary errors, as the developer might make a mistake in giving input parameters.
- Although returning multiple objects is possible through the "out" parameter, a long list of "out" parameters is cumbersome.
When faced with such a dilemma it is wise to use a design pattern called a "Data Transfer Object".
MSDN describes DTO as:
A DTO is a simple container for a set of aggregated data that needs to be transferred across a process or network boundary. It should contain no business logic and limit its behavior to activities such as internal consistency checking and basic validation. Be careful not to make the DTO depend on any new classes as a result of implementing these methods.
From the above definition we gather that a DTO:
- may be a simple class with properties exposed.
- may contain only basic validation code.
- should not contain any business logic.
MSDN also gives two possible ways of writing DTOs:
- Writing Custom Classes: Let's say you have an application that requires login. Applications with login normally have a user object with properties like User Name, Password, Creation Date, Permissions etc. This information is normally validated against a database, but it is also possible that the data is required from different sources.
Whatever the case, the user object remains the same. Remember that Data Transfer Objects do not contain any business logic, therefore, it does not make any difference from where the data is obtained. You simply need to create a class with properties for User Name, Password, Creation Date, Permissions etc.
- Using Collections:
Let's say you need to invoke a Web Method that would require sending a long list of parameters. In this case you can change the signature of the web method so that it expects one ArrayList (or any other collection) instead of a list of parameters.
Here you simply have to create a collection object (System.Collections in .Net) and fill the required values into the collection.
The disadvantage of this approach is that each parameter/field loses its actual data type. You have to add all the required fields after casting them to a particular data type, say Object or string, and this requires casting them back to their original data types later on, which may introduce errors.
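As an added Python example (not from the post or the MSDN article): a dataclass standing in for the custom-class DTO with only basic validation, beside the collection approach, where every field arrives as a string and is cast back by position, so a misordered list only fails at cast time. The UserDto name and its fields are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class UserDto:
    """Custom-class DTO (hypothetical): typed fields, no business logic."""
    user_name: str
    password: str
    creation_date: date
    permissions: tuple

    def validate(self):
        """Basic internal consistency checking, the only behaviour a DTO should carry."""
        errors = []
        if not self.user_name.strip():
            errors.append("user_name is empty")
        if self.creation_date > date.today():
            errors.append("creation_date is in the future")
        return errors


def dto_from_collection(values):
    """Collection approach: the web method received one list of strings, so
    every field lost its type and must be cast back by position. A misordered
    or malformed entry only shows up here, at cast time."""
    try:
        user_name, password, creation_date, permissions = values
        dto = UserDto(str(user_name), str(password),
                      date.fromisoformat(creation_date),
                      tuple(permissions.split(",")))
    except (ValueError, TypeError) as exc:
        return None, f"cast failed: {exc}"
    return dto, None
```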
Referenced Links:
http://msdn.microsoft.com/en-us/library/ms978717.aspx
Saturday, April 2, 2011
Calibre Ebook Management
In order to read a book on an iPod/iPhone, the book needs to be in a format called ePub. Calibre is a program that converts ebooks between different formats.
- Download Calibre
- Install Calibre on your PC.
- Add your ebooks to Calibre (in any format: PDF, .lit, etc.)
- Convert them to ePub Format
- Simply transfer the books from Calibre to your device.
Not all ebooks come with a cover page. To change that, edit the metadata of your book and either let Calibre search for the cover page, provide your own or enter the ISBN code and give Calibre another chance to search the cover page.
(I usually search the book on Amazon.com and enter the ISBN code given there.)
Applications with a Touch
We are all aware of the common iPod touch/iPhone applications like Fring, Nimbuzz etc. But how many of us are aware of the other more interesting applications to save the day?
Below is a list of a few applications which can help you pass an exam, polish your vocabulary or some just plain-ol fun apps.
AccelaStudy:
Planning to give SAT/GRE exams or simply looking for improving your vocabulary?
Accela Study might just be what you need.
Features:
- The free version offers 100 useful words with the option to learn the words using the “study” or “flashcard” option.
- The flashcard option gives the word and its meaning only. While the study option allows you to learn the word’s synonyms, hence giving you a chance to further enhance your vocabulary.
- The study option also gives an example sentence so that the usage becomes clear to the learner.
- Both the options come with the feature of hearing the pronunciation which is a great plus if it’s not just an exam that you are targeting.
- You can also create your own study sets of selected words.
- Moreover, you can test yourself with the “Quiz” feature.
- If you like the free version you can proceed to buying more enhanced versions of vocabulary builder by AccelaStudy.
Dictionary:
Need a dictionary on your device for when you have to look up the meaning of a difficult word? Why not install the application of our favorite online dictionary?
The best thing about it is that you don’t need an internet connection for searching up words and their meanings. But you do need to be connected when you wish to use “Word of the Day” or hear the pronunciation of a word.
I usually read ebooks on my iPod touch and to find the meaning of any unknown word I consult this application. When I get done with reading I switch to the “Recent” tab to revise the words.
iBooks:
A lot of ebook reading applications are available where you can find a few free books as well.
iBooks is one such application and has been designed by Apple. But you have to buy books from iBookStore or transfer it in some way to your iPod/iPhone.
It has a catchy bookshelf interface, with the stored books nicely placed face-up on the shelf. But the effect that really grabs attention is the slick page-turning effect, which gives you a feel that you are actually reading a book and turning physical pages. To add to this feeling, the application lets readers bookmark a page. (More than one bookmark can be added.)
Moreover, just like you will highlight or write small notes on a book, the same can be accomplished in iBooks with a few taps here and there.
Plus there are a few more features which are not a part of our traditional non-ebooks and these are changing fonts and switching background between Sepia and normal. Another interesting feature you wish you can have with hardbound books is the ability to search words/phrases in the book.
So, fix the brightness in accordance with the time of the day, change the background and font style in accordance with your mood and you are all set for a journey to the world of ebooks wonderland.
Enough about all the “parhakoo” type applications, let’s turn to some fun apps.
Reader’s Digest Jokes and Funny True Stories:
We’ve all enjoyed Reader’s Digest’s “Laughter is the best medicine” and “All in a Day’s work” columns. Then why not have them installed on your device to lift your spirits and lighten your mood in dull moments?
The application claims to have a collection of 1000 funny true stories and jokes (I never bothered to count and confirm their claim to fame) skillfully organized into 13 categories.
55,000 Amazing Quotes:
Yet another application to inspire or make you smile is the 55,000 Amazing Quotes.
The application opens up with the search feature where you can search by author, category or keyword. If you are in the mood to simply read a few quotes without anything particular in mind, tap the “Random” button. You have the option to select from six different backgrounds and mark your favorite quotes.
You can also add your own favorite quotes to the 55K collection.
Enjoy these applications and use your iPod touch or iPhone to the max.