By -
Canonicalization issues

ASP.NET 1.1 has an issues known as canonicalization issue. In fact canonicalization is the process by which all equivalent forms of a name were mapped to a standard unique name which is thus called the canonical form.

According to Netcraft The security hole involves a bug in ASP.NET's handling of URLs, so taht if a visitor to an ASP.NET site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass authentication screens. The technique may also work if a space is subsituted for the slash.It also apparently allows authenticated users to bypass password protection on administrative areas of a site.

But Microsoft published a pretty nice article in it's knowledge base which shows "how to bypass the issue".

Remember that after being authenticated by an ASP.NET form we usually create an authentication cookie which contains users credential and others importants information (like roles informations).

In Application_BeginRequest we can analyze the url information to cope with the issue: this is an example published by Microsoft.

void Application_BeginRequest(object source, EventArgs e)
{
if (Request.Path.IndexOf('\\') >= 0 System.IO.Path.GetFullPath
(Request.PhysicalPath) != Request.PhysicalPath)
{
throw new HttpException(404, "not found");
}
}

Comments

Post a Comment

Popular posts from this blog

By -
We are taking off for a new adventure in development: It's about developing a framework which will enable us to persist our business objects into databases, file systems or xml file system. STEP 1: CREATING A BUSINESSOBJECT ATTRIBUTE namespace ORMCore { /// /// This attribute is used to enable the ORMFramework /// to create an associate table on the RDBMS /// [ AttributeUsage(AttributeTargets.Class, AllowMultiple = false)] public class BusinessObjectAttribute:Attribute { private string _databaseName; public string DatabaseName { get { return _databaseName; } } private string _databaseConnexionString; public string DatabaseConnexionString { get { return _databaseConnexionString; } } public BusinessObjectAttribute(string databaseName) { this._databaseName = databaseName; } public B
Read more
By -
Image
Sql Server adapters for Biztalk Server One of the greatest difficulties I found when I started working with BizTalk 2004 was the lack of documentation about the SQL Adapter. In this article, I'm going to demonstrate how we can use this adapter in an Orchestration of BizTalk. The Example To build this example, we're going to use the Northwind database. We're going to simulate a hypothetical situation where we receive an XML message as a file, containing the order number, a customer ID, and the date of the order. In the orchestration, we will use SQL Server to search the additional information about the customer, using the SQL Adapter. Creating the Project We'll start this article by creating a new BizTalk Server project in Visual Studio. In the Visual Studio .NET menu, select the "New Project" option, and for the type of project, select "BizTalk Projects". Select the template "Empty BizTalk Project" and create a project named OrderManager.
Read more
By -
Writing effective adapters for Biztalk Server Introduction Many people, both within Microsoft and in third-party companies, have written successful adapters for Microsoft® BizTalk® Server. This task can be difficult, and this paper is intended to present some of the "tricks of the trade" that these developers have learned, in the hope that these will help others avoid common problems. This document is structured as a set of issues that programmers face when writing adapters, and provides guidelines for resolving these issues. These guidelines can be read in any order, although you may find that reading the whole document first will make the individual guidelines easier to understand. Effective Writing for Adapters Much of the complexity in writing adapters for BizTalk Server is centered on the problems of batched operations and that is what we will look at first. Operations, Messages, Batching, and Transactions Adapters commonly support sending messages to and receiving messa
Read more