This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.

Monday, 14 December 2009

Preventing an error 403 ever reaching the client

I was put in the strange position of having to prevent an ASP.NET web application from sending an HTTP 403 error to the client.  This followed 'security recommendations from the experts' that a 403 confirms to an attacker that they have identified part of the file structure.

Anyway this is how I managed to do it.

Add an Application_Error method to Global.asax which directs the user to a known page:

   protected void Application_Error(object sender, EventArgs e)
   {
       // Every unhandled exception, including the one raised when the
       // non-existent custom error page is requested, ends up here.
       Response.Redirect("Default.aspx");
   }

and configure the IIS custom error page for 403 to point at a page that does not exist.  The name will show up in the logs, so choose something recognisable like /AttemptToAccess403.aspx.

When the server encounters a 403 it looks up the non-existent page, which raises an error inside the application.  That error is caught by the Application_Error method, which sends the user to a valid page (Default.aspx).  To the user this is invisible, but the server has logged the attempt to reach the directory (the 403) as an attempt to access /AttemptToAccess403.aspx, and a 403 is never propagated to the client, which satisfies the security requirement.  Note that this Application_Error catches every unhandled exception, not just the 403 detour, so any genuine fault in the application is also turned into a quiet redirect to Default.aspx unless it is logged first.
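The same detour with the two gaps above closed: only the request for the sentinel page is swallowed, the event is logged on the application side as well as in the IIS log, and the redirect does not abort the worker thread. This is an added example written for this page, not the original post's Global.asax; the sentinel path is the one named in the post, Default.aspx is the known page from the post, and the assumption is that IIS is configured to serve the custom error as a URL so the path ASP.NET sees is the sentinel.

```csharp
// Global.asax.cs (added example, not the post's original code)
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // Path configured in IIS as the custom error page for 403. It must not
    // exist on disk: the request for it is what raises the exception below.
    private const string Sentinel = "/AttemptToAccess403.aspx";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        HttpException httpEx = ex as HttpException;
        string path = Request.Url.AbsolutePath;

        bool isSentinel = httpEx != null
            && httpEx.GetHttpCode() == 404
            && string.Equals(path, Sentinel, StringComparison.OrdinalIgnoreCase);

        if (!isSentinel)
        {
            // Anything else is a genuine fault: leave it to customErrors /
            // the default handler rather than quietly turning it into a 200.
            return;
        }

        // Keep an application-side record as well as the IIS log entry.
        // Request.RawUrl keeps the query string; IIS may append the original
        // URL there when the custom error is configured as a URL (assumption).
        Trace.TraceWarning("403 detour: client {0} requested {1}",
            Request.UserHostAddress, Request.RawUrl);

        // Mark the error handled, then redirect without ending the response
        // abruptly (endResponse: false avoids the ThreadAbortException that
        // Response.Redirect(url) throws) and let the pipeline finish.
        Server.ClearError();
        Response.Redirect("~/Default.aspx", false);
        CompleteRequest();
    }
}
```

Because unrelated exceptions are no longer intercepted, the existing customErrors configuration still applies to them, so a real bug in the application does not masquerade as a successful page load.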

Headers returned to the client:

(before)
HTTP/1.x 301 Moved Permanently
HTTP/1.x 302 Found

(after)
HTTP/1.x 200 OK
HTTP/1.x 200 OK

As for the initial 'security' concern....


Thursday, 3 December 2009

ASP Menu bug in IE8 and Chrome

Well it turns out there is a bug in the ASP Menu control that stops the dynamic part of the menu rendering when the user rolls their mouse over a static part of the menu.

It appears the problem is to do with the way the control checks if the browser has javascript enabled, and it decides both IE 8 and Chrome don't, hence nothing is shown to the user.

The only workarounds I've come across are:

Obviously we cannot expect our users to have to follow special procedures to view our site, and with the only other solution being a hack, we'd rather go with something else entirely...

Monday, 23 November 2009

Regular Expressions are fun

I've finally made the effort to fully understand how to write my own regular expressions.  In the past I just had no idea what something as cryptic as ^.+[a-zA-Z][a-zA-Z]\d\d\d\d\d\d.+?.pdf|^.+\w+\.xml (I just wrote that) meant.

Plugging that into my application now means that it fully validates my input, and does it perfectly.  How did we manage before these things were invented?

If you want to learn more about regular expressions then take a look here.
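An added example, not part of the original post, showing what the pattern written above actually accepts on a handful of constructed file names, next to a tightened version. The two things worth seeing are that the unescaped '.' before pdf matches any character, and that without an end anchor both alternatives accept anything appended after the extension; \z is used rather than $ because in .NET $ also matches before a trailing newline.

```csharp
// Added example; the constant Original is the pattern from the post verbatim,
// Anchored is an assumed tightening of it, and the inputs are constructed.
using System;
using System.Text.RegularExpressions;

static class FileNameCheck
{
    const string Original = @"^.+[a-zA-Z][a-zA-Z]\d\d\d\d\d\d.+?.pdf|^.+\w+\.xml";

    // Same intent: escaped '.', {n} quantifiers, and both alternatives anchored
    // at the true end of input with \z.
    const string Anchored = @"^.+[a-zA-Z]{2}\d{6}.+?\.pdf\z|^.+\w+\.xml\z";

    static readonly Regex Loose = new Regex(Original);
    static readonly Regex Strict = new Regex(Anchored);

    public static bool LooseMatch(string name)  { return Loose.IsMatch(name); }
    public static bool StrictMatch(string name) { return Strict.IsMatch(name); }

    public static void Main()
    {
        string[] inputs =
        {
            "report_AB123456_final.pdf",     // intended shape: both true
            "report_AB123456_finalXpdf",     // '.' unescaped: loose true, strict false
            "report_AB123456_final.pdf.exe", // no end anchor: loose true, strict false
            "config.xml",                    // both true
            "config.xml\n",                  // trailing newline: loose true, strict false
            @"..\..\web.config.xml",         // '.' also matches path separators: both true
        };

        foreach (string s in inputs)
        {
            Console.WriteLine("{0,-32} original={1,-5} anchored={2}",
                s.Replace("\n", "\\n"), LooseMatch(s), StrictMatch(s));
        }
    }
}
```

The last input is the caveat a practitioner would add: even the anchored pattern only constrains the shape of a name, so a value that is later used as a path still needs path separators rejected or the result confined to a known directory.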

Wednesday, 4 November 2009

Using the @MasterType directive instead of the @Page directive with MasterPageFile=""

Just a quick snippet for future use.  When referencing a master page from your aspx file, add the @MasterType directive alongside the MasterPageFile="" attribute of the @Page directive (MasterPageFile is still needed to wire the master page up; @MasterType is what types the Master property).  Doing so gives strongly typed access to any methods you've put in the master page rather than having to do something ugly.

Example:

((DefaultLayout)this.Master).SetPageHeading("This heading is set from inside Default.aspx");

becomes:
Master.SetPageHeading("This heading is set from inside Default.aspx");

Much better, don't you think?
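For the record, the two directives and the method they make reachable. This is an added example, not the post's own project: the file names DefaultLayout.master and Default.aspx and the Literal control named PageHeading are assumed, and as with any ASP.NET code-behind it is compiled by ASP.NET together with the markup rather than on its own.

```csharp
// Added example. Markup directives, shown as comments because they live in the
// .master / .aspx files rather than in C#:
//
//   DefaultLayout.master:
//   <%@ Master Language="C#" AutoEventWireup="true"
//       CodeFile="DefaultLayout.master.cs" Inherits="DefaultLayout" %>
//   ... <h1><asp:Literal ID="PageHeading" runat="server" /></h1> ...
//
//   Default.aspx:
//   <%@ Page Language="C#" MasterPageFile="~/DefaultLayout.master"
//       AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
//   <%@ MasterType VirtualPath="~/DefaultLayout.master" %>
//
// MasterPageFile attaches the master; @MasterType makes this.Master a
// DefaultLayout instead of a plain MasterPage, so the cast goes away.
using System;
using System.Web;
using System.Web.UI;

// DefaultLayout.master.cs; the PageHeading field is generated from the markup.
public partial class DefaultLayout : MasterPage
{
    public void SetPageHeading(string heading)
    {
        // Encode here, so a page that later passes user-supplied text
        // (query string, profile name) cannot inject markup into the layout.
        PageHeading.Text = HttpUtility.HtmlEncode(heading);
    }
}

// Default.aspx.cs
public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Master.SetPageHeading("This heading is set from inside Default.aspx");
    }
}
```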

Tuesday, 3 November 2009

Browser discrepancies, arghh!

Why oh why do browsers from different vendors (Internet Explorer, Firefox, Chrome etc.) STILL have problems agreeing on the correct way to display a web page and correctly interpret JavaScript?

The World Wide Web Consortium has been around for 15 years now and defines the standards required for web developers to follow (which I must say I attempt to do very carefully) only to find that most browsers out there don't (or even worse have their own interpretation of them).

The problem here is the W3C leaves it up to the software manufacturers in order to become 'compliant', which doesn't mean much, as there are different standards of compliance, huh?

Microsoft's latest version of Internet Explorer claims it is "standards compliant" and has been reviled all over the internet forums for breaking existing websites. Which I think is a very positive move, as now these websites must also begin to follow standards or start losing traffic.

I think the only way this can be tackled would be a scheme which checks new web browser software prior to market for compliance, and only if it passes 100% of tests can it legally be called a browser. Such a scheme could work in the same way that SSL certificates are issued, and would work something like this:
  • Software is submitted to an independent authority which performs tests on the browser for compliance with current standards
  • Following a successful result a certificate is issued based on a signature of the software, and is unique to that software
  • In order to resolve domain names this certificate must be included in DNS requests, failure of which would mean the request is ignored
Assuming this is possible, it would mean that non-compliant browsers would be less convenient to use for end users (who wants to type in IPs each time they want to visit a page?) and would result in loss of custom, forcing them elsewhere.

On a side note, the latest version of Outlook Express actually uses Word (yes, Word) to render embedded HTML; surely this is a joke, Microsoft?

Monday, 2 November 2009

Why I hate the bank card readers

All the major banks are now supplying the darned card readers to be used for online transactions.

If you don't know what I mean, they're the little "calculator like" devices into which you insert your debit card (and PIN) to allow yourself to be authenticated via online banking.

However (like all security) there are downsides:

  • You have to carry one everywhere you do your online banking
  • For some reason most institutions lock them to only work with their cards (so you cannot simply borrow one from someone)
Most people misunderstand how these devices work; the clue is in the name, they are a reader, they don't have any logic on-board regarding anything financial. The processing all happens within the chip itself on the card; the readers are simply a means of communicating with your card.

Having to use one for each institution would be very understandable if each used their own algorithms for card transactions, but this would be both a massive overhead and simply isn't the way it's done (do they have different card readers for each bank in the shops?). Instead a marker is set on the card detailing the bank's 5-digit number. The readers must simply compare this to a pre-set value and if not identical "Wrong Card", god damn!

Forcing most people to have to carry these stupid things around with them.

Regarding security, they can actually make it worse. Picture this. Dark alley late at night. Thieves mug you, get your card, and demand your PIN. It can be checked on the spot, without the thieves having to risk marching you to the nearest cash machine. It is stupid that these things actually issue "wrong pin, try again". A better way would be to simply issue the authentication codes anyway, which would of course be wrong had the PIN been incorrect.

Nevermind, maybe the banks will catch up with technology one day...

Shame on you banks for locking down on internet banking when the whole ethos is around making it more convenient for their customers.

Thursday, 29 October 2009

.NET Framework gets more powerful by the day

Almost daily now I discover another aspect of the .NET framework which replaces manual repetitive tasks us developers are used to.

On going about setting up a membership system for a recent project I was about to go ahead and create session variables so the user can be tracked across pages, a pretty usual task in web development, when a colleague passed me a training folder entitled "Developing ASP.NET Web Applications: Hands-On".

Well blow me, everything you need (I mean EVERYTHING) is already pre-written and accessible through the System.Web.Security namespace using the Membership Provider, and anything that you need to customise is simply a case of deriving a class full of your own code.

In about 5 mins flat I put all the "members only" pages into their own folder and changed the config file; now they'll only be shown when I drag the asp:Login control on and authenticate myself. So much easier, and .NET is definitely becoming my first choice for personal and future projects.
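The "changed the config file" step, spelled out as an added example rather than the post's own web.config: the folder name Members, the login page Login.aspx and the timeout are assumptions. The root of the site stays open, and everything under the folder denies anonymous users, which is what sends them to the asp:Login control.

```xml
<!-- web.config (added example; folder and page names are assumed) -->
<configuration>
  <system.web>
    <!-- Forms authentication backed by the Membership provider. requireSSL
         marks the auth cookie Secure, so it assumes the site is served over
         HTTPS; slidingExpiration off gives the ticket a hard lifetime. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true"
             protection="All" />
    </authentication>
  </system.web>

  <!-- Only the members-only folder is locked down: "?" is the anonymous user,
       so anyone not yet authenticated is redirected to loginUrl. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the folder should be limited to a particular role rather than to any logged-in user, put an `<allow roles="..." />` before a `<deny users="*" />` instead; the rules are evaluated top to bottom and the first match wins.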

Monday, 8 June 2009

WHHAAT? HttpUtility.UrlEncode() doesn't encode apostrophes?

For some obscure reason HttpUtility.UrlEncode() supplied with the .NET framework doesn't encode the apostrophe! The only way around this appears to be to encode it, then manually replace this "special character" with %27.

This is rather worrying actually. I've used this method plenty of times in past projects, only to have found out they can be broken with a simple '. This is a major oversight on MS's behalf (yes, have you noticed the amount of apostrophes that appear in this post?).

Anyway, looks like a quick Ctrl+F to find all the instances of this I can and replace them with:

HttpUtility.UrlEncode(URL).Replace("'", "%27");

Funny how this isn't documented anywhere in the official docs isn't it?

Update:

It turns out that it isn't apostrophes that aren't encoded but the single quotation mark ( ' ).  Thanks to SuperGypo's comment below it turns out that this has now been documented by Microsoft.  In addition to letters and numbers there are several characters ignored during conversion including the single quotation mark.

However the documentation omits to explain the reason for leaving these characters out.
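The one-line fix from the post, wrapped up so it is applied in one place, as an added example that is not the post's own code. Besides the single quote the post names, it also re-encodes the other punctuation that the documented list leaves alone; that set is an assumption here, but the extra replacements are harmless, because after UrlEncode any of those characters still present in the output can only be a literal that was passed through.

```csharp
// Added example. The pass-through set beyond the single quote is assumed from
// the documented list the post refers to; re-encoding a character UrlEncode
// already handled is impossible, since it would not appear literally.
using System;
using System.Text;
using System.Web;

public static class QueryEncoding
{
    private static readonly char[] PassThrough = { '\'', '(', ')', '!', '*' };

    // Percent-encodes a single query-string value so that none of the
    // characters UrlEncode leaves bare can terminate a quoted context later.
    public static string EncodeQueryValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");

        var sb = new StringBuilder(HttpUtility.UrlEncode(value));
        foreach (char c in PassThrough)
        {
            sb.Replace(c.ToString(), "%" + ((int)c).ToString("X2"));
        }
        return sb.ToString();
    }

    // Builds a URL from name/value pairs with every value passed through the
    // helper above, so the single quote can never be forgotten for one value.
    public static string BuildUrl(string path, params KeyValuePair[] query)
    {
        var sb = new StringBuilder(path);
        for (int i = 0; i < query.Length; i++)
        {
            sb.Append(i == 0 ? '?' : '&');
            sb.Append(EncodeQueryValue(query[i].Key));
            sb.Append('=');
            sb.Append(EncodeQueryValue(query[i].Value));
        }
        return sb.ToString();
    }

    public struct KeyValuePair
    {
        public string Key, Value;
        public KeyValuePair(string key, string value) { Key = key; Value = value; }
    }

    public static void Main()
    {
        // Constructed input: the O'Brien case from the post's complaint.
        string url = BuildUrl("~/Search.aspx",
            new KeyValuePair("name", "O'Brien"),
            new KeyValuePair("q", "a (test)!"));
        Console.WriteLine(url);
        // ~/Search.aspx?name=O%27Brien&q=a+%28test%29%21
    }
}
```

The reason the bare ' matters is the context the URL ends up in: a value that is safe inside a query string is still dangerous if it is later written into a single-quoted HTML attribute or a JavaScript string, and for those contexts the URL has to be HTML- or JavaScript-encoded as well, not just percent-encoded.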

Friday, 29 May 2009

I was caught by Google's StreetView!

On the way to work this morning, whilst sending a text message, I noticed the easily distinguishable Google StreetView cam flying past on the top of a foreign-registered Corsa, and I'd bet it was filming at the time.

No images are online yet...but I'll be checking on a daily basis.  I wonder how long it takes them to process and upload the images?

Tuesday, 19 May 2009

Creating a windows service using the .net framework

Today has been spent attempting to write a Windows service in the .NET framework (using C#). While reasonably hard to get off the ground, after a bit of research they are actually only slightly harder to write than a simple WinForm. I do however want to repeat some bits of my research here, hopefully to make coding a Windows service easier in the future:

  • They cannot simply be run by hitting F5 and hoping for the best. They must be tediously installed (or, if like me, you can write an External Tool for Visual Studio :-)
  • You need to start the service manually (or again you could write a small batch file [using net start])
  • The service will not be started from a network drive (You will get an error along the lines of: Error 403 File cannot be found) generic huh?

And last but not least....you can't use the Timer control contained in System.Windows.Forms; nope, it has to be its cousin (albeit almost identical) control in the System.Timers namespace. Using the Forms timer won't cause any compilation problems, it simply won't fire, as I eventually found out from this obscure Microsoft article.

As you can see, writing a Windows Service is no trivial task...

Happy coding!
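The points above, put together in one service skeleton as an added example (not the post's own service): a ServiceBase using System.Timers.Timer, plus the installer class that lets installutil and net start do the tedious part. The service name, the interval and the use of the Event Log are assumptions, and the project needs references to System.ServiceProcess and System.Configuration.Install.

```csharp
// Added example; PollingService, the 60 s interval and the Event Log target
// are assumptions, not anything from the post.
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.ServiceProcess;
using System.Timers;

public class PollingService : ServiceBase
{
    // System.Timers.Timer, not System.Windows.Forms.Timer: the Forms timer
    // needs a message pump, which a service has none of, so it never fires.
    private readonly Timer _timer = new Timer(60 * 1000);

    public PollingService()
    {
        ServiceName = "PollingService";   // must match the installer below
        CanStop = true;
        CanPauseAndContinue = false;
        AutoLog = true;                   // start/stop entries in the Event Log
        _timer.AutoReset = true;
        _timer.Elapsed += OnTick;
    }

    protected override void OnStart(string[] args) { _timer.Start(); }

    protected override void OnStop() { _timer.Stop(); }

    private void OnTick(object sender, ElapsedEventArgs e)
    {
        try
        {
            // Real work goes here. System.Timers.Timer swallows exceptions
            // thrown from Elapsed handlers, so catch and log them explicitly
            // or failures disappear without a trace.
            EventLog.WriteEntry("PollingService tick at " + e.SignalTime);
        }
        catch (Exception ex)
        {
            EventLog.WriteEntry(ex.ToString(), EventLogEntryType.Error);
        }
    }

    public static void Main()
    {
        // Running this from Visual Studio fails; it must be started by the
        // Service Control Manager after installation.
        ServiceBase.Run(new PollingService());
    }
}

// Picked up by installutil. LocalService is the least-privileged built-in
// account; only move to a bigger account if the work actually needs it.
[RunInstaller(true)]
public class PollingServiceInstaller : Installer
{
    public PollingServiceInstaller()
    {
        var process = new ServiceProcessInstaller { Account = ServiceAccount.LocalService };
        var service = new ServiceInstaller
        {
            ServiceName = "PollingService",
            DisplayName = "Polling Service (example)",
            StartType = ServiceStartMode.Automatic
        };
        Installers.Add(process);
        Installers.Add(service);
    }
}
```

Install with `installutil PollingService.exe` from a Visual Studio command prompt, then `net start PollingService`; `installutil /u PollingService.exe` removes it again.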

Friday, 15 May 2009

How to create a ComboBox in ASP.NET

The .NET framework has long been deficient in the fact it DOES NOT include a ComboBox control as standard.  For those of you who do not know what a ComboBox is, it is essentially an editable drop down list (see here) which allows the user to either type OR select from a list.  I suppose it is rather analogous to the browsers address bar.

There are other options out there to provide this functionality (such as the AJAX solution above) and countless paid-for controls, but what if all you want is a simple, no-frills ComboBox?

Well it is actually rather simple to create one.

What is required is to add a TextBox and a Button (or if you're feeling fancy an image) and a ListBox below them, so that you have something like:

<div>
   
    <asp:TextBox ID="TextBox1" runat="server"
        style="z-index: 1; left: 102px; top: 28px; position: absolute"
        Height="20px"></asp:TextBox>
   
    <input id="Button1" type="button" value="V" style="width:20px; height:28px; z-index: 1; left: 239px; top: 27px; position: absolute" onclick="toggle_visibility('div1')" />
   
    <div id="div1" style="display:none">
        <asp:ListBox ID="ListBox1" runat="server"
            style="z-index: 1; left: 102px; top: 59px; position: absolute"
            Width="155px" AutoPostBack="True">
            <asp:ListItem Selected="True">Sids Co</asp:ListItem>
            <asp:ListItem>Jacks Co</asp:ListItem>
            <asp:ListItem>Daves Co</asp:ListItem>
        </asp:ListBox>
    </div>
   
</div>

Then all that is required is a spot of JavaScript to show/hide the ListBox when you click the button:

  function toggle_visibility(id) {
      // Flip the inline display style of the element with the given id;
      // div1 starts as display:none, so the first click shows it.
      var e = document.getElementById(id);
      if (e.style.display === 'block')
          e.style.display = 'none';
      else
          e.style.display = 'block';
  }

Of course you may find that you'll have to play around with CSS to get it looking correctly and a bit of codebehind so that when the user selects from the ListBox the TextBox is updated correctly.  However what you have is essentially a working ComboBox that works in all browsers, and to be honest, what else do you need?

Those looking for a more elegant solution are either going to have to cough up and pay for the control, or move towards the AJAX solution (which will NOT work with JavaScript disabled).  Blame Microsoft :-)

EDIT:  I have found a nice free version of a ComboBox control.  However I would use it with caution as it doesn't seem to work in Firefox :-S

Getting the Ajax Control Toolkit to work with Visual Studio 2005

Like many out there I have recently been having problems attempting to get the Ajax Control Toolkit to work (correctly) in Visual Studio 2005.

After LOTS of research it appears that most of the problems are caused by a mismatch of the referenced versions of the System.Web.Extensions assembly.  Just to clarify, the errors that pop up DO NOT usually mention that this is the culprit.  For example the error the parser kept throwing at me was:

The base class includes the field 'ScriptManager1', but its type (System.Web.UI.ScriptManager) is not compatible with the type of control (System.Web.UI.ScriptManager). 

Now as you need a Script Manager on the page in order to use any of the controls in the toolkit this was really starting to get annoying.  I couldn't see anything wrong with the System.Web namespace, but as usual, I was looking in the wrong place.

To solve this problem involves the web.config file.

You need to check through this, ensuring the entry for the System.Web.UI namespace references version 3.5.0.0 and NOT 1.0.61025.0.

For example the line I had was:

<system.web>
    <pages>
      <controls>
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      </controls>
    </pages>
</system.web>


Which should have been:

<system.web>
    <pages>
      <controls>
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      </controls>
    </pages>
</system.web>


Which completely solved my problem.

p.s. To find the solution to this problem I edited every instance of the version in the web.config; although probably not required, it doesn't seem to cause any problems.