Thu 16 Oct 2008


Web application security is not just about attackers hacking websites, stealing sensitive information from websites, sending high traffic to websites with denial of service attacks, viruses, worms and Trojan horses. Are these are the only problems that we have? The answer is no. There are other problems that are frequently overlooked.

The objective of this article is to give you an insight on various areas that a design architect should focus on while designing a web application to make more secured. This article discusses almost all types of vulnerability that can be exploited by the hacker and the counter measure to avoid the same.

Effective way of analyzing the various security issues on a web application by decomposing the problem domain into various areas of focus. I have discussed the same in detail below. If you follow this approach, you get your focus on the key design and implementation choices that affect your application's security.

Input validation

Identifying the validation needs for type, length, format or range of input data avoids hacker discovering the vulnerability in your application. An attacker can compromise your application if any such vulnerability is identified. It is a must to validate the input before processing it by your application. So, how do you know that your application is safe enough? You just need to answer whether your application trusts the input blindly. If the answer is yes, may be your application is susceptible for following threats.

  • Buffer Overflow
  • Cross-site scripting
  • SQL injection
  • Canonicalization

Buffer Overflow

This vulnerability leads to denial of service attacks and it eventually leads to process crash. Another vulnerability of buffer overflow is code injection which eventually alters the program execution address to run an attacker's injected code. The following piece of code demonstrates the example for occurrence of buffer overflow.

// Vulnerable function
void vulnerable(char *str)
char buffer[10];
strcpy(buffer, str);
// overrun buffer !!!
int main()
// declare buffer that is bigger than expected
char large_buffer[] = "This string is longer than 10 characters!!!";

Managed .NET code is not susceptible to this problem because array bounds are automatically checked whenever an array is accessed. It is still a concern, however, especially where managed code calls unmanaged APIs or COM objects.

Countermeasures to prevent buffer overflows

  • Perform thorough input validation
  • Wherever possible, limit application's use of unmanaged code
  • If unmanaged API is called in your application, check the values passed for the parameters of unmanaged API to avoid this attack
  • Compile your code with /GS flag if it is developed in Microsoft Visual C++ system. The /GS option detects some buffer overruns, which overwrite the return address - a common technique for exploiting code that does not enforce buffer size restrictions. This is achieved by injecting security checks into the compiled code.

Cross-site scripting

It is commonly referred as XSS occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user in order to gather data from them.

Because the script code is downloaded by the browser from a trusted site, the browser has no way of knowing that the code is not legitimate. Internet Explorer security zones provide no defense. Since the attacker's code has access to the cookies associated with the trusted site and are stored on the user's local computer, a user's authentication cookies are typically the target of attack.

Attacker normally exploits this by identifying the vulnerable page that outputs the unvalidated input back to the browser. The following snippet of code shows the input that is accepted a vulnerable page that exploits this vulnerability<script>alert('Your page is hacked')</script>

When this link is clicked, it will show an alert message because of the script tag embedded in the url. The legitimate url is suppose to carry the original user name which can be exploited as above

Counter measure to prevent XSS

  • Perform thorough input validation on form fields, query strings, cookies. Always check for scripting tags and filter the same. Regular expression is the best way of validating input
  • User inputs should be encoded using HTMLEncode and URLEncode functions

SQL Injection

Using this attack, the attacker can run the code of his choice in the database. The same will be achieved by exploiting the unvalidated input. Typical scenarios where this could be exploited are application that constructs dynamic SQL statements based on the user input and application that executes stored procedure with arguments based on the user input. The attacker can go to a maximum extent of running operating system commands if the account under which the SQL statements executed were over privileged. The extent to which the data being destroyed, manipulated and retrieved is based on the privilege of the account under which the SQL command is being executed.

Following snippet of code shows how this vulnerability can be exploited.
SqlDataAdapter myCommand = new SqlDataAdapter("select * from tablename where fieldname = '" + userinput + "'", myConnection);
The above code gets executed based on the user input. This code can be exploited if the input is entered/passed as value'; Any valid SQL command

Counter measures to prevent SQL Injection

  • Validate the input received by the application using regular expression
  • Set appropriate privileges to execute the SQL commands
  • Stored procedures executed using arguments should be parameterized stored procedures


When the different forms of input accepted resolves a standard name otherwise called canonical name, it is referred to as canonicalization. The application code is susceptible to canonicalization related issues when it makes a security decision based on the name of a resource that has been received as input. Files, paths and URLs are susceptible for this vulnerability.

A single file can be represented in many different ways as shown below

Countermeasures to prevent this vulnerability

  • Avoid accepting file name as input. When there is a need for accepting input to grant access, convert the name to canonical form prior providing security decisions
  • Assure well formed filenames are received and check whether they are within your application's directory hierarchy
  • Ensure that the character encoding is set correctly to limit how input can be represented. Check that your application's Web.config has set the requestEncoding and responseEncoding attributes on the <globalization> element.


Authentication is the act of validating the user to whom s/he claims to be. .NET framework has provided several authentication mechanisms that user can choose upon and implement in the application. An attacker can find a vulnerability if they are not properly implemented. Following are the possible vulenerabilities that an attacker can find in improper implementation

  • Network eavesdropping
  • Brute force attacks
  • Dictionary attacks
  • Cookie replay attacks
  • Credential theft

Network eavesdropping

This can be exploited only when passwords are passed in plain text format from client to server. This is accomplished by using network monitoring software that can capture traffic leading to host which is on the same network.

Countermeasure to prevent eavesdropping

  • Use Kerberos authentication or Windows authentication which doesn't transmit the password over the network
  • When there is a necessity for transmitting password through network, use an encryption communication channel like SSL which will encrypt the contents passed through network channel

Brute force attacks

Hacking the sensitive data like password or other such secrets by relying upon the computational power to identify the hash string and encryption technique used for securing the sensitive information.

Countermeasure to prevent Brute force attacks

  • The only way is by using a very strong hash key strings

Dictionary attacks

Typically, sensitive information like password will not be stored in plain text format or encrypted form in the application. Rather the application normally uses a hashing technique and stores the hashed strings. If an attacker gains the access to hash strings stored in the application, a dictionary attack can be performed. That is, iterate through all the words in a dictionary of all possible languages to arrive to the hashed string retrieved by the attacker.

Countermeasure to prevent dictionary attacks

  • Use strong passwords with that are complex. Use mixture of uppercase, lowercase, numerals, special characters in the password that makes difficult to crack.
  • Store non-reversible password hashes in the user store. Also combine a salt value (a cryptographically strong random number) with the password hash.

Cookie replay attacks

The attacker can read authentication information that is submitted for the application to gain access. The attacker can then replay the same information to the application causing cookie replay attacks

Countermeasure to prevent cookie replay attacks

  • Use SSL that encrypts al the information including cookie information passed through the channel
  • Always use timeout property for the cookie information. This will reduce the probability of attack.

Credentials theft

If your application implements its own user store containing user account names and passwords, compare its security to the credential stores provided by the platform, for example, a Microsoft Active Directory directory service or Security Accounts Manager (SAM) user store. Browser history and cache also store user login information for future use. If the terminal is accessed by someone other than the user who logged on, and the same page is hit, the saved login will be available

Countermeasures to prevent credential theft

  • Use and enforce strong passwords
  • Store password verifiers with one way hash with added salt
  • Enforce account lockout for end-users after a set number of retry attempts
  • Set the expiry property for the content rendered in the browser or force the browser not to cache the information


Authorization is all about granting or denying access to the resource for which access is requested by the user. It will be accomplished based on user identity and role membership. Top threats that exploit authorization are

  • Elevation of privilege
  • Disclosure of confidential data
  • Data tampering
  • Luring attacks

Elevation of privilege

An attacker trying to elevate privileges to become a member of the local administrator group or local system account by calling the RevertToSelf API referred as Elevation of privilege. This will enable the attacker to take complete control over application and local machine.

Counter measure to prevent elevation of privilege

  • While designing the system, ensure that application gains access only to least privileged process, services and user accounts.

Disclosure of confidential data

Unauthorized users gaining access to sensitive data is referred as disclosure of confidential data. Confidential information should be secured in persistent store like databases, xml files and other configuration files. Care should be taken while transmitting the information through the network. Access to system level configuration data should be restricted to administrators

Counter measure to prevent disclosure of confidential data

  • Before providing access to sensitive data perform a role check
  • Always secure windows resources using strong Access Control Lists (ACL)
  • Persistent stores like database and configuration files should store the sensitive information in the encrypted form

Data tampering

Data tampering refers to unauthorized modification of data. An attacker, who gains access to the information transmitted through the network, can modify the information and the application while receiving will get the tampered data.

Countermeasures to prevent data tampering

  • Always secure windows resources using strong Access Control Lists (ACL)
  • Use role-based security to differentiate between users who can view data and users who can modify data.

Luring Attacks

A luring attack occurs when an entity with few privileges is able to have an entity with more privileges perform an action on its behalf.

Countermeasures to prevent luring attacks

  • Restrict access to trusted code with appropriate authorization. Code access security (CAS) of .NET framework can be used whenever a request is made to secure resources

Configuration management

Many applications provide configuration management interfaces and functionality to allow operators and administrators to change configuration parameters, update web site content, and to perform routine maintenance. If these interfaces were carefully not designed, it could lead following threats

  • Unauthorized access to administration interfaces
  • Unauthorized access to configuration stores
  • Retrieval of plain text configuration secrets
  • Lack of individual accountability
  • Over-privileged process and service accounts

Unauthorized access to administration interfaces

Most of the web applications provide interfaces to administrators, operators and content developers to manage site content and configuration. It should be available only to the restricted users. An attacker who gains access to the configuration management data can bring down the system by altering the configuration data.

Countermeasures to prevent unauthorized access to administrative interfaces

  • Minimize the number of administration interfaces
  • Use strong authentication like using digital certificates or multiple gatekeepers
  • Avoid remote administration interfaces. If it is a must, provide access through VPN or through SSL.

Unauthorized access to configuration stores

Because of the sensitive nature of the data maintained in configuration stores, you should ensure that the stores are adequately secured.

Countermeasures to prevent unauthorized access to configuration stores

  • Configure restricted ACLs on text based configuration files. For e.g. Machine.config and web.config should be configured for restricted access
  • Keep custom configuration files outside the directory that doesn't have web access

Retrieval of plain text configuration secrets

Configuration files such as web.config that stores password or connection string should not store the details in plain text format. External attackers who gains access can then see the sensitive information as it is stored in plain text format. Similarly, disgusted employees and administrators can misuse this sensitive information.

Countermeasure to prevent retrieval of plain text configuration secrets

  • Rather than storing the data in plain text format, store the sensitive information n encrypted formats.

Lack of individual Accountability

It is important to log when the changes were made and who made those changes. If not, it could lead us to a threat of not being able to track the changes made by whom and when. If a malicious change is encountered or any other breaking change is made in the application, corrective action can be taken immediately provided we could identify it from the log.

Countermeasures to prevent Lack of Individual Accountability

  • Administrative accounts must not be shared
  • While using user/application/service accounts, ensure that any damage to the privileges using this account can be identified
  • Apply preventive measures for all the possible violation that you foresee

Over-privileged process and service accounts

There might be a need for an application or service account to change the configuration information on the system. An attacker can take advantage of the same to modify configuration information.

Countermeasures to prevent over-privileged process and service accounts

  • Avoid providing rights to change the configuration information unless it is mandatory. In that case, enable auditing and logging to track each and every change made by the account.

Sensitive Data

Sensitive data is always at great risk as attackers try to view or modify sensitive information from the persistent data storage and networks. It is subjected to variety of threats by the attackers. Often, they are

  • Access to sensitive data in storage
  • Network eavesdropping
  • Data tampering

Access to sensitive data in storage

When the data is stored in a persistent data stores, action should be taken to prevent the attacker from gaining access to the data store. That is the attacker should not be able to either view or modify the information.

Countermeasures to protect access to sensitive data in storage

  • Use Access Control Lists to ensure that required users alone are provided with rights to view or modify the information stored in data storage
  • Always store the sensitive data in encrypted format. Never store it in a plain text format
  • Differentiate view and modify operations separately and provide access accordingly. Use identity and role based authorization to achieve the same.

Network Eavesdropping

In a web application, an http requests and responses travel through the network is sent in a plain text format. An attacker can use network monitoring tool to capture the information sent in the network and can even modify the information sent in the network

Countermeasures to prevent network eavesdropping

  • Use encryption for sensitive data so that it will not be sent in a plain text format when it is transmitted through the network
  • If required, consider encrypting the communication channel by implementing SSL

Data tampering

Data tampering refers to unauthorized modification of data. When sensitive data is passed in plain text format through the network, information can be modified resulting in tampered information reaching the destination.

Countermeasure to prevent Data tampering

  • Use tamper resistant protocols such as hashed message authentication codes.

Session Management

Sometimes application stores sensitive information in the session objects. Session objects should be managed by application layer. However, storing sensitive information in the session objects leads to potential threats. They include

  • Session Hijacking
  • Session Replay
  • Man in the middle

Session Hijacking

In most of the applications, the authentication is stored in a cookie for a particular user's session. An attacker can use a network monitoring tool to capture this information. Having captured the authentication token, an attacker can spoof the user's session and gain access to the system. An attacker can perform all the operations as that of legitimate user.

Countermeasures to prevent session hijacking

  • Avoid storing anything in the session objects. However, if the application demands that then use the following prevention technique
  • Implement SSL as it will encrypt all the information that is transmitted via the network. In that case, the authentication token stored in the cookie too will be encrypted and sent via the communication channel.
  • Allow only one session per user at a time. If a new session is started for the same user, implement logout functionality.
  • Incase if SSL is not implemented and still there is a need to store information in the session object, ensure you set a time period for expiry. Though it doesn't prevent the user from session hijacking, it reduces the risk of attack when the user is attempting for stealing cookie information.

Session Replay

If an attacker gains access to the authentication token stored in a cookie, then the attacker can then frame a requests with the authentication cookie received from another user to the application from which the authentication cookie is sent. An attacker gets access to the system as that of legitimate user.

Countermeasures to prevent session replay

  • Do not store authentication information on the client
  • Whenever a critical function is being called or an operation is performed, re-authenticate the user
  • Set expiry date for all cookies

Man in the middle attacks

When communication happens between sender and receiver, an attacker can come in the middle and intercept all the messages transmitted between the sender and receiver. An attacker can then change the information and send it to receiver. Both sender and receiver will be communicating with each other without the knowledge of a man in the middle who intercepts and modifies the information.

Countermeasures to prevent man in the middle attacks

  • Use strong encryption. When the data is sent in a encrypted format, even though the man in the middle gains access to the information, s/he will not be able to intercept the original message as it is encrypted
  • Use Hashing. When attacker tries to modify the hashed information, recalculation of hash will not be successful and hence it can be discovered that the information is modified in the middle.


Applications use cryptography to store sensitive information and transmit sensitive information across the network. However, if an attacker gains access to encrypted information, attacker should not be able to decrypt to the original information. When encryption information, common threats that it can lead to are

  • Poor key generation or key management
  • Weak or custom encryption

Poor key generation or key management

An attacker can decrypt to original information, if they get access to either encryption key or they can intercept or arrive to encryption key from the encrypted information. Attacker can identify this key only if they are poorly managed or they were not generated in a random fashion.


  • Use built-in encryption routines that include secure key management. Data Protection application programming interface (DPAPI) is an example of an encryption service provided on Windows 2000 and later operating systems where the operating system manages the key.
  • Use strong random key generation functions and store the key in a restricted location - for example, in a registry key secured with a restricted ACL - if you use an encryption mechanism that requires you to generate or manage the key.
  • Encrypt the encryption key using DPAPI for added security.
  • Expire keys regularly

Weak or Custom encryption

When users define their own encryption algorithm, it has to be properly tested. Weak encryption algorithms are easy to break. Users should go for well known encryption algorithms that are been used for long time. If there is a need for using custom encryption algorithm, it has to be properly tested.

Countermeasures to address weak or custom encryption

  • Avoid using custom encryption algorithms
  • Use the well known encryption algorithm that are been in use for longtime that withstood against all attacks
  • Be aware of algorithms that are cracked and techniques used to crack them

Parameter Manipulation

In web application, communication that happens through http protocol between client and server is transmitted as a plain text over the network. Information captured from the user is either sent in the form of query string, form fields, cookies and HTTP headers in the communication channel. These parameter data are sent as a plain text through the channel and attackers can manipulate these data before it reaches the server. This leads to following major threats that needs to be taken care

  • Query String manipulation
  • Form field manipulation
  • Cookie manipulation
  • HTTP header manipulation

Query String manipulation

When user information is sent through query string, it would be clearly visible to the user as the query string information is appended with the URL address and sent to the server. If the security mechanism of your application relies on the query string values to check the user credentials or any other security decisions are taken based on that, the application is vulnerable to security attack.

Countermeasures to address query string manipulation

  • Do not pass security related information through query string
  • Use encryption to send the information passed via query string
  • Use HTTP POST rather than using HTTP GET.

Form field manipulation

As the HTTP Protocol transmits the information in plain text, it is still possible for the attackers to modify any form fields and their values that are sent to the server. So, do not rely on the hidden fields for passing security credentials as it can be modified bypassing the client script validations.

Countermeasures to address form field manipulation

  • Use session identifiers to reference state maintained in the state store on the server.

Cookie manipulation

Cookie manipulation does refer to modification of cookie values that are of both persistent cookies and memory resident cookies. If cookie value stores information used for security mechanism of the application, the application is vulnerable to attack.

Countermeasures to address cookie manipulation

  • Use SSL which encrypts the information that are transmitted via the communication channel
  • Incase of persistent cookies stored in the client computer, use encryption or hashing to protect the information

HTTP Header manipulation

In web application, the client always makes request through HTTP protocol and the server responses through HTTP Protocol. During submitting the requests, client prepares the request HTTP headers and during response, server prepares the response HTTP headers. Application should not make any security decisions based on request and response headers. If so, the application is vulnerable to attack.

Countermeasures to HTTP Header manipulation

  • Do not use HTTP Headers to make security decisions

Exception Management

When exceptions are thrown from the application, sometimes the information shown in the exception might not be making sense for the end user but might be a very interesting message for an attacker. Especially, when it reveals the internals of the underlying system. While handling all types of exception is very important, the message that is shown to the user is also equally important. If not it leads to threats that includes

  • Attacker reveals implementation details
  • Denial of service

Attacker reveals implementation details

When the exceptions are thrown from the application, it might reveal the SQL information like tables, connection strings, column names, etc… that will become a open door for an attacker to take the entry into the application.

Countermeasures to prevent important information being shown in exception to users

  • Handle all types of exception in your application through out the code base.
  • Log all the exceptions that rose in the application for internal use. However, show appropriate information in the front end to the user who received this exception

Denial of Service

The objective of the attacker is to make application to behave abnormally such that either it reveals internals of the underlying system or crashes the application process such that no other user can use the application. Application crash can occur if the exceptions are not properly caught and handled.

Countermeasures to prevent denial of service

  • Each individual input received from the user should be thoroughly validated
  • Handle all types of exception in your application through out the code base.

Auditing & Logging

Auditing and logging enables to identify whether any one is trying to exploit the application. Any attempt to exploit the application, if logged can help to identify which user is trying to exploit and necessary actions can be taken to prevent the system from such attacks. If not enabled, it is harder to find out whether any one is actually exploiting the system without the system administrator being aware. This could lead to following threats

  • User denies performing an operation
  • Attackers exploit an application without leaving a trace
  • Attackers cover their tracks

User denies performing an operation

To address the issue of repudiation that concerned with user denying that he/she performed an action or initiated a transaction, a defense mechanism should be in place to ensure that all the user activity can be tracked and recorded

Countermeasures to prevent

  • Enable auditing and logging in web server, database server and application server.
  • Identify the key events and log them. For eg. Login, logout events
  • Avoid shared accounts. It will lead to difficulty as we cannot trace out the original source

Attackers exploit an application without leaving a trace

Detection mechanism should be there to identify the suspicious activity that occurs in the system. It should be logged to identify the occurrence of exploit or whether someone is trying to exploit.

Countermeasure to detect such suspicious activities

  • All critical application level operations should be logged
  • Read the log files every day to detect suspicious activity. Always maintain the back up of log files
  • If the platform provides any support to log important transactions, make use of that

Attackers cover their tracks

What if your log file can be tampered? Situation should never be worse like this. So, it should be well protected to ensure that an attacker does the exploit and clean the audit file too.

Countermeasures to prevent

  • Do not keep the log files in the default location folder. Move it to a different location.
  • Secure log files using Access Control Lists


This article contributed by krishnan.rama  August 31, 2004 explained you the doorsteps that attacker takes to exploit your application. Now that you will be aware of the techniques used by attackers. The next step should be protecting your application against all the techniques described above. For more information on security, follow this url


Comments (1)
Sat 13 Sep 2008

A quick overview!...

NET framework 2.0:

It brings a lot of evolution in class of the framework and refactor control including the support of

Anonymous methods
Partial class
Nullable type
The new API gives a fine grain control on the behavior of the runtime with regards to multithreading, memory allocation, assembly loading and more
Full 64-bit support for both the x64 and the IA64 hardware platforms
New personalization features for ASP.NET, such as support for themes, skins and webparts.
.NET Micro Framework

.NET framework 3.0:

Also called WinFX,includes a new set of managed code APIs that are an integral part of Windows Vista and Windows Server 2008 operating systems and provides

Windows Communication Foundation (WCF), formerly called Indigo; a service-oriented messaging system which allows programs to interoperate locally or remotely similar to web services.
Windows Presentation Foundation (WPF), formerly called Avalon; a new user interface subsystem and API based on XML and vector graphics, which uses 3D computer graphics hardware and Direct3D technologies.
Windows Workflow Foundation (WF) allows for building of task automation and integrated transactions using workflows.
Windows CardSpace, formerly called InfoCard; a software component which securely stores a person's digital identities and provides a unified interface for choosing the identity for a particular transaction, such as logging in to a website

.NET framework 3.5:

It implement Linq evolution in language. So we have the folowing evolution in class:

Linq for SQL, XML, Dataset, Object
Addin system
p2p base class
Active directory
Anonymous types with static type inference
Paging support for ADO.NET
ADO.NET synchronization API to synchronize local caches and server side datastores
Asynchronous network I/O API
Support for HTTP pipelining and syndication feeds.
New System.CodeDom namespace.


Comments (4)
Fri 4 Jul 2008

Web Service Security using SOAP Extension


Yesterday I was trying to secure my webserice from unauthorized use.

Although there are many ways to secure webservices. Using WSE, WS-security, SOAP Extension, restricting through IP access, implementing certificates etc etc etc.


WSE would be the comfortable way but in my case it was time consuming to implement at both server and client end as there were hundreds of services. Restricting IP throu IIS or http handler / modules would be a good choice. I tried to do it with SOAP Extension that could be plug and play with a single entry in web.config. It works like httpmodule that reside in pipeline of communication between client and server.


Here after enough googling I have a very simple SOAP Extension that would help anyone if just want to secure service that request is coming from authenticated source. Although there would be still many security breaches but here you go.



What this SOAP extension will do?

Before passing request to webserver, this extension will add a string or any unique token to header of SOAP message then will pass it over network. Before server entertain the request it will look for that token or string in the header of incoming SOAP message request. If exsit then will allow to consume service else will throw an exception or whatever the action depending upon scenario.



SOAP Message Lifecycle.


Client = Going to accessing service

Server = Where service exists and entertaining client request.



SOAPExtension Life.gif


Client side

1.    A client invokes a method on the proxy class.

2.    A new instance of the SOAP extension is created on the client.

3.    If this is the first time this SOAP extension has executed with this XML Web service on the client, then the GetInitializer method is invoked on the SOAP extension running on the client.

4.    The Initialize method is invoked.

5.    The ChainStream method is invoked.

6.    The ProcessMessage method is invoked with the SoapMessageStage set to BeforeSerialize.

7.    ASP.NET on the client computer serializes the arguments of the XML Web service method into XML.

8.    The ProcessMessage method is invoked with the SoapMessageStage set to AfterSerialize.

9.    ASP.NET on the client computer sends the SOAP message over the network to the Web server hosting the XML Web service.


Server side

1.    ASP.NET on the Web server receives the SOAP message.

2.    A new instance of the SOAP extension is created on the Web server.

3.    On the Web server, if this is the first time this SOAP extension has executed with this XML Web service on the server side, the GetInitializer method is invoked on the SOAP extension running on the server.

4.    The Initialize method is invoked.

5.    The ChainStream method is invoked.

6.    The ProcessMessage method is invoked with the SoapMessageStage set to BeforeDeserialize.

7.    ASP.NET deserializes the arguments within the XML.

8.    The ProcessMessage method is invoked with the SoapMessageStage set to AfterDeserialize.

9.    ASP.NET creates a new instance of the class implementing the XML Web service and invokes the XML Web service method, passing in the deserialized arguments. This object resides on the same computer as the Web server.

10.  The XML Web service method executes its code, eventually setting the return value and any out parameters.

11.  The ProcessMessage method is invoked with the SoapMessageStage set to BeforeSerialize.

12.  ASP.NET on the Web server serializes the return value and out parameters into XML.

13.  The ProcessMessage method is invoked with the SoapMessageStage set to AfterSerialize.

14.  ASP.NET sends the SOAP response message over the network back to the XML Web service client.


Client side

1.    ASP.NET on the client computer receives the SOAP message.

2.    The ProcessMessage method is invoked with the SoapMessageStage set to BeforeDeserialize.

3.    ASP.NET deserializes the XML into the return value and any out parameters.

4.    The ProcessMessage method is invoked with the SoapMessageStage set to AfterDeserialize.

5.    ASP.NET passes the return value and any out parameters to the instance of the proxy class.

6.    The client receives the return value and any out parameters.



Here what exactly the code contains.

There are three classes.


That will contain our security token or string that server will be looking for.


using System;

using System.Collections.Generic;

using System.Text;

using System.Web.Services.Protocols;

using System.Xml.Serialization;



    public class MyHeader : SoapHeader


        private string _MyHeaderValue;


        public string MyHeaderValue


            get { return _MyHeaderValue; }

            set { _MyHeaderValue = value; }






SOAP Extension that will add security token in header header to outgoing SOAP message


using System;

using System.Web.Services;

using System.Web.Services.Protocols;

using System.IO;

using System.Net;

using System.Diagnostics;


    public class MySOAPExtensionClient : System.Web.Services.Protocols.SoapExtension


        Stream oldStream;

        Stream newStream;


        public override object GetInitializer(LogicalMethodInfo methodInfo, SoapExtensionAttribute attribute)


            return null;



        public override object GetInitializer(Type WebServiceType)


            return null;



        public override void Initialize(object initializer)





        // Save the Stream representing the SOAP request or SOAP response into

        // a local memory buffer.

        public override Stream ChainStream(Stream stream)


            oldStream = stream;

            newStream = new MemoryStream();

            return newStream;



        public override void ProcessMessage(SoapMessage message)


            switch (message.Stage)


                case SoapMessageStage.BeforeSerialize:

                    if (message is SoapClientMessage)



                case SoapMessageStage.AfterSerialize:

                    newStream.Position = 0;

                    Copy(newStream, oldStream);


                case SoapMessageStage.BeforeDeserialize:

                    Copy(oldStream, newStream);

                    newStream.Position = 0;


                case SoapMessageStage.AfterDeserialize:





        private void AddHeader(SoapMessage message)


            MyHeader header = new MyHeader();

            header.MyHeaderValue = "MyValue";

            header.MustUnderstand = false;




        private void Copy(Stream from, Stream to)


            TextReader reader = new StreamReader(from);

            TextWriter writer = new StreamWriter(to);










SOAP Extension that will will expect a security token or string in incoming SOAP request.


using System;

using System.Web.Services;

using System.Web.Services.Protocols;

using System.IO;

using System.Net;

using System.Diagnostics;


    public class MySOAPExtensionServer : System.Web.Services.Protocols.SoapExtension


        Stream oldStream;

        Stream newStream;


        public override object GetInitializer(LogicalMethodInfo methodInfo, SoapExtensionAttribute attribute)


            return null;



        public override object GetInitializer(Type WebServiceType)


            return null;



        public override void Initialize(object initializer)





        // Save the Stream representing the SOAP request or SOAP response into

        // a local memory buffer.

        public override Stream ChainStream(Stream stream)


            oldStream = stream;

            newStream = new MemoryStream();

            return newStream;



        public override void ProcessMessage(SoapMessage message)


            switch (message.Stage)


                case SoapMessageStage.BeforeSerialize:


                case SoapMessageStage.AfterSerialize:

                    newStream.Position = 0;

                    Copy(newStream, oldStream);


                case SoapMessageStage.BeforeDeserialize:

                    Copy(oldStream, newStream);

                    newStream.Position = 0;


                case SoapMessageStage.AfterDeserialize:

                    if (message is SoapServerMessage)


                        if (!IsRequestValid(message))


                            LoggerSecurity.GetInstance().WriteLog("Invalid Service Call | Action = " + message.Action + " | Url = " + message.Url);

                            throw new SoapException("Invalid Service Call", SoapException.ClientFaultCode);







        private bool IsRequestValid(SoapMessage message)


            bool result = false;



                foreach (SoapHeader header in message.Headers)


                    if (header is MyHeader)


                        MyHeader head = (MyHeader)header;

                        if (head.MyHeaderValue.Equals("MyValue"))

                            result = true;




                    else if (header is SoapUnknownHeader)


                        System.Xml.XmlElement elem = ((SoapUnknownHeader)header).Element;

                        if (elem.Name.Equals("MyHeader"))


                            System.Xml.XmlNode node = elem.SelectSingleNode("/");

                            if (node != null && node.InnerText.Equals("MyValue"))

                                result = true;





            catch (Exception ex)




            return result;



        private void Copy(Stream from, Stream to)


            TextReader reader = new StreamReader(from);

            TextWriter writer = new StreamWriter(to);







In Client Web.Config before ending system.Web section add following




                    <remove name="HttpGet" />

                    <remove name="HttpPost" />

                    <remove name="HttpPostLocalhost" />

                    <remove name="Documentation" />



                    <add type="CustSoapExtension.MySOAPExtensionClient, CustSoapExtension" priority="1" group="High"/>








In Server Web.Config before ending system.Web section add following




                    <remove name="HttpGet" />

                    <remove name="HttpPost" />

                    <remove name="HttpPostLocalhost" />

                    <remove name="Documentation" />



                    <add type="CustSoapExtension.MySOAPExtensionClient, CustSoapExtension" priority="1" group="High"/>







Why these?

                    <remove name="HttpGet" />

                    <remove name="HttpPost" />

                    <remove name="HttpPostLocalhost" />

                    <remove name="Documentation" />


On production environment, if there is required only to consume webservices using only SOAP then don’t allow aceess to service using these protocoals. Only allow SOAP protocol.



Hope this sample code will help you to improve your security concern.


Comments (3)
Tue 24 Jun 2008

Configuration File Tampering

If Configuration files are not protected then you should use the file system access control list (ACL) to protect them.

System Registry Tampering

If registry entries are not protected then you should use the registry ACL to protect them.

Repudiation / Logging

Security exceptions should be logged for auditing purposes; therefore, you should define and implement logging and auditing strategies in the code. Push security exceptions–related information to the event log.

Assembly Tampering

To prevent assembly tampering, consider implementing Authenticode signatures for these assemblies.

Authentication and Authorization

You should consider various Internet, intranet, and extranet-based deployment for Web servers and database servers, and then implement appropriate authentication mechanisms.

Message Protection

You should implement transport-level security (secure socket layer [SSL]) to further strengthen the communication channel. You can also implement IPsec to secure communication channel between services and the database. To implement message-level security, use either WSE 3.0 or WCF to sign and encrypt messages. Choose appropriate certificates and encryption algorithms to enforce security without compromising business operations and performance.

HTTP Replay

You can prevent these attacks by providing a secure end-to-end communication channel between server and client (for example, SSL). You should also uniquely authenticate each request (for example, use a timestamp and digital signature), by implementing message-level security. Implement IP lockout policies if required.

Denial of Service

You can prevent denial of service attacks by implementing strong authentication, authorization, and request validation mechanisms. Also, you should uniquely authenticate each request (for example, use a timestamp and digital signature) by implementing message-level security.


You can prevent repudiation attacks by implementing strong authentication, authorization, and request validation mechanisms. Also, you should implement the history and auditing feature for any database operations. You should not permanently delete the records from the database.

Dictionary Attack or Password Brute Force

You should try to prevent dictionary attacks or password brute force attacks. Implement strong password policies to prevent password hijacking. Implement a maximum retries policy, and disable the account if the number of attempts exceeds the maximum number. Also, implement an IP lockout policy, if required. Implement auditing and logging for service contracts / Web server / service host access.


You can prevent spoofing attacks by implementing strong authentication, authorization, and request validation mechanisms.

Database Security Access Controls

Use an account that has restricted permissions in the database. Ideally, you should grant execute permissions only to selected stored procedures. Consider using database role and application role database security concepts to access a different set of database objects. For example, consider using different sets of database roles and application roles for read-only operations and read-write operations.

Configuration Files Clear Text Secrets

To protect your connection strings, secret app settings, consider using DPAPI to encrypt them and store clear text secrets in a restricted registry. Use file ACLs to control access to configuration files.

Database Clear Text Secrets

The database contains secrets in clear text. For a production application, you should consider encrypting sensitive data.

Web Service Documentation Protocol

The Web.config file allows a malicious user to see the Web service documentation (wsdl file) by using documentation protocol. Using this information, the malicious user can get information about all data contracts and service contract details. The malicious user can then use the details to launch brute force attacks or false request attacks. You should configure the Web.config file to disable the documentation protocol.

Debug Attribute

The host program configuration file allows debugging. The Web.config file describes the debug = true attribute, which can allow the malicious user to debug the service implementation. This opens extra surface area, which allows a malicious user to explore injection threats. To prevent this type of attack, configure debug = false in the Web.config file.

CustomErrors Mode Attribute

The host program configuration file allows debugging. The Web.config file describes the CustomErrors Mode = off attribute, which can allow the malicious user to see the complete debug information in case of errors or exceptions. A malicious user can get the call stack information, which can launch injection or code malfunction attacks. To prevent this type of attack, configure CustomErrors Mode = on and make sure that the defaultUrl is appropriately configured in the Web.config file.


PersistSecurityInfo Attribute

The database connection string in the Web.config file does not contain a definition for the PersistSecurityInfo attribute. This attribute should be set to false. When set to false, sensitive information, such as the password, is not returned as part of the connection if the connection is open or has ever been in an open state. Resetting the connection string resets all connection string values, including the password. Set the PersistSecurityInfo attribute to false in the connection string.

SqlClientPermission Attribute

The database access assembly does not define the code access security attribute SqlClientPermission.

The CustomerRepository assembly should request minimum security permissions for SqlClientPermission.

Unrestricted Base Classes

When developing classes that will be deployed to a production environment, you should consider using sealed attributes for classes and methods.


Comments (1)
Tue 24 Jun 2008

For detail please visit following link :

Forms Authentication is one of three authentication providers. Windows Authentication and Passport Authentication make up the other two providers. In this article, we will focus on Forms Authentication

ASP.NET authentication provider


Forms authentication

A system by which unauthenticated requests are redirected to an HTML form using HTTP client-side redirection. The user provides credentials and submits the form. If the application authenticates the request, the system issues a cookie that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the cookie in the request headers; they are authenticated and authorized by an ASP.NET event handler using whatever validation method the application developer specifies.

Passport authentication

Centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites.

Windows authentication

ASP.NET uses Windows authentication in conjunction with Microsoft Internet Information Services (IIS) authentication. Authentication is performed by IIS in one of three ways: basic, digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access.


Forms Authentication Flow

1.    A client generates a request for a protected resource (e.g. a secured page from your site).

2.    IIS (Internet Information Server) receives the request. If the requesting client is authenticated by IIS, the user/client is passed on to the ASP.NET application. Note that if Anonymous Access is enabled, the client will be passed onto the ASP.NET application by default. Otherwise, Windows will prompt the user for credentials to access the server's resources. Also note that because the authentication mode in the ASP.NET application is set to Forms, IIS authentication cannot be used.

3.    If the client doesn't contain a valid authentication ticket/cookie, ASP.NET will redirect the user to the URL specified in the loginURL attribute of the Authentication tag in your web.config file. This URL should contain the login page for your application. At this URL, the user is prompted to enter their credentials to gain access to the secure resource.

4.    The client must provide credentials, which are then authenticated/processed by your ASP.NET application. Your ASP.NET application also determines the authorization level of the request, and, if the client is authorized to access the secure resource, an authentication ticket is finally distributed to the client. If authentication fails, the client is usually returned an Access Denied message.

5.    The client can then be redirected back to the originally-requested resource, which is now accessible, provided that the client has met the authentication and authorization prerequisites discussed above. Once the authorization ticket/cookie is set, all subsequent requests will be authenticated automatically until the client closes the browser or the session terminates. You can have the user's credentials persist over time by setting the authorization ticket/cookie expiration value to the date you desire to have the credentials persist through. After that date, the user will have to log in again.

Setting Up Forms Authentication

Let's take a look at the applicable settings to execute Forms Authentication. In general, setting up Forms Authentication involves just a few simple steps.

1.    Enable anonymous access in IIS. By default, anonymous users should be allowed to access your Web application. In rare cases, however, you may opt to layer an Integrated Windows OS security layer level with Forms authentication. We will discuss how to integrate this layer with anonymous access enabled in the article succeeding this one ("Part 2 (Integration w/ Active Directory)").

2.    Configure your Web application's web.config file to use Forms Authentication. Start by setting the authentication mode attribute to Forms, and denying access to anonymous users. The following example shows how this can be done in the web.config file for your Web application:


4.  <configuration>

5.    <system.web>

6.      <authentication mode="Forms">

7.        <forms name=".COOKIEDEMO"

8.               loginUrl="login.aspx"

9.               protection="All"

10.             timeout="30"

11.             path="/"/>

12.    </authentication>

13.    <authorization>

14.      <deny users="?" />

15.    </authorization>

16.  </system.web>


Upon setting the authentication mode to Forms, you'll notice that we appended another child element. The Forms element has five attributes that implement your forms authentication configuration. The attributes and their descriptions are as follows :




This is the name of the HTTP cookie from which we will store our authentication ticket and information, respectively.


This is the URL from which your unauthenticated client will be redirected. In most scenarios, this would be your login page, where the client is required to provide their credentials for authentication.


This is used to set the method from which to protect your cookie data. The following valid values can be supplied:

All: Specifies to use both data validation and encryption to protect the cookie. Triple DES is used for encryption, if it is available and if the key is long enough (48 bytes). The All
value is the default (and suggested) value.

: Used for sites that are only using cookies for personalization and have weaker requirements for security. Both encryption and validation can be disabled. This is the most efficient performance wise, but must be used with caution.

Encryption: Specifies that the cookie is encrypted using Triple DES or DES, but data validation is not done on the cookie. It's important to note that this type of cookie is subject to chosen plaintext attacks.

Validation: Specifies to avoid encrypting the contents of the cookie, but validate that the cookie data has not been altered in transit. To create the cookie, the validation key is concatenated in a buffer with the cookie data and a MAC is computed/appended to the outgoing cookie.


This is the amount of time (in integer minutes) that the cookie has until it expires. The default value for this attribute is 30 (thus expiring the cookie in 30 minutes).

The value specified is a sliding value, meaning that the cookie will expire
n minutes from the time the last request was received.


This is the path to use for the issued cookie. The default value is set to "/" to avoid issues with mismatched case in paths. This is because browsers are case-sensitive when returning cookies.

In our web.config file, it's also important to note the value we have for the deny child element of the authorization section (as highlighted below). Essentially, we set that value of the users attribute to "?" to deny all anonymous users, thus redirecting unauthenticated clients to the loginURL.




    <authentication mode="Forms">

      <forms name=".COOKIEDEMO"







      <deny users="?" />




1.    Create your login page (as referenced in the loginURL attribute discussed above). In this case, we should save our login page as login.aspx. This is the page to where clients without valid authentication cookie will be redirected. The client will complete the HTML form and submit the values to the server. You can use the example below as a prototype.


20.  <%@ Import Namespace="System.Web.Security " %>


22.  <script language="C#" runat=server>

23.  void Login_Click(Object sender, EventArgs E)

24.  {


26.    // authenticate user: this sample accepts only one user with

27.    // a name of [email protected] and a password of 'password'

28.    if ((UserEmail.Value == "[email protected]") &&

29.        (UserPass.Value == "password"))

30.    {

31.      FormsAuthentication.RedirectFromLoginPage(UserEmail.Value,

32.                                                PersistCookie.Checked);

33.    }

34.    else

35.    {

36.      lblResults.Text = "Invalid Credentials: Please try again";

37.    }

38.  }

39.  </script>

40.  <body>

41.    <form runat="server">

42.      <h3>Login Page</h3>

43.      <hr>

44.      Email:<input id="UserEmail" type="text" runat="server"/>

45.      <asp:RequiredFieldValidator ControlToValidate="UserEmail"

46.                                  Display="Static"

47.                                  ErrorMessage="*"

48.                                  runat="server"/>

49.      <p>Password:<input id="UserPass"

50.                         type="password"

51.                         runat="server"/>

52.      <asp:RequiredFieldValidator ControlToValidate="UserPass"

53.                                  Display="Static"

54.                                  ErrorMessage="*"

55.                                  runat="server"/>

56.      <p>Persistent Cookie:<ASP:CheckBox id="PersistCookie"

57.                                         runat="server" />

58.      <p><asp:button id="cmdLogin"

59.                     text="Login"

60.                     OnClick="Login_Click"

61.                     runat="server"/>

62.      <p><asp:Label id="lblResults"

63.                    ForeColor="red"

64.                    Font-Size="10"

65.                    runat="server" />

66.    </form>

67.  </body>


It's important to note that the above page authenticates the client on the click event of the cmdLogin button. Upon clicking, the logic determines if the username and password provided match those hard-coded in the logic. If so, the client is redirected to the requested resource. If not, the client is not authorized, and thus receives a message depicting this.

You can adjust the logic to fit your needs, as it is very likely that you will not have your usernames and passwords hard-coded into the logic. It is here at the Login_Click function that you can substitute the logic with that of your own. It is common practice to substitute database logic to verify the credentials against a data table with a stored procedure.

You can also provide authorized credentials in the web.config file. Inside the forms section, you would append a user element(s), as follows :




    <authentication mode="Forms">

      <forms name=".COOKIEDEMO"





        <credentials passwordFormat="Clear">

          <user name="user1" password="password1"/>

          <user name="user2" password="password2"/>

          <user name="user3" password="password3"/>





      <deny users="?" />




Doing so allows you to authenticate against a list of users in your web.config file, easily. You can append as many users as necessary. To authenticate against that list of users, you would append the applicable logic in the click event of the cmdLogin button discussed above. Here is the code :


void Login_Click(Object sender, EventArgs E)


  // authenticate user: this sample authenticates

  // against users in your app domain's web.config file

  if (FormsAuthentication.Authenticate(UserEmail.Value,








    lblResults.Text = "Invalid Credentials: Please try again";



Client Requirements

To enable forms authentication, cookies must be enabled on the client browser. If the client disables cookies, the cookie generated by Forms Authentication is lost and the client will not be able to authenticate.



 Windows Based Authentication

When you use ASP.NET Windows authentication, ASP.NET attaches a WindowsPrincipal object to the current request. This object is used by URL authorization. The application can also use it programatically to determine whether a requesting identity is in a given role.

        If User.IsInRole("Administrators") Then
        End If                 

The WindowsPrincipal class determines roles by NT group membership. Applications that want to determine their own roles can do so by handling the WindowsAuthentication_OnAuthenticate event in their Global.asax file and attaching their own class that implements System.Security.Principal.IPrincipal to the request, as shown in the following example:

' Create a class that implements IPrincipal
Public Class MyPrincipal : Inherits IPrincipal
  ' Implement application-defined role mappings
End Class
' In a Global.asax file
Public Sub WindowsAuthentication_OnAuthenticate(
        Source As Object, e As WindowsAuthenticationEventArgs)
  ' Attach a new application-defined class that implements IPrincipal to
  ' the request.
  ' Note that since IIS has already performed authentication, the provided
  ' identity is used.
  e.User = New MyPrincipal(e.Identity)
End Sub                



Passport Authentication

This first installment of a two-part series on Microsoft Passport in ASP.NET applications discusses Passport's basic authentication mechanism and demonstrates the use of related .NET classes. It describes the design and implementation of Passport-enabled Web applications and how such applications communicate with client browsers and Passport servers.

Beginning with a general description of how Microsoft Passport acts as an authentication service, it then describes the sequence of events that occurs when a user (normally a browser client) tries to access a Passport-enabled application. The following section demonstrates the necessary setup steps, and the final section explains how to use ASP.NET classes that wrap the authentication-related functionality that the Passport server provides.

Microsoft Passport as an Authentication Service

E-commerce applications on the Internet use electronic means to identify people trying to reach their enterprise resources. For example, when you create a new Yahoo e-mail account, you enter some personal information along with a user name and a password. The name/password pair becomes your identification when you later check your e-mail messages on the site. This simple authentication mechanism is also applicable to e-commerce applications. The login and password pairs are used to identify site users.

The user-authentication mechanisms that e-commerce applications normally have to implement require the following features:

  1. A graphical user interface (GUI) for sign-up and login
  2. A database of user information (at least user names and passwords)
  3. Authentication logic at the Web server
  4. Log-out functionality, such as deleting (or destroying) server-side session objects

Microsoft .NET Passport, in its most basic form, provides all four of these features wrapped inside an easy-to-use programmatic interface. Passport provides a simple architecture, in which a single .NET Passport class named System.Web.Security.PassportIdentity wraps all authentication functionality. A Passport-enabled Web application developer need only instantiate the PassportIdentity class and use its methods to perform the complete authentication process.

This means Passport-enabled e-commerce application developers can rely on Passport to manage all the authentication features required by their e-commerce sites. In effect, Passport is a reusable authentication component, pluggable directly into an ASP.NET-based e-commerce application, which makes it very suitable for rapid application development.

Single Sign-on

Single sign-on (SSO) is another important benefit of Passport. Microsoft hosts its Passport service on its own servers and allows the use of all Passport-enabled accounts (e.g., all Hotmail and accounts) to be authenticated on all Passport-enabled Web applications. This means users with Passport-enabled accounts need to remember only one login password pair to access all partner sites. So Passport not only allows rapid e-commerce application development, but it provides ease for users as well.

On the other hand, if you host your SSO on your own server, you can offer it only to your own user base—not all Hotmail and MSN users. You'll normally find this type of SSO in enterprise integration applications, where the application is meant only for users who belong to a particular trusted domain (e.g., employees of a company).

Microsoft currently sells Passport as a hosted service, like an application service provider (ASP). Passport is not available as a software product or a component you can host on your Web servers. The disadvantage of this strategy is if you want to authenticate your own user base on a Passport-enabled site, you have to implement your own authentication mechanism in addition to Passport.

This disadvantage makes Passport a generally unsuitable authentication solution for enterprise application integration (EAI) projects. In most EAI projects, customers don't want their users authenticated on a third-party server, because third-party authentication unnecessarily exposes their business information. For such applications, SSO solutions from other vendors like Oracle or IBM are better, as they are available as software components that customers can host on their Web servers.

However, B2C e-commerce applications can take advantage of the Hotmail and MSN user base with Passport.


Comments (1)
Thu 24 Apr 2008

Would be old one but just a refreshing



What ASP.NET Developers Should Always Do
Where the Threats Come From
Cookies and Authentication
Session Hijacking
Database Perspective
Hidden Fields
E-mails and Spam
Related Resources

What ASP.NET Developers Should Always Do

If you're reading this article, you probably don't need to be lectured about the growing importance of security in Web applications. You're likely looking for some practical advice on how to implement security in ASP.NET applications. The bad news is that no development platform—including ASP.NET—can guarantee you'll be writing 100-percent secure code once you adopt it—who tells that, just lies. The good news, as far as ASP.NET is concerned, is that ASP.NET, especially version 1.1 and the coming version 2.0, integrates a number of built-in defensive barriers, ready to use.

The application of all these features alone is not sufficient to protect a Web application against all possible and foreseeable attacks. However, combined with other defensive techniques and security strategies, the built-in ASP.NET features form a powerful toolkit to help ensure that applications operate in a secure environment.

Web security is the sum of various factors and the result of a strategy that goes well beyond the boundaries of the individual application to involve database administration, network configuration, and also social engineering and phishing.

The goal of this article is to illustrate what ASP.NET developers should always do in order to keep the security bar reasonably high. That's what security is mostly about—keep the guard up, never feel entirely secure, and make it harder and harder for the bad guys to hack.

Let's see what ASP.NET has to offer to simplify the job.

Where the Threats Come From

In Table 1, I've summarized the most common types of Web attacks and flaws in the application that can make them succeed.

AttackMade possible by . . .
Cross-site scripting (XSS) Untrusted user input echoed to the page
SQL injection Concatenation of user input to form SQL commands
Session hijacking Session ID guessing and stolen session ID cookies
One-click Unaware HTTP posts sent via script
Hidden field tampering Unchecked (and trusted) hidden field stuffed with sensitive data




More at ....


Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks



Comments (1)
