i am using Model View Controller , How can I encrypt my query string URL for my edit and delete views ?
Not complete answer, but you may build/implement your logic using the technique shown at and my notes below that:
http://haacked.com/archive/2010/02/21/manipulating-action-method-parameters.aspx/
Additional logic:
Build encryption and decryption methods, which accept values.
While creating the URL/ActionLink, encrypt values using the method and attach value, and while decoding the value, decrypt and set the values to parameters. (using technique mentioned in above link)
You can also refer the project below to implement using URL Rewriting.
https://github.com/sethyates/urlrewriter
Related
I need to know how to securely store the parameters passed into a Ruby class when initializing as shown below...
myclass = MyClass.new(auth_token)
... So that it can be accessed by other methods in the class to perform their actions like this:
myclass.do_something
The parameters that I pass are very sensitive so the security should be the highest priority. How can I achieve this?
You can encrypt the value before you store it, then store the encrypted value.
Then when you want to retrieve it you would decrypt it and then display the value.
You can use AES-128/AES-256 to encrypt the data using the ruby OpenSSL::Cipher and Digest libraries
Here is a post I made showing how to use the libraries to encrypt-decrypt whatever values you want.
Keep in mind you will need to keep track of your key and
initialization vector
If intruders encompasses people who can run ruby code in your process then this cannot be done.
Ruby allows private methods to be called, instance variables to be read and so on. Even if you encrypted the data, someone who can run code inside your ruby process could monkey patch the encryption methods to not do anything or gain access to the encryption keys
I have recently have been reading a lot regarding using ASP.NET MVC5. One thing that I am not sure of is one of the books I read states that you should use HttpServerUtility. HtmlEncode in your views in order to prevent XSS attacks, however I then read something that said view items automatically use this unless you use the http raw method. When is it prudent to use HttpServerUtility.HtmlEncode in your views and how can you tell when it is needed and when it is not without having to test every piece of input for XSS injection?
You're some-what accurate. Properties on your Model that do not implement IHtmlString will be encoded by default (therefore preventing most XSS attacks). If they do implement that interface, they will be output as-is (as the interface assumes you are generating some form of markup).
To answer the primary question, "when is it prudent": When you are outputting user input to your page. If you have a custom helper written to deliver an IHtmlString, it's advisable within that method to encode it (as part of the final output). This holds true for any kind of data that may be output to the page and was originally generated (or modified thereafter) by a user.
I have a Web API project I am working on in Visual Studio 2013, and I'd like for my Controllers to accept a comma separated list of values via the query string, similar to this:
http://localhost:12345/api/Procedures/1?embed=doctors,drugs&fields=fieldA,fieldB,fieldC
The reason for this is that I'd like to be able to control if related resources (additional tables) are queried via custom embedding using the embed parameter, and control what fields are returned from the base object using the fields parameter.
I've done some searching on Google but most of what is being suggested relates to extending IModelBinder (http://www.strathweb.com/2013/04/asp-net-web-api-parameter-binding-part-1-understanding-binding-from-uri/) or setting up a custom ActionFilterAttribute (Convert custom action filter for Web API use?) which seems like overkill for something relatively simple.
FYI I am using an Entity Framework dbContext class to connect to my database.
The comma character does not have any specific meaning in HTTP query strings so it does not get treated as a separator by out-of-the-box model binding mechanisms.
As far as I know the approach you mentioned with custom attributes is the simplest you can get. And it does not look like an overkill considering you will only implement the attribute once and use everywhere.
If someone goes to our website with a query string key of ref (for example mysite.com/AboutUs?ref=Test), is it possible to maintain that query string on all future links/form posts?
So for example, I may have a link on our website to go to mysite.com/Products. I would want this to be translated into mysite.com/Products?ref=Test.
Ideally I want to know if this is possible to do by inspecting the previous URL and adding it to the current URL when the request for the page is made, maybe by intercepting the route and appending the key (if it doesn't exist already).
The project is an MVC 4 application.
You could actually pass it along by adding it to every single URL, but that would require manually adding to each use of Html.ActionLink, etc. (or I suppose you could create a custom HTML Helper to do that for you, but then every developer who works on your project would need to remember to always use the custom helper), as well as all redirects and such in your controller actions. Long and short, this would be very time consuming and very fragile.
Your best bet is to simply intercept the initial request with the querystring parameter and then set a session var. Then, you can simply check for the presence of the session var instead of the querystring parameter.
To handle all this logic, your best bet is to create a global action filter. There's pretty extensive documentation on Filters at MSDN. Once you create your filter, you just have to register it in FilterConfig.cs (in App_Start) to make it global.
Set the URL parameter in a cookie, and later in your code do whatever you want to do based on presence of that value in either the cookie or URL.
if(parameter set in cookie OR URL)
// do stuff
if(parameter set in URL)
// set the cookie so that future actions are also tagged with that parameter
Alternatively if you want such tagging to happen only for the session, set a session variable.
To do it in the way you suggested - You could rewrite all links on your page based on this tag, but that would be a roundabout, and costly, way of doing this. Most languages allow a hook that allows your code to process the HTML output before it is sent out to browser; just run a appropriate regex search and replace to get what you want. e.g. PHP has ob buffering and associated functions. You could use the equivalent for .Net.
I'm getting up to speed with the WCF Web API. I want to expose an endpoint that can accept notes, via the POST method. My issue is, I want to support multiple representations for notes. For example, I might want to accept a note using a custom XML serialization that we're using elsewhere, or as an atom:entry element. I already have formatters that can deserialize these into a Note class (our own custom class) or as a SyndicationItem.
The question comes though, how do I define the method? I've currently got this:
[WebInvoke(UriTemplate = GetNotesUriRoot,Method="POST")]
public HttpResponseMessage PostNote(ObjectContent item,HttpRequestMessage request)
Which fails when starting up:
The service operation 'PostNote' will never receive a value for the input parameter 'item' of type 'ObjectContent'. Ensure that a request HttpOperationHandler has an output parameter with a type assignable to 'ObjectContent'.
I initially tried having two separate methods (with appropriately typed parameters), but they can't share the same endpoint name. The current effort (using ObjectContent) was based on other posts I could find that suggested that it could be a parameter. There is no common base type or interface between Note and SyndicationItem
We're using v0.6.0 of the WCF Web API
You need to have a parameter / return type of type Note and your formatters will (de-)serialize it to / from the required representation.
[WebInvoke(UriTemplate = GetNotesUriRoot,Method="POST")]
public HttpResponseMessage PostNote(Note note)
then in your request the content-type header will determine how the object is deserialised. You don't need to worry about deciding how to deserialise, the decision is made for you, as long as the relevant formatter exists (I've not delved in to formatters yet as json/xml have been enough for me so far)