Classic ASP form post with sensitive fields - post

helping my friend with his old ASP site and ran into an issue so I wanted to throw this out to see if i can get some help.
The site basically needs to POST data to another page which it's doing fine. The problem is that it's needs to POST the username/password to the receiving page and the site is currently holding that in hidden fields which is obviously no good since you can see it in the source code.
How can you pull the data in on the ASP page without having it hidden in an input field? I know it can get stored as a variable but then I can't POST it and if I put that variable in an input value field it shows up in the source.
Any help would be appreciated.
Thanks!

it needs to POST the username/password to the receiving page
No it doesn't. :)
If the two pages are part of the same site, use the Session object.
If the two pages are on different sites, things are trickier, but the idea is similar. I'm guessing this isn't the case for you, but if it is, look at OAuth. (For example, when you log in here, you use authentication from another site, but stackoverflow never sees your password for that site. Same idea.)

Create a database table that looks like
uniqueidentifier SessionId
varchar Username
varchar Password
Store the SessionId in the cookie with Response.Cookies.
Get the SessionId from the cookie in JavaScript, and send an ajax request to a page that gets the username and password from the database using the SessionId and outputs the values in JSON. Attach the values with javascript to a hidden field. You will still appear to be getting a value from the hidden field on the page that receives the form post, but if a user views the page source it would just say something like <input type="hidden" id="username" name="username" value="DefaultUserNameValue" />. The value will be assigned dynamically using javascript, which is not visible to the User.

Related

removing saved password from textboxes for forms inside the application

I have an application, where a normal login is present. Once login, user can create other users and we have forms with username and password fields present in those forms.
Now my problem is, when login in the application and browser asks for remember password. If I say Yes and then I go to create other users then the forms show with the username password already filled that I used for login.
I want to remember password for the main login form but don't want those to display when I am creating other users. This is mainly coming in chrome. Might come in other browsers on in mobile browser as well.
I tried clearing the text box on document ready and setting autocomplete to off for the form. but didn't work out. If I remove the type="password" attribute from the password textbox, then the browser doesn't auto fill the username/password textbox but that causes the password to display.
Any suggestion to overcome this issue are welcome.
use AutoComplete=off
The autocomplete attribute specifies whether or not an input field should have autocomplete enabled.
<input type="email" name="email" autocomplete="off">
Autocomplete allows the browser to predict the value. When a user starts to type in a field, the browser should display options to fill in the field, based on earlier typed values.
Note: The autocomplete attribute works with the following types: text, search, url, tel, email, password, datepickers, range, and color.
Update
apparently chrome ignores autocomplete="off"
This question will help you with that
Chrome Browser Ignoring AutoComplete=Off
Update 3
There is also another solution that works for people to and that is use autocomplete="false"
ref w3school
You can't tell the browser to only auto fill one set of usernames and passwords! Any sort of instructions to the browser regarding user names and passwords would be a security risk.
Your best bet would be to have the input controls have different ids and names so that the browser does not think this is the same form that it has saved information for.

Hidden field vulnerability

I have completed the source code scan (ASP) using the Fortify source code scanner.
Many hidden fields shows as a vulnerability. Like this one:
<input type="hidden" name="ToSave" value="0" />
How do I fix this issue to receive a passing test?
Thanks in advance
Mahesh
If this is application state and is not modified by the user:
Passing application state thru the browser is always a bad idea and is one of the first things that the hacker will exploit.
If this is application state: use proper ASP session management and save the session state on the server when you send the page to the user, and look up the session state on the server when the request is returned. In ASP.NET with C# you might do something like this:
Session(“ToSave”) = false;
When you send the response to the browser (e.g. send the page). Then, when you get the request back, because you’re using ASPs session management, session will have the state that you set.
If this is not application state but is a hidden field that is calculated by JavaScript in the browser and is used on the server side:
Please look at the design of the application. I do a ton of these code reviews and usually find that the application is doing something in JavaScript that should only be done on the server side. One example would be calculating the score of a test on the form putting that score in a hidden field and accepting that field on the server. Another example would be calculating the ‘next’ page in a flow and putting a marker in a hidden field. If you want to provide something like a score on the browser for user convenience use that's fine but make the official calculation (and decision, if applicable) on the server.
An attacker can easily see these values and create a request that would break your application, or worse, get the attacker something that he or she did not deserve.
In any case hidden fields are cached on the browser just as any pages are cached so it might not be wise to use hidden fields if they contain data you expect the user to not be able to see.
So, bottom line, I would agree that you shouldn't use hidden fields.

Flash and ASP.NET MVC to post data to server

what design approach would you take for security and scalability (and perhaps level of effort) when posting an ASP.NET MVC HTML form that also has a Flash component, as described in the scenario below?
I have a scenario where there's an ASP.NET MVC site, and a page that requires user authentication & authorization to access (using ASP.NET forms authentication). On that page there's an HTML form. The form also has a Flash component. The form has a few text fields, and the Flash component has binary data that needs to get submitted to the server in tandem with the HTML form fields. When the user hits the submit button on the HTML form, the form contents and binary data from the Flash need to get submitted as part of one atomic unit, so to speak.
I know that I can use HTML / Flash JavaScript bridging to post the form either through JavaScript, or through the Flash component. I could even do both, perhaps posting the binary data from the Flash component when the user clicks submit, and then posting the HTML form content following that.
From your experience, what approach would be the path of least resistance to post the form with? Considering the user authentication and authorization part, I imagine that Flash would higher effort than HTML. What about the user authentication aspect? If the page posted from Flash to the server, would Flash also have to authenticate the user, in addition to the standard HTML authentication form?
My Flash binary data should not typically be greater than 300KB, often less...any opinions / insights are greatly appreciated!
EDIT:
I also vaguely remember that with Flash 10.1, ExternalInterface seemed to not work right when transferring binary data to JavaScript, am I mistaken with that, and that you can easily transfer 300KB or more of binary data from Flash to a JavaScript variable that is then posted to the server?
Thanks!
That's one way of doing it:
Make your flash component call a javascript function through ExternalInterface.call().
Make the called javascript function change a hidden field inside the form.
When the form is posted, the hidden field will send the desired value to the server.
I guess this is also the safest way - since the Flash component will not communicate with the server. Everything you need is a standard, non-AJAX form post.
Edit
Sorry, I guess I should have paid more attention... If there is too much data being sent from the flash component, maybe you should post it directly to the server.
Still, you could use ExternalInterface to synchronize the whole process. Make Flash call a server-side method (I would use FluorineFX for that, but your opinion may vary). Then .NET will return an ID, meaning it has received and saved the binary data for future use. Then call ExternalInterface to set that ID to a hidden field. After that, when the HTML is posted to the server, the server-side action method just need to retrieve the binary data using the posted ID...
The problem here is that you will end up with some binary data that will never be associated to any form post... But that's OK I guess, just run some "garbage-collector" script from time to time.
About the authentication issue: FluorineFX does implement .NET authentication, and it is able to retrieve the current logged in user. Of course, there are some issues.

asp.net mvc html.password set value

I've got a html.password helper control on an edit profile type screen. Is there a way to set the value of this when the page first loads so that if the user doesn't want to change their password, the existing one gets passed back to the controller.
Thanks
Nick
Html.Password helper does not use ViewData automatically (see ASP.NET MVC source, InputExtensions.cs file, line 78, line 184). You need something like this:
<%= Html.Password("password", ViewData["password"]) %>
UPDATED:
Tested in Opera 10b, Firefox 3.5, Internet Explorer 8
I know this isn't a direct answer to your question, but coming at this from the user's point of view, would the user want their password being transmitted like this. I know I would not want any of my passwords transmitted anywhere unless it was absolutely necessary.
Most sites that I've seen only require a new password in the profile screen if it needs to be changed. If it is to remain the same and not updated the blank password fields are an indication of that. It also means that you can store the passwords in a more secure way (e.g. a one way salted hash) that does not permit password retrieval in any way (which if they could be retrieved would be a potential security risk in itself)

What methods are available to stop multiple postbacks of a form in ASP.NET MVC?

A common web problem is where a user clicks the submit button of a form multiple times so the server processes the form more than once. This can also happen when a user hits the back button having submitted a form and so it gets processed again.
What is the best way of stopping this from happening in ASP.NET MVC?
Possibilities as I see it are:
Disable the button after submit - this gets round the multiple clicks but not the navigation
Have the receiving action redirect immediately - browsers seem to leave these redirects out of the history
Place a unique token in the session and on the form - if they match process the form - if not clear the form for a fresh submit
Are there more?
Are there some specific implementations of any of these?
I can see the third option being implemented as an ActionFilter with a HtmlHelper extension in a similar manner to the anti-forgery stuff.
Looking forward to hearing from you MVC'ers out there.
Often people overlook the most conventional way to handle this which is to use nonce keys.
You can use PRG as others have mentioned but the downside with PRG is that it doesn't solve the double-click problem, it requires an extra trip to the server for the redirect, and since the last step is a GET request you don't have direct access to the data that was just posted (though it could be passed as a query param or maintained on the server side).
I like the Javascript solution because it works most of the time.
Nonce keys however, work all the time. The nonce key is a random unique GUID generated by the server (also saved in the database) and embedded in the form. When the user POSTs the form, the nonce key also gets posted. As soon as a POST comes in to the server, the server verifies the nonce key exists in its database. If it does, the server deletes the key from the database and processes the form. Consequently if the user POSTs twice, the second POST won't be processed because the nonce key was deleted after processing the first POST.
The nonce key has an added advantage in that it brings additional security by preventing replay attacks (a man in the middle sniffs your HTTP request and then replays it to the server which treats it as a legitimate).
You should always return a redirect as the HTTP response to a POST. This will prevent the POST from occuring again when the user navigates back and forth with the Forward/Back buttons in the browser.
If you are worried about users double-clicking your submit buttons, just have a small script disable them immediately on submit.
You might want to look at the Post-Redirect-Get (PRG) pattern:
This really isn't MVC specific, but the pattern we follow on our web pages is that actions are performed with AJAX calls, rather than full page POSTs. So navigating to a url never performs an action, just displays the form. The AJAX call won't be in the history
Along with the disabling of buttons, you can add a transparent div over the entire web page so that clicking does nothing. We do this at my work and add a little friendly label saying processing request..
The most elegant solution I found was to use ActionFilters:
Blog post is here

Resources