ingig.net

I want to thank everybody for the support

ingig — Tue, 30 Sep 2008 12:49:00 +0000

This is amazing, who needs airplanes?

ingig — Sat, 31 May 2008 19:02:00 +0000

I guess Star Trek experience is closer then you think. Simply said, Wow!

http://www.musionmedia.co.uk/cisco_day.html

Capitalize each word

ingig — Fri, 09 May 2008 18:47:00 +0000

Just for bookmarking, I have thought about this every few months

http://www.aspdotnetfaq.com/Faq/How-to-Capitalize-the-First-Letter-of-All-Words-in-a-string-in-C-sharp.aspx

Prevent xss in Asp.Net

ingig — Thu, 08 May 2008 15:58:00 +0000

We just did a big update on our system, where we try to prevent possible xss attacks. For those who don't know, xss attacks can happend when you allow user to send text to your server and then display it. From v. 1.1 Asp.Net provided some protection from xss but it's very limited and I disabled it immediately when it came out since it just throws an ugly error message to the user who is trying to put something as small as <b> in his text.

The framework from Microsoft, using viewstate and postback, provides some protection as well since it's harder to change variables, but I never liked that framework, I instead did it the old fashion way, a edit.aspx page that submited it's forms to save.aspx using post. So this is how I get the variables.

string name = Request.Form["name"];
int id = int.Parse(Request.Form["id"]);
bool isTrue = (Request.Form["isTrue"] == "1");

The problem with this is that I had to clean the variables every time to prevent xss with something like my method Util.ClearHtml(string), the code is something like this

string name = Util.ClearHtml(Request.Form["name"]);
int id = int.Parse(Clear.Html(Request.Form["id"]));
bool isTrue = (Clear.Html(Request.Form["isTrue"]) == "1");

This is a bit to much code for me and since I'm lazy I almost never did this. Then if somebody sends id=abc the page would crash. This didn't bother me so much, since it only happend when something spooky was going on. But it's ugly. Also the ClearHtml method didn't really do very good job in cleaning the text from possible xss attacks.

So my solution is this. I created the XssClear class with the following methods

This is for getting value from a submitted form using POST

public string F(name); //returns null if string is null else string.Empty if fails to convert, string is Trim()-ed
public int FInt(name); //returns 0 if fails to convert
public double FDouble(name); //returns 0 if fails to convert
public decimal FDecimal(name); //returns 0 if fails to convert
public bool FBool(name); //returns false if fails to convert
public DateTime FDateTime(name); //returns DateTime.MinValue if fails to convert
public string[] FArray(name); //returns null if fails to convert or if value is == "" and "," is the default seperator
public string[] FIntArray(name); //returns null if fails to convert or if value is == "" and "," is the default seperator
public XssClearResult FHtml(name); //this is used when the user can insert html

This is for getting variable using GET (or QueryString)

public string QS(name);
public int QSInt(name);
public double QSDouble(name);
public decimal QSDecimal(name);
public bool QSBool(name);
public DateTime QSDateTime(name);
public string[] QSArray(name);
public string[] QSIntArray(name);
public XssClearResult QSHtml(name);

All my pages inherits from the page BarnalandPage (old name), there I have these methods. So when I want to get a varible from QueryString this is how it's done

string name = QS("name");
int id = QSInt("id");
bool isTrue = QSBool("isTrue");

This saves alot of pain, errors in our system has gone down extremly in the first hours of having it running like this.

So to clean the text for xss attacks I do few things. I don't have think about the basic variables, int, bool, datetime, double, decimal. If the class can't convert it, the default value is returned. Allowing text and html (FHtml and QSHtml) is the big trouble.

This is the method to clean a text and not allowing html

private string Get(string key, string value, string def) {
   if (value == null) return def;

   //Let's check if we have already retrieved this key before
   if (content.ContainsKey(key)) return (string) content[key];

   //AntiXss is a library from Microsoft, seems to work fine
   string s = AntiXss.HtmlEncode(Ingig.Util.ClearHTML(value)).Trim();
   content.Add(key, s);
   return s;
}

The AntiXss library seem to do it's job fine, prevents every attack that is on the xss cheat sheet

Next job is to remove any possible xss attack in a html text. This is more complicated, since the possiblities are many as you can see on the cheat sheet.

We use the method GetHtml(string key, string value); and it looks like this

public class XssClear {
   ....
   ....
   ....

   XssClearResult result;
   string pattern;
   public XssClearResult GetHtml(string key, string value) {
       if (value == null) return null;
       if (content.ContainsKey(key)) return (XssClearResult) content[key];

       result = new XssClearResult();

       // change every hexadecimal to ascii
       // change every hex value to ascii
       // remove 	 | 	 | 
 | 
 |  | 
       // remove tab | \n | \r
       // remove /\*\s*\S*\s*\*/ 'This is comments in code

       value = Regex.Replace(value, @"(&\#[0-9]{1,20};?)", new MatchEvaluator(XssClear.DecimalToString), RegexOptions.IgnoreCase);
       value = Regex.Replace(value, @"(&\#x[0-9][0-9a-f];?)|(%[0-9a-f]{2};?)", new MatchEvaluator(XssClear.HexToString), RegexOptions.IgnoreCase);
       value = Regex.Replace(value, @"¼(/?script)¾", "<$1>", RegexOptions.IgnoreCase);
       value = Regex.Replace(value, @"/\*[^*]*\*/", "", RegexOptions.IgnoreCase);
       // value = Regex.Replace(value, @"(\n)*", "");
       value = Regex.Replace(value, @"(\t|\r|\f)*", "");

       DataTable dt;
       //I have the database table XssRegex, which contains list of regex that prevent xss attacks, let's load it from db if not cached
       if (HttpContext.Current.Cache["XssRegexList"] == null) {

           //This uses my DbConnection class which connects to the database and saves alot of pain
           DbConnection db = new DbConnection();
           db.Sql = "SELECT regex FROM XssRegex";
           dt = db.Query().Table;

           HttpContext.Current.Cache.Insert("XssRegexList", dt);
       } else {
           dt = (DataTable) HttpContext.Current.Cache["XssRegexList"];
       }

       //Now we run through the regex and remove any thing that is a possible xss attack
       //If we find a possible attack we remove it and add it into our error list
       //and report what pattern it was that caused the error
       Regex regex;
       MatchCollection matches;
       foreach (DataRow dr in dt.Rows) {
           regex = new Regex(dr["regex"].ToString(), RegexOptions.IgnoreCase);
           matches = regex.Matches(value);
           if (matches.Count > 0) {
               for (int i=0;i<matches.Count;i++) {
                   result.Errors.Add(AntiXss.HtmlEncode(matches[i].Value.Replace(matches[i].Value, "[[[span class[]red]]]" + matches[i].Value + "[[[///span]]]")).Replace("[]", "=").Replace("///", "/").Replace("[[[", "<").Replace("]]]", ">"));

                   result.Patterns.Add(AntiXss.HtmlEncode(dr["regex"].ToString()));
               }
               value = regex.Replace(value, "");
           }
       }

       pattern = "<[a-z*^on]*\\s*([a-z^on]*=\"?[a-z]*\"?)|(?<Event>on[a-z]*[^=]*=[^ >]*)|";
               pattern +=    "<[a-z*^on]*\\s*([a-z^on]*=\"?[a-z]*\"?)|(?<Event>seeksegmenttime[^=]*=[^ >]*)|";
               pattern +=    "<[a-z*^on]*\\s*([a-z^on]*=\"?[a-z]*\"?)|(?<Event>fscommand[^=]*=[^ >]*)|";
               pattern +=    "<[a-z]*\\s*[a-z]*=\"?([a-z^on]*=\"?[a-z]*\"?)|(?<Event>(mocha|livescript)[^:]*:[^ \">]*)\"?";

       pattern = "<[a-z*^on]*\\s*((?<Attributes>[a-z]*=?\"?[^\">]*\"?)\\s*)*";

       regex = new Regex(pattern, RegexOptions.IgnoreCase);
       matches = regex.Matches(value);
       for (int i=0;i<matches.Count;i++) {
           value = regex.Replace(value, new MatchEvaluator(RemoveOnEvent));
       }

       pattern = "<embed(\\s*\\w*\\s+|(\\w*=\"((?<Always>always)|[^\" ]*)\"))*";
       regex = new Regex(pattern, RegexOptions.IgnoreCase);
       matches = regex.Matches(value);
       for (int i=0;i<matches.Count;i++) {
           value = regex.Replace(value, new MatchEvaluator(RemoveAlwaysInScriptAccess));
       }

       result.Text = value.Trim();
       string s = (value);
       content.Add(key, result);
       return result;
   }

   //This is for removing AllowScriptAccess in embed tags
   public string RemoveAlwaysInScriptAccess(Match m) {
       if (m.Groups["Always"].Value.Trim() == "") return m.Groups["Always"].Value;
       result.Errors.Add(AntiXss.HtmlEncode(m.Value.Replace(m.Groups["Always"].Value, "[[[span class[]red]]]" + m.Groups["Always"].Value + "[[[///span]]]")).Replace("[]", "=").Replace("///", "/").Replace("[[[", "<").Replace("]]]", ">"));
       result.Patterns.Add(AntiXss.HtmlEncode(pattern));

       return m.Value.Replace(m.Groups["Always"].Value, "no");
   }

   public string RemoveOnEvent(Match m) {
       string txt = m.Value;
       for (int i=0;i<m.Groups["Attributes"].Captures.Count;i++) {
           string temp = m.Groups["Attributes"].Captures[i].Value.ToLower();
           if (temp.StartsWith("on") || temp.StartsWith("seeksegmenttime") || temp.StartsWith("fscommand") || temp.StartsWith("mocha") || temp.StartsWith("livescript")) {
               result.Errors.Add(AntiXss.HtmlEncode(m.Value.Replace(m.Groups["Attributes"].Captures[i].Value, "[[[span class[]red]]]" + m.Groups["Attributes"].Captures[i].Value + "[[[///span]]]")).Replace("[]", "=").Replace("///", "/").Replace("[[[", "<").Replace("]]]", ">"));
               result.Patterns.Add(AntiXss.HtmlEncode(pattern));
               txt = txt.Replace(m.Groups["Attributes"].Captures[i].Value, "");
           }
       }
       return txt;
   }

   /* One trick for xss is to type everything in Decimal or Hex, these two methods (DecimalToString and HexToString)
       changes all decimal and hex into regular text */

   public static string DecimalToString(Match m) {
       return char.ConvertFromUtf32(System.Convert.ToInt32(m.Value.Replace("&#", "").Replace(";", "")));
   }

   public static string HexToString(Match m) {
       return char.ConvertFromUtf32(Convert.ToInt32(Convert.ToUInt32(m.Value.Replace("&#x", "").Replace("%", "").Replace(";", ""), 16)));
   }
}

The result is then loaded into XssClearResult

public class XssClearResult {
   private ArrayList errors;
   private ArrayList pattern;
   private string text;

   public XssClearResult() {
       this.errors = new ArrayList();
       this.pattern = new ArrayList();
   }

   public ArrayList Errors {
       get {return errors;}
   }
   public ArrayList Patterns {
       get {return pattern;}
       set {pattern = value;}
   }
   public string Text {
       get {return text;}
       set {text = value;}
   }
}

So when I want to allow user to send html over the wire I simply do

string text = FHtml("text").Text;

If I want to list all the possible xss attack that the user inserted I simply do

ArrayList al = FHtml("text").Errors;
for (int i=0;i<al.Count;i++) {
Response.Write(al[i]);
}

As far a I can see this prevents "any" known xss attacks which is nice because they used to be everywhere in our system. Why did I use "any"? Well I don't do checks for old Netscape 4 browsers.

The are some assumptions that I make,

string is always trimmed,
number variables(int,double,decimal) returns 0 if it fails to convert,
boolean variable returns false if it fails to convert,
DateTime returns DateTime.MinValue if it fails to convert,
if the value that is going to be converted to an array is empty it returns null.

You can still change the default value, in one case I needed FInt("id") to return -1 as default value, so the method FInt("id", -1) came to be available.

You can download the XssClear class here, it includes XssClear, XssClearResult and a txt file with the regex's in the database, hope you like it and can use it.

Google search results

ingig — Tue, 22 Apr 2008 21:18:00 +0000

Does anyone else feel like the google search results aren't the same quality as it used to be. Just a feeling, it's been really difficult to find stuff lately.

List of usefull asp.net stuff

ingig — Fri, 18 Apr 2008 12:04:00 +0000

I have to say that aspdotnetfaq.com is pretty cool page, reminds of javascript.faqts.com which is also a great page

Remove item from Response Header

ingig — Thu, 17 Apr 2008 12:16:00 +0000

Every time somebody requests a item from our webserver it inserts a litle info about itself into the response header

Server:Microsoft-IIS/6.0

I've been wondering how to remove this since I think it pretty pointless

You need to create a httpmodule,

public class WebsiteDomainModule : IHttpModule {
   // IHttpModule members
   public void Init(HttpApplication httpApp) {
        httpApp.PreSendRequestHeaders += new EventHandler(this.OnPreSendRequestHeaders);
   }

   public void Dispose() {
        // Usually, nothing has to happen here...
   }
   public void OnPreSendRequestHeaders(object sender, EventArgs e) {
        HttpContext.Current.Response.Headers.Remove("Server");
   }
}

Just add a reference into you web.config file and that line is gone.

By removing that line we save about 25 MB of traffic data every day, about 3GB a month. Not bad.

IHttpModule bara fyrir .net kóða

ingig — Wed, 16 Apr 2008 12:31:00 +0000

Ég var að vinna í HttpModule sem við erum með og var að logga niður hvaða síður voru að keyra hann. Þegar ég skoðaði listann þá sá ég þetta venjulega

/default.aspx
/js/default.js.aspx
/images/logo.jpg
/css/design.css
.... fleiri static skrár

Það sem er verra við þetta er að þarna er static skrár að keyra í gegnum module-inn og þar þarf ekki í þessum module. Í IIS 7 er hægt að segja að það eigi bara managed síður að keyra module-inn. Það er ósköp einfallt, bætir einfaldlega preCondition="managedHandler" við þar sem þú setur module-inn inní web.config hjá þér.

<system.webServer>
    <modules>
        <add name="WebsiteDomainModule" type="Frontur.WebsiteDomainModule, frontur" preCondition="managedHandler" />
    </modules>
</system.webServer>

Eve Online clientin orðin open source

ingig — Mon, 14 Apr 2008 23:26:00 +0000

Slashdot var að segja frá þessu. Clientinn er ekki alveg orðin open source en honum var lekið inná thepiratebay.org. Nokkuð magnað. Væri ekki bara tilvalið að gera clientinn þá bara að open source, hann er hvortið er þarna úti núna og það kannski auðveldar vinnuna. Bara hugdetta.

Ef þú ert Eve-Online notandi, þá er best að halda sig frá torrentinum. CCP menn eru víst að monitora allar iptölur sem tengjast honum og loka á þá accounta sem iptalan tengist. Kannski komin tími að heimsækja foreldrana :)

Næsta skref í vefþjónustukerfinu hjá okkur

ingig — Mon, 14 Apr 2008 18:14:00 +0000

Ég hef verið að skoða WCF undanfarið þar sem það er víst það sem tók við af WSE. Þetta er nokkuð sniðugt og mjög sveigjanlegt en það tekur slatta tíma að komast inní þetta. Það eru mörg vandamál sem koma upp sem ég fer í seinna en núna er ég að vinna í því að endursmíða API kerfið hjá okkur. Það verður í SOAP, REST og JSON formi.

Á næstu dögum ætlum við (hjá Fronti) að setju upp smá samkeppni þar sem viljum fá eins marga til að búa til forrit sem notar vefþjónusturnar okkar, hvort sem er með vefsíðu, síma eða gluggaforrit. Við munum bjóða uppá flotta vinninga fyrir bestu forritin og væntanlega auglýsa þetta í einhverjum skólanum, jafnvel í mínum gamla skóla HR.

Ég skelli svo inn slóðinni hérna inn þar sem verður hægt að fá upplýsingar hvernig hægt er að taka þátt og skrá sig.

Augnaleikur og Binary klukkua

ingig — Fri, 11 Apr 2008 13:17:00 +0000

Undarlegt hvernig augun á manni virkar þegar maður horfir á punktinn í þessari mynd í 30 sekúndur og færir svo músina yfir hana

Svo er eitthvað fyrir nördinn í manni, Binary klukka

http://www.scottklarr.com/topic/30/binary-clock---free-javascript/

Það er hægt að fá svona armbandsúr á gadgets.dk. Þetta er búð í Århus, svona 40 fm² en einhvernvegin náði ég að eyða rúmri klukkustund af ævi minni þar og hvert skipti sem ég fór hring um hana fann ég eitthvað nýtt.

Upper the first letter - Util

ingig — Thu, 10 Apr 2008 16:36:00 +0000

Another simple one. This makes sure that the first letter in a text is uppercase

public static string UpperFirstLetter(string str) {
return str.Substring(0, 1).ToUpper() + str.Substring(1, str.Length-1);
}

Mario in Javascript

ingig — Wed, 09 Apr 2008 12:53:00 +0000

It's amazing what they can do with javascript today. Check out Mario written in javascript. In one 14kb file

When session expires - Util

ingig — Tue, 08 Apr 2008 16:02:00 +0000

I use this code to insert into form when there is the possibility that a session will expires, e.g. when users are writing a weblog. When the session expires the user is logged out and there is the possiblity that he'll lose all the text he has written.

So in the form where the user is writing his text I add this this the form

<%= Util.GetIdentityInput(pid) %>

This will give me a hidden input box, with his identity encrypted(pid == person Id), so if the session has expired I can retrieve what user id he was using and log him back in.

The code is pretty simple, after the encryption I need to replace any " with &quote; since this is an input box and " are not allowed. The UrlEncode is simply for browser compatability.

public static string GetIdentityInput(int pid) {
return "<input name=\"EventAccess\" value=\"" + HttpContext.Current.Server.UrlEncode(Encrypt.EncryptPassword(pid.ToString())).Replace("\"", "&quote;") + "\" type=\"hidden\" />";
}

By doing this users never loses their text because of logout.

Just in case someone is using type for locking

ingig — Mon, 07 Apr 2008 18:38:00 +0000

Check out this article about locking, http://jeffbarnes.net/portal/blogs/jeff_barnes/archive/2008/02/07/don-t-use-types-for-locking.aspx