Tridip Bhattacharjee wrote: 1) requests with different Date header values will have different signatures, thus attacker will not be able to modify the timestamp
We will generate the hash based on the secret key, so how does the date come into the scene? This point is not clear to me.
1) Use the current date as a factor in the hash function that generates your MAC. This is used so that the hash can be appropriately re-created using the time stamp on the packet, and rejected if it doesn't match.
Tridip Bhattacharjee wrote: 2) we introduce a requirement that no http request can be older than X [eg. 5] minutes - if for any reason the message is delayed for more than that it will have to be resent with a refreshed timestamp.
Point two is not clear. What does this part mean by "delayed for more than that it will have to be resent with a refreshed timestamp"? The client will send a first request and then may send a second request 10/15 minutes later.
2) Not sure how this isn't clear. Honestly, 5 minutes over the wire is pretty forgiving. In your example, the second request will have a new time stamp. We're talking about packets here, not sessions.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
You said: 2) Not sure how this isn't clear. Honestly, 5 minutes over the wire is pretty forgiving. In your example, the second request will have a new time stamp. We're talking about packets here, not sessions.
Suppose my first call happens at 9 AM and the second call happens after 10 AM, so the gap between two calls can be long. So what happens if a request comes from a valid client with a huge time gap between two calls?
Let me know. Thanks.
tbhattacharjee
No, not at all what's being talked about here.
A request is sent from a browser to your WebAPI at 0900. If that exact request, with a time stamp of 0900, is received by the server at 0906 or later, it gets rejected. This is to prevent that exact same request from being replayed at a later time, which is exactly what you're trying to defend against.
You send a second request at 1000. Providing that request is received by your server by 1005, everything is fine. It has no relation at all to the previous request, which is part of the definition of a RESTful service (which WebAPI implements).
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
The web service is deployed to IIS (it runs fine when I test it, which runs a temporary IIS Express hosted session via the debug menu), and then I try to access the URL for the service and get the following error:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Detailed Error Info:
Module: IIS Web Core
Notification: BeginRequest
Handler: Not yet determined
Error Code: 0x80070021
Coding error: This configuration file section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Config file: \\?\C:\inetpub\wwwroot\WCFService1\web.config
Requested URL: http://localhost:80/WCFService1/
Physical Path: C:\inetpub\wwwroot\WCFService1\
Logon Method: Not yet determined
Logon User: Not yet determined
The web.config file is:
<configuration>
  <system.web>
    <compilation targetFramework="4.0" />
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>
I went according to the "publish" wizard from the "build" menu. I created the profile for deployment and the deployment said success. So I am not sure what I need to do additionally or correct. I am also concerned that I do not see any endpoints listed in the web.config file. I plead ignorance since this is WCF and I am not sure what happens behind the scenes.
Thanks in advance,
-Scott Kay
"Matthews... we're getting another one of those strange 'aw blah ess spa nol' sounds from dolphin number three?"
modified 29-Nov-16 14:44pm.
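The locking rule the error text above describes (a section declared with overrideModeDefault="Deny" in applicationHost.config, unlocked only by a location tag with overrideMode="Allow"), as an added example that is not from the post or from IIS: a small checker that reads a constructed, cut-down applicationHost.config and reports which sections of a web.config shaped like the one above the server would refuse. The XML fragments, names and the server-wide-only modelling of location tags are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed, cut-down applicationHost.config. The "modules" section is declared
# with overrideModeDefault="Deny", so a site's web.config may not set it unless a
# server-wide <location path="" overrideMode="Allow"> unlocks it; "directoryBrowse"
# is declared unlocked.
APPHOST = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="modules" overrideModeDefault="Deny" />
      <section name="directoryBrowse" overrideModeDefault="Allow" />
    </sectionGroup>
  </configSections>
</configuration>"""

# Constructed web.config with the same system.webServer sections as the posted one.
WEBCONFIG = """<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>"""


def override_mode(apphost_xml, group, section):
    """Effective override mode of one section: the declaration's overrideModeDefault,
    then any server-wide <location path=""> that contains the section (last wins).
    Site-specific <location path="Site/app"> entries are not modelled here (assumption)."""
    root = ET.fromstring(apphost_xml)
    mode = "Allow"
    for sg in root.iter("sectionGroup"):
        if sg.get("name") == group:
            for decl in sg.findall("section"):
                if decl.get("name") == section:
                    mode = decl.get("overrideModeDefault", "Allow")
    for loc in root.findall("location"):
        grp = loc.find(group)
        if loc.get("path", "") == "" and grp is not None and grp.find(section) is not None:
            mode = loc.get("overrideMode", mode)
    return mode


def locked_sections(apphost_xml, webconfig_xml, group="system.webServer"):
    """Sections the site's web.config sets that the server keeps locked; each one
    would trigger the 500.19 / 0x80070021 error quoted in the post."""
    site = ET.fromstring(webconfig_xml)
    grp = site.find(group)
    used = [] if grp is None else [child.tag for child in grp]
    return [s for s in used if override_mode(apphost_xml, group, s) == "Deny"]
```

Leaving a section locked is the server administrator's way of keeping per-site web.config files from redefining it, so the fix is an explicit unlock at the server level rather than editing the site's file.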
Successful deployment does not guarantee successful running and performance of the code. It deployed the code, which means your application is live. It doesn't run, which means it requires some tweaking.
Of course, this problem means that the development machine and the hosting machine are entirely (or somewhat) differently configured. So, check the settings in order to run the application. In many cases, you are just hiding a feature from the application, or there is a lock that prevents it from performing.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
Does anyone know how to create a signature form in ASP.NET where a person signs in a blank space, then saves the signature, and then it sends an email to another person to approve?
Yes, that is known as a canvas, where you can use the mouse to draw. You can support other input methods and devices too, if preferred. This is a basic HTML API that doesn't require ASP.NET to work; it works on the web in general.
Canvas tutorial - Web APIs | MDN. This tutorial contains everything you need to learn.
Draw on HTML5 Canvas using a mouse - Stack Overflow
Note: In any case, that "someone" will know what you are trying to ask for, and they might not sign.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
Hi all,
I have:
<asp:Button ID="ButtonCheckIN" runat="server" Text="Edit" CommandArgument='<%# GetBLText(Bind("BL_MODULE").AsEnumerable(), "UN_ML_ID")%>' CommandName="CheckIn" />
When I run it, it throws error saying "'Bind' is not declared. It may be inaccessible due to its protection level". Can you help me?
Try Eval instead of Bind.
There are only 10 types of people in the world, those who understand binary and those who don't.
Hi, I have a DataBind function in my code which binds to a ListView. It doesn't work with Eval.
Examples:
works:
<%# Bind("BL_MODULE")%>
doesn't work:
<%# GetBLText(Bind("BL_MODULE").AsEnumerable(), "UN_ML_ID")%>
...and throws an error
Bind is for read and write and Eval is for read only. Since this is your button's CommandArgument, read only is what you want.
There are only 10 types of people in the world, those who understand binary and those who don't.
I got it, but if I do it using Eval:
<%# GetBLText(Eval("BL_MODULE"), "UN_ML_ID")%>
it throws a run time error saying
does not contain a property with the name 'BL_MODULE'
I don't get why I should try FindControl and try to get my button. I don't need to get any buttons. I just need to solve one of the problems. One problem appears if I use Eval, the other with Bind. If I use Eval I get:
does not contain a property with the name 'BL_MODULE'
If I use Bind I get something like "Bind is not declared".
As I see, the suggestion I get here is to use Eval, so how do I make the program think that there is a property? What datatype should I use to make the property work? I tried DataTable as I thought that the property should work as a column, but it didn't work. String names checked. They're fine.
Member 11031304 wrote: I don't get why I should try FindControl and try to get my button. I don't need to get any buttons
Yes, you are trying to set the CommandArgument property of the button in each and every Item in your ListView.
So, do it in C# instead of trying to get the right syntax in aspx. Simple and done.
There are only 10 types of people in the world, those who understand binary and those who don't.
The error is pretty clear - whatever you're binding to, it doesn't contain a property or field called BL_MODULE.
Using Bind won't change that. It will simply hide that error behind a different error.
Stick to using Eval, and either fix your property name, or fix your data source so that it contains the expected property.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
How do I change the property name? By the way, I tried to change the data source so that it contains the expected property. I created a DataTable and added a column with that name, but the same error exists.
You either change the string you're passing to Eval so that it matches the name of a property / field on your data source, or you change the data source so that it contains a property with the specified name.
If you're still getting the "property not found" error, then you've done something wrong. Either the property name doesn't match, or you're not binding to what you think you're binding to.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Normally these days many web sites provide OAuth to log in to their web API, but how can we use the same OAuth for a web API?
The client will send the user id and password in plain text to the web API, and the web API will send those client credentials to the OAuth site?
If the user credentials are found right then OAuth will send a token to the web API, and the web API will send the token to the client, and from the next subsequent call the web API will use the same token for each request... am I right?
If my thinking is wrong then just briefly tell me how OAuth is used with a web API, how the client sends their credentials, how it gets the token, etc. Thanks.
tbhattacharjee
Same as your question on HMAC.
I was just reading an article on web API with HMAC authentication from this URL: http://www.piotrwalat.net/hmac-authentication-in-asp-net-web-api/
If possible, could someone briefly discuss what HMAC authentication is and how this type of authentication works for a web API?
What I understood from their article is that the client will have a secret key, and when the client requests the web API service they will send a hash of the secret key along with the request, and the web service will compare the hash and, if it matches, allow the action to be called?
If I understood correctly then I have some questions. Suppose I am sending a hash of a secret key to the web API; then how does the web API know what key the client has? Because if the web API has to generate the hash of the secret key that the client used, for comparing at the service end, then the web API has to know which client is sending data.
There is a chance of a replay attack for HMAC authentication for a web API.
The article raises some points, which are not clear to me, to prevent the chance of a replay attack for HMAC authentication for a web API.
The points are:
Imagine a malicious third party intercepts a valid (properly authenticated) HTTP request coming from a legitimate client (eg. using a sniffer). Such a message can be stored and resent to our server at any time enabling attacker to repeat operations performed previously by authenticated users. Please note that new messages still cannot be created as the attacker does not know the secret nor has a way of retrieving it from intercepted data.
1) requests with different Date header values will have different signatures, thus attacker will not be able to modify the timestamp
We will generate the hash based on the secret key, so how does the date come into the scene? This point is not clear to me.
2) we introduce a requirement that no http request can be older than X (eg. 5) minutes - if for any reason the message is delayed for more than that it will have to be resent with a refreshed timestamp.
Point two is not clear. What does this part mean by "delayed for more than that it will have to be resent with a refreshed timestamp"?
tbhattacharjee
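The scheme discussed in this question and in the 0900/0906 reply earlier in the thread, as an added example that is not from the linked article or from any poster: the server finds the client's secret by the client id sent in the Authorization header (so the secret never travels), the Date header is part of the signed string (so it cannot be refreshed by a replayer), and a request whose Date is more than 5 minutes from server time is rejected before any comparison. The header layout, the canonical string and the key store are constructed for the demo.

```python
import base64
import hashlib
import hmac
from datetime import timedelta
from email.utils import format_datetime, parsedate_to_datetime

# Constructed key store: the server looks the secret up by the client id carried in
# the Authorization header, so the secret itself never travels over the wire.
CLIENT_SECRETS = {"client-42": b"constructed-demo-secret-do-not-reuse"}
MAX_AGE = timedelta(minutes=5)  # the "X minutes" freshness window from the article


def canonical(method, uri, date_hdr, body):
    # Everything that must not change in transit is signed, Date header included,
    # so a captured request cannot be given a fresh timestamp without the secret.
    return "\n".join([method.upper(), uri, date_hdr, hashlib.sha256(body).hexdigest()]).encode()


def sign_request(client_id, method, uri, body, when):
    """Client side: the Date and Authorization headers for one request sent at `when` (aware UTC)."""
    date_hdr = format_datetime(when, usegmt=True)
    mac = hmac.new(CLIENT_SECRETS[client_id], canonical(method, uri, date_hdr, body), hashlib.sha256).digest()
    return {"Date": date_hdr, "Authorization": "hmac %s:%s" % (client_id, base64.b64encode(mac).decode())}


def verify_request(method, uri, body, headers, now):
    """Server side: (accepted, reason) for a request arriving at server time `now` (aware UTC)."""
    try:
        scheme, cred = headers["Authorization"].split(" ", 1)
        client_id, sig_b64 = cred.split(":", 1)
        sent = parsedate_to_datetime(headers["Date"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed Date or Authorization header"
    if sent is None or sent.tzinfo is None:
        return False, "malformed Date or Authorization header"
    if scheme != "hmac" or client_id not in CLIENT_SECRETS:
        return False, "unknown client"
    # Freshness first: a replayed copy older than the window is refused before any crypto runs.
    if abs(now - sent) > MAX_AGE:
        return False, "request outside freshness window"
    expected = hmac.new(CLIENT_SECRETS[client_id], canonical(method, uri, headers["Date"], body), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return False, "malformed signature"
    # Constant-time comparison so response timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"
```

Note that a copy replayed inside the 5-minute window still verifies; the timestamp only bounds how long a captured request stays usable, and closing that remaining window needs the server to remember recently seen signatures or a per-request nonce.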
I wrote an application in ASP.NET (3.5).
From an .aspx page, a script in ASP should be interfaced.
I mean that the aspx page, after viewing, waits X seconds and then calls the asp page using HTTPRequest and POST.
In the aspx page I inserted a timer that delays the execution of the asp page by X seconds.
When I use Firefox it works properly, while Chrome is in a loop, that is, in the status bar I see that it continually draws the current page without stopping, ending only when I close the page.
Searching the net I saw that Chrome and Safari have some incompatibility.
Where did I go wrong?
What can be done to solve this problem, taking into account that I cannot replace the ASP page with an .aspx, because it uses COM objects whose features I do not know?
Someone enlighten me!!!