How to develop secure web applications part 1

In the next coming articles to, I will be focusing on Web application securities, as a developer nowadays, it’s imperative that we are very familiar with different vulnerabilities and types of attacks that are going on, we should not only be aware but it should be cultivated in our minds whenever we develop a public facing applications.

A lot of times, due to budget, or the types of projects we handle, we forget to consider different vulnerabilities which might affect our client’s web site, which shouldn’t be the case, it should be a criteria as part of development to make sure that no matter what type of web projects you’re working on specially when dealing with sensitive data, security should always be part of it.

A simple encoding of forms before we handle them is a huge matter, this is where most DOS (denial-0f-service) attacks originate, making sure that every aspect of business rules should combine security measures always remember; it is always easier to secure simple logic functions than complex logic functions.

In this first part I’d like to talk about the basic building block of a web application, Single transaction, this is the single way of accessing an object. Making single transaction secure will give the developer safe building blocks, which can be used to create more complex entities.

  • Encoding of the transaction
  • Parameter values within the transaction
  • Obfuscate if possible
  • Dynamic Page Creation
  • Usage of HTTP headers

Let’s talk about this in more details;

Encoding Transactions. The application must establish a single encoding scheme for each request (preferably common to all requests within an application) during the design stage,which is non-ambiguous and has a single representation. The decoding function should be the first to be invoked during transaction processing, this will allow you to validate all entries before committing to the next stage.

Parameter values within the transaction. A transaction is built from an object name and parameter values for the object to operate
upon. It is crucial to protect the parameters enforcing their validity and fit with the application logic. An attacker of the web application may change the value of any parameters sent to the server. As a result, nothing can be assumed about this input.

Obfuscate if possible. When creating and receiving transactions we should always find a way to disturb the information and make it confusing to the public but not to the system logic, putting this kind of strategy in place will prevent hackers and other attacker’s easy guessing your application.

Dynamic Page Creation. Dynamic sites are based on the ability to provide users with a tailored experience, created for his specific profile and session. As part of this process, aspects of the user input should be taken into account to create the dynamic pages sent back to the user. Never use values received from the client to directly create dynamic pages. Implanting users’ input directly within pages can lead to severe consequences.

Usage of HTTP headers. HTTP headers raise security issues. Similar to all other information from the client, these fields are easily manipulated. Therefore, while they might be used to provide certain functionality, they should never be used to provide security. A good example is the REFERER header, which reflects the page leading to the transaction. It can be manipulated to contain any desired URL.

These are just guides, depending on your application design and business rules every security measures within your applications should always be tailored to ensure compatibility.

Go to Next part of this series >.

String Format for Type Double

Here’s how to format a a Type Double to string in C#

use static method , String.Format or use instance method such as double.ToString and float.ToString .

// just two decimal places
String.Format("{0:0.00}", 123.4567);      // "123.46"
String.Format("{0:0.00}", 123.4);         // "123.40"
String.Format("{0:0.00}", 123.0);         // "123.00"

Next example formats double to string with floating number of decimal places. E.g. for maximal two decimal places use pattern „0.##“.

// max. two decimal places
String.Format("{0:0.##}", 123.4567);      // "123.46"
String.Format("{0:0.##}", 123.4);         // "123.4"
String.Format("{0:0.##}", 123.0);         // "123"

If you want a float number to have any minimal number of digits before decimal point use N-times zero before decimal point. E.g. pattern „00.0“ formats a float number to string with at least two digits before decimal point and one digit after that.

And to align float number to the right use comma „,“ option before the colon. Type comma followed by a number of spaces, e.g. „0,10:0.0“ (this can be used only in String.Format method, not in double.ToString method). To align numbers to the left use negative number of spaces.

String.Format("{0,10:0.0}", 123.4567);    // "     123.5"
String.Format("{0,-10:0.0}", 123.4567);   // "123.5     "
String.Format("{0,10:0.0}", -123.4567);   // "    -123.5"
String.Format("{0,-10:0.0}", -123.4567);  // "-123.5    "

and finally, if you need to use custom format for negative float numbers or zero, use semicolon separator;“ to split pattern to three sections. The first section formats positive numbers, the second section formats negative numbers and the third section formats zero. If you omit the last section, zero will be formatted using the first section.

String.Format("{0:0.00;minus 0.00;zero}", 123.4567);   // "123.46"
String.Format("{0:0.00;minus 0.00;zero}", -123.4567);  // "minus 123.46"
String.Format("{0:0.00;minus 0.00;zero}", 0.0);        // "zero"

Creating User Controls ASP.NET

One of ASP.NET’s strongest point as a framework are its handy controls that are available to web developers, these are smart little modules that you can easily drag and drop on to your page or inside another control. Although ASP.NET especially the 3.5 provide more controls than one could use for a project, you still find a need to make your own custom one, and in this article I’ll show you how easy it is to create a user controls.

An obvious part you can easily spot is it’s file extension, ie., user controls has .ascx extension and not aspx this is to prevent user control’s file to not be executed as a standalone Web Forms page.

It’s very easy to create one, first you need to ‘add new item’ on your solution(usually when you right click on your solution name it will give you this option), then once a window pop-up you would need to select ‘Web User Control’ icon to create a new user control you can always rename your file later on.

For instance you decided to create control that displays google maps after coding your google api’s in this control you can include this to any page using the Register Directive like this:

<%@ Register TagPrefix=”GoogleMapControl” TagName=”Message” Src=”LoadGooglemap.ascx” %>

TagPrefix serves as your unique namespace for your user control, this avoids clashing with your other controls inside the page. The Src attribute is the virtual path to the user control – like in our example “LoadGoogleMap.ascx” or “/MyApp/Include/LoadGoogleMap.ascx”. After registering the user control, you may place the user control tag in the Web Forms page just as you would an ordinary server control (including of course the runat=”server” attribute), like this :

This is how it will look like on your page:

<%@ Page Language=”C#” %>
<%@ Register TagPrefix=”GoogleMapControl” TagName=”Message” Src=”LoadGooglemap.ascx” %>

A Simple User Control

Your LoadGoogleMap.ascx looks something like this :

This is a simple message user control!

———————————————–

Another Simple way to include your user controls is to drag and drop them
on your page from your solution window (don’t forget to turn on your ‘design’
view on your solution page’)

Exposing User Control Properties for use in other web forms

Take note that everytime a Web Form page is treated as a control, its public fields and methods (Web Form) becomes public properties (that is, tag attributes) and methods of the control as well. In the next example I will show how an extension of the previous user control adds two public String fields.
Notice also that these fields can be set either declaratively or programmatically in the containing page.

This is how your aspx would look like:

<%@ Register TagPrefix=”GoogleMapControl” TagName=”Message” Src=”LoadGoogleMap.ascx” %>

A Simple User Control w/ Properties

And this is how your control would look like:
<script runat=server language=C# >
public String Color = "red";
public String Text = "This is a google map title text!";
</script >

And if you want to have a full control on your coding you might want to consider
as it can also be done Programmatically create your user controls just as an ordinary
server control.

here it is.

Control Con1 = LoadControl(“LoadGoogleMap.ascx”)
CType(Con1, (GoogleMap)).Category = “business”
Page.Controls.Add(con1)

And you can access it like this

<%@ Control ClassName=”GoogleMap” %>

notice that you just have to pass the object GoogleMap since you used the object Page.Controls.Add

Hope this helped you understand how the ASP.NET user control works.