Friday, January 31, 2014

LINQPad : debugging with Visual Studio

I've been a fan of LINQPad for a while and I use it a lot for writing code snippets and testing them.

Note: If you pay for it, you get Intellisense as well.

Came across a situation where I had a bug and couldn't put my finger on it. Would be ideal to debug / step-through it but you can't ...

Well, actually you can - learn something new every day.

Add these lines to your snippet:

Debugger.Launch();   // System.Diagnostics: starts a debugger if none is attached yet
Debugger.Break();    // halts here once a debugger is attached, so you can step through

So obviously LINQPad is running
Start up Visual Studio - the normal Start screen is fine
Debug - Attach to Process
Select LINQPad.exe from the list and Attach
Run your snippet

BINGO - jumps into VS - debug away.

How have I not known about this?

Enjoy!

Wednesday, January 29, 2014

AD : PrincipalOperationException A device attached to the system is not functioning

Best error message ever.

Got this on a web site - WTF - what device?

Card reader, CD drive ... not on a web site, mate!

Turns out this is during a create on a user or a group in AD where the name is greater than the allowed field length.

So for Create User - the SAMAccountName can't be greater than 20 characters.

There's probably a similar restriction for a group since I got the same error.

Good interview question :-)

Enjoy!

Friday, January 17, 2014

Misc : How much is my blog worth?

Came across this site:

Worth of Web Calculator

According to this, my blog is worth the princely sum of $69.00 !

Any offers :-)

Enjoy!

ADFS : Multi-valued attributes from AD

There are two kinds of attributes in AD viz. single valued and multi-valued. The latter obviously can have more than one value.

You can see the difference when you try and edit them. Single-valued has a single textbox while multi-valued has a textbox to enter a new value and a multi-line textbox to show all the current values.

If you look at a multi-valued attribute in AD using ADUC, you'll see it displayed as:

value1;value2;value3

Note: This is different to a single value attribute that contains the string:

value1 value2 value3

That's a string of ONE value which is "value1 value2 value3".

How do you find them?

Use ldp, click on the Base DN of "CN=Schema ..." and then run:

(isSingleValued=FALSE)

I couldn't find any under the "objectClass=user" category but there are some if you have added the AD extension attributes to the schema i.e. the ones that start with "msExch ...".

All of which is a segue into how ADFS handles this. It produces a new claim (of the same type) for each value.

So if you took the above and mapped them to a claim of type Values, you'll get:

.../claim/Value =  value3
.../claim/Value =  value2
.../claim/Value =  value1

Interestingly, it seems to display the values in reverse order but I wouldn't make any assumptions about the order the claims are presented.

Enjoy!

Monday, January 13, 2014

Misc : MSDN 2000 points!

Finally passed the 2000 point barrier on the MSDN forums!

It's much harder to get rep. on MSDN than on stackoverflow.

Enjoy!

Wednesday, January 08, 2014

C# : Cross site scripting and quotes

Busy developing a web site (ASP.NET, C#, Windows Forms, .NET Framework 4) and I got some security gurus to help do some security / penetration testing.

The site has some forms where you enter user details into text boxes. This is stored in a DB. You can search for users and the results are displayed in a grid e.g. first name, last name, email, roles etc.

So if you entered some Javascript into the last name text box e.g.

<script>Alert ('XSS error');</script>


this would be written to the DB and when the grid displayed the next time, you would see the Alert - the dreaded XSS syndrome.

Microsoft has a library to handle this - the somewhat maligned AntiXSS.

This has methods for HTML encoding, CSS encoding, URL encoding, injection etc.

So e.g. you can use:

AntiXssEncoder.HtmlEncode(lastname, true);

If someone types:

<script>Alert ('XSS error');</script>

as a last name, this is encoded as:

&lt;script&gt;Alert (&#39;XSS error&#39;);&lt;/script&gt;

which is harmless.

Now that's all well and good but you will note from the above that the single quote "'" is also encoded.

So what happens when you have someone with a name of O'Reilly?

Bad stuff happens - that's what!

What is saved is:

O&#39;Reilly

There are many Google hits around the fact that the library is actually too strict etc. etc.

What I do, after the encoding, is:

lastname = lastname.Replace("&#39;", "'");     // Replace returns a new string, so assign the result

So it's back to the single quote.

You could also use something like:

Sanitizer.GetSafeHtmlFragment(lastname);

which removes a few HTML elements like script - so in this case there's just an empty string.

And for injection e.g. LDAP, you can use:

Microsoft.Security.Application.Encoder.LdapFilterEncode("xyz");
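The encode-then-restore step above, written out as an added C# example (not the post's own code). It assumes the .NET 4.5 System.Web.Security.AntiXss.AntiXssEncoder, whose static HtmlEncode(string, bool) matches the call used in this post; the NameEncoder class, the Demo program and the sample names are constructed for illustration.

```csharp
using System;
using System.Web.Security.AntiXss;   // AntiXssEncoder lives in System.Web.dll (.NET 4.5+)

// Constructed helper (not the post's own code) wrapping the two steps above:
// whitelist HTML-encode the name, then put the apostrophe back.
public static class NameEncoder
{
    // For a value rendered as element text, e.g. a grid cell.
    // An apostrophe cannot break out of element text, so restoring it is
    // safe there; "<", ">", "&" and the double quote stay encoded.
    public static string ForGridCell(string value)
    {
        if (string.IsNullOrEmpty(value)) return value;
        string encoded = AntiXssEncoder.HtmlEncode(value, true);
        // String.Replace returns a new string; the result must be used.
        return encoded.Replace("&#39;", "'");
    }

    // For a value written inside an HTML attribute (title='...', value='...').
    // Here an apostrophe can terminate a single-quoted attribute, so keep the
    // encoder's output as-is and do not restore the quote.
    public static string ForAttribute(string value)
    {
        if (string.IsNullOrEmpty(value)) return value;
        return AntiXssEncoder.HtmlAttributeEncode(value);
    }
}

class Demo
{
    static void Main()
    {
        // Constructed sample inputs, not real user records.
        string[] names = { "O'Reilly", "<script>Alert ('XSS error');</script>" };
        foreach (string name in names)
        {
            Console.WriteLine("cell:      " + NameEncoder.ForGridCell(name));
            Console.WriteLine("attribute: " + NameEncoder.ForAttribute(name));
        }
    }
}
```

Whether the apostrophe can be restored depends entirely on where the value is written, which is why the two helpers are kept separate. Storing the raw value and encoding at render time avoids double-encoding when the same field is shown in more than one context.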

Enjoy!