[.NET Internals 02] Stack and heap - .NET data structures - In the second post of .NET Internals series, we’re going to investigate the organization of .NET process’s memory.

We’ll see what the stack and heap are and what kind of data is stored on each of these memory structures. If you’re here for the first time, I encourage you to first read the .NET Internals series introductory post explaining the basics of memory structure. By default, when the .NET application is started and virtual address space is allocated for the process (as we saw in the previous post), the following data structures, represented as heaps, are created: Code Heap – storing JIT-compiled native code, Small Object Heap (SOH) – storing objects of size less than 85 kilobytes, Large Object Heap (LOH) – storing objects of size greater than 85 kilobytes*, Process Heap.

*side note: there’s an exception for arrays of double, which are allocated on the LOH much before reaching 85K (double[] is considered “large” when it exceeds 1000 elements). Stack Data Structure, source: Wikipedia.

Microsoft Graph

.Inferno: .NET crypto done right. GitHub: source, binaries Nuget: Inferno, Inferno.StrongName Copyright © 2019 Stan Drapkin Introduction While many developers are aware enough not to roll their own crypto, they either pick the wrong approach, screw up the implementation, or both.

Identity. Authentication. PeterJuhasz.AspNetCore.Security.Extensions 3.0.2. HTTPS. Custom Domains and SSL bindings with IIS Express – Simon J.K. Pedersen's Azure & Docker blog. IIS Express is designed to be able to support all web development tasks without admin privileges.

But that design comes with some limitations, e.g. you are not able to use any hostname other than localhost, and only ports between 44300 and 44399 support SSL. Those limitations can be a little annoying; luckily we can change the default configuration. In this post I describe how to use a custom hostname. When IIS Express is installed it does quite a bit of configuration; the following things happen behind your back.


ASP.NET Core 2.2 - Scaffold Identity UI - KenHaggerty.Com. Decrypting (But Not Really Encrypting) Configuration Settings in ASP.NET Core. Practical .NET Decrypting (But Not Really Encrypting) Configuration Settings in ASP.NET Core You can store encrypted values in your ASP.NET Core configuration file and seamlessly decrypt the values as you retrieve them.

But there are, at least, two issues that you'll need to address. When I started teaching the ASP.NET course I wrote for Learning Tree International, one of the first questions I was asked (and that the course didn't answer) was: "How can I have encrypted settings in the web.config file?" It's a fair question -- I was once told that 50 percent of security breaches are performed by people inside the organization who have access to the kind of information in, well, your application's configuration file. ASP.NET Core Custom User Manager. For some reason, you might want to avoid using the standard Identity package to work with users, roles, permissions etc.

I had 2 reasons: Identity works only with Entity Framework (unless you write your own implementation of the IUserStore interface), but in my project (content management system) I didn’t want to limit future users in this way; it is too huge and complicated, and I don’t want to have all those features I will never use. ASP.Net MVC Identity without using Entity Framework. In this tutorial you will learn how to create your own custom identity authentication and authorization with ASP.Net MVC without using Entity Framework.

By default, the example given in the MVC official tutorial site is using Entity Framework. So if you do not want to use Entity Framework and want to use an external data source or your own database, you may want to read the following article I wrote on how to integrate your existing login details. If you are completely new to this, I would suggest you read their official MVC site and try their sample and examine their code by debugging the sample site so you can know at least the basic flow of how it works. The following code I wrote will be partially based on the sample code the official site gave. Here is the quick link provided by Microsoft about the security overview of authentication and authorization. Let's get started with setting up the database first. Custom storage providers for ASP.NET Core Identity.

Simple Authentication In Razor Pages Without A Database. Sometimes, using the full ASP.NET Core Identity framework is overkill for small, one-user applications that require some form of authentication.

I'm thinking about blog applications, or web-based utilities that have admin areas that only you should be allowed to reach. All you really want to do is authenticate against a user name and password stored in a config file or similar. You really don't need the ceremony of a database, EF Core, ApplicationDbContexts, SignInManagers, UserManagers etc. This article provides a step-by-step guide to implementing simple authentication using just cookies, while storing credentials securely without a database. Overview of the tasks The process involves a number of steps: Configure and enable cookie-based authentication Configure Protected resources Secure your credentials Store the credentials Create a login form.

Adding minimal OWIN Identity Authentication to an Existing ASP.NET MVC Application. As of ASP.NET 4, ASP.NET provides a fairly useful identity system.

If you create a new project and choose an MVC project and choose to add both internal and external authentication, it’s fairly straightforward to get a reasonable identity implementation into your application. However, if you have an existing application, or if the full Entity Framework based identity structure doesn’t work for you, then the process to hook up a minimal and custom implementation that uses your own domain/business model and classes is not exactly as straightforward.

You have to either rip out the pieces you don’t need from a full template install, or add the necessary pieces. In this post I hope I can show you how to do the latter, showing only the pieces that you need. ASP.Net MVC Identity without using Entity Framework. Introduction to Identity on ASP.NET Core. Authentication & Authorization in ASP .NET Core.

This is the first of a new series of posts on ASP .NET Core for 2019.

In this series, we’ll cover 26 topics over a span of 26 weeks from January through June 2019, titled A-Z of ASP .NET Core! Authentication and Authorization are two different things, but they also go hand in hand. Think of Authentication as letting someone into your home and Authorization as allowing your guests to do specific things once they’re inside (e.g. wear their shoes indoors, eat your food, etc). In other words, Authentication lets your web app’s users identify themselves to get access to your app and Authorization allows them to get access to specific features and functionality. In this article, we will take a look at the NetLearner app, on how specific pages can be restricted to users who are logged in to the application. Getting Started with ASP.NET Core Razor Pages. Razor Pages is a new aspect of ASP.NET Core MVC introduced in ASP.NET Core 2.0.

It offers a "page-based" approach for building server-side rendered apps in ASP.NET Core and can coexist with "traditional" MVC or Web API controllers. In this post I provide an introduction to Razor Pages, the basics of getting started, and how Razor Pages differs from MVC. Razor Pages vs MVC. Dilbert Web Service.

Dilbert Click here for a complete list of operations. Test The test form is only available for requests from the local machine. Free Geocoding Web Service. Hacking thousands of websites via third-party JavaScript libraries – Daniel Matviyiv. Critical Values of the Chi-Square Distribution. This table contains the critical values of the chi-square distribution. Because of the lack of symmetry of the chi-square distribution, separate tables are provided for the upper and lower tails of the distribution. A test statistic with ν degrees of freedom is computed from the data. For upper-tail one-sided tests, the test statistic is compared with a value from the table of upper-tail critical values.

For two-sided tests, the test statistic is compared with values from both the table for the upper-tail critical values and the table for the lower-tail critical values. The significance level, α, is demonstrated with the graph below which shows a chi-square distribution with 3 degrees of freedom for a two-sided test at significance level α = 0.05. Given a specified value of α: For a two-sided test, find the column corresponding to 1-α/2 in the table for upper-tail critical values and reject the null hypothesis if the test statistic is greater than the tabled value. Safely migrating passwords in ASP.NET Core Identity with a custom PasswordHasher. An easy and secure way to store a password using Data Protection API. If you’re writing a client application that needs to store user credentials, it’s usually not a good idea to store the password as plain text, for obvious security reasons.

So you need to encrypt it, but as soon as you start to think about encryption, it raises all kinds of issues… Which algorithm should you use? Which encryption key? Obviously you will need the key to decrypt the password, so it needs to be either in the executable or in the configuration. But then it will be pretty easy to find… Well, the good news is that you don’t really need to solve this problem, because Windows already solved it for you! This class has two methods, with pretty self-explanatory names: Protect and Unprotect: The userData parameter is the plain, unencrypted binary data. Clear text (encode to UTF8) => clear bytes (Protect) => encrypted bytes (encode to base64) => encrypted text And for decryption, we just need to reverse the steps: Eventually, we can wrap all this in two simple extension methods:

Strange Attractors and TCP/IP Sequence Number Analysis. Here is an example of the 3-dimensional attractor for some sequence, seq[n]: If we know the value of seq[t-1], the problem of determining a "good" guess for the value of seq[t] is equivalent to choosing a "good" point in discrete 3-space. Indeed, given a point (x, y, z), we can add x + seq[t-1] to our Spoofing Set as a guess for seq[t]. Now, we turn our attention towards choosing points in discrete 3-space that will produce effective Spoofing Sets.

We refer to adding a point (x, y, z), adding a delta value x and adding a sequence value to the Spoofing Set interchangeably. We begin this analysis by noting that seq[t-1], seq[t-2] and seq[t-3] can be easily gathered by probing the remote host. Randomness in .NET – There are various situations when you need random data in your application. Maybe you want to mix the order of the returned items, or maybe you create nonces for your encrypted messages. Those two sample scenarios require different approaches, and while choosing a non-cryptographic PRNG works just fine in the first situation, using it in the latter is entirely wrong. Random deviates from standard algorithm · Issue #23298 · dotnet/corefx.

Decrypting ASP.NET 4.5 – Quipqiup - cryptoquip and cryptogram solver. Multi - Encoder - Decoder by FBCS (fbcs(at) Use PowerShell to Decrypt LSA Secrets from the Registry – Hey, Scripting Guy! Blog. Summary: Guest blogger, Niklas Goude, talks about using Windows PowerShell to decrypt LSA Secrets from the registry to gain access to domain admin rights. Microsoft Scripting Guy, Ed Wilson, is here. Today we have the exciting conclusion to the Security Week blogs by Niklas Goude. Impersonating a computer in a Windows domain. Feature or flaw? How to hijack a Windows account in less than a minute. XSS (Cross Site Scripting) Prevention Cheat Sheet. Last revision (mm/dd/yy): 10/8/2018. The Flourishing Business of Fake YouTube Views. How to Download Web Pages and Files Using wget. The wget utility allows you to download web pages, files and images from the web using the Linux command line. Work with ASP.NET Intrinsic Objects.

There are a bunch of objects built into ASP.NET for providing information about the current state of the server, application, response, etc. How do I access intrinsic ASP.NET objects from web service code (C#)? A Matter of Context. Susan Warren Microsoft Corporation. Wesley Bakker - Finding out if a delimited string contains a specific value the easy way. One of the things I do on a regular basis is to read somebody else's code in order to learn from it. And just this week I was reading some code of which I at first did not understand what was happening and then it struck me: var searchString = " " + inputString + " "; if(searchString.Contains(" " + searchValue + " ")){ // do something } The inputString here contains a space(" ") delimited list of values.

UserData in FormsAuthenticationTicket won't retain value. Browser Cookie Limits. On The Care and Handling of Cookies. Cookies in ASP.NET. Cookie Quest: A Quest to Read Cookies from Four Popular Browsers. System.Random serious bug. Top 20 NuGet packages for Security - NuGet Must Haves.

Web Server

Security Driven .NET. Check String Length Online -