Yesterday I attended an MSDN Event that covered an assortment of pretty cool topics (IIS 7, ASP.NET Administration Services, etc). Later that day I also attended the monthly HDNUG (Houston DotNet Users Group) meeting where another cool topic was covered (ASP.NET MVC Framework). I got so much information within such a short span of time that I had to come here and tell you all about it. So here it goes.
ASP.NET 2.0 MVC Framework
Basically, this framework allows you to separate your logic from the presentation layer so well that it makes code-behind pages a thing of the past. It also allows for intuitive URL routing, which basically means that instead of having http://servername/someappname/GetItems.aspx and http://servername/someappname/GetSingleItem.aspx, you would have http://servername/someappname/Items/GetSingle and http://servername/someappname/Items/GetAll. More specifically, in our environment you would set up applications such as http://servername/someappname/Items/Get/27 or http://servername/MyItems/GetAll/username. You get the idea. The URL becomes a more intuitive part of the application, not only in how the application is accessed but also in how it is navigated. The framework also simplifies the layers between the actual HTML code and the logic behind every page.
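To make the routing idea concrete, here is an added example (not code from the post or from the ASP.NET MVC framework itself) of a small route matcher written in Python. It assumes a single route pattern of the form {controller}/{action}/{id}, with the id segment optional; the pattern, the function name parse_route and the segment rules are my own choices. The point worth noticing from a security angle is that the id pulled out of the URL is still user input, so the matcher constrains it to word characters and rejects anything else rather than passing it on.

```python
import re
from typing import Optional

# Constructed route pattern modelled on URLs like /Items/Get/27 and
# /MyItems/GetAll/username (assumption: one pattern, id segment optional).
# The id segment is restricted to letters, digits and underscore so that
# values carrying ';', quotes, spaces or path tricks never reach the action.
ROUTE_PATTERN = re.compile(
    r"^/(?P<controller>[A-Za-z]\w*)/(?P<action>[A-Za-z]\w*)(?:/(?P<id>\w+))?/?$"
)


def parse_route(path: str) -> Optional[dict]:
    """Map a request path to controller, action and optional id.

    Returns None when the path does not fit the pattern, including when the
    id segment contains characters outside the allowed set.  Keeping the id
    as a string leaves the action responsible for converting it (e.g. to int)
    and for any further validation.
    """
    match = ROUTE_PATTERN.match(path)
    if not match:
        return None
    route = {"controller": match.group("controller"), "action": match.group("action")}
    if match.group("id") is not None:
        route["id"] = match.group("id")
    return route


if __name__ == "__main__":
    for sample in ["/Items/Get/27", "/MyItems/GetAll/username",
                   "/Items/GetAll", "/Items/Get/27;delete", "/Items"]:
        print(sample, "->", parse_route(sample))
```

Running the block shows the two URL shapes from the post mapping to controller/action pairs, while a path whose id segment carries extra statements fails to match at all, which is the cheapest place to stop it.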
Windows Communication Foundation (WCF) Services
Hosting and Consuming WCF Services http://msdn2.microsoft.com/en-us/library/bb332338.aspx
WCF takes what exists in the Web Services world beyond the HTTP protocol to a host of other protocols such as TCP, Named Pipes, etc. Since it does not run under IIS, the only mechanism for communicating with the service is the protocol itself (such as net.tcp://servername/ServiceName or net.tcp://servername:8080/ServiceName).
Main Security Threats in Web Apps
XSS (Cross Site Scripting) Attacks
Here an attacker takes advantage of missing input validation to insert script into a text area, and that script can then read information from the state of the page. If you do not validate input well enough, your application might be vulnerable to this attack. Just add // to any textbox and see what happens.
Use .NET 2.0's built-in AntiXSS Library
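The defensive half of the XSS point is that whatever a user typed must be encoded before it is written back into HTML. The following added example (my own code, not from the post or the AntiXSS library) shows the difference in Python, using the standard library's html.escape as a stand-in for an encoding library. The page template, the function names render_unsafe and render_safe, and the sample input are constructed for the example.

```python
import html

# Constructed page fragment: user-supplied text is dropped into an element body.
PAGE_TEMPLATE = '<div class="comment">{body}</div>'

# Constructed sample input of the kind a text area could receive.
SAMPLE_INPUT = '<script>alert(1)</script>'


def render_unsafe(user_text: str) -> str:
    """Vulnerable rendering: the text is pasted into the page verbatim, so any
    tags it contains become part of the document and run in the browser."""
    return PAGE_TEMPLATE.format(body=user_text)


def render_safe(user_text: str) -> str:
    """Hardened rendering: every character with meaning in HTML (<, >, &, ", ')
    is replaced by its entity, so the browser shows the text instead of
    interpreting it.  quote=True also covers the attribute-value characters."""
    return PAGE_TEMPLATE.format(body=html.escape(user_text, quote=True))


def contains_script_tag(rendered: str) -> bool:
    """Small check used to compare the two renderings."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_INPUT))
    print("safe:  ", render_safe(SAMPLE_INPUT))
```

Note that this is output encoding for an element body; text placed inside a JavaScript block or a URL needs the encoding for that context, which is exactly what a dedicated library such as AntiXSS provides beyond a single escape function.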
SQL Injection Attacks
Here, given the URL http://SiteName.com/getitem.aspx?id=22
and the code "select * from tablename where id=" & Request.QueryString("id") without validation,
the attacker can change the URL to http://SiteName.com/getitem.aspx?id=22;delete from tablename where id=22, or even run stored procedures against the database.
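To show why the concatenated query above is dangerous and what the fix looks like, here is an added example of my own (not code from the post), written in Python against an in-memory SQLite database so it runs stand-alone. The table name items, its two constructed rows, and the function names are assumptions. The unsafe function uses executescript, which runs every statement in the string, to mirror a database driver that accepts batched statements the way the post's example relies on; the safe function converts the id to an integer first and then binds it as a parameter, so the database never sees the attacker's text as SQL.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two rows standing in for 'tablename'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (id integer primary key, name text)")
    conn.executemany("insert into items values (?, ?)", [(22, "widget"), (23, "gadget")])
    conn.commit()
    return conn


def count_items(conn: sqlite3.Connection) -> int:
    return conn.execute("select count(*) from items").fetchone()[0]


def get_item_unsafe(conn: sqlite3.Connection, raw_id: str) -> None:
    """Vulnerable version: the query string value is glued into the SQL text,
    exactly like "select * from tablename where id=" & Request.QueryString("id").
    executescript runs every statement it finds, so 22;delete ... deletes."""
    sql = "select id, name from items where id=" + raw_id
    conn.cursor().executescript(sql)


def get_item_safe(conn: sqlite3.Connection, raw_id: str) -> Optional[tuple]:
    """Hardened version: validate the type, then bind the value as a parameter.
    Returns the (id, name) row or None when the id is missing or not an integer."""
    try:
        item_id = int(raw_id)
    except ValueError:
        return None   # '22;delete from items where id=22' is rejected here
    cur = conn.execute("select id, name from items where id=?", (item_id,))
    return cur.fetchone()


if __name__ == "__main__":
    payload = "22;delete from items where id=22"
    db = make_db()
    print("safe lookup of 22:", get_item_safe(db, "22"))
    print("safe lookup with payload:", get_item_safe(db, payload))
    print("rows before unsafe call:", count_items(db))
    get_item_unsafe(db, payload)
    print("rows after unsafe call:", count_items(db))
```

The parameterised query alone would already be enough in this case, because a bound string never becomes part of the statement; the explicit int conversion adds a second, cheap check that also produces a clean error for malformed input instead of an empty result.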
Good article here
Good article about security
That’s all folks!