ASP.NET Security Best Practices

Captions
Hey everybody, I'm Amanda with DevExpress, and welcome to today's webinar, ASP.NET Security Best Practices, presented by DevExpress CTO Julian Bucknall and DevExpress Technical Evangelist Paul Usher. In this session they will explore how to ensure your website is secure with some best practices surrounding DevExpress ASP.NET controls. In this webinar you'll learn how to protect your site and users when uploading files, stop XSS (cross-site scripting) being used to hijack information, ensure reports and dashboards are visible to the correct users and groups, and prevent cross-site request forgeries. This presentation will cover examples for both ASP.NET MVC and Web Forms and includes example code to allow you to test your existing sites. This session is being recorded and it will be made available on our DevExpress YouTube channel later today, and we will send the link to the recording in a follow-up email. We will also do a live Q&A at the end of this presentation; just type your questions in the GoToWebinar control panel at any time throughout the broadcast. All right, thank you so much for joining us. I will now hand things over to Paul and Julian.

Thank you, Amanda. Good morning everyone and welcome to today's presentation. Good morning, Julian.

Good morning. Welcome to ASP.NET Security Best Practices, and I would just like to point out at this particular juncture that I am the real Julian Bucknall, I am NOT an intruder or malefactor.

So there. I think you are. So what I'm going to talk about today are some of the security best practices that you should be using right now in your web applications, be they Web Forms or MVC.

Correct.

In particular we're going to look at the use of external files for malicious code attacks, we're going to look at different types of denial of service attacks, cross-site scripting and cross-site request forgeries. The examples I'm working from today are available on our GitHub page; I'll be posting a link to that later on. I'll show you the link, and we do have a mix of some Web Forms and some MVC to show you, just to break it up a little. I don't want to get too bogged down necessarily in all the code; we're wanting to show you best practices, what to look for, where to get the answers, and of course we're directly relating this to our ASP.NET UI controls. Julian, I'll be asking you to explain a little bit of each of these attacks as we move through, if that's OK.

OK, no problem.

So the very first one here we have malicious code attacks. Now this is essentially more about allowing your end users to upload files to your web application.

Now you might think to yourself, you know, web application, it's on a web server, here I am in my browser, there's this kind of nebulous bit in the middle, but really it's just me talking to the web server and vice versa, the web server talking to me. The problem is if I'm not me but (I'm going to be using the word "bad actor" throughout here, because "malefactor" I can't say very well) a bad actor, who has the same kind of access to your web application as one of your real users. And here we're going to be talking, with malicious code attacks, about uploading files. You may have a web application that allows your end users to upload files; maybe they're just, say, images, there may be documents, they may be anything that's important to your particular business. Now the problem is your bad actor can upload files which will do nasty things.

So the first thing we're going to talk about is preventing uploading of some malicious files. How do we stop the hackers out there uploading stuff that you don't really want in your web application? In particular we don't want things to be exposed, so we don't want access to web.config information or other things, and this first example is going to focus on how to stop somebody uploading an executable page into your application. Now this example works with IIS or anything based on IIS, so some of the cloud servers, and we'll start by looking at what happens when I upload a page or a file. Here we've got a standard DevExpress file upload control straight out of the box, and what I'm going to do is choose this malicious ASPX file to upload and say upload. At that point it's done, it's in there, and all it requires is somebody to do a little bit of sniffing or to even guess what folder you've actually saved that to, and it wouldn't be an uncommon thing to have an upload folder or an images folder as we've got in this example. But having just uploaded that page, I can now go to that location and execute it, and you can see here that my page (and I'll show you the code for this particular page), you can see that it's actually gone and retrieved the entries of my configuration, of my config files, for database access. So within seconds I've now got a listing of what the connection strings are for that particular web page.

And to show you just how easy it is to do that, I'm going to jump over to VS Code (and remember to use the correct shortcut key instead of my Mac key) and go into uploaded files, images, and we'll see this is where the file was actually uploaded. In and of itself it's a very simple ASPX file, not doing anything special: on page load it's running through all the entries of the connection strings from web.config, so you can see how easy it is to expose that. And of course just from that you can imagine how easy it is to get access to other things, information on the server, local files on the server, because you're executing a page as if it's part of your website. And then here we're just showing you how we spit out the information on that.

Now, to show you that that's actually a live example, make sure I'm in the right project, and I'm going to come to my web.config, and where we had no username and password I'm going to put Julian and a password of... that's your usual one, Julian. Damn, damn, oh no, gotta change it now. I may need to reset that. There we go, and you can see that that's actually reading that in real time from that uploaded file. The thing that should get people's attention is how easy that was to do without too much effort from a hacker, even a script kiddie type scenario.

So now what we want to do is actually look at what's required, or how do we mitigate that particular set of circumstances. First thing we're going to do is talk about what the settings could be on the upload control itself, so I'm going to jump to my upload markup page, and if I know that I'm expecting a particular file type the simplest thing is obviously just to set that allowed file extension. So now I only want JPEGs or PNG files to be allowed. What effect is that going to have on how things are processed? Let's run the example again, browse, and now we can see that I'm not seeing my malicious file, and if I do actually try and select it I'm gonna get a message saying that file extension isn't allowed. So that's a very simple step to take, depending on what you want to upload.

And that's important actually, because we basically wrote the upload file control to accept any file whatsoever. We didn't want to limit it in code, shall we say, to just images or just documents or anything like that. After all, it's your web application; if you're uploading files, you're uploading files for a reason, they're particular files which are required by your web application or by your business or whatever it happens to be. So it's up to you to limit the file extensions that will be allowed for your particular application.

Absolutely. Now the other thing you can do is you can also set the validation settings inside an event, either the upload event or, depending on how you've got the file upload control set, but you can set the allowed extensions in code-behind as well. There's a couple of other things that you can consider. One, if I switch back to VS Code, is the addition of something like this into your web.config, which will actually stop the items inside that folder from being executed, so it would be read-only. And of course this really is just touching on things like: the upload control supports file types out of the box of any type; the binary image, the same; file manager, we've got some default or some preset allowed extensions; on the HTML editor, such as the image types, MP3, MP4, OGG and so on; rich text edit supports or allows extensions of DOCX, EPUB etc.; spreadsheet control, XLS, XLSM and all the usual extensions including TXT, DOC, CSV. So there is another thing that we can do, particularly where images are concerned, and I'll be looking at that when we get to the binary image section.

So next what I'd like to look at is how to prevent uncontrolled resource consumption. Now what do I actually mean by that? Another word, another phrase might be a denial of service attack. Julian?

So basically your web application is accepting users to upload files. The issue becomes, if you like, the denial of service attack, and I'm not going to be talking about the DDoS, distributed denial of service, thing. Denial of service, that is for example "hey, I'm going to upload a huge file to this server and let's watch the web application die on its feet", and it also involves how you're going to be processing these files on the server. Are you just going to be putting them into a folder, or are you going to actually be, say it's a CSV file and you want to extract the information out of the CSV file and put it in the database? You know, all of those kinds of things could be susceptible to some kind of denial of service through a bad actor, say, uploading a lot of files very quickly, or big files, or whatever it happens to be. We're going to try and, through our code, control the consumption of resources on the server, so memory, disk space, processor time and so on and so forth, to allow good response times for your normal end users, not your bad actors.

So typically, as Julian mentioned there, what we're wanting to do is stop anything that's going to be taking up too much memory, too much CPU time or too much hard drive space when uploading files, and we're talking usually large files that will do that. Now there's nothing special in the actual markup here, I've got a packet size set here, but what we do want to do is actually look at the code inside. Now the DoProcessing thread at the moment, or the DoProcessing event, is simply running up a long thread to emulate some delayed processing time. The two things that I want to focus on when you're looking at files: a bad approach is actually processing FileBytes, so we're going to comment that one out. The reason for that is FileBytes basically reads the entire file into memory.

Yeah, you don't want to do that. You want to process a file in chunks, and that's why a good approach here is to use streams. With a stream you're going to be, or rather the runtime will be, reading the file in chunks, so you're processing them in chunks: you read a chunk, you process it, then you read the next chunk and then you process the next one. So it doesn't mitigate the problem about, you know, processing a huge file per se, you're still going to be, you know, spending a lot of time reading the chunks and all the rest of it, but at least you are not going to be constraining your memory. After all, the web server is processing several requests at the same time; it's not just doing one request at a time, it's doing lots, sometimes tens of thousands.

So a couple of other things people might not already know: setting up your web.config, you've got inside your httpRuntime you can set the maxRequestLength, and in requestLimits you can set the maxAllowedContentLength. The problem with that approach, especially if you're using a control such as ours, is we upload smaller fragments by default, so only a couple of hundred K at a time, so that that connection gets to stay open, so that's going to bypass some of those behind-the-scenes approaches for uploading large files. So this approach, you can set a maximum file size within the upload control, which will also help. Now the HTML editor control and the spreadsheet control do have a ceiling for uploaded file sizes. Any guesses as to what that is? It's actually 30 megabytes or more.

And that's again the issue: we are writing a general control, it's up to you to define the limits of that control. So for a file upload control, for example, define the maximum file size you're going to accept. I mean, 30 megabytes is probably a little large, but, you know...

Well, most people... I know that the Internet is getting faster and faster around the world, but there are still people that struggle with slower speeds, and 30 megabytes could still take considerable time to do the upload, so having a few pages doing that...

Yeah, be aware of that particular property. Set your maximum file size, whatever upload control you are using, do remember to set it. You know, if you're in an HTML editor, how many HTML files do you know that are 30 megabytes in size?

I've seen your blog.

Thank you. So, limiting it in that sense as well. Now the file manager control by default allows files to be uploaded and does not impose any file size or extension limit, but you can disable the file uploading simply enough by setting SettingsUpload.Enabled to false in the markup, and of course you can also alter other operations of the file manager such as copy, delete, download, which are all configured using the SettingsEditing property, and most of those are disabled by default.

So the next thing on my hit list, Julian, is the use of temporary files. Now the process, or the approach, here would be that you've got an end user who is allowed to upload, I don't know, a spreadsheet that you're going to process into a database later, or a text file that you're going to process into a database later; this ability for uploading information for later consumption by another process, and it's sitting in a temporary area. There's a danger here that will allow third parties to get to that information, which of course is a big no-no.

When we look at, sorry, the first thing of course is if you're just allowing your end user to upload files for later processing, don't put them in a folder that's accessible through a URL. Paul showed an example earlier of our malefactor uploading a file into the images folder, and it's kind of obvious: hey, we're uploading an image, it's probably going to be the folder called "images", and lo and behold there it is. Be aware of the fact you can hide folders from being accessible through a URL. The biggest example here is App_Data, which Paul is currently pointing at. App_Data is not accessible through a URL, so be aware that you can do that, and do it. If you're having temporary files and you're processing them later, put them in a temporary file folder that's not accessible through a URL.

And then additional options here would be to use a dedicated extension-free temporary file, so instead of just taking the user's file name with their extension, you could create your own custom one. That's going to make it extremely difficult for people to consider. Again, this is all about making things more secure. You may think to yourself, well, you know, my temporary folder is not accessible through a URL, why do I need to do all this? Just, you know, layer on some security here. And I really like this bit, previous to the .mytemp extension here, the GetRandomFileName for your temporary files. This is new to me, I didn't actually know this existed, but it exists.

It's been in the framework for as long as the framework has existed, Julian, and it's part of IO.Path, and there's a couple of calls which people might not be aware of and are certainly useful. There's GetRandomFileName and GetTempFileName. Now there's a subtle difference between the two. GetRandomFileName will return a cryptographically strong random string that can be used as either a folder name or a file name, but unlike GetTempFileName it doesn't create anything on the disk. So if you use GetTempFileName it creates a zero-byte file already for you.

So yeah, the random file name, the assumption is it's going to be cryptographically secure, therefore it's, you know, it's like a GUID: you're not going to get the same GUID twice in a row, so automatically you have a unique name. Whereas the GetTempFileName, I should say, has to create a file there just to make sure that that particular temp file name is never used again.

So one thing to note here, though, is GetRandomFileName, if you do want to use it, does automatically include an extension, so you need to strip that out or be careful that you're using your extension on top of that.

Right. So with temporary files, make sure your folder is inaccessible to the outside world. I should say obviously it's going to be accessible to your website; that's the important thing about if you can execute code on the web server, you've got access to the entire file structure, the entire folder structure. And if you're using temporary files then by all means, you know, create random file names and process them later, or temporary file names; don't accept what the user gives you as a file name.

Absolutely. And I'm just going to jump over to the browser for a second. If you're using the DevExpress ASPxFileManager control then you can use the access permissions for setting rules against each of those folders, so there's a great document here inside the Support Center, or the documentation, showing what and how to set those rules up for different things, so there's some great examples as well if you're wanting to specifically allow certain things to be shown, uploaded, etc. etc.

Next on my hit list. We've covered three big ones so far: malicious files, the DoS, and now we take a look at binary images.

And this is kind of an important aspect of web applications. You generally let people upload images so that they can view them later. An example is, you know, an avatar. Maybe your web application allows your end users to have an avatar that they can see when they're ordering a product or, you know, writing something on some thread in a conversation or something like that. You're going to allow your end user to upload an image and view that image so that they can say, oh yeah, that's me.

Now you might drop on the upload control, as we've got here, and you followed our other example and said, well, we're only going to support JPEGs, and set the extensions for that, so we're not exposing ourselves to the malicious code attack. However, what I've got here is a file with a .jpg extension. I'm gonna go upload, and it's now in our folder. If I jump back to my page, I now want to view that image, and here we've got a page, and I'll show you the markup just of the page for viewing it, and boom.

Ow. And you may have guessed from the name of the file that we are showing here some basic cross-site scripting attack. XSS, cross-site scripting, by all means go and Google it, it's kind of interesting. It's a way of getting a file onto a server that gets executed by the server or passed back to the browser and executed on the browser, and that code should not be executed at all. Here we have a bit of, if you like, HTML, it's actually an XSS type thing, and boom, here we go: alert "Hello World, your site has been hacked". So imagine that that was not an image at all. It had the right extension, but it wasn't an image. And images are, I'd say, a kind of special class of things, you know, because they're, I'm going to say something stupid, they're visible everywhere, and your users will be uploading images, I can pretty much guess that.

But it's certainly a common thing where people are wanting to upload avatars and other things. So this is the actual code for the binary image viewer that we're looking at. The markup is straightforward, nothing there. If I jump to the code-behind we can see that the image was being read. Typically this would be done from a database, but for our demonstration we're just using a file that was saved out, called avatar, and that's been read back into a byte array, and then we're displaying a content type of image and then outputting that byte array. So this is not a best practice, and in fact what we need to do is get rid of this line here and bring in and specify that the image type is of a JPEG type, and for additional validation you can use this header, which is going to specify nosniff on the X-Content-Type-Options. So if I run this example again and do my image viewer, I'm now, instead of executing that potentially dangerous code, I'm going to be seeing this message saying hey, can't display this.

So again this is an example of being more secure in how you respond to requests. Be aware that, you know, stuff you may get from your end user may have malicious code in it, and stuff you send back to the user may also have malicious code in it, inadvertently to you, so be more secure. In other words, here we're saying, well, this is an image viewer kind of thing, let's force the response headers to say this is an image, it's a JPEG, and, you know, let the browser do its stuff, which is what just happened. Basically the browser said, yeah, that's not an image.

Absolutely. Interestingly, Dara mentioned Microsoft Edge has that protection built in already, but whether that's gonna disappear when they, what did you call it earlier, Chromify it...

Yes, Edge. Microsoft are deciding to use the basic Chrome code for the next Edge or something, so that could be fine.

Oh, there goes my phone. Now one thing that I want to look at inside the file upload control was how can we also stop that file from being uploaded in the first place. One of the things we can do: we've got our upload control as we had before, only this time I'm going to uncomment a few lines of code and then explain what we're doing. So after the stream, or after the file, has been uploaded, we then attempt to read and create this stream and pass it into this new method called IsImage, IsValidImage. It's a simple enough check that simply retrieves, or receives, the stream, sets up a try/catch and says OK, try and use that stream to create an Image object. If that fails then it's going to return false; we don't care why it failed, there's a problem. Will it be a corrupt file, a different file type that's not one that is supported as an image, or in our case it's that malicious code. If it does represent an image then return true.

Yeah, in other words, if you're expecting a file of a certain type, verify that it is of that type. Invalid image.

Now of course there's one other thing that simplifies all of this process. Of course we have a control for doing this, so the ASPxBinaryImage control out of the box has all the built-in support, no code required. It's going to validate that what you're actually uploading is what you're expecting, so at that point it's not going to save my avatar picture out, for that reason.

So because a lot of websites, a lot of web applications use binary images, allow users to upload them and view them and all that kind of stuff, we created a control to do just that and make sure that it is secure. Final thing on uploading images, of course: set your maximum upload file size, because it's the simplest thing that's going to prevent denial of service attacks. Make that image size and maximum size relatively small and you won't suffer from those DDoS attacks.

Now we're going to jump over to our MVC project and we're going to take a look at cross-site, CSRF, cross-site request forgeries.

In other words, look, when you use a browser to access something on a web server, you, or rather the browser, sends a request to the server, the server reads the request and then sends back whatever response it happens to be. So if you're requesting a web page, your request will be "give me this web page" and the server says "oh, I've got that web page, here's the HTML". And what this particular issue is all about is forging those requests to the server to do something nefarious, to get something they're not supposed to see, whatever it may be. Cross-site request forgeries generally involve some kind of phishing page, so phishing as in "ph" phishing rather than "f" fishing. So some kind of phishing: you send, you know, emails out to everybody in a company with some kind of phishing link in it, and somebody manages to click on the link and then suddenly you're in control, and this is all about trying to get those kinds of forgeries thrown out.

So what Paul is going to show here is a grid. So we've got one application here, it's a grid, and you should be logged in to edit that grid. So Paul is going to log in, and he's going to log in as the admin because everybody does, and here we have a grid, and it's a grid that we can edit, we can, you know, do some changes, fine, everything's groovy. But what we're going to do now is we're going to forge a request to the server, and this is generally done through AJAX. What this particular grid does, which is our grid obviously, is that when you make a change it results in an AJAX call to the server, the server does some processing for the database and sends back whatever changes to the screen, whatever changes to the rendering are necessary. So what we're going to do is we're going to forge a request to the same AJAX access point.

So here we have, it's just a link. We'll show you the code in a minute. We're going to view the page source right now. There we go. The link, all it's going to do is, oh, it's a hidden form here, look. Hmm, OK. It's going to submit that hidden form, and the hidden form is going to call the EditFormDeletePartial AJAX call and it's going to pass an ID of "ID" and a value of 2. It's going to delete, so effectively, as a phishing page, it's going to remove line two from my grid, and I've got no way of actually controlling that.

So send post back. This is the page that has been rendered from that callback. However, if we go back to our real page and do a refresh, line two indeed has been removed by a third-party page, something that obviously none of us want. And it's typical for those types of attacks to alter emails or steal emails, passwords, and in fact there's a couple of great articles out there on why you shouldn't use auto form fill for that very reason: having hidden forms, you accept the fact that you're quite happy to have your page filled, and a heap of information that you're not even aware of is then sent back to a third-party server and you can't do anything about it.

So let's take a look inside the correct project at what's actually happening here and what we can do to actually mitigate that. As we saw before, the actual phishing page itself is quite simple, just doing this post back, and it knows, from a bit of playing around inside the Chrome tools, what the ID is and how to look for the value. So some of this background information, people can spend time just playing around trying to work out how they can access your particular page. What we are interested in is looking at the solution, or how we can implement that, and it's all to do with these tokens, as Julian was noting before.

So in essence, what we're going to do here is to create a unique token that goes along with the user and his particular session, and that token can't be forged because it's going to be cryptographically signed, and every request the user makes has to include this token, and the server is going to validate the token to make sure that it is valid and therefore the user is who the user says he is, and so on.

Correct. So there's a page on the Microsoft site that talks in great detail as to how the validation, how the tokens work, so we'll be including, or there is a link to that in the detail as well. I want to look at my... so I'm working with a very small screen size here, so I'm going to have to use my search to find the correct details. Now what was interesting when we were preparing this presentation, Julian, while I find my page, is that the Web Forms version, this is actually quite difficult to replicate, and if you're using ASP.NET Identity then those particular tokens and validations are used as well by ASP.NET to protect your site. OK, the file I am looking for is a controller. So, using anti... and here we go. So in order to actually prevent that from happening, once you've injected the token into your client side, which as Julian mentioned is done by basically creating a unique value based on a machine key, something like that, then you can add the decoration attribute to say ValidateAntiForgeryToken. Want to run that example up again. I should have all three products back, hopefully. Wait for IIS to spin up. Yes, there's my three products, and I actually want to go to my post back page here. So we can still edit; this time I'll do a sad face, another smiley face, and now we're going to try and send that post back, and I get this validation saying that hey, sorry, you can't call this page without actually having the correct validation token as part of that request, therefore protecting the user from that cross-site request forgery.

Yeah, so in essence what we've done is, yes, somebody could work out, you know, what AJAX call to make to do a certain thing, but what we're doing here is we're giving that call a token, if you like, that can only be from, or used from, the user's own session.

Absolutely. Now we want you to be aware that in complex AJAX-enabled controls they don't actually automatically include the token field's value in their AJAX requests, so instead, just as a little snippet that you can come through and actually incorporate your token inside the request. So all of this and all the code that we're showing is very available for you, and I'll take you through that in just a minute. Now there is also the ability of implementing the same on the dashboard product, but what we're going to do is jump over to our website and start stepping you through some of the links and how to look through some of the steps in more detail, and then we're going to talk for a few minutes about authorization, which in itself is quite a large topic covering three of our largest visual BI-style products. But using the anti-forgery token with the dashboard designer, we've got some great code examples here, again for both styles of web project, and unlike the unceremonious yellow screen of death that we saw before, the dashboard will display a nice little message or toast, toast is the word I was looking for, Julian, popping up saying nee-naw nee-naw nee-naw, you can't do that.

Yes. All right, let's scroll back up this document and take a look at authorization. We saw before, let's go home, I'm logged in, if I want to log off... You're going to use authorization when accessing things: reports, dashboards, and even down to what you want your end users to have available for the query builder. But if you think in terms of you've got a public website and there's a report using the DevExpress XtraReports engine that you want people to see, you can launch the report and we're gonna see a nice report, but my page has got all my usual details, exporting, everything that is available out of the box. However, I now want to look at a report that is only available to somebody who's logged in, so I'm gonna have to be putting that behind a control, say you must have authentication to view that data. That in and of itself is OK, unless you've then got roles. So think in terms of public being a role, we've got admin which might see everything, and then we've got, say, the Technical Evangelist that only sees limited things. So based on which user is going to log in as to what might be available. So John logs in, and John gets access to John's report and the public report. Makes sense. John's got the ability to edit. We saw before, when public logged in there was no option as to what reports were available, and in fact if I now log in as admin we're gonna see that I've got admin reports, John's report, public report, and again I've got the ability to edit.

So in terms of setting that up there's a number of different things we can do. Again, I'm not going to try and go through all of the different processes here code-wise, because it just takes focus away from what we're trying to do, but in essence for each of the products there's a set of attributes or a set of inheritance classes that you can implement that will take you through that process. I would have preferred to see maybe a role instead of a username here, but it's the same practice, same principle. We can see that here we've got a method returning a list of available reports based on who the current user is, so we're getting the identity of the user and then building up this list of available reports, and we can see here the difference of, or why, the user admin was able to see all of the reports versus the user John who could only see one report, and of course for the public user there'd be nothing returned in that. Understand that this is a simplified example; some of this information you'd be having inside a database table or dynamically created, you wouldn't necessarily be expected to even know all of the report definitions at this level, but we're trying to give you the overview here as to how you can protect those reports and protect your end user information. Similar principle for being able to get through an edit. Now I'm not going to step through and read all of this, you can do that in your own time. The examples do go through quite clearly and start to show you what the end user is going to see happen, and the example here is if somebody tries to paste a URL or tries to take information... we can see here that the document viewer fired the method OpenReport with "admin report". If somebody tried to spoof that and they weren't validated then they're gonna start getting errors shown, so that they can't actually hijack that information. Does that make sense, Julian?

Absolutely. In essence, I mean, that code that Paul was showing earlier on, I mean, you're hard-coding your report names, hard-coding your user names. Yeah, you wouldn't have that in a real application, but nevertheless there'll be some kind of table where you are linking names or roles to reports and so on and so forth. So this shows you, you know, how to use authorization so that your end users can't view something they're not supposed to be able to view.

Absolutely. Just scrolling down to finish: exactly the same principle for the dashboard. We've got some examples here, again whether using MVC, whether using Web Forms, how to implement specific controllers with access rules for each of those viewers. Now Julian, talking of dashboarding, reporting specifically, we are going to be doing some technical, I think 400-level, webinars coming up over the next couple of months, some real deep dives and some real just get down and dirty coding sessions on how to use some functionality in there, so I'm just gonna throw that little...

I should actually do some revision then.

Why not? Now, I've not taken a look at any of the questions yet, so do we want to maybe have a look through some of them?

Yeah, why not. The only thing I'd point out to people at the moment is we do a lot of security investigations, whether they're prompted by our customers saying "whoa, what about this?" or whether we discover something online, for example where people are talking about a certain vulnerability and how to get around that vulnerability. We do these security investigations pretty much all the time. The GitHub page that we were showing earlier on, that you can visit, and Paul will be giving you the full link in a moment, shows our current understanding of how to ensure secure applications using our controls at this point in time, and we do regularly update suites and subscriptions to mitigate vulnerabilities as and when required. Obviously we'll be updating that GitHub page when required, but I really, really, really would ask you to make sure you get emails from us, when we basically send out an email saying "oh, there's this
security issue it has been resolved in version say eighteen point two point seven please download this now if you're using such and such a control we send those out fairly regularly when we discover vulnerabilities or when we mitigate them so please be aware of that and make sure that you're always but always using the latest version of a particular release oh there it is go to github.com DevExpress in the SPD met security best practices ok questions questions questions the team have been busy as always answering but what I might do is read through some questions and some answers you're more organized than I am then so one of the question is how can I refine restricted extensions which we covered basically you can do it in your code behind in an event or you can set the allowed file extensions inside the validation settings tag on the file upload control and about things we have so a couple of people asking about the link which is now posted and still up on screen the the other thing I want to emphasize is when we write a control we try and make it as wide-ranging as possible when you're talking about security you don't want things to be as wide-ranging as possible you want to nail it now you want to impose limits so all I would say is be aware that if you're using a particular control that might have security implications it probably already has methods and properties which allow you to limit what the control can do so yeah we were talking earlier on about pillar setting fun extensions and all that kind of stuff so be aware of that kind of thing and make sure you just don't use a control straight out of the box you look at how you can limit the implications of using that control for your particular web application one questions for file extensions what would we want to we would want to control in a file uploader or file manager is there a blacklist property or only working with why there so by default the upload control and the file manager allow uploading of any 
file there's no blacklist property but you can use that allowed file extensions to define what's happening and of course in the file manager control you have the access rules set around that as well the one question came through what about SVG files which Julian loves but of course they contain nasty scripts as well so is there any way to check that and the answer is by default the binary image control that does not allow uploading of SVG files it only works with binary image data sort of hence from the name we've got that's an interesting question I wonder if there's somebody out there is actually written a validator for SVG to say yeah this is a valid SVG or what the heck is this this is not SVG because after all SVG is a script you're free this weekend yeah right okay fine what's that I was going to just show people when we saw that error message a little earlier was of course what happens I left for our four pages what's your blogpost Julianne's what's my blogpost what boy a.com slash meh so when you talk about for all four pages instead of yellow screen of deaths you can end up with of all things a Peugeot 404 I think that's Julian in the front driving yeah yeah brilliant sixties car Italia anyway but you should never see a yellow screen of death you're talking about my right block there you were talking about it's just weird I actually log every 404 access see what people were trying to access and somebody last week tried to retrieve via URL all of the get folders that get generated if you're using git as your repo on your on my production machine on my production block there yeah I mean yeah the the folders are not uploaded and all the rest of it somebody actually tried to access those URLs so just you'd be warned people do your script kiddies do do weird wonderful things and try and access things they're not supposed to so make sure your web application is locked down back the questions file manager useful component for SP net is there a similar component 
for spa applications such as their extreme and the answer that is not yet but it's on our future plans a big smiley face well think about that extreme is this client-side so you know the attacks via Ajax for example when we're talking about cross-site request forgeries that still happen but it again it's on the server the server does the work the forgery tokens are not available on dev extreme at the moment I'm a submit but you know there's still a server aspect to dev extreme even though it's pure client-side absolutely another question do you need to place your anti forgery token on every forum or is it possible to just set it once and unfortunately you need to put it on any forum where data is submitted back to the server they are form submit or Ajax call have a forgery token and there's a couple still that I need to check with the team on so Jillian as usual I'm dubbing you in for the block post with the follow up questions no we shall pass back to you because I am going to ignite London London ignite which is next week is it gonna be as good as Sydney was last week long to ignite it's in the Docklands I think and of course we have some other amazing webinars coming up over the next few weeks so maybe we can hand back to Amanda hello gentlemen alright everybody like I mentioned before today's webinar will be made available later on our deaf express YouTube channel I'm gonna post that link right now in the chat box there it goes while you're on our YouTube channel please subscribe and also ring that little notification bell so that you are notified whenever we release new content you will also get a follow up email with a link to this webinar recording in like Paul mentioned we do have a couple webinars coming up revamp your WinForms apps NBC tips and tricks and more you can register at def express.com slash webinars and that is it for this one thank you so much to Julian and Paul thank you all for joining us and of course thank you for choosing DevExpress bye 
bye
Info
Channel: DevExpress
Views: 11,863
Rating: 4.9189191 out of 5
Keywords: Developer Express, DevExpress, ASP.NET, Webinar, Best practices, Security
Id: V_LFLjnFnis
Length: 57min 16sec (3436 seconds)
Published: Tue Feb 19 2019