Handling brute force attacks with Umbraco

Web programming, Web security
If we want our Umbraco website to block a member's account when it is the target of a brute force attack, we can do this:

1. Add two properties to your member type: locked [true, false] and failedLogins [Numeric].

2. Add the following attributes to your UmbracoMembershipProvider element inside web.config (notice the values are the same as the aliases of the properties we just created): umbracoLockPropertyTypeAlias="locked" umbracoFailedPasswordAttemptsPropertyTypeAlias="failedLogins" maxInvalidPasswordAttempts="3" passwordAttemptWindow="30"

Your web.config should look something like this:

[sourcecode language="xml" wraplines="false"]
<add name="UmbracoMembershipProvider"
     type="umbraco.providers.members.UmbracoMembershipProvider"
     enablePasswordRetrieval="false"
     enablePasswordReset="false"
     requiresQuestionAndAnswer="false"
     defaultMemberTypeAlias="MyMemberType"
     passwordFormat="Hashed"
     umbracoLockPropertyTypeAlias="locked"
     umbracoFailedPasswordAttemptsPropertyTypeAlias="failedLogins"
     maxInvalidPasswordAttempts="3"
     passwordAttemptWindow="30" />
[/sourcecode]

The rest is handled by Umbraco. You also have a couple of attributes to set how many failed attempts are allowed before a block and for how long the user stays blocked. You can use the attribute defaultMemberTypeAlias to set your memberType alias…
Read More

Validate forms in client side using jQuery

Web programming, Web security
There is a quick way of validating forms if you are using jQuery.

1. Download the validation plugin. You need to download the jQuery Validate plugin. Alternatively you can reference the online version from your code.

2. Add the plugin to your website. I presume you are already using the latest jQuery library and don't need any explanation on how to use it, so just add another reference to the plugin in your code so you can use it:

[sourcecode language="html" wraplines="false"]
<script src='Scripts/jquery-1.7.1.min.js' type='text/javascript'></script>
<script src='Scripts/jquery.validate.min.js' type='text/javascript'></script>
[/sourcecode]

3. Make a call to validation. Now, if you just want to validate a form using the default validation rules, you only need to call this function:

[sourcecode language="html" wraplines="false"]
<script type="text/javascript" language="javascript">
$(document).ready(function () {…
Read More

Building your Authentication system in .Net4.0

Web programming, Web security
By default, .Net applications offer a prebuilt authentication system that you can use to give some privacy to your website in case it's a small one. But, if you intend to use your existing DB with its existing users table and your existing conditions, you may want to build your own authentication system. Most of it can be built using a standard .Net layout, which I'm going to show:

- Web.config
- User Class
- Authentication Cookie
- Login Page
- Accessing the User Object from any Page

Web.config: let's start by talking about the web.config file, since, as its name indicates, it's the file where the site configuration resides and therefore the best place to configure the site authentication. You can of course build your own manual system just by setting something at the master…
Read More

How to get a string in MD5 in C#.Net

Web programming, Web security
Here it is:

[sourcecode language="csharp" wraplines="false"]
public static String getInMD5(String inputString)
{
    // Encode the input as UTF-8 bytes before hashing
    byte[] input = Encoding.UTF8.GetBytes(inputString);
    byte[] output;

    // MD5 is IDisposable, so dispose of it once the hash is computed
    using (MD5 md5 = MD5.Create())
    {
        output = md5.ComputeHash(input);
    }

    // Render the 16-byte digest as 32 upper-case hex characters
    StringBuilder sb = new StringBuilder(output.Length * 2);
    for (int i = 0; i < output.Length; i++)
    {
        sb.Append(output[i].ToString("X2"));
    }
    return sb.ToString();
}
[/sourcecode]

You may need this too:

[sourcecode language="csharp" wraplines="false"]
using System.Text;
using System.Security.Cryptography;
[/sourcecode]
Read More

The real privacy your photos have in Facebook

Web security
I realized the other day that Facebook doesn't give you much privacy with your images, and I wondered about something: if anyone who knows the URL of a picture can have a look at it even though I have set it as private and shared it only with some friends, what if I try to delete it? Well, first of all, first example: this is a private photo I've uploaded to Facebook; if you can see it, then it's not that private... Now, let's try it with a photo that I have uploaded, yes, but have now deleted, so it shouldn't be on the Facebook image server: And finally, both of them: a photo I uploaded that is private and that I've then deleted; can you see it?…
Read More

Hacking a site’s photo directory using DOM or jQuery

Web programming, Web security
I watched the film about Facebook the other day, yes I couldn't resist, and I thought it had some interesting moments. At the beginning, Mark "hacks" some Harvard websites which contain profile photos of the students. How did he do this? Well, I didn't see the code or remember it from the film, but I am going to suppose what he did and how. Lots of webpages store their images in the same directory, or at least place all images of the same type together, which means all the profile images were in the same location. Also, for programming convenience, those images tend to have a name which is a numeric code, maybe the student id, or maybe the sequence number of the photo when it was uploaded. This means…
Read More

Third-party cookies

Web security
I am sure you have read something about third-party cookies before, mainly because if you check your browser options you have an option to block that type of cookie. But first of all, let's start from the beginning: What is a cookie? A cookie is something to eat made with some flour and water and.... wait, that's not what I was talking about. On the Internet, a cookie is a small text file that a webpage uses to save some data about you on your PC. Why would a webpage want to do that? Normally to identify you or to remember some options you chose and use them in the future. In fact, lots of pages use cookies to identify you as a unique user and that is why without…
Read More