
Tuesday, May 27, 2014

C# 6.0 Language Preview

There’s nothing particularly revolutionary or earth-shattering in C# 6.0. Compared with other significant releases, such as generics in C# 2.0, LINQ in C# 3.0 or TAP in C# 5.0, C# 6.0 is more of a “dot” release than a major one. (The big news is that the compiler has been released as open source.)

 

1. Indexed Members and Element Initializers
2. Auto-Properties with Initializers
3. Primary Constructors
4. Static Using Statements
5. Declaration Expressions
6. Exception-Handling Improvements

 

See the reference below for more details.

 

Reference: http://msdn.microsoft.com/en-us/magazine/dn683793.aspx

 

 

Note:

The C# 6.0 features listed above are implemented entirely in the compiler, without any dependency on an updated Microsoft .NET Framework or runtime.

This means you can adopt C# 6.0 in your development without having to upgrade the .NET Framework for either development or deployment.

In fact, installing the C# 6.0 compiler from this release involves little more than installing a Visual Studio 2013 extension, which in turn updates the MSBuild target files.

 

 

Hope this helps.

 

Arun Manglick

 

Monday, May 19, 2014

VS 2013 - Browser Link

Browser Link – SignalR channel between browser and Visual Studio

 

The new Browser Link feature in VS 2013 lets you run your app within multiple browsers on your dev machine, connect them to Visual Studio, and simultaneously refresh all of them just by clicking a button in the toolbar.

 

You can connect multiple browsers (including IE, Firefox and Chrome) to your development site, including mobile emulators, and click refresh to reload all the browsers at the same time. This makes it much easier to develop and test against multiple browsers in parallel.

 

Browser Link also exposes the Browser Link API to enable developers to write Browser Link extensions.

By taking advantage of the Browser Link API, developers can create very advanced scenarios that cross the boundary between Visual Studio and any browser connected to it.

 

Web Essentials takes advantage of the API to create an integrated experience between Visual Studio and the browser’s developer tools, remote controlling mobile emulators and a lot more.

 

 

Hope this helps.

 

Arun Manglick

 

Monday, May 12, 2014

Web Application Security & Non-Hacking Tools & Techniques

Below are the major threat categories. We'll study here the different tools and techniques used to prevent such attacks.
  1. Cross Site Scripting (XSS) & HTML Injection
  2. Cross Site Request Forgeries (CSRF)
  3. Session Hijacking
  4. Injection
    • SQL Injection
    • HTML Injection
    • HTTP Header Injection
    • Mail-Header Injection
    • OS Command Injection
  5. Sensitive Data Handling
  6. Phishing Attack
  7. Click-Jacking
  8. Directory Traversal
  9. Race Condition
  10. Access Control
  11. Encryption
  12. Programming
  13. Input Validation

1). Cross Site Scripting (XSS):

Cross-site scripting (XSS) vulnerabilities occur when:

  • Untrusted data enters a web application, typically from a web request.
  • The web application dynamically generates a web page that contains this untrusted data.
  • During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
  • A victim visits the generated web page through a web browser; the page contains malicious script that was injected using the untrusted data.

Three types of XSS:
  • Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response.
  • Type 2: Stored XSS (or Persistent) - The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is read back into the application and included in dynamic content.
  • Type 0: DOM-Based XSS - In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection.

Security Requirement & Solution:
  1. No HTML tag should be allowed as input data
    • ASP.NET Razor views are HTML-encoded by default (also ASP.NET MVC 4)
    • For aggressive stripping, use the Microsoft AntiXSS library
    • Use Html.Encode or the <%: %> syntax provided by ASP.NET MVC for output
  2. All inputs should be HTML escaped
    • Prevent HTML tags in inputs by default, globally. (To turn it off for a specific action or property, use [ValidateInput(false)] / [AllowHtml].) (ASP.NET MVC 4)
    • Use the Microsoft Anti-Cross Site Scripting Library (AntiXSS) and set it as the default HTML encoder.
    • Use the AntiXSS Sanitizer object to call GetSafeHtml or GetSafeHtmlFragment before saving HTML data to the database
  3. All attribute values should be enclosed in double quotes
    • Use the built-in HTML5 and CSS3 validation provided by Visual Studio.
  4. Ensure no script tag is included in the input value
  5. Specify the charset in the Content-Type HTTP response header
    • Modify web.config on IIS to specify the charset and content type (name="Content-Type" value="text/html; charset='UTF-8'")
  6. Use the HttpOnly attribute on the cookie
    • Set the HttpOnly attribute as follows:
  7. Disable all unnecessary HTTP methods, such as TRACE and DELETE
    • In IIS 7, PUT and DELETE are not enabled by default.
    • Otherwise, deny TRACE by configuring IIS request filtering -> HTTP Verb -> Deny TRACE
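An added example (not from the original post) that ties items 1 to 6 above together in one hypothetical ASP.NET MVC 4 controller. The controller, view-model and helper names are assumed, and the Sanitizer call assumes the AntiXSS library NuGet package is referenced.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security.AntiXss;       // AntiXssEncoder (System.Web, .NET 4.5+)
using Microsoft.Security.Application;    // Sanitizer (AntiXSS library NuGet package)

// Hypothetical controller and view-model; the names are assumed for this example.
public class CommentController : Controller
{
    public class CommentInput
    {
        public string Author { get; set; }
        // MVC request validation rejects any posted value containing HTML by default
        // (items 1 and 2). [AllowHtml] relaxes that for this one property only;
        // [ValidateInput(false)] on the action would relax it for the whole request.
        [AllowHtml]
        public string Body { get; set; }
    }

    [HttpPost]
    public ActionResult Post(CommentInput input)
    {
        string author = input.Author ?? string.Empty;
        // Rich-text field: sanitise before it is stored so that <script>, event-handler
        // attributes and javascript: URLs never reach the database (item 2).
        string safeBody = Sanitizer.GetSafeHtmlFragment(input.Body ?? string.Empty);
        // Plain-text field: keep the raw value and encode at output time, because the
        // same value is rendered in several contexts (text node, attribute, URL).
        ViewBag.Author = author;      // Razor's @ViewBag.Author HTML-encodes it
        ViewBag.Body = safeBody;      // @Html.Raw is acceptable only because it was sanitised
        // Explicit charset on the response header (item 5).
        Response.ContentType = "text/html; charset=utf-8";
        // HttpOnly keeps page script away from the cookie value (item 6);
        // <httpCookies httpOnlyCookies="true" /> in web.config does this globally.
        var cookie = new HttpCookie("lastAuthor", author);
        cookie.HttpOnly = true;
        cookie.Secure = Request.IsSecureConnection;
        Response.Cookies.Add(cookie);
        return View();
    }

    // Item 3: attribute values are double-quoted AND attribute-encoded, the URL part is
    // URL-encoded and the text node is HTML-encoded: one encoder per output context.
    public static string AuthorLink(string author)
    {
        return "<a title=\"" + AntiXssEncoder.HtmlAttributeEncode(author) + "\""
             + " href=\"/comments/by/" + AntiXssEncoder.UrlEncode(author) + "\">"
             + AntiXssEncoder.HtmlEncode(author, false) + "</a>";
    }
}
```

Registering AntiXssEncoder as the default encoder (item 2) is done in web.config via the httpRuntime encoderType attribute rather than in code, so every Razor @ expression then uses the stricter encoder.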

2). Cross Site Request Forgeries (CSRF):

Hope this helps.

Regards,
Arun Manglick