ASP.NET

The ASP.NET Security Vulnerability

Poster for the movie "Hackers"

Chances are that you’ve seen the Microsoft Security Advisory, but in case you haven’t here’s the "tl;dr" version:

  • There’s a vulnerability in ASP.NET that was publically disclosed late on Friday at a security conference.
  • An attacker using this vulnerability can:
    • Request and download files within an ASP.NET application like the web.config file (which often contains sensitive data).
    • Decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How Does the Vulnerability Work?

The vulnerability is based on a cryptographic oracle. When talking amongst the crypto crowd, an “oracle” refers to a system that gives away hints if you ask it the right questions.

Within ASP.NET, there’s a vulnerability that acts like a “padding oracle”. An attacker can send ciphertext to the web server and learn if it was decrypted properly by looking at the error code returned by the server. Make lots of requests like that while keeping track of the error codes returned, and you can learn enough to decrypt the ciphertext.

How Do You Work Around the Vulnerability (the high-level version)?

The vulnerability works because of the different error codes returned by the server. The workaround is to change the error handling withing ASP.NET so that it always sends the same error each time, regardless of the error, thereby cancelling the “oracular” behaviour.

More specifically, this involves enabling the <customErrors> feature of ASP.NET and mapping all errors to return the same error page.

How Do You Work Around the Vulnerability (the step-by-step version)?

Scott Guthrie’s blog has the step-by-step instructions for:

  • Working around the vulnerability
  • Making sure that the workaround has been enabled
  • Finding vulnerable ASP.NET applications on your server
  • Finding out more about the vulnerability

If you’ve got an ASP.NET-based application, make sure you’ve set up the workaround!

This article also appears in Canadian Developer Connection.

{ 0 comments }

Introducing WebMatrix

by Joey deVilla on July 7, 2010

What is WebMatrix?

webmatrixBy now, you’ve probably seen the tech news reports as well as Scott Guthrie’s announcement about WebMatrix, Microsoft’s lightweight web development web development system that packages a web development tool with a number of new web technologies:

  • IIS Developer Express: a lightweight, free-as-in-beer web server with simple setup, runs on all versions of Windows and is compatible with the full-on version of IIS 7.5
  • SQL Server Compact Edition: a lightweight, free-as-in-beer file-based database with simple setup that can be embedded within ASP.NET applications, supports low-cost hosting and whose databases can be migrated to the full-on version of SQL Server.
  • ASP.NET “Razor”: A new view engine option for ASP.NET for easy and clean templating with a simple syntax. You can use Razor to embed C# or VB into HTML.

WebMatrix ties these goodies together in a nice simple package that the beginning web developer will find easy to use and that the pro web developer will find handy for building quick sites. These parts are also available individually to ASP.NET developers and will soon be available to ASP.NET MVC developers.

If you’re looking for a quick video tour of WebMatrix, chack out the Channel 9 video below:

Get Microsoft Silverlight

Can’t see the video? You can download and install Silverlight or download the video in iPod, MP3, PSP, WMA, WMV, WMV (High) or Zune formats.

A Quick Look at WebMatrix’s Parts

WebMatrix provides a simple, task-based interface for quickly creating web sites, both static and dynamic:

WebMatrix "Quick Start" screen, with four links: My Sites, Site from Web Gallery, Site from Template, Site from Folder

It makes it easy to include open source ASP.NET- and PHP-based web applications in your site:

WebMatrix App Gallery page, featuring apps like DotNetNuke and WordPress

It’s also easy to manage applications in a WebMatrix site:

BlogEngine.NET management page in WebMatrix
If you’d rather write your own web app in WebMatrix, you can do that too. There’s a rich file editor:

WebMatrix file editor, showing the site.master page in BlogEngine.NET being edited

And database definition and management tools:

Screenshot of table definiton and contents in WebMatrix's database tools

There’s also sample code and web helpers to make your life easier and show you what’s possible, such as this handy sample that makes it easy to make a Twitter client. Here’s the code that takes advantage of the sample:

WebMatrix code editor showing a Twitter class' "Search" method being called

…and here’s the result:

Screenshot of sample Twitter app in WebMatrix

If you need to get hardcore, you can open your WebMatrix project in Visual Studio or even the free-as-in-beer Visual Web Developer 2010 Express:

WebMatrix toolbar, with the "Launch in Visual Studio" button highlighted

Previewing your WebMatrix site in multiple browsers is a snap:

The "Run" button in WebMatrix, showing the different browsers you can use to preview your site

Deployment is nice and easy once you’re doing editing your site:

The "publish" button and screen in WebMatrix

Find Out More

I haven’t had a chance to take WebMatrix out for a proper spin yet, but I’m hoping to over the next few days. It’s a collection of cool technologies (which I ‘ll also use in my regular ASP.NET MVC development) wrapped together by a nice, simple tool that’s great for the web developer who’s not working on enterprise sites. I can also see myself using it as a handy prototyping tool.

If you’d like to find out more about WebMatrix, take a look at these:

Download the WebMatrix Beta now!

WebMatrix has just been released as a beta and available for download right now! We want you to try it out and let us know what you think, because we’ll be refining it based on what you tell us.

This article also appears in Canadian Developer Connection.

{ 3 comments }

Maritime DevCon: June 18th in Moncton

by Joey deVilla on June 3, 2010

martime dev con

If you’re a developer out in the Maritimes, you might want to check out Derek Hatchard’s Maritime Dev Con, which takes place on June 18th in Moncton. It’s a single-afternoon, two-track conference – which means you should be able to take time out to attend it – covering a number of topics including:

  • .NET and ASP.NET
  • Java
  • iPhone development
  • Ruby
  • Python
  • Groovy
  • NoSQL and MongoDB
  • “Rockstar Estimating Skills”

Maritime Dev Con has a registration fee that won’t hurt your wallet – it’s a mere CAD$19!

I’m a big fan of small, regional gatherings like Maritime Dev Con and its western counterpart Prairie DevCon. Each region has its own specializations and needs that a by-locals, for-locals conference can do a better job of serving, and the smaller size of these conferences allows for more back-and-forth between audience and presenter, and between attendees. Support your local conference!

This article also appears in Canadian Developer Connection.

{ 0 comments }

This article also appears in Canadian Developer Connection.

Canada's Next Top Model (moose) View (Lake Louise) Controller (beaver)

If you’re going to be in the area of downtown Toronto next Thursday, May 28th, you might want to check out my presentation, Canada’s Next Top Model View Controller at the next Metro Toronto .NET User Group meeting. I’ll be talking about the ASP.NET MVC Framework, Microsoft’s answer to MVC frameworks like Ruby on Rails, Django, CakePHP and Catalyst. As is my stock in trade with presentations, this will be informative, enlightening, entertaining and just might feature a rock and roll accordion performance.

The presentation takes place Thursday, May 28th at 6:00 p.m. at the Manulife Financial Building (200 Bloor Street East, Toronto, between Church and Jarvis – use the entrance on St. Paul Square). Admission for the presentation is free, but you have to register, and as of this writing, only 24 tickets remain.

For more details about the presentation, visit the Metro Toronto .NET user group site.

{ 0 comments }

I’m in Calgary Next Week

by Joey deVilla on December 4, 2008

downtown_calgary

tech_days_calgary

I’ll be in Calgary from Monday to Friday next week, catching up with my friend and co-worker John Bristowe (he’s Microsoft’s Developer Evangelist for Western Canada) and speaking at the Tech Days conference.

If you use (or are thinking of using) The Empire’s technologies, Tech Days is a pretty good place to get immersed. It’s a conference focused on learning about Microsoft tech on its target platforms – PC, web and phone – both current and upcoming. It’s also a chance for Microsoft developers to get together and network, and you leave the conference with a nice package of free stuff, including a full version of Visual Studio 2008 Professional Edition. (And just between you and me, if your company’s paying for it, Tech Days is also a good excuse to get a couple of paid days out of the office.)

In addition to the conference notes and reportage that you’ve come to expect from Global Nerdy and the accordion playing you’ve come to expect from me, I will be contributing in another way: I’m delivering the A Deep Dive into the ASP.NET Ajax Extensions presentation (it’s part of the web development track and taking place on Wednesday, December 10th at 1:00 p.m.. Here’s the abstract for the presentation:

The ASP.NET AJAX Extensions are the server half of ASP.NET AJAX. Aside from adding controls such as ScriptManager and UpdatePanel to the platform, they extend the ASMX model to support client-side callbacks and JSON serialization. In this session, we’ll explore ASP.NET AJAX on the server – both inside and out – in order to provide you with the knowledge you will need to exploit it to its fullest.

(If I had more time, I think I’d write my own abstract.)

I looked at the time slot I was given and went “uh-oh”. It’s one p.m., right after lunch, which is what people used to call the sexta hora in Latin. That means “sixth hour” and refers to the sixth hour of being awake, which is when people start to get a little bit sleepy. That’s where the word siesta comes from – it’s a bastardization of sexta hora. I’m going to have to make sure that I keep things interesting – I welcome that challenge.

See you in Calgary!

{ 2 comments }

Cover of "Teach Yourself ASP.NET Ajax in 24 Hours"While following the exercises in the book Teach Yourself ASP.NET Ajax in 24 Hours – one of the few books I’ve been able to find on Ajax for ASP.NET 3.5 – I found an error in the “Hour 9” chapter in the example that covers client-side error-handling (it starts on page 137). I’ve reported this error to the publisher and with any luck, they’ll post a corrected version on their support web page for the book.

I’ve done some searching and haven’t found anything covering this error so I thought I’d cover it here. Better still, I’ll also cover the fix, which turns out to be quite simple. If you’ve been trying out the code in the book and wondering why it doesn’t work, relax: at least in this case, it’s not your fault.

In the course of covering the error and how to fix it, I’ll also talk about how ASP.NET handles exceptions raised by asynchronous postbacks and how you can make use of it to make better user interfaces. Even if you don’t have a copy of Teach Yourself ASP.NET Ajax in 24 Hours, you should find this article an interesting introduction to client-side error handling in ASP.NET Ajax.

Unhandled Exceptions and Asynchronous Postbacks

In ASP.NET Ajax, if an exception is raised during an asynchronous postback and isn’t handled on the server side – that is, in the code-behind – it gets passed along to the client side. What happens on the client side depends on which version of ASP.NET you’re using:

  • In ASP.NET Ajax 1.0, the server-side exception object is serialized into JSON. The JSON is sent to the client, which displays the exception’s message property in an alert box.
  • In ASP.NET Ajax for .NET 3.5, the server-side exception is still serialized into JSON and the JSON is still sent to the client. However, instead of displaying the exception’s message property in an alert box – a presumptuous design decision, if you want my opinion – the client throws the exception, which gives you the opportunity to handle it on the client side as you please.

(In this article, I’ll stick to covering ASP.NET Ajax for .NET 3.5.)

This is quite different from most other web application frameworks, where an exception raised as the result of an XMLHttpRequest call to the server results in some kind of “error” page from the server (or a blank page, if you’re suppressing error reporting).

To illustrate this, let’s put together a simple ASP.NET Ajax application. It’s a single page with a single button, that if clicked, throws an exception.

Here’s the code for the page layout. It’s pretty straightforward:

Listing 1: Default.aspx – Layout for the page of our simple ASP.NET Ajax application.

Some notes about the code:

  • The ScriptManager control at the top of the form enables Ajax by ensuring that the JavaScript needed to support ASP.NET Ajax on the client side is downloaded to the browser.
  • The UpdatePanel control determines the controls that trigger asynchronous postbacks and defines the region of the page that can be updated via Ajax.
  • Button1 is the button control that we want to throw an exception when clicked. We’ll set it to call the Button1_OnClick method, which will contain the exception-throwing code.

The code-behind is very simple. In it, we define a single method: the event handler Button1_OnClick, which is called in response when the user clicks Button1. All we want it to do is throw an exception that uniquely identifies itself:

Listing 2: Default.aspx.cs – Code-behind for the page of our very simple example app.

Running with Debugging vs. Running Without Debugging

Listing 1 and 2 give us enough to make our simple app work. It’s time to take it for a spin.

Here’s something that doesn’t get covered in Teach Yourself ASP.NET Ajax in 24 Hours: what happens when you try to run this app with debugging (starting it by hitting F5 in Visual Studio or “Start Debugging” under the “Debug” menu)?

Here’s a screenshot of what happened for me: simple_app_with_debugging

With debugging on, the unhandled exception thrown in Button1_OnClick is caught by the debugger. Normally, this sort of error-catching behaviour is welcome, but in this particular case, it gets in the way of what we’re trying to achieve: having an exception on the server side and passing it along to the user’s browser to handle.

If we run the same app without debugging, we get the effect we want: the exception is raised on the server side, but the server-side part of the application doesn’t halt with an error message. Instead, the client shows the error message.

Here’s a screenshot. Note that the error message includes the string “Click!”, which is the argument in the throw statement the Button1_OnClick event handler. Thanks to this, we can be pretty certain that the error message is the result of our deliberately-thrown exception:

image

Now that we have the exception that we threw on the server side being handled on the client side, let’s do something with it. 

Handling Exceptions Passed from the Server on the Client Side

Let’s do something simple – let’s catch the exception caused by the button click, and instead of having a JavaScript error box pop up, let’s make a couple of changes to the button:

  • Change its text to “This button has been disabled for your safety.”
  • Disable it.

To handle exceptions on the client side, we need to write some client-side JavaScript. Luckily, this is made simple by the number of handy utility classes defined in the scripts downloaded to the client by the ScriptManager component. In this case, we’re going to make use of the Sys.Webforms.PageRequestManager class to deal with the exception because it provides us with the following:

  • The endRequest event, which is raised after an asynchronous postback has completed and control is returned to the browser.
  • The add_endRequest method, which specifies a method to call when the endRequest event is raised.

Here’s the JavaScript, which we’ll put in a file called ErrorHandler.js:

Listing 3: ErrorHandler.js — Client-side error handler for our very simple example app.

The script performs the following:

  • It registers the method EndRequestHandler as the method to call whenever the endRequest event is raised.
  • It defined the method EndRequestHandler, which does the following:
    • If an exception did occur during the asynchronous callback:"
      • The button’s text is changed
      • The button is disabled
      • The error is reported as handled, which allows the application to continue

Now that we have this client-side code, we need to get it to the client. We do this by using the Scripts section of the ScriptManager to send this file to the client. The listing below shows the updated layout code for our simple application. I’ve highlighted the change in the listing below:

Listing 4: Revised Default.aspx – Layout for the page of our simple ASP.NET Ajax application.

The Scripts section of the ScriptManager lets us specify scripts to be sent to the client along with the page, with each script specified in a ScriptReference tag.

When we run the app (remember, without debugging on) with these changes and click the button, here’s what we get:

Button with text "This button has been disabled for your safety"

In a later article, I’ll look at other ways of using client-side error handling in ASP.NET Ajax in .NET 3.5.

The Error in Teach Yourself ASP.NET Ajax in 24 Hours

Here’s the page layout code for the error-handling example in Teach Yourself ASP.NET Ajax in 24 Hours. The code-behind for the page and the client-side JavaScript are fine, it’s this code that has the error. See if you can spot what’s amiss:

Listing 5: Default.aspx — Page layout of client-side error-handling example in Hour 9 of Teach Yourself ASP.NET Ajax in 24 Hours.

Just for kicks, here’s what happens when you click on the button in the app using the code straight from Teach Yourself ASP.NET Ajax in 24 Hours:

Screen capture of resulting error message from original "Teach Yourself ASP.NET Ajax in 24 Hours" application

The mistake is simple: although there is some error-handling client-side JavaScript in the app, it’s not referenced in the ScriptManager tag, which means it’s not sent to the client. Without error-handling code on the client side, the exception is thrown, there’s nothing to catch it and the user is presented with the standard error dialog box.

The fix is equally simple: reference the script in the ScriptManager tag’s Scripts section:

Once that’s done, the program works as promised.

{ 2 comments }

Salmagundi for Friday, November 7th, 2008

by Joey deVilla on November 7, 2008

Interview with Chris Slemp, MSDN

joey_devilla_chris_slemp

Here’s another video interview featuring Yours Truly at the PDC: it’s with Chris Slemp, Program Manager for the Server and Tools Online group at Microsoft. In the interview, we talk about MSDN and its new social bookmarking feature.

Click here to watch the video.

“Grim Fandango’s” Puzzle Document

grim_fandango_puzzle_document

If you’re looking to get into the mind of a game designer and the design of one of the most highly-regarded computer adventures games, be sure to check out the Grim Fandango Puzzle Document. Tim Schafer, in “a temporary fit of Cake-induced Grim nostalgia,” decided to put the game’s puzzle design document online in PDF form (it’s 2.3MB in size).

Here’s a great summary of the Grim Fandango Puzzle Document, written by Andy Geers:

I use that word "crafted" because that’s exactly what this newly released document shows: true craftsmanship. We see the incredible attention to detail, the pacing of the narrative as it builds and as the puzzles get increasingly sophisticated, always coaxing the player along with them. As somebody whose spent the last few years trying to write my own adventure game, what struck me most about this document is the sheer simplicity of it – it’s well established that it takes a great deal of clarity and hard work to boil down something so vast as Grim Fandango into such a simple representation that conveys so much information in such a succinct way.

It’s a considerably more interesting read than most specs.

My Job-Related Reading List

Nothing gives you that frozen-caveman-thawed-in-modern-times feeling like returning to a software platform after not developing in it in seven years. Getting back into the swing of Microsoft’s development tools has been fun so far, but it is, as a lot of people have told me, like drinking from the firehose.

reading_list_nov_2008

To quickly get acclimated with C#, ASP.NET and XNA, I’m expensing the following books I bought today:

I’ll let you know what I think of these books as I read them.

“Zero Punctuation” Reviews

And finally, a couple of reviews from my all-time favourite game reviewer, Ben “Yahtzee” Croshaw. The first one’s for Saints Row 2, which includes a great argument for why it might actually be a better game than Grand Theft Auto IV as well as a brilliant concept for a new game:

and here’s the latest review, for Dead Space, which he summarizes as “competent but bland”. Luckily, his review is anything but…

{ 0 comments }