
Friday, March 26, 2010

Guard Against Denial-of-Service Threats in ASP.NET

An indirect way that a malicious user can compromise your application is by making it unavailable.


The malicious user can keep the application too busy to service other users, or it can simply cause the application to crash. Follow these guidelines:


  • Use error handling (for example, try-catch). Include a finally block in which you release resources in case of failure.
  • Configure IIS to use process throttling, which prevents an application from using up a disproportionate amount of CPU time.
  • Test size limits of user input before using or storing it.
  • Put size safeguards on database queries. For example, before you display query results in an ASP.NET Web page, be sure that there are not an unreasonable number of records.
  • Put a size limit on file uploads, if those are part of your application. You can set a limit in the Web.config file using syntax such as the following, where the maxRequestLength value is in kilobytes:
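The Web.config fragment below is an added example, not part of the original post; it shows the request-size and execution-time limits the guidelines refer to. The values are illustrative (4096 KB and 110 seconds are the ASP.NET defaults), and the system.webServer section only applies on IIS 7 or later running in integrated mode.

```xml
<configuration>
  <system.web>
    <!-- maxRequestLength is in kilobytes (4096 = 4 MB, the ASP.NET default);
         executionTimeout is in seconds and caps how long one request may run,
         so a slow client or a runaway page cannot hold a worker thread indefinitely -->
    <httpRuntime maxRequestLength="4096" executionTimeout="110" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- On IIS 7 integrated mode, request filtering enforces its own limit
             before ASP.NET sees the request; maxAllowedContentLength is in BYTES,
             so keep it consistent with maxRequestLength (4 MB here) -->
        <requestLimits maxAllowedContentLength="4194304" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Whichever of the two limits is smaller wins, so an oversize upload is rejected by request filtering (HTTP 404.13) before ASP.NET buffers it. Note that executionTimeout is only enforced when compilation debug="false"; a debug build will not time out.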




Thursday, March 25, 2010

Post data to another host, specifically a payment gateway (Authorize.net, Bluefin payment gateway)

using System;
using System.Collections;
using System.IO;
using System.Net;
using System.Text;
using System.Web;

// Create a hash table to hold the form fields the gateway expects
Hashtable post_values = new Hashtable();

// Add values to the hash table (the quoted values are placeholders for the real customer and order data)
post_values.Add("tran_type", "A");
post_values.Add("account_id", "AccountId");
post_values.Add("pay_type", "C");
post_values.Add("card_cvv2", "cardCVV number");
post_values.Add("card_number", "Card Number");
post_values.Add("card_expire", "Card Expiry Date");
post_values.Add("bill_name1", "Customer First Name");
post_values.Add("bill_name2", "Customer Last Name");
post_values.Add("bill_street", "BillingAddress1");
post_values.Add("bill_state", "bill_state");
post_values.Add("bill_zip", "BillingZipCode");
post_values.Add("bill_country", "bill_country");
post_values.Add("amount", "totalorderamount");

// Build the URL-encoded body "key=value&key=value" from the hash table;
// encoding each value keeps an '&' or '=' in customer data from corrupting the form
StringBuilder post_builder = new StringBuilder();
foreach (DictionaryEntry post_value in post_values)
{
    if (post_builder.Length > 0) post_builder.Append("&");
    post_builder.Append(HttpUtility.UrlEncode(post_value.Key.ToString()));
    post_builder.Append("=");
    post_builder.Append(HttpUtility.UrlEncode(post_value.Value.ToString()));
}
string post_string = post_builder.ToString();
byte[] post_bytes = Encoding.UTF8.GetBytes(post_string);

// Create an HttpWebRequest object to communicate with the payment gateway site
// (the placeholder URL must be an https address: the card number and CVV travel in this request body)
HttpWebRequest objRequest = (HttpWebRequest)WebRequest.Create("PaymentGatewayURL");

// Set the method by which the request will be sent
objRequest.Method = "POST";
objRequest.ContentType = "application/x-www-form-urlencoded";
objRequest.ContentLength = post_bytes.Length; // byte length of the body, not the string length

// Post data is sent as a stream
using (Stream requestStream = objRequest.GetRequestStream())
{
    requestStream.Write(post_bytes, 0, post_bytes.Length);
}

// The returned values come back as a stream, then are read into a string;
// the response is stored in the variable post_response
String post_response;
using (HttpWebResponse objResponse = (HttpWebResponse)objRequest.GetResponse())
using (StreamReader responseStream = new StreamReader(objResponse.GetResponseStream()))
{
    post_response = responseStream.ReadToEnd();
}
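The class below is an added example, not code from the original post or from either gateway vendor. It wraps the same form POST in a reusable method and adds the checks a practitioner would want around card data: it refuses a non-https gateway URL, URL-encodes every field, sets timeouts so a hung gateway cannot pin a worker thread, reads the body of an error response instead of losing it, and masks the card number before anything is logged. The names PostToGateway, MaskPan and Example, the gateway URL, and the sample field values are assumptions for illustration; the field names are the ones the post uses.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using System.Web;

public static class GatewayClient
{
    // Sends form-encoded fields to the gateway and returns the raw response body.
    public static string PostToGateway(Uri gatewayUrl, IDictionary<string, string> fields, int timeoutMs = 30000)
    {
        // Card number and CVV leave this server in the request body: refuse anything but TLS.
        if (gatewayUrl.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Gateway URL must use https", "gatewayUrl");

        // URL-encode every key and value so '&', '=' or non-ASCII characters in
        // customer data cannot break the form or inject an extra field.
        var body = new StringBuilder();
        foreach (var kv in fields)
        {
            if (body.Length > 0) body.Append('&');
            body.Append(HttpUtility.UrlEncode(kv.Key)).Append('=')
                .Append(HttpUtility.UrlEncode(kv.Value ?? ""));
        }
        byte[] payload = Encoding.UTF8.GetBytes(body.ToString());

        var request = (HttpWebRequest)WebRequest.Create(gatewayUrl);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;   // byte count, not string length
        request.Timeout = timeoutMs;              // connect/send limit: a hung gateway must not hold the thread forever
        request.ReadWriteTimeout = timeoutMs;     // limit on each stream read/write

        using (Stream s = request.GetRequestStream())
            s.Write(payload, 0, payload.Length);

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
                return reader.ReadToEnd();
        }
        catch (WebException ex)
        {
            // A 4xx/5xx from the gateway still carries a body (the decline reason);
            // return it rather than losing it. The card data is never copied into the exception.
            var err = ex.Response as HttpWebResponse;
            if (err != null)
                using (var reader = new StreamReader(err.GetResponseStream()))
                    return reader.ReadToEnd();
            throw;
        }
    }

    // Never log or store a full PAN; keep only the last four digits. The CVV is never logged at all.
    public static string MaskPan(string pan)
    {
        if (string.IsNullOrEmpty(pan) || pan.Length < 4) return "****";
        return new string('*', pan.Length - 4) + pan.Substring(pan.Length - 4);
    }

    // Usage: field names are the ones the post uses; values are constructed placeholders.
    public static string Example()
    {
        var fields = new Dictionary<string, string>
        {
            { "tran_type", "A" },
            { "account_id", "AccountId" },        // in production read this from protected configuration, not source
            { "pay_type", "C" },
            { "card_number", "4111111111111111" }, // constructed test PAN
            { "card_expire", "1225" },             // placeholder; use the format the gateway specifies
            { "card_cvv2", "123" },
            { "amount", "10.00" },
        };
        string response = PostToGateway(new Uri("https://gateway.example/transact"), fields); // assumed URL
        // Only the masked number reaches the log: "Sent auth for card ************1111"
        Console.WriteLine("Sent auth for card " + MaskPan(fields["card_number"]));
        return response;
    }
}
```

The https check matters because HttpWebRequest will happily post the same body over plain http if the configured URL is mistyped; failing fast is cheaper than a leaked card number. Keeping the CVV out of every log, exception and database is a PCI DSS requirement, not just good practice, so the only place it should exist is the request body.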