Questions tagged [asp.net-mvc]
A web application framework implementing the Model View Controller (MVC) pattern.
69 questions
4 votes, 3 answers, 636 views
Using ID token for role-base authorization in ASP.NET Core MVC
We have an ASP.NET Core MVC web application that signs in users (assuming that this is the correct app type). It is pretty simple, users can sign in via their Entra ID account. Within Entra ID they ...
0 votes, 1 answer, 1k views
Is the .AspNet.Application cookie vulnerable to CSRF attacks?
I have an MVC application that has undergone SAST. The scan detects a potential XSRF/CSRF vulnerability. The application rewrites the .AspNet.ApplicationCookie setting SameSite=Strict: protected void ...
0 votes, 1 answer, 751 views
ASP.NET Core - are files put in the Shared folder under Pages (where the Razor pages reside) publicly accessible?
Are files put into the Pages/Shared folder public to the whole WWW if the website is hosted publicly? I am asking since I want to implement a partial view load through a controller and want to know ...
9 votes, 2 answers, 10k views
Passing a C# object to Javascript in ASP.NET MVC
Several answers on StackOverflow suggest that a C# object can be passed to JavaScript in ASP.NET MVC by the following: <script type="text/javascript"> var obj = @Html.Raw(Json....
0 votes, 0 answers, 568 views
CWE-915 (overpost/mass assignment) and antiforgery when not saving posted object to storage
Veracode has found overpost or mass-assignment flaws (CWE 915) in our MVC portal. Technically, this is true, but I am wondering how much of an effort we would need to put into this, especially since ...
0 votes, 0 answers, 472 views
Prevent DOM-based XSS from JS file in MVC
I'm using a free template as a front end in my application and the main JavaScript file came out as a high risk as it's vulnerable to a DOM-based cross-site scripting. Is there a way to sanitize the ...
0 votes, 2 answers, 674 views
Content-Type and Code Execution
I just got a message from a security guy that my application is executing remote code if they pass a Content-Type: image/asp. For now he does not disclose anything. Now my question is that if I am ...
2 votes, 2 answers, 156 views
How to deal with authentication tokens in the client browser and in my database?
I am building an ASP.NET MVC project and I want to save the user who is currently logged in, so I read about sessions and cookies and I found that authentication tokens stored in cookies are a ...
0 votes, 1 answer, 223 views
Why does ASP.NET Identity send sensitive information to clients?
As far as I understand, Identity sends to the user an encrypted token with some user information like the user name and expiration date. Then, when a new request arrives to the server, it decrypts it ...
1 vote, 1 answer, 210 views
Validating JWT in server-to-auth-server scenario
The main question here is: If you are using a backend server to authenticate a user with a third party provider such as Auth0, do you need to validate the JWT received in this scenario? I am looking ...
1 vote, 1 answer, 2k views
How to resolve the Format String Error alert in OWASP ZAP for a web application (ASP.NET C#)?
I have a web application with a login page. In the login page, I've set maxlength for the username input and the password input, which looks like the code below. @Html.TextBoxFor(m => m....
1 vote, 0 answers, 1k views
Active Directory authentication with a Login form ASP.NET MVC5
I want to create a web application with a login form and authenticate with an Active Directory account. Our users sometimes use a device that users cannot log in to, so we don't want to use Windows ...
2 votes, 1 answer, 2k views
Preventing CSRF with SameSite="strict" without degrading user experience?
ASP.NET will soon begin reflecting Google's decision to default cookies to SameSite="strict" in a defense against CSRF attacks: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-...
0 votes, 1 answer, 673 views
Risks of allowing users to upload PDF and XML files to be stored/retrieved from a DB (ASPNET MVC 5)
I'm modifying an ASPNET MVC 5 web site and a requirement is to allow users to upload an XML and PDF file. The XML file will be used to layout text on the PDF based on variables coming from within the ...
1 vote, 3 answers, 5k views
When is it okay not to use anti-forgery token in login page?
In this post, there is a paragraph that mentions a scenario where there is no need to validate anti-forgery token in login page: When is it OK to leave off the anti-forgery token? In general, if the ...