

CAPTCHA Code

Add new aspx page named captcha_image.aspx using System; using System.Data; using System.Configuration; using System.Collections; using System.Web; using System.Web.Security; using System.Web.UI; using System.Web.UI.WebControls; using System.Web.UI.WebControls.WebParts; using System.Web.UI.HtmlControls; using System.Drawing; public partial class CAPTCHA_Image : System.Web.UI.Page {     protected void Page_Load(object sender, EventArgs e)     {         System.Drawing.Bitmap objbmp = null;         System.Drawing.Graphics objgraphics = null;         Font objFont = null;         try         {             objbmp = new System.Drawing.Bitmap(60, 20);             //objgraphics = New System.Drawing.Graphics;             objgraphics = System.Drawing.Graphics.FromImage(objbmp);             objgraphics.Clear(Color.Green);             objgraphics.TextRenderingHint = objgraphics.TextRenderingHint;             objFont = new Font("Arial", 10, FontStyle.Bold);             string randomStr = ...

Session Fixation

Finding: The application does not re-initialize the session ID stored in the cookie after login. This allows an attacker to steal the session ID assigned before an invalid login, wait for a valid user to log in from that same browser, and then simultaneously use the stolen, now-valid session ID of that user to access restricted pages in the application. The attacker leaves the browser open and goes to his own computer (another system), where he waits for a valid user to use that browser to log in to the application and enter the authenticated module. A genuine user then logs in to the application with the same session ID that the attacker recorded earlier. Recommendation: Add a new cookie that randomly changes for each login attempt. Also regenerate the session ID before and after authentication. Write this code on the page load of every authenticated page: Int64 value; Random randomclass = new Random(); value = randomclass.Next(); HttpCookie mycookie = new HttpCookie("cook...

Convert Date Format

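/// <summary>
/// Parses a date written as day/month/year with '/' separators (e.g. "31/05/2009").
/// The order is positional, so the result does not depend on the server's culture settings.
/// </summary>
/// <param name="str">Date text with exactly three '/'-separated integer parts: day, month, year.</param>
/// <returns>A <see cref="DateTime"/> for that calendar day, with no time component.</returns>
/// <exception cref="ArgumentNullException"><paramref name="str"/> is null.</exception>
/// <exception cref="FormatException"><paramref name="str"/> does not have exactly three parts, or a part is not an integer.</exception>
/// <exception cref="ArgumentOutOfRangeException">The parts do not form a valid calendar date (e.g. 31/02/2009).</exception>
public static DateTime ConvertDateFormat(string str)
{
    if (str == null)
    {
        throw new ArgumentNullException("str");
    }

    // Reject too few or too many parts instead of silently reading the first three
    // (the previous version ignored anything after the year).
    string[] parts = str.Split('/');
    if (parts.Length != 3)
    {
        // The input is not echoed back: this message may surface on an error page.
        throw new FormatException("Expected a date with exactly three '/'-separated parts (dd/mm/yyyy).");
    }

    // Invariant culture so the parse does not change with the thread's regional settings.
    System.Globalization.CultureInfo invariant = System.Globalization.CultureInfo.InvariantCulture;
    System.Globalization.NumberStyles style = System.Globalization.NumberStyles.Integer;
    int dd = Int32.Parse(parts[0], style, invariant);
    int mm = Int32.Parse(parts[1], style, invariant);
    int yy = Int32.Parse(parts[2], style, invariant);

    // DateTime's constructor validates the day/month/year combination itself.
    return new DateTime(yy, mm, dd);
}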

Password Encryption and Decryption

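/// <summary>
/// Click handler: replaces the text in TextBox2 with its encrypted, base64-encoded form.
/// </summary>
protected void encrypt_Click(object sender, EventArgs e)
{
    TextBox2.Text = Encrypt(TextBox2.Text);
}

/// <summary>
/// Encrypts <paramref name="TextToBeEncrypted"/> with Rijndael (256-bit key, 128-bit IV)
/// and returns the ciphertext as a base64 string.
/// </summary>
/// <remarks>
/// Key material is derived exactly as before, so existing ciphertext and the matching
/// Decrypt routine keep working. Review notes on that scheme, to weigh before relying on it
/// for sensitive data: the password "CSC" is hard-coded in source; the salt is the constant
/// string "3" (the password's length), not a random value; PasswordDeriveBytes is PBKDF1 and
/// is marked obsolete in current .NET; and the IV comes from the same fixed password, so equal
/// plaintexts always produce equal ciphertexts. Changing any of these alters the output
/// format and needs a coordinated change to Decrypt. If the text being protected is a user's
/// password for storage, a one-way salted hash is the usual choice rather than reversible encryption.
/// </remarks>
/// <param name="TextToBeEncrypted">Text to encrypt; encoded as UTF-16 (Encoding.Unicode) before encryption.</param>
/// <returns>Base64 ciphertext.</returns>
/// <exception cref="ArgumentNullException"><paramref name="TextToBeEncrypted"/> is null.</exception>
public string Encrypt(string TextToBeEncrypted)
{
    if (TextToBeEncrypted == null)
    {
        throw new ArgumentNullException("TextToBeEncrypted");
    }

    String Password = "CSC";
    Byte[] PlainText = System.Text.Encoding.Unicode.GetBytes(TextToBeEncrypted);
    // Salt is the decimal length of the password ("3"); kept for compatibility with Decrypt.
    Byte[] Salt = System.Text.Encoding.ASCII.GetBytes(Password.Length.ToString());

    // Two successive GetBytes calls on the same derivation: key first, then IV.
    // The order is part of the format Decrypt expects, so it must not change.
    PasswordDeriveBytes SecretKey = new PasswordDeriveBytes(Password, Salt);
    byte[] key = SecretKey.GetBytes(32);
    byte[] iv = SecretKey.GetBytes(16);

    // Every object below is IDisposable. The previous version closed only the two streams,
    // and only on the success path; "using" disposes all of them even when an exception is thrown.
    using (RijndaelManaged RijndaelCipher = new RijndaelManaged())
    using (ICryptoTransform Encryptor = RijndaelCipher.CreateEncryptor(key, iv))
    using (MemoryStream memoryStream = new MemoryStream())
    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, Encryptor, CryptoStreamMode.Write))
    {
        cryptoStream.Write(PlainText, 0, PlainText.Length);
        // Pads and writes the last block; ToArray must run after this and before the streams close.
        cryptoStream.FlushFinalBlock();
        return Convert.ToBase64String(memoryStream.ToArray());
    }
}

// The source listing is truncated after this point; the next member (which starts with "p")
// is not visible here.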

Javascript Validation

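// Whitelist validators for form fields. Each pattern lists the only characters a field may
// contain; the whole value must match. Note that \s admits tabs and line breaks, not just
// the space character, so "space only" in the field rules is wider than it sounds.
// The Regex objects are built once instead of on every call.
private static readonly Regex AddressRegex = new Regex(@"^[a-zA-Z0-9\.\,\(\)\s]+$");
private static readonly Regex AlphabetRegex = new Regex(@"^[a-zA-Z0-9\.\,\s]+$");
private static readonly Regex CityRegex = new Regex(@"^[a-zA-Z\.\s]+$");

/// <summary>Contact address may contain letters, digits, '.', ',', '(', ')' and whitespace only.</summary>
/// <param name="inputEmail">Field value to check (the parameter name is historical; the value is an address).</param>
/// <returns>true when the value is non-empty and every character is allowed; false otherwise, including for null.</returns>
public static bool valid_address(string inputEmail)
{
    return MatchesWhole(AddressRegex, inputEmail);
}

/// <summary>Value may contain letters, digits, '.', ',' and whitespace only.</summary>
/// <param name="inputEmail">Field value to check.</param>
/// <returns>true when the value is non-empty and every character is allowed; false otherwise, including for null.</returns>
public static bool valid_alphabet(string inputEmail)
{
    // The previous pattern ended in "$ " (a trailing space inside the literal). A space can
    // never follow the end-of-string anchor, so the validator always returned false.
    return MatchesWhole(AlphabetRegex, inputEmail);
}

/// <summary>City name may contain letters, '.' and whitespace only.</summary>
/// <param name="inputEmail">Field value to check.</param>
/// <returns>true when the value is non-empty and every character is allowed; false otherwise, including for null.</returns>
public static bool valid_city(string inputEmail)
{
    return MatchesWhole(CityRegex, inputEmail);
}

// valid_password is cut off in the source listing and is not reproduced here. Its visible
// rule was "minimum 6 characters, letters and digits in combination", with the pattern
// "(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{6,10})$" (6 to 10 letters/digits, at least one of each).

/// <summary>Shared check: null or empty input is rejected; otherwise the whole value must match.</summary>
/// <param name="pattern">Anchored whitelist pattern for the field.</param>
/// <param name="input">Value to test; may be null.</param>
/// <returns>true only for a non-empty value that matches <paramref name="pattern"/>.</returns>
private static bool MatchesWhole(Regex pattern, string input)
{
    // Regex.IsMatch throws on null; a validator should just say "not valid".
    if (string.IsNullOrEmpty(input))
    {
        return false;
    }
    return pattern.IsMatch(input);
}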