I am new to asp.net development
I develop login form with username and password
I finished off with my work but any how my login table has injected with sort of script as
username
"> </title><script src="http://it
password
"> </title><script src="http://it
I have written simple query as
SELECT * FROM user WHERE userid = 'admin' AND password = 'ms2012'
I thought some body has injected in a username and password textbox
But I don't understand how they did. Can anybody explain how they have updated it and what should I do to avoid it?
There are 3 basic things to consider if you want to the application to be secured from SQL Injection:
Paramterized Queries
Stored Procedures
Sanitizing all input data
Related
I have created a share and added that share to a reader account.
Now I have executed a create user statement there in the reader account i.e.
CREATE or replace USER client_test
PASSWORD = 'Client4321'
LOGIN_NAME = 'client'
DISPLAY_NAME = 'client test'
FIRST_NAME = 'client'
LAST_NAME = 'test'
EMAIL = 'mukul.kumar#gmail.com'
DEFAULT_ROLE = sysadmin;
This statement gets executed without any error and also I can see the user details under the account tab in snowflake UI
but still, when I am trying to login into this newly created user, there is an error of incorrect username or password coming up.
Is creating a user in a reader account not allowed or anything like there in snowflake?
I haven't found documentation on this as such. It will be appreciated if anyone helps me out with this.
The issue here is that the login_name is the one which should be used for logging in to the SF application. Use "client" and "Client4321" to login and it will be successful.
I want to parameterise the login feature file so that is can be used for multiple user credentials. Can anyone please help me here? Below is the code that I am using:
Given url baseUrl
And form field username = 'admin'
And form field password = 'admin'
When method GET
Then status 200
I want to parameterise the value for username and password so that it can be passed from another feature file and can be reused again.
I am debugging confirmation email flow when signing up a new User in Asp.Net Core web application with Identity Server 4.
Since I had already signed up with my actual email, to reuse it, I modified the UserName and Email in AspNetUsers table using SQL Update to some random value.
Now when I am signing up with the original email again. I am getting a duplicate user error
result = await _userManager.CreateAsync(user, model.Password);
I have already:
Cleared browser cache.
Closed local IIS Express
Restarted Visual Studio.
Used_userManager.DeleteAsync() after updating the UserName and Email back to original values but this gives an Microsoft.AspNetCore.Identity.IdentityError with description Optimistic concurrency failure, object has been modified.
On running this query on Sql Server
select * from INFORMATION_SCHEMA.COLUMNS where COLUMN_NAME in ( 'UserName' , 'Email')
I get the following:
I know that this is not a good practice to mess with backend, but this is development environment and I could continue my work with another email.
I would request readers to help in understanding how the User could be safely scorched to be able to reuse the email.
Appreciate your time
I agree with Kyle's comment and to further speed up your debug process you should note that if you use gmail to do this you can debug this process using one email.
from google/gmails perspective myaccount#gmail.com == my.acount#gmail.com == m.y.a.c.c.ount#gmail.com etc etc just try it out, google disregards all period characters in the email. you can enumerate/exhaust ~2^8 emails (in this example) if you just enumerate through the local-part of the e-mail address. but from your applications side, myaccount#gmail.com is not the same as my.account#gmail.com, ie they are different user accounts. Basically you can use one email to test out this feature of yours without having to delete the user.
Here is how I did it and finally got passed the pesky "concurrency failure" error message... This works in ASP.NET CORE 2.2
Obtain the user object through the FindByName method first.
Remove the user from their assigned Role (in this case I hard coded "Admin" because that is the role I'm interested in but fill in your own), then delete the user.
//Delete user.
//Obtain the user object through the FindByName method first.
//Remove the user from their assigned Role, then delete the user.
var userManager = serviceProvider.GetRequiredService<UserManager<ApplicationUser>>();
ApplicationUser delAppUser = new ApplicationUser
{
Email = "SomeEmailForindividualAdminUser",
UserName = "SomeUsernameindividualAdminUser"
};
Task <ApplicationUser> taskGetUserAppUser = userManager.FindByNameAsync(delAppUser.UserName);
taskGetUserAppUser.Wait();
Task<IdentityResult> taskRemoveFromRoleAppUser = userManager.RemoveFromRoleAsync(taskGetUserAppUser.Result, "Admin");
taskRemoveFromRoleAppUser.Wait();
Task<IdentityResult> taskDeleteAppUser = userManager.DeleteAsync(taskGetUserAppUser.Result);
taskDeleteAppUser.Wait();
I have a Store procedure to create auto generate SQl users.
code to create User
CREATE LOGIN userName with PASSWORD= 'autoGeneratedPass'
Problem: When the auto generated Password is weak then i got the below error
Password validation failed. The password does not meet Windows policy requirements because it is too short.
so i turned off Windows policy checking
Code
CREATE LOGIN userName with PASSWORD= 'autoGeneratedPass' CHECK_POLICY = OFF
If i did that any hidden problem arise?
Using Apache mod_auth_basic and mod_authn_dbd you can authenticate a user by looking up that user's password in the database. I see that working if the password is held in clear, but what if we use a random string as a salt (also stored in the database) then store the hash of the concatenation?
mod_authn_dbd requires you to specify a query to select that password not to decide if the user is authenticated of not. So you cannot use that query to concatenate the user provided password with the salt then compare with the stored hash.
AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
Is there a way to make this work?
Looking at the Password Formats for Basic Auth it seemed that I could make this work if the hash is done using the apr_md5_encode function.
Found another question that relates to this and links to a Java implementation. I used that implementation with a small change to calculate the database hash inside my website normal user-creation flow. After this i could use mod_authn_dbd with this query:
AuthDBDUserRealmQuery "SELECT CONCAT('$apr1$',password_salt,'$',password_hash) FROM users WHERE user = %s AND realm = %s"