Questions tagged [.net]

A runtime, architecture, and libraries for Microsoft Windows used for creating applications.

1 vote
1 answer
137 views

Understanding how to correctly mitigate CVE-2024-38095

I am trying to understand under which circumstances CVE-2024-38095 applies. When reading the advisory (https://github.com/dotnet/runtime/security/advisories/GHSA-447r-wph3-92pm), one finds the ...
Felix's user avatar
  • 273
2 votes
0 answers
73 views

Issue with Single Sign-On (SSO) Implementation for WPF application with ADFS/MSAL

I'm encountering an issue with the implementation of Single Sign-On (SSO) in our WPF application, and I'd appreciate some guidance or insights from the community. Here's a breakdown of our setup: We ...
Barry Allen's user avatar
0 votes
1 answer
277 views

Best practises regarding authentication in SPA/API solutions with SSO

There is really not that great information on what the best practices are for auth in SPA/API solutions. Most of them just say use JWTs and auth code flow in the SPA. There is a ton of information ...
ryansan's user avatar
  • 113
0 votes
0 answers
70 views

Trouble understanding hash_extension tool examples for hash length extension attack (C#)

I am trying to follow the example of how a hash length extension attack works using the article here: https://www.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks ...
arvedellis's user avatar
0 votes
0 answers
137 views

Looking for a very basic encrypt/decrypt with a shared key for .net web application

Building a .Net 6 web app and storing data in On-Prem database. I collect some sensitive data that needs to be stored in the database in a format that is not easily readable. I also need to retrieve ...
BattleFrog's user avatar
0 votes
0 answers
315 views

XSS Payload That Can Bypass Special Character Check

I developed the following C# algorithm to prevent XSS attacks: private bool Is_There_XSS_Payload(string arg) { Regex regex = new Regex(@"^[a-zA-Z0-9]+$"); bool result = ...
KosD's user avatar
  • 1
1 vote
0 answers
1k views

Uploading webshell in ASP.net application using directory-traversal and file-upload vulnerability

On my target site, I found two vulnerabilities, unrestricted file upload (to any directory) and directory traversal. I have two endpoints: 1- site.com/fileUp : uploads file { ----Request Parameters---...
Abu Bakar's user avatar
0 votes
1 answer
241 views

Exploit user controllable C# code in webapp

The application in question offers the option to create arbitrary C# code and execute it at any time. These could be considered macros to customize certain tasks. Say that a normal user, who would ...
drazse's user avatar
  • 3
0 votes
1 answer
150 views

Storing a key in a reasonably safe way

I’m developing an application that will run on a private, on premises network. The application will be accepting requests through an API, read some encrypted data from the disk, decrypt them, do some ...
Q-bertsuit's user avatar
2 votes
1 answer
596 views

Is it better for security to not run Nginx and Backend inside docker but use docker only for database and not external exposed services?

I'm not a Docker specialist, I know how to install, configure and do only basic Docker hardening based on Docker official documentation. I know nothing about AppArmor, SELinux and GRSEC. But I need to ...
Awill Moto's user avatar
-3 votes
1 answer
298 views

Decode Encrypted Password help me [duplicate]

Help me to decode the below password 68H++v5FX/kUty5/itzflw== Above is the password stored in the SQL table
Nikunj Chovatiya's user avatar
0 votes
1 answer
800 views

How to preserve key in TPM 2.0

I've been looking into TPM 2.0 with .NET (TSS.MST), and I don't understand how to preserve key upon application rerun. TSS.MST provides a binary simulating the TPM2.0 device and the app is connecting ...
Kostas Moisidis's user avatar
4 votes
1 answer
4k views

Can we add TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 on windows server 2012 using gpedit although not supported by windows OS by default?

We are using IIS on Windows 2012-R2 server to host dotnet apps. From the app, when we try connecting to an external 3rd party api we see TLS handshake failure. On running ssllabs test on that api, I ...
dhanush shetty's user avatar
0 votes
1 answer
241 views

Is the .NET runtime really not signed?

I'm doing a manual install on Linux of the .NET runtime which can be downloaded from dotnet.microsoft.com. MS do provide a SHA512 checksum of the file on the site, but that can't be used to verify the ...
MrCalvin's user avatar
  • 109
0 votes
1 answer
640 views

How to protect private key for client cert in machine store? Is it acceptable for it to be exportable?

Is it acceptable to store a client cert's private key as exportable in the computer's certificate store? I have a .NET desktop app that installs client certificates in local machine\personal. The ...
Peter Dongan's user avatar