Skip Ribbon Commands
Skip to main content

Dev Blog

mrt 21
Learning Web App Security with Google Gruyere
I've been developing web applications for almost 10 years now, but I was rarely concerned with application security issues. To be sure, I am a defensive programmer, meaning that I do all kinds of checks on the inputs received by my functions, leaving very little to chance. But although I heard much about cross site scripting (XSS) and SQL injection, I didn't have a very clear understanding of these concepts. I relied on best practices (like parametrized database queries) and inherent ASP.NET features like request validation to take care of malicious inputs, be it form variables or query string parameters.

Yet I always had a gnawing feeling that I should get more understanding of web app vulnerabilities, attacks and defenses. So this month I started to look for way of how I can brush up on this important topic.

I found a couple of books, of which this one seems to collect a lot of praise from readers: The Web Application Hacker's Handbook (WAHH). I started to read the book, but I also wanted something more practical. I came across Open Web Application Security Project (OWASP) with its plenitude of resources and the famous OWASP Top 10 list of web app security flaws.

OWASP members also develop security software such as the security testing tool ZAP and the request intercepter proxy WebScarab. Both I really handy and easy to use.

OWASP has also produced WebGoat, a fictitious web application full of vulnerabilities that you can run and test locally on your PC. WebGoat has a number of lessons to teach about various security flaws that you can try to discover on your own with the help of some hints. Although a great resource, I found WebGoat somewhat lacking in the quality of their materials.

And then I stumbled upon Google Gruyere, which is a very elaborate web security code lab from Google Code University. It is much similar to WebGoat in that it gives you a sandbox to learn about and try to dicover security flaws in a Python web application that you can run either locally or online. It does a great job of explaining various security concepts and provides challenges to explore them in practice as well as guidance on how to guard against them. It is especially good at explaining the various flavors of XSS attacks, but it also provides a good foundation for understanding many other topics such as path traversal, denial of service and code execution. It touches upon but doesn't go into the details of SQL injection.

Learn how to make web apps more
secure. Do the Gruyere codelab.

I've gone through the lab and thoroughly enjoyed the challenges and learned to use the tools like WebScarab and ZAP. I'd recommend it to anyone interested in web application security!

In parallel I did some security testing of the web applications that I've been involved with for the last year or so. I found that ASP.NET does a great job protecting ASP.NET applications from certain types of attacks out of the box. I found some minor flaws that are mostly due to relying too much on client side validation and forgetting to validate user input again on the server. A quite trivial example of this is being able to intercept a request and change the house number to a negative value. But I also discovered a more serious exploit using the same technique, which I will not describe here :)

The main lesson that I've drawn so far is that we should never trust input coming into our applications, be it through a web browser or a web API. Most security flaws in software result from sloppy programming. Web developers should be well aware of these issues and write their code defensively and test it thoroughly not only from the point of view of functionality but also security-wise.

To sum up, these have been very interesting and instructive few weeks. Web application security is a fascinating topic and I look forward to diving even deeper into it!

Happy coding!
mrt 14
ASP.NET debug="false" and line numbers in error stack trace

The original post appears here:

It's a good practice to always log run-time errors to a database table or a log file or both. It is also nice to have line numbers appear in the stack trace to be able to see where in your code the error appears. For some types of errors, e.g. for exceptions of type NullReferenceException, this is especially relevant as there is no other way to determine what went wrong.

In the past I had to deploy a debug build of the application and set debug="true" within the compilation section of web.config, in order to be able to see the line numbers in error logs. But this is not a good idea, as this adversely affects application performance (see this blog from Scott Guthrie for more details and this blog for even more details). So please, always set debug="false" in production environments. Or, even better, set deployment retail="true" in your production machine.config

But what do we do if we really want more detailed error information in our logs? There appears to be a workaround for that which is quite easy to implement. In the web.config that you use to build the release version of your application (either via publish or build server) keep debug="false", but set /debug:pdbonly option in the compilerOptions attribute of the compiler element (for more details about this compiler option read this MSDN article and this blog article). This will emit your optimized release assemblies together with corresponding .pdb files containing all the information needed to reference files and line numbers in exception stack traces. You can then deploy the build output into your production environment.

This will allow you to log error details like line numbers without significantly affecting the performance of your compiler-optimized release assemblies. Warning: if you do this, then also please make sure that you don't set customErrors mode="off" so that you don't expose detailed exceptions to remote users (which is a wise thing to do from security standpoint!)

Happy coding!

sep 05
Stopwatch Class and Handy Static Methods of Enumerable

It's amazing how much there is to discover about .NET Framework! A couple of days ago I came across a neat little class called System.Diagnostics.Stopwatch, which was introduced in .NET 2.0! This class comes in handy when you want to measure how long certain operations​ take to execute. I used to work with endTime - startTime, which yiels a timespan, which than needs to be converted to milliseconds or something:

            startTime = DateTime.Now;
             // do the processing
            endTime = DateTime.Now;
            long msElapsed = (endTime - startTime).Milliseconds / TimeSpan.TicksPerMillisecond;

The Stopwatch class makes our life a bit easier:

            Stopwatch sw = new Stopwatch();
             // do the processing
            long msElapsed = sw.ElapsedMilliseconds;

Another handy little thing to know is that the System.Linq.Enumerable class has 3 very useful static methods:

Enumerable.Empty<T>() returns an empty set of class T

Enumerable.Range(int start, int count) returns a range of count integers starting from start

Enumerable.Repeat(TResult element, int count) returns a sequence of count objects of type TResult

Happy coding!

aug 23
Sync user declared in database and SQLserver

To have the user sync-ed in both database/users and SQL-server/users:

execute sp_change_users_login 'AUTO_FIX', [name_of_the_user_in_SQLserver]






jun 26
Oracle for .NET Developers

Even though I've been developing data driven applications for some 8 years or so, you'd be surprised to learn that I had never actually developed against an Oracle database. I've worked mostly with SQL Server, but also occasionally with MS Access and MySQL. Yet Oracle had always been terra incognita for me, until early this month I got two different assignments at two different customers, and both of them involved an ASP.NET web application with an Oracle back end!

Not that I was very happy about that, but I decided to approach it in this spirit of "I can do it" and "live and learn". Well, it took me some extra time to figure out how to work with an Oracle client, how to set up an Oracle Express database on my laptop, how to work with Oracle development tools such as Oracle SQL Developer and Toad for Oracle. But in the end I got it working just fine and learned quite a bit in the process.

So if you are a .NET developer and have to program against an Oracle database, this is how you can set up your development environment:
  1. If you like working with .NET Entity Framework and LINQ for your data access (and I think you should), do install the Oracle Data Access Components for Microsoft Entity Framework. At the moment it is in beta, but it works just fine! This install includes the Oracle Instant Client, Oracle Data Provider for .NET 4 and Oracle Developer Tools for Visual Studio.
  2. If you don't want to work with Entity Framework, just install the latest version of the Oracle client.
  3. Install the free Oracle Express database for your local development.
  4. Install the free Oracle SQL Developer tool, which can be compared to SQL Server Management Studio Express. You may also wish to try the licensed Toad for Oracle, which to my taste has just too many features.
  5. In Visual Studio, open the Server Explorer and add a data connection to your Oracle Database by using Oracle Data Provider for .NET. Then generate an entity model based on this connection.
  6. When setting up a connection string to an Oracle database in a test or production environment, I recommend using a full connection string without a reference to tnsnames.ora, which looks something like this:
    Even though this may seem a bit cumbersome, I found that it's better to use such a connection string instead of relying on the tnsnames.ora file, especially if there are different versions of an Oracle client installed, each having its own tnsnames.ora file.
Because of time pressure, in this particular case I had to abandon my favorite approach to new things, which is reading a good book on the subject, in favor of the "trial & error" approach. But I hope that one day I'll read a good (and small!) book about Oracle in order to better understand concepts behind it.



jun 06
Use Linked Reports in SQL Server Reporting Services!
A couple of weeks ago I was asked to develop a number of reports in SQL Server Reporting Services 2005. Most of these reports display information from different websites that the client develops and hosts for their own clients, something like 25 different websites. 

My client's original idea was to create a "template" report that can then be copied for each website separately.​ The problem with this approach is of course that if something needs to be changed, the change will have to be copied into all 25 reports.

My initial idea was to use a join in my sql queries to the Active Directory, so that based on the current user I could figure out which AD user groups the user belongs to and then, based on a naming convention, derive from the group names which websites the user should have access to. Well, that's sort of complicated. I couldn't even get a linked server to the Active Directory working, probably because of some permissions problems.

And then I decided to use my favourite approach: I found this pretty good book on the subject:, skimmed through its contents and found an elegant solution in one of the last chapters.

The idea is

  1. to have website as a parameter in your report;
  2. put the report in a hidden folder on the Report Server available only to users authorized to view the information across websites; we'll call it the base report;
  3. create a folder for each website and set permissions on each folder;
  4. from the base report create a linked report for each website in the corresponding website folder
  5. in the linked report, go to the parameters configuration page, set the default value of our website parameter to the desired value and choose not to prompt the user for the parameter value.

To sum up, we now have a base report available to the cross-site admins and a website-specific linked report available to the website admins. If the report needs to be changed, in most cases we'll only need to update the base report!

Another useful best practice that I learned from the book is to create a template report containing the basic layout: the header, the footer, the logo, page numbering, etc. Then we can place this template .rdl report into the visual studio folder where Report Designer stores its templates (for VS2005, it can be C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\ProjectItems\ReportProject) . After that, when we add a new report to our Visual Studio report project, the template will appear in the list of installed templates for us to choose from. When we create a new report based on the template, we'll get all the formatting and features from the template and can then proceed to modify the report as desired:

Happy coding!

jun 01
How to combine URLs with relative paths in C#

Many of us are familiar with the wonderful class System.IO.Path. It makes life a lot easier when working with file system paths, for example:

string filePath = System.IO.Path.Combine(@"c:\docs", @"important\", "myfirst.doc");

This results in this path: c:\docs\important\myfirst.doc
This is handy when you need to combine a (part of the) path coming from a config file or as a parameter and you don't know for sure whether people work with trailing or leading slashes or not. The static methods of the Path class take care of that for us!

Now, I've been wondering for some time if there is a way to do something similar with URLs and relative paths. The easiest way to do this that I found is to use the constructor of the System.Uri class:

string webPath = new Uri(new Uri(""), @"\public\default.aspx").ToString();

This results in To be on the safe side, you should even better use this static method of the Uri class: System.Uri.TryCreate(...).

There is also a class called System.Web.VirtualPathUtility However it works only with the paths from the current web app context and cannot be used for the above scenario.

Happy coding!

mrt 19
Silverlight Fourier Filter

I would like to present a small Silverlight application which demonstrates the fourier filtering technique. Fourier filtering is used in image manipulation and compression. I thought it might be an interesting topic for a little Silverlight project.

For those interested in the Fourier Filtering background, this page explains the theory, while this page contains the Java applet which highly inspired my project. The Java applet works, like many Fourier Filter examples, only with gray-scale images, while this Silverlight demo works with colored images.

I used Prism as MVVM support library, just to pick-up some experience. I also used Exocortex’s FFT (Fast Fourier Transform) library for the fourier operations; converted and adapted for Silverlight.

Anyway, the demo application shows an original and filtered image at the top (Yes, the instructions are here, it’s a demo!). At the bottom it shows the DFT (Discrete Fourier Transform) spectrum, plus a tabcontrol where you select a filter type.




It works is like this: Select a filter at the bottom-right, adjust the parameters and click on the “Filter” button at the right top. As a result you will see that the DFT spectrum has changed, where the filter is applied the pixels are black. Fourier filtering is applied to the original image and the result is shown in the top right. I liked this quite simple interface.

Learning points

I spend quite some time to overcome the peculiarities of the Exocortex FFT library. For those interested in the fourier transform operations, should check out the code for forward/backward FT, and the recreation of the (filtered) image.

For this particular project, Prism is probably far too heavy weight; many Prism features were not used. Prism’s key feature, as I see it, is the integration with MEF and Unity. I think Prism is very suitable for larger projects, where different teams work on different parts of the userinterface. That said, what would be the best MVVM library to use in this little project? Well, I could have done it without a library and still do it the MVVM way. Actually, that’s what I did first, I introduced Prism later.

To stir up the discussion, this project contains an example when NOT to use the MVVM pattern. Even Prism’s manual makes this suggestion. The example is in the interactive controls to manipulate the filter settings. These controls have (warning: upcoming bad language) code behind. It is possible to write these interactive filter controls in the MVVM way, but you just shouldn’t do it. These interactive usercontrols implement specific filter-parameter manipulation, which you won’t reuse anywhere else. And it is hardly pointless to write a unit-test, which checks whether function A positions object B at position X,Y, when its correctness can only be judged by the human eye. So this is probably a great example to counter the MVVM purists.

For the Silverlight designers, this code has a nice example how to create a filled rectangle with a hole in it, while being able to manipulate its geometry. Check out the interactive filter control for the high-pass filter if you are interested.

Download the sources (Visual Studio 2010 required): Demo Sources

Download the binaries (open the included HTML file in your browser): Demo Binaries


Follow me on Twitter:

feb 24
Kinect voor Silverlight

Hadden we voor Silverlight al een “method of failed”, nu hebben we zeker een “method of cool”. De jongens van Codeplex project “Miria” hebben het voor elkaar gekregen om Kinect te koppelen aan Silverlight. En daar eindigt het zeker niet, omdat er reeds koppelingen bestonden voor andere multi-touch interfaces, en een koppeling met een Wii controller.

Klik hier voor een demonstratie filmpje (ze hadden wat mij betreft de muziek wel mogen weglaten).

Klik hier voor het Miria project op Codeplex.

En omdat we de smaak te pakken hebben, klik hier voor een filmpje waarin een bal-spelletje op een laptop wordt bestuurd met een smartphone.

feb 18
Unit Test Deployment files not found in VS2010

When writing Unit tests, it is sometimes useful to use specific files for a specific Unit test. With help of the TestContext object in a Unit test class you can easily deploy files along with your Unit Tests.

Everytime a Unit test is executed, the file(s) is published to an output Directory. This file can then be used for your Unit test.

        [DeploymentItem("SQLScripts\\Fill_DB_WithTestData.sql", "Fill")]
        public void Select_Data_Returns_DataOrderedByDateDescending()
            string fillFile = Path.Combine(TestContext.TestDeploymentDir, "Fill\Fill_DB_WithTestData.sql");


The files that you want to deploy must be set to “Copy Always” in the properties window.


Then it should work.

But!!!! In VS 2010 a setting is disabled where it was enabled in VS 2008. Deployment of files is now default switched off!

In order to switch it on go to Menu | Test | Edit Test Settings and select the active one (Test | Select Active Test Settings)

Click Deployment and Check the box!


Happy Testing !

1 - 10Next