1
Posted on 2:23 AM by Softminer and filed under

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications


This is very good overview of application gateway


for more details view this video:


0
Posted on 3:03 AM by Softminer and filed under

Training github workshop
https://github.com/sapran/appsec_awareness_training


Enter your email and tells you if your email is being leacked
https://haveibeenpwned.com/


Owas top 10 volnerability
https://www.owasp.org/index.php/Top_10-2017_Top_10


Reward to hackers to found bugs
https://www.bugcrowd.com/bug-bounty-list/

web-dvwa is a docker sample in php which shows volnerabilities
the sample used is
https://hub.docker.com/r/vulnerables/web-dvwa/
docker pull vulnerables/web-dvwa
docker run --rm -it -p 1080:80 vulnerables/web-dvwa



















Gives you xss code that you can use in xss
https://xsshunter.com/app

SQL INJECTION
http://sqlmap.org/


List of Payload for different payloads
https://github.com/danielmiessler/SecLists


Cheat sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet


OWASP Zed Attack Proxy (ZAP)
https://www.zaproxy.org/


Sonarqube
https://www.sonarqube.org/
https://hub.docker.com/_/sonarqube/
continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities


MS Threat Modeling Tool
https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
can be used to draw your software diagram and shows you the threats


















List on known Groups per country
https://attack.mitre.org/


Security Check for http headers
https://securityheaders.com/


Test SSL server certificate
https://www.ssllabs.com/ssltest/


DAST, or Dynamic Application Security Testing
SAST, or Static Application Security Testing
IAST or Interactive Application Security Testing


Burp Suite is a graphical tool for testing Web application security
https://portswigger.net/burp

more functionality than fiddler, to start proxy should set to localhost 8080
Go here and download and install certificate http://localhost:8080/
intercept is to record traffic

https://attack.mitre.org/
List of organization and attacks

check your security headers

https://securityheaders.com/

0
Posted on 8:24 AM by Softminer and filed under ,

- Hands on Labs on build real Mobile Application and Backend services based on Azure. We will follow the diagram below in the deployment:



- App Services
- Functions & Logic Apps
- Application Insights – to monitor application that are in production
- Containers – simplify application deployments
- API Management
- SQL Databases
- Mobile DevOps & Xamarin

Also, here (https://github.com/MikeCodesDotNet/Mobile-Cloud-Workshop/tree/master/Walkthrough%20Guide/00_Setup) you will find the prerequisites for the workshop.
0
Posted on 5:21 AM by Softminer and filed under

by default asp.net is setting x-frame-options: SAMEORIGIN which doesnt allow anywebsite to embed your IFRAME to disable that you need to

  System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

But the make sure to have this value to same origin in web.config

<add name="X-Frame-Options" value="SAMEORIGIN" />


The X-Frame-Options header may contain one of three tokens:

DENY
SAMEORIGIN
ALLOW-FROM origin 


you can allow a website by

X-Frame-Options: ALLOW-FROM https://yourwebsite.com

but new browser are also taking look at this value on header: 

Content-Security-Policy: frame-ancestors 'self' https://yourwebsite.com

more about it


0
Posted on 6:42 AM by Softminer and filed under

As of IIS 8 Application Initialization is part of the IIS feature set. For IIS 7 and 7.5 there's a separate download available via Web Platform Installer. Using IIS 8 Application Initialization is an optional install component in Windows or the Windows Server Role Manager:


This is an optional component so make sure you explicitly select it.

IIS Configuration for Application Initialization
Initialization needs to be applied on the Application Pool as well as the IIS Application level. As of IIS 8 these settings can be made through the IIS Administration console.

Start with the Application Pool:


Here you need to set both the Start Automatically which is always set, and the StartMode which should be set to AlwaysRunning. Both have to be set - the Start Automatically flag is set true by default and controls the starting of the application pool itself while Always Running flag is required in order to launch the application. Without the latter flag set the site settings have no effect.

Now on the Site/Application level you can specify whether the site should pre load:


At this point ASP.NET apps should auto-load. This is all that's needed to pre-load the site if all you want is to get your site launched automatically.

If you want a little more control over the load process you can add a few more settings to your web.config file that allow you to show a static page while the App is starting up. This can be useful if startup is really slow, so rather than displaying blank screen while the user is fiddling their thumbs you can display a static HTML page instead:






This allows you to specify a page to execute in a dry run. IIS basically fakes request and pushes it directly into the IIS pipeline without hitting the network. You specify a page and IIS will fake a request to that page in this case ping.ashx which just returns a simple OK string - ie. a fast pipeline request. This request is run immediately after Application Pool restart, and while this request is running and your app is warming up, IIS can display an alternate static page - Startup.htm above. So instead of showing users an empty loading page when clicking a link on your site you can optionally show some sort of static status page that says, "we'll be right back". I'm not sure if that's such a brilliant idea since this can be pretty disruptive in some cases. Personally I think I prefer letting people wait, but at least get the response they were supposed to get back rather than a random page. But it's there if you need it.

Note that the web.config stuff is optional. If you don't provide it IIS hits the default site link (/) and even if there's no matching request at the end of that request it'll still fire the request through the IIS pipeline. Ideally though you want to make sure that an ASP.NET endpoint is hit either with your default page, or by specify the initializationPage to ensure ASP.NET actually gets hit since it's possible for IIS fire unmanaged requests only for static pages (depending how your pipeline is configured).


https://weblogs.asp.net/scottgu/auto-start-asp-net-applications-vs-2010-and-net-4-0-series
0
Posted on 6:20 AM by Softminer and filed under , ,

First download the sample here:
https://developer.xamarin.com/samples/monodroid/Firebase/FCMNotifications/

Then you have to create a project in Firebase
http://firebase.google.com

download google-services.json
right click on the google-service.json and set the Build Action vlaue to GoogleServicesJson



when your app is running the device get the token.

To send notification to device you need serverkey which you get from firebase server and token which you get from device in running mode

To send by postmann



you can write small c# code to post to sever by webclient:


using (var client = new WebClient())
     {
        var values = "{\"to\" : \"toekn",\"notification\" : {\"body\" : \"test\",\"title\" : \"title\",\"icon\" : \"myicon\"}}";
         client.Headers.Set("Content-Type", "application/json");
          client.Headers.Set("Authorization", "key=serverkey");
         var response = client.UploadString("https://fcm.googleapis.com/fcm/send", values);
         }


Using Microsoft Azure

using System;
using Microsoft.Azure.NotificationHubs;

namespace SendToNotificationHub
{
    class Program
    {
        public static string connectionString = "Endpoint=sb://app.servicebus.windows.net/;SharedAccessKeyName=DefaultFullSharedAccessSignature;SharedAccessKey=yourkey";
        public static string NotificationHubPath = "your-hub";

        static void Main(string[] args)
        {
            SendNotificationAsync();
            Console.ReadLine();
        }


        private static async void SendNotificationAsync()
        {
            NotificationHubClient hub = NotificationHubClient.CreateClientFromConnectionString
            (connectionString, NotificationHubPath);
            var alert = "{\"aps\":{\"alert\":\"Hi!\"}}";
            await hub.SendAppleNativeNotificationAsync(alert);
        }
    }
}
0
Posted on 8:40 AM by Softminer and filed under ,

to host on IIS



on project properties

IIS express

Project files have the information related to the IIS Express and it’s basic settings; whereas there are several configuration files that are required to host and run a web application.  You can find all the IIS Express related files under \users\\My Documents \ IISExpress\Config .

Open the “applicationhost.config” file in any text editor, and search for your web application name. You will find a section similar to the image shown in below.
Configuration Settings
http://dailydotnettips.com/2014/01/29/5-internal-things-that-you-should-know-about-iis-express/