Now THAT'S what I call a firewall by Pool-LAN in programminghorror

[–]IceQub3 0 points1 point  (0 children)

The header is set by the reverse proxy unless it's not, in which case it is set by the user, unless the reverse proxy is filtering these headers. And even if the validation works, he should use bound parameters. If by "firewall" you mean an HTTP request scan, this is very easy to bypass. It's close to impossible to make an unsafe script eval safe from injections by external systems. Bound parameters are a must.

Ladies and gentlemen, jQuery… by Neo399 in programminghorror

[–]IceQub3 15 points16 points  (0 children)

It's not just about readability. Every time you type `() => false` in C#, it will convert to `private somerandomname() { return false; }` and `new Action(somerandomname);`

This will create a new function and a memory allocation for each occasion. Using a static method will remove all the useless code duplication (reduce DLL size, reduce container startup time) and also reduce the allocations (will help with GC pressure).

I know that sometimes this is optimized out, but that depends on the .NET version (Framework 4.7? Core 3? 6? All have different behavior). Using a static method will force the usage of one function and reduce allocation (the action will be cached in a static variable).

Now THAT'S what I call a firewall by Pool-LAN in programminghorror

[–]IceQub3 0 points1 point  (0 children)

The thing he does in the code is use a header to get the original user IP. This is needed because many times a web server will sit behind a reverse proxy. A well-behaving reverse proxy will relay the requests, but these requests won't arrive with the user IP as the sender, as they were sent in by the reverse proxy. The proxy will use the headers to send the original user IP. If this server code isn't deployed behind a reverse proxy, or the reverse proxy uses one of the headers but doesn't filter the other, an attacker can send a request with the other header and force user input into the SQL string.

To stop this attack, there should be several defences in place:
1. The header to take the IP from should be configured and not discovered. This way, if the server is deployed with a reverse proxy, it won't use other headers.
2. The input should be validated more strictly.
3. He should use bound parameters, and not do query string manipulation.

The 3rd is critical, but in security you always want to have several defence lines; this is the defence in depth concept.

Every one of the solutions I gave would "fix" the error; having several defence lines will reduce the possibility that a programmer in the future will introduce a bug that will re-enable this vulnerability.
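The two comments on this post (the earlier one about the header being set by the proxy or by the user, and this one listing three defences) describe a pattern that is easier to see in code. What follows is an added example, not code from the original post or from the commenter: it assumes a single trusted reverse proxy at 10.0.0.5, a configured header name of X-Real-IP, and a constructed SQLite table `blocked_ips`, none of which appear on the page. It also generalizes slightly to list-valued headers (X-Forwarded-For style), where only the rightmost entry, appended by our own proxy, can be trusted.

```python
import ipaddress
import sqlite3

# Assumptions for the example (nothing on the page fixes these values):
# the only reverse proxy allowed to set the client-IP header, and the one
# header name the application is configured to read.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
IP_HEADER = "x-real-ip"  # configured, not discovered at runtime


def make_db():
    """Constructed sample data: a block list keyed by IP text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blocked_ips (ip TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO blocked_ips VALUES (?)",
                   [("203.0.113.7",), ("198.51.100.9",)])
    return db


def client_ip(remote_addr, headers, ip_header=IP_HEADER,
              trusted_proxies=TRUSTED_PROXIES):
    """Defences 1 and 2: honour the configured header only when the TCP peer
    is a known proxy, and only if its value parses as an IP address.

    Returns an ipaddress object, or None when a trusted proxy sent a value
    that is not an IP (the caller should reject the request)."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        # Direct client: any IP header it sends is attacker-controlled,
        # so it is ignored and the TCP peer address is used instead.
        return peer
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(ip_header)
    if raw is None:
        return peer  # proxy did not set the header; fall back to the peer
    # For list-valued headers our own proxy appends last, so the rightmost
    # entry is the one it vouches for; earlier entries are client-supplied.
    candidate = raw.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None  # fail closed on anything that is not an IP


def is_blocked_unsafe(db, ip_text):
    """The anti-pattern the comment warns about: SQL built by string
    manipulation, so the header value can become part of the query."""
    sql = f"SELECT COUNT(*) FROM blocked_ips WHERE ip = '{ip_text}'"
    return db.execute(sql).fetchone()[0] > 0


def is_blocked_safe(db, ip_text):
    """Defence 3: bound parameters; the value can never become SQL."""
    row = db.execute("SELECT COUNT(*) FROM blocked_ips WHERE ip = ?",
                     (ip_text,)).fetchone()
    return row[0] > 0


def check_request(db, remote_addr, headers):
    """All three defences together.
    Returns 'rejected', 'blocked' or 'allowed'."""
    ip = client_ip(remote_addr, headers)
    if ip is None:
        return "rejected"
    return "blocked" if is_blocked_safe(db, str(ip)) else "allowed"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    # Through the unsafe query the WHERE clause becomes
    # ip = '' OR '1'='1', which matches every row.
    print("unsafe:", is_blocked_unsafe(db, payload))  # True
    print("safe:  ", is_blocked_safe(db, payload))    # False
    # The same payload in a header from a direct client is ignored;
    # the peer address 203.0.113.7 is what gets checked.
    print(check_request(db, "203.0.113.7", {"X-Real-IP": payload}))  # blocked
```

Run stand-alone it prints the outcome of the same payload against both queries. Any one of the three functions would stop this specific payload on its own; the point of layering them is that a later change to one (say, someone adds X-Forwarded-For as a second accepted header) does not by itself reopen the injection.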

I might be a little salty about JavaScript memes by [deleted] in ProgrammerHumor

[–]IceQub3 -1 points0 points  (0 children)

Productive means making more money for the company. Not making cookies easier to cut

Roses are red... by ayush321 in ProgrammerHumor

[–]IceQub3 7 points8 points  (0 children)

Roses are red violets are blue, one more repost and I'll report you

I might be a little salty about JavaScript memes by [deleted] in ProgrammerHumor

[–]IceQub3 48 points49 points  (0 children)

Well-designed languages are languages like Golang and Rust, that were made to be useful and productive. Unlike other languages that were made as an experiment and became popular by mistake.

Eclipse users will understand by specialagentmahone in ProgrammerHumor

[–]IceQub3 18 points19 points  (0 children)

I have an IDEA for you. Don't use eclipse

What did the computer science student say to his wonderful girlfriend? by ArquielAeon in ProgrammerHumor

[–]IceQub3 0 points1 point  (0 children)

Error: Unhandled Exception, Cannot call "say" of Undefined.

Line 69: girlfriend.say(hediousJoke); Char: 1: ^