MVC Application In Azure Common Vulnerability Resolution

While working with enterprise-grade ASP.NET applications, maintaining security is a key goal. In today's development world it is not only about conforming to standards and practices; you also need to meet compliance requirements, and doing so ultimately becomes a key selling point for the product.

In this post I will point out solutions to a few findings from the vulnerability test specific to McAfee Secure compliance. If you take a close look, though, they have nothing to do with any particular vendor's compliance program; they are must-do items for any ASP.NET web application.

ASP.NET DEBUG Method Enabled Security Issue Vulnerability

Threat

ASP.NET debugging is enabled on the host. An attacker can send debug statements to the remote ASP scripts.

Solution

Disable debugging. In the web.config of the target web application, set the debug attribute of the compilation element (inside <system.web>) to false:

<compilation debug="false"/>

Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

Threat

ASP.NET applications by default send information about the site (server and framework versions) with each response. A target host using HTTP may also be vulnerable to this issue.

Solution


In web.config

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

In Global.asax.cs, in Application_Start:

MvcHandler.DisableMvcResponseHeader = true;
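To confirm the two changes above actually took effect after a redeploy, here is an added example (not from the original post) that parses a raw HTTP response and reports headers that disclose the server or framework stack, or that carry a private (RFC 1918) IPv4 address such as an internal address in a Location header. The sample response is constructed; besides the two headers the post removes, it also flags the Server and X-Powered-By headers that IIS sends by default.

```python
# Added example (not from the original post): parse a raw HTTP response and
# report headers that disclose the server/framework stack or carry a private
# (RFC 1918) IPv4 address, e.g. a Location header with the internal address.
import ipaddress
import re

# The first two are what enableVersionHeader="false" and
# MvcHandler.DisableMvcResponseHeader remove; the other two are IIS defaults.
DISCLOSURE_HEADERS = {
    "x-aspnet-version": "ASP.NET version (httpRuntime enableVersionHeader)",
    "x-aspnetmvc-version": "MVC version (MvcHandler.DisableMvcResponseHeader)",
    "x-powered-by": "platform hint (X-Powered-By)",
    "server": "web server product/version",
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_headers(raw_response):
    """Return {lower-case name: value} from the header block of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers):
    """Return sorted (header, reason) findings; an empty list means clean."""
    findings = []
    for name, value in headers.items():
        if name in DISCLOSURE_HEADERS:
            findings.append((name, DISCLOSURE_HEADERS[name]))
        for candidate in IPV4_RE.findall(value):
            try:
                if ipaddress.ip_address(candidate).is_private:
                    findings.append((name, "private IP " + candidate + " in value"))
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is no address
                pass
    return sorted(findings)


# Constructed sample: a default ASP.NET MVC redirect response, before hardening.
SAMPLE = ("HTTP/1.1 302 Found\r\n"
          "Location: http://192.168.1.10/login\r\n"
          "Server: Microsoft-IIS/8.5\r\n"
          "X-AspNet-Version: 4.0.30319\r\n"
          "X-AspNetMvc-Version: 5.2\r\n"
          "X-Powered-By: ASP.NET\r\n"
          "Content-Length: 0\r\n\r\n")
```

Run `find_disclosures(parse_headers(SAMPLE))` against a response captured from your own site; after the web.config and Global.asax changes the two version headers should no longer appear.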

Remote Management Service Accepting Unencrypted Credentials Detected

Threat

A remote management service (Telnet, FTP) accepts unencrypted credentials. A malicious user or bot can easily intercept unencrypted passwords in transit and gain unauthorized access.

Solution

Use alternative services that provide encryption. The most common case is the FTP service within IIS; the solution to this problem is to use SFTP instead of FTP.

Tools To Check Vulnerability Issues

asafaweb Security Analyser

A free online service to test the configuration of any SSL web server

Asp.NET MVC Performance Tuning Guidelines

In today's world every application is expected to perform faster and smoother; it is part of the overall user experience (UX). With the advancement of technology and infrastructure, it is widely expected that an application will not only do the job correctly but also do it within a reasonable time. No one now wants to wait five minutes to load a page or complete a job while using a system. At this stage of UX evolution, performance tuning is a common software development practice.

Put simply, performance tuning means identifying the issues that slow down the application and applying a few techniques to improve performance.
In this post I will focus only on performance tuning of web applications. Tuning any web application has three steps:

  1. Insight
  2. Tune client end
  3. Tune server end

Insight

Before making your move, you first need to know what the problem with your application is: where you need to optimize and what your priorities are. To get these insights you need tools. Some tools provide insight into the client end, the rest into server-end performance. Selecting the right set of tools and using them is the first step of performance tuning.

Tune client end

Speeding up response time is crucial for UX and directly affects user satisfaction. A few tips and tricks can help you speed up your web application's response time. Most of that time is spent downloading all the components of the page, so minimizing it is the key to a faster response.

Tune server end

Server-side tuning mainly focuses on low latency: how can we speed up the work the application is doing at the server end? This may involve database calls, file operations or external API calls, or a few complex but poorly constructed pieces of business logic may be the culprit. Newer ASP.NET frameworks (4.5/5) ship (or are about to ship) with many performance improvements and features; the question is how efficiently we can use them.

Tools To Get Insight

Glimpse: for client-end insight

Visual Studio Profiling: the Visual Studio tool for performance diagnosis.

Client Side Tuning

  • Use cookies for frequently accessed, non-sensitive information
  • Use the HTML5 async attribute on script tags to enable asynchronous loading:

Scripts.RenderFormat(@"<script src='{0}' async></script>", "~/bundles/jquery")

  • Use a Content Delivery Network (CDN)
  • Minify JavaScript and CSS
  • Avoid CSS expressions
  • Remove duplicate scripts
  • Make Ajax calls cacheable
  • Choose <link> over @import
  • Optimize images
  • Don’t scale images in HTML
  • Don’t put empty image src
  • Make favicon.ico small and cache-able

Server Side Tuning

  • Run your site in Release mode, not Debug mode
  • Reduce the number of requests to the server by bundling
  • Use Base64 Data URIs
  • Avoid passing null models to views
  • Do not use Session or TempData (which uses Session)
  • Add gzip (HTTP compression) and static caching (images, CSS, …) in your web.config:

<system.webServer>
  <urlCompression doDynamicCompression="true" doStaticCompression="true" dynamicCompressionBeforeCache="true"/>
</system.webServer>

  • Tell the web server to set the "Expires" header to a far-future date, effectively telling the browser to cache static content forever:

<staticContent>
  <clientCache httpExpires="Sun, 29 Mar 2020 00:00:00 GMT" cacheControlMode="UseExpires" />
</staticContent>

  • If you use Razor, add the following code to your Global.asax.cs. By default ASP.NET MVC registers both the ASPX view engine and the Razor view engine; this keeps only the RazorViewEngine:

ViewEngines.Engines.Clear();

ViewEngines.Engines.Add(new RazorViewEngine());

  • Replace foreach/for loops with LINQ wherever possible.
  • Avoid multiple database calls to load related data that serves one request. Say you make two separate DB calls to get a page of users and the total number of users for a paging request; merge those two requests into one.
  • Use an in-memory cache for non-cloud applications and a distributed cache for cloud ones.

Optimizing or improving performance is a continuous effort. Monitor the application regularly and think about user behavior and interaction and the corresponding responses to get the most out of it. And as a note: load testing is an excellent way to find out how your application behaves before your clients do.


MongoDB Tip & Tricks

Commands

Update a specific field value for a collection:

Example: Update “CampaignId” field across entire collection

db.Prospects.update(
   {},
   { $set: { CampaignId: ObjectId('54ec891dc8efe23e3e0fb1ef') } },
   { multi: true }
)

Remove a specific field value for a collection:

Example: Remove “CampaignId” field across entire collection

db.Prospects.update(
   {},                               // empty filter matches every document
   { $unset: { CampaignId: "" } },   // drop the field; the value is ignored
   { multi: true }                   // without multi:true only the first match is updated
)

Filter documents in a collection by a list of Ids, equivalent to SQL "IN".
Example: retrieve documents whose "ProductId" is in a list, across the entire collection (C# driver):

using MongoDB.Bson;
using MongoDB.Driver;

// Collect the ObjectIds to match
var ids = new List<ObjectId>();
for (int index = 0; index < Products.Count; index++)
{
  ids.Add(ObjectId.Parse(Products[index].Id));
}
// $in filter: matches any document whose ProductId is one of the ids (SQL IN)
var filter = Builders<BsonDocument>.Filter.In("ProductId", ids);
return await _database.GetCollection<BsonDocument>("AnalyticsSummary")
  .Find(filter)
  .ToListAsync().ConfigureAwait(false);

Rename a specific field value for a collection:
Example: Rename “CampaignId” field to “CampaignName” across entire collection

db.getCollection('CampaignSummary').update({},{ $rename: { "CampaignId": "CampaignName" } }, false, true )

The false, true arguments in the call above are { upsert: false, multi: true }. You need multi: true to update all your records.

MongoDB Bulk Data Import From CSV

Background

mongoimport is a very handy tool for bulk data import. For the simplest form of importing data into your collection it is the only built-in tool available; alternatively, one can build an import utility. At present the tool has limited capability and can only import data from Extended JSON, CSV or TSV.

To help you, I have provided a fully functional data import file with 1.3 million+ records. You can download it from here and use it as you like.

Using Import Utility

The data import process is very easy. Let me describe it step by step.

Create a *.csv file for import whose first row holds the column/header names.

1) Place the import data file under MONGO_ROOT/BIN/

2) From a shell, navigate to bin under the Mongo installation directory

3) Execute the following command:

mongoimport -d [DB_NAME] -c tmpprospect --type csv --file [IMPORT_FILE_NAME].csv --headerline

If you use the import file I provided, the command looks like this,
where DB_NAME is "hawk" and [IMPORT_FILE_NAME] is "hawk-prospect-data":

mongoimport -d hawk -c tmpprospect --type csv --file hawk-prospect-data.csv --headerline

4) You will see the mongoimport utility split the import file into chunks of 10k records and import them one by one.

[Screenshot: mongoimport output]

As you can see in the screenshot above, each CSV column name became a property name in the BSON document, so each record of the CSV file is inserted as a new BSON document in the specified collection.

Limitations

1) On a few occasions the error messages during import are not detailed enough to diagnose the problem.
2) The tool does not support importing into a collection that consists of embedded documents; if you try, it simply ignores the embedded document part and imports the rest of the document.
3) It can only import into a single collection at a time.

Whatever the limitations, for very basic import needs this tool is a time saver.

MongoDB Force a Member to Become Primary in a ReplicaSet

Problem Background

The primary is the only member of the replica set that receives write operations. If for some reason the primary becomes unavailable, an election determines the new primary, which in some cases is not the member you expected. Elections happen due to hardware issues, or maybe someone accidentally shut down the primary, which leads to this unwanted selection. On another note, you may simply want one of your secondaries to act as primary. You can force this, and here is how you do it.

Solution To Problem

Say we have a 3-node replica set on 3 physically separate machines.

192.168.1.0 – the current primary.
192.168.1.1 – a secondary.
192.168.1.2 – a secondary.

Our goal is to make 192.168.1.2 the primary.

From the mongo shell, connect to the current primary and run the following:

mongo 192.168.1.0:27017
rs.stepDown(120)

Now connect to the other secondary and freeze it so it cannot be elected:

mongo 192.168.1.1:27017
rs.freeze(120)

Wait for 120 seconds, then connect to the remaining secondary and check the status:

mongo 192.168.1.2:27017
rs.status()

You will see that the machine with IP 192.168.1.2 has now become primary.

Dotnetters Tech Summit at RUET

This June we successfully conducted a long technical event titled "DotNetters Tech Summit – 2015 RUET", held on Saturday, 6th June at RUET (Rajshahi University of Engineering & Technology). The event was organized by the Microsoft technical community group 'DotNetters'. It was heavily appreciated and drew an immense response from the CSE students of RUET. Inaugurated in the late afternoon by the honorable vice-chancellor of RUET, Prof. Dr. Mohd. Rafiqul Alam Beg, the event was crowded with over 200 participants.

Being a part of DotNetters is amazing: professionals from different established companies are voluntarily involved in this community effort. Seeing such interest, I founded DotNetters years back with a group of .NET geeks. Since then we often organize knowledge-exchange community events to bridge the gap between the next generation of software development professionals and industry development practices and challenges. This event particularly focused on web application development, cloud, big data, SPA, Node and BI.

Talking in front of the RUET students was amazing; they were interested and eager to learn from the professionals. Even after the event we discussed their thoughts, expectations and difficulties with the students.

Full house @RUET

The speakers at the event were renowned software architects and engineers from different reputed software companies in Bangladesh. The most attractive part of the session was an interactive development drill, led by me, in which all the speakers participated.

Explaining application development tools

The panel of speakers included Shahriar Iqbal Chowdhury, CTO at Desme & Founder of DotNetters; Shahriar Hossain, tech author & technical community speaker at Microsoft; Ronald Roni Saha, Sr. System Developer at SoftwarePeople; Delwar Hossain, Sr. Software Engineer at Desme; Sohel Rana, founder of Nerddevs; Sk. Tajbir, Sr. Software Engineer at Desme; and Maksud Saifullah Pulak, Software Engineer at Aprosoft.

Speakers

The renowned Canadian software development community 'CodeProject', the US-based software company 'Desme' and 'Aprosoft Consulting and Training Corp. Ltd' were the community partners for this event, while 'HiFi Public' acted as the media partner.

Mango City [Photo-blog]

Rajshahi is a city famous all over Bangladesh for its people's favorite fruit, the mango. This historic north Bengal city has become the mango trading hub of the country. Mango is a summer fruit, and the summer weather of northern Bangladesh in particular is ideal for it, so hundreds of thousands of acres of mango orchards now cultivate this fruit commercially. Recently, for a technical event, I had the chance to visit the city and take some snaps of the mango trading that takes place in the heart of the city. Here you can't buy mangoes by the kilo; you have to buy in bulk, like 40 kilos at a very, very cheap price. The same mangoes are shipped to the big cities and sold at a high price depending on quality. No more talking; enjoy the juicy mangoes.

Photo: Pile of mangoes for sale
Photo: Packaging for parcel
Photo: Packaging for parcel out of town
Photo: Choose your favorite one
Photo: Waiting for clients with varieties of mangoes
Photo: Whatever you want, ripe, semi-ripe, not ripe, all right here
Photo: How many do you need?
Photo: Need a closer look?
Photo: Fresh from the orchard
Photo: Semi-ripe mangoes for long-distance parcel

Tempted? You have to make the trip in summer to the hottest part of the country, and that juicy season lasts only two and a half months. If you are in Bangladesh during summer and you haven't tasted mangoes at the source, that's an awful waste. Make the trip; the mangoes are totally worth it.