Archive for the ‘Dotnet’ Category
XML External Entity Injection – Fix
April 26, 2020
We have a Web Service that accepts an XML payload from the client and processes it.
Recently the Web Service underwent penetration testing (also called ‘ethical hacking’), and the following vulnerability was identified:
Reason:
- Our Web Service processes the XML payload submitted by the client using the following code snippet:
- We did not have XML payload validation in place.
- An attacker could inject malicious content into the XML and cause a denial of service condition, or gain access to unauthorized information on the server where the Web Service is hosted.
Fix:
- We fixed the issue by setting the ‘XmlResolver’ property to ‘null’.
- External resources are resolved using the ‘XmlResolver’ provided via the XmlDocument.XmlResolver property. By setting ‘XmlResolver’ to null, the XML parser does not resolve external resources, which prevents the payload from reaching external resources (i.e., files on the server where the Web Service is hosted).
- Changing the ‘XmlDocument’ object instantiation as below, with ‘XmlResolver’ set to ‘null’, solved our issue.
var xmlDocument = new XmlDocument { XmlResolver = null };
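As an added illustration of the fix above (this is not the blog's code), the console program below parses the same constructed payload twice: once with an XmlUrlResolver explicitly attached (the unsafe ‘before’ state) and once with XmlResolver = null (the fix). The payload declares an external entity that points at a temporary file the program creates itself with a known marker string, so the demo touches nothing real; the file path, payload and class name are all constructed for this example, and it assumes a plain .NET console project referencing System.Xml.

```csharp
using System;
using System.IO;
using System.Xml;

// Added demonstration (not from the blog post): shows what XmlResolver = null
// changes. Everything here (payload, temp file, names) is constructed.
static class XxeFixDemo
{
    // Parses the payload with the given resolver and returns the text of <data>.
    // Passing null as the resolver is exactly the fix described in the post.
    static string ParseWithResolver(string xml, XmlResolver resolver)
    {
        var xmlDocument = new XmlDocument { XmlResolver = resolver };
        try
        {
            xmlDocument.LoadXml(xml);
        }
        catch (XmlException ex)
        {
            // Some framework versions reject an unresolvable external entity
            // outright; either way the file contents never reach the application.
            return "<rejected: " + ex.Message + ">";
        }
        var node = xmlDocument.SelectSingleNode("/request/data");
        return node == null ? string.Empty : node.InnerText;
    }

    static void Main()
    {
        // Constructed stand-in for a sensitive server file: a temp file
        // with a known marker so we can tell whether it was read.
        string secretPath = Path.GetTempFileName();
        File.WriteAllText(secretPath, "SECRET-MARKER");
        string fileUri = new Uri(secretPath).AbsoluteUri;

        // Constructed payload: an external entity that points at that file.
        string payload =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE request [<!ENTITY ext SYSTEM \"" + fileUri + "\">]>" +
            "<request><data>&ext;</data></request>";

        // "Before": resolver explicitly enabled, so the entity is fetched from disk.
        string unsafeResult = ParseWithResolver(payload, new XmlUrlResolver());

        // "After": the post's fix. No resolver, so no external resource is fetched.
        string safeResult = ParseWithResolver(payload, null);

        Console.WriteLine("Resolver enabled : " + unsafeResult);
        Console.WriteLine("XmlResolver=null : " + safeResult);
        Console.WriteLine(safeResult.Contains("SECRET-MARKER")
            ? "FIX NOT EFFECTIVE"
            : "External entity not expanded");

        File.Delete(secretPath);
    }
}
```

Run it once and compare the two lines: with the resolver attached the marker string from the temp file appears in the element text; with XmlResolver = null it does not. Note that a null resolver only stops the parser from fetching external resources; it does not turn off DTD processing itself, so if you parse through an XmlReader, also set XmlReaderSettings.DtdProcessing to Prohibit unless the application genuinely needs DTDs.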
🙂
Categories: Dotnet
External Entity Injection, XmlResolver
C# – Configuration section cannot be used at this path
January 22, 2019
The other day, while accessing my WCF service (i.e., .svc) on the IIS server, I was getting the error below:
Reason:
- In my case, the issue was the missing ‘Write’ privilege for ‘Windows Authentication’ in the IIS server's feature delegation.
Fix:
To fix the issue, follow the steps below:
- Connect to your IIS server
- Select the ‘Server node’ (i.e., your machine name) from the left ‘Connections’ pane
- On the right ‘Features View’ pane, select the ‘Feature Delegation’ option
- From the list, select the ‘Authentication – Windows’ option and make sure the delegation is set to ‘Read/Write’
- If it is only ‘Read’, click the ‘Read/Write’ link in the ‘Set Feature Delegation’ pane on the right.
- Restart your web app
- Try to browse the files; they should work now.
🙂
Categories: Dotnet
C#, Configuration section, overrideModeDefault, Web.Config