new code examps

skf/markdown/code_examples/asp/1-code_example--File_upload--.md

@@ -1,9 +1,9 @@
-	 	
 File upload
 -------
 
 **Example:**
 
+
 	using System;
 	using System.Collections.Generic;
 	using System.Linq;
@@ -23,7 +23,8 @@ File upload
 				string test = file.FileName;
 
 				/*
-				Here we define a blacklist of different path traversal patterns in order to prevent an attacker to upload files outside of the unintended
+				Here we define a blacklist of different path traversal patterns in order to prevent an 
+				attacker to upload files outside of the unintended
 				directory.
 				*/
 				string[] evil = new string[] { @"%2e%2e%2f", "../", "%2e", "%5c", "%252e", "%c0%af", "%c1%9c" };
@@ -37,8 +38,10 @@ File upload
 
 					if (match.Success)
 					{
-						//this breach has to be repported into the log files
-						//Log.SetLog(Session['userID'], "Untrusted userinput was detected in the file get contents function in HOME, date, FAIL, HIGH");
+						/*
+						this breach has to be repported into the log files
+						Log.SetLog(Session['userID'], "Untrusted userinput in HOME, date, FAIL, HIGH");
+						*/
 
 						/*
 						Set counter; if counter hits 3, the user's session must be terminated.
@@ -55,8 +58,9 @@ File upload
 
 				/*
 				The next step would be checking if the file contains the right extension in order to prevent
-				a user from uploading files which could be used to harm your system. in this example we check if the last extension
-				found in the file name is a jpg or a png. whenever an application just regexes for the extension an attacker could
+				a user from uploading files which could be used to harm your system. in this example 
+				we check if the last extension found in the file name is a jpg or a png. whenever
+				an application just regexes for the extension an attacker could
 				bypass the check by uploading an file like: "filename.jpg.php".
 				*/
 				string[] StrSpli = test.Split('.');
@@ -119,7 +123,6 @@ File upload
 					//If the mimetype is not valid we delete the file from the system.
 					System.IO.File.Delete(@"C:\Users\Public\xml\"+test+"");
 				}
-		   
 			}
 		}
 	}

skf/markdown/code_examples/asp/10-code_example--Anti_clickjacking_headers--.md

@@ -1,4 +1,3 @@
-
 Anti clickjacking headers
 -------
 

skf/markdown/code_examples/asp/11-code_example--X_XSS_Protection_header--.md

@@ -1,4 +1,3 @@
-
 X-XSS-Protection header
 -------
 

skf/markdown/code_examples/asp/12-code_example--X_Content_Type_Options_header--.md

@@ -1,4 +1,3 @@
-
 X-Content-Type-Options header
 -------
 

skf/markdown/code_examples/asp/13-code_example--Secure_session_cookies--.md

@@ -1,4 +1,3 @@
-
 Secure session cookies
 -------
 

skf/markdown/code_examples/asp/14-code_example--Session_cookies_HttpOnly--.md

@@ -1,4 +1,3 @@
-
 Session cookies HttpOnly
 -------
 

skf/markdown/code_examples/asp/15-code_example--Identifier_based_authorization--.md

@@ -1,4 +1,3 @@
-
 Identifier-based authorization
 -------
 
@@ -39,7 +38,8 @@ Identifier-based authorization
 			Aggregate aggregate =  new Aggregate();
 
 			//Here we connect to the database by means of a connection string as configured in the web.config
-			SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
+			SqlConnection conn = new 
+			SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
 
 			//The count integer is set every time the user connects to the databse to process data
 			public void IdentifierBasedAuthentication(int pageID)
@@ -80,7 +80,8 @@ Identifier-based authorization
 					/* 
 					Whenever you are checking whether a user is restricted to review certain data,
 					the acces restrictions should be proccessed serverside.
-					The userID could be stored inside a session variable on login, and should be used to retrieve userdata from the database when requested
+					The userID could be stored inside a session variable on login, and should
+					be used to retrieve userdata from the database when requested
 					in order to verify if the user is allowed to look into that data:
 					*/
 					string query = string.Format("SELECT * from profile WHERE userID = @userID ");

skf/markdown/code_examples/asp/16-code_example--SQL_query--.md

@@ -1,4 +1,3 @@
-
 SQL query
 -------
 
@@ -41,7 +40,8 @@ SQL query
 			//AuditLog Log = new AuditLog();
 
 			//Here we connect to the database by means of a connection string as configured in the web.config
-			SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
+			SqlConnection conn = new 
+			SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
 
 			public void selectStatement()
 			{   

skf/markdown/code_examples/asp/17-code_example--Crossdomain.xml_--.md

@@ -1,4 +1,3 @@
-
 Crossdomain.xml 
 -------
 
@@ -20,7 +19,8 @@ Crossdomain.xml
 	Example by twitter's crossdomain.xml:
 
 	<?xml version="1.0" encoding="UTF-8"?>
-	<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
+	<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+	xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
 	  <allow-access-from domain="twitter.com" />
 		<allow-access-from domain="api.twitter.com" />
 		<allow-access-from domain="search.twitter.com" />

skf/markdown/code_examples/asp/19-code_example--Enforce_secure_passwords--.md

@@ -1,4 +1,3 @@
-
 Enforce secure passwords
 -------
 
@@ -48,9 +47,9 @@ Enforce secure passwords
 					/*
 					Also very important is the fact that you have to take into consideration that
 					Password1! is a valid password according to password standards. This however is not the case since
-					this password is included in almost every dictionairy attack system. So we have to prevent the user from using these
-					weak passwords, this we do by defining these bad passwords in a text file and compare the user's password with the
-					bad passwords defined in the text file.
+					this password is included in almost every dictionairy attack system. So we have to prevent 
+					the user from using these weak passwords, this we do by defining these bad passwords in a text 
+					file and compare the user's password with the bad passwords defined in the text file.
 					*/
 
 					StreamReader sr = new StreamReader(@"C:\Users\Public\xml\test.txt", true);

skf/markdown/code_examples/asp/2-code_example--CSRF_tokens--.md

@@ -1,4 +1,3 @@
-
 CSRF tokens
 -------
 

skf/markdown/code_examples/asp/20-code_example--Timeout_a_session--.md

@@ -1,4 +1,3 @@
-
 Timeout a session
 -------
 

skf/markdown/code_examples/asp/21-code_example--Disable_directory_listing--.md

@@ -1,4 +1,3 @@
-
 Disable directory listing
 -------
 

skf/markdown/code_examples/asp/22-code_example--Charsets--.md

@@ -1,4 +1,3 @@
-
 Charsets
 -------
 

skf/markdown/code_examples/asp/23-code_example--HTML_output--.md

@@ -1,4 +1,3 @@
-
 HTML output
 -------
 
@@ -60,7 +59,8 @@ HTML output
 
 	inputvalidation validate = new inputvalidation();
 	string userinput = "when this string is evil the application will block operation!";
-	if(validate.validateInput(userinput, "nummeric", "Unecpected userinput", "HIGH", 3)== false){ /* Cancel operation of your application */ }
+	if(validate.validateInput(userinput, "nummeric", "Unecpected userinput", "HIGH", 3)== false)
+	{ /* Cancel operation of your application */ }
 
 
 	/*

skf/markdown/code_examples/asp/24-code_example--Password_storage(salting_stretching_hashing)--.md

@@ -1,4 +1,3 @@
-
 Password storage(salting/stretching/hashing)
 -------
 

skf/markdown/code_examples/asp/26-code_example--Random_password_token_generation--.md

@@ -1,4 +1,3 @@
-
 Random password/token generation
 -------
 

skf/markdown/code_examples/asp/27-code_example--Session_cookies_(domain)--.md

@@ -1,4 +1,3 @@
-
 Session cookies (domain)
 -------
 

skf/markdown/code_examples/asp/28-code_example--Content_type_headers--.md

@@ -1,4 +1,3 @@
-
 Content type headers
 -------
 

skf/markdown/code_examples/asp/29-code_example--Sandboxing--.md

@@ -1,4 +1,3 @@
-
 Sandboxing
 -------
 

skf/markdown/code_examples/asp/30-code_example--Audit_logs--.md

@@ -1,4 +1,3 @@
-
 Audit logs
 -------
 
@@ -27,7 +26,8 @@ Audit logs
 			public int blocker { get; set; }
 
 			//Here we connect to the database by means of a connection string as configured in the web.config
-			SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
+			SqlConnection conn = new 
+			SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
 
 			public void SetLog(string session, string message, string state, string threat)
 			{

skf/markdown/code_examples/asp/33-code_example--Single_input_validation_controll--.md

@@ -1,4 +1,3 @@
-
 Single input validation controll
 -------
 

skf/markdown/code_examples/asp/35-code_example--Aggregate_user_controls--.md

@@ -1,4 +1,3 @@
-
 Aggregate user controlls
 -------
 
@@ -7,10 +6,10 @@ Aggregate user controlls
 
 	/*
 	In order to enforce Aggregate access control protection the best method would be to 
-	define your rules by means of a database structure rather than sessions or log's.
+	define your rules by means of a database structure rather than sessions or logs.
 	This is due to the fact that if the user drops his session the rating would start
 	al over again. 
-	
+
 	TABLE users
 	---------------------------------------------------------------------------------   
 	| userID | userName | password | privilegeID |    access    | AggregateControl	|
@@ -32,8 +31,6 @@ Aggregate user controlls
 	----------------------------------
 	|     3       | read             |
 	----------------------------------
-
-
 	*/
 		
 	using System;
@@ -96,7 +93,8 @@ Aggregate user controlls
 
 				using (SqlCommand command = conn.CreateCommand())
 				{
-					//We update the aggregate table in the database in order to keep track of the number of connections the user made
+					//We update the aggregate table in the database in order to 
+					//keep track of the number of connections the user made
 					count += controll;
 				
 					command.CommandText = "UPDATE users SET aggregate = @count WHERE userID = @userID";
@@ -111,7 +109,8 @@ Aggregate user controlls
 				Everytime the user accesses the database we keep track of the number of times he
 				connected. Whenever the user passes a reasonable number he should be rejected 
 				since he could be an attacker scraping your table contents and stealing company information
-				You could a CRON job or stored procedure in your system in order to clean the Aggregate column within certain timeframes
+				You could a CRON job or stored procedure in your system in order to 
+				clean the Aggregate column within certain timeframes
 				*/
 				HttpContext.Current.Response.Write(controll);
 				if (controll > 5000)
@@ -120,14 +119,20 @@ Aggregate user controlls
 					{
 
 						//this breach has to be repported into the log files
-						Log.SetLog(Session['userID'], "User account was locked out due to aggregate user controll system", date, FAIL, HIGH");
+						Log.SetLog(Session['userID'], "User account was locked out due to aggregate user control system", date, FAIL, HIGH");
 
-						//Whenever te reasonable number of connections the user made was surpassed we destroy all the sessions to deny the user any further access to the system
+						/*
+						Whenever te reasonable number of connections the user made was surpassed we destroy all the 
+						sessions to deny the user any further access to the system
+						*
 						HttpContext.Current.Session["authenticateUser"] = "";
 						HttpContext.Current.Session.Abandon();
 						HttpContext.Current.Response.Redirect("/login", true);
 
-						//Than we set his access level on his account to FALSE in order to prevent him from logging in again til you did your forensics on the log files
+						/*
+						Than we set his access level on his account to FALSE in order to prevent 
+						him from logging in again til you did your forensics on the log files
+						*/
 						string access = "FALSE";
 						command.CommandText = "UPDATE users SET access = @access WHERE userID = @userID";
 						command.Parameters.AddWithValue("@access", access);

skf/markdown/code_examples/asp/36-code_example--Session_hijacking_and_fixation--.md

@@ -1,4 +1,3 @@
-
 Session hijacking / Session fixation
 -------
 
@@ -125,12 +124,14 @@ Session hijacking / Session fixation
 			AuditLog Log = new AuditLog();
 
 			//Here we connect to the database by means of a connection string as configured in the web.config
-			SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
+			SqlConnection conn = new 
+			SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
 
 			//The count integer is set every time the user connects to the databse to process data
 			public void checkSession()
 			{
-				if ((System.Web.HttpContext.Current.Session["authenticateUser"] != "isLoggedin") || (System.Web.HttpContext.Current.Session["authenticateUser"] == ""))
+				if ((System.Web.HttpContext.Current.Session["authenticateUser"] != "isLoggedin") || 
+				(System.Web.HttpContext.Current.Session["authenticateUser"] == ""))
 				{
 					HttpContext.Current.Response.Redirect("/login", true);
 				}
@@ -151,12 +152,16 @@ Session hijacking / Session fixation
 						session  = oReader["sessiom"].ToString();
 						ipadress = oReader["ipadress"].ToString();
 
-						if ((System.Web.HttpContext.Current.Session["ASPsessionID"].ToString() != session) && (ipadress != HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]))
+						if ((System.Web.HttpContext.Current.Session["ASPsessionID"].ToString() != session) && 
+						(ipadress != HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]))
 						{   
 							//We log the muliple users on the system 
 							Log.SetLog(Session['userID'], "Mulitple users with same session id detected", date, FAIL, MOD");
 
-							//We redirect the user to a page which alerts him as well as gives him the option to destroy the mulitple sessions if he does not trust them
+							/*
+							We redirect the user to a page which alerts him as well as gives him the option to destroy the 
+							mulitple sessions if he does not trust them
+							*/
 							HttpContext.Current.Response.Redirect("/Home/multipleUsers", true);
 						}
 					}

skf/markdown/code_examples/asp/38-code_example--Open_forwards_&_redirects--.md

@@ -1,4 +1,3 @@
-
 Open forwards & redirects
 -------
 

skf/markdown/code_examples/asp/39-code_example--XML_injection_prevention--.md

@@ -1,4 +1,3 @@
-
 XML injection prevention 
 -------
 

skf/markdown/code_examples/asp/4-code_example--Directory_path_traversal--.md

@@ -1,4 +1,3 @@
-
 Path traversal
 -------
 
@@ -11,12 +10,10 @@ Path traversal
 	using System.Text.RegularExpressions;
 	using System.IO;
 
-
 	namespace MvcApplication1.Controllers
 	{
 		public class rewrite
 		{
-			//include classes
 			auditLogs Log = new auditLogs();
 			inputvalidation validate = new inputvalidation();
 			whitelist listme = new whitelist();

skf/markdown/code_examples/asp/43-code_example--Enforce_sequential_step_order_wizzard--.md

@@ -1,4 +1,3 @@
-
 Enforce sequential step order (Wizzard)
 -------
 

skf/markdown/code_examples/asp/44-code_example--White_listing--.md

@@ -1,5 +1,4 @@
-
-White-listing
+ White-listing
 -------
 
 **Example:**

skf/markdown/code_examples/asp/45-code_example--Encoding--.md

@@ -1,4 +1,3 @@
-
 Encoding
 -------