What is the best way to handle an error that I believe a bot is appending bad information to a URL? Example: https://www.example.org/notes.aspx?id=15032386122&pn=15032386121'A=0
Currently the errors are being sent to an inbox, the page is using the value and throwing an "Input string was not in a correct format.". This is filling up the error inbox with useless emails.
I could check for invalid values and throw a new error type. Then based on the type determine if I should send an email. That seems frivolous and adds extra complexity.
Related
I'm quite new to the asp.net core identity framework. Many tutorials, articles and guides seem to handle an IdentityError in the same way. They expose the description of the error to the user, i.e. they add the description of the error to the ModelState.
It's been drummed into my head that exposing errors to the user is a terrible idea as it empowers attackers.
So I thought, It must depend on what kind of information is available in the description. For example, if the error is "Your password is too weak" or "You need to enter in a valid e-mail address". That type of information is valuable to the user and should be ok to display. However a "The data source took too long to respond" is already too much information and offers little value. I'd rather catch that type of error and replace it with some generic 500 error.
So my question: Is it safe to show the raw Identity Error to the user? If not how can I filter what I should and Should not show to the user?
I tried looking at the MSDN docs to understand all the possible codes that I could receive. But those docs offer very little information.
I am specifically working with
var userCreationResult = await userManager.CreateAsync(newUser, password);
But it applies to any instance when an IdentityError might appear.
Many software quality and security regulations have audit requirements for this (no error message presented to end users may contain information that is secret or would enable users with malicious intent to compromise the system or access sensitive data), so this is an important question. If there is a documentation or article specifically addressing this, then it is well hidden.
The possible values that the two members of the IdentityError class can assume, are baked into the framework. So it looks like you can be sure that it will always be one of those, unless you obtain an instance of IdentityError from anything else than a UserManager.
The Code field is assigned from nameof of the error method, and the associated Description text is read from core framework resources, so those will be localized.
Source Code
en-us Descriptions
List of errors in current implementation (version 3.0.0):
DefaultError
ConcurrencyFailure
PasswordMismatch
InvalidToken
RecoveryCodeRedemptionFailed
LoginAlreadyAssociated
InvalidUserName
InvalidEmail
DuplicateUserName
DuplicateEmail
InvalidRoleName
DuplicateRoleName
UserAlreadyHasPassword
UserLockoutNotEnabled
UserAlreadyInRole
UserNotInRole
PasswordTooShort
PasswordRequiresUniqueChars
PasswordRequiresNonAlphanumeric
PasswordRequiresNonAlphanumeric
PasswordRequiresLower
PasswordRequiresUpper
Most of these are static strings and do not disclose any variable information.
The following do disclose variable information. This is data previously supplied by the user anyway in the first eight cases, and the value of a server configuration property in the last two cases, minimum required password length and minimum number of unique characters required in a valid password:
InvalidUserName: the user name
InvalidEmail: the email address
DuplicateUserName: the user name
DuplicateEmail: the email address
InvalidRoleName: the name of the role
DuplicateRoleName: the name of the role
UserAlreadyInRole: the name of the role
UserNotInRole: the name of the role
PasswordTooShort: the minimum password length
PasswordRequiresUniqueChars: the number of unique chars required
If that qualifies as "safe" within the constraints and specifications of your project, then the answer is yes.
Regarding your second question on how to do, you could do the following to filter out
a duplicate username as you loop through errors
if (error.Code == _userManager.ErrorDescriber.DuplicateUserName(user.UserName).Code)
{
//Hide info to user by, e.g. redirecting to a page for a registration flow, or display an invalid login attempt for a login flow
}
This may seem odd, but it's a requirement for a project I'm working on. I have a MVC view that provides a UI to search a Lucene index. Once the user inputs something to search on and presses the submit button, the URL looks something like this:
http://.../IMS/Demographics?searchTerm=64453&searchDefault=True&page=1&pageSize=10&ascending=True
The "searchDefault" variable is Boolean, as is the ascending variable. However, the searchDefault variable is displayed with a checkboxfor on the search view. So, if I change "searchDefault=True" to "searchDefault=True%27B", I get "An exception of type 'System.InvalidOperationException' occurred in System.Web.Mvc.dll but was not handled in user code". The debugger points to the seachDefault checkboxfor as the problem, because I'm trying to shove a string into a Boolean. Well, I wrote a Catch for that exception in the Search method, so I'm not sure how to validate or remove the erroneous characters before the URL is executed and it hits the controller Search method. I validate and remove special characters within the Search method, but this error seems to occur earlier.
Any information on how to catch this would be appreciated. If this type of security issue has a name, I'd like to know that too. Thank you.
I want to catch a specific mysql error with the number 1046.
If i use MessageBox.Show to display the error number it is always 0, no matter which Exception it is. Shouldn't the Exception have a number like the number 1046?
catch (MySqlException mysqlex)
{
MessageBox.Show(mysqlex.Number.ToString());
}
EDIT: Sorry, i am using the MySQL-Connector / Net.
You don't see a number because you did not connect to a database.
And probably MySQL is assigning numbers to error exceptions.
If you look at description for Number property here it says
Gets a number that identifies the type of error. This number corresponds to the error numbers given in Server Error Codes and Messages.
Because you did not made a connection to the server you cannot get server error code.
Check your connection string.
Probably same problem as this.
please try in the following code.
MessageBox.Show(mysqlex.InnnerException.Number.ToString());
I am using the QuickBooks SDK in C# .NET to add /edit vendors in my QuickBooks. When I make a request with multiple errors, say like passing more than allowed number of characters for both Name field and Address1 field, QuickBooks always returns only the first error. It does not return all the errors that I make. How to return all the errors?
The status message says I am tryin to enter more than the allowed no of characters for the Name field, but doesn't mention anything about the Address field for which I am also passing more than allowed no of characters. If I pass a proper value for Name and make a error in Address1 field, then it gives me error in that field.
I want to get all the errors at one go. How can I get it?
I am looping through the ResponseList and displaying the error but the ResponseList.Count is also always 1. What is the way to get errors in all the fields that I am passing in a single request?
How to return all the errors?
You can't. QuickBooks itself does not support this - it always just returns the first error it runs into.
The allowed values, data lengths, and data types are very well defined in the XSDs/OSR. You should be able to easily build some validation into your own application to catch these errors/enforce correct data entry before submitting the data to QuickBooks.
I want to get all the errors at one go. How can I get it?
What is the way to get errors in all the fields that I am passing in a single request?
You can't. QuickBooks doesn't support this.
I get a -2147024891 error code in a MessageQueueException; of type MessageQueueErrorCode. How can I find which errors occurred here?
Note: I have extracted values of this enum using System.Enum.GetValues and then used a LINQ query to find out which ones do fit in this error by using & (and); then getting it's name by System.Enum.GetName and joining them with a ',' separator...anyway: failed!
The error code is 0x80070005. The 7 is the 'facility code', it is Windows. In other words, you didn't get a message queuing error, you got a Windows error. Error code 5 is "Access Denied".
Something wrong with the user account, typically, not enough privileges.
You can cast your errorcode to an enum and use ToString():
string error = ((MessageQueueErrorCode)ex.ErrorCode).ToString();
which should return the Name of the enum value.
Actually i'm unsure what happens if the enum doesn't contain this specific value (maybe an InvalidCastException is thrown) but you can try it out for yourself.