I’m not a nerd!! But I love to learn technology. Have a good collection of tech book soft copies, hardly read. Always bing to solve problem. Now decided to scribble - whatever I binged for my tech work!!!! Disclaimer: This is not my view ;) itz collated views
Wednesday, August 29, 2018
Wednesday, August 15, 2018
OWASP (Open Web Application Security Project) Replay attack
OWASP (Open Web Application Security Project) is focused
on improving the security of software and provides the “OWASP Top 10”, a
collection of the most frequent vulnerabilities found in web, IoT and mobile
applications.
Everyone who develops a web, mobile or IoT project MUST know
about OWASP, and you may be wondering why I am writing this post now.
I lead an initiative to migrate the payment provider for our existing B2B and B2C portfolios.
The following are the integration flows:
- Application(s) use a back end service to authenticate with the payment provider and then authorize for the $ amount.
- The payment provider authorizes and redirects to an external hosting page to enter credit card details
- After the payment, the third party provider redirects to an application page with the payment status.
- Based on the payment status, the application decides what the next steps are.
Since the payment provider redirects back to an application URL, there is
a potential chance of a replay attack. An attacker can use the URL in another transaction.
To mitigate the risk, we used a token-based approach - a
signed token is sent to the payment provider during the authorization process. After
the payment, the token is sent back along with the redirect URL, and on the
confirmation page the token is invalidated so that the same token cannot
be used in another session.
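A sketch of the token flow described above, added here as an example (it is not the implementation used in the project, and it is written in Python only to keep it short and runnable). The function names, the `|`-separated token layout, the 15-minute lifetime and the in-memory dictionary standing in for a shared server-side store are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side signing key
TOKEN_TTL = 900                       # assumption: token lifetime in seconds
_pending = {}                         # nonce -> order id; stand-in for a shared store


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(order_id, amount_cents, now=None):
    """Build the signed token sent to the provider during authorization."""
    if "|" in order_id:
        raise ValueError("order id must not contain the field separator")
    issued_at = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = f"{order_id}|{amount_cents}|{nonce}|{int(issued_at) + TOKEN_TTL}"
    _pending[nonce] = order_id
    return f"{payload}|{_sign(payload)}"


def redeem_token(token, order_id, amount_cents, now=None):
    """Check the token returned on the redirect, then invalidate it."""
    parts = token.split("|")
    if len(parts) != 5:
        return "malformed"
    payload, sig = "|".join(parts[:4]), parts[4]
    # Constant-time comparison, done on bytes because compare_digest
    # rejects non-ASCII str arguments.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return "bad-signature"
    t_order, t_amount, nonce, expires = parts[:4]
    if (time.time() if now is None else now) > int(expires):
        return "expired"
    # The token must belong to the transaction being confirmed.
    if t_order != order_id or t_amount != str(amount_cents):
        return "mismatch"
    # pop() makes the token single-use: a second redirect finds nothing.
    if _pending.pop(nonce, None) is None:
        return "replayed"
    return "ok"
```

With more than one application server, the pending-nonce store has to be shared and the lookup-and-delete has to be atomic, otherwise two simultaneous redirects with the same token can both succeed.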
Friday, June 8, 2018
Change audio input and volume windows 10
Original post: https://www.hanselman.com/blog/AutomaticallyChangeYourAudioInputOutputAndVolumePerApplicationInWindows10.aspx
I use multiple headsets and I find it very hard to manage these headsets when I jump into conf calls.
The two utilities mentioned by Scott will be a life saver :)
Audio Switcher: A simple app that runs in the notification area and helps you switch the default audio input and output devices. There is no download available. You have to copy the code from git and build it. Once the build is completed, find the exe in the bin folder and run the AudioSwitcher.exe program.
https://github.com/davkean/audio-switcher
EarTrumpet: https://www.microsoft.com/en-us/p/eartrumpet/9nblggh516xp?activetab=pivot%3aoverviewtab
Monday, March 19, 2018
Converting OData Specification to OpenAPI
Last week I was working on on-boarding a few SAP OData APIs to the API Management gateway. The APIM tool used by my organization supports a JSON or YAML specification file to on-board an API.
So I reached out to the OpenAPI team, and they informed me that OData will soon be part of OpenAPI and that, meanwhile, the tools/process mentioned below can be used to convert an OData specification to an OpenAPI specification.
- OData to OpenAPI conversion tools are available at https://github.com/oasis-tcs/odata-openapi/tree/master/tools
- Download or clone the tools folder
- Create a folder named examples at the same level as the “tools” folder. This folder is used to keep the OData Edmx files.
- If you have node installed, install the following npm packages (for a Windows machine)
  - $ npm install -g node-gyp
  - npm install --global --production windows-build-tools
- Once the above packages are installed, open a command window at the tools folder location and run npm install -g. This will install a few packages based on the package.json located in the tools folder
- Once the packages are installed, to convert OData to OpenAPI, run the command odata2openapi -drp <<MyMetadata.xml>> (The file MUST be inside the examples folder)
- By default the tool converts to the OpenAPI 3.0 specification. To convert to the 2.0 (swagger) specification, use the options below
    Options:
      --basePath              base path (default: /service-root)
      -d, --diagram           include YUML diagram
      -h, --help              show this info
      --host                  host (default: localhost)
      -o, --openapi-version   3.0.0 or 2.0 (default: 3.0.0)
      -p, --pretty            pretty-print JSON result
      -r, --references        include references to other files
      --scheme                scheme (default: http)
      -u, --swagger-ui        URL of Swagger UI for cross-service references
- Once the file is converted, I used swagger editor and modified a few values and finally on-boarded it to APIM
Monday, February 26, 2018
HTTPClient for ASP.NET core 2.0
The following articles explain the issues with using the HttpClient class:
https://aspnetmonsters.com/2016/08/2016-08-27-httpclientwrong/
http://www.nimaara.com/2016/11/01/beware-of-the-net-httpclient/
As per the ASP.NET 2.1 road map, a default HttpClient service will be available. Until it is available in the framework, I'm using the below implementation of HttpClient
https://gist.github.com/ajopjo/796ddf8d2f44dd3dbf6268da179cb239
If you find any issues with the implementation, please let me know.
Thursday, February 22, 2018
Integrating Serilog to ASP.NET Core
If you are not using the Serilog configuration package and want to set up Serilog based on app-specific configuration, use:

    // Needs: using Serilog; using Serilog.Core; using Serilog.Events;
    webHostBuilder.ConfigureLogging((hostingContext, logging) =>
    {
        var logSettings = new LogConfiguration();
        // my custom section
        hostingContext.Configuration.GetSection("LogSettings").Bind(logSettings);

        // Minimum level from configuration; stays at Debug if the value does not parse.
        var levelSwitch = new LoggingLevelSwitch(LogEventLevel.Debug);
        if (int.TryParse(logSettings.LogLevel, out var level))
        {
            levelSwitch.MinimumLevel = (LogEventLevel)level;
        }

        // The switch only takes effect when the logger is built with ControlledBy.
        var loggerConfiguration = new LoggerConfiguration()
            .MinimumLevel.ControlledBy(levelSwitch)
            .MinimumLevel.Override("Microsoft", LogEventLevel.Information)
            .Enrich.FromLogContext();

        // Pick the sink named in the custom section.
        if (logSettings.Sink.Equals("rollingFile"))
        {
            loggerConfiguration = loggerConfiguration.WriteTo.RollingFile(logSettings.Url);
        }
        else
        {
            loggerConfiguration = loggerConfiguration.WriteTo.Seq(logSettings.Url);
        }

        Log.Logger = loggerConfiguration.CreateLogger();
        logging.AddSerilog(dispose: true);
    });
Autofac dependency injection per request based on header parameter ASP.NET Core 2.0

    // IMyInterface and ClassName are placeholders for your own types.
    builder.Register(c =>
    {
        // The header value is client-controlled; ResolveNamed throws if no
        // registration with that name exists (including a missing header).
        string dependencyName = c.Resolve<IHttpContextAccessor>().HttpContext.Request.Headers[Constants.CountryHeader];
        return c.ResolveNamed<IMyInterface>(dependencyName);
    }).InstancePerLifetimeScope();

and in the module

    protected override void Load(ContainerBuilder builder)
    {
        // register modules here
        builder.RegisterType<ClassName>().Named<IMyInterface>("Name of dependency");
    }
