Decrypting ASP.NET Identity cookies


I decided recently that I need to learn Python. It’s a great scripting language, often used in forensics, diagnostics and debugging tools. There is even a plugin for windbg that allows you to script the debugger in Python, but that’s a subject for another post. Moving back to learning Python – as an exercise I wrote a simple tool to decrypt ASP.NET Identity cookies and ASP.NET Anti-Forgery tokens. You may find it useful when you need to diagnose why one of your users can’t sign in to your application or is not authorized to access one of its parts. It does not perform validation but only decrypts the content using 256-bit AES (let me know in the comments if you need some other decryption algorithm to be implemented). Adding the validation logic shouldn’t be a big deal, and the nist library (which I used for the cryptographic operations) provides all the necessary functions.


Common authentication/authorization between .NET4.0 and .NET4.5 web applications


ASP.NET Identity is a big step forward and we should benefit from its features, such as two-step authentication, support for OpenID providers, stronger password hashing and claims usage. One of its requirements is .NET4.5, which might be a blocker if your farm still has legacy Windows 2003 R2 servers hosting some of your MVC4 (.NET4.0) applications. In this post I would like to show you how you may implement common authentication and authorization mechanisms between those applications and your new ASP.NET MVC5 (.NET4.5) applications deployed on newer servers. I assume that your apps share a common domain and are therefore able to share cookies.


Collect .NET applications traces with sysinternals tools


In this short post I would like to show you how you may noninvasively trace .NET applications with the sysinternals tools. This is especially useful in a production environment, where you can’t install your favorite debugger and hang the whole IIS to diagnose an issue. We will work with three tools: dbgview, procdump and procmon. Let’s start with the first one.


ASP.NET Anti-Forgery Tokens internals


Anti-Forgery Tokens were introduced in ASP.NET in order to prevent Cross-Site Request Forgery (CSRF). There are many sites which describe how to use and configure those tokens in your application. In this post, however, I’m going to show you what exactly those tokens contain, where they are generated and how to customize them.

Let’s start our journey from a sample Razor HTTP form:

...
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    @Html.TextBoxFor(m => m.Name)<br />
    @Html.TextBoxFor(m => m.FullName)<br />
    <br />
    <input type="submit" value="Test" />
}
...


Reference Source, dotPeek and source code debugging


Not so long ago Microsoft made the .NET source code browsable through a really nice page: http://referencesource.microsoft.com/. Additionally, they promised that .NET Framework source code debugging will finally work in Visual Studio. At almost the same time JetBrains published an EAP (Early Access Program) build of its dotPeek tool with some great features that make “reverse-engineered debugging” extremely easy. And for other DLLs we still have the old Microsoft Public Symbols server. In this post I am going to show you how I configure my system and Visual Studio for different debugging scenarios.


LowLevelDesign.NLog.Ext and ETW targets for NLog


I really like the NLog library and I use it pretty often in my projects. Some time ago I wrote a post in which I showed you my preferred debug and production configuration. The other day I presented a simple layout renderer for assembly versions. Today, I would like to inform you that all those goodies ;) are available in my brand new LowLevelDesign.NLog.Ext NuGet package.

Additionally, you will find in it two ETW NLog targets. ETW (Event Tracing for Windows) is a very efficient way of logging, and its support in the kernel makes it a great choice for verbose/trace/debug logs. Moreover, if you are using the Windows Performance Toolkit in your performance analysis, emitting your own ETW messages will help you correlate system events with methods in your application. The ETW infrastructure is highly customizable (check the Semantic Logging Application Block to see how your logs might look and how they might be consumed :)).


Stopwatch vs. DateTime


.NET developers usually know that they should measure code performance using the Stopwatch class from the System.Diagnostics namespace. From time to time, though, I see code where someone uses DateTime instances for this purpose. That’s not very surprising, as the DateTime class is usually the one that comes to mind when you think of time in .NET. In today’s post I would like to show you the difference in accuracy between those two approaches and the price you pay for using either of them. We will work on this sample code that does nothing but measure time :):
