The injection category describes instances when an application accepts data as input and processes it as instruction instead of as data.

Let’s consider how your team’s application handles input data.

.NET provides built-in capabilities for data annotation and validation. The attributes from the System.ComponentModel.DataAnnotations namespace can decode your data model to provide the necessary validation functionality. Email, phone, credit card, or date validators are only a few examples of the built-in validators that can spare you the effort of writing and maintaining custom code.

C#

Copy
using System.ComponentModel.DataAnnotations;

public class ExampleModel
{
[Required]
[StringLength(10, ErrorMessage = “Name is too long.”)]
public string? Name { get; set; }

[Required]
[Range(typeof(bool), "true", "true", ErrorMessage = "Unapproved design.")] 
public bool IsValidatedDesign { get; set; }

}
SQL injection
Injection attacks can take many forms; for example, SQL or command injection.

The following statement is a simple example of SQL injection, where username in an unsanitized query input parameter:

SQL

Copy
string sql = “SELECT * FROM users WHERE name = ‘” + username + “‘;”;
In absence of user input validation, a malicious actor could supplement a genuine user name for a crafted part of a SQL statement a’;DROP TABLE users;– resulting in a change of query intentions:

SQL

Copy
SELECT * FROM Users WHERE name = ‘a’;DROP TABLE users;–
As a result, the table containing user information is removed from the database. In a similar way, you can craft statements to extract data before data table deletion.

File input validation
In client-server scenarios, make sure the input is validated on both the client and the server side. Additionally, if validation passes on the server, process the form and send a success status code (200 – OK). However, if validation fails, return a failure status code (400 – Bad Request) and the field validation errors. Validation details from the server might give the malicious actor more insights on how your app logic works if they’re displayed on the client side.

Input validation also includes the way you handle file uploads. Consider an ASP.NET Blazor component handling user file uploads. The component checks for correctness before uploading the file to Azure Blob Storage. It includes extension and maximum file size inspection, and overrides the supplied filename with a random name.

C#

Copy

@code {

private string[] permittedExtensions = { ".txt", ".pdf" };
private long maxFileSize = 1024 * 15;

private async void LoadFile(InputFileChangeEventArgs e)
{
    if (e.File != null)
    {    
        if (e.File.Size == 0 || e.File.Size > maxFileSize)
        {
            // log error
        }            
        else 
        {
            var ext = Path.GetExtension(e.File.Name).ToLowerInvariant();

            if (string.IsNullOrEmpty(ext) || !permittedExtensions.Contains(ext))
            {
                var trustedFileNameForFileStorage = Path.GetRandomFileName();

                await new BlobContainerClient("connection", "blob").UploadBlobAsync(trustedFileNameForFileStorage, e.File.OpenReadStream());                    
            }
        }
    }
}

}

itil certification training courses malaysia

To securely encrypt a value like a string or integer, you can use symmetric or asymmetric encryption. To encrypt data with a symmetric-key algorithm, you can use the Advanced Encryption Standard (AES). In the next example, we create a new instance of the Aes class and use it to generate a new key and initialization vector (IV). We use the AES to encrypt any type of managed stream. The stream is then wrapped with CryptoStream.

C#

Copy
Aes aes = Aes.Create();
CryptoStream cryptStream = new CryptoStream(fileStream,
aes.CreateEncryptor(aes.Key, aes.VI),
CryptoStreamMode. Write);
Hashing
Hashing is a one-way operation. When you’re using a hashing function to hash nonunique inputs such as passwords, use a salt value added to the original value before hashing.

C#

Copy
public static byte[] HashPassword256(string password)
{
System.Security.Cryptography.SHA256 mySHA256 = System.Security.Cryptography.SHA256.Create();
var encoding = new System.Text.UnicodeEncoding();
return mySHA256.ComputeHash(encoding.GetBytes(password));
}
Random numbers
Temporary password or access codes are intended to be unique per user. You can achieve this uniqueness by introducing random-character generation, and it’s worth noting how the randomness is achieved. You might be familiar with the System.Random class. System.Random is a deterministic pseudo-random sequence generator. It’s predictable and seeded only from the system clock, which means it’s guessable. As a matter of fact, Microsoft Learn documentation explicitly states that you shouldn’t use it for generating passwords. To generate a cryptographically secure random number that’s suitable for creating a random password, you should use a RandomNumberGenerator instance.

C#

Copy
var randomNumberGenerator = System.Security.Cryptography.RandomNumberGenerator.Create();
By using RandomNumberGenerator, you can eliminate the chances of two or more users ending up with the same token or password when they must be unique.

java ee enterprise edition training courses malaysia

Recall that you recently joined a team at an IT software company who tasked you with conducting a design and code review of the team-owned codebases. As you onboard to your new team and explore the codebase, you discover an ASP.NET Blazor web project. With OWASP Top 10 in mind, you set off on a deep dive into the code with your security lenses on.

You start at the top of the OWASP Top 10 list with #1: Broken Access Control. This category refers to incidents where a user who shouldn’t have permission to access that data viewed confidential information.

Built-in framework security capabilities
.NET has built-in authentication and session management, so there’s no need to implement your own. Let’s consider a ASP.NET Core controller. A controller without any authorization attributes treats each request the same way without applying any security checks. By decorating controller actions or the controller itself with Authorize (user must be signed in and authenticated) or AllowAnonymous (any unauthenticated caller can invoke method) attributes, you gain control over what’s publicly accessible and which functionality is for authorized users only.

Plain ASP.NET controller with no authorization attributes, no access restrictions applied.

C#

Copy
public class AccountController : Controller
{
public ActionResult Login()
{
}

public ActionResult Logout()
{
}

public ActionResult GetCitizenTaxId()
{
}
}
Controller with authorization attributes, based on policy or role assignments. Authorized caller is able to invoke the GetCitizenTaxId method.

C#

Copy
[Authorize(Policy=””, Roles=””]
public class AccountController : Controller
{
[AllowAnonymous]
public ActionResult Login()
{
}

public ActionResult Logout()
{
}

[Authorize]
public ActionResult GetCitizenTaxId()
{
}
}
Similarly, the ASP.NET Minimal API supports the attribute decoration (Lambda HTTP get method with [Authorize] attribute), policy (AdminsOnly), and claim (admin) authorization, as shown here:

C#

Copy
var builder = WebApplication.CreateBuilder(args);

// Policy and claim use below
builder.Services.AddAuthorization(o => o.AddPolicy(“AdminsOnly”, b => b.RequireClaim(“admin”, “true”)));
var connectionString = builder.Configuration.GetConnectionString(“DefaultConnection”);
builder.Services.AddDbContext(options => options.UseSqlServer(connectionString));
builder.Services.AddDefaultIdentity(options => options.SignIn.RequireConfirmedAccount = true).AddEntityFrameworkStores();
var app = builder.Build();
app.UseAuthorization();

// Attribute use below
app.MapGet(“/auth”, [Authorize] () => “This endpoint requires authorization.”);
app.MapGet(“/”, () => “This endpoint doesn’t require authorization.”);
app.Run();
Your application’s user interface should also reflect the user’s authentication (the user is who they say they are) and authorization state (whether the user is allowed to access certain information). Here, too, you’re covered by the OWASP Top 10 framework. ASP.NET Blazor’s razor syntax supports conditionally displayed components depending on authorization status. The AutorizeView component selectively displays UI content based on user’s authorized status.

C#

Copy

Hello, @context.User.Identity.Name!

You can only see this content if you are authorized. Authorized Only Button

Authentication Failure!

You are not signed in.

@code {

private void SecureMethod() 
{ 
    // Invoked only upon successful authorization
}     

}

dynamics 365 marketing training courses malaysia

As application complexity increases, so does the effort of making it secure. Modern applications, in contrast with single-project monolith legacy applications, have many dependencies. Including, external libraries, services for hosting, building, and releasing, to name a few. None of these services are simple “plug and play” affairs. Developers need to understand them and know how to configure and implement the flows and processes securely in their own code.

Security is everyone’s job. Developers, service engineers, and program and product managers must understand security basics and know how to build security into software and services.

Training and education is an essential stage in the security-application development lifecycle (or SDL). For developers, OWASP Top 10 is a great start.

From a software-development point of view, your team’s security journey should begin by familiarizing yourself with the concepts behind each item on the Top 10 list.

Although security is everyone’s job, it’s important to remember that not everyone needs to be a security expert nor strive to become a proficient penetration tester. However, ensuring everyone understands the attacker’s perspective, their goals, and the art of the possible, helps capture the attention of everyone and raise the collective knowledge bar.

java programming training courses malaysia

Blazor includes layouts to make it easy to code common user interface (UI) elements that appear on many pages in your app.

Suppose you’re working in the pizza delivery company’s website and you created the content for most of the main pages as a set of Blazor components. You want to ensure that these pages have the same branding, navigation menus, and footer section. However, you don’t want to have to copy and paste that code into multiple files.

oracle java training courses malaysia

Suppose you write a component to handle a URI that the user requests, such as http://www.contoso.com/pizzas/margherita/?extratopping=pineapple.

When you write a component, you might need access to navigation information like:

• The current full URI, such as http://www.contoso.com/pizzas/margherita?extratopping=pineapple.
• The base URI, such as http://www.contoso.com/.
• The base relative path, such as pizzas/margherita.
• The query string, such as ?extratopping=pineapple.

You can use a NavigationManager object to obtain all these values. You must inject the object into the component and then you can access its properties. This code uses the NavigationManager object to obtain the website’s base URI and then uses it to set a link to the home page:

razorCopy

@page "/pizzas"
@inject NavigationManager NavManager

<h1>Buy a Pizza</h1>

<p>I want to order a: @PizzaName</p>

<a href=@HomePageURI>Home Page</a>

@code {
    [Parameter]
    public string PizzaName { get; set; }
    
    public string HomePageURI { get; set; }
    
    protected override void OnInitialized()
    {
        HomePageURI = NavManager.BaseUri;
    }
}

To access the query string, you must parse the full URI. To execute this parse, use the QueryHelpers class from the Microsoft.AspNetCore.WebUtilities assembly:

razorCopy

@page "/pizzas"
@using Microsoft.AspNetCore.WebUtilities
@inject NavigationManager NavManager

<h1>Buy a Pizza</h1>

<p>I want to order a: @PizzaName</p>

<p>I want to add this topping: @ToppingName</p>

@code {
    [Parameter]
    public string PizzaName { get; set; }
    
    private string ToppingName { get; set; }
    
    protected override void OnInitialized()
    {
        var uri = NavManager.ToAbsoluteUri(NavManager.Uri);
        if (QueryHelpers.ParseQuery(uri.Query).TryGetValue("extratopping", out var extraTopping))
        {
            ToppingName = System.Convert.ToString(extraTopping);
        }
    }
}

With the preceding component deployed, if a user requested the URI http://www.contoso.com/pizzas?extratopping=Pineapple, they would see the message “I want to add this topping: Pineapple” in the rendered page.

You can also use the NavigationManager object to send your users to another component in code by calling the NavigationManager.NavigateTo() method:

razorCopy

@page "/pizzas/{pizzaname}"
@inject NavigationManager NavManager

<h1>Buy a Pizza</h1>

<p>I want to order a: @PizzaName</p>

<button class="btn" @onclick="NavigateToPaymentPage">
    Buy this pizza!
</button>

@code {
    [Parameter]
    public string PizzaName { get; set; }
    
    private void NavigateToPaymentPage()
    {
        NavManager.NavigateTo("buypizza");
    }
}

jboss training courses malaysia

When the user makes a request for a page from your web app, they can specify what they want to see with information in the URI. For example:

http://www.contoso.com/pizzas/margherita?extratopping=pineapple

After the protocol and website address, this URI indicates that the user wants to know about margherita pizzas. Also, the query string after the question mark shows that they’re interested in an extra topping of pineapple. In Blazor, you use routing to ensure that each request is sent to the component that can best respond. You also use routing to ensure that the component has all the information it needs to display what the user wants. In this case, you might want to send the request to the Pizzas component and for that component to display a margherita pizza with information about adding pineapple to it.

Blazor routes requests with a specialized component called the Router component. The component is configured in App.razor like this:

razorCopy

<Router AppAssembly="@typeof(Program).Assembly">
    <Found Context="routeData">
        <RouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
    </Found>
    <NotFound>
        <p>Sorry, we haven't found any pizzas here.</p>
    </NotFound>
</Router>

When the app starts, Blazor checks the AppAssembly attribute to find out which assembly it should scan. It scans that assembly for components that have the RouteAttribute present. Blazor uses these values to compile a RouteData object that specifies how requests are routed to components. When you code the app, you use the @page directive in each component to fix the RouteAttribute.

In the preceding code, the <Found> tag specifies the component that handles the routing at runtime: the RouteView component. This component receives the RouteData object and any parameters from the URI or query string. It then renders the specified component and its layout. You can use the <Found> tag to specify a default layout, which is used when the selected component doesn’t specify a layout with the @layout directive. You learn more about layouts later in this module.

In the <Router> component, you can also specify what is returned to the user when there isn’t a matching route, by using the <NotFound> tag. The preceding example returns a single <p> paragraph, but you can render more complex HTML. For example, it might include a link to the home page or a contact page for site administrators.

Using the @page directive

In a Blazor component, the @page directive specifies that the component should handle requests directly. You can specify a RouteAttribute in the @page directive by passing it as a string. For example, this attribute specifies that the page handles requests to the /Pizzas route:

razorCopy

@page "/Pizzas"

If you want to specify more than one route to the component, use two or more @page directives, like in this example:

razorCopy

@page "/Pizzas"
@page "/CustomPizzas"

juniper networks training courses malaysia

We’re building hybrid apps with .NET, which means we have access to all of the .NET class libraries. In addition to these APIs, building Blazor Hybrid apps with .NET MAUI not only allows you to deploy to multiple platforms, it also allows access to each platform’s native APIs. This means that if you need to integrate platform capabilities of iOS, Android, macOS, or Windows, you can do it all in C#. You can access these APIs directly from your Blazor components or create shared .NET MAUI class libraries.

Platform integration

Each platform that .NET MAUI supports offers unique operating system and platform APIs that you can access from C#. .NET MAUI provides cross-platform APIs to access much of this platform functionality, which includes access to sensors, accessing information about the device on which an app is running, checking network connectivity, storing data securely, and initiating browser-based authentication flows.

.NET MAUI separates these cross-platform APIs into different areas of functionality:

• Application Model: App functionality, including app actions, application information, opening the browser, opening URIs, opening maps, handling permissions, and version tracking
• Communication: Access to contacts, email, networking, phone dialer, sms messaging, and web authentication
• Device Features: Information and access to battery, display info, device info, sensors, flashlight, geocoding, geolocation, haptic feedback, and vibration
• Media: Including media picker, screenshots, text to speech, and unit converters
• Sharing: Including access to the clipboard and sharing files or text to other applications
• Storage: APIs for picking files, file system helpers, preferences, and secure storage

kubernetes training courses malaysia

You’ve defined the UI for your web app. Now, let’s explore how to add logic to the app. In a Blazor app, you can add C# code in separate .cs files or inline in your Razor components.

C# inline in components

It’s common practice to mix HTML and C# in a single Razor component file. For simple components with lighter code requirements, this approach works well. To add code into a Razor file, you’ll use Razor syntax.

What are Razor directives?

Razor directives are component markup used to add C# inline with HTML. With directives, developers can define single statements, methods, or larger code blocks.

Code directives

Code directives should be familiar to developers who have used Razor in MVC or Pages.

You can use @expression() to add a C# statement inline with HTML. If you require more code, use the @code directive to add multiple statements enclosed by parentheses.

You can also add an @functions section to the template for methods and properties. They’re added to the top of the generated class, where the document can reference them.

lean it certification training courses malaysia

Companies that build web apps and client apps commonly hire developers for different roles. Some developers create back-end, server-side logic. Some build client-side web apps. Others build native-client apps for mobile and desktop platforms. These developers often use different development languages and technologies.

C# and .NET are popular choices for building server-side logic. Client-side web apps are often built with web UI frameworks using JavaScript. When it comes to native-client apps for desktop and mobile, there are several options available, including many for .NET and C#. Using multiple languages and toolsets requires multiple sets of skills and often requires two separate teams. Also, code to transfer and represent data must be built in both languages and kept in sync. Blazor Hybrid can simplify your development team’s tasks, code, and processes by allowing you to use your existing skills and code in building web applications in C# and .NET to build native-client applications using these same technologies.

In this unit, you’ll start with an introduction to Blazor Hybrid, .NET MAUI, and Razor Components.

What is Blazor?

Blazor apps are composed of reusable web UI components built using C#, HTML, and CSS. With Blazor, developers can build client and server code with C#. They can also share code and libraries with the front-end client code and back-end logic. Using C# for all code simplifies sharing data between the front end and back end, enables code reuse to accelerate development, and reduces maintenance.

jboss enterprise application platform training courses malaysia