Microsoft Development





Most development for the Microsoft platform is done utilizing the technologies supported by the .NET framework. Other development is done using Visual Basic for Applications (VBA) for programs like Access, Excel, Word and Outlook, with PowerShell for scripting, or with SQL for large databases.


I just downloaded Microsoft Visual Studio 2017, but the window is not the same as in 2010. Can you please tell me how to create a new MVC project in it with C# code? I am using Windows 7.

Why can I not update the URL in the browser?

I update QueryString and remove a malicious parameter. But, after executing the following code:


Still see that bad domain.

I may be fighting development automation inside my own project.

I paste the following into the browser...

My code captures the goto parameter and removes it from the QueryString. I call the RewritePath() function above, and see the following in the browser

I have no problem with the introduction of
but I do have a problem that the sub-domain re-appears.


I even created a copy of QueryString, made the deletions on the sanitized version. But that also fails.

Need to Redirect after removing one or more query string params.

I am using a whitelist to remove dangerous query string params, and when done, need to redirect to whatever is left in the query string.

I understand things may break, but am okay letting our website's existing default behavior handle it.

What is the exact command to redirect?

ActionExecutingContext filterContext is the input param of the ActionFilterAttribute

        public override void OnActionExecuting(ActionExecutingContext filterContext)

and after removing the faulty query string params from:


I am ready to redirect.


Please complete the above parameter for Redirect()

I need to remove a dangerous domain from the URL, but the QueryString Collection is Read Only.
I created a whitelist of safe URLs and scan the URL inside a custom ActionFilterAttribute to assert that every domain is whitelisted:

But rather than upsetting existing program flow by redirecting to an error page, we have decided to simply remove that dangerous domain. If the goto or returnURL is errant, I need to completely remove it. But, the QueryString Collection is Read Only.

I use the following code to remove the "goto" key and notice the NameValueCollection array drops from a size of 1 to 0.

        // needs: using System.Reflection; using System.Collections.Specialized;
        private void RemoveParameter(NameValueCollection nameCollection, string keyToRemove)
        {
            // reflect to readonly property
            PropertyInfo isreadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);

            if (isreadonly != null)
            {
                // make collection editable
                isreadonly.SetValue(nameCollection, false, null);

                // remove
                nameCollection.Remove(keyToRemove);

                // make collection readonly again
                isreadonly.SetValue(nameCollection, true, null);
            }
        }

but even after a final call to:


the browser still has the bad domain in the goto. In fact, I was expecting "goto" to no longer display.

What am I missing?
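An added example for the two questions above (the "exact command to redirect" one and the read-only QueryString one); it is not code from the original posts. Request.QueryString is only a parsed view of the URL the browser already sent, so flipping its IsReadOnly flag with reflection changes the server-side collection and nothing else. The browser only forgets the bad parameter if it is sent somewhere new, which is what assigning a RedirectResult to filterContext.Result does. HttpUtility.ParseQueryString returns a writable collection, so no reflection is needed. The attribute name, the parameter names and the allowed hosts are illustrative choices that the posts do not define; ASP.NET MVC 5 on System.Web is assumed.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example, not code from the original questions. Assumes ASP.NET MVC 5 on
// System.Web; the attribute name, the parameter names and the allow-listed hosts
// are illustrative choices that the posts do not define.
public class StripUnsafeReturnUrlAttribute : ActionFilterAttribute
{
    // Query string keys that may carry a redirect target.
    private static readonly string[] RedirectKeys = { "goto", "returnurl" };

    // Hosts we are willing to send the user to (constructed values).
    private static readonly string[] AllowedHosts = { "example.com", "example.org" };

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        Uri requestUrl = filterContext.HttpContext.Request.Url;
        if (requestUrl == null)
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // ParseQueryString returns a writable copy, so nothing has to be done to
        // Request.QueryString itself (it is read-only for a reason: changing it
        // does not change the URL the browser is sitting on).
        NameValueCollection query = HttpUtility.ParseQueryString(requestUrl.Query);

        bool changed = false;
        foreach (string key in query.AllKeys.ToArray())   // copy, since we remove while iterating
        {
            if (key == null || !RedirectKeys.Contains(key.ToLowerInvariant())) continue;

            // GetValues covers a repeated parameter (?goto=a&goto=b); one bad value
            // removes the whole key.
            string[] values = query.GetValues(key) ?? new string[0];
            if (values.Any(v => !IsAllowedRedirectTarget(v)))
            {
                query.Remove(key);
                changed = true;
            }
        }

        if (!changed)
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // Rebuild the address from the cleaned query and redirect to it. Assigning a
        // RedirectResult to filterContext.Result short-circuits the action. On the
        // follow-up request the filter finds nothing to remove, so there is no loop.
        var builder = new UriBuilder(requestUrl) { Query = query.ToString() };
        filterContext.Result = new RedirectResult(builder.Uri.PathAndQuery);
    }

    // A target is acceptable if it is a path on this site, or an absolute http(s)
    // URL whose host is an allowed host or a dot-separated subdomain of one.
    internal static bool IsAllowedRedirectTarget(string value)
    {
        if (string.IsNullOrWhiteSpace(value)) return false;

        // "/account" stays on the site; "//evil.example" and "/\evil.example" are
        // protocol-relative and would leave it.
        if (value.StartsWith("/"))
            return !value.StartsWith("//") && !value.StartsWith("/\\");

        Uri target;
        if (!Uri.TryCreate(value, UriKind.Absolute, out target)) return false;
        if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps) return false;

        string host = target.Host.ToLowerInvariant();
        return AllowedHosts.Any(a => host == a || host.EndsWith("." + a, StringComparison.Ordinal));
    }
}
```

Register it either by decorating a controller or action with [StripUnsafeReturnUrl] or globally with GlobalFilters.Filters.Add(new StripUnsafeReturnUrlAttribute()) in FilterConfig. Because the redirect carries the rest of the query string unchanged, any parameter that was not a redirect key survives, which matches the "let the site's default behaviour handle whatever is left" requirement.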

RedirectResult from ActionFilterAttribute

I made a custom ActionFilterAttribute which checks a URL to see if the domains are contained in a whitelist of domains. It's working, but I need to redirect to a failure page on failure.

Can I use the following call?

filterContext.Result = new RedirectResult("/error/Unauthorized");

and what about the path?

I see

ErrorController : Controller
with the following action method

public ActionResult Unauthorized

and it returns the following view:

            return View("UserNoPermissions");

and I see the Shared View


yet, I get the error:

HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

I am hoping to use the Uri object to reject the following XSS exposure.

for example, a return URL which includes the following puts your website at risk:

So, I hope I can use the System.Uri object to throw an exception. This means I do not get into modifying my RegEx.

I would be surprised to learn that the following is not a red flag:

When can HttpUtility.HtmlEncode() reduce risk of XSS attack?

I was under the impression that it was best practice to encode the URL before I call Redirect().

For example:
                    return Redirect(HttpUtility.HtmlEncode(returnUrl));

But then was told it makes no difference, since encoding it just means the browser needs to decode it. And, all that matters is how you protect yourself from incoming malicious URLs. Obviously, a hacker can reformat any outputted URL.

Where and when does it make sense to use HttpUtility.HtmlEncode(returnUrl) ?
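An added example for the question above, not code from the original post. HtmlEncode is an output encoding for HTML text and attribute values; a Location header is not HTML, so encoding a redirect target with it corrupts the URL instead of protecting anything. The block puts each encoder in the context where it belongs: nothing but validation before Redirect(), UrlEncode when a URL is nested as a parameter value inside another URL, and HtmlAttributeEncode when a URL is written into an href. The sample URLs are constructed.

```csharp
using System;
using System.Web;

// Added example, not code from the original post. Each method shows one output
// context; the inputs in Main are constructed samples.
public static class EncodingContexts
{
    // What Redirect(HttpUtility.HtmlEncode(url)) actually sends as the Location:
    // every "&" becomes "&amp;", so the browser requests a different query string
    // (the server then sees a parameter named "amp;sort", not "sort").
    public static string HtmlEncodedRedirectTarget(string returnUrl) =>
        HttpUtility.HtmlEncode(returnUrl);

    // Correct for a redirect: validate (here: site-relative path only, rejecting the
    // protocol-relative "//host" and "/\host" forms), then pass the URL through as-is.
    public static string RedirectTarget(string returnUrl)
    {
        bool local = !string.IsNullOrEmpty(returnUrl) && returnUrl[0] == '/'
                     && (returnUrl.Length == 1 || (returnUrl[1] != '/' && returnUrl[1] != '\\'));
        return local ? returnUrl : "/";
    }

    // Correct when the URL becomes a *parameter value* of another URL: UrlEncode so
    // "&", "=" and "?" inside it cannot split or extend the outer query string.
    public static string LoginLink(string returnUrl) =>
        "/account/login?returnUrl=" + HttpUtility.UrlEncode(returnUrl);

    // Correct when an (already validated) URL is written into an HTML attribute:
    // HtmlAttributeEncode stops a quote in the value from closing the attribute and
    // starting an event handler.
    public static string AnchorTag(string returnUrl) =>
        "<a href=\"" + HttpUtility.HtmlAttributeEncode(RedirectTarget(returnUrl)) + "\">continue</a>";

    public static void Main()
    {
        string url = "/search?q=a&sort=date";
        Console.WriteLine(HtmlEncodedRedirectTarget(url));   // wrong context: "&" is mangled
        Console.WriteLine(RedirectTarget(url));              // unchanged, because it validated
        Console.WriteLine(LoginLink(url));                   // nested safely
        Console.WriteLine(AnchorTag("/x\" onmouseover=\"alert(1)"));   // quote neutralised
    }
}
```

The short rule this illustrates: encoding is chosen by where the value is being written (HTML body, attribute, URL parameter, JavaScript string), while a redirect target is not written into any of those, so the only defence for it is the allow-list or local-path check that runs before Redirect().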

How comprehensive is this malicious URL test?

        public static bool IsUrlDomainValid(this Uri uri, List<string> whitelist)
        {
            return whitelist.Any(w => uri.Host.EndsWith(w));
        }

I create a whitelist that contains various good domains:

and want this function to fail if there is a single domain that is not whitelisted.

Is that what this code does? I get worried with the use of "EndsWith".

What if the last domain is a good one, but there is a bad one in the middle?

Does this C# block return URL hacking?

            if (Url.IsLocalUrl(redirectToAfterLoggingIn) && redirectToAfterLoggingIn.Length > 1 &&
                (redirectToAfterLoggingIn.StartsWith("/") && !redirectToAfterLoggingIn.StartsWith("//")) &&
                true /* further conditions are cut off in the original */)
            {
                return Redirect(redirectToAfterLoggingIn);
            }

I find it confusing, at best.

How can it be a local URL if it starts with a "/"?
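An added example for the question above, not code from the original post. It is a stand-alone copy of the rule that ASP.NET MVC's Url.IsLocalUrl is documented as applying: a URL is local when it is a path under this site's root ("/..." or "~/..."), which is exactly why a local value has to start with "/". The second character is what matters, because "//host" and "/\host" are protocol-relative references that the browser resolves on another host. The extra StartsWith conditions in the snippet above repeat what IsLocalUrl already checks; the only difference is the Length > 1 test, which also rejects a bare "/". The probe strings are constructed.

```csharp
using System;

// Added example, not code from the original post. Stand-alone version of the
// local-URL rule; probe strings are constructed test data.
public static class LocalUrlRule
{
    public static bool IsLocal(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        // "/" or "/path", but not "//host" or "/\host"
        bool rootRelative = url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
        // "~/path": application-relative
        bool appRelative  = url.Length > 1 && url[0] == '~' && url[1] == '/';
        return rootRelative || appRelative;
    }

    public static void Main()
    {
        string[] probes =
        {
            "/account/home",          // local
            "~/account/home",         // local (application-relative)
            "/",                      // local here; the Length > 1 test in the question rejects it
            "//attacker.net/",        // not local: protocol-relative, resolves to attacker.net
            "/\\attacker.net/",       // not local: browsers treat "\" like "/" in this position
            "https://attacker.net/",  // not local: absolute
            "account/home",           // not local: document-relative, depends on the current path
        };
        foreach (string p in probes)
            Console.WriteLine("{0,-24} local={1}", p, IsLocal(p));
    }
}
```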

C#: Can AuthorizeAttribute.GetRedirectResult() be hacked?

I see the following over-ride of GetRedirectResult()

        private ActionResult GetRedirectResult(AuthorizationContext context, string controller, string action, string clientId = null,
            List<KeyValuePair<string, object>> additionalParameters = null)
            var returnUrl = context.HttpContext.Request.RawUrl;



but notice the value for Request.RawUrl is a simple path, generated by our code:


So, I wonder if I need to do any URL sanitizing on this, given it seems based on C# and not user generated.

Is this something that can be ignored?



How to get rid of the warning:
 _WIN32_WINNT not defined. Defaulting to _WIN32_WINNT_MAXVER (see WinSDKVer.h)

Project: C++, Visual Studio v15 Enterprise

In an MVC App, can Session[] be hacked?

How confident should a Controller Action be that the Session data is legit?

Something tells me, zero percent confident.

Is the data stored in Session[] under the same restriction as query string params? That it must be encrypted? Or does the .NET Framework take care of that?

Does Microsoft's Anti-XSS Library block:

HTTP Splitting and Cache Poisoning?

These are new concepts to me, so surely I need to spend more time reading this article:

If you have the time... :)

Which vulnerability is NOT blocked by Microsoft's Anti-XSS Library?

Can an AJAX Request be hacked?

I am trying to put my arms around all the work that needs to be done on four .NET Applications and have found XSS URL Vulnerabilities in Controller Actions.

I have been told by experts that "100% of the XSS exposure is on the server, and that no change could be made in javascript that could reduce the risk of an XSS attack."

I paraphrased in the quote above. Is it true?

What about an AJAX call?

If there were a way to "harden the URL" inside the AJAX call, could a hacker hack that URL?

Is context.HttpContext.Request.RawUrl inside a controller action a "must fix" problem?

I am trying to highlight everywhere in four .NET Applications which are exposed to XSS URL hacking.

So, it seems EVERY TIME I find the line of code:


I need to sanitize it by checking the web domains against my white list.

Is this a correct assumption, that EVERY instance of RawURL is dangerous?

Can you think of any other C# keywords I can search for while looking for vulnerabilities on the C#.NET application?

Is the following HTML5?

I see this kind of code throughout the javascript for the multiple applications I need to support.


But I see in this article:

HTML5 comparison to Old way

Instead, I read the new way to code this is by using the dataset:
     <div id="injectedData"
          data-untrustedinput="@untrustedInput" />

     var injectedData = document.getElementById("injectedData");

     // All clients
     var clientSideUntrustedInputOldStyle =
         injectedData.getAttribute("data-untrustedinput");

     // HTML 5 clients only
     var clientSideUntrustedInputHtml5 =
         injectedData.dataset.untrustedinput;

the use of getAttribute() is the old way, not the HTML5 way, as you can see.

My goal is to block XSS URL hacks. Does the HTML5 way close any exposures?

Do you know how to test my web app using HTTPS using local IIS?

Is there a test tool with IIS which supports this? And without needing to buy a certificate?

Using the Uri object to return a list of domain found in the  string

I need to find if Uri (or related .NET object) can return 2 of 3 domains when it parses this string:

I would be okay if it returned:


How can I do this with Uri or some other .NET object?

How to install Resharper on Visual Studio 2017?

I have the license ID handy, but forgot how.


This website keeps popping up every time I try to load any web page. I have Malwarebytes, but it's not catching anything. I am using Windows 7.

How Vulnerable are query string parameters and their values?

I am curious how vulnerable a website is to hacking that has little validation on the query string params.

Some argue that:
1) an unrecognized query string parameter can do no harm
2) it's too much work, since the program is always in flux, so the "poor stepchild" would not keep up
3) the code to block this (locally at least) is fragile and will always delay a solid release
4) there will be many more failed log-ins than blocked hackers

What are your thoughts on this topic?

And how does using a Web Application Firewall change the discussion?

It seems that if the benefits to security were small or non-existent, the Security Industry would not waste its time closing this vulnerability.

Looking for the security of a Web Application Firewall, with the least amount of work.

I have been told I needed a Web Application Firewall (WAF) and wonder if it's smarter to use a Web Cloud based WAF? It's for a .NET MVC App. running on IIS.

It sounds like it's a smart way to get security, without first needing to become an expert in it. And to know they are always on the lookout, making their system more secure, would let me rest easier.

Any good names you can recommend?

Also, how difficult is it to "build our own?" What kinds of customization capabilities would we lose, if we went with a Cloud based version?

How long might it take to deploy a cloud version of the WAF?

If I wanted to use AWS, for example, must I also host my website with AWS?

Need to find where query params are added to a .NET Solution.

I need to search through multiple solutions and find the many places where query string params are added to the URL. So, I wonder about all the ways this can be done.

Have you got any searches I can do that would help me track those down?

My fear is that finding them all would be nearly impossible, given you can insert a query parameter just by concatenating a string.

But, please make suggestions about explicit commands and objects used, and other more general keywords I can search for, to discover where URLs are being created.

Looking for Test URL's to try against my Anti-XSS code

Can you post some URLs or a link to a site where I can get dozens of various URLs that I can use to test against my Anti-XSS URL Hack code?

I need domains in the return URL, query string parameters, to see what my code can do.

Blocking a period at the end of a whitelisted URL?

I have a RegEx which is partly working to help verify that a whitelisted list of domains, with '|' as delimiter, is working:

              // in a verbatim (@"...") string a single backslash reaches the regex engine,
              // so "\?" is a literal question mark; "\\?" would mean "an optional backslash"
              string regEx3 = @"https?://(" + whitelist + ")(.*)\?(goto|returnurl)=https?://(" + whitelist + ")";

But I need to BLOCK a domain which uses my white listed domain as a sub-domain. is okay, but the following is not

I need to make the RegEx fail when it discovers a period after the white listed domain.
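An added example serving this regex question, the earlier "How comprehensive is this malicious URL test?" question about Host.EndsWith, the "Using the Uri object to return a list of domains" question, and the request for test URLs; it is not code from any of those posts. It shows (1) why a bare suffix test passes "evilexample.com", (2) a strict host match that accepts an allow-listed name or a dot-separated subdomain of it and nothing else, (3) collecting every host a URL names, including the ones inside goto/returnurl values, so a bad domain in the middle is caught even when the last one is good, and (4) a regex form that refuses any character after the allow-listed name except a port, path, query, fragment or end of input, which is the "no period after the domain" rule. The allow-list entries and probe URLs are constructed test data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not code from the original posts. Allow-list entries and probe
// URLs are constructed test data.
public static class HostAllowList
{
    public static readonly string[] Allowed = { "example.com", "example.org" };

    // The check from the question: suffix only. "evilexample.com" passes.
    public static bool LooseMatch(string host) =>
        Allowed.Any(a => host.EndsWith(a, StringComparison.OrdinalIgnoreCase));

    // Strict: exactly an allowed name, or a real (dot-separated) subdomain of one.
    public static bool StrictMatch(string host)
    {
        if (string.IsNullOrEmpty(host)) return false;
        string h = host.TrimEnd('.').ToLowerInvariant();      // "example.com." is the FQDN form
        return Allowed.Any(a => h == a || h.EndsWith("." + a, StringComparison.Ordinal));
    }

    // Hosts named by the URL: its own host, plus the host of every absolute http(s)
    // goto/returnurl value. A site-relative path ("/home") names no host and is
    // skipped; anything else that does not parse is reported as "" so StrictMatch
    // rejects it (covers "//attacker.net", which may parse as a file: URI on Windows).
    public static IEnumerable<string> HostsIn(string url)
    {
        Uri outer;
        if (!Uri.TryCreate(url, UriKind.Absolute, out outer)) { yield return ""; yield break; }
        yield return outer.Host;

        var query = HttpUtility.ParseQueryString(outer.Query);
        foreach (string key in query.AllKeys)
        {
            if (key == null) continue;
            if (!Regex.IsMatch(key, "^(goto|returnurl)$", RegexOptions.IgnoreCase)) continue;

            foreach (string value in query.GetValues(key) ?? new string[0])
            {
                if (value.StartsWith("/") && !value.StartsWith("//") && !value.StartsWith("/\\"))
                    continue;                                // site-relative, no host to check
                Uri inner;
                bool ok = Uri.TryCreate(value, UriKind.Absolute, out inner)
                          && (inner.Scheme == Uri.UriSchemeHttp || inner.Scheme == Uri.UriSchemeHttps);
                yield return ok ? inner.Host : "";
            }
        }
    }

    // True only if every host the URL names is on the allow-list.
    public static bool AllHostsAllowed(string url) => HostsIn(url).All(StrictMatch);

    // Regex form of the same rule for a single absolute URL. After the allow-listed
    // name only ":port", "/", "?", "#" or end of input may follow, so
    // "example.com.attacker.net", "example.com@attacker.net" and
    // "example.com:x@attacker.net" all fail. Dots in the names are escaped.
    public static bool RegexHostMatch(string absoluteUrl)
    {
        string names = string.Join("|", Allowed.Select(Regex.Escape));
        string pattern = @"^https?://(?:[a-z0-9-]+\.)*(?:" + names + @")(?::\d+)?(?:[/?#]|$)";
        return Regex.IsMatch(absoluteUrl, pattern, RegexOptions.IgnoreCase);
    }

    public static void Main()
    {
        string[] probes =
        {
            "https://www.example.com/login?returnurl=https://app.example.com/home", // allowed
            "https://www.example.com/login?goto=https://evilexample.com/",          // loose passes, strict fails
            "https://www.example.com/login?goto=https://example.com.attacker.net/", // a prefix-only regex would pass this
            "https://www.example.com/login?goto=https://example.com@attacker.net/", // Uri.Host is attacker.net
            "https://www.example.com/login?goto=https://attacker.net/?returnurl=https://example.com/", // bad one in the middle
            "https://www.example.com/login?goto=//attacker.net/",                   // protocol-relative
        };
        foreach (string p in probes)
            Console.WriteLine("{0}\n  loose={1} strict={2}", p,
                HostsIn(p).All(h => h != "" && LooseMatch(h)), AllHostsAllowed(p));
    }
}
```

Parsing with System.Uri and comparing Uri.Host is the more reliable of the two forms: the parser, not a hand-written pattern, decides where the host ends, which is what defeats the userinfo ("good@bad") and trailing-label ("good.com.bad.net") tricks. The regex is there for the case where a pattern is required, and the part that answers the question is the terminal group `(?::\d+)?(?:[/?#]|$)` that forbids a period, or anything else, directly after the allow-listed name.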


