Lessons learned from building microservices – Part 2: Security

In this blog post I will go through some of the things I have learned regarding security when it comes to micro-services. It is not a comprehensive guide and things change constantly, so keep learning and investigating.

Best advice here is to avoid re-inventing the wheel. Avoid making your own solutions related to security. This is because someone else with more resources and time has done it before you. Think of the libraries provided by the .NET Core or Java, these have been developed and tested for years. A good example of this would be encryption libraries.

Topics on this post are the following:

  • JSON Web Tokens
  • Monitoring, Logging and Audit trailing
  • Identity and access management
  • Encryption
  • Requests and data validations
  • Error handling
  • CORS & CSP & CSRF
  • OWASP (Open Web Application Security Project)
  • Configurations
  • Quality
  • Security Audit
  • Logs

JSON Web Tokens

Basically they are JSON objects compacted and secured to transfer data between two or more entities, depending on usage.

https://jwt.io/introduction/

https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html

The most common usage is to use them with authentication and authorization.

Another usage could be when you want a person to take some action but the action is delayed to a further date and moment. This is a common thing related to registration and verifying the person.

At some point during the registration process you would need to verify the user, so you can generate a token with needed metadata and send him/her an email. Later the user clicks a link on the received email containing the token as a parameter. One the data gets to your application you can open and validate the token and finish the registration.

There are many other uses but these are just an example. Any time you need to pass data or send it over the internet and that data needs to be secured and not long lived you could consider to use a token.

Security things to do with tokens

Summary: Always validate your tokens

  • Set the audience
  • Set the issuer
  • Set an expiration time
    • You don’t want your tokens in the outside world to live forever, meaning that they should not be used after a certain amount of time.
  • Sign the token to detect tampering attempts
    • Notice: In this scenario the token will not hide the data in the payload, it will only verify that the token hasn’t been tampered with. You need to combine it with encryption
  • Encrypt the token to hide the data in the token
    • Be aware of different encryption methods and when to use them. Generally symmetric encryption is preferred for data that is not in transit; like data that reside in a database. Asymmetric encryption is good for data that is moving and not stationary; data that is moving through the internet is a good example.

Monitoring, Logging and Audit Trailing

From a security perspective I consider logging a very important thing to do. When talking about this category the following things are important to your microservice (or any other application also).

  • Being able to trace activity in your application.
    • Who is operating
    • What is being done
    • How long things take and not just your application requests but also any external resources
    • Errors/warnings and successes
  • Being able to tell if possible attacks happen that want to cause damage or steal something valuable to your or your clients
  • Being able to tell the health of your solutions
  • Have a monitoring tool that can aggregate and display detailed information about your solutions
  • Being able to create alerts that inform you and your team of possible problems
  • Consider automatic actions to avoid issues if certain things are triggered, like possible attack attempts.
  • Consider having a plan on what to do when things seem to break or go bad based on gathered data, alerts, monitoring tools etc. Having an idea what will happen next will make things easier and help avoid public problems.

For more details on logging check out my previous blog entry on these series: https://lionadi.wordpress.com/2019/12/03/lessons-learned-from-building-microservices-part-1-logging/

Identity and access management

Application users

First things first as before with the example of encryption libraries I would recommend using a ready solution, especially if you plan to do a cloud based solution or an app with thousands or more users.

Consider AWS Cognito or Azure AD B2C.

The reason for this is that they provide all the security you need and more in some cases. You will have a huge possible security risk off your shoulders. There are many details to take into consideration if you go the way of manually creation an identity solution with authentication and authorization.

These ready solutions allow you to modify many details how you will use the authentication tokens and authorization tokens in your app. You can add custom attributes, you can use social media to create accounts, support for MFA, mobile users etc.

Require Re-authentication for Sensitive Features.

Proxy

Does the above mean that you can’t create a proxy service with custom logic and logging when users authenticate against Cognito or AD B2C? The answer is NO but consider if you really need it.

Possible situations where you might need an identity proxy are:

  • You need to verify that the authenticated user is allowed to authenticate. The account may not be disabled but might require a human step to be performed somewhere
  • A custom registration flow with custom business logic; for example a person can’t register is his/hers data is not in a certain state or if the data is in certain states then the registration will look, behave and end differently for different users.
  • Custom security logging; for maximum traceability and analysis. You might want to create custom logging and use proper tools to analyze what each person is doing. Especially things related to registration are critical and it is very common that people forget passwords, don’t know how to reset their password, problems logging in might occur etc. In all these cases logging saves hours if not days of troubleshooting.

Admin users

For admin users there are many good best practices to follow and I recommed looking overt them for you particular needs and technology uses. Here are a few links on the matter for AWS, Azure:

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices

Here is a quick list on the top things at the moment:

  • Require MFA
  • Limit the number of Super Admins
  • Enforce a limited session lifetime (Reducing the time a malicious 3rd party can take advantage of an open active session)
  • Enable user notifications for new sign-ons, password resets, account changes etc
  • Consider limiting access from specific locations/IPs etc, or between a certain date and time range, require SSL
  • Use Strong Password Policies (although some of these may make people “lazy” when changing password and pick low security or bad passwords)
    • Lockout
    • Password history
    • Password age
    • Minimum length
  • Create individual user accounts, do not share accounts
  • Grant least privilege
  • Do not share access keys
  • Remove unnecessary credentials
  • Monitor admin activity and send alerts of things that are suspicious

Encryption

Encryption comes in many forms, usually done by two methods: symmetric and asymmetric

Notice: Strong recommendation use existing common libraries for encryption all the way. Do not re-invent the wheel.

Symmetric

You should prefer symmetric encryption in stationary data, data that resides in databases. Also remember to add a salt to the encryption key to avoid possible guess work by an attacker. A salt is added to the hashing process to force their uniqueness, increase their complexity without increasing user requirements, and to mitigate password attacks like rainbow tables.

Probably the most recommended symmetric encryption is AES.

More info: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Asymmetric

Asymmetric encryption is best suited and recommended for data in transit, data that is moving from one place to another over the web. Also in my opinion data that is leaving your secure environment to another location. The most common asymmetric is RSA that is used very broadly like any time you are using HTTPS application protocol to view a site.

Requests and data validations

Generally security authentication and authorization is based on user signin and user roles. While this is a good option there are drawbacks which I will discuss later.

So I will discuss here a way of achieving security through individual permissions for each action the person tries to do. The proper name for this is: Permission Based Access Control

Notice: Still take into consideration your needs in your project. As always some methods of doing things maybe suited for vastly different purposes. I would say that if you chose the Permission Based Access Control, I would recommend that you have many users, in the thousands and even many time greater than that. Also if your users permissions need to change dynamically this is a good solution.

Other options are:

  • Role-Based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)

The main focus is on individual permissions that are defined in a policy/access map. These maps can then be assigned on the fly in necessary to users and/or groups. So if you where to choose a role based access control, you will likely narrow down very much of what a person can do in a system. Also as your application grows it may start to become very rigid. All persons under that role must comply to role(s) exactly in the locations you apply that role.

This most likely will force you to apply multiple roles to a location or users, this will add security options/accesses which are greater than what a particular functionality requires. You may be opening up your application to security vulnerabilities by giving to much access.

So I would suggest creating or starting to work from the idea of individual access management based on permission. Your data in your system(s) should be able to tell you which permission/access maps can a user use.

Now in this situation I am talking about the authorization of a user. When a request happens the code will check the users data and determine which permission he/he has. Your permission/access maps are usually created manually and shared in your system in a secure manner so that they can only be read and not modified by any entity that reads them.

This permission/access map can be used in two very important situations; that is to control what a person can do and what a person can see, so below are our two main requirements:

  1. Test can the person use the requested functionality
  2. If the first step has passed: Test what the user can see. A person may see only parts of data or none at all

Notice: Steps 1 and 2 above are not the same thing. Step 1 is usually something you do on a controller level, on the level where your requests starts to be processed. Step 2 is something you should be doing at the data level; like a service that operates on a data source.

Steps for security validations:

  • Find out can the user access the system
  • Based on the authentication find out who the user is
  • Gather user related data to generate a permission/access map
    • User ID(s)
    • Permission/access map(s); this should be determined based on persons data in the system. A person can have multiple access maps.
    • For each role, have a list of read/create/write/delete for each “category” of importance/bounded context/models etc. This depends on your application and the size of the application and what you are trying to achieve.
  • Use this permission/access map to determine which requests the person can access and which data can he/she see

Taking this approach you are able to:

  • be as loose as you want
  • as rigid as you want
  • exactly where you want.
{
    "AccessCategory": {
      "USER": [
        "READ",
        "UPDATE"
      ],
      "ORDERS": [
        "READ",
        "UPDATE",
        "CREATE"
      ]
    },
    "id": "DEFAULT"
  }

For the requests in the controller make checks on what kind of operations you want the person to be able to do. Have a generated “access/permission map” that knows what the person can do based on his data and states. Have the access/permission map generated frequently, preferably each request.

API Request check example at controller level:

hasUserRights(EnumSet.of(AccessCategory.USER, AccessCategory.ORDERS), EnumSet.of(Permission.READ, Permission.UPDATE));

The above function will go through the access/permission map defined above in the JSON data and see if the requested categories have the requested permissions.

Data request: Does the person have the right to view all of the data requested; if partial show only partial or nothing.

So when you read the access/permission map you need to associate that map to the data that the users can view. This connection can be done inside the code based on the access categories.

Then when a user requests data you have to have internal business logic that will determine can the user view the requested data.

Your access/permission map by itself can’t tell your code how the code should behave, you have to associate the business logic by which to filter out data or deny data access.

I would recommend having a user access service that is responsible for generating the permissions and performs the main logic for the security checks. This way you can ask your service to generate for any user a an access service just by providing a user id. Then you can use this user specific access service to make security checks.

A good example on this would be AWS access permissions and policies:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html

Or Azure:

https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition

Error handling

It is important that you do not “leak” or give away any exceptions to the outside world.

I would recommend that you have a global way of catching all of your exceptions and replacing the response of your application with a client friendly message that tells the client what possibly went wrong but does not give away sensitive information that can be used against your application or their users. Always return a generic error: https://cipher.com/blog/a-complete-guide-to-the-phases-of-penetration-testing/

Remember to log your error properly.

Also regarding your responses to the outside world consider inserting your error friendly message in the body of the response as a custom JSON with data that might help your client app to response properly to the end user. This might be:

  • An error id
  • Possible translation error id for fetching the appropriate error message
  • Error source ID, like a database, 3rd party API, CRM etc, but be carefull not to give away this info to carelessly. Think how this info can be used against you.

Other things to consider regarding any error response is for you definitely think how the things you send to the outside world might be used against you.

This is especially true regarding authentication, authorization situation and registration. Depending on what you are doing you need to mask as much as possible in your responses when something goes wrong, even to the point of sending 200 HTTP status code in error situations. https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages

CORS & CSP & CSRF

The following security measures are a combination of procedures and steps you need to take on both a client and server side applications. I won’t go into the details of implementing them or the in depth knowledge on them. There are many ways to implement these measures in your preferred technological stack. The end result should be the same but how you do this can be different on your choices of technology, being in Azure App service and enabling CORS can be as simple as pressing a button but do a microservice within kubernetes and things change drastically. Just be aware of these measures and seek out examples how to implement them.

Important: Don’t use pick one of them but use them in combination for maximum security.

Cross-Origin Resource Sharing (CORS): In this security measure you can specify who can communicate with your server, which HTTP methods are OK and which headers are allowed. This happens from request that originate from a different different origin (domain, protocol, or port) from its own.

Implementing has to be done in your server configuration and/or code. The client application will usually make an options request to the server with what is wants to do and from where it tries to do it, the server will then say of it is OK to continue by sending what it knows is allowed. The browser will then continue or stop the request there.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Content Security Policy (CSP):

In this measure you are defining which resources are allowed from which sources to be used in your client applications. This includes, font, media, images, javascript, objects etc.

Notice that for dynamic script/content you need a nonce value for those contents. This nonce value need to be generated on a server each time the web application is loaded. If you assign a static nonce value this leaves an attack opportunity in your application to execute things which you do not intend.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

Cross-Site Request Forgery (CSRF):

By this I mean unwanted actions performed in your users browser. For more details I recommed OWASP source for more detailed information:

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

OWASP (Open Web Application Security Project)

OWASP is great resource for information related web appication security. If you want to know more I very strongly recommend to look at their stuff. I’ll post here some of their material which I consider a must to know or atleast to have an idea and come back to.

A good thorough cheat sheet: https://cheatsheetseries.owasp.org/

Top Ten security issues project: https://owasp.org/www-project-top-ten/

Top API security issues: https://github.com/OWASP/API-Security

Top Serverless application issues: https://github.com/OWASP/Serverless-Top-10-Project

A tool to check for security holes and vulnerabilities within your 3rd party libraries and dependencies:

https://owasp.org/www-project-dependency-check/

https://jeremylong.github.io/DependencyCheck/

Configurations

For configurations the most important thing that I think all developer have done at least by accident is to push production credentials into git. So avoid this :).

But other than that here are a few tips:

  • Only add configurations in your configuration files for local development
  • For any other environment have your desired environment configuration file configuration empty. What I mean is that you configuration keys are there but they are empty. You want to do this to make sure that once your test, qa or prod environment configuration files are loaded they are empty unless an outside source sets them, the next step.
  • In your non local development environment load your application with the desired environment configuration like test, qa, prod and replace the empty configurations from a secure secrets store. For example in kubernetes secrets files, in Azure use the Key Vault in AWS Key Management service.
  • Now at this point your should also have a piece of code that can determine if a configuration key is not set and thus is empty. At this stage you should throw an exception and stop the application running. This is usually something that can happen during application start processing. For this I have a post that gives a sample code: https://lionadi.wordpress.com/2019/10/01/spring-boot-bean-management-and-speeding-development

The steps here will improve both your security and quality of your code which I think go hand in hand.

Quality

Quality is important for security because if you have the time and take the interest to create good code that can live for years then it is likely that you will have a secure code, or at least more secure.

Simple things like having good coding practices, common tools and way of doings things within your team can reduce the number of error that can reduce the number of security problems.

Here are a few tools that can help improve your code quality and workflows:

https://www.sonarqube.org/

https://www.sonarlint.org/

https://www.sonatype.com/product-nexus-repository

I will write more about quality in my next post in this series and link it here.

Security Audit

Lastly have someone do a security audit on your application and the entire ecosystem if possible. Have them try to hack into your application, your ecosystem. Have them create a threat analysis with out etc.

If you can’t afford someone then think of learning the basics yourself. This will also improve your code quality and things that you will start to automatically take into consideration when you work on your code.

Logs

The important things is that you have logs about your system that reveal possible security problems or threats. The previous part I went into logging details.

Lessons learned from building microservices – Part 1: Logging

This is a part in a series of posts discussing things learned while I worked with micro-services. The things I write here are not absolute truths and should be considered as the best solutions at the time I and my team used these methods. You might chose to do things differently and I recommend highly to find out for yourself the best practices and approaches that work for you and your project.

I also assume that you have a wide range of pre-existing knowledge on building microservices, API, programming languages, programming, cloud providers etc.

I recommend looking at the OWASP cheat sheet to get even a more in depth view: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

UPDATE – 17.3.2020: I’ve improved this post based on the OWASP logging cheat sheet

Notice: In the examples below I will omit “boilerplate” code to save space.

Introduction

By logging usually is meant created records by a piece of software at your operating system level, a web application, a mobile app, a load balancer, databases, mail servers and so on. Logs are created by many different types of sources.

Their importance comes from their ability to allow you to understand what is happening in your system or application. They should show you that that everything is alright and if they are not you should be able to determine what is not alright.

Base requirements for logging

General requirements for logging are:

  • Identifying security incidents
  • Providing information about problems and unusual conditions
  • Business process monitoring
  • Audit trails
  • Performance monitoring

Which events to log:

  • Input validation failures
  • Output validation failures
  • Authentication successes and failures
  • Authorization (access control) failures
  • Session management failures
  • Application errors and system events
  • Application and related systems start-ups and shut-downs, and logging initialization
  • Use of higher-risk functionality (user management, critical system changes etc)

Things to exclude:

  • Application source code
  • Access tokens
  • Sensitive personal data and some forms of personally identifiable information
  • Authentication passwords
  • Database connection strings
  • Encryption keys and other master secrets
  • Bank account or payment card holder data
  • Data of a higher security classification than the logging system is allowed to store
  • Information a user has opted out of collection, or not consented

In some of the cases to exclude you can obscure/remove/alter sensitive data to provide partial benefits without exposing all of the sensitive data to malicious people:

  • File paths
  • Database connection strings
  • Internal network names and addresses
  • Non sensitive personal data

Still, be very careful with this information, especially with user related data.

Now as much it is important to log and have a good view on what is happening in your system and application, it is also a fine art to understand when not to log things.

Having too much log will make it hard to find out the relevant critical information you need. Having too little logging you risk not being able to understand your problem properly.

So, there is a fine balance between logging too much or too little.

A possible solution to this issue is to have more verbose logging during development and when deploying to production your application will only log what is determined important by the developers so that someone will be able to troubleshoot a problem in production without having too much or too little logging. This is also a process that need refactoring during the lifetime of the application.

This leads us to a requirement of logs: logs should be structured and easily indexed, filtered and searched.

Logging audience

When you are logging, I recommend considering for who are you logging for?

You need to ask yourself: Why add logging to an application?

Someone someday will read that log entry and to that person the log entry should make sense and help that person. So, when you log things, think of your audience and the following things:

  • What is the content of the message
  • Context of the message
  • Category
  • Log Level

All of these can be quite different depending on who is looking at your logs. As a developer, you can easily understand quite complex logs but as a non-developer you mostly likely would not be able to make much sense of complex log entries. So, adapt your language to the intended target audience, you can even dedicate separate categories for this.

Also, think if the log entries can be visualized. For example, metrics logs should have categories, dates and numbers which can be translated into charts that show how long things last or succeed.

Write meaningful log messages

When writing log entries avoid writing them so that you need to have in depth knowledge of the application internals or code logic, even if you are a developer or someone who will look at logs that will be a developer.

There are a few reasons to write log messages that are not depended on knowing the application code or the technicalities behind your application:

  • The log messages will most likely be read by someone else that is not a technical person and even if they are not you may need to prove something in your application to a non-technical person.
  • Even if you are the only developer who is working on your application, will you remember all your logic and meaning of log entries a year or two from now? If you must go to your code and check on what the heck this log entry means, then your log entry was not meaningful enough. Yes, you do have to go back to the code anyway if you have problems but if you have to do this frequently then you definitely need to refactor your logging logic and the log content in your application.
  • If you have multiple developer and they do an analysis of a problem they may not understand what is going on. This is because they might not have any correlation or understanding of a log entry because they have not been apart of the initial solution. They must find out what is going on from the code.

Logging is about the four W:

  • When
  • Where
  • Who
  • What

Add context to your log messages

By context I mean that you log message should usually tell what is going on by giving away all the needed details to understand what is happening.

So, this is not OK:

“An order was placed”

If you where to read that one, you would ask: “What order? Who placed the order? When did this happen?”

A much more detailed and helpful log message would be:

“Order 234123-A175 was placed by user 9849 at 29.3.2019 13:39”

This message will allow someone to get that order from a system, look at what was ordered and by whom and at what time.

Log at the proper level

When you create a log entry your log entry should have an associated level of severity and importance. The common levels that are used are the following:

  • TRACE: The most verbose logging, will produce A LOT of log entries and is used to track very difficult problems. Never use it in production, if you have to them in production you have a design problem in your application. It is the finest grained log level.
  • DEBUG: This is mostly used for debugging purposes during development. At this level you want to log additional and extra information about the workings of your application that help you track down problems. This could be enabled in production if necessary, but only temporarily and to troubleshoot an issue.
  • INFO: Actions that are user-driven or system specific like scheduled operations.
  • NOTICE: Notable events that are not considered an error.
  • WARN: Events that could potentially become an error or pose might a security risk.
  • ERROR: Error conditions that might still allow the application to continue running.
  • FATAL: This should not happen a lot in your application but if it does it usually terminates your program and you need to know why.

Service instances

In a microservice architecture the most important thing is to be able to see what each microservice instance is doing. This means in the case of kubernetes each pod, or each container with docker etc.

So if you have a service named Customer and you have three instances of this service you would want to know what each service is doing when logging. So here is a check list of things to consider:

  • You need to know what each service instance is doing because each instance will process logic and each instance will have it’s own output based on what it is doing or requested to do
  • Each log entry should be able to identify which service instance was that performed the log entry by providing a unique service instance id
  • Each log entry should identify which application version the service instance is using
  • Each log entry should tell in which environment the service instance is operating in, example: development, test, qa, prod
  • If possible each log entry should tell where the service instance is like IP address or host-name

Monitoring

First thing I would recommend is to have an understating where your logs will end up and how you are going to analyze them.

The simplest form would be a log file where you would push your log entries and then using a common text editor or development editor to look at the entries. This works fine if your application is very small or you are dealing with a script. The log entries amount will likely be small, and they won’t be stored for a long period of time.

But, if you know your application or system will produce thousands, hundred of thousands or even millions of log entries each day and you need to store them for a longer period of time then you need a good monitoring tool that than read robustly log entries. You also need a good place to store your log entries.

What you would need normally is something that would:

  • Receive and process a log entry, them transform it and send it to a data store
  • At the data store you would need a tool that will index the data.
  • Then you would need to be able to search and analyze your indexed log entries

A very common tech stack for storing log entries and analysis would be ElasticSearch, Logstash and Kibana. You would use Logstash to process a log entry, transform it and send it to a data store like Elasticsearch where you would index, search and analyze data with. Finally you would use Kibana which is a UI on top of Elasticsearch to visually do the searching and analysis of logs.

Log types

Next I’ll cover the different logging types you might need and that will make your life easier.

General logging details

Before we cover the different types of logs which you might need first we need to have some common data witch each log entry. This data will help us in different way depending on the solution you are making. In my example here these data are related to an API backend but you might find them useful in some other types of solutions.

So consider adding these logging fields to other logs as metadata.

public class LogData
 {

    private String requestId;
    private String userId;
    private String environmentId;
    private String appName;
    private String appVersion;
    private Instant createdAt;

}
FieldSampleDescription
requestId6f88dcd0-f628-44f1-850e-962a4ba086e3This is a value that should represent a request to your API. This request id should be applied to all log entries to be able to group all log entries from a request. Should be unique.
userId9ff4016d-d4e6-429f-bca8-6503b9d629e1Same as with the request id but a user id that represents a possible user that made the API request. Should be unique.
environmentIdDEV, TEST, PRODThis should tell a person looking at a log entry from which environment the log entry came for. This is important in cases where all log entries are pushed into one location and not separated physically.
appNameYour Cool APISame as with the environment id but concerns the app name.
appVersion2.1.7Same as with the environment id but concerns the app version.
createdAt02/08/2019 12:37:59This should represent when the log entry has been created. This will help very much in tracking the progress of the application logic in all environment in case of troubleshooting. Preferable in UTC time.

As you can see with this base line details, we get a pretty good view on where things are happening, who is doing things and when. I can’t stress enough how important these details are!

General log entry

Well this is the base line log entry with an added message field and perhaps a title field. That’s it.

This is what you would need at a bare minimum to find out what is going on.

Access log

Access logs are a great way to keep track of your API requests and their response to a client. It’s a way to the server to keep records of all requests processed by the server. I won’t go deeper into them, there are plenty of detail descriptions available which I recommend going through, here is one:

https://httpd.apache.org/docs/2.4/logs.html#accesslog

https://en.wikipedia.org/wiki/Server_log

Here is some sample code:

public class AccessLog {
    private String clientIP;
    private String userId;
    private String timestamp;
    private String method;
    private String requestURL;
    private String protocol;
    private int statusCode;
    private int payloadSize;
    private String borwserAgent;
    private String requestId;
}
FieldSampleDescription
clientIP127.0.0.1The IP address of the client that made the request to you API.
userIdaa10318a-a9b7-4452-9616-0856a206da75Preferably this should be the same user id that was used in the LogData class above
timestamp02/08/2019 12:37:59A date time format of your choice when the request occured.
methodGET, POST, PUT etc.HTTP Method of the request.
requestURLhttps://localhost:9000/api/customer/infoThe URL of the request
protocolHTTP/1.1The protocol used to communicate with the API request.
statusCode200, 201, 401, 500 etc.HTTP status code of the request response.
payloadSize2345The size of the payload returned to the client.
borwserAgentMozilla/4.08 [en] (Win98; I ;Nav)“The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent.” – https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
requestIdThis should the the same request id used in the LogData class earlier.

Message Queue Log

This is related to a decoupling pattern between two or more entities. You push a message to a storage location and someone or something reads and processes it, this is a simplified description of course.

This is a sample log which you could use with events/message queues. Depending on what message queue you use and what kind of configurations, you would most likely have minimal information about the message pushed to a queue.

From a troubleshooting point of view and being able to track things I would recommend passing with the message additional metadata related to the message original situation.

Lets take as an example an API request. What I did was add an additional

This is a bit of complex thing to go into but the main focus here is that depending on what king of message queue or event queue technology and applications you use, you might not get a very detailed view on who, when and what happened.

An example: You have an API that a client application invokes, this request has to do an asynchronous save to a CRM, you have to make sure that this is completed and re-tried if things go bad. This is fine but what if things go bad and even after several attempts nothing has happened. A common practice is that the message is going to go to a dead letter queue, for troubleshooting and future processing.

Now to be able to find out what the problem was you need detailed information and by default messages in queues have little details. So I would recommend adding additional data to the message in a queue so that when the receiving end gets it you can log and associate that message to our previous API request. Then later when using analysis tools you can get a history of the events that has happened, for example using the requestId/correlationId.

public class MessageQueueLog {
    private String sourceHostname;
    private String sourceAppName;
    private String sourceAppVersion;
    private String sourceEnvironmentId;
    private String sourceRequestId;
    private String sourceUserId;
    private String message;
    private String messageType;
}
FieldSampleDescription
sourceHostnameLook at the LogData example earlier.
sourceAppNameLook at the LogData example earlier.
sourceAppVersionLook at the LogData example earlier.
sourceEnvironmentIdLook at the LogData example earlier.
sourceRequestIdLook at the LogData example earlier.
sourceUserIdLook at the LogData example earlier.
messageJSON data JSON data representing a serialized object that hold important data to be used the the receiving end.
messageTypeUPDATE_USER, DELETE_USERA simple unique static ID for the message. This ID will tell the receiving end what it needs to do with the data in the message field.
createdAt02/08/2019 12:37:59This should represent when the message queue entry was created. Preferable in UTC time.

Metrics log

With metrics logs the idea is to be able to track desired performance and successes in your application. A common thing that you might like to track would be how external request from your own code is performing. This will allow you set up alerts and troubleshoot problem with external sources, especially if combined with an access log you can see and a metrics log of how long you request totally took to finish.

But depending on what kind of tools you use you might get automatic But depending on what kind of tools you use, you might get automatic metrics for your application; like CPU usage, memory usage, data usage etc. Here I will focus on metrics logs you would produce manually from your application.

So you could track the following metrics:

  • External source like database, API, service etc.
  • You request total processing time from start to end to return a response
  • Some important section of your code
public class MetricsLog {

    private String title;
    private String body;
    private String additional;
    private String url;
    private int statusCode;
    private Double payloadSize;
    private Long receivedResponseAtMillis = 0L;
    private Long sentRequestAtMillis = 0L;
    private MetricsLogTypes logType;
    private double elapsedTimeInSeconds = 0;
    private double elapsedTimeInMS = 0;
    private String category;
}
FieldSampleDescription
titleUser Database
bodyUpdate user
additionalSome additional data
urlhttp://localhost:9200/api/car/typesIf this is a API request to an external service you should log the request URL.
statusCode200, 401, 500 etc.The HTTP status code returned by the external source.
payloadSize234567The size of the returned data.
receivedResponseAtMillis1575364455When the response was received, this could be in UNIX epoch time.
sentRequestAtMillis1575363455When the request was received, this could be in UNIX epoch time.
logTypeAPI, DATABASE, CODE etc.The HTTP status code returned by the external source or some other code that you wish to use.
elapsedTimeInSeconds1Calculate and write how long it took for the response to be received.
elapsedTimeInMS1000Calculate and write how long it took for the response to be received.
categoryCategory1/2/3 etc.This could be used to group different metrics together.

Security Logs

I would also consider creating a separate security log that would be logged and identified by the logging indexer to it’s own pattern or category etc.

This is to speed up troubleshooting related to security issues like when someone signs in, signs out, registers etc.

A security log provides tools to establish an audit trail. It allows you to record, track and investigate security related operations that happen in your system. This is a hard thing to do it right since you must have enough information to troubleshoot but keep secrets and sensitive information hidden.

Start by using default features of the technology you are using like Azure AD or Cognito and then go into manually logging security logs to complement them which you would do normally from your application.

For each recorded event, the record in the security log includes at least the following:

  • Date and time of event.
  • User identification including associated terminal, port, network address, or communication device etc.
  • Type of event.
  • Names of resources accessed.
  • Success or failure of the event.

For the security logging you can combine the General Security Logging with just a Title and Body. The bare minimum. The idea is to log an event that is related to a security issue and if possible separate it in it’s own index pattern/category.

Aggregated log entry

This is an example where you would have a main log class that will contain our desired log entry data and details for a system.

Possible use cases is when streaming to Cloudwatch or to perhaps Elasticsearch.

public class CloudLog {
    private LocalDateTime timeStamp;
    private String logger;
    private Map<String, Object> metadata;
    private String message;
    private String level;
}
FieldDescription
timeStampA timestamp when the log entry was created.
loggerThe logger entity name.
metadataA map full of key value pair, full of data which can be serialized into JSON for indexing.
messageThe main message to the log entry
levelSeverity level of the log entry, DEBUG, INFO, ERROR, etc.

Ethical Hacking: Terminology – Part 1

I’ve started a new course on ethical hacking to get a better understanding of the internet, software security, personal security etc.

I’ll post a series of posts where I will write down my notes on what I’ve learned.

I’ll start today with some basic terminology:

Term Description
White Hat Hacker People that do hacking to help others, legal and ethical
Black Hat Hacker Unethical and unlegal activities
Grey Hat Hacker Between White and Black hat
Footprinting Information gathering on your target, on your task: like figuring out network related information, or software related details, or getting information from real world things or people. General information gathering in regard to your chosen target
DoS (Just you) Denial Of Service – On person performs a certain amount of request, more than the server can handle, to make the server crash. Servers can handle only a certain amount of requests and so the requests that does not fit into the request pool limit will be dropped out. If the service attack comes from one location/machine this is should not be possible.
DDoS (multiple people) Domain Denial Of Service – When you multiple computers/machines doing the service attack it will be harder for the software to know who to kick out.

 

The attack is not hard to do but the preparation is hard. You need to have multiple machines and to do this usually you have to infect other computers to create a bot farm of machines.

RAT Remote Administration Tools – For DDoS attacks needed a software that can be distributed upon other computers. This gives you control of a computer and allows you to hide your identity. The operations are not visible to a normal user. You can even hide them so that they do not show in normal operating system diagnostic tools.
FUD ( Anti-virus can not detect) Fully Undetectable – Also needed for DDoS attacks. Not labeled as malicious by anti-virus programs
Fishing Applying a bait and someone acts on it. Example: You get an email from someone and you click on it. Either it uploads something malicious or you do something that compromises your data, security.

 

Usually these are done so that the links look authentic but once you click on them you are redirected to some other server, which is not the one you would expect.

 

An easy way to spot these kind of addresses is to look at the address. If it is not from an HTTPS address then you are probably dealing with a false address. HTTPS addresses are much harder to fake.

SQL Injections Passing SQL Queries to HTTP requests. Allowing SQL command to run on a server to get or alter data that is not others wise intended to see or use.
VPN Virtual Private Network – Routing and encrypting traffic data between you and the VPN server/provider. A way of anonymizing yourself.

 

There is no real easy way to identify you unless the VPN Provider gives up your identity.

Proxy A less reliable way of staying anonymous. You could route your traffic between many proxies but the more proxies you have the harder it is to add new proxies to your traffic. This is mostly because of internet speed limitations, not enough available bandwidth. It will slow down you actions.

 

You can use free proxies and you can use paid proxies but paid ones leave a trace of whom you are.

Tor Open Source – Another way to hide your identity. Faster than proxies but slower than VPNs. Routes traffic through different routes, routers, places to hide your trace.

 

There is a very high chance of staying hidden (99.99%), there are tools, ways to find but highly unlikely.

VPS Virtual Private Server – a “security layer”, example: a virtual machine inside an actual machine that serves as a database server for you web server. This is done so that the database is not accessible from the outside directly.

 

In this way you can be specific who and from where can access that virtual machine.

Key Loggers Tools that are used to extract information from a machine, these needs to be deployed to a machine where the tool gathers key strokes and send that information to a location for analysis.

 

Key Loggers can extract existing information as well, you can modify the settings of a key logger (what, where, how to act), you can take screenshots, to use a camera on a device, microphone etc.

Terminal An interface to control your operating system. GUI tools are not as nearly as powerful as terminal tools.

 

Most hacking tools are designed for the terminal. Once you know how to do it in the terminal, you’ll know how to do it in the GUI.

Firewall A firewall is configured through iptable commands.

 

Linux firewall is open source and it has a HUDE amount of options. On Windows, by default you have some of these options but you will need to buy some package or application to get more options.

Root Kit rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
Reverse-shells There are thousands of Reverse-shells. You have a program that infects another device that program opens up a reverse connection from that device back to you. Therefore, you can keep up controlling an external device.

 

Usually you need to break through a router first and reconfigure it to give you more access to a network and machines.

Azure AD Integration

This year I’ve been working a lot more with Azure. On of my tasks has been to integrate other application to each other using Azure AD. Here are some of my finding and good to know things in case someone else runs into them:

  • Create a new MVC Application in Visual Studio
  • When this is done, press the second mouse button on the project and go to “Add” > “Connected Services”. This will allow you to create an O365 connection.
  • Select Office 365 API Services.
  • In the new Window select or type in your domain.
  • Next, create new Azure AD application configuration or use an existing one by providing the GUID for the application.
    • Make sure you select the “Configure Single Sign-On using Azure AD” option
    • Make sure that your application is multi-tenant:
      • This works so that you register your app with you own Azure AD domain, then after that external Azure AD tenants and their users are registered through an “onboarding” process. The process will the user or admin user for privileges to use certain information from the AD or other resources. These are defined in the Azure AD application settings.
      • Notice you are using an application ID and key to connect to your own organization Azure AD then the users are only onboarding using the multi-tenant option in the Azure AD application configuration.
    • Next select what kind of privileges your application needs from the Azure AD and O365.
    • You need onboarding functionality from here: https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-multitenant-openidconnect/
    • In Global.asax.cs application_start function add the following: AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
      • If this is missing, then you claim will not work properly.
    • If you are using a SQL Server database and Entity Framework remember to update you model from the database and remember primary key connections. If the Entity Framework update does not work then removing and adding the database tables should force an update. Also remember to clean and build your project if nothing else helps.
    • If you get this error: Error: {“error”:”invalid_grant”,”error_description”:”AADSTS70002: Error validating credentials. AADSTS70000: The provided access grant is invalid or malformed…..
    • Doing a redirect the proper way in an MVC apllication using the following piece of code in your contoller: return Redirect(returnUrl);
      • If you use the normal way in ASP .NET: Response.Redirect(returnUrl); you will run into trouble. The error message might look something like this:
        • Server Cannot Append Header After HTTP headers have been sent Exception at @Html.AntiForgery
        • You could set the AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in the Application_start, but this will lower your security and not advisable.

 

C# .NET Getting Windows Directory File Permissions programmatically

Hi,

 

I while back I needed to do a security trim on files in a Windows file system based on returned search results by SharePoint search. Since in SharePoint 2010 search indexing does not know how to take into consideration file system rights for searches there was a need to do a security trimming based on what privileges you have in Active Directory and what you are given to the file itself.

Since there where alot of moving parts and hard to find out which classes and function where needed to actually do this specific task I finally found a source that gave a great sample how to do this:

http://www.conarc.com/blog/2010/03/25/programmatically-getting-effective-directoryfile-permissions/

Unfortunately the source above does not exist anymore for whatever reason. So for those who might need similar functionality through code here is the sample code from the link above and what you need class wise.

In the code below what you need is to call the following static function to check for if the user has certain privileges:

FileSystemRights rights = FileSystemEffectiveRights.GetRights(username, filelocation);

Then call the following function to test against the given file system privileges and what you want to user to have in the file system.
bool canReadExecute = rights.HasRights(FileSystemRights.ReadAndExecute);

 

Classes and enumeration needed for this functionality(there are many moving parts here and you might have to work with Active Directory and File System to test this code):

FileSystemRights Enumeration

FileSystemAccessRule Class

AccessControlType Enumeration

AuthorizationRuleCollection Class

SecurityIdentifier Class

FileSystemAccessRule Class

FileInfo Class

PrincipalContext Class

UserPrincipal Class

PrincipalSearcher Class

WindowsIdentity Class

 

Sample code – http://www.conarc.com/blog/2010/03/25/programmatically-getting-effective-directoryfile-permissions/ :

public static class FileSystemRightsEx
{
public static bool HasRights(this FileSystemRights rights, FileSystemRights testRights)
{
return (rights & testRights) == testRights;
}
}

public static class FileSystemEffectiveRights
{

public static FileSystemRights GetRights(string userName, string path)
{
if (string.IsNullOrEmpty(userName))
{
throw new ArgumentException(“UserName not defined!”);
}

//if (!Directory.Exists(path) && !File.Exists(path))
//{
// throw new ArgumentException(string.Format(“path: {0}”, path));
//}

return GetEffectiveRights(userName, path);
}

private static FileSystemRights GetEffectiveRights(string userName, string path)
{
FileSystemAccessRule[] accessRules = GetAccessRulesArray(userName, path);
FileSystemRights denyRights = 0;
FileSystemRights allowRights = 0;

for (int index = 0, total = accessRules.Length; index < total; index++)
{
FileSystemAccessRule rule = accessRules[index];

if (rule.AccessControlType == AccessControlType.Deny)
{
denyRights |= rule.FileSystemRights;
}
else
{
allowRights |= rule.FileSystemRights;
}
}

return (allowRights | denyRights) ^ denyRights;
}

private static FileSystemAccessRule[] GetAccessRulesArray(string userName, string path)
{
// get all access rules for the path – this works for a directory path as well as a file path
AuthorizationRuleCollection authorizationRules = (new FileInfo(path)).GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier));

// get the user’s sids
string[] sids = GetSecurityIdentifierArray(userName);

// get the access rules filtered by the user’s sids
return (from rule in authorizationRules.Cast<FileSystemAccessRule>()
where sids.Contains(rule.IdentityReference.Value)
select rule).ToArray();
}

private static string[] GetSecurityIdentifierArray(string userName)
{
// connect to the domain
PrincipalContext pc = new PrincipalContext(ContextType.Domain);

// search for the domain user
UserPrincipal user = new UserPrincipal(pc) { SamAccountName = userName };
PrincipalSearcher searcher = new PrincipalSearcher { QueryFilter = user };
user = searcher.FindOne() as UserPrincipal;

if (user == null)
{
throw new ApplicationException(string.Format(“Invalid User Name: {0}”, userName));
}

// use WindowsIdentity to get the user’s groups
WindowsIdentity windowsIdentity = new WindowsIdentity(user.UserPrincipalName);
string[] sids = new string[windowsIdentity.Groups.Count + 1];

sids[0] = windowsIdentity.User.Value;

for (int index = 1, total = windowsIdentity.Groups.Count; index < total; index++)
{
sids[index] = windowsIdentity.Groups[index].Value;
}

return sids;
}
}

Good To Know: ASP .NET MVC Reference Guide

Hi,

This is my collection of sources of the most “relevant” information on ASP .NET MVC. Hope this helps you if you need information on MVC and web development with Microsoft Tools.

Design the application architecture – Application Layers, Azure, State Management, Caching, WebSocket, HTTPModules
ASP.NET MVC 4 Content Map http://www.asp.net/mvc/overview/getting-started/aspnet-mvc-content-map
.NET On-Premises/Cloud Hybrid Application Using Service Bus Relay http://www.windowsazure.com/en-us/documentation/articles/cloud-services-dotnet-hybrid-app-using-service-bus-relay/
A Beginner’s Guide to HTTP Cache Headers http://www.mobify.com/blog/beginners-guide-to-http-cache-headers/
ASP.NET MVC Views Overview http://www.asp.net/mvc/tutorials/older-versions/views/asp-net-mvc-views-overview-cs
ASP.NET Routing http://msdn.microsoft.com/en-us/library/cc668201.aspx
ASP.NET State Management Overview http://msdn.microsoft.com/en-us/library/75x4ha6s.ASPX
Beginners guide to HTML5 Application Cache API http://www.html5rocks.com/en/tutorials/appcache/beginner/
Caching in .NET Framework Applications http://msdn.microsoft.com/en-us/library/dd997357%28v%3DVS.110%29.aspx
Controllers and Action Methods in ASP.NET MVC Applications http://msdn.microsoft.com/en-us/library/dd410269%28v=vs.100%29.aspx
Differences Between ASMX and WCF Services http://msdn.microsoft.com/en-us/library/ff648181.aspx
Distributed Cache http://csharp-guide.blogspot.fi/2013/06/distributed-cache.html
Donut Caching and Donut Hole Caching with Asp.Net MVC 4 http://www.dotnet-tricks.com/Tutorial/mvc/ODJa210113-Donut-Caching-and-Donut-Hole-Caching-with-Asp.Net-MVC-4.html
Donut Caching with ASP.NET MVC 4 http://www.dhuvelle.com/2012/10/donut-caching-with-aspnet-mvc-4.html
Entity Framework http://msdn.microsoft.com/en-us/data/ef.aspx
Extending ASP.NET Processing with HTTP Modules http://msdn.microsoft.com/en-us/library/zec9k340%28v=vs.85%29.aspx
Getting Started with ASP.NET Web API 2 http://www.asp.net/web-api/overview/getting-started-with-aspnet-web-api/tutorial-your-first-web-api
Global.asax File http://msdn.microsoft.com/en-us/library/1xaas8a2%28v=vs.71%29.aspx
HOW TO: Write a Simple Web Service by Using Visual C# .NET http://support.microsoft.com/kb/308359
HTML5 Web Storage http://www.w3schools.com/html/html5_webstorage.asp
HTTP Handlers and HTTP Modules Overview http://msdn.microsoft.com/en-us/library/bb398986%28v=vs.100%29.aspx
IHttpModule Interface http://msdn.microsoft.com/en-us/library/system.web.ihttpmodule%28v%3Dvs.71%29.aspx
Improving Performance with Output Caching (C#) http://www.asp.net/mvc/tutorials/older-versions/controllers-and-routing/improving-performance-with-output-caching-cs
INFO: ASP.NET Configuration Overview http://support.microsoft.com/kb/307626
Introducing “Razor” – a new view engine for ASP.NET http://weblogs.asp.net/scottgu/archive/2010/07/02/introducing-razor.aspx
Introducing WebSocket HTML5 http://www.html5rocks.com/en/tutorials/websockets/basics/
Introducing Windows Azure http://www.windowsazure.com/en-us/documentation/articles/fundamentals-introduction-to-Windows-Azure/
Introducing Windows Azure AppFabric Applications http://blogs.msdn.com/b/appfabric/archive/2011/06/20/introducing-windows-azure-appfabric-applications.aspx
Introduction to HTTP Modules http://msdn.microsoft.com/en-us/library/ms178468%28v=vs.85%29.aspx
Learn About ASP.NET Web API http://www.asp.net/web-api
patterns & practices: Data Access Guidance http://dataguidance.codeplex.com/
Run Startup Tasks in Windows Azure http://msdn.microsoft.com/en-us/library/windowsazure/hh180155.aspx
The WebSocket API http://dev.w3.org/html5/websockets/
Two Ways of Passing HTML5 Web Storage Data to ASP.NET http://www.codeguru.com/csharp/.net/two-ways-of-passing-html5-web-storage-data-to-asp.net.htm
Use AppCmd.exe to Configure IIS at Startup http://msdn.microsoft.com/en-us/library/windowsazure/hh974418.aspx
Using an Asynchronous Controller in ASP.NET MVC http://msdn.microsoft.com/en-us/library/ee728598%28v=vs.100%29.aspx
WCF Web HTTP Programming Model http://msdn.microsoft.com/en-us/library/bb412169%28v=vs.110%29.aspx
Windows Azure Execution Models http://www.windowsazure.com/en-us/documentation/articles/fundamentals-application-models/
Windows Azure Jump Start (03): Windows Azure Lifecycle, Part 1 http://channel9.msdn.com/posts/Windows-Azure-Jump-Start-03-Windows-Azure-Lifecycle-Part-1
Windows Azure Jump Start (04): Windows Azure Lifecycle, Part 2 http://channel9.msdn.com/posts/Windows-Azure-Jump-Start-04-Windows-Azure-Lifecycle-Part-2
Design the user experience – User Interface Design and Implementation
About Font Embedding http://msdn.microsoft.com/en-us/library/ms533034%28v%3DVS.85%29.aspx
AjaxExtensions.BeginForm Method http://msdn.microsoft.com/en-us/library/system.web.mvc.ajax.ajaxextensions.beginform%28v=vs.118%29.aspx
ASP.NET MVC – HTML Helpers http://www.w3schools.com/aspnet/mvc_htmlhelpers.asp
ASP.NET MVC 4 Content Map http://msdn.microsoft.com/en-us/library/gg416514%28v%3Dvs.108%29.aspx
Compatibility tables for support of HTML5, CSS3, SVG and more in desktop and mobile browsers. http://caniuse.com/
CSS Media Types http://www.w3schools.com/css/css_mediatypes.asp
CSS Reference http://www.w3schools.com/cssref/default.asp
DefaultDisplayModes.Instance http://chipburris.wordpress.com/tag/displaymodeprovider-instance/
DisplayModeProvider Class http://msdn.microsoft.com/en-us/library/system.web.webpages.displaymodeprovider%28v=vs.111%29.aspx
EditorExtensions.EditorFor Method http://msdn.microsoft.com/en-us/library/system.web.mvc.html.editorextensions.editorfor%28v=vs.118%29.aspx
How To Test ModelState.IsValid In ASP.NET MVC http://randomtype.ca/blog/how-to-test-modelstate-isvalid-in-asp-net-mvc/
How to: Implement Remote Validation in ASP.NET MVC http://msdn.microsoft.com/en-us/library/gg508808%28v=vs.98%29.aspx
How to: Validate Model Data Using DataAnnotations Attributes http://msdn.microsoft.com/en-us/library/ee256141%28v=vs.100%29.aspx
HTML DOM innerHTML Property http://www.w3schools.com/jsref/prop_html_innerhtml.asp
Html.BeginForm() vs Ajax.BeginForm() in MVC3 http://www.codeproject.com/Articles/429164/Html-BeginForm-vs-Ajax-BeginForm-in-MVC3
HTML5 http://msdn.microsoft.com/en-us/library/ie/hh673546%28v%3Dvs.85%29.aspx
HTML5 New Input Types http://www.w3schools.com/html/html5_form_input_types.asp
HtmlHelper Class http://msdn.microsoft.com/en-us/library/system.web.mvc.htmlhelper%28v=vs.118%29.aspx
JavaScript prototype Property http://www.w3schools.com/jsref/jsref_prototype_math.asp
JavaScript Tutorial http://www.w3schools.com/js/
jQuery http://jquery.com/
jQuery Documentation http://api.jquery.com/
jQuery Mobile http://jquerymobile.com/
jQuery Mobile Framework http://jquerymobile.codeplex.com/
jQuery UI http://jqueryui.com/
JsonRequestBehavior Enumeration http://msdn.microsoft.com/en-us/library/system.web.mvc.jsonrequestbehavior%28v=vs.118%29.aspx
JsonResult Class http://msdn.microsoft.com/en-us/library/system.web.mvc.jsonresult%28v=vs.118%29.aspx
Kendo UI Mobile http://www.telerik.com/kendo-ui-mobile
KnockoutJS http://knockoutjs.com/documentation/introduction.html
LinkExtensions.ActionLink Method http://msdn.microsoft.com/en-us/library/system.web.mvc.html.linkextensions.actionlink%28v=vs.118%29.aspx
ModelStateDictionary.IsValid Property http://msdn.microsoft.com/en-us/library/system.web.mvc.modelstatedictionary.isvalid%28v=vs.118%29.aspx
Partial View in ASP.NET MVC 4 http://www.codeproject.com/Tips/617361/Partial-View-in-ASP-NET-MVC-4
Rendering a Form in ASP.NET MVC Using HTML Helpers http://msdn.microsoft.com/en-us/library/dd410596%28v=vs.100%29.aspx
Sencha Touch http://www.sencha.com/products/touch/
Simplifying HTML generation in code using Razor templates http://www.codeproject.com/Articles/457307/Simplifying-HTML-generation-in-code-using-Razor-te
Styles.Render Method http://msdn.microsoft.com/en-us/library/system.web.optimization.styles.render%28v=vs.110%29.aspx
System.Web.Mvc.Ajax Namespace http://msdn.microsoft.com/en-us/library/system.web.mvc.ajax%28v=vs.118%29.aspx
System.Web.Mvc.Html Namespace http://msdn.microsoft.com/en-us/library/system.web.mvc.html%28v=vs.118%29.aspx
Understanding JavaScript Prototypes. http://javascriptweblog.wordpress.com/2010/06/07/understanding-javascript-prototypes/
Using the viewport meta tag to control layout on mobile browsers https://developer.mozilla.org/en-US/docs/Mozilla/Mobile/Viewport_meta_tag
ValidationExtensions.ValidationMessageFor Method http://msdn.microsoft.com/en-us/library/system.web.mvc.html.validationextensions.validationmessagefor%28v=vs.118%29.aspx
ValidationMessageFor HTML Helper in MVC3 Razor http://20fingers2brains.blogspot.com/2013/03/validationmessagefor-html-helper-in.html
Vendor-specific Properties http://reference.sitepoint.com/css/vendorspecific
Views and UI Rendering in ASP.NET MVC Applications http://msdn.microsoft.com/en-us/library/dd410123(v=vs.100).aspx
Develop User Experience – Search Engine Optimization, Globalization and Localization, Routes, Application Behaviour, Network Optimization
13 ASP.NET MVC extensibility points you have to know http://codeclimber.net.nz/archive/2009/04/08/13-asp.net-mvc-extensibility-points-you-have-to-know.aspx
Action Filtering in ASP.NET MVC Applications http://msdn.microsoft.com/en-us/library/dd410209%28v=vs.100%29.aspx
ActionResult Class http://msdn.microsoft.com/en-us/library/system.web.mvc.actionresult%28v=vs.118%29.aspx
ActionResult.ExecuteResult Method http://msdn.microsoft.com/en-us/library/system.web.mvc.actionresult.executeresult%28v=vs.118%29.aspx
An Introduction to ASP.NET MVC Extensibility https://www.simple-talk.com/dotnet/.net-framework/an-introduction-to-asp.net-mvc-extensibility/
ASP.NET Globalization and Localization http://msdn.microsoft.com/en-us/library/c6zyy3s9%28v=vs.100%29.aspx
ASP.NET MVC – Basic overview of different view engines http://www.codeproject.com/Articles/467850/ASP-NET-MVC-view-engines
ASP.NET MVC Custom Model Binder http://www.codeproject.com/Articles/605595/ASP-NET-MVC-Custom-Model-Binder
ASP.NET MVC Model Binding and Data Annotation http://www.codeproject.com/Articles/551576/ASP-NET-MVC-Model-Binding-and-Data-Annotation
ASP.NET MVC Routing Overview (C#) http://www.asp.net/mvc/tutorials/older-versions/controllers-and-routing/asp-net-mvc-routing-overview-cs
ASP.NET Routing http://msdn.microsoft.com/en-us/library/cc668201%28v%3Dvs.100%29.aspx
Attribute Usage Guidelines http://msdn.microsoft.com/en-us/library/vstudio/2ab31zeh%28v=vs.100%29.aspx
BindAttribute Class http://msdn.microsoft.com/en-us/library/system.web.mvc.bindattribute%28v=vs.118%29.aspx
Bundling and Minification http://www.asp.net/mvc/tutorials/mvc-4/bundling-and-minification
Configuring HTTP Compression in IIS 7 http://technet.microsoft.com/en-us/library/cc771003%28v=ws.10%29.aspx
CultureInfo Class http://msdn.microsoft.com/en-us/library/system.globalization.cultureinfo%28v=vs.110%29.aspx
Custom Controller Factory in ASP.NET MVC http://www.dotnetcurry.com/showarticle.aspx?ID=878
FilterAttribute Class http://msdn.microsoft.com/en-us/library/system.web.mvc.filterattribute%28v=vs.118%29.aspx
Globalize.js https://github.com/jquery/globalize
HandleErrorAttribute Class http://msdn.microsoft.com/en-us/library/system.web.mvc.handleerrorattribute%28v%3Dvs.108%29.aspx
How to: Set the Culture and UI Culture for ASP.NET Web Page Globalization http://msdn.microsoft.com/en-us/library/bz9tc508.aspx
HTML 5: The Markup Language (ARIA Edition) http://dev.w3.org/html5/markup/aria/aria.html
Mage.exe (Manifest Generation and Editing Tool) http://msdn.microsoft.com/en-us/library/acz3y3te.aspx
Microsoft Ajax Content Delivery Network http://www.asp.net/ajaxlibrary/cdn.ashx
MVC 4 Part 4 – Bundles and Optimisation http://johnnewcombe.net/blog/post/4
MvcRouteHandler and MvcHandler in ASP.NET MVC Framework http://www.codeproject.com/Articles/595520/MvcRouteHandler-and-MvcHandler-in-ASP-NET-MVC-Fram
ResourceManager Class http://msdn.microsoft.com/en-us/library/system.resources.resourcemanager%28v=vs.110%29.aspx
Search Engine Optimization Toolkit http://www.iis.net/downloads/microsoft/search-engine-optimization-toolkit
Subscriber Locale Codes http://msdn.microsoft.com/en-us/library/aa226765%28v%3Dsql.80%29.aspx
The Features and Foibles of ASP.NET MVC Model Binding http://msdn.microsoft.com/en-us/magazine/hh781022.aspx
Thread.CurrentUICulture Property http://msdn.microsoft.com/en-us/library/system.threading.thread.currentuiculture%28v=vs.110%29.aspx
Using CDN for Windows Azure http://www.windowsazure.com/en-us/documentation/articles/cdn-how-to-use/
Using Value Providers in ASP.NET 4.5 http://www.codeguru.com/csharp/.net/using-value-providers-in-asp.net-4.5.htm
Walkthrough: Organizing an ASP.NET MVC Application using Areas http://msdn.microsoft.com/en-us/library/ee671793%28v=vs.100%29.aspx
WebPart.AuthorizationFilter Property http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.webparts.webpart.authorizationfilter%28v=vs.110%29.aspx
What’s the Difference Between a Value Provider and Model Binder? http://haacked.com/archive/2011/06/30/whatrsquos-the-difference-between-a-value-provider-and-model-binder.aspx/
ViewResultBase Class http://msdn.microsoft.com/en-us/library/system.web.mvc.viewresultbase%28v=vs.118%29.aspx
VirtualPathProviderViewEngine Class http://msdn.microsoft.com/en-us/library/system.web.mvc.virtualpathproviderviewengine%28v=vs.118%29.aspx
Troubleshoot and debug web applications – Runtime issues, Exception handling, Testing, Debuging
AppDomain.FirstChanceException Event http://msdn.microsoft.com/en-us/library/system.appdomain.firstchanceexception%28v=vs.110%29.aspx
Assert Class http://msdn.microsoft.com/en-us/library/microsoft.visualstudio.testtools.unittesting.assert.aspx
Beginners Guide to Performance Profiling http://msdn.microsoft.com/en-us/library/ms182372.aspx
Code Contracts http://msdn.microsoft.com/en-us/library/dd264808%28v=vs.110%29.aspx
Code Contracts http://research.microsoft.com/en-us/projects/contracts/
Code Contracts for .NET http://visualstudiogallery.msdn.microsoft.com/1ec7db13-3363-46c9-851f-1ce455f66970
Collect Logging Data by Using Windows Azure Diagnostics http://msdn.microsoft.com/en-us/library/windowsazure/gg433048.aspx
Configuring Performance Sessions for Profiling Tools http://msdn.microsoft.com/en-us/library/ms182370.aspx
Configuring Windows Azure Diagnostics http://msdn.microsoft.com/en-us/library/windowsazure/dn186185.aspx
Controller.OnException Method http://msdn.microsoft.com/en-us/library/system.web.mvc.controller.onexception%28v=vs.118%29.aspx
Create and Use Performance Counters in a Windows Azure Application http://msdn.microsoft.com/en-us/library/windowsazure/hh411542.aspx
customErrors Element (ASP.NET Settings Schema) http://msdn.microsoft.com/en-us/library/h0hfz6fc%28v=vs.85%29.aspx
Debugging a Cloud Service in Visual Studio http://msdn.microsoft.com/en-us/library/windowsazure/ff683670.aspx
Debugging Cloud Services http://msdn.microsoft.com/en-us/library/windowsazure/ee405479.aspx
HandleErrorAttribute Class http://msdn.microsoft.com/en-us/library/system.web.mvc.handleerrorattribute%28v=vs.118%29.aspx
How To Put Your Toe Into ASP.NET MVC Integration Testing http://orientman.wordpress.com/2013/12/06/how-to-put-your-toe-into-asp-net-mvc-integration-testing/
How to: Break When an Exception is Thrown http://msdn.microsoft.com/en-us/library/d14azbfh.aspx
How to: Handle Application-Level Errors http://msdn.microsoft.com/en-us/library/24395wz3%28v=vs.100%29.aspx
How to: Receive First-Chance Exception Notifications http://msdn.microsoft.com/en-us/library/dd997368%28v=vs.110%29.aspx
Integration Testing Your ASP.NET MVC Application http://blog.stevensanderson.com/2009/06/11/integration-testing-your-aspnet-mvc-application/
Invariants and Inheritance in Code Contracts http://msdn.microsoft.com/en-us/magazine/hh205755.aspx
Isolating Code Under Test with Microsoft Fakes http://msdn.microsoft.com/en-us/library/hh549175.aspx
Logging Error Details with ASP.NET Health Monitoring (C#) http://www.asp.net/web-forms/tutorials/deployment/deploying-web-site-projects/logging-error-details-with-asp-net-health-monitoring-cs
MVC: Error Page implementation https://thatsimpleidea.wordpress.com/tag/exception/
Performance and Diagnostics Hub in Visual Studio 2013 http://blogs.msdn.com/b/visualstudioalm/archive/2013/07/12/performance-and-diagnostics-hub-in-visual-studio-2013.aspx
Performance Profiler in Visual Studio 2012 http://sylvester-lee.blogspot.fi/2013/03/performance-profiler-in-visual-studio.html
Quick Start: Test Driven Development with Test Explorer http://msdn.microsoft.com/en-us/library/hh212233.aspx
Record and run a web performance test http://msdn.microsoft.com/en-us/library/ms182539.aspx
Remote Debugging a Window Azure Web Site with Visual Studio 2013 http://blogs.msdn.com/b/webdev/archive/2013/11/05/remote-debugging-a-window-azure-web-site-with-visual-studio-2013.aspx
System.Diagnostics.Contracts Namespace http://msdn.microsoft.com/en-us/library/system.diagnostics.contracts%28v=vs.110%29.aspx
TraceListener Class http://msdn.microsoft.com/en-us/library/system.diagnostics.tracelistener%28v=vs.110%29.aspx
Tracing in ASP.NET MVC Razor Views http://blogs.msdn.com/b/webdev/archive/2013/07/16/tracing-in-asp-net-mvc-razor-views.aspx
Understanding Web Tests http://msdn.microsoft.com/en-us/library/ms182537%28v=vs.90%29.aspx
Unit Testing in ASP.NET MVC Applications http://msdn.microsoft.com/en-us/library/ff936235%28v%3Dvs.100%29.aspx
Use the Windows Azure Diagnostics Configuration File http://msdn.microsoft.com/en-us/library/windowsazure/hh411551.aspx
Walkthrough: Using TDD with ASP.NET MVC http://msdn.microsoft.com/en-us/library/ff847525%28v=vs.100%29.aspx
What is a First Chance Exception? http://blogs.msdn.com/b/davidklinems/archive/2005/07/12/438061.aspx
Windows Performance Monitor http://technet.microsoft.com/en-us/library/cc749249.aspx
Working with Web Tests http://msdn.microsoft.com/en-us/library/ms182536%28v=vs.90%29.aspx
Design And Implement Security – Authentication, Authorization, Data Integrity, Hacks and Security, Communication
A Beginner’s Tutorial on Custom Forms Authentication in ASP.NET MVC Application http://www.codeproject.com/Articles/578374/AplusBeginner-27splusTutorialplusonplusCustomplusF
A Custom SqlRoleProvider for “Authenticated Users” http://blogs.msdn.com/b/jjameson/archive/2010/12/09/a-custom-sqlroleprovider-for-quot-authenticated-users-quot.aspx
Anti-Cross Site Scripting Library http://msdn.microsoft.com/en-us/security/aa973814.aspx
Apple Secure Coding Guide https://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/SecureCodingGuide.pdf
ASP.NET Impersonation http://msdn.microsoft.com/en-us/library/aa292118%28v=vs.71%29.aspx
ASP.NET MVC Authentication – Global Authentication and Allow Anonymous http://weblogs.asp.net/jgalloway/archive/2012/04/18/asp-net-mvc-authentication-global-authentication-and-allow-anonymous.aspx
Asp.Net MVC With the ValidateAntiForgeryToken For Cross Site Request Forgeries http://patrickdesjardins.com/blog/asp-net-mvc-with-the-validateantiforgerytoken-for-cross-site-request-forgeries
ASP.NET Web Application Security http://msdn.microsoft.com/en-us/library/330a99hc%28v=vs.100%29.ASPX
Authenticating Users with Windows Authentication (C#) http://www.asp.net/mvc/tutorials/older-versions/security/authenticating-users-with-windows-authentication-cs
AuthorizeAttribute Class http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute%28v=vs.118%29.aspx
Basic Security Practices for Web Applications http://msdn.microsoft.com/en-us/library/zdh19h94%28v=vs.100%29.aspx
Client Certificates vs. Server Certificates – What’s the Difference? http://www.symantec.com/connect/blogs/client-certificates-vs-server-certificates-what-s-difference
Configure ASP.NET Impersonation Authentication (IIS 7) http://technet.microsoft.com/en-us/library/cc730708%28v=ws.10%29.aspx
Create an ASP.NET MVC 5 App with Facebook and Google OAuth2 and OpenID Sign-on (C#) http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
CryptoStream Class http://msdn.microsoft.com/en-us/library/system.security.cryptography.cryptostream%28v=vs.110%29.aspx
Custom Authentication and Authorization in ASP.NET MVC http://www.dotnet-tricks.com/Tutorial/mvc/G54G220114-Custom-Authentication-and-Authorization-in-ASP.NET-MVC.html
Custom Authentication with MVC 3.0 http://www.bradygaster.com/post/custom-authentication-with-mvc-3.0
Custom Membership Providers http://www.codeproject.com/Articles/165159/Custom-Membership-Providers
Custom Membership Providers – Task Manager http://www.codeproject.com/Articles/176863/Custom-Membership-Providers-Task-Manager
Custom Role Providers http://www.codeproject.com/Articles/607392/Custom-Role-Providers
DpapiProtectedConfigurationProvider Class http://msdn.microsoft.com/en-us/library/system.configuration.dpapiprotectedconfigurationprovider%28v=vs.110%29.aspx
FormsIdentity Class http://msdn.microsoft.com/en-us/library/system.web.security.formsidentity%28v=vs.110%29.aspx
How to Authenticate Web Users with Windows Azure Active Directory Access Control http://www.windowsazure.com/en-us/documentation/articles/active-directory-dotnet-how-to-use-access-control/
How to configure Custom Membership and Role Provider using ASP.NET MVC4 http://logcorner.wordpress.com/2013/08/29/how-to-configure-custom-membership-and-role-provider-using-asp-net-mvc4/
How to Create an Intranet Site Using ASP.NET MVC http://msdn.microsoft.com/en-us/library/gg703322%28v=vs.98%29.aspx
How to: Create a WindowsPrincipal Object http://msdn.microsoft.com/en-us/library/t6547wf1%28v=vs.110%29.aspx
How to: Create GenericPrincipal and GenericIdentity Objects http://msdn.microsoft.com/en-us/library/y9dd5fx0%28v=vs.110%29.aspx
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA http://msdn.microsoft.com/en-us/library/ff650304.aspx
How To: Use Membership in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff648345.aspx
HtmlHelper.AntiForgeryToken Method http://msdn.microsoft.com/en-us/library/dd470175%28v=vs.118%29.aspx
HttpEncoder Class http://msdn.microsoft.com/en-us/library/system.web.util.httpencoder%28v=vs.100%29.ASPX
Microsoft Web Protection Library http://wpl.codeplex.com/
OAuthWebSecurity.Login Method http://msdn.microsoft.com/en-us/library/microsoft.web.webpages.oauth.oauthwebsecurity.login%28v=vs.111%29.aspx
OAuthWebSecurity.VerifyAuthentication Method http://msdn.microsoft.com/en-us/library/microsoft.web.webpages.oauth.oauthwebsecurity.verifyauthentication%28v=vs.111%29.aspx
patterns & practices Improving Web Services Security – Now Released http://wcfsecurityguide.codeplex.com/
Programming WCF Security http://msdn.microsoft.com/en-us/library/ms731925%28v=vs.110%29.aspx
Provider Model Design Pattern and Specification, Part 1 http://msdn.microsoft.com/en-us/library/ms972319.aspx
RequireHttpsAttribute Class http://msdn.microsoft.com/en-us/library/system.web.mvc.requirehttpsattribute%28v=vs.118%29.aspx
Role-Based Authorization (C#) http://www.asp.net/web-forms/tutorials/security/roles/role-based-authorization-cs
RSACryptoServiceProvider Class http://msdn.microsoft.com/en-us/library/system.security.cryptography.rsacryptoserviceprovider%28v=vs.110%29.aspx
RsaProtectedConfigurationProvider Class http://msdn.microsoft.com/en-us/library/system.configuration.rsaprotectedconfigurationprovider%28v=vs.110%29.aspx
SAML 2.0 tokens and WIF – bridging the divide http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx
Securing Your ASP.NET Applications http://msdn.microsoft.com/en-us/magazine/hh708755.aspx
Security Practices: ASP.NET Security Practices at a Glance http://msdn.microsoft.com/en-us/library/ff650037.aspx
Seed Users and Roles with MVC 4, SimpleMembershipProvider, SimpleRoleProvider, Entity Framework 5 CodeFirst, and Custom User Properties http://blog.longle.net/2012/09/25/seeding-users-and-roles-with-mvc4-simplemembershipprovider-simpleroleprovider-ef5-codefirst-and-custom-user-properties/
SqlMembershipProvider Class http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider%28v=vs.110%29.aspx
SqlRoleProvider Class http://msdn.microsoft.com/en-us/library/system.web.security.sqlroleprovider%28v=vs.110%29.aspx
System.Security.Cryptography Namespace http://msdn.microsoft.com/en-us/library/system.security.cryptography%28v=vs.110%29.aspx
System.Threading.Thread.CurrentPrincipal vs. System.Web.HttpContext.Current.User or why FormsAuthentication can be subtle http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx
Thread.CurrentPrincipal Property http://msdn.microsoft.com/en-us/library/system.threading.thread.currentprincipal%28v=vs.110%29.aspx
Understanding and Using Simple Membership Provider in ASP.NET MVC 4.0 http://www.codeproject.com/Articles/689801/Understanding-and-Using-Simple-Membership-Provider
Understanding the Forms Authentication Ticket and Cookie http://support.microsoft.com/kb/910443
Understanding Windows Identity Foundation (WIF) 4.5 http://www.codeproject.com/Articles/504399/Understanding-Windows-Identity-Foundation-WIF-4-5
Using IIS Authentication with ASP.NET Impersonation http://msdn.microsoft.com/en-us/library/134ec8tc%28v=vs.100%29.aspx
Using OAuth Providers with MVC 4 http://www.asp.net/mvc/tutorials/security/using-oauth-providers-with-mvc
Walkthrough: Using Forms Authentication in ASP.NET MVC http://msdn.microsoft.com/en-us/library/ff398049%28v=vs.100%29.aspx
WCF Security Fundamentals http://msdn.microsoft.com/en-us/library/ff650862.aspx
WCF Using Windows Authentication and SqlRoleProvider over basicHttp http://randypaulo.wordpress.com/2011/07/13/wcf-using-windows-authentication-and-sqlroleprovider-over-basichttp/
WebSecurity Class http://msdn.microsoft.com/en-us/library/webmatrix.webdata.websecurity%28v%3Dvs.111%29
Windows Communication Foundation Security http://msdn.microsoft.com/en-us/library/ms732362%28v=vs.110%29.aspx
WindowsIdentity Class http://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity%28v=vs.110%29.aspx
WS-Trust 1.3 OASIS Standard http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html