WCF Publishing error

Server Error in ‘/generalservice’ Application.


The type ‘GeneralService.Service1’, provided as the Service attribute value in the ServiceHost directive, or provided in the configuration element system.serviceModel/serviceHostingEnvironment/serviceActivations could not be found.

“generalservice” is the name of the application in IIS. I renamed Service1 to “GeneralService” and the implementing class to Maths. But when I published the service to IIS, I got the error above. The issue was that in GeneralService.svc (earlier named “Service1.svc”) the ServiceHost service was still registered as

Service="GeneralService.Service1"

Updated to Service="GeneralService.Maths". Issue solved 🙂

IIS 7 Error when deploying ASP.Net Web Service

Error: “Handler “WebServiceHandlerFactory-Integrated” has a bad module “ManagedPipelineHandler” in its module list”

This error showed up when I tried to deploy an ASP.Net Web Service to IIS 7. I tried multiple things, including adding Script Handlers, changing ports and whatnot.

But thanks to the post here, I just ran the following command and I was able to access the web service.

C:\Windows\Microsoft.NET\Framework\(version)>aspnet_regiis.exe -i

This command invokes the ASP.Net IIS Registration tool. Detailed here.

SQL Server 2008 Protocols

SQL Server 2008 supports 4 protocols through which a client can connect to the server. Which one to use depends on the environment in which the server is used. The available protocols, with a brief write-up of what each is meant to do:

Shared Memory: This is the basic protocol that SQL Server 2008 supports and has no configurable settings. Because clients using the Shared Memory protocol can connect only to a SQL Server instance running on the same computer, its usage is pretty limited except for troubleshooting. The Shared Memory protocol cannot be used by clients using MDAC 2.8 or earlier; if such a connection is attempted, the Named Pipes protocol is used instead.

Named Pipes: A protocol developed for local area networks (LANs). A portion of memory is used by one process to pass information to another process, so that the output of one is the input of the other. The second process can be local (on the same computer as the first) or remote (on a networked computer).

TCP/IP: Enabling SQL Server to use TCP/IP requires the most configuration effort, but most networked computers are already properly configured.

Virtual Interface Adapter (VIA): A protocol that works with VIA hardware. This is a specialized protocol.

Register ASP.Net 4.0 handler mappings in IIS

Register ASP.Net 4.0 handler mappings in IIS:
1. Go to the .Net command prompt.
2. aspnet_regiis -i
Installs the current version of ASP.NET and updates the IIS configuration at the root level to use this version of ASP.Net.
3. aspnet_regiis -r
Installs this version of ASP.NET and updates scriptmaps at the IIS metabase root and for all scriptmaps below the root. Existing scriptmaps are upgraded to this version regardless of the original versions.

Struggles at Learning WCF

I am using the book “Windows Communication Foundation Unleashed” by Craig McMurtry, Marc Mercuri, Nigel Watling and Matt Winkler to learn the intricacies of WCF.
I am really struggling with the configuration settings and get errors at almost every step (even when blindly following the instructions in the book!). Listing some of the errors here for my reference.
I am trying to host my service on IIS 7.
Error:
No protocol binding matches the given address ‘http://localhost:8000/XXXXX’. Protocol bindings are configured at the Site level in IIS or WAS configuration.
Resolution:
In the Web.config file, empty the endpoint address. While I had the following setting, the above error was thrown:
:::
<endpoint contract="MyContractName"
          binding="basicHttpBinding"
          bindingConfiguration="bindingSettings"
          address="http://localhost:8000/XXXXX" />
:::

I made the change below for the service to be hosted successfully:
:::
<endpoint contract="MyContractName"
          binding="basicHttpBinding"
          bindingConfiguration="bindingSettings"
          address="" />
:::

Visual Studio 2008: x64 Debugger error

Got the error below when I tried to run VS2K8 in debug mode:

Error while trying to run project: Unable to start debugging.
The components for the 64-bit debugger are not registered. Please repair Visual Studio 2008 Remote Debugger installation via ‘Add or Remove Programs’ in control panel.

Resolution:
Install the 64-bit Remote Debugger from the following location in the installation disc:
\Remote Debugger\x64\

WCF Exception "System.ServiceModel.ProtocolException was unhandled"

I got the following irritating error while working with my basics of WCF:

System.ServiceModel.ProtocolException was unhandled



Message=”The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 1024 bytes of the response were: ‘ \n \n \n \n \n<!– \nbody{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;background:#CBE1EF;} \ncode{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} \n.config_source code{font-size:.8em;color:#000000;} \npre{margin:0;font-size:1.4em;word-wrap:break-word;} \nul,ol{margin:10px 0 10px 40px;} \nul.first,ol.first{margin-top:5px;} \nfieldset{padding:0 15px 10px 15px;} \n.summary-container fieldset{padding-bottom:5px;margin-top:4px;} \nlegend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} \nlegend{color:#333333;padding:4px 15px 4px 10px;margin:4px 0 8px -12px;_margin-top:0px; \n border-top:1px solid #EDEDED;border-left:1px solid #EDEDED;border-right:1px solid #969696; \n border-bottom:1px solid #969696;background:#E7ECF0;font-weight:bold;'."

Source=”mscorlib”

The resolution:

On a Windows 7 PC:

Control Panel -> Programs and Features -> Turn Windows features on or off -> .Net Framework 3.5.1 -> Enable Windows Communication Foundation HTTP Activation

SQL Injection Mitigations – Is SP_EXECUTESQL enough?

If you are writing stored procedures in SQL Server and your code has been through a security code review, chances are that you have heard the terms “dynamic SQL” and “sp_executesql” in the context of SQL injection.
I found the details of what sp_executesql does in MSDN here. The MSDN article starts with a security note that reads “Run time-compiled Transact-SQL statements can expose applications to malicious attacks, such as SQL injection.”
This procedure, if used correctly, can help mitigate SQL injection attacks to an extent.
From SQL Server Books Online, the syntax of sp_executesql looks like:
sp_executesql [ @statement = ] statement
[
    { , [ @params = ] N'@parameter_name data_type [ OUT | OUTPUT ][ ,...n ]' }
     { , [ @param1 = ] 'value1' [ ,...n ] }
]
This method is useful ONLY when you use parameterization correctly; if it is used with string concatenation, it is no different from dynamic SQL. I wrote a quick set of code snippets (copied below) to check this:
image
The table I used is detailed in my blog entry here. As you can see, a well-crafted SQL query in the input can still get me the details not meant to be shown.
This can be avoided if I use a properly parameterized implementation of sp_executesql, detailed below.
image
As you can see, when parameterization is used correctly, even a crafted value cannot be used to manipulate the results returned by the query.
So using SP_EXECUTESQL helps mitigate SQL injection attacks only if parameterization is used properly.
I am trying to understand the internal workings of sp_executesql, for now [:)]!
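
The two sp_executesql calls compared above, as an added T-SQL example (not the author's original snippets, which were posted as images). The temp table #ZipCodes, its columns, its rows and the input value are constructed for illustration.

```sql
-- Added example; #ZipCodes, its columns and rows are constructed sample data.
CREATE TABLE #ZipCodes (ZipCode varchar(10) NOT NULL, City nvarchar(50) NOT NULL);
INSERT INTO #ZipCodes (ZipCode, City) VALUES
    ('10001', N'CityA'), ('20002', N'CityB'), ('30003', N'CityC');

-- Constructed input: closes the string literal and appends an always-true condition.
DECLARE @city nvarchar(50) = N'CityA'' OR ''1''=''1';
DECLARE @sql nvarchar(max), @n_concat int, @n_param int;

-- 1) sp_executesql with the value concatenated into the statement text.
--    The input becomes part of the SQL, so the predicate reads
--    City = N'CityA' OR '1'='1' and no longer restricts the rows.
--    The count still comes back through an OUTPUT parameter: calling
--    sp_executesql with a parameter list does not protect a concatenated value.
SET @sql = N'SELECT @n = COUNT(*) FROM #ZipCodes WHERE City = N''' + @city + N'''';
PRINT @sql;   -- shows the statement that is actually compiled
EXEC sp_executesql @sql, N'@n int OUTPUT', @n = @n_concat OUTPUT;

-- 2) sp_executesql with the value bound as a parameter.
--    The statement text is fixed; the whole input is compared against City
--    as data, quotes included.
SET @sql = N'SELECT @n = COUNT(*) FROM #ZipCodes WHERE City = @p_city';
PRINT @sql;
EXEC sp_executesql @sql,
     N'@p_city nvarchar(50), @n int OUTPUT',
     @p_city = @city, @n = @n_param OUTPUT;

-- Compare how many rows each form matched for the same input.
SELECT @n_concat AS MatchedWhenConcatenated,
       @n_param  AS MatchedWhenParameterized;

DROP TABLE #ZipCodes;
```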

SQL Injection – the way I learnt it

I am writing some T-SQL code for one of the assignments and am told to watch out for SQL injection as a possible attack vector.
So I took a look around to see what it is and how it really works from a very high level. A good resource to start with SQL injection (for that matter any attack) is OWASP.
To get hands-on with how dynamic SQL is executed using the Execute statement, I created a dummy database in my local SQL Server instance and created some tables in it. For the purpose of this write-up, I will only use one of the tables in the DB that I call “ZipCodes”. There are three dummy records in the table and here is the snapshot:
image
I created a Stored procedure to get me the record count from this table. Here is the code:
image

As you see I do not do anything fancy. The Stored procedure takes some parameters and then constructs a sql statement, @SQL which is then executed.
I execute the stored procedure using the following statement to confirm that the procedure is working just fine:
image
To check whether the stored procedure is validating the input parameters, I inserted the following value as part of the execute statement:

Exec [dbo].[StoredProcedureToCheckForSQLInjection] '''', 'ABC', 123, 'ZipCodes'

Well that irritated my SQL Server and the Stored procedure cried out the following error:
image
Look at the query that the SP tried to execute (that’s why I used the Print statement in the stored procedure code).
OK, I am on the right track, and this procedure is a possible candidate for an injection attack. I as an attacker will know this looking at the result above, which shows that:
1. The stored procedure is NOT validating the inputs.
2. The stored procedure is doing something by concatenation. (Remember that I as an attacker will not have access to the SP code and hence it will be an analysis of the result/error above that will give me these details.)
That’s good news. So can I get all the records in this table? Let’s check using a crafted input that looks like the one below:
image
Once this query is run, the result that is thrown back is below:
image

Well that is not what the SP is supposed to do.
Let’s check the query that the SP executed to get to the result above:
image
This is a very very very simple scenario and hopefully all the smart developers out there are not writing code like this in their stored procedures. But since I just started and it took me a while to get my query going, I thought of putting this here for reference.
I will come back to this with more tricky cases. Till then it’s Happy Learning to me!!
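
A hardened counterpart to the concatenating procedure above, as an added example rather than the author's code. The procedure name, its two parameters, the dbo.ZipCodesDemo table and its rows are assumptions. It also covers a case the post does not reach: a table name cannot be bound as a parameter, so it is resolved against the catalog and quoted with QUOTENAME.

```sql
-- Added example; dbo.ZipCodesDemo, its columns and rows are constructed.
CREATE TABLE dbo.ZipCodesDemo (ZipCode varchar(10) NOT NULL, City nvarchar(50) NOT NULL);
INSERT INTO dbo.ZipCodesDemo (ZipCode, City) VALUES
    ('10001', N'CityA'), ('20002', N'CityB'), ('30003', N'CityC');
GO

CREATE PROCEDURE dbo.GetRecordCountHardened      -- hypothetical name
    @TableName sysname,
    @City      nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @safeName nvarchar(300), @sql nvarchar(max), @n int;

    -- Take the identifier from the catalog, not from the caller's string,
    -- and only if it is on the allow-list of tables this procedure may count.
    SELECT @safeName = QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
    FROM sys.tables AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE s.name = N'dbo'
      AND t.name = @TableName
      AND t.name IN (N'ZipCodesDemo');

    IF @safeName IS NULL
    BEGIN
        RAISERROR(N'Table name is not allowed.', 16, 1);
        RETURN 1;
    END;

    -- Only the catalog-derived identifier is concatenated; the value is bound.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + @safeName + N' WHERE City = @p_city';
    EXEC sp_executesql @sql,
         N'@p_city nvarchar(50), @n int OUTPUT',
         @p_city = @City, @n = @n OUTPUT;

    SELECT @n AS RecordCount;
    RETURN 0;
END;
GO

-- Constructed calls: a normal value, a quote-bearing value, an unknown table name.
EXEC dbo.GetRecordCountHardened @TableName = N'ZipCodesDemo', @City = N'CityA';
EXEC dbo.GetRecordCountHardened @TableName = N'ZipCodesDemo', @City = N'CityA'' OR ''1''=''1';
EXEC dbo.GetRecordCountHardened @TableName = N'ZipCodesDemo WHERE 1=1 --', @City = N'CityA';
GO

DROP PROCEDURE dbo.GetRecordCountHardened;
DROP TABLE dbo.ZipCodesDemo;
```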