Thursday, August 21, 2014

Code disclosure pattern issue with AjaxControlToolkit

I was helping a team troubleshoot some issues found when they ran the IBM Security AppScan tool against a web application.
One of the issues reported by the tool was:

Web Application Source Code Disclosure Pattern Found

Severity: Medium
URL: URL/ScriptResource.axd
Entity: ScriptResource.axd (Page)
Risk: It is possible to retrieve the source code of server-side scripts, which may expose the application logic and other sensitive information such as usernames and passwords
Latest patches or hotfixes for 3rd. party products were not installed
Temporary files were left in production environment
Debugging information was left by the programmer in web pages
Fix: Remove source code files from your web-server and apply any relevant patches

And the report included the following sample response:
// Add common toolkit scripts here. To consume the scripts on a control add
//public class SomeExtender : ...
// to the controls extender class declaration.

So the highlighted part indicated to AppScan that the application exposed some code. And as I have previous experience with AjaxControlToolkit, I could give the proper advice.

Referring to the source code of AjaxControlToolkit, you can find that the file Common/Common.debug.js includes the above lines as a hint to developers. So it sounds harmless, another false positive, and we can live with it, right?
Probably not. The release version of the above file, Common/Common.js, does not include any of this C# code. This indicates that a debug version is being used in the test. What started as a security issue is now a performance issue, and using the release build should fix it.

In general, automated security, code analysis, or performance testing tools generate false positives, but they should not be ignored without proper analysis.

Note: the latest version of AjaxControlToolkit includes the commented hints in the Client/MicrosoftAjax.Extended/Common/Common.pre.js file
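
A small triage check for this kind of finding, as an added example that is not from the original post or from AjaxControlToolkit: it separates C#-style declarations that sit inside JavaScript comments (the debug-build hint above) from ones that appear outside comments. The declaration regex and every sample input other than the three comment lines quoted in the post are constructed assumptions.

```python
import re

# C#-style type declarations, the kind of text a source-disclosure rule keys on.
# Assumed pattern for this example; AppScan's real signature is not on the page.
CSHARP_DECL = re.compile(
    r"\b(?:public|private|protected|internal)\s+(?:(?:static|sealed|abstract|partial)\s+)*"
    r"(?:class|interface|struct|enum)\s+\w+")

# String literals are matched first so a "//" inside one (a URL, say) is not
# taken for a comment. JavaScript regex literals are not handled (kept simple).
TOKEN = re.compile(
    r'''(?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')'''
    r'''|(?P<comment>//[^\n]*|/\*.*?\*/)''', re.S)

def triage(body):
    """Classify a script response that a scanner flagged for code disclosure."""
    comments = [m.group("comment") for m in TOKEN.finditer(body) if m.group("comment")]
    # Blank out comments, keep strings: what is left is executable script text.
    code_only = TOKEN.sub(lambda m: m.group("string") or " ", body)
    in_comments = [d for c in comments for d in CSHARP_DECL.findall(c)]
    in_code = CSHARP_DECL.findall(code_only)
    if in_code:
        verdict = "declaration outside comments: investigate as real disclosure"
    elif in_comments:
        verdict = "hint comment only: debug script is being served"
    else:
        verdict = "no pattern"
    return {"verdict": verdict, "comments": len(comments),
            "in_comments": in_comments, "in_code": in_code}

# First three lines are the sample response quoted in the post; the rest is constructed.
DEBUG_SAMPLE = """// Add common toolkit scripts here. To consume the scripts on a control add
//public class SomeExtender : ...
// to the controls extender class declaration.
var sample = { getLocation: function (element) { return element; } };
"""
# Constructed: minified script with a "//" inside a string and no comments.
RELEASE_SAMPLE = 'var a={b:function(c){return c+1}};var u="http://example.invalid/x";'
# Constructed: server-side source returned as the response body.
LEAK_SAMPLE = "public partial class LoginPage : System.Web.UI.Page { }"

if __name__ == "__main__":
    for name in ("DEBUG_SAMPLE", "RELEASE_SAMPLE", "LEAK_SAMPLE"):
        print(name, "->", triage(globals()[name])["verdict"])
```
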

Tuesday, July 29, 2014

Do's and Don'ts of Agile Retrospectives article on

Team retrospectives are an important Agile practice. Check my article Do's and Don'ts of Agile Retrospectives to find some tips about having a healthy retrospective and avoiding common pitfalls.

Friday, July 18, 2014

Using Azure command line tools in Windows batch files

I have an Azure IaaS environment for development and experiments. The environment consists of 3 machines. I wanted to automate starting and shutting down the VMs in this environment.
I used Azure Command-Line Interface to create two batch files, one to start the environment and the other to stop it.

The scripts look like:

azure vm start VMName1
azure vm start VMName2
azure vm start VMName3


azure vm shutdown VMName3
azure vm shutdown VMName2
azure vm shutdown VMName1

But when I executed the batch files, only the first command was executed, then the script just terminated even if the command was successful. I had no clue why!!

I asked my friend @mShady, who thankfully pointed me to this Stack Overflow thread. The answer says: "you must call another script using the call command so it knows to return back to your script after the called script completes. Try prepending call to all commands."

So I added call to the batch files:

call azure vm start VMName1
call azure vm start VMName2
call azure vm start VMName3


call azure vm shutdown VMName3
call azure vm shutdown VMName2
call azure vm shutdown VMName1

And it worked.

The documentation for call mentions that it "Calls one batch program from another without stopping the parent batch program".

After checking, I found that the azure command is a batch file that internally calls node. And that was the issue.
The path of the batch file (which is in the path environment variable to be visible anywhere) is: "C:\Program Files\Microsoft SDKs\Windows Azure\CLI\wbin\azure.cmd"

Wednesday, April 30, 2014

Learning plan for Exam 70-480

The Microsoft exam 70-480 "Programming in HTML5 with JavaScript and CSS3" is the first step in a couple of MCSD certification paths. It's common in Web, Windows Store apps and SharePoint technologies.
I share the resources I used to get prepared for this exam. Note however that while I'm relatively new to HTML5 and CSS3, I have long web development experience that helped me.
The points below are copied from the skills being measured section in the exam page, augmented with some recommended resources from my side.

General Resources

Implement and manipulate document structures and objects (24%)

  • Create the document structure
    • Structure the UI by using semantic markup, including for search engines and screen readers (Section, Article, Nav, Header, Footer and Aside); create a layout container in HTML
  • Write code that interacts with UI controls
    • Programmatically add and modify HTML elements; implement media controls; implement HTML5 canvas and SVG graphics
  • Apply styling to HTML elements programmatically
    • Change the location of an element; apply a transform; show and hide elements
  • Implement HTML5 APIs
    • Implement storage APIs, AppCache API and Geolocation API
  • Establish the scope of objects and variables
    • Define the lifetime of variables; keep objects out of the global namespace; use the “this” keyword to reference an object that fired an event; scope variables locally and globally
  • Create and implement objects and methods
    • Implement native objects; create custom objects and custom properties for native objects using prototypes and functions; inherit from an object; implement native methods and create custom methods

Preparation resources

Implement program flow (25%)

  • Implement program flow
    • Iterate across collections and array items; manage program decisions by using switch statements, if/then, and operators; evaluate expressions

  • Raise and handle an event
    • Handle common events exposed by DOM (OnBlur, OnFocus, OnClick); declare and handle bubbled events; handle an event by using an anonymous function
  • Implement exception handling
    • Set and respond to error codes; throw an exception; request for null checks; implement try-catch-finally blocks
  • Implement a callback
    • Receive messages from the HTML5 WebSocket API; use jQuery to make an AJAX call; wire up an event; implement a callback by using anonymous functions; handle the “this” pointer
  • Create a web worker process
    • Start and stop a web worker; pass data to a web worker; configure timeouts and intervals on the web worker; register an event listener for the web worker; limitations of a web worker

Preparation resources

Access and secure data (26%)

  • Validate user input by using HTML5 elements
    • Choose the appropriate controls based on requirements; implement HTML input types and content attributes (for example, required) to collect user input
  • Validate user input by using JavaScript
    • Evaluate a regular expression to validate the input format; validate that you are getting the right kind of data type by using built-in functions; prevent code injection
  • Consume data
    • Consume JSON and XML data; retrieve data by using web services; load data or get data from other sources by using XMLHTTPRequest
  • Serialise, deserialise and transmit data
    • Binary data; text data (JSON, XML); implement the jQuery serialise method; Form.Submit; parse data; send data by using XMLHTTPRequest; sanitise input by using URI/form encoding

Preparation resources

Use CSS3 in applications (25%)

  • Style HTML text properties
    • Apply styles to text appearance (colour, bold, italics); apply styles to text font (WOFF and @font-face, size); apply styles to text alignment, spacing and indentation; apply styles to text hyphenation; apply styles for a text drop shadow
  • Style HTML box properties
    • Apply styles to alter appearance attributes (size, border and rounding border corners, outline, padding, margin); apply styles to alter graphic effects (transparency, opacity, background image, gradients, shadow, clipping); apply styles to establish and change an element’s position (static, relative, absolute, fixed)
  • Create a flexible content layout
    • Implement a layout using a flexible box model; implement a layout using multi-column; implement a layout using position floating and exclusions; implement a layout using grid alignment; implement a layout using regions, grouping and nesting
  • Create an animated and adaptive UI
    • Animate objects by applying CSS transitions; apply 3-D and 2-D transformations; adjust UI based on media queries (device adaptations for output formats, displays and representations); hide or disable controls
  • Find elements by using CSS selectors and jQuery
    • Choose the correct selector to reference an element; define element, style and attribute selectors; find elements by using pseudo-elements and pseudo-classes (for example, :before, :first-line, :first-letter, :target, :lang, :checked, :first-child)
  • Structure a CSS file by using CSS selectors
    • Reference elements correctly; implement inheritance; override inheritance by using !important; style an element based on pseudo-elements and pseudo-classes (for example, :before, :first-line, :first-letter, :target, :lang, :checked, :first-child)

Preparation resources

I hope this helps someone get ready for the exam. Good luck.

Sunday, February 16, 2014

My sad experience with Google app engine and domain names

So I decided to use Google app engine to host a small website. And no, it's neither the programming language I'm not familiar with (Python; it's cool and I like it, by the way) nor the bad development and debugging experience that I had that I'm going to talk about this time. So what is it about? Read on.

Pick a nice name for your baby
It was super easy to create an app with a temporary name like I reserved the domain name with the hosting company I'm used to. So I just need to assign the domain name to the GAE site and that's it. Quite a common task, right?  Sadly not.

You need a Google apps account
First, you need to create a Google apps account. You can't just assign the domain name directly. Anyway, not a big deal when apps had a free tier, but this is no longer the case. So I tried to use my existing free Google apps account that I created years ago.
For Google to verify your ownership of the domain,  you have to add a value to the domain name DNS records. This sounds OK to prove that you control the domain. To get that value you should go to the Google apps administration page ( and click "more controls" then scroll to the right to find the "domains" icon.
Then you should select to add a new domain, and after you get the CNAME or TXT record value to add to your DNS and wait for verification, the domain should now be available for use. Except that it's not.
To make the domain point to the application you created ( you need to go to the administration home page and select the "App Engine Apps". Then select "Add Services" and enter the app Id.
And now, you select to add a URL to access the app, just to find that you cannot use the domain you've just added!! You can add a sub-domain of the original Google app service login! What's the point in verifying another domain? I don't know!

Anyway, I went to another option by applying for a new Google apps account with a 30-day trial. And after the tedious steps of domain verification and service addition, finally I have my domain pointing to my GAE app. Hopefully, the domain will still work after the free trial expiration.

End of story? Never.

Naked domains: 
Whether you should add www before your domain name or use naked domains is a religious war that I'll not discuss here. But if you want to use naked domains with GAE you're out of luck. It's not supported. 
So if the user writes ( in the browser's address bar, he's not going to your app. You must redirect the user to ( Some domain registrars support this feature, but my hosting company doesn't, so I had to do it myself. I pointed the domain ( to a site on my hosting space, and used an HTTP module to redirect requests to the www version (

Note: Apparently, there is another way to do it. But I'm not sure how to get it to work using my hosting provider control panel.

And some spam
Since I did not configure email on my newly created Google apps account, Google kept sending me emails about how much I'm missing. OK. I did not need all this mess in the first place.

Just Why?
My guess is that the whole experience is geared towards promoting the apps model from two sides: you should have a Google apps account, and you should purchase services from Google market place.
The experience was not friendly for people like me, who just wanted to create a web site. When did the www boom happen exactly?

Monday, January 6, 2014

Articles I read in 2013

A new year, a new list...

2012's list can be found here
2011's list can be found here
2010's list can be found here
2009's list can be found here
2008's list can be found here 
2007's list can be found here