Password hash using PBKDF2 with HMAC SHA256/ SHA512 in .NET Framework 4.7.2 and .NET Core 2.0

Here I am back with more updates on PBKDF2 with HMAC, but this time I am talking about the SHA-2 family of hashes, which includes SHA-256 and SHA-512, both within the standard .NET Framework.

I have posted another article on implementing PBKDF2 with the SHA-2 family for password hashing, which uses a custom implementation of PBKDF2, as at that time this option was not available in the standard .NET Framework.

Password hash using PBKDF2 with HMAC SHA256/ SHA512 in .NET Framework 4.7 and before

Recently I got a requirement from one of my clients to generate a salted password hash using PBKDF2 and SHA-2 algorithms. But as everyone knows, we have only had SHA-1 available in the .NET Framework till now.

Because this was a client requirement, I had to accommodate it in my project scope, and to do this I got help from a nice guy who made this easy for me. While searching on Google I found this article from him.

Steps to Remove Security Vulnerabilities of WordPress Site

Your WordPress site may have a number of security vulnerabilities that make it easy to compromise. Below I have listed the common weaknesses and their fixes, which should help you prevent your site from being hacked:

  1. Authenticated Reflected XSS : This vulnerability occurs when data taken from URL parameters is displayed directly, without sanitization or escaping.
  • Example: http://example.com?user_id=1><script>alert(1)</script>. Any script can be injected through the URL in this way, which is a major security issue, as anyone can run their script in a victim's browser and affect our data.
  • Recommendation: The best way to prevent this vulnerability is to use WordPress's data sanitization and escaping functions in your theme and plugins. If you are using third-party themes and plugins, make sure the developer has used the WordPress data sanitization methods.
  2. Clickjacking : Clickjacking is a technique in which a frame from a different domain is displayed over a button or link on another site, and the user does not realise that the frame does not belong to the current site. If the user clicks the button or link, malware may be installed. The attacker hijacks the user's click, hence the name clickjacking (also called cross-frame scripting).
  • Recommendation: To prevent this, set the X-Frame-Options header in your .htaccess file so that other websites cannot display your pages in a frame. If your site never needs its pages shown inside a frame, set X-Frame-Options to DENY; if your site frames its own pages, set X-Frame-Options to SAMEORIGIN, so that only frames from your own site are allowed.

  3. Caching of Sensitive Data : If caching of pages containing sensitive data is not disabled, the browser stores local copies of these pages, which may be accessed by anyone who has access to the user's computer.

  • Recommendation: All pages containing sensitive information (logins, password resets, reports, etc.) should include the following headers to ensure that browser caching of these pages is disabled:
  • Expires: should be a date in the past.
  • Pragma: should be no-cache.
  • Cache-Control: should be no-store.
  4. System Information Leak : Some files in the WordPress directory can reveal sensitive information about the installation. To keep the site safe, remove files that are not in use (wp-config-sample.php, readme.txt, etc.) or write rules in .htaccess so that nobody can request them. The .htaccess rules to deny access to these files look like this:
  • # Rules to block access to WordPress specific files
    # (Order/Deny is Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside each block instead)
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files readme.txt>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    <files wp-config.php>
    Order allow,deny
    Deny from all
    </files>
    <files xmlrpc.php>
    Order allow,deny
    Deny from all
    </files>
    <files wp-settings.php>
    Order allow,deny
    Deny from all
    </files>
    <files wp-load.php>
    Order allow,deny
    Deny from all
    </files>
    <files .htaccess>
    Order allow,deny
    Deny from all
    </files>
    #####
  • Whenever a 404 or other error page is displayed, additional information about the server (the server signature) is shown with it. To stop this information from leaking, turn off the server signature in your .htaccess file:
  • # START – Disable server signature #
    ServerSignature Off
    # END – Disable server signature #
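The .htaccess rules above handle item 4 at the web-server level; items 1 to 3 can also be enforced inside WordPress itself. The following is an added example written for this post, not code from the original article or from WordPress core: a must-use plugin (drop it into wp-content/mu-plugins/) that shows the vulnerable output beside the sanitized version and sends the clickjacking and no-cache headers. The page slug "account" and the function names are placeholders.

```php
<?php
// Added example (not from the original post): a must-use plugin that applies
// items 1-3 above inside WordPress. The page slug "account" is a placeholder.

// Item 1, vulnerable: the raw query parameter is echoed straight into HTML, so
// a user_id value carrying script tags (as in the item 1 example) would run in
// the visitor's browser.
function example_vulnerable_user_id() {
    echo '<input name="user_id" value="' . $_GET['user_id'] . '">';
}

// Item 1, hardened: unslash, sanitize on input, accept only the shape we expect
// (a positive integer) and escape on output for the attribute context.
function example_hardened_user_id() {
    $raw     = isset( $_GET['user_id'] ) ? wp_unslash( $_GET['user_id'] ) : '';
    $user_id = absint( sanitize_text_field( $raw ) ); // non-numeric input becomes 0
    if ( 0 === $user_id ) {
        return; // nothing to render for an unexpected value
    }
    echo '<input name="user_id" value="' . esc_attr( $user_id ) . '">';
}

// Items 2 and 3: headers must be sent before any output, so hook
// template_redirect, which runs after the main query (conditional tags such
// as is_page() work) but before the template starts printing.
function example_security_headers() {
    if ( headers_sent() ) {
        return;
    }
    // Clickjacking: allow framing only by pages from this site.
    // Use DENY instead if the site's pages never need to be framed at all.
    header( 'X-Frame-Options: SAMEORIGIN' );

    // Sensitive pages: send the three no-cache headers listed in item 3.
    if ( is_user_logged_in() || is_page( 'account' ) ) {
        header( 'Expires: Thu, 01 Jan 1970 00:00:00 GMT' ); // a date in the past
        header( 'Pragma: no-cache' );
        header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
    }
}
add_action( 'template_redirect', 'example_security_headers' );
```

After installing it, confirm the result with `curl -I` against a logged-in or account page and check that the X-Frame-Options, Expires, Pragma and Cache-Control headers appear as above.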