A comparison of the number of iterations in .NET 5 and .NET Framework

How many source “iterations” would happen when the below code executes?

Most people think one of two things:

  1. The source is iterated just once, so three iterations/loops for a source with three items.
  2. Nine iterations (each extension method iterates the collection).

Let’s find out the correct answer.

What is an iteration?

We first need to agree on the definition of an iteration.

Most people think of an iteration as one loop through a foreach/for/while etc.

But what happens when you loop through a foreach?

Behind the foreach syntactic sugar

Behind the scenes, the iterator pattern is implemented.

The above foreach loop is syntactic sugar for:

A…


A deep dive into the inner workings of Antiforgery tokens in .NET 5.0

In this article I’ll talk about what values an antiforgery token can take on in .NET 5.0.

You should already have a basic understanding of antiforgery tokens and how to use them in .NET 5.0.

The First 26 Characters

If you’ve read my first article on antiforgery tokens, you’ll know that out of the 155 characters that make up the token, the first 5 characters are always the same:

CfDJ8

This is because these hard-coded eight bytes are always written to the start of the array before being base64 encoded:

0x09F0C9F0

The next 21 characters will always be the same for your application depending…


A look into whether or not antiforgery tokens can be stolen

Antiforgery Tokens

Here are some questions I came up with while learning about antiforgery tokens and how they can protect against CSRF attacks.

You should already know what a CSRF attack is, and what antiforgery tokens are.

Read my article if you’re interested in how antiforgery tokens work behind the scenes.

Login CSRF attack

A login CSRF attack is the opposite of a normal CSRF attack.

The victim loads a fake website which appears real, and uses it to log in to a website like PayPal, but without the victim knowing, the attacker’s credentials are used behind the scenes.

Once the victim logs in, the…


How antiforgery tokens work in .NET 5.0

In this article I’ll talk about how antiforgery tokens work behind the scenes by answering these questions:

  1. How does the cookie name get generated?
  2. How do the cookie and HTML form tokens get generated?
  3. How are the tokens verified?

You should already know what antiforgery tokens are, and how to use them in ASP.NET Core.

Following along

You can skip this section, however it’s much more interesting to follow along by debugging this yourself.

I won’t show all the code here, however it’s a very simple MVC application which has a form and a button to POST the form.

You can download…


What is the ideal body type for a Ninja?

I was curious as to what the best body type is in terms of height, weight, BMI and age.

I’ve recorded all the stats for the ninjas whose runs and stats were shown on TV, for season three and four.


Get an understanding of what happens under the hood

This is something that took me a long time to get working, and there is not much help out there on the internet.

So I’m writing this article to give you the help I wish I had when I was trying to work this out.

Why?

Maybe you’re just curious as to how things work behind the scenes, or maybe you’ve found a bug, or need some code you don’t have access to. Whatever your reason is, this article will help you skip all the issues I had.

How?

There are many ways to debug the source code. …


Use .NET Reflection to increase code readability, maintainability, and extensibility

In this article, I’ll show you a scenario where using Reflection can help improve the readability, maintainability, extensibility, and the DRYness of your code.

The Scenario

You’ve written a web app for a car dealership which prints reports about the cars in stock, and what cars have been sold.

Current State Of The Code

Here is what the code looks like at the moment. It’s a simple ASP.NET Core MVC application with one Controller called Home, and two classes for generating the reports.

The CarInfo class generates a report for the cars in stock:

The CarSales class generates a report for the cars that have…


GET/POST vs PUT/DELETE and CORS

Make sure you’ve read part 1 if you haven’t already.

We’re now going to look at the difference between cross-domain GET/POST and PUT/DELETE requests.

POST Request

To test out what happens when you make a POST request, update Index.cshtml in FakeBank with this code (lines 8 and 9 have changed):

Refresh the FakeBank webpage and you’ll notice the Withdraw() action method in GoodBank gets executed.

Look back in the F12 Dev Tools in the FakeBank webpage and you’ll see it’s the same as the GET request. The action method gets executed, but you can’t view the response.

It doesn’t matter that…


The best way to learn how it works is to do one yourself

This is part 1 of a 2 part series.

I’m going to show you how to simulate a CSRF attack using two local web apps, and then answer a bunch of questions I came up with while I was learning this stuff.

I’ll also talk about CORS and the Same-Origin policy.

The scenario

You’re an internet banking user who is currently logged on to the GoodBank website.

While you’re still logged on, you receive an email pretending to be from GoodBank.

You click the link in the email and it loads the website for FakeBank.

Behind the scenes, the FakeBank website will…


How an invisible character can ruin your webpage

Have a look at these two simple HTML pages:

Page 1

They look identical, but have a look at what is rendered in the browser:

Page 1 Rendering

David Klempfner

I’m a software developer who is passionate about learning how things work behind the scenes.
