I've just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here.

The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions.

This is a bit vague, but here is a more frightening part:

The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy.The cryptographic knowledge required is very basic.

All in all, I'm not familiar enough with the security/cryptograpy subject to know if this is really that serious.

So, should all ASP.NET developers fear this technique that can own any ASP.NET website in seconds or what?

How does this issue affect the average ASP.NET developer? Does it affect us at all? In real life, what are the consequences of this vulnerability? And, finally: is there some workaround that prevents this vulnerability?

Thanks for your answers!

---

EDIT: I'd like to summarize the responses I got so far.

So, this is basically a "padding oracle" type of attack. @Sri provided a great explanation about what does this type of attack mean. Here is a shocking video about the issue!

About the seriousness of this vulnerability: Yes, it is indeed serious. It lets the attacker to get to know the machine key of an application. Thus, he can do some very unwanted things.

• In posession of the app's machine key, the attacker can decrypt authentication cookies.
• Even worse than that, he can generate authentication cookies with the name of any user. Thus, he can appear as anyone on the site. The application is unable to differentiate between you or the hacker who generated an authentication cookie with your name for himself.
• It also lets him to decrypt (and also generate) session cookies, although this is not as dangerous as the previous one.
• Not so serious: He can decrypt the encrypted ViewState of pages. (If you use ViewState to store confidental data, you shouldn't do this anyways!)
• Quite unexpected: With the knowledge of the machine key, the attacker can download any arbitrary file from your web application, even those that normally can't be downloaded! (Including Web.Config, etc.)

Here is a bunch of good practices I got that don't solve the issue but help improve the general security of a web application.

• You can encrypt sensitive data with Protected Configuration
• Use HTTP Only cookies
• Prevent DoS attacks

Now, let's focus on this issue.

• Scott Guthrie published an entry about it on his blog
• ScottGu's FAQ blog post about the vulnerability
• ScottGu's update on the vulnerability
• Microsoft has a security advisory about it
• Understanding the vulnerability
• Additional information about the vulnerability

The solution

• Enable customErrors and make a single error page to which all errors are redirected. Yes, even 404s. (ScottGu said that differentiating between 404s and 500s are essential for this attack.) Also, into your Application_Error or Error.aspx put some code that makes a random delay. (Generate a random number, and use Thread.Sleep to sleep for that long.) This will make it impossible for the attacker to decide what exactly happened on your server.
• Some people recommended switching back to 3DES. In theory, if you don't use AES, you don't encounter the security weakness in the AES implementation. As it turns out, this is not recommended at all.

Some other thoughts

• Seems that not everyone thinks the workaround is good enough.

Thanks to anyone who cared to answer my question. I learned a lot about not only this issue, but web security in general. I marked @Mikael's answer as accepted, but the other answers are also very-very useful.

What should I do to protect myself?

[Update 2010-09-29]

Microsoft security bulletin

KB Article with reference to the fix

ScottGu has links for the downloads

[Update 2010-09-25]

While we are waiting for the fix, yesterday ScottGu postet an update on how to add an extra step to protect your sites with a custom URLScan rule.

---

Basically make sure you provide a custom error page so that an attacker is not exposed to internal .Net errors, which you always should anyways in release/production mode.

Additionally add a random time sleep in the error page to prevent the attacker from timing the responses for added attack information.

In web.config

<configuration>
 <location allowOverride="false">
   <system.web>
     <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
 </location>
</configuration>

This will redirect any error to a custom page returned with a 200 status code. This way an attacker cannot look at the error code or error information for information needed for further attacks.

It is also safe to set customErrors mode="RemoteOnly", as this will redirect "real" clients. Only browsing from localhost will show internal .Net errors.

The important part is to make sure that all errors are configured to return the same error page. This requires you to explicitly set the defaultRedirect attribute on the <customErrors> section and ensure that no per-status codes are set.

What's at stake?

If an attacker manage to use the mentioned exploit, he/she can download internal files from within your web application. Typically web.config is a target and may contain sensitive information like login information in a database connection string, or even link to an automouted sql-express database which you don't want someone to get hold of. But if you are following best practice you use Protected Configuration to encrypt all sensitive data in your web.config.

Links to references

Read Microsoft's official comment about the vulnerability at http://www.microsoft.com/technet/security/advisory/2416728.mspx. Specifically the "Workaround" part for implementation details on this issue.

Also some information on ScottGu's blog, including a script to find vulnerable ASP.Net apps on your web server.

For an explanation on "Understanding Padding Oracle Attacks", read @sri's answer.

---

Comments to the article:

The attack that Rizzo and Duong have implemented against ASP.NET apps requires that the crypto implementation on the Web site have an oracle that, when sent ciphertext, will not only decrypt the text but give the sender a message about whether the padding in the ciphertext is valid.

If the padding is invalid, the error message that the sender gets will give him some information about the way that the site's decryption process works.

In order for the attack to work the following must be true:

• Your application must give an error message about the padding being invalid.
• Someone must tamper with your encrypted cookies or viewstate

So, if you return human readable error messages in your app like "Something went wrong, please try again" then you should be pretty safe. Reading a bit on the comments on the article also gives valuable information.

• Store a session id in the crypted cookie
• Store the real data in session state (persisted in a db)
• Add a random wait when user information is wrong before returning the error, so you can't time it

That way a hijacked cookie can only be used to retrieve a session which most likely is no longer present or invalidated.

It will be interesting to see what is actually presented at the Ekoparty conference, but right now I'm not too worried about this vulnerability.

I know the differences between ASP and ASP.NET generally, as I am new to both, so I don't understand all of them, but I get the fact that ASP.NET is built on top of Microsofts .NET framework, and is the next generation of ASP, but it's built from the ground up.

W3Schools and another question here on SO provided great help explaining the difference!

I was wondering if it is worth it to fully learn Classic-ASP before diving into ASP.NET.

Why do people still use Classic-ASP? I've heard about the benefits which ASP.NET provides, and it seems like it would be worth it to switch.

Do people still use Classic-ASP because of server issues, or just because they prefer to work in it for some reason?

I would like some guidance on which I should start learning first, and why if anyone has any good suggestions?

UPDATE:

Thanks for the very helpful posts everyone! They gave me a great indicator of what is important, and why!

Thanks!!

There's little or no point learning classic asp as a precursor to asp.net as whilst similar in some respects(the Server, Request, Response objects and their associated methods, etc), they're different enough that one doesn't serve as a gentle introduction to the other.

If you've no need to know classic asp, definately go with asp.net as it's "the way of the future", be it in its MVC or WebForms guise. The only reason I can think of, now, to learn classic asp would be to support a legacy application. I'd be very surprised if there's any new "greenfield" development being carried out in classic asp on any great scale. There's also a great question (that I provided an answer to) that will give you some info on the differences between asp.net WebForms and MVC that's well worth a read.

When it comes to deciding "which language" out of the choice of C# and VB.net, pick whichever you find most comprehensible, at least initially. You'd be advised to at least consider C# as examples, samples, tutorials and suchlike are much more readily available in it. One look at the C# tag vs. the vb.net tag (105,977 questions against 10,815) here on stackoverflow makes it quite clear which has the broader uptake.

We are starting a new web based product in which we are planning to expose our business logic through WCF services. We will be using ASP.NET 4.0, C#, EF 4.0. In future we want to build iphone applications and WPF applications based on the services. I have been reading a lot about using POCO vs Self Tracking Entities (STE) and from my understand the STEs do not work well with the web scenario. Can anyone shed more light on this issue?

For me STE is absolutely wrong concept. It is just another implementation of DataSet.

• In ASP.NET application you will have to store STEs somewhere among requests. In first request you will query your datasource to get STE and provide data in the page. In the next request (postback) you will want to modify STE with returned data from the browser. To support tracking you will have to use the same STE as in the first request => you will have to store STE in viewstate (if you want to use ASP.NET WebForms) or session.
• STE is useless for SOA or interoperability. Tracking logic is part of STE = it is running on the client. If you expose STE in the service you are immediatelly expecting that client side will use the same tracking features included in STE logic. But these features are not provided to other side automatically. In .NET you have them because you share assembly with STEs. But on other platform you have to explain developers how to implement STE logic to make it work on your side. This will be probably the most limiting case for you because of iPhone application.

If i use Response.Cookies["test"].Value ="Hi"; where are cookie stored in system?

Can i check Cookies["test"] value in my pc because cookies are stored in text format.

I am using VS 2008. Operating system is Windows 7.

I have tried to find in Google but not getting the exact answer. Please help to sort out this problem.

IE and Windows keeps cookies here:

%AppData%\Microsoft\Windows\Cookies

Points to the same directory as @Sohnee's does under Windows Visa and newer, but his doesn't under Windows XP and earlier, my - does.

also Temporary Internet Files can contain some cookies.

Meanwhile Firefox keeps cookies into SQLite database under profile root:

%AppData%\Mozilla\Firefox\Profiles\%FirefoxProfile%\cookies.sqlite

To read the data you need to connect to that database using any SQLite client and execute next query:

select value
from moz_cookies
where name = 'test'

I did it just now using trial SQLite Maestro. And don't forget to close all running Firefoxes before connection attempt.

If my user is in California and they have their computer set to PST, it's 1:00 pm there. If my server is set to EST, the current server time is 4:00 pm.

I need a way to get the timezone difference between the client and the server, either in Javascript or C#. In my example, I would get 3 (or -3, doesn't matter).

Does anyone know how to do this?

EDIT: Possible solution for RedFilter

Doing it all in javascript:

serverDate = new Date('<%= DateTime.Now.ToString() %>');
clientDate = new Date();
diffMin = (serverDate.getTime()-clientDate.getTime())*1000*60;  //get difference in minutes

Think that would work? Or would both of those return the same time?

You could:

1 - Return the server date to the client as a Javascript date variable.
2 - Create a new javascript date client side (var currentTime = new Date();) and subtract the above date
3 - Post the result back to the server (if necessary; you may only need to know the difference client-side).

Update

Here is an example:

<script>
serverDate = new Date('<%= DateTime.Now.ToString() %>'); 
clientDate = new Date(); 
diffMin = (serverDate.getTime()-clientDate.getTime())/(1000*60);      alert("serverDate: " + serverDate + "\r\n" + "clientDate: " + clientDate + "\r\n" + "diffMin: " + diffMin);
</script>

If the server and client are on the same machine, you will see a diffMin approaching zero. There is a slight difference between the dates due to the time between the server-side script generating the date and the browser parsing and executing the javascript.

I've got the question... Are there any free build servers for .NET applications? We are starting project as remotely working team and right now we are searching for such solution. As far as it's an academic project we do not have funds to buy server and run CC.net on it.. Are there any charge free solutions? Or at least cheap ones...

I'm asking rather about the service on the internet, not software solution ;)

Another idea: do you really need your build server on the internet?

How about putting only your code repository on the internet (Github, Bitbucket, Google Code...)?
One of your project members could set up the build server at home. As long as it's online 24/7, it can pull the repository from the internet, make the build locally and upload the results via FTP to some webspace where you all can access it.

Of course that's not as comfortable as a "real" internet based solution, but cheap.

If I look at the Razor View Engine, then I see a very nice and concise syntax that is not particularly tied to generating html. So I wonder, how easy would it be to use the engine outside asp.net in a "normal" .net environment for example to generate text, code,...

Any pointer, example, comment or explanation is welcome.

There are two issues here:

1. Yes, you can run the Razor View Engine outside of the context of an ASP.NET app domain, as explained in Andrew's blog: http://blog.andrewnurse.net/2010/07/22/UsingTheRazorParserOutsideOfASPNet.aspx
2. However, Razor is still primarily focused on generating xml-like markup (e.g. HTML) in the sense that the Razor parser uses the presence of <tags> to determine the transition between code and markup. You can probably use it to generate any text but you might run into issues when your output doesn't match Razor's assumptions about what your intentions are.

So for example while this is valid Razor code (because of the <div> tag):

@if(printHello) {
   <div>Hello!</div>
}

The following snippet is invalid (because the Hello! is still being trated as code):

@if(printHello) {
   Hello!
}

However there's a special <text> tag that can be used to force a transition for multi-line blocks (the <text> tag will not be rendered):

@if(printHello) {
   <text>Hello!
   Another line</text>
}

There is also a shorter syntax to force a single line to transition using @::

@if(printHello) {
   @:Hello!
}

Let's say we are developing an E-Commerce Web application for a small to medium sized business. Let's further assume that the business is likely to scale over time. In other words, the product line will typically grow.

Up to now I have developed n-tier solutions using ADO.NET and stored procedures with the help of the SqlHelper class. For bigger applications I have used Enterprise Library (2.0).

I would like to move towards an ORM-based approach and am starting to learn LINQ as well as making the switch from ASP.NET Web Forms to ASP.NET MVC. I do not want to go with LINQ-to-SQL. The question is not whether an ORM is required but if the Entity Framework ORM is overkill for such a project. I don't mind a learning curve if it is warranted for the task in hand.

As regards "overkill", I would like to know if:

• EF is faster than someone with the correct skills coding queries manually
• EF leads to unnecessary code bloat
• EF unnecessarily shields devs from code-level details of their queries
• LINQ-to-Entities is suited for projects of this size

In fact, if anyone thinks that an ORM is overkill for such project I'd like to hear reasons why. What prompted me to ask this question was the following article:

http://razor.preneer.com/razor/post/Entity-Framework-is-the-wrong-direction-for-web-developers.aspx

EF is not overkill for web apps.

I disagree with a lot of what is stated in your referenced article. I do agree devs should have decent skills with SQL BUT ORMS do a great job in getting a devs job done more quickly.

• Speed of ORMS - They are getting better all the time & they allow you to call SP's or modify the queries to get max speed when necessary. There are also great profilers out there for monitoring ORM performance like EFProf.

• Slows down the coding process - Really!!! Once learned it speeds it up.

• Devs needing to know SQL - I agree. However, ORMS especially with LINQ syntax often allow devs to right more complex SQL than they would have on their own.

• Devs write efficient queries already - REALLLYYYY!!!! Just ask the DBA his/her thoughts! I happen to think I do but so does everyone else. See the problem. :-)

• Code Bloat - Have to disagree, especially with ones that have LINQ.... It often makes the code more readable and reduces the line count often.

• Forget about LINQ - This ship has sailed. LINQ Rocks!!!! Go with it or be left behind. It's not just used in ORMS. It can be used against, arrays, objects, XML, files, twitter and the list goes on and on.... Get to know LINQ.

The article talks about some of the inspiration of the latest developments out of MS as coming from Ruby on Rails. ROR has an ORM based on Active Record in it.....

ORMS are good. They don't have to be used everywhere and everytime but they are good and should be considered.

Microsoft released their out of band release to fix the security flaw in ASP.NET the yesterday.

What methods did Microsoft use to end the viability of this vector?

A great summary of the changes comes from http://musingmarc.blogspot.com/2010/09/ms10-070-post-mortem-analysis-of-patch.html

• Don't leak exception information - This prevents exploits from seeing what is broken.
• Don't short-circuit on padding checks (take the same amount of time for padding correct verses padding broken) - This prevents exploits from seeing timing difference for incorrect padding.
• Don't be too picky about exception catching in IHttpHandler.ProcessRequest - This prevents exploits from seeing that you caught one kind of exception (CryptographicException) instead of all exceptions.
• Switch from Hash-based initialization vectors to Random IVs - This prevents exploits from using the relationship between the data and the hash to decrypt faster.
• Allow for backward compatibility - In case this breaks something, allow the new behavior to be reverted in-part.
• When doing a code review pass, change to make it clear you've considered the new options.

Currently im using EF and using its datacontext directly in all of my actions, but since i started reading about loose coupling and testability im thinking that thats not the best way to go. Im trying to understand all the pro's and con's before i start refactor all my current code.

Problem 1: Considering that every entity needs its own repository, and thus has to setup its own connection to a datasource (lets assume a database using EF), wouldnt that give alot of overhead if i need data from 5 different entities on a single page?

Problem 2: What im seeing aswell in all the examples which i found online is that most people (even people like shanselman) implement the repository pattern using the entity classes which are generated by either LINQ or EF, doesn't this defeat the purpose of repository pattern with regards to loose coupling? On the other hand, what is the alternative, using POCO classes in combination with for example AutoMapper? (this scares me a little)

Im hoping that a few people can shed some light on this, because im a bit confused at the moment if the repository pattern is the right choice for a website.

You can read this book. There is a good example of the using Repository pattern and LINQ.
Also there is this article Using Repository and Unit of Work patterns with Entity Framework 4.0.

Is there a jQuery equivalent to do the following:

$(document).ready(function() {

for an element:

$(a).ready(function() {

I have content in an updatepanel and I am calling jQuery UI's .button() on some anchor elements. After the updatepanel refreshed, the anchors are rerendered and lose the UI styling.

I already know how to detect the end of an ajax request using .NET AJAX's add_endrequest(handler), but was hoping for a neater solution using jQuery.delegate.

e.g.

$('body').delegate('#mybutton', 'load', (function(){  //this doesnt work... }

If I understand your requirement correctly, one way to do this is with the Live Query plug-in.

Live Query ... has the ability to fire a function (callback) when it matches a new element and another function (callback) for when an element is no longer matched

For example:

$('#someRegion a').livequery( function(){ 
  do_something();
});

---

Update: Since the DOM changes are not running through jQuery, unfortunately livequery doesn't see them. I mulled over this issue before and considered a polling-based solution in this answer.

---

Update: Polling is kind of ugly, but if there's really no other alternative, here's a polling-based solution that uses a jQuery "dummy" manipulation to make livequery "see" the change. You'd only want to consider something like this as a last resort -- if there's no option to tie into a callback method.

First, set up livequery watching the container where the updates will occur:

$('div#container').livequery( function(){ 
  $(this).css('color','red'); // do something
});

And then use setInterval(), here wrapped in a convenience function:

function pollUpdate( $el, freq ){
  setInterval( function(){
    $el.toggleClass('dummy');
  }, freq); 
};

So you can have:

$(document).ready( function(){
  pollUpdate( $('div#container'), 500 );
});

Here's a working example. Click the button to add new DOM elements without jQuery, and you'll see they get picked up (eventually) and restyled by livequery. Not pretty, but it does work.

Usually I would look at writing a Windows Service to manage tasks that aren't suited to being hosted in a web application. These types of tasks are usually long running processes or scheduled tasks. Although this is normally the primary approach for these types of tasks, people have looked at ways of running these kinds of background processes in a web application by kicking off a number of threads in the Application_Start event exposed by Global.asax. The problem with this approach has always been that if your IIS worker process dies, then your background thread is killed too (effectively your 'Windows Service' is stopped until the next request is received).

ASP .NET 4.0 offers a solution to this problem. You can now set the StartMode to 'AlwaysRunning' as described in this blog post by Scott Gu. Somewhere in the comments on this post, someone asks a question about the viability of hosting Windows Service type tasks in IIS since the new feature ensures the worker process is always running. Scott mentioned that it would definitely support the scenario. Further to this, the recent introduction of AppFabric means that Microsoft themselves are providing simple hooks for hosting and monitoring WCF and WF services in a web application.

What does this mean for those of us that used to write Windows Services to support our web apps? Should we adopt this model? What are the pitfalls? As far as I can tell, there are a number of benefits to hosting 'Windows Service' processes in a web application, the most useful being the ease of deployment. Furthermore, we can actually start developing simple user interfaces to our services which provide information about what is happening at runtime.

If I had to go this route, I don't think that I would host my 'Windows Service' type functionality in the customer facing web application. I would probably develop a new web application project (much like I would in the Windows Service context) that would host my long running/scheduled task processes. I guess there are few reasons for this.

1. Security. There may be a different security model for the UI displaying information about the running background processes. I would not want to expose this UI to anyone else but the ops team. Also, the web application may run as a different user which has an elevated set of permissions.
2. Maintenance. It would be great to be able to deploy changes to the application hosting the background processes without impacting on user's using the front end website.
3. Performance. Having the application separated from the main site processing user requests means that background threads will not diminish IIS's capability to handle the incoming request queue. Furthermore, the application processing the background tasks could be deployed to a separate server if required.

I would be really interested to hear your thoughts on this approach and whether I should be sticking with Windows Services. I am very tempted to try this new approach.

What does this mean for those of us that used to write Windows Services to support our web apps?

I think this a key scenario where you could be move away from a Windows service to using the continous running web site.

Should we adopt this model?

Standard development answer: Depends ;)

What are the pitfalls?

One issue I can see is the IIS dependancy. If you need a service to run on a users machine I would not feel comfortable about asking them to install IIS just to run my service. Here I think the traditonal model works better.

Monitoring and tracking are major issues, but as you also point out this is solved by AppFabric. It is even better than what you get from the Window Service. However you have added another dependancy which also will require .NET 4.0 and a relatively new version of Windows. I could also be wrong here, but my understanding is that AppFabric is not supported in production on client OS's. Which could bring in additional headaches.

You will lose pause functionality in the continous web site model too.

Finally IIS killing inactive app-pools isn't the only way an app pool can recycle. Editing a web.config file causes it for instance, which may not be an ideal situation.

the most useful being the ease of deployment.

I also think development is much easier - in the past I have had a console app and a windows service so I can dev/test on my machine using the console app and then change it to a windows service when it goes out. Now dev/test is MUCH easier.

A must read for this is Death to Windows Services...Long Live AppFabric!

Just going to start making a web application and was wondering which was better, or at least what are the main differences between them (as it probably matters what I am using them for)?

• Windows Authentication
• Passport Authentication
• Form Authentication

I would say it greatly depends on what your web app will be doing, as each one has its place. Here is some brief details about each one.

Windows authentication enables you to identify users without creating a custom page. Credentials are stored in the Web server s local user database or an Active Directory domain. Once identified you can use the user s credentials to gain access to resources that are protected by Windows authorization.

Forms authentication enables you to identify users with a custom database such as an ASP.NET membership database. Alternatively you can implement your own custom database. Once authenticated you can reference the roles the user is in to restrict access to portions of your Web site.

Passport authentication relies on a centralized service provided by Microsoft. Passport authentication identifies a user with using his or her e-mail address and a password and a single Passport account can be used with many different Web sites. Passport authentication is primarily used for public Web sites with thousands of users.

Anonymous authentication does not require the user to provide credentials.

http://msdn.microsoft.com/en-us/library/eeyk640h.aspx - ASP.NET Authentication further details on forms and window authentication

Edit Rushyo link is better: http://msdn.microsoft.com/en-us/library/ee817643.aspx

I cannot figure out, how can a random, small sleep delay can be a solution to prevent an attacker from probing our site.

This is his code snippet:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
void Page_Load() {
  byte[] delay = new byte[1];
  RandomNumberGenerator prng = new RNGCryptoServiceProvider();

  prng.GetBytes(delay);
  Thread.Sleep((int)delay[0]);

  IDisposable disposable = prng as IDisposable;
  if (disposable != null) { disposable.Dispose(); }
}
</script>

<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
    An error occurred while processing your request.
</div>
</body>
</html>

This is to prevent people constantly triggering your error page and exploiting the recent ASP.NET vulnerability. They need a large number of failures to take advantage of this exploit.

The sleep delay will not 'prevent' access to your page. Think of it as being analogous to brute forcing a password; if you have to wait 5 seconds between guesses instead of 5ms, you will take a little more time to find the pw.

I understand delegates encapsulate method calls. However I'm having a hard time understanding their need. Why use delegates at all, what situations are they designed for?

A delegate is basically a method pointer. A delegate let us create a reference variable, but instead of referring to an instance of a class, it refers to a method inside the class. It refers any method that has a return type and has same parameters as specified by that delegate. It's a very very useful aspect of event. For thorough reading I would suggest you to read the topic in Head First C# (by Andrew Stellman and Jennifer Greene). It beautifully explains the delegate topic as well as most concepts in .NET.

I am delimiting my data with the "//" as I am passing it up to my webservice. My webservice is splitting the data into an array like so:

myArray = al(i).ToString.Split("//")

Everything works great, however, if I pass in some data like this: 100/100 then that also gets split. Is there a way to make sure that only the "//" gets split?

The VB.Net compiler is converting your string into a Char array and calling this overload.
Thus, it's splitting on either / or /.

You need to call the overload that takes a string array, like this:

"100/100".Split(New String() { "//" }, StringSplitOptions.None)

I need to create chart using javascript. should be look like as in link below (click play to see chart sample):

Please suggest me which control should i use/purchase, which allows me to create chart in such style shown in link. chart data will be in xml format and i am asp.net developer thanks

For charting in HTML5 pages is good to use javascript library. I recomand these charting.

this one is like your charting.. http://www.jqplot.com/tests/OHLCTests.php http://code.google.com/apis/chart/docs/gallery/compound_charts.html#candlestick_charts

Others http://www.splashnology.com/blog/javascripts/290.html http://www.highcharts.com/ http://developer.yahoo.com/yui/examples/charts/index.html