Title: Effective Security in ASP.Net Applications
Slide 1: Effective Security in ASP.Net Applications

Slide 2: Types of Threats
- Network: threats against the network
- Host: threats against the host
- Application: threats against the application
Slide 3: Application Security
- Error handling
- Forms authentication
- Input validation
- Data access / data protection
Slide 4: Error Handling
- Use web.config to handle errors. The customErrors element has three modes, RemoteOnly, Off or On, e.g. <customErrors mode="RemoteOnly" />
- Off: display detailed ASP.NET error information.
- On: display custom (friendly) messages.
- RemoteOnly: no detailed errors for remote clients.
Slide 5: Securing the site with error handling
- Example 1: <customErrors mode="On" defaultRedirect="error.aspx" />
Slide 6: Site Security
- By default, site users are anonymous.
- They may need to be authenticated and authorized.
- Authentication: the process of verifying a user's identity.
- Authorization: to measure or establish the power or permission that has been given or granted by an authority.
Slide 7: ASP.Net Authentication
- 4 different modes of authentication:
- Windows: uses the Windows authentication system on the web server (for intranets).
- Forms: uses ASP.Net form-based authentication (for the internet).
- Passport: uses Microsoft's Passport authentication.
- None: no authentication.
Slide 8: Specifying Authentication Type

    <configuration>
      <system.web>
        <!-- mode="Windows|Passport|Forms|None" -->
        <authentication mode="Windows" />
      </system.web>
    </configuration>
Slide 9: Forms Authentication Options
Web.config

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <!-- forms attributes:
               name="cookie name"                          - authentication cookie name
               loginUrl="url"                              - URL of login page
               protection="All|None|Encryption|Validation" - cookie protection
               timeout="minutes"                           - length of time the cookie is valid
               path="/"                                    - cookie path
               requireSSL="true|false"                     - restrict cookie to SSL?
               slidingExpiration="true|false"              - renew cookie? -->
        </authentication>
      </system.web>
    </configuration>

See Page 862.
Slide 10: Authenticating Against the Web.Config file

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".MyCookie"
                 loginUrl="Login.aspx"
                 protection="All"
                 timeout="15"
                 path="/">
            <!-- passwordFormat="Clear" stores the passwords in plaintext;
                 the attribute also accepts "MD5" or "SHA1" for hashed values -->
            <credentials passwordFormat="Clear">
              <user name="Sam" password="Secret" />
              <user name="Fred" password="Fred" />
            </credentials>
          </forms>
        </authentication>
      </system.web>
    </configuration>
Slide 11: User Authorization
Web.config

    <!-- Deny access to anonymous (unauthenticated) users -->
    <deny users="?" />

    <!-- Grant access to Bob and Alice but no one else -->
    <allow users="Bob, Alice" />
    <deny users="*" />

    <!-- Grant access to everyone EXCEPT Robin and Tim -->
    <deny users="Robin, Tim" />
    <allow users="*" />

    <!-- Grant access to any manager -->
    <allow roles="Manager" />
    <deny users="*" />
Slide 12: The Login Page
- First import the namespace at the top of your class module as follows:

    Imports System.Web.Security

Slide 13: The Login Page (cont.)
Slide 14: Using the Authenticate() Method

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        ' Checks the credentials against the <credentials> section of Web.config
        If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
        Else
            lblMessage.Text = "Bad Login"
        End If
    End Sub
Slide 15: Global.Asax

    // Requires: using System.Web.Security; using System.Security.Principal;
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                if (HttpContext.Current.User.Identity is FormsIdentity)
                {
                    // Get Forms Identity from current user
                    FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                    // Get Forms Ticket from Identity object
                    FormsAuthenticationTicket ticket = id.Ticket;
                    // Retrieve stored user-data (our roles from db)
                    string userData = ticket.UserData;
                    string[] roles = userData.Split(',');
                    // Create a new Generic Principal instance and assign to current user
                    HttpContext.Current.User = new GenericPrincipal(id, roles);
                }
            }
        }
    }
Slide 16: The Authenticate() Method (cont.)
- The FormsAuthentication object handles forms security as specified in the Web.Config.
- RedirectFromLoginPage redirects to the originally requested page if the user has permission.
Slide 17: Authenticating Against a Database

    cnn.Open()
    Dim i As Integer
    Dim myCommand As New SqlClient.SqlCommand
    myCommand.Connection = cnn
    ' User input is concatenated straight into the SQL text (the weakness discussed in slides 18-20)
    myCommand.CommandText = "select * from userList where uname='" & _
        txtName.Text & "' and upassword='" & txtPassword.Text & "'"
    i = myCommand.ExecuteScalar
    If i > 0 Then
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        lblMessage.Text = "Bad Login"
    End If
    cnn.Close()
    End Sub
Slide 18: SQL Injection
- Exploits applications that use external input in database commands
- The technique:
  - Find a <form> field or query string parameter used to generate SQL commands
  - Submit input that modifies the commands
  - Compromise, corrupt, and destroy data
Slide 19: How SQL Injection Works
Model Query

    SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'

Malicious Query (the user name field contained ' or 1=1--)

    SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1--' AND Password=''

"or 1=1" matches every record in the table
"--" comments out the remainder of the query
Slide 20: Avoid SQL Injection
- Validation controls.
- SQL stored procedures.
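The login check from slide 17 rewritten to use both defences from this slide, as an added example that is not part of the original deck: an ASP.NET validation control gate plus a parameterised call to the stored procedure proc_IsUserValid that slide 23 grants EXECUTE on. The connection string name "LoginDb", the procedure's parameter names (@uname, @upassword) and its returning a row count are assumptions; the slides do not show them.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Assumption: Web.config holds a connection string named "LoginDb" whose
    // login is the limited "webuser" account from slide 23, not sa.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["LoginDb"].ConnectionString;

    // Returns true when proc_IsUserValid reports at least one matching row.
    // Assumption: the procedure takes @uname and @upassword and returns
    // SELECT COUNT(*) as its single scalar result.
    public static bool IsUserValid(string userName, string password)
    {
        using (SqlConnection cnn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand("proc_IsUserValid", cnn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Input travels as typed parameter values, never as part of the SQL
            // text, so a value such as  ' or 1=1--  is compared literally
            // against the uname column and simply fails to match.
            cmd.Parameters.Add("@uname", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@upassword", SqlDbType.NVarChar, 50).Value = password;
            cnn.Open();
            int count = Convert.ToInt32(cmd.ExecuteScalar());
            return count > 0;
        }
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Page.IsValid is false when any validation control on the form
        // (RequiredFieldValidator, RegularExpressionValidator, ...) rejected the input.
        if (!Page.IsValid)
        {
            lblMessage.Text = "Bad Login";
            return;
        }
        if (IsUserValid(txtName.Text, txtPassword.Text))
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, false);
        else
            lblMessage.Text = "Bad Login";
    }
}
```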
Slide 21: Accessing Data Securely
- Use stored procedures
- Never use sa to access Web databases
- Store connection strings securely
- Apply administrative protections to SQL Server
- Optionally use SSL/TLS or IPSec to secure the connection to the database server
Slide 22: The sa Account
- For administration only; never use it to access a database programmatically
- Instead, use one or more accounts that have limited database permissions
- For queries, use a SELECT-only account
- Better yet, use stored procs and grant the account EXECUTE permission for the stored procs
- Reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE)
Slide 23: Creating a Limited Account

    USE Login
    GO
    -- Add account named webuser to Login database
    EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login'
    -- Grant webuser access to the database
    EXEC sp_grantdbaccess 'webuser'
    -- Limit webuser to calling proc_IsUserValid
    GRANT EXECUTE ON proc_IsUserValid TO webuser
Slide 24: Connection Strings
- Storing plaintext database connection strings in Web.config is risky
- Vulnerable to file disclosure attacks
- Storing encrypted database connection strings increases security
- Encrypting connection strings is easy
- System.Security.Cryptography classes
Slide 25: Database Passwords
- Encrypting (strictly, hashing: MD5 is one-way, so only the hash is stored)

    string name = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");

- Decrypting (strictly, verifying: the submitted password is hashed the same way and the hashes are compared)

    string pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
    // NOTE: TextBox1.Text is still concatenated into the SQL text, the weakness of slides 18-20
    string command = "SELECT roles FROM users WHERE username = '" + TextBox1.Text + "' AND pass = '" + pwd + "'";
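The same hash-and-compare flow as this slide, written as an added example (not code from the original deck) that fetches the stored hash by a parameterised lookup and compares it in application code. It assumes the slide's users table (columns username, pass, roles) with pass holding the hex string HashPasswordForStoringInConfigFile produces; the "SHA1" choice is the stronger of the two algorithm names that method accepts, and both are fast, unsalted hashes.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

// Assumption: table users(username, pass, roles), pass = uppercase hex hash text.
public static class PasswordStore
{
    // Hash a clear-text password for storage in the pass column.
    public static string HashForStorage(string clearText)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(clearText, "SHA1");
    }

    // Looks the user up by name (as a parameter, not concatenated), hashes the
    // submitted password the same way and compares the two hashes.
    // Returns the roles string on success, or null when the user is unknown
    // or the password does not match.
    public static string AuthenticateAndGetRoles(SqlConnection cnn, string userName, string clearText)
    {
        const string sql = "SELECT pass, roles FROM users WHERE username = @username";
        using (SqlCommand cmd = new SqlCommand(sql, cnn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read())
                    return null;                      // unknown user
                string storedHash = r.GetString(0);
                string submittedHash = HashForStorage(clearText);
                // Case-insensitive compare: the method returns uppercase hex,
                // but a hash inserted by another tool may be lowercase.
                bool ok = string.Equals(storedHash, submittedHash, StringComparison.OrdinalIgnoreCase);
                if (!ok)
                    return null;                      // wrong password
                return r.IsDBNull(1) ? "" : r.GetString(1);
            }
        }
    }
}
```

Because the comparison happens in code, the clear-text password never becomes part of any SQL statement, and the stored column can be re-hashed later without changing the query.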