1 / 31

Website Security

Website Security. ISYS 512. Cookies. Data in Cookies System.Web. Which web site set the cookie Expiration date DateTime data type TimeSpan data type One or more pieces of data Keys: A collection of cookie’s names Define a new cookie: HttpCookie cookieCID = new HttpCookie ("CID");

haroun
Download Presentation

Website Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Website Security ISYS 512

  2. Cookies

  3. Data in CookiesSystem.Web • Which web site set the cookie • Expiration date • DateTime data type • TimeSpan data type • One or more pieces of data • Keys: A collection of cookie’s names • Define a new cookie: HttpCookiecookieCID = new HttpCookie("CID"); • Write cookie to user: Response.Cookies.Add(cookieCID);

  4. Cookie’s Properties • Properties • Name • Value • Expires • To write a cookie: • Response.Cookies.Add(cookieObj)

  5. Creating Cookies DateTime dt; dt=DateTime.Now; TimeSpan ts = new TimeSpan(30,0,0,0); HttpCookie cookieCID = new HttpCookie("CID"); HttpCookie cookieCname = new HttpCookie("Cname"); cookieCID.Value = Login1.UserName; cookieCID.Expires = dt.Add(ts); Response.Cookies.Add(cookieCID); Note: The name(or key)of cookieCID is "CID";

  6. Reading Cookies Response.Write(Request.Cookies["CID"].Name); Response.Write(Request.Cookies["CID"].Value);

  7. Using Cookie with DataReader string strConn = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\\SalesDB2011.accdb"; OleDbConnection objConn = new OleDbConnection(strConn); String CID; CID = Request.Cookies["CID"].Value; string strSQL = "select * from webcustomer where CustID= '" + CID + "'"; OleDbCommand objComm = new OleDbCommand(strSQL, objConn); objConn.Open(); OleDbDataReader objDataReader; objDataReader = objComm.ExecuteReader(); if (objDataReader.Read()) { Session["Cname"] = objDataReader["CustName"]; Response.Write("<hr>Welcome:" + objDataReader["CustName"] + "<hr>"); } else Response.Write("<hr>We don't have your record <hr>"); objConn.Close();

  8. Authentication • Authentication is the process that determines the identity of a user. • Options: • Windows Authentication: Authentication is handled by the Windows server. • For IntraNet • Forms Authentication: For Internet, public access • Windows Live ID • Must register with Microsoft

  9. Forms Authentication • Web.config file <authentication mode="Forms"> • Use username and password to authenticate user. • Once the Forms authentication is enabled, pages cannot be accessed unless the user has the proper authentication. Without authentication, user is redirected to a login page. • If authenticated, an Authentication Ticket is issued in the form of a cookie and user is redirected back to the requested page.

  10. Forms Authentication Ticket • After verifying the submitted credentials, a forms authentication ticket is created for the user. This ticket indicates that the user has been authenticated and includes identifying information, such as the username. The forms authentication ticket is stored as a cookie on the client computer. Therefore, subsequent visits to the website include the forms authentication ticket in the HTTP request, thereby enabling the web application to identify the user once they have logged in.

  11. Forms Authentication Flow Yes, write Authentication Ticket as cookie User No, redirect to No, redirect to Authenticated? Login Page Authenticated? Yes Yes Website

  12. Enabling Forms Authentication • Set the authentication mode for the application by modifying the authentication section in the application root web.config file: <authentication mode="Forms"> • Deny access to anonymous users by modifying the authentication section in the web.config file: <authorization> <deny users="?" /> </authorization> • Create a login page that enables users to enter their usernames and passwords. • If authenticated, an authorization ticket is issued in the form of a cookie.

  13. FormsAuthentication Class • Import system.web.security namespace. • Methods: • Authenticate: • Validates a user name and password against credentials stored in the configuration file for an application. • RedirectFromLoginPage(String, boolean) • Redirect user back to the page that sent the user to the login page, and write a cookie named .ASPXAUTH containing an Authentication Ticket. • SignOut • Removes the forms-authentication ticket from the browser. • RedirectToLoginPage() • Redirects the browser to the login URL.

  14. Example 1:User Names & Passwords Are Stored in Web.Config File <configuration> <system.web> <compilation debug="true" targetFramework="4.0" /> <authentication mode="Forms"> <forms loginUrl="Webform1.aspx" > <credentials passwordFormat="Clear"> <user name="user1" password="password1"/> <user name="user2" password="password2"/> <user name="user3" password="password3"/> </credentials> </forms> </authentication> <authorization> <deny users="?" /> </authorization> </system.web> </configuration>

  15. Login Control • Properties: • UserName • Password

  16. Using FormsAuthentication’s Authenticate Method protected void Login1_Authenticate(object sender, AuthenticateEventArgs e) { if (FormsAuthentication.Authenticate(Login1.UserName, Login1.Password)) FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true); else Response.Write("Invalid Credentials: Please try again"); } Note: Using a Login Control

  17. Example 2: User Names & Passwords Are Stored in a Database Table <configuration> <system.web> <authorization> <deny users="?"/> </authorization> <authentication mode="Forms"> <forms loginUrl="Login.aspx" /> </authentication> </system.web> </configuration>

  18. Code Example protected void Login1_Authenticate(object sender, AuthenticateEventArgs e) { String strConn = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\\SalesDB2011.accdb"; OleDbConnection objConn = new OleDbConnection(strConn); String strSQL = "select * from users where userID='" + Login1.UserName + "'"; OleDbCommand objComm = new OleDbCommand(strSQL, objConn); objConn.Open(); OleDbDataReader myReader; myReader = objComm.ExecuteReader(); if (myReader.Read()) { if (Login1.Password == myReader["Password"].ToString()) FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true); else Response.Write("Invalid password, Access denied"); } else Response.Write("User not exist"); objConn.Close(); }

  19. SignOut Demo • using System.Web.Security; • A signOut page with a button to SignOut; Then redirect to the home page and trigger the authentication again. protected void Button1_Click(object sender, EventArgs e) { FormsAuthentication.SignOut(); Response.Redirect("WebForm1.aspx"); }

  20. Web Site Administration Tool • From VS 2010, click Project/ ASP.Net Configuration to open Web Site Administration Tool. • Security: Users, roles, access rules • Users: • Create users • Manage users • Select Authentication type: • Windows authentication • Forms authentication • Manage roles • Manage access rules

  21. Access Rules • Allow or deny access to a particular directory by user name or role. • Use Web Site Administration Toolto create and manage access rules and it will create an authorization section with Allow or Deny elements in the web.config file for that directory. • The permissions established for a directory also apply to its subdirectories, unless configuration files in a subdirectory override them. • Users: • ALL: Including authenticated and anonymous users. • Anonymous: Unauthenticated users.

  22. User Accounts and Roles • Managing user accounts and roles we can define authorization rules for accessing a particular ASP.NET page or directoryfor a particular user or role.

  23. How to Create Users and Roles • Must start SQLExpress service. • By default, ASP.Net saves users and roles data in a SQL Server Express file that is stored in App_Data folder. • Click Show All Files • file: App_Data\ASPNETDB.MDF • Table: aspnet_Users • From VS 2010, click Website/ASP.Net Configuration to open the Web Site Administration Tool. • Click Security • Create User • Create Role • Create Access Rules

  24. Membership Class • System.Web.Security.Membership • ASP.NET membership class gives you a built-in way to validate and store user credentials. • Including users created by Website Administration Tool and CreateUserWizard. • Method: • ValidateUser(stringusername, stringpassword)

  25. Authenticate Users Using Membership Class protected void Login1_Authenticate(object sender, AuthenticateEventArgs e) { if (Membership.ValidateUser(Login1.UserName, Login1.Password) == true) FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true); else Response.Write("Access denied"); }

  26. ASP.NET Login Controls • The ASP.NET login controls provide a login solution for ASP.NET Web applications without requiring programming. • By default, these controls use SQLExpress database to manage users. • Login control • CreateUserWizard • ChangePassword control

  27. ChangePassword control • The ChangePassword control works with authenticated and non-authenticated users. If a user has not been authenticated, the control prompts the user for a login name. If the user is authenticated, the control populates the text box with the user's login name. • Properties: • DisplayUserName

  28. CreateUserWizard • Demo

  29. SQL Injection • "SQL Injection" is an unverified/unsanitized user input vulnerability, and the idea is to convince the application to run SQL code that was not intended. • Exploits applications that use external input for database commands.

  30. SQL Injection Demo • On a web page that takes customer ID entered in a textbox as input, then displays the customer’s data. • 1. Retrieve all records:In the textbox, enter: ‘ OR 1=1 OR CID = ‘ 2. Guess table name or field name: ‘ AND 1=(SELECT COUNT(*) FROM Orders) AND CID=‘ 3. Finding some users: ' or cname like 'S%' or cid=‘

  31. Demo protected void Button1_Click(object sender, EventArgs e) { String strConn = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\\SalesDB2011.accdb"; OleDbConnection objConn = new OleDbConnection(strConn); String strSQL = "select * from customer where cid='" + TextBox1.Text + "'"; OleDbCommand objComm = new OleDbCommand(strSQL, objConn); objConn.Open(); OleDbDataReader myReader; myReader = objComm.ExecuteReader(); if (myReader.HasRows) { GridView1.DataSource = myReader; GridView1.DataBind(); } else Response.Write("User not exist"); objConn.Close(); }

More Related