1 / 25

Effective Security in ASP.Net Applications

Effective Security in ASP.Net Applications. Jatin Sharma. Types of Threats. Network. Host. Application. Threats against the network. Threats against the host. Threats against the application. Application Security . Error handling Form authentication Input validation

jeff
Download Presentation

Effective Security in ASP.Net Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Effective Security in ASP.Net Applications Jatin Sharma

  2. Types of Threats Network Host Application Threats against the network Threats against the host Threats against the application

  3. Application Security • Error handling • Form authentication • Input validation • Data access & data protection

  4. Error Handling • Use web.config to handle errorsThree different modes for customErrors<customErrors mode=“RemoteOnly” /> or =“Off” or =“On” • Off – display detailed asp.net error information • On – display custom (friendly) messages. • RemoteOnly – no detailed error for remote clients.

  5. Securing the site with error handling • Example 1<customErrors mode="On" defaultRedirect="error.aspx"/>

  6. Site Security • By default, site users are anonymous. • They may need to be authenticated and authorized.Authentication: the process of verifying a user’s identity.Authorization: to measure or establish the power or permission that has been given or granted by an authority.

  7. ASP.Net Authentication • 4 different modes of authentication.- Windows: uses windows authentication system on the web server (for intranet).- Forms: uses ASP.Net form-based authentication (for internet).- Passport: uses Microsoft’s Passport Authentication- None: no authentication.

  8. Specifying Authentication Type Web.config <configuration> <system.web> <!-- mode="Windows|Passport|Forms|None" --> <authentication mode="Windows" /> </system.web> </configuration>

  9. Forms Authentication Options Web.config <configuration> <system.web> <authentication mode="Forms"> <!-- forms Attributes: name="[cookie name]" - Authentication cookie name loginUrl="[url]" - URL of login page protection="[All|None|Encryption|Validation]" timeout="[minutes]" - Length of time cookie valid path="/" - Cookie path requireSSL="[true|false]" - Restrict cookie to SSL? slidingExpiration="[true|false]" - Renew cookie? --> </authentication> </system.web> </configuration>See Page 862.

  10. Authenticating Against the Web.Config file <configuration> <system.web> <authentication mode="Forms"> <forms name=“.MyCookie" loginUrl=“Login.aspx” protection=“All" timeout="15” path="/" > <credentials passwordFormat=“Clear”> <user name=“Sam” password=“Secret” /> <user name=“Fred” password=“Fred” /> </credentials> </forms> </authentication> </system.web> </configuration>

  11. User Authorization Web.config <!-- Deny access to anonymous (unauthenticated) users --> <deny users="?" /> <!-- Grant access to Robin and Tim but no one else --> <allow users="Bob, Alice" /> <deny users="*" /> <!-- Grant access to everyone EXCEPT Bob and Alice --> <deny users=“Robin, Tim" /> <allow users="*" /> <!-- Grant access to any manager --> <allow roles="Manager" /> <deny users="*" />

  12. The Login Page • First provide a namespace to the classes in the top of your class module as follows:Imports System.Web.Security

  13. The Login Page (cont.)

  14. Using the Authenticate() Method Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then FormsAuthentication.RedirectFromLoginPage(txtName.Text, False) Else lblMessage.Text = "Bad Login" End IfEnd Sub

  15. Global.Asax protected void Application_AuthenticateRequest(Object sender, EventArgs e) { if (HttpContext.Current.User != null) { if (HttpContext.Current.User.Identity.IsAuthenticated) { if (HttpContext.Current.User.Identity is FormsIdentity) { // Get Forms Identity From Current User FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity; // Get Forms Ticket From Identity object FormsAuthenticationTicket ticket = id.Ticket; // Retrieve stored user-data (our roles from db) string userData = ticket.UserData; string[] roles = userData.Split(','); // Create a new Generic Principal Instance and assign to Current User HttpContext.Current.User = new GenericPrincipal(id, roles); } } } }

  16. The Authenticate() Method (cont.) • The FormsAuthentication Object handles form security as specified in the Web.Config. • RedirectFromLogin Page redirects to the requested page if the user has the permission.

  17. Authenticating Against a Database cnn.Open() Dim i As Integer Dim myCommand As New SqlClient.SqlCommand myCommand.Connection = cnn myCommand.CommandText = "select * from userList where uname='" & _ txtName.Text & "' and upassword='" & txtPassword.Text & "'" i = myCommand.ExecuteScalar If i > 0 Then FormsAuthentication.RedirectFromLoginPage(txtName.Text, False) Else lblMessage.Text = "Bad Login" End If Cnn.Close() End Sub

  18. SQL Injection • Exploits applications that use external input in database commands • The technique: • Find a <form> field or query string parameter used to generate SQL commands • Submit input that modifies the commands • Compromise, corrupt, and destroy data

  19. How SQL Injection Works Model Query SELECT COUNT (*) FROM Users WHERE UserName=‘Jeff’ AND Password=‘imbatman’ Malicious Query SELECT COUNT (*) FROM Users WHERE UserName=‘’ or 1=1-- AND Password=‘’ "or 1=1" matches every record in the table "--" comments out the remainder of the query

  20. Avoid SQL Injection • Validation Control. • SQL Stored Procedure.

  21. Accessing Data Securely Use stored procedures Never use sa to access Web databases Store connection strings securely Apply administrative protections to SQL Server Optionally use SSL/TLS or IPSec to secure the connection to the database server 2

  22. The sa Account • For administration only; never use it to access a database programmatically • Instead, use one or more accounts that have limited database permissions • For queries, use SELECT-only account • Better yet, use stored procs and grant account EXECUTE permission for the stored procs • Reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE)

  23. Creating a Limited Account USE Login GO -- Add account named webuser to Login database EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login' -- Grant webuser access to the database EXEC sp_grantdbaccess 'webuser' -- Limit webuser to calling proc_IsUserValid GRANT EXECUTE ON proc_IsUserValid TO webuser

  24. Connection Strings • Storing plaintext database connection strings in Web.config is risky • Vulnerable to file disclosure attacks • Storing encrypted database connection strings increases security • Encrypting connection strings is easy • System.Security.Cryptography classes

  25. Database Passwords • Encrypting string name =FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text,"MD5"); • Decrypting string pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text,"MD5"); string command = "SELECT roles FROM users WHERE username = '" + TextBox1.Text + "' AND pass = '" + pwd + "'";

More Related