Effective Security in ASP.Net Applications
Jatin Sharma

Types of Threats
- Threats against the network
- Threats against the host
- Threats against the application

Application Security
- Error handling
- Forms authentication
- Input validation
- Data access & data protection

Error Handling
- Use web.config to handle errors.
- Three different modes for customErrors:
    <customErrors mode="RemoteOnly" />   (or mode="Off", or mode="On")
- Off: display detailed ASP.NET error information (exception text, stack trace, source file and line) to every client.
- On: display custom (friendly) messages to every client.
- RemoteOnly: detailed errors only for a browser running on the web server itself; remote clients get the custom page. RemoteOnly is the default and is the right setting for a production site, because a detailed error page hands an attacker file paths, stack traces and sometimes configuration values.

Securing the site with error handling
Example 1
    <customErrors mode="On" defaultRedirect="error.aspx"/>

Site Security
- By default, site users are anonymous. They may need to be authenticated and authorized.
- Authentication: the process of verifying a user's identity.
- Authorization: the process of deciding what an identity (authenticated or anonymous) is permitted to do, i.e. which pages and resources it may access.

ASP.Net Authentication
4 different modes of authentication:
- Windows: uses the Windows authentication system on the web server (for intranet).
- Forms: uses ASP.Net form-based authentication (for internet).
- Passport: uses Microsoft's Passport authentication (the Passport service has been discontinued and the mode is marked obsolete in later versions of the .NET Framework).
- None: no authentication.

Specifying Authentication Type
Web.config
    <configuration>
      <system.web>
        <!-- mode="Windows|Passport|Forms|None" -->
        <authentication mode="Windows" />
      </system.web>
    </configuration>

Forms Authentication Options
Web.config
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <!-- forms attributes:
               name="[cookie name]"                          - Authentication cookie name
               loginUrl="[url]"                              - URL of login page
               protection="[All|None|Encryption|Validation]" - Encrypt and/or sign the ticket
               timeout="[minutes]"                           - Length of time cookie valid
               path="/"                                      - Cookie path
               requireSSL="[true|false]"                     - Restrict cookie to SSL?
               slidingExpiration="[true|false]"              - Renew cookie on each request?
          -->
        </authentication>
      </system.web>
    </configuration>
Keep protection="All" (the default) so the ticket is both encrypted and signed, and set requireSSL="true" when the site runs over HTTPS so the browser never sends the authentication cookie over plain HTTP, where it could be captured and replayed. See Page 862.
Authenticating Against the Web.Config file
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".MyCookie" loginUrl="Login.aspx" protection="All" timeout="15" path="/">
            <credentials passwordFormat="Clear">
              <user name="Sam" password="Secret" />
              <user name="Fred" password="Fred" />
            </credentials>
          </forms>
        </authentication>
      </system.web>
    </configuration>
passwordFormat="Clear" keeps the passwords in plain text inside Web.config. The other accepted values, "MD5" and "SHA1", store a hash of the password instead (unsalted, so still crackable offline, but better than plain text). The <credentials> section is suitable for a handful of test accounts only; a real site keeps its users in a database.

User Authorization
Web.config. The rules go inside <authorization> under <system.web>. ASP.Net evaluates them from top to bottom and the first rule that matches the caller wins, so the order matters: a <deny users="*" /> placed first would make every <allow> after it unreachable. "?" stands for anonymous users and "*" for everyone.

    <!-- Deny access to anonymous (unauthenticated) users -->
    <deny users="?" />

    <!-- Grant access to Bob and Alice but no one else -->
    <allow users="Bob, Alice" />
    <deny users="*" />

    <!-- Grant access to everyone EXCEPT Robin and Tim -->
    <deny users="Robin, Tim" />
    <allow users="*" />

    <!-- Grant access to any manager -->
    <allow roles="Manager" />
    <deny users="*" />

The Login Page
First import the namespace at the top of your class module:
    Imports System.Web.Security

The Login Page (cont.)
Using the Authenticate() Method
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        ' Check the name/password pair against the <credentials> section of Web.config
        If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then
            ' Issue the authentication cookie and send the user back to the page they
            ' originally asked for. False = session cookie, not a persistent one.
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
        Else
            lblMessage.Text = "Bad Login"
        End If
    End Sub

Global.Asax
Runs on every request. It rebuilds the current principal with the roles stored in the ticket's UserData field, which the login page must have placed there when it created the FormsAuthenticationTicket.
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                if (HttpContext.Current.User.Identity is FormsIdentity)
                {
                    // Get Forms Identity from the current user
                    FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                    // Get the Forms ticket from the identity object
                    FormsAuthenticationTicket ticket = id.Ticket;
                    // Retrieve stored user data (our roles, loaded from the database at login)
                    string userData = ticket.UserData;
                    string[] roles = userData.Split(',');
                    // Create a new GenericPrincipal carrying those roles and assign it to the current user
                    HttpContext.Current.User = new GenericPrincipal(id, roles);
                }
            }
        }
    }

The Authenticate() Method (cont.)
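The ordering rule for <allow>/<deny> described above is easy to get wrong, so here is a small Python model of the evaluation (an added example, not code from the slides or from ASP.Net itself): rules are walked in document order, the first rule that matches the caller decides, and a request that matches no rule is allowed, which is what UrlAuthorizationModule does with the machine-wide default of <allow users="*"/>. The Caller class, the rule tuples and the deliberately mis-ordered DENY_ALL_FIRST set are constructed for the demonstration; the other rule sets are transcribed from the slide's Web.config fragments.

```python
"""Model of how ASP.NET URL authorization walks <allow>/<deny> rules.

Added example, not code from the original slides. Rules are checked in
document order; the FIRST matching rule decides; no match => allowed.
The Caller class and the rule lists below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional

ANONYMOUS = "?"   # matches unauthenticated callers only
EVERYONE = "*"    # matches every caller, authenticated or not


@dataclass(frozen=True)
class Caller:
    name: Optional[str] = None                      # None = anonymous request
    roles: frozenset = field(default_factory=frozenset)

    @property
    def authenticated(self) -> bool:
        return self.name is not None


def _split(attr: Optional[str]) -> list:
    """'Bob, Alice' -> ['Bob', 'Alice']: attribute values are comma separated."""
    return [v.strip() for v in (attr or "").split(",") if v.strip()]


def rule_matches(attrs: dict, caller: Caller) -> bool:
    """Does one <allow>/<deny> element apply to this caller? Names compared case-insensitively."""
    for user in _split(attrs.get("users")):
        if user == EVERYONE:
            return True
        if user == ANONYMOUS and not caller.authenticated:
            return True
        if caller.authenticated and user.lower() == caller.name.lower():
            return True
    caller_roles = {r.lower() for r in caller.roles}
    return any(role.lower() in caller_roles for role in _split(attrs.get("roles")))


def is_authorized(rules, caller: Caller) -> bool:
    """rules: [(verb, attrs), ...] in document order. First match wins; no match => allowed."""
    for verb, attrs in rules:
        if rule_matches(attrs, caller):
            return verb == "allow"
    return True


# Rule sets transcribed from the slide, plus one deliberately mis-ordered set
DENY_ANONYMOUS = [("deny", {"users": "?"})]
ONLY_BOB_AND_ALICE = [("allow", {"users": "Bob, Alice"}), ("deny", {"users": "*"})]
EVERYONE_BUT_ROBIN_TIM = [("deny", {"users": "Robin, Tim"}), ("allow", {"users": "*"})]
MANAGERS_ONLY = [("allow", {"roles": "Manager"}), ("deny", {"users": "*"})]
# Same two rules as ONLY_BOB_AND_ALICE but swapped: deny-all matches first, so nobody gets in
DENY_ALL_FIRST = [("deny", {"users": "*"}), ("allow", {"users": "Bob, Alice"})]

if __name__ == "__main__":
    callers = [Caller(), Caller("Bob"), Caller("Tim"), Caller("Sam", frozenset({"Manager"}))]
    for label, rules in [("deny anonymous", DENY_ANONYMOUS), ("only Bob/Alice", ONLY_BOB_AND_ALICE),
                         ("all but Robin/Tim", EVERYONE_BUT_ROBIN_TIM), ("managers only", MANAGERS_ONLY),
                         ("deny-all first", DENY_ALL_FIRST)]:
        print(label.ljust(20), [(c.name or "anon", is_authorized(rules, c)) for c in callers])
```

The last rule set is the one to remember: with <deny users="*" /> above the <allow>, Bob is refused even though he is named in the allow, because the deny is the first rule that matches him.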
The FormsAuthentication object handles forms security as specified in Web.config. RedirectFromLoginPage issues the authentication ticket and redirects to the page the user originally requested (the ReturnUrl), or to the default page if there is none; URL authorization is then applied to that request as usual.

Authenticating Against a Database
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        ' connectionString is assumed to be defined elsewhere in the page
        Dim cnn As New SqlClient.SqlConnection(connectionString)
        cnn.Open()
        Dim i As Integer
        Dim myCommand As New SqlClient.SqlCommand
        myCommand.Connection = cnn
        ' The user's input is concatenated straight into the SQL text:
        ' this is the SQL injection hole shown on the next slide.
        myCommand.CommandText = "select count(*) from userList where uname='" & _
            txtName.Text & "' and upassword='" & txtPassword.Text & "'"
        i = CInt(myCommand.ExecuteScalar())
        If i > 0 Then
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
        Else
            lblMessage.Text = "Bad Login"
        End If
        cnn.Close()
    End Sub

SQL Injection
Exploits applications that use external input in database commands.
The technique:
- Find a <form> field or query string parameter used to generate SQL commands.
- Submit input that modifies the commands.
- Compromise, corrupt, and destroy data.

How SQL Injection Works
Model query (what the developer expects):
    SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'
Malicious query (the attacker types  ' OR 1=1 --  into the user name box):
    SELECT COUNT(*) FROM Users WHERE UserName='' OR 1=1 --' AND Password=''
- "OR 1=1" makes the condition true for every record in the table.
- "--" comments out the remainder of the query, so the password check never runs.

Avoid SQL Injection
- Validation controls: accept only the characters a user name can legitimately contain.
- Parameterized commands (SqlParameter): the input travels as a value, never as SQL text.
- SQL stored procedures, called with parameters. A stored procedure that builds its own dynamic SQL from concatenated strings (EXEC with the input pasted in) is just as injectable as the code above; it is the parameters that protect you.
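The login query above, run both ways, as an added example that is not part of the original slides: Python's standard-library sqlite3 stands in for SQL Server, the userList rows are constructed here, count_vulnerable() builds the statement by string concatenation exactly as the VB code does, and count_safe() sends the same statement with bound parameters (the equivalent of SqlParameter in ADO.NET). Passwords are stored in clear text only to mirror the slide.

```python
"""The slide's login query, vulnerable and fixed, run against sqlite3.

Added example, not code from the original slides. sqlite3 stands in for
SQL Server; the table rows and the attack payloads are constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory copy of the slide's userList table with two constructed rows."""
    cnn = sqlite3.connect(":memory:")
    cnn.execute("CREATE TABLE userList (uname TEXT, upassword TEXT)")
    cnn.executemany("INSERT INTO userList VALUES (?, ?)",
                    [("Jeff", "imbatman"), ("Sam", "Secret")])
    return cnn


def count_vulnerable(cnn: sqlite3.Connection, uname: str, upassword: str) -> int:
    """String concatenation: the attacker's text becomes part of the SQL grammar."""
    sql = ("SELECT COUNT(*) FROM userList WHERE uname='" + uname +
           "' AND upassword='" + upassword + "'")
    return cnn.execute(sql).fetchone()[0]


def count_safe(cnn: sqlite3.Connection, uname: str, upassword: str) -> int:
    """Bound parameters: the values travel separately from the statement text."""
    sql = "SELECT COUNT(*) FROM userList WHERE uname=? AND upassword=?"
    return cnn.execute(sql, (uname, upassword)).fetchone()[0]


def login(cnn: sqlite3.Connection, uname: str, upassword: str, safe: bool) -> bool:
    """Mirror of the slide's 'If i > 0 Then' decision."""
    count = count_safe(cnn, uname, upassword) if safe else count_vulnerable(cnn, uname, upassword)
    return count > 0


# Payloads an attacker would type into the user-name box (constructed)
BYPASS_ANY = "' OR 1=1 --"   # WHERE uname='' OR 1=1 --' AND ...  -> every row matches
BYPASS_JEFF = "Jeff' --"     # WHERE uname='Jeff' --' AND ...     -> password never checked

if __name__ == "__main__":
    db = make_db()
    for label, user, pw in [("legitimate", "Jeff", "imbatman"),
                            ("1=1 bypass", BYPASS_ANY, ""),
                            ("log in as Jeff", BYPASS_JEFF, "x")]:
        print(label.ljust(15), "concatenated:", login(db, user, pw, safe=False),
              " parameterized:", login(db, user, pw, safe=True))
```

With concatenation the first payload matches both rows and the second logs in as Jeff without a password; with parameters both payloads are compared literally against the uname column and match nothing.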
Accessing Data Securely
- Use stored procedures.
- Never use sa to access Web databases.
- Store connection strings securely.
- Apply administrative protections to SQL Server.
- Optionally use SSL/TLS or IPSec to secure the connection to the database server.

The sa Account
- For administration only; never use it to access a database programmatically.
- Instead, use one or more accounts that have limited database permissions.
- For queries, use a SELECT-only account.
- Better yet, use stored procs and grant the account EXECUTE permission on the stored procs only.
- Reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE) through an injection hole: the injected SQL runs with the web account's rights, not sa's.

Creating a Limited Account
    USE Login
    GO
    -- Add a login named webuser whose default database is Login
    EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login'
    -- Grant webuser access to the database
    EXEC sp_grantdbaccess 'webuser'
    -- Limit webuser to calling proc_IsUserValid
    GRANT EXECUTE ON proc_IsUserValid TO webuser
sp_addlogin and sp_grantdbaccess are kept for backward compatibility only; on SQL Server 2005 and later use CREATE LOGIN and CREATE USER for the same effect. Do not check a script like this, with the password in it, into source control.

Connection Strings
- Storing plaintext database connection strings in Web.config is risky.
- Vulnerable to file disclosure attacks (and to anyone with read access to the web root or its backups).
- Storing encrypted database connection strings increases security.
- Encrypting connection strings is easy: System.Security.Cryptography classes, or, from ASP.NET 2.0 on, the built-in protected configuration feature, which encrypts the section in place and decrypts it transparently for the application:
    aspnet_regiis -pe "connectionStrings" -app "/MyApp"

Database Passwords
The HashPasswordForStoringInConfigFile call below hashes; it does not encrypt. There is no key and no way to "decrypt" the result. Store the hash when the account is created, and at login hash what the user typed and compare the two hashes.

Hashing at registration:
    string hashed = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");

Verifying at login (hash again, then compare with the stored value; the comparison is done in SQL with a parameterized query so the user name cannot inject):
    string pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
    SqlCommand command = new SqlCommand(
        "SELECT roles FROM users WHERE username = @username AND pass = @pass", connection);
    command.Parameters.AddWithValue("@username", TextBox1.Text);
    command.Parameters.AddWithValue("@pass", pwd);

Caveat: this is unsalted MD5, so two users with the same password store the same hash and a precomputed table cracks a stolen users table in seconds; the method is marked obsolete from .NET Framework 4.5. Prefer a salted, iterated hash such as PBKDF2 (Rfc2898DeriveBytes in .NET).
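What the difference between the slide's unsalted MD5 and a salted, iterated hash looks like in practice, as an added example that is not part of the original slides: md5_hex() reproduces what FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "MD5") returns (upper-case hex of the MD5 digest) so that a wordlist attack on it can be shown, and pbkdf2_hash()/pbkdf2_verify() use PBKDF2-HMAC-SHA256 with a random per-user salt, the same construction Rfc2898DeriveBytes gives you in .NET. The COMMON wordlist, the sample passwords and the storage format "pbkdf2_sha256$iterations$salt$key" are constructed for the demonstration.

```python
"""Password storage: the slide's unsalted MD5 beside a salted, iterated hash.

Added example, not code from the original slides. The wordlist, the sample
passwords and the '$'-separated storage format are constructed here.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def md5_hex(password: str) -> str:
    """Unsalted MD5, upper-case hex, as HashPasswordForStoringInConfigFile(pw, "MD5") returns it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()


COMMON = ["123456", "password", "imbatman", "letmein"]   # stand-in for a cracking wordlist


def crack_md5(stored: str, wordlist=COMMON) -> Optional[str]:
    """Offline guessing: hash each candidate and compare. No salt, so one table cracks every user."""
    for guess in wordlist:
        if md5_hex(guess) == stored:
            return guess
    return None


ITERATIONS = 200_000   # cost per guess for the attacker as well; raise as hardware gets faster


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<key b64>' with a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False           # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(key, base64.b64decode(key_b64))


if __name__ == "__main__":
    weak = md5_hex("imbatman")
    print("MD5 stored   :", weak, "-> cracked as", crack_md5(weak))
    strong = pbkdf2_hash("imbatman")
    print("PBKDF2 stored:", strong)
    print("verify right :", pbkdf2_verify("imbatman", strong),
          " verify wrong:", pbkdf2_verify("password", strong))
```

Because the salt is random, hashing the same password twice gives two different records, so a precomputed table is useless, and the iteration count makes every guess cost the attacker as much work as it costs the server.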