Effective Security in ASP.Net Applications Jatin Sharma
Types of Threats
• Network – threats against the network
• Host – threats against the host
• Application – threats against the application
Application Security • Error handling • Form authentication • Input validation • Data access & data protection
Error Handling
• Use web.config to handle errors. The customErrors element has three modes:
  <customErrors mode="RemoteOnly" /> (or mode="Off" or mode="On")
• Off – every client, local or remote, gets the detailed ASP.NET error page (exception message, stack trace, source line, physical path). Never ship this setting to production.
• On – every client gets the custom (friendly) page.
• RemoteOnly – the detailed page is shown only for requests from the web server itself; remote clients get the custom page.
Securing the site with error handling
• Example 1
  <customErrors mode="On" defaultRedirect="error.aspx"/>
• The defaultRedirect page must not itself depend on the code that just failed (no database access, no session state), or the user ends up in a redirect loop or back at the detailed error page.
Site Security
• By default, site users are anonymous.
• They may need to be authenticated and authorized.
  Authentication: the process of verifying a user's identity (who is making the request).
  Authorization: deciding what an authenticated (or anonymous) identity is allowed to do (which pages and resources it may access).
ASP.Net Authentication
• 4 different modes of authentication:
  - Windows: uses the Windows authentication system on the web server (for intranets).
  - Forms: uses ASP.Net form-based authentication (for the internet).
  - Passport: uses Microsoft's Passport authentication (the Passport service is discontinued and the mode is obsolete since .NET Framework 4.0).
  - None: no authentication.
Specifying Authentication Type
Web.config
<configuration>
  <system.web>
    <!-- mode="Windows|Passport|Forms|None" -->
    <authentication mode="Windows" />
  </system.web>
</configuration>
Forms Authentication Options
Web.config
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- forms attributes:
           name="[cookie name]"                  - Authentication cookie name
           loginUrl="[url]"                      - URL of login page
           protection="[All|None|Encryption|Validation]"
                                                 - All = ticket encrypted AND MAC-protected (the default; the only setting
                                                   that stops a client from forging or tampering with its own ticket)
           timeout="[minutes]"                   - Length of time cookie valid
           path="/"                              - Cookie path
           requireSSL="[true|false]"             - Restrict cookie to SSL? (true on any site reachable over HTTP)
           slidingExpiration="[true|false]"      - Renew cookie on each request? (false gives a stolen ticket a fixed lifetime)
      -->
    </authentication>
  </system.web>
</configuration>
See Page 862.
Authenticating Against the Web.Config file
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".MyCookie" loginUrl="Login.aspx" protection="All" timeout="15" path="/">
        <credentials passwordFormat="Clear">
          <user name="Sam" password="Secret" />
          <user name="Fred" password="Fred" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
• passwordFormat may be Clear, SHA1 or MD5. Clear stores the passwords in plaintext in Web.config, so anyone who can read the file (file-disclosure bug, backup, source control) has every account; use a hashed format, and keep the credentials section for small test sites only.
User Authorization
Web.config. Rules live inside <authorization> and are evaluated top to bottom; the first rule that matches the user wins, and if none matches the machine-wide default (<allow users="*" />) applies. A whitelist therefore has to end with <deny users="*" />. "?" means anonymous users, "*" means everyone. Four alternative rule sets:
<authorization>
  <!-- Deny access to anonymous (unauthenticated) users -->
  <deny users="?" />
</authorization>

<authorization>
  <!-- Grant access to Bob and Alice but no one else -->
  <allow users="Bob, Alice" />
  <deny users="*" />
</authorization>

<authorization>
  <!-- Grant access to everyone EXCEPT Robin and Tim -->
  <deny users="Robin, Tim" />
  <allow users="*" />
</authorization>

<authorization>
  <!-- Grant access to any manager -->
  <allow roles="Manager" />
  <deny users="*" />
</authorization>
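The three preceding slides (error handling, forms authentication options, authorization) combined into one hardened Web.config, as an added example that is not part of the original deck. It keeps the deck's cookie name, login page and timeout, drops the plaintext <credentials> section (users are expected to live in a database instead), and the comments give the reason for each setting; the role name Manager and the page error.aspx are taken from the slides.

```xml
<configuration>
  <system.web>
    <!-- RemoteOnly: requests from the server itself still get the detailed
         ASP.NET error page; remote clients only ever see error.aspx.
         mode="Off" would hand stack traces and source lines to attackers. -->
    <customErrors mode="RemoteOnly" defaultRedirect="error.aspx" />

    <authentication mode="Forms">
      <!-- protection="All": the ticket is encrypted and MAC-protected, so the
           UserData (roles) read back in Application_AuthenticateRequest cannot
           be forged by the client.
           requireSSL="true": the browser sends the cookie over HTTPS only.
           slidingExpiration="false": a stolen ticket dies 15 minutes after issue
           instead of being renewed on every request. -->
      <forms name=".MyCookie"
             loginUrl="Login.aspx"
             protection="All"
             timeout="15"
             path="/"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>

    <!-- Evaluated top to bottom, first match wins. The closing deny is what
         turns this into a whitelist; without it the machine-wide
         <allow users="*" /> lets everyone else in. -->
    <authorization>
      <allow roles="Manager" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

With requireSSL="true" the forms cookie is issued with the Secure flag, so the login page itself must be served over HTTPS or the cookie is never sent back and every request bounces to loginUrl.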
The Login Page
• First import the namespace that holds the forms authentication classes at the top of your class module:
  Imports System.Web.Security
Using the Authenticate() Method
```vb
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    ' Authenticate() checks the name and password against the <credentials> section of Web.config
    If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then
        ' False = issue a session cookie only, not a persistent cookie on disk
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        lblMessage.Text = "Bad Login"
    End If
End Sub
```
Global.Asax
```csharp
// Needs: using System.Web; using System.Web.Security; using System.Security.Principal;
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                // Get Forms Identity From Current User
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                // Get Forms Ticket From Identity object
                FormsAuthenticationTicket ticket = id.Ticket;
                // Retrieve stored user-data (our roles from db). This is only safe to
                // trust because protection="All" encrypts and MACs the ticket; with
                // protection="None" the client could write its own roles into the cookie.
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                // Create a new Generic Principal Instance and assign to Current User
                HttpContext.Current.User = new GenericPrincipal(id, roles);
            }
        }
    }
}
```
Note that RedirectFromLoginPage, as used on the login slide, creates a ticket with an empty UserData. To carry roles this way the login page has to build the FormsAuthenticationTicket itself (with the roles in the userData argument), call FormsAuthentication.Encrypt on it and write the result into the authentication cookie.
The Authenticate() Method (cont.)
• The FormsAuthentication object handles form security as specified in Web.config.
• RedirectFromLoginPage issues the authentication cookie and then redirects to the page the user originally requested (the ReturnUrl query-string parameter), or to the default page if there is none. Treat ReturnUrl as untrusted input: only ever redirect to a path inside your own application, never to an absolute URL a client supplied.
Authenticating Against a Database
```vb
' Shown as on the deck: the user name and password are concatenated straight into
' the SQL text. This is the SQL injection demonstrated on the next slides.
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    ' cnn: an already-constructed SqlClient.SqlConnection (not shown on the slide)
    cnn.Open()
    Dim i As Integer
    Dim myCommand As New SqlClient.SqlCommand
    myCommand.Connection = cnn
    ' count(*) so that ExecuteScalar returns the number of matching rows, as the
    ' "i > 0" test expects; with "select *" it would return the first column of the first row
    myCommand.CommandText = "select count(*) from userList where uname='" & _
        txtName.Text & "' and upassword='" & txtPassword.Text & "'"
    i = CInt(myCommand.ExecuteScalar())
    If i > 0 Then
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        lblMessage.Text = "Bad Login"
    End If
    cnn.Close()
End Sub
```
SQL Injection • Exploits applications that use external input in database commands • The technique: • Find a <form> field or query string parameter used to generate SQL commands • Submit input that modifies the commands • Compromise, corrupt, and destroy data
How SQL Injection Works
Model query (what the login code above intends to run):
SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'
Malicious query (user-name field set to ' or 1=1--, password left empty):
SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1--' AND Password=''
• "or 1=1" makes the WHERE clause true for every row in the table
• "--" comments out the remainder of the query, including the password check
• COUNT(*) is now the size of the table, so the "i > 0" test passes with no valid password at all
Avoid SQL Injection
• Validation controls (e.g. a RegularExpressionValidator on the user-name field) reduce what reaches the query, but they are defence in depth, not the fix: a quote is a legal character in many fields.
• Parameterized commands: pass every user-supplied value as a SqlParameter, so it travels separately from the SQL text and is never parsed as part of the command.
• SQL stored procedures: only help when called with CommandType.StoredProcedure and parameters. Building an EXEC string by concatenation, or a procedure that itself concatenates its arguments into dynamic SQL, is just as injectable.
Accessing Data Securely
• Use stored procedures
• Never use sa to access Web databases
• Store connection strings securely
• Apply administrative protections to SQL Server
• Optionally use SSL/TLS or IPSec to secure the connection to the database server
The sa Account • For administration only; never use it to access a database programmatically • Instead, use one or more accounts that have limited database permissions • For queries, use SELECT-only account • Better yet, use stored procs and grant account EXECUTE permission for the stored procs • Reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE)
Creating a Limited Account
```sql
USE Login
GO
-- Add account named webuser to Login database
EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login'
-- Grant webuser access to the database
EXEC sp_grantdbaccess 'webuser'
-- Limit webuser to calling proc_IsUserValid
GRANT EXECUTE ON proc_IsUserValid TO webuser
```
• Because webuser has no SELECT, INSERT or DROP rights on the tables, an injection that slips past the application can only call the one procedure; it cannot dump the user list.
• sp_addlogin and sp_grantdbaccess are deprecated; on SQL Server 2005 and later use CREATE LOGIN ... WITH PASSWORD = '...' and CREATE USER ... FOR LOGIN ... instead, and pick your own strong password rather than the one on the slide.
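The last four slides put together, as an added example (not code from the original deck): a C# login handler that replaces the concatenated query from "Authenticating Against a Database" with a call to proc_IsUserValid, the procedure the limited webuser account is allowed to execute, passing the user name and password as SqlParameters. The deck never shows the procedure, so its parameter names (@uname, @upassword) and its single COUNT(*) result are assumptions, as are the connection-string name LoginDb and the txtName / txtPassword / lblMessage page controls.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

// Added example, not from the deck. Assumes proc_IsUserValid(@uname, @upassword)
// returns SELECT COUNT(*) of matching rows and that <connectionStrings> holds
// an entry named "LoginDb" for the webuser account.
public partial class Login : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        if (IsUserValid(txtName.Text, txtPassword.Text))
        {
            // false = session cookie only, no persistent cookie on disk
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, false);
        }
        else
        {
            // Same message for unknown user and wrong password: do not reveal which one it was
            lblMessage.Text = "Bad Login";
        }
    }

    private static bool IsUserValid(string userName, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["LoginDb"].ConnectionString;

        using (SqlConnection cnn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("proc_IsUserValid", cnn))
        {
            // The SQL text is just the procedure name; nothing typed by the user is ever
            // part of it, so "' or 1=1--" is simply a user name that matches no row.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@uname", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@upassword", SqlDbType.NVarChar, 128).Value = password;

            cnn.Open();
            // ExecuteScalar returns the first column of the first row: the COUNT(*)
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }
}
```

Typed, length-limited parameters (SqlDbType.NVarChar with an explicit size) also stop over-long input from reaching the procedure. The same pattern with an inline "SELECT COUNT(*) FROM userList WHERE uname = @uname AND upassword = @upassword" command text is equally safe against injection; the stored procedure adds the ability to withhold table permissions from webuser.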
Connection Strings
• Storing plaintext database connection strings in Web.config is risky: a file-disclosure bug, a stray backup or a checked-in copy hands out the database password.
• Storing encrypted connection strings increases security.
• Encrypting connection strings is easy: the System.Security.Cryptography classes, or, from ASP.NET 2.0 on, the built-in protected configuration feature (aspnet_regiis -pe "connectionStrings" -app "/MyApp" encrypts the section in place with DPAPI or RSA and ConfigurationManager decrypts it transparently).
Database Passwords
• Hashing (at registration). HashPasswordForStoringInConfigFile is one-way; there is no "decrypting" a stored hash, only re-hashing the candidate and comparing:
```csharp
string hashed = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
```
• Verifying (at login). Re-hash the submitted password and compare it with the stored value. Look the row up with parameters, not by concatenating TextBox1.Text into the query, or the login query is itself injectable:
```csharp
string pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
SqlCommand command = new SqlCommand(
    "SELECT roles FROM users WHERE username = @username AND pass = @pass", cnn);
command.Parameters.AddWithValue("@username", TextBox1.Text);
command.Parameters.AddWithValue("@pass", pwd);
```
• Unsalted MD5 (or SHA1) is cracked offline with precomputed tables in seconds once the users table leaks, and the method is marked obsolete from .NET Framework 4.5. Store a per-user salt and use an iterated hash such as PBKDF2 instead.