Security in ASP.Net What the bad guys will try and how ASP.Net will protect you.
Dave Webster Microsoft EMEA

Presentation Transcript


  1. Security in ASP.Net: What the bad guys will try and how ASP.Net will protect you. Dave Webster, Microsoft EMEA

  2. Agenda • Introduction • Specific Attacks • SQL Injection • XSS • Security Principles • Defend in Depth • Deny Access to Information • Security Practices • Steps To Improved Security

  3. Threat Types: Network, Host, Application
     • Threats against the Network: spoofed packets, etc.
     • Threats against the Host: buffer overflows, illicit paths, etc.
     • Threats against the Application: SQL injection, XSS, input tampering, etc.

  4. Agenda • Introduction • Specific Attacks • SQL Injection • XSS • Security Principles • Defend in Depth • Deny Access to Information • Security Practices • Steps To Improved Security

  5. SQL Injection Attacks
     • Exploit applications that don’t validate input that is later used to build dynamic SQL queries
     • Can be used against ANY operating system, web server, or SQL database

  6. SQL Injection Attacks

  7. SQL Injection Attacks - What to do?
     • ALL user input is hostile, regardless of whether the user is logged in or not
     • Always use a Regular Expression validator, e.g. ^[\w\.]{4,11}?$
       Specifies any character ( a-z A-Z 0-9 _ ) or ‘dot’, with a length between 4 and 11 characters
     • REMEMBER – Client side validation can easily be bypassed
     • Validate AGAIN in code
     • Use ASP.NET Validation Controls
     • Don’t use dynamic SQL
     • Use stored procedures, or parameterised queries

  8. SQL Injection Attacks - What to do?
     • Watch out for Dynamic SQL in Stored Procedures! The procedure below concatenates @Username into the query text, so parameterising the call to it from the application gains nothing:

     CREATE PROCEDURE [dbo].BadSelectUser (@Username nvarchar(50))
     AS
     DECLARE @sql nvarchar(255)
     SET @sql = 'SELECT Password FROM Users WHERE Username = ''' + @Username + ''''
     EXEC sp_executesql @sql
     GO
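The following C# is an added example for slides 7 and 8, not code from the original deck. It re-validates the username in code with the slide's regular expression, shows the dynamic-SQL string the slides warn about next to its parameterised replacement, and calls a stored procedure through typed parameters. The table and column names follow the slide; the procedure name dbo.SelectUser is a hypothetical, corrected counterpart of BadSelectUser, and the connection string is left to the caller.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not from the original deck.
public static class UserLookup
{
    // Same character class and length as the slide's pattern. The slide's
    // trailing "?" makes the quantifier lazy, which changes nothing once the
    // pattern is anchored with ^ and $, so it is dropped here.
    private static readonly Regex UsernamePattern = new Regex(@"^[\w\.]{4,11}$");

    // Validate AGAIN in code: client-side validators can be bypassed.
    public static bool IsValidUsername(string username)
    {
        return username != null && UsernamePattern.IsMatch(username);
    }

    // Vulnerable pattern (shown for contrast, do not use): the value is pasted
    // into the query text, so a quote character in the input ends the string
    // literal and whatever follows is parsed as SQL.
    public static string BuildUnsafeQueryText(string username)
    {
        return "SELECT Password FROM Users WHERE Username = '" + username + "'";
    }

    // Safe: the value is sent as a typed parameter and is never parsed as SQL,
    // whatever characters it contains.
    public static SqlCommand BuildParameterisedCommand(SqlConnection conn, string username)
    {
        var cmd = new SqlCommand(
            "SELECT Password FROM Users WHERE Username = @Username", conn);
        cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
        return cmd;
    }

    // Calling a stored procedure the same way. This only helps if the procedure
    // itself uses @Username directly in its WHERE clause rather than building a
    // string for sp_executesql, as BadSelectUser on the slide does.
    // "dbo.SelectUser" is a hypothetical name.
    public static SqlCommand BuildProcedureCommand(SqlConnection conn, string username)
    {
        var cmd = new SqlCommand("dbo.SelectUser", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
        return cmd;
    }

    // Typical page code: reject bad input first, then query with parameters.
    public static object LookupPassword(string connectionString, string username)
    {
        if (!IsValidUsername(username))
            throw new ArgumentException("Username failed validation.");

        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (var cmd = BuildParameterisedCommand(conn, username))
                return cmd.ExecuteScalar();   // null when no row matches
        }
    }
}
```

Both the regular expression and the parameter are needed: the regex limits what reaches the database at all, and the parameter guarantees that whatever does reach it is data, not SQL. Slide 19 adds that the Password column itself should hold a salted hash rather than the plaintext this query returns.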

  9. XSS Attacks
     • Exploit applications that don’t validate input that is later echoed back to the page: form fields, QueryString parameters
     • Injects JavaScript into the page
     • Consequences: attacker can modify page content via DHTML, redirect the browser to another site, hijack cookies

  10. XSS Attacks

  11. XSS Attacks - What to Do?
     • ALL user input is hostile
     • Ensure validateRequest=“true”
     • Make sure HOTFIX 821349 or SP1 is installed to disable the <%00SCRIPT> vulnerability (.Net 1.x only)
     • Validate and Encode Input
     • Use Server.HtmlEncode(text) to render input safe for HTML presentation
     • Use a custom SafeTextBox control
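The following C# is an added example, not code from the original deck. It wraps the encoding step the slide recommends in one helper per output context, because the right encoding depends on where the echoed text lands: between tags, inside an attribute value, or in a URL. The sample input is constructed for the demo; HttpUtility lives in System.Web.dll on the .NET Framework.

```csharp
using System;
using System.Web;   // HttpUtility; reference System.Web.dll on the .NET Framework

// Added example, not from the original deck: encode untrusted input for the
// context it is echoed into, so markup in the input renders as literal text.
public static class SafeEcho
{
    // Text placed between tags: <span>...</span>
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // Text placed inside a quoted attribute: <input value="...">
    public static string ForHtmlAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);
    }

    // Text placed into a query string: <a href="search.aspx?q=...">
    public static string ForQueryString(string untrusted)
    {
        return HttpUtility.UrlEncode(untrusted ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed sample resembling what a form field or QueryString
        // parameter might carry back to the page.
        string input = "<script>alert(1)</script>";

        // Unsafe: assigning the raw string to a Label or writing it with
        // Response.Write puts live markup into the page.
        // Safe: the encoded forms below are shown as text by the browser.
        Console.WriteLine(ForHtmlBody(input));
        Console.WriteLine(ForHtmlAttribute(input));
        Console.WriteLine(ForQueryString(input));
    }
}
```

In a page this is the difference between `nameLabel.Text = Request.QueryString["name"]` and `nameLabel.Text = SafeEcho.ForHtmlBody(Request.QueryString["name"])`. Server.HtmlEncode on the slide calls the same HttpUtility routine. validateRequest stops many obvious payloads at the request boundary, but encoding on output is what makes the page safe for input that passed validation or arrived through another path.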

  12. Agenda • Introduction • Specific Attacks • SQL Injection • XSS • Security Principles • Defend in Depth • Deny Access to Information • Security Practices • Steps To Improved Security

  13. Defend in depth
     • Reduce the attack surface: shut off protocols you don’t need, reduce the permissions you require
     • Defend at each layer in the app and the configuration: assume that the layer above has failed, assume that there is no protection at the lower layers
     • Deny information to attackers

  14. Deny information
     • Don’t propagate exceptions; use custom error pages
     • Don’t output unnecessary information
       “Login failed… you have not specified a valid password.” (reveals that the username exists)
       “Login failed… please try again.” (reveals nothing)

     <system.web>
       <customErrors defaultRedirect="Error.htm" mode="RemoteOnly">
         <error statusCode="500" redirect="InternalError.htm" />
       </customErrors>
     </system.web>

  15. Agenda • Introduction • Specific Attacks • SQL Injection • XSS • Security Principles • Defend in Depth • Deny Access to Information • Security Practices • Steps To Improved Security

  16. Security Practices
     • Prepare servers: install Service Packs and patches, remove all unnecessary applications and services, run Windows Update
     • Lock down the web server with the IISLockDown utility: disables FTP, SMTP, NNTP; removes unnecessary virtual directories
     • URLScan ISAPI filter, configurable via config file

  17. Control Access To Resources
     • Create an impersonation account: a Windows account used by the application for accessing resources
     • Use Windows Authentication for database login
     • Assign permissions to resources: file system, registry, database
     • Use role based security in code

  18. Declarative Security

     [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
     public void UpdateUsers(UserDS userDS)
     {
         try
         {
             if (userDS.HasChanges() == false) return;
             UserDao userDao = new UserDao();
             userDao.UpdateDataset(userDS);
         }
         catch (Exception ex)
         {
             ExceptionManager.Publish(ex);
             throw;
         }
     }
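The following C# is an added example, not code from the original deck. It shows what the attribute on the slide actually checks: a PrincipalPermission demand is evaluated against Thread.CurrentPrincipal, which ASP.NET sets to the authenticated user on each request. Here the principal is set by hand so the demand can be exercised outside a web request. It assumes the .NET Framework, where PrincipalPermission is enforced.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not from the original deck.
public static class RoleDemo
{
    // The runtime checks Thread.CurrentPrincipal.IsInRole("Administrator")
    // before the body runs; a failed demand throws SecurityException.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public static string UpdateUsers()
    {
        return "users updated";
    }

    // Runs UpdateUsers as the given user and roles; true if the demand passed.
    public static bool TryAs(string userName, string[] roles)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        try
        {
            // In ASP.NET this assignment is done for you from the
            // authenticated request (e.g. Windows or Forms authentication).
            Thread.CurrentPrincipal =
                new GenericPrincipal(new GenericIdentity(userName), roles);
            UpdateUsers();
            return true;
        }
        catch (SecurityException)
        {
            // Caller is not in the required role.
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = saved;
        }
    }

    public static void Main()
    {
        // Constructed identities for the demo.
        Console.WriteLine(TryAs("alice", new[] { "Administrator" }));
        Console.WriteLine(TryAs("bob", new[] { "User" }));
    }
}
```

The same check can be made imperatively with `new PrincipalPermission(null, "Administrator").Demand()` inside the method body, which is useful when the required role is only known at run time. Either way the decision is only as good as the principal ASP.NET attached to the request, which is why the deck pairs this with Windows authentication and an impersonation account.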

  19. Secure Sensitive Strings
     • Don’t store sensitive strings in config files or code: usernames, passwords, connection strings
     • Use ASPNET_SetReg.exe: encrypt the string to the registry, assign a DACL to the registry entry, add the registry key to web.config
     • Hash or at least encrypt your application account passwords
       A hash is more secure as it is one way
       Append a salt to the plaintext before hashing to avoid dictionary attacks
     • Membership providers in ASP.Net 2.0 hash by default, specified in the config file
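The following C# is an added example, not code from the original deck, covering slides 14 and 19 together: each password is stored only as a salted, iterated hash (PBKDF2 through Rfc2898DeriveBytes, which is the salt-then-hash the slide describes with a work factor added), and the login check returns the slide's single generic message whether the username is unknown or the password is wrong. The user store is an in-memory dictionary constructed for the demo; a real application would keep the salt and hash in the Users table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not from the original deck.
public static class Accounts
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000;   // raise as hardware allows

    // One message for every failure cause, as slide 14 recommends.
    public const string FailureMessage = "Login failed... please try again.";

    private sealed class Record
    {
        public byte[] Salt;
        public byte[] Hash;
    }

    // Constructed in-memory store: salt and derived hash only, never plaintext.
    private static readonly Dictionary<string, Record> Users =
        new Dictionary<string, Record>(StringComparer.Ordinal);

    // Used for unknown usernames so the same work is done either way and the
    // response time does not reveal which accounts exist.
    private static readonly byte[] DummySalt = NewSalt();
    private static readonly byte[] DummyHash = Derive("dummy", DummySalt);

    public static byte[] NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return salt;
    }

    // The salt is mixed into the derivation, so two users with the same
    // password store different values and precomputed tables are useless.
    public static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    public static void Register(string username, string password)
    {
        byte[] salt = NewSalt();
        Users[username] = new Record { Salt = salt, Hash = Derive(password, salt) };
    }

    // Compares every byte regardless of where the first difference is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns null on success, otherwise FailureMessage, whatever the cause.
    public static string Login(string username, string password)
    {
        Record rec;
        bool known = Users.TryGetValue(username ?? string.Empty, out rec);
        byte[] salt = known ? rec.Salt : DummySalt;
        byte[] expected = known ? rec.Hash : DummyHash;
        byte[] actual = Derive(password ?? string.Empty, salt);
        bool ok = FixedTimeEquals(actual, expected) & known;   // no short-circuit
        return ok ? null : FailureMessage;
    }

    public static void Main()
    {
        Register("alice", "correct horse battery staple");
        Console.WriteLine(Login("alice", "correct horse battery staple") ?? "ok");
        Console.WriteLine(Login("alice", "wrong password"));
        Console.WriteLine(Login("nobody", "anything"));
    }
}
```

The ASP.Net 2.0 Membership provider mentioned on the slide does the salting and hashing for you when passwordFormat is left at Hashed in web.config; the code above is what that setting replaces, and the Login shape is what a custom provider's ValidateUser should look like: one answer, same cost, no hint about which half of the credential was wrong.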

  20. Validate Input
     • ALL user input is hostile
     • Validate, validate, validate

  21. Test Security
     • Microsoft Baseline Security Analyzer 1.2.1 automatically analyses the server’s security status
     • 2.0 in beta now

  22. Microsoft Baseline Security Analyzer

  23. Summary
     • Security is the responsibility of the developer
     • 70% of attacks exploit the application code
     • ASP 2.0 protected by default
     • Always defend in depth: assume top layers are compromised, assume no protection in lower layers
     • Treat all user input as hostile until sanitized: XSS attacks, SQL injection attacks

  24. Resources
     • http://msdn.microsoft.com/security/
     • http://msdn.microsoft.com/security/securecode
     • Building Secure ASP.NET Applications: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
