Transcript ASPsecuritySharma

Effective Security in
ASP.Net Applications
Jatin Sharma
Types of Threats
Network
Threats against
the network
Threats against the host
Threats against the application
Host
Application
Application Security

Error handling

Form authentication

Input validation

Data access & data protection
Error Handling

Use web.config to handle errors
Three different modes for customErrors
<customErrors mode=“RemoteOnly” />
or =“Off”
or =“On”



Off – display detailed asp.net error information
On – display custom (friendly) messages.
RemoteOnly – no detailed error for remote clients.
Securing the site with
error handling

Example 1
<customErrors mode="On" defaultRedirect="error.aspx"/>
Site Security


By default, site users are anonymous.
They may need to be authenticated and authorized.
Authentication: the process of verifying a user’s
identity.
Authorization: to measure or establish the power or
permission that has been given or granted by an
authority.
ASP.Net Authentication

4 different modes of authentication.
- Windows: uses windows authentication system on the
web server (for intranet).
- Forms: uses ASP.Net form-based authentication (for
internet).
- Passport: uses Microsoft’s Passport Authentication
- None: no authentication.
Specifying Authentication Type
Web.config
<configuration>
<system.web>
<!-- mode="Windows|Passport|Forms|None" -->
<authentication mode="Windows" />
</system.web>
</configuration>
Forms Authentication Options
Web.config
<configuration>
<system.web>
<authentication mode="Forms">
<!-forms Attributes:
name="[cookie name]" - Authentication cookie name
loginUrl="[url]" - URL of login page
protection="[All|None|Encryption|Validation]"
timeout="[minutes]" - Length of time cookie valid
path="/" - Cookie path
requireSSL="[true|false]" - Restrict cookie to SSL?
slidingExpiration="[true|false]" - Renew cookie?
-->
</authentication>
</system.web>
</configuration>
See Page 862.
Authenticating Against the
Web.Config file
<configuration>
<system.web>
<authentication mode="Forms">
<forms name=“.MyCookie"
loginUrl=“Login.aspx”
protection=“All"
timeout="15”
path="/" >
<credentials passwordFormat=“Clear”>
<user name=“Sam” password=“Secret” />
<user name=“Fred” password=“Fred” />
</credentials>
</forms>
</authentication>
</system.web>
</configuration>
User Authorization
Web.config
<!-- Deny access to anonymous (unauthenticated) users -->
<deny users="?" />
<!-- Grant access to Robin and Tim but no one else -->
<allow users="Bob, Alice" />
<deny users="*" />
<!-- Grant access to everyone EXCEPT Bob and Alice -->
<deny users=“Robin, Tim" />
<allow users="*" />
<!-- Grant access to any manager -->
<allow roles="Manager" />
<deny users="*" />
The Login Page

First provide a namespace to the classes in the
top of your class module as follows:
Imports System.Web.Security
The Login Page (cont.)
Using the Authenticate() Method
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles Button1.Click
If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then
FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
Else
lblMessage.Text = "Bad Login"
End If
End Sub
Global.Asax
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
if (HttpContext.Current.User != null)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
if (HttpContext.Current.User.Identity is FormsIdentity)
{
// Get Forms Identity From Current User
FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
// Get Forms Ticket From Identity object
FormsAuthenticationTicket ticket = id.Ticket;
// Retrieve stored user-data (our roles from db)
string userData = ticket.UserData;
string[] roles = userData.Split(',');
// Create a new Generic Principal Instance and assign to Current User
HttpContext.Current.User = new GenericPrincipal(id, roles);
}
}
}
}
The Authenticate() Method (cont.)

The FormsAuthentication Object handles
form security as specified in the Web.Config.

RedirectFromLogin Page redirects to the
requested page if the user has the permission.
Authenticating Against a Database
cnn.Open()
Dim i As Integer
Dim myCommand As New SqlClient.SqlCommand
myCommand.Connection = cnn
myCommand.CommandText = "select * from userList where uname='" & _
txtName.Text & "' and upassword='" & txtPassword.Text & "'"
i = myCommand.ExecuteScalar
If i > 0 Then
FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
Else
lblMessage.Text = "Bad Login"
End If
Cnn.Close()
End Sub
SQL Injection

Exploits applications that use external input in
database commands




The technique:
Find a <form> field or query string parameter used
to generate SQL commands
Submit input that modifies the commands
Compromise, corrupt, and destroy data
How SQL Injection Works
Model Query
SELECT COUNT (*) FROM Users
WHERE UserName=‘Jeff’
AND Password=‘imbatman’
Malicious Query
SELECT COUNT (*) FROM Users
WHERE UserName=‘’ or 1=1-AND Password=‘’
"or 1=1" matches every
record in the table
"--" comments out the
remainder of the query
Avoid SQL Injection

Validation Control.

SQL Stored Procedure.
Accessing Data Securely
Use stored procedures
Never use sa to access Web databases
Store connection strings securely
Apply administrative protections to SQL Server
Optionally use SSL/TLS or IPSec to secure the
connection to the database server 2
The sa Account


For administration only; never use it to access a
database programmatically
Instead, use one or more accounts that have
limited database permissions



For queries, use SELECT-only account
Better yet, use stored procs and grant account
EXECUTE permission for the stored procs
Reduces an attacker's ability to execute harmful
commands (e.g., DROP TABLE)
Creating a Limited Account
USE Login
GO
-- Add account named webuser to Login database
EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login'
-- Grant webuser access to the database
EXEC sp_grantdbaccess 'webuser'
-- Limit webuser to calling proc_IsUserValid
GRANT EXECUTE ON proc_IsUserValid TO webuser
Connection Strings

Storing plaintext database connection strings in
Web.config is risky



Vulnerable to file disclosure attacks
Storing encrypted database connection strings
increases security
Encrypting connection strings is easy

System.Security.Cryptography classes
Database Passwords

Encrypting
string name =FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text,"MD5");

Decrypting
string pwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text,"MD5");
string command = "SELECT roles FROM users WHERE username =
'" + TextBox1.Text + "' AND pass = '" + pwd + "'";