Effective Security in
ASP.Net Applications
Jatin Sharma
Types of Threats
- Network: threats against the network
- Host: threats against the host
- Application: threats against the application
Application Security
- Error handling
- Form authentication
- Input validation
- Data access & data protection
Error Handling

Use web.config to handle errors.
Three different modes for customErrors:
<customErrors mode="RemoteOnly" />
or mode="Off"
or mode="On"

Off – custom errors disabled: every client, local or remote, gets the detailed ASP.Net error page (exception message, stack trace, source line, physical paths). Never use this in production.
On – custom (friendly) error pages are shown to every client, including the local machine.
RemoteOnly – detailed errors only for requests from the web server itself; remote clients get the custom page. This is the default when the element is absent.
Securing the site with error handling

Example 1
<customErrors mode="On" defaultRedirect="error.aspx"/>
With mode="On" and a defaultRedirect, an unhandled exception sends the browser to error.aspx instead of the ASP.Net error page, so stack traces, SQL text and file paths never reach the client where an attacker could use them to map the application. Log the exception on the server before it is swallowed, otherwise the friendly page hides the failure from you as well.
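The following is an added example, not code from the original slides: a Global.asax Application_Error handler that goes with the customErrors setting above. The config keeps the detailed page away from users; the handler makes sure the details still land in a server-side log before the generic page is served. The log path under App_Data and the LogToFile helper are assumptions for the example.

```csharp
// Added example (not part of the original slides). Logs the real exception on
// the server and shows the user only error.aspx, whatever the customErrors mode.
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.Net wraps page exceptions in HttpUnhandledException; unwrap to the root cause.
        Exception root = ex.GetBaseException();

        // Full details stay on the server: request URL, type, message, stack trace.
        LogToFile(string.Format("{0:u} {1} {2}: {3}{4}{5}",
            DateTime.UtcNow, Request.RawUrl, root.GetType().FullName,
            root.Message, Environment.NewLine, root.StackTrace));

        // ClearError stops ASP.Net from rendering its own error page; the client
        // then receives the generic page with a 500 status and nothing else.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Server.Transfer("~/error.aspx");   // Transfer keeps the 500; Redirect would turn it into 302 + 200
    }

    private static void LogToFile(string line)
    {
        // Assumed location. App_Data is not served by ASP.Net, so the log, which
        // contains exactly the details we are hiding from clients, cannot be downloaded.
        string path = HttpContext.Current.Server.MapPath("~/App_Data/errors.log");
        File.AppendAllText(path, line + Environment.NewLine);
    }
}
```

The handler does not depend on the customErrors mode at all; keep mode="On" or "RemoteOnly" anyway so that errors raised before Application_Error can run (configuration or compilation errors) are not shown in detail either.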
Site Security

By default, site users are anonymous.
They may need to be authenticated and authorized.
Authentication: the process of verifying a user's identity.
Authorization: deciding what an authenticated identity is permitted to do, i.e. which resources and operations have been granted to it. Authorization is only meaningful after authentication; an anonymous user can be granted or denied access, but not told apart from any other anonymous user.
ASP.Net Authentication

4 different modes of authentication.
- Windows: uses the Windows authentication system on the web server (for intranets, where users already have domain accounts).
- Forms: uses ASP.Net form-based authentication, a login page plus an encrypted ticket cookie (for the internet).
- Passport: uses Microsoft's Passport authentication (the service has since been retired and the mode is marked obsolete in .NET Framework 4 and later).
- None: no authentication.
Specifying Authentication Type
Web.config
<configuration>
<system.web>
<!-- mode="Windows|Passport|Forms|None" -->
<authentication mode="Windows" />
</system.web>
</configuration>
Forms Authentication Options
Web.config
<configuration>
<system.web>
<authentication mode="Forms">
<!-- forms attributes:
name="[cookie name]" - Authentication cookie name
loginUrl="[url]" - URL of login page
protection="[All|None|Encryption|Validation]" - All (the default) both encrypts the ticket and adds a MAC; Encryption alone lets a client tamper with it, Validation alone lets a client read it, None does neither
timeout="[minutes]" - Length of time the ticket is valid
path="/" - Cookie path
requireSSL="[true|false]" - Send the cookie only over HTTPS; set to true on any site that is also reachable over plain HTTP, or the ticket can be sniffed
slidingExpiration="[true|false]" - Renew the ticket on each request made before it expires?
-->
</authentication>
</system.web>
</configuration>
See Page 862.
Authenticating Against the
Web.Config file
<configuration>
<system.web>
<authentication mode="Forms">
<forms name=".MyCookie"
loginUrl="Login.aspx"
protection="All"
timeout="15"
path="/" >
<credentials passwordFormat="Clear">
<user name="Sam" password="Secret" />
<user name="Fred" password="Fred" />
</credentials>
</forms>
</authentication>
</system.web>
</configuration>
passwordFormat="Clear" leaves the passwords readable by anyone who can read Web.config (developers, backups, a file disclosure bug). "SHA1" or "MD5" stores a hash instead; the value is produced with HashPasswordForStoringInConfigFile, shown later. Either way this store suits only a handful of accounts; a real site keeps users in a database.
User Authorization
Web.config
Rules inside <authorization> are evaluated top to bottom and the first matching rule wins, so the order of allow and deny elements decides the outcome.
<!-- Deny access to anonymous (unauthenticated) users -->
<deny users="?" />
<!-- Grant access to Bob and Alice but no one else -->
<allow users="Bob, Alice" />
<deny users="*" />
<!-- Grant access to everyone EXCEPT Robin and Tim -->
<deny users="Robin, Tim" />
<allow users="*" />
<!-- Grant access to any manager -->
<allow roles="Manager" />
<deny users="*" />
The Login Page

First import the namespace at the top of your class module:
Imports System.Web.Security
The Login Page (cont.)
Using the Authenticate() Method
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    ' Authenticate() checks the name and password against the <credentials> in Web.config
    If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then
        ' Issue the forms ticket cookie and redirect to the ReturnUrl (False = session cookie, not persistent)
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        ' Same message for an unknown user and a wrong password, so the form does not reveal which one failed
        lblMessage.Text = "Bad Login"
    End If
End Sub
Global.Asax
// Runs on every request after ASP.Net has decrypted and validated the forms ticket.
// It rebuilds the principal so that User.IsInRole() and <allow roles="..."> work.
// In Global.asax the types below come from System.Web, System.Web.Security and System.Security.Principal.
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                // Get Forms Identity From Current User
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                // Get Forms Ticket From Identity object
                FormsAuthenticationTicket ticket = id.Ticket;
                // Retrieve stored user-data (our roles from db); the login page must
                // have placed them in the ticket's UserData when it issued the ticket
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                // Create a new Generic Principal Instance and assign to Current User
                HttpContext.Current.User = new GenericPrincipal(id, roles);
            }
        }
    }
}
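The issuing side of the handler above, as an added example that is not part of the original slides: the login page puts the user's roles into the ticket's UserData, which is the field the Application_AuthenticateRequest code splits on commas. LookupRoles stands in for your own user store, and IsLocalUrl is a helper added here; neither comes from the slides.

```csharp
// Added example (not from the original slides): issue a forms ticket whose
// UserData carries the roles, so Application_AuthenticateRequest can rebuild
// a GenericPrincipal from it on later requests.
using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Placeholder: a real application reads the roles from its database.
    private static string LookupRoles(string userName)
    {
        return userName == "Sam" ? "Manager,User" : "User";
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Credential check exactly as on the login slide (Web.config <credentials>).
        if (!FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text))
        {
            lblMessage.Text = "Bad Login";
            return;
        }

        var ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            txtName.Text,                       // authenticated name
            DateTime.Now,                       // issue time
            DateTime.Now.AddMinutes(15),        // expiry; keep in step with <forms timeout="15">
            false,                              // not persistent: the cookie dies with the browser session
            LookupRoles(txtName.Text),          // UserData, e.g. "Manager,User"
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies protection="All": the ticket is encrypted and MAC'd
        // with the machineKey, so a client can neither read nor edit its roles.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                           // not readable by page script
            Secure = FormsAuthentication.RequireSSL,   // mirrors requireSSL in Web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        // RedirectFromLoginPage would overwrite this cookie with a ticket that has
        // no UserData, so redirect by hand. Only follow a ReturnUrl inside this site.
        string target = FormsAuthentication.GetRedirectUrl(txtName.Text, false);
        Response.Redirect(IsLocalUrl(target) ? target : FormsAuthentication.DefaultUrl);
    }

    // Accepts "/path" or "~/path"; rejects "http://evil", "//evil" and "/\evil".
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/")) return true;
        return url[0] == '/' && !(url.Length > 1 && (url[1] == '/' || url[1] == '\\'));
    }
}
```

Because the roles live inside the ticket, a role change only takes effect when the user logs in again or the ticket expires; with the 15-minute timeout from the Web.config slide that window is short, which is one more reason not to make the cookie persistent.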
The Authenticate() Method (cont.)

The FormsAuthentication object implements forms security as configured in Web.config.

RedirectFromLoginPage issues the authentication ticket cookie and redirects to the page the user originally asked for (the ReturnUrl query parameter), or to the default page when there is none. Whether the user may actually view that page is then decided by the <authorization> rules, not by this call.
Authenticating Against a Database
' cnn is a SqlConnection field declared elsewhere on the page
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    cnn.Open()
    Dim i As Integer
    Dim myCommand As New SqlClient.SqlCommand
    myCommand.Connection = cnn
    ' The user-supplied name and password are pasted straight into the SQL text.
    ' This is the injectable pattern the next slides take apart.
    myCommand.CommandText = "select count(*) from userList where uname='" & _
        txtName.Text & "' and upassword='" & txtPassword.Text & "'"
    ' ExecuteScalar returns the first column of the first row: here the match count
    i = CInt(myCommand.ExecuteScalar())
    If i > 0 Then
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        lblMessage.Text = "Bad Login"
    End If
    cnn.Close()
End Sub
SQL Injection

Exploits applications that use external input in database commands.

The technique:
- Find a <form> field or query string parameter used to generate SQL commands
- Submit input that modifies the commands
- Compromise, corrupt, and destroy data
How SQL Injection Works
Model Query
SELECT COUNT(*) FROM Users
WHERE UserName='Jeff'
AND Password='imbatman'
Malicious Query (user name submitted as ' or 1=1--, password left empty)
SELECT COUNT(*) FROM Users
WHERE UserName='' or 1=1--' AND Password=''
"or 1=1" matches every record in the table
"--" comments out the remainder of the query, so the password check never runs and the count is greater than zero for any password
Avoid SQL Injection

- Validation controls: allow-list what each field may contain (length, character set) before it goes anywhere near a query. This narrows the attack surface but is not a complete defence on its own.
- SQL stored procedures, called with parameters: the command text is fixed and user input travels as typed values, so it is never parsed as SQL. A stored procedure that builds dynamic SQL from its arguments and runs it with EXEC is still injectable.
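An added example, not from the original slides, putting the concatenated login query beside the same check written with parameters and with a stored procedure. Table and column names follow the slides (userList, uname, upassword, proc_IsUserValid); the parameter names of proc_IsUserValid (@uname, @upassword) and its integer result are assumptions.

```csharp
// Added example (not from the original slides): vulnerable vs. parameterized
// versions of the login check from the "Authenticating Against a Database" slide.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // VULNERABLE: the input becomes part of the SQL text. With name = "' or 1=1--"
    // and any password the method returns
    //   select count(*) from userList where uname='' or 1=1--' and upassword=''
    // so the password clause is commented out and every row matches.
    public static string BuildVulnerableQuery(string name, string password)
    {
        return "select count(*) from userList where uname='" + name +
               "' and upassword='" + password + "'";
    }

    // SAFE: the text is fixed; values are sent separately and are compared as
    // data, so "' or 1=1--" is simply a user name that does not exist.
    // Needs SELECT on userList, which the locked-down webuser account does not have.
    public static bool IsValidUserParameterized(SqlConnection cnn, string name, string password)
    {
        const string sql =
            "select count(*) from userList where uname = @uname and upassword = @upassword";
        using (var cmd = new SqlCommand(sql, cnn))
        {
            // Typed, length-limited parameters also enforce a maximum length for free.
            cmd.Parameters.Add("@uname", SqlDbType.NVarChar, 64).Value = name;
            cmd.Parameters.Add("@upassword", SqlDbType.NVarChar, 128).Value = password;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: stored procedure with parameters. With the webuser account from the
    // "Creating a Limited Account" slide this is the only statement the web
    // application is allowed to run, so even a successful injection elsewhere
    // could not read or drop tables through this connection.
    public static bool IsValidUserStoredProc(SqlConnection cnn, string name, string password)
    {
        using (var cmd = new SqlCommand("proc_IsUserValid", cnn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@uname", SqlDbType.NVarChar, 64).Value = name;
            cmd.Parameters.Add("@upassword", SqlDbType.NVarChar, 128).Value = password;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Both safe versions still compare a plaintext upassword column, as the slides do; the "Database Passwords" slide and its example replace that with a hash.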
Accessing Data Securely
- Use stored procedures
- Never use sa to access Web databases
- Store connection strings securely
- Apply administrative protections to SQL Server
- Optionally use SSL/TLS or IPSec to secure the connection to the database server
The sa Account

For administration only; never use it to access a database programmatically.
Instead, use one or more accounts that have limited database permissions:
- For queries, use a SELECT-only account.
- Better yet, use stored procs and grant the account EXECUTE permission for the stored procs only.
This reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE) even when an injection succeeds.
Creating a Limited Account
USE Login
GO
-- Add a login named webuser with Login as its default database
-- ('mxyzptlk' is a placeholder; use a strong, generated password)
-- sp_addlogin and sp_grantdbaccess are deprecated since SQL Server 2005;
-- CREATE LOGIN and CREATE USER are the current equivalents
EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login'
-- Grant webuser access to the database
EXEC sp_grantdbaccess 'webuser'
-- Limit webuser to calling proc_IsUserValid: no SELECT, INSERT, UPDATE or
-- DELETE on the tables themselves, so an injected statement has nothing to hit
GRANT EXECUTE ON proc_IsUserValid TO webuser
Connection Strings

Storing plaintext database connection strings in Web.config is risky: a file disclosure bug (path traversal, a misconfigured handler, a stray backup copy of the file) hands an attacker the database credentials.
Storing encrypted database connection strings increases security: the same disclosure then yields only ciphertext that is useless off the server.
Encrypting connection strings is easy: ASP.Net 2.0 and later ship protected configuration (aspnet_regiis -pe "connectionStrings", or the ProtectSection API, backed by DPAPI or RSA), and the System.Security.Cryptography classes are there if you need something custom.
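The protected-configuration route, as an added example that is not from the original slides: it encrypts the <connectionStrings> section of Web.config in place using the built-in DPAPI provider, so the application keeps reading ConfigurationManager.ConnectionStrings unchanged. The class and method names here are the example's own; the provider names are the two ASP.Net ships with.

```csharp
// Added example (not from the original slides): encrypt the connectionStrings
// section with ASP.Net protected configuration instead of hand-rolled crypto.
// DPAPI keys the data to the machine, so the encrypted Web.config is readable
// only on the server that encrypted it. Run once at deployment, not per request.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtector
{
    // "RsaProtectedConfigurationProvider" is the alternative when one Web.config
    // must be readable on every node of a web farm (export/import the RSA key).
    private const string Provider = "DataProtectionConfigurationProvider";

    // appPath is the application's virtual path, e.g. "/" or "/MyApp".
    public static void Protect(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected) return;

        section.SectionInformation.ProtectSection(Provider);
        // Writes <connectionStrings configProtectionProvider="..."> containing
        // an <EncryptedData> element in place of the plaintext <add .../> entries.
        config.Save();
    }

    // Reverse the operation, e.g. before editing the strings by hand.
    public static void Unprotect(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || !section.SectionInformation.IsProtected) return;

        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}
```

The identity running the application pool must be able to use the DPAPI machine store (the default for this provider) and, for Protect() to save, must have write access to Web.config; on a production box it is better to run the same step from the command line as an administrator with aspnet_regiis -pe "connectionStrings" -app "/MyApp" and leave the file read-only for the pool identity.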
Database Passwords

Hashing (when the account is created: the hash, not the password, goes into the users table)
string name = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");

Verifying (at login: hash the supplied password the same way and compare; nothing is ever decrypted, which is the point of storing a hash)
string pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
string command = "SELECT roles FROM users WHERE username = '" + TextBox1.Text + "' AND pass = '" + pwd + "'";
Two caveats: this is an unsalted MD5 hash, which precomputed tables reverse in seconds and which is why HashPasswordForStoringInConfigFile is marked obsolete in .NET Framework 4.5 and later; and the username is concatenated into the query, which reopens the SQL injection hole from the previous slides. Use a salted, iterated hash and a parameterized command.
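An added example, not from the original slides, of what replaces the snippet above: a per-user random salt, PBKDF2 via Rfc2898DeriveBytes, a constant-time comparison, and a parameterized lookup by username. The table and column names (users, username, roles, pass_salt, pass_hash) and the iteration count are assumptions for the example.

```csharp
// Added example (not from the original slides): salted, iterated password
// hashing plus a parameterized login query.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class PasswordStore
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000;   // assumed; tune so one hash costs tens of ms on your server

    // Called when the account is created or the password changes.
    // Store both salt and hash (e.g. varbinary columns); the password itself is never stored.
    public static void CreateHash(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);            // a fresh salt per user defeats precomputed tables
        }
        hash = Pbkdf2(password, salt);
    }

    // True only when the recomputed hash matches the stored one.
    public static bool Verify(string password, byte[] salt, byte[] storedHash)
    {
        byte[] candidate = Pbkdf2(password, salt);
        return FixedTimeEquals(candidate, storedHash);
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Compares every byte regardless of where the first mismatch is, so the
    // running time does not leak how many leading bytes were correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Login: fetch salt, hash and roles for the username with a parameter, then
    // verify locally. Returns the roles string (e.g. "Manager,User") on success,
    // null for an unknown user or a wrong password, with no hint which one it was.
    public static string Login(SqlConnection cnn, string userName, string password)
    {
        const string sql =
            "SELECT pass_salt, pass_hash, roles FROM users WHERE username = @username";
        using (var cmd = new SqlCommand(sql, cnn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = userName;
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;
                byte[] salt = (byte[])r["pass_salt"];
                byte[] hash = (byte[])r["pass_hash"];
                string roles = r["roles"] as string;
                return Verify(password, salt, hash) ? roles : null;
            }
        }
    }
}
```

The roles string returned by Login is what the Global.asax example puts into the ticket's UserData; the database never sees the plaintext password, so a dump of the users table yields only salted hashes that have to be attacked one account at a time.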