Presentation is loading. Please wait.

Presentation is loading. Please wait.

Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005.

Published byGertrude Davis Modified over 8 years ago

Similar presentations

Presentation on theme: "Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005."— Presentation transcript:

1 Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005

2 Types of Threats Threats against the network Threats against the host Threats against the application NetworkHostApplication

3 Application Security Error handling Error handling Form authentication Form authentication Input validation Input validation Data access & data protection Data access & data protection

4 Error Handling Use web.config to handle errors Three different modes for customErrors or =“Off” or =“On” Use web.config to handle errors Three different modes for customErrors or =“Off” or =“On” Off – display detailed asp.net error information Off – display detailed asp.net error information On – display custom (friendly) messages. On – display custom (friendly) messages. RemoteOnly – no detailed error for remote clients. RemoteOnly – no detailed error for remote clients.

5 Securing the site with error handling Example 1 Example 1

6 Site Security By default, site users are anonymous. By default, site users are anonymous. They may need to be authenticated and authorized. Authentication: the process of verifying a user’s identity. Authorization: to measure or establish the power or permission that has been given or granted by an authority. They may need to be authenticated and authorized. Authentication: the process of verifying a user’s identity. Authorization: to measure or establish the power or permission that has been given or granted by an authority.

7 ASP.Net Authentication 4 different modes of authentication. - Windows: uses windows authentication system on the web server (for intranet). - Forms: uses ASP.Net form-based authentication (for internet). - Passport: uses Microsoft’s Passport Authentication - None: no authentication. 4 different modes of authentication. - Windows: uses windows authentication system on the web server (for intranet). - Forms: uses ASP.Net form-based authentication (for internet). - Passport: uses Microsoft’s Passport Authentication - None: no authentication.

8 Specifying Authentication Type Web.config

9 Forms Authentication Options <!-- forms Attributes: name="[cookie name]" - Authentication cookie name loginUrl="[url]" - URL of login page protection="[All|None|Encryption|Validation]" timeout="[minutes]" - Length of time cookie valid path="/" - Cookie path requireSSL="[true|false]" - Restrict cookie to SSL? slidingExpiration="[true|false]" - Renew cookie? --> See Page 862. Web.config

10 Authenticating Against the Web.Config file <configuration><system.web> <forms name=“.MyCookie" loginUrl=“Login.aspx” <forms name=“.MyCookie" loginUrl=“Login.aspx” protection=“All" protection=“All" timeout="15” timeout="15” path="/" > path="/" > </forms> </system.web></configuration>

11 User Authorization Web.config

12 The Login Page First provide a namespace to the classes in the top of your class module as follows: Imports System.Web.Security First provide a namespace to the classes in the top of your class module as follows: Imports System.Web.Security

13 The Login Page (cont.)

14 Using the Authenticate() Method Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then FormsAuthentication.RedirectFromLoginPage(txtName.Text, False) Else lblMessage.Text = "Bad Login" End If End Sub

15 Global.Asax protected void Application_AuthenticateRequest(Object sender, EventArgs e) {if (HttpContext.Current.User != null) {if (HttpContext.Current.User.Identity.IsAuthenticated) {if (HttpContext.Current.User.Identity.IsAuthenticated) { if (HttpContext.Current.User.Identity is FormsIdentity) { if (HttpContext.Current.User.Identity is FormsIdentity) { // Get Forms Identity From Current User { // Get Forms Identity From Current User FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity; // Get Forms Ticket From Identity object // Get Forms Ticket From Identity object FormsAuthenticationTicket ticket = id.Ticket; // Retrieve stored user-data (our roles from db) string userData = ticket.UserData; string[] roles = userData.Split(','); // Create a new Generic Principal Instance and assign to Current User // Create a new Generic Principal Instance and assign to Current User HttpContext.Current.User = new GenericPrincipal(id, roles); } } } }

16 The Authenticate() Method (cont.) The FormsAuthentication Object handles form security as specified in the Web.Config. The FormsAuthentication Object handles form security as specified in the Web.Config. RedirectFromLogin Page redirects to the requested page if the user has the permission. RedirectFromLogin Page redirects to the requested page if the user has the permission.

17 Authenticating Against a Database cnn.Open() Dim i As Integer Dim myCommand As New SqlClient.SqlCommand myCommand.Connection = cnn myCommand.CommandText = "select * from userList where uname='" & _ txtName.Text & "' and upassword='" & txtPassword.Text & "'" i = myCommand.ExecuteScalar If i > 0 Then FormsAuthentication.RedirectFromLoginPage(txtName.Text, False) Else lblMessage.Text = "Bad Login" End If Cnn.Close() End Sub

18 SQL Injection Exploits applications that use external input in database commands Exploits applications that use external input in database commands The technique: The technique: Find a field or query string parameter used to generate SQL commands Find a field or query string parameter used to generate SQL commands Submit input that modifies the commands Submit input that modifies the commands Compromise, corrupt, and destroy data Compromise, corrupt, and destroy data

19 How SQL Injection Works SELECT COUNT (*) FROM Users WHERE UserName=‘Jeff’ AND Password=‘imbatman’ SELECT COUNT (*) FROM Users WHERE UserName=‘’ or 1=1-- AND Password=‘’ Model Query Malicious Query "or 1=1" matches every record in the table "--" comments out the remainder of the query

20 Avoid SQL Injection Validation Control. Validation Control. SQL Stored Procedure. SQL Stored Procedure.

21 Accessing Data Securely Use stored procedures Never use sa to access Web databases Store connection strings securely Optionally use SSL/TLS or IPSec to secure the connection to the database server 2 Apply administrative protections to SQL Server

22 The sa Account For administration only; never use it to access a database programmatically For administration only; never use it to access a database programmatically Instead, use one or more accounts that have limited database permissions Instead, use one or more accounts that have limited database permissions For queries, use SELECT-only account For queries, use SELECT-only account Better yet, use stored procs and grant account EXECUTE permission for the stored procs Better yet, use stored procs and grant account EXECUTE permission for the stored procs Reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE) Reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE)

23 Creating a Limited Account USE Login GO -- Add account named webuser to Login database EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login' -- Grant webuser access to the database EXEC sp_grantdbaccess 'webuser' -- Limit webuser to calling proc_IsUserValid GRANT EXECUTE ON proc_IsUserValid TO webuser

24 Connection Strings Storing plaintext database connection strings in Web.config is risky Storing plaintext database connection strings in Web.config is risky Vulnerable to file disclosure attacks Vulnerable to file disclosure attacks Storing encrypted database connection strings increases security Storing encrypted database connection strings increases security Encrypting connection strings is easy Encrypting connection strings is easy System.Security.Cryptography classes System.Security.Cryptography classes

25 Databse Passwords Encrypting Encrypting string name = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text,"MD5"); Decrypting Decrypting string pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text,"MD5"); string command = "SELECT roles FROM users WHERE username = '" + TextBox1.Text + "' AND pass = '" + pwd + "'";

26 Thank You

Download ppt "Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.

ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.

ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows.

Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Design Aspects. User Type the URL address on the cell phone or web browser Not required to login.

Design Aspects. User Type the URL address on the cell phone or web browser Not required to login.
Web Site Security ISYS 512/812. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows:

Web Site Security ISYS 512/812. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows:
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Security in.NET Framework Sergey Baidachni MCT, MCSD, MCDBA.

Security in.NET Framework Sergey Baidachni MCT, MCSD, MCDBA.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Website Security ISYS 512. Cookies Data in Cookies System.Web Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One.

Website Security ISYS 512. Cookies Data in Cookies System.Web Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Role based Security in.NET By By Aasia Riasat Aasia RiasatCS-795.

Role based Security in.NET By By Aasia Riasat Aasia RiasatCS-795.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Similar presentations

Ads by Google