Presentation is loading. Please wait.

Presentation is loading. Please wait.

DEV301 Building Secure ASP.NET Applications Scott Guthrie ASP.NET Team.

Published byGervais Reed Modified over 8 years ago

Similar presentations

Presentation on theme: "DEV301 Building Secure ASP.NET Applications Scott Guthrie ASP.NET Team."— Presentation transcript:

1 DEV301 Building Secure ASP.NET Applications Scott Guthrie ASP.NET Team

2

3 Agenda  ASP.NET Security Concepts Process Identity Authentication Authorization Role-Based Security Encryption Defending against Common Web Hacks Client Side Script Injection Attacks SQL Injection Attacks

4 Slides and code posted at: http://www.scottgu.com

5 ASP.NET Security Concepts Process Identity Windows Account server code runs under Authentication Identifying username of a client Authorization Controlling access of an authenticated user Role Based Security Organizing authenticated identities into custom groups and controlling access by those groups Encryption Protecting traffic between server and client

6 Process Identity

7 Process Identity refers to the Windows Account that your ASP.NET server code runs under “ASPNET” account default on Win2000 and XP “Network Service” account default under Win2003 Recommendation: Give process account as few permissions as possible (ex: ASP.NET can’t by default write to files) Strongly recommend keeping the out of the box process default process identity unless you have a very good reason to change it

8 Setting Process Identity ASP.NET on Win 2003 enables per-application process identities (configured via app pools) Each application can run under unique account Easily configured via IIS MMC Admin Tool ASP.NET on Win 2000 and Win XP enables per- machine process identity (shared for all apps) Can enable per application impersonated identity – but worker process identity shared for all apps Process account configured in machine.config file ASPNET_SetReg.exe allows the machine.config process username/password to be encrypted (new feature with ASP.NET V1.1)

9 Authentication

10 Authentication is the process of identifying and verifying “who is” a visiting browser Example: REDMOND\scottgu Example: scottgu@microsoft.comscottgu@microsoft.com Example: puid:8934839938439839843 Three built-in authentication options: Windows Authentication Forms Based (Cookie) Authentication Microsoft Passport Authentication You can create your own modules for custom authentication approaches

11 Authentication Code Application security code the same regardless of authentication mode used “User” component provides identity properties “Request.IsAuthenticated” property ‘ Output custom welcome message to user If (Request.IsAuthenticated = true) Then WelcomeMsg.Text = “Hi “ & User.Identity.Name WelcomeMsg.Text = “Hi “ & User.Identity.Name End If …….

12 Windows Authentication Authenticates usernames/passwords against NT SAM or Active Directory Ideal for Intranet security scenarios Credential resolution handled directly by browser/server NTLM (under the covers) Basic/Digest dialog pop-up if NTLM fails User.Identity.Name returns NT account: DOMAIN\username: REDMOND\scottgu

13 Windows Authentication Enable windows authentication by placing web.config file in app root: <configuration> </configuration>

14 Windows Authentication demo demo

15 Forms Authentication Utilizes html based sign-in login form to prompt users for username/password Login page UI completely customizable Username/password store flexibility Can be stored anywhere, including database Ideal for Internet scenarios Works with any browser and any OS Doesn’t require any NT accounts on server

16 How Forms Authentication Works Web Browser 1 1.HTTP GET securepage.aspx 2 2. HTTP 302 Redirect Location: login.aspx 3 3. HTTPS POST login.aspx 5 5. HTTP 200 Status OK Set-Cookie:.ASPXAUTH Auth Ticket 6 6. HTTP GET securepage.aspx Cookie:.ASPXAUTH Auth Ticket 4 4. App authentication IIS/ASP.NET Database

17 Implementing Forms Auth Developer Steps: 1) Configure Web.Config for Forms auth 2) Write your Login page 3) Implement password check in login page

18 Forms Auth Web.Config <configuration> <forms name=“.MyAppCookieName” <forms name=“.MyAppCookieName” loginUrl=“login.aspx” loginUrl=“login.aspx” protection=“all” protection=“all” timeout=“30” timeout=“30”requireSSL=“false” slidingExpiration=“true” slidingExpiration=“true” path=“/” /> path=“/” /> </configuration>

19 Forms Auth Web.Config Consistent machine keys must be set for web farm scenarios <configuration> <machineKey validationKey=“autogenerate” <machineKey validationKey=“autogenerate” decryptionKey=“autogenerate” decryptionKey=“autogenerate” validation=“SHA1” /> validation=“SHA1” /> </configuration>

20 Writing A Login Page 1) Provide your Custom HTML UI Typically have textboxes + checkboxes 2) Login button event handler Validate username/password however you want (database call, AD call, etc) 3) Call ASP.NET APIs to: Issue authentication cookie Redirect to original URL

21 FormsAuthentication Class RedirectFromLoginPage Method After authentication, redirects back to original request URL GetAuthCookie Method Retrieves the authentication cookie (doesn’t add it to the outgoing response) SetAuthCookie Method Appends the authentication cookie to the outgoing response (no redirect)

22 Forms Authentication demo demo

23 .NET Passport Authentication Single sign-in across member sites No separate usernames/passwords required Large installed based: 165 million users today Built-in support within Windows XP Ideal for Internet security scenarios Integrated into ASP.NET authentication Requires Passport SDK installation More details at http://www.passport.com

24 Custom Web Authentication Application.AuthenticateRequest event Implemented in Global.asax or Http Module (implement IHttpModule) Scenarios: Custom SOAP authentication Non-cookie forms auth for mobile devices Customize forms authentication

25 Authorization

26 Authorization Strategies 1) Windows Security & ACLs ACLs checked for Windows authentication Independent of impersonation 2) URL Authorization Imperative “allow” or “deny” tags Supports non-Windows accounts Easy XCopy Deployment Solution 3) Custom Authorization Role your own (database calls, etc)

27 Using URL Authorization Example: deny user “fred”, allow “scott” and “mary” <configuration> </configuration>

28 Using URL Authorization Example: deny user “fred”, allow all other users <configuration> </configuration>

29 Using URL Authorization Example: deny anonymous users (force authentication to take place) <configuration> </configuration>

30 Using URL Authorization Example: force authentication only on the Checkout.aspx page <configuration> </configuration>

31 URL Authorization demo demo

32 Custom Web Authorization Application.AuthorizeRequest event Implemented in Global.asax or Http Module (implement IHttpModule) Scenarios: Implement per-request billing system Restrict access based on time of day or other custom parameters Restrict access based on behaviors (e.g. implement a per-day access limit, etc).

33 Role Based Security

34 Custom Roles Role based security allows application devs to define custom identity groups Roles not tied to NT domain groups Examples: “Brokers”, “SalesPeople”, “Admin”, “Premium” Enables more flexible authorization of resources and code than per user checks Declaratively through Web.Config Through code: User.IsInRole method Goal: Application administrators can modify role members once app deployed No code or configuration changes required

35 Defining Roles Roles are specified programmatically using Application_Authenticate event Implemented in Global.asax or Http Module (implement IHttpModule) ‘ Global.asax Authenticate Event Handler Sub Application_Authenticate(Sender as Object, E as EventArgs) Dim roles() as String = GetRolesFromMyDB(User.Identity.Name) Dim roles() as String = GetRolesFromMyDB(User.Identity.Name) Context.User = new GenericPrincipal(User.Identity, roles) Context.User = new GenericPrincipal(User.Identity, roles) End Sub

36 Authorizing against Roles Roles can be used to grant/deny access within Web.Config files: <configuration> </configuration>

37 Roles and Code User.IsInRole() method can be used to check roles within code at runtime ‘ Restrict who can make expensive purchase If ((amount < 10000) Or (User.IsInRole(“VP”)) Then ‘ Do purchase ‘ Do purchaseElse Throw New Exception(“You require VP expense approval!”) Throw New Exception(“You require VP expense approval!”) End If

38 Role Based Security demo demo

39 Encryption

40 ASP.NET supports wire encryption of network traffic using SSL through IIS https://www.foobar.com/login.aspx Request.IsSecureConnection Indicates whether request is SSL based System.Security.Cryptography.NET Namespace provides cryptographic encoding/decoding of arbitrary data

41 Encryption Recommendations: Use SSL when passing username/ password credentials over the web Encrypt or one-way hash passwords stored within databases (secures in event of DB penetration) Never store secrets or passwords in clear text – use framework to encrypt within a secret store (example: DAPI)

42 Common Web Hacks

43 Client Side Script Injection Very common hacking technique used on the web today Hacker Technique: Find place on website where input is taken from users, and then redisplayed on a page Provide client-side script for input, unless developer html encodes it on the server, the script will execute when redisplayed Note: All web applications (PHP, ASP, JSP and ASP.NET) susceptible to this

44 CSS Injection Example Sub Page_Load() Sub Page_Load() Label1.Text = “Hello “ & Request.QueryString(“name”) Label1.Text = “Hello “ & Request.QueryString(“name”) End Sub End Sub</script><html> </html> Home.aspx?name=<script>alert(‘Gotcha!’);</script>

45 Client Side Script Injection Prevention Techniques: HtmlEncode all inputs from the browser Server.HtmlEncode(input) HttpUtility.HtmlEncode(input) ASP.NET V1.1 ValidateRequest feature Enabled by default in ASP.NET V1.1 Detects and raises error when some common CSS attacks are passed to server Still use HtmlEncode in addition though!

46 Client Side Script Injection demo demo

47 SQL Injection Attacks Very dangerous hacking technique – leads to data loss/corruption/penetration Hacker Technique: Find place on website where input is taken from users (not necessarily redisplayed) Assume input is being used in a database operation, try to escape out of a developer’s late-bound database query and cause alternative query to be executed Note: All web applications (PHP, ASP, JSP and ASP.NET) susceptible to this

48 SQL Injection Example Sub Page_Load() Sub Page_Load() Dim connection As SqlConnection Dim connection As SqlConnection Dim command As SqlCommand Dim command As SqlCommand Dim query As String Dim query As String query = "SELECT * from Products Where QtyInStock > " & Request ("qtyinstock") query = "SELECT * from Products Where QtyInStock > " & Request ("qtyinstock") connection = New SqlConnection(ConfigurationSettings.AppSettings(“products")) connection = New SqlConnection(ConfigurationSettings.AppSettings(“products")) command = New SqlCommand(query, connection) command = New SqlCommand(query, connection) connection.Open() connection.Open() DataGrid1.DataSource = command.ExecuteReader() DataGrid1.DataSource = command.ExecuteReader() DataGrid1.DataBind() DataGrid1.DataBind() connection.Close() connection.Close() End Sub End Sub</script>

49 SQL Injection Prevention Always, Always, Always use type-safe SQL parameters for data access -> no lazily constructed SQL statements Use stored procedures for data access and avoid dynamic SQL statements Make sure you use parameters when calling the SROCS or still be susceptible to attacks! Disable dynamic SQL statement in DB – require all access through SPROCs you write Limit the ASP.NET account to only have access to the SPROCs it needs

50 SQL Injection demo demo

51 Summary Security is a critical feature of every app Design and incorporate it up front Always be vigilant about potential attacks ASP.NET provides a rich and flexible security architecture Built-in support for common scenarios Flexible enough for custom adapting

52 Slides and code posted at: http://www.scottgu.com

53 Additional Resources Online Discussion Groups: www.asp.netwww.asp.net Security Forum www.aspadvice.comwww.aspadvice.com Security Listserv Microsoft Prescriptive Guidance Books: http://msdn.microsoft.com/practices/ Watch for: Improving Web Application Security – Threats and Countermeasures patterns & practices book (currently in beta)

54 Suggested Reading And Resources The tools you need to put technology to work! TITLE Available Microsoft® ASP.NET Setup and Configuration Pocket Reference: 0-7356-1936-0 Today Performance Testing Microsoft®.NET Web Applications: 0-7356- 1538-1 Today Microsoft Press books are 20% off at the TechEd Bookstore Also buy any TWO Microsoft Press books and get a FREE T-Shirt

55 evaluations evaluations

56 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Download ppt "DEV301 Building Secure ASP.NET Applications Scott Guthrie ASP.NET Team."

Similar presentations

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.

ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
IIS v7.0 Martin Parry Developer & Platform Group Microsoft Limited

IIS v7.0 Martin Parry Developer & Platform Group Microsoft Limited
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Developing an ASP.NET Application and using the Mobile Internet Toolkit Bart Vande Ghinste Developer Consultant Microsoft Belux.

Developing an ASP.NET Application and using the Mobile Internet Toolkit Bart Vande Ghinste Developer Consultant Microsoft Belux.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

Similar presentations

Ads by Google