Effective Security in ASP.Net Applications - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

Effective Security in ASP.Net Applications

Description:

... strings increases security Encrypting connection strings is easy System.Security.Cryptography classes Databse Passwords Encrypting string name ... – PowerPoint PPT presentation

Number of Views:108
Avg rating:3.0/5.0
Slides: 27
Provided by: Chan137
Learn more at: https://www.cs.odu.edu
Category:

less

Transcript and Presenter's Notes

Title: Effective Security in ASP.Net Applications


1
Effective Security in ASP.Net Applications
  • Jatin Sharma Summer 2005

2
Types of Threats
Network
Host
Application
Threats against the network

Threats against the host
Threats against the application
3
Application Security
  • Error handling
  • Form authentication
  • Input validation
  • Data access data protection

4
Error Handling
  • Use web.config to handle errorsThree different
    modes for customErrorsltcustomErrors
    modeRemoteOnly /gt
    or Off or
    On
  • Off display detailed asp.net error information
  • On display custom (friendly) messages.
  • RemoteOnly no detailed error for remote clients.

5
Securing the site with error handling
  • Example 1ltcustomErrors mode"On"
    defaultRedirect"error.aspx"/gt

6
Site Security
  • By default, site users are anonymous.
  • They may need to be authenticated and
    authorized.Authentication the process of
    verifying a users identity.Authorization to
    measure or establish the power or permission that
    has been given or granted by an authority.

7
ASP.Net Authentication
  • 4 different modes of authentication.- Windows
    uses windows authentication system on the web
    server (for intranet).- Forms uses ASP.Net
    form-based authentication (for internet).-
    Passport uses Microsofts Passport
    Authentication- None no authentication.

8
Specifying Authentication Type
  • Web.config

ltconfigurationgt ltsystem.webgt lt!--
mode"WindowsPassportFormsNone" --gt
ltauthentication mode"Windows" /gt
lt/system.webgt lt/configurationgt
9
Forms Authentication Options
Web.config
ltconfigurationgt ltsystem.webgt
ltauthentication mode"Forms"gt lt!--
forms Attributes name"cookie name" -
Authentication cookie name
loginUrl"url" - URL of login page
protection"AllNoneEncryptionValidation"
timeout"minutes" - Length of time cookie
valid path"/" - Cookie path
requireSSL"truefalse" - Restrict cookie to
SSL? slidingExpiration"truefalse" -
Renew cookie? --gt lt/authenticationgt
lt/system.webgt lt/configurationgtSee Page 862.
10
Authenticating Against the Web.Config file
  • ltconfigurationgt
  • ltsystem.webgt
  • ltauthentication mode"Forms"gt
  • ltforms name.MyCookie"
    loginUrlLogin.aspx
  • protectionAll"
  • timeout"15
  • path"/" gt
  • ltcredentials passwordFormatCleargt
    ltuser nameSam passwordSecret /gt
    ltuser nameFred passwordFred /gt
  • lt/credentialsgt
  • lt/formsgt
  • lt/authenticationgt
  • lt/system.webgt
  • lt/configurationgt

11
User Authorization
Web.config
lt!-- Deny access to anonymous (unauthenticated)
users --gt ltdeny users"?" /gt lt!-- Grant access
to Robin and Tim but no one else --gt ltallow
users"Bob, Alice" /gt ltdeny users"" /gt lt!--
Grant access to everyone EXCEPT Bob and Alice
--gt ltdeny usersRobin, Tim" /gt ltallow users""
/gt lt!-- Grant access to any manager --gt ltallow
roles"Manager" /gt ltdeny users"" /gt
12
The Login Page
  • First provide a namespace to the classes in the
    top of your class module as followsImports
    System.Web.Security

13
The Login Page (cont.)
14
Using the Authenticate() Method
Private Sub Button1_Click(ByVal sender As
System.Object, ByVal e As System.EventArgs)
Handles Button1.Click If FormsAuthentication.Aut
henticate(txtName.Text, txtPassword.Text) Then
FormsAuthentication.RedirectFromLoginPage
(txtName.Text, False) Else
lblMessage.Text "Bad Login" End IfEnd Sub
15
Global.Asax
  • protected void Application_AuthenticateRequest(Obj
    ect sender, EventArgs e)
  • if (HttpContext.Current.User ! null)
  • if (HttpContext.Current.User.Identity.IsA
    uthenticated)
  • if (HttpContext.Current.
    User.Identity is FormsIdentity)
  • // Get Forms Identity From
    Current User
  • FormsIdentity id (FormsIdentity)HttpContext.
    Current.User.Identity
  • // Get Forms Ticket From Identity object
  • FormsAuthenticationTicket ticket id.Ticket
  • // Retrieve stored user-data (our roles from
    db)
  • string userData ticket.UserData
  • string roles userData.Split(',')
  • // Create a new Generic Principal Instance
    and assign to Current User

16
The Authenticate() Method (cont.)
  • The FormsAuthentication Object handles form
    security as specified in the Web.Config.
  • RedirectFromLogin Page redirects to the requested
    page if the user has the permission.

17
Authenticating Against a Database
cnn.Open() Dim i As Integer Dim
myCommand As New SqlClient.SqlCommand
myCommand.Connection cnn
myCommand.CommandText "select from userList
where uname'" _ txtName.Text "'
and upassword'" txtPassword.Text "'"
i myCommand.ExecuteScalar If i
gt 0 Then FormsAuthentication.RedirectF
romLoginPage(txtName.Text, False) Else
lblMessage.Text "Bad Login"
End If Cnn.Close() End Sub
18
SQL Injection
  • Exploits applications that use external input in
    database commands
  • The technique
  • Find a ltformgt field or query string parameter
    used to generate SQL commands
  • Submit input that modifies the commands
  • Compromise, corrupt, and destroy data

19
How SQL Injection Works
Model Query
SELECT COUNT () FROM Users WHERE
UserNameJeff AND Passwordimbatman
Malicious Query
SELECT COUNT () FROM Users WHERE UserName or
11-- AND Password
"or 11" matches every record in the table
"--" comments out the remainder of the query
20
Avoid SQL Injection
  • Validation Control.
  • SQL Stored Procedure.

21
Accessing Data Securely
Use stored procedures
Never use sa to access Web databases
Store connection strings securely
Apply administrative protections to SQL Server
Optionally use SSL/TLS or IPSec to secure
the connection to the database server 2
22
The sa Account
  • For administration only never use it to access a
    database programmatically
  • Instead, use one or more accounts that have
    limited database permissions
  • For queries, use SELECT-only account
  • Better yet, use stored procs and grant account
    EXECUTE permission for the stored procs
  • Reduces an attacker's ability to execute harmful
    commands (e.g., DROP TABLE)

23
Creating a Limited Account
USE Login GO -- Add account named webuser to
Login database EXEC sp_addlogin 'webuser',
'mxyzptlk', 'Login' -- Grant webuser access to
the database EXEC sp_grantdbaccess 'webuser' --
Limit webuser to calling proc_IsUserValid GRANT
EXECUTE ON proc_IsUserValid TO webuser
24
Connection Strings
  • Storing plaintext database connection strings in
    Web.config is risky
  • Vulnerable to file disclosure attacks
  • Storing encrypted database connection strings
    increases security
  • Encrypting connection strings is easy
  • System.Security.Cryptography classes

25
Databse Passwords
  • Encrypting
  • string name FormsAuthentication.HashPasswordForS
    toringInConfigFile(TextBox2.Text,"MD5")
  • Decrypting
  • string pwd FormsAuthentication.HashPasswordForSt
    oringInConfigFile(TextBox2.Text,"MD5")
  • string command "SELECT roles FROM users WHERE
    username '" TextBox1.Text "' AND pass '"
    pwd "'"

26
Thank You
Write a Comment
User Comments (0)
About PowerShow.com