Current Popular IT I, Session 9. Course: T0403/Current Popular IT I. Year: 2008.


Slide 1: Current Popular IT I, Session 9. Course: T0403/Current Popular IT I. Year: 2008.

Slide 2: Learning Outcomes
Learners know the security details of ASP.NET.
Learners can implement security in ASP.NET.
Learners can use the security controls in ASP.NET.
Bina Nusantara. Copyright © Surya Sujarwo 2008

Slide 3: Material Outline
What, Why, Who in Security
Treating the Client with Caution
Storing Secrets
Securing Database Access
Implementing Password Policies
Impersonation
Validation in Depth
Using Login Controls
Using ASP.NET Membership
Security Processing for Each Request
Configuring System Security
A Matter of Trust
Forms Authentication
Session State
Security for Pages and Compilation
The Provider Model
Membership
SqlMembershipProvider
Role Manager
SqlRoleProvider

Slide 4: What, Why, Who in Security
What?
  – Vulnerability: the application can be used in a way other than the one intended
  – Threat: the possibility that a vulnerability is used
  – Exploit: using a vulnerability to realise a threat
Why?
  – Web applications are a double-edged sword
  – The law: "Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction."
  – Attacks on web applications: unauthorized access, code execution, denial of service, information theft, damage to information
References: Professional ASP.NET Security (Russ Basiura et al., 2002)

Slide 5: What, Why, Who in Security (continued)
  – Buffer overflows
  – Script injection and cross-site scripting (for example, to steal cookies)
  – SQL injection
  – Distributed denial of service (DDoS): many machines attack one
  – Social engineering: people are tricked
  – Brute-force attacks
  – Everybody is attacked sooner or later
  – Security is not just about keeping people out
Who?
  – The network (network administrators)
  – Web servers (application designers)
  – Database servers (database administrators)
  – Client machines (programmers, users, managers)
References: Professional ASP.NET Security (Russ Basiura et al., 2002)

Slide 6: Treating the Client with Caution
Script injection
  – Prevent scripts from being submitted through textbox input
Cross-site scripting
  – Don't loop through the whole QueryString collection blindly
  – Check each QueryString value for a possible attack
SQL injection
  – Use parameters in SQL queries
  – Use validation, filtering and encoding on input fields
References: Professional ASP.NET Security (Russ Basiura et al., 2002)
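As an added example (not code from the slides or the cited books), the same user lookup written with string concatenation and with a SqlParameter, plus the stored-procedure form that slide 8 recommends; the table, column and procedure names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // VULNERABLE (for contrast only): the user's input becomes part of the SQL text, so a
    // single quote in the value changes the structure of the statement instead of being data.
    public static string BuildUnsafeSql(string userName)
    {
        return "SELECT UserId FROM Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the SQL text is fixed; the value is sent as a typed parameter and can never be
    // interpreted as SQL, whatever characters it contains.
    public static int? FindUserId(string connectionString, string userName)
    {
        // Validation and filtering come first (slide 6): reject anything outside the expected
        // shape instead of trying to "clean" it. The length rule is an assumption for the example.
        if (string.IsNullOrEmpty(userName) || userName.Length > 256)
            throw new ArgumentException("user name has an unexpected length", "userName");

        const string sql = "SELECT UserId FROM Users WHERE UserName = @UserName";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value) return null;
            return Convert.ToInt32(result);
        }
    }

    // Same query through a stored procedure (assumed name dbo.FindUserId), which also lets the
    // database grant EXECUTE on the procedure only, instead of SELECT on the table (slide 8).
    public static int? FindUserIdViaProc(string connectionString, string userName)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.FindUserId", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? (int?)null : Convert.ToInt32(result);
        }
    }
}
```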

Slide 7: Storing Secrets
In a .config file
In memory (Application state)
Use hashing (FormsAuthentication.HashPasswordForStoringInConfigFile)
Use the Data Protection API (DPAPI)
  – CryptProtectData
  – CryptUnprotectData
References: Professional ASP.NET Security (Russ Basiura et al., 2002)
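An added example (not from the slides) of the two techniques on this slide: hashing a password for the web.config credentials section, and protecting a connection string with DPAPI through the managed ProtectedData wrapper (System.Security.dll) rather than P/Invoking CryptProtectData directly; the entropy string and connection string are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

public static class SecretStore
{
    // Digest in the form expected by <credentials passwordFormat="SHA1"> in web.config.
    // Caveat: the digest is unsalted, so two users with the same password get the same hash.
    public static string HashForConfig(string password)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
    }

    // DPAPI (managed wrapper over CryptProtectData). CurrentUser scope ties the blob to the
    // Windows account that runs the worker process, so it must be created under that account.
    public static string Protect(string secret, byte[] entropy)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] blob = ProtectedData.Protect(plain, entropy, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    // Reverse of Protect (CryptUnprotectData); fails unless the same account and entropy are used.
    public static string Unprotect(string base64Blob, byte[] entropy)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plain = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed sample values; the entropy is an extra secret kept outside the blob.
        byte[] entropy = Encoding.UTF8.GetBytes("example-app-entropy");
        string connStr = "Server=dbserver;Database=Shop;User ID=shopapp;Password=example-only";

        string blob = Protect(connStr, entropy);
        Console.WriteLine("store this in web.config: " + blob);
        Console.WriteLine("recovered at runtime:     " + Unprotect(blob, entropy));
        Console.WriteLine("credentials hash:         " + HashForConfig("Passw0rd!"));
    }
}
```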

Slide 8: Securing Database Access
Use a component (DLL) to hold the connection string.
COM+ object construction
  – Using [ConstructionEnabled(Default="connectionstring")]
Using trusted connections
  – Trusted_Connection=yes
  – Uses the current ASPNET user account
Use stored procedures
  – Use WITH ENCRYPTION
References: Professional ASP.NET Security (Russ Basiura et al., 2002)

Slide 9: Implementing Password Policies
Set a minimum length
Require mixed case (upper and lower)
Require numbers and symbols
Require password updates
Choose random passwords for users
  – E-mail the new password or a change-password link
Prevent brute-force attacks
References: Professional ASP.NET Security (Russ Basiura et al., 2002)
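The policy items on this slide as one class (an added example, not code from the slides): a rule check, a random initial password drawn from a cryptographic RNG, and a sliding-window lockout for the brute-force item; the thresholds and the in-memory failure store are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

public class PasswordPolicy
{
    public int MinimumLength = 8;                            // thresholds are assumptions
    public int MaxFailedAttempts = 5;
    public TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);
    // Per-process store of failure times; a real deployment would persist this per account.
    private readonly Dictionary<string, Queue<DateTime>> failures = new Dictionary<string, Queue<DateTime>>();

    // Returns every rule the candidate breaks; an empty list means the password is acceptable.
    public List<string> Check(string password)
    {
        List<string> problems = new List<string>();
        string p = password ?? "";
        if (p.Length < MinimumLength) problems.Add("at least " + MinimumLength + " characters");
        if (!Regex.IsMatch(p, "[A-Z]") || !Regex.IsMatch(p, "[a-z]")) problems.Add("both upper and lower case");
        if (!Regex.IsMatch(p, "[0-9]")) problems.Add("at least one number");
        if (!Regex.IsMatch(p, "[^A-Za-z0-9]")) problems.Add("at least one symbol");
        return problems;
    }

    // Random initial password. System.Random is predictable, so use the crypto RNG; the alphabet
    // has exactly 64 symbols (ambiguous glyphs removed) so "byte % 64" introduces no bias.
    public static string GenerateRandom(int length)
    {
        const string alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!$%&*+-=@";
        byte[] bytes = new byte[length];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        char[] chars = new char[length];
        for (int i = 0; i < length; i++) chars[i] = alphabet[bytes[i] % alphabet.Length];
        return new string(chars);
    }

    // Brute-force defence: refuse the login before the password is even compared once the
    // window holds too many recent failures. The window slides, so the lockout ends by itself.
    public bool IsLockedOut(string userName, DateTime now)
    {
        Queue<DateTime> q;
        if (!failures.TryGetValue(userName, out q)) return false;
        while (q.Count > 0 && now - q.Peek() > LockoutWindow) q.Dequeue(); // forget old failures
        return q.Count >= MaxFailedAttempts;
    }
    public void RecordFailure(string userName, DateTime now)
    {
        if (!failures.ContainsKey(userName)) failures[userName] = new Queue<DateTime>();
        failures[userName].Enqueue(now);
    }
    public void RecordSuccess(string userName) { failures.Remove(userName); }
}
```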

Slide 10: Impersonation
Why?
  – Avoid granting privileges to the ASP.NET account
  – Allow user actions depending on the user's own privileges
Configured
  – Disable:
  – Enable:
  – Code:
References: Professional ASP.NET Security (Russ Basiura et al., 2002)
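The "Code" case of the slide as an added example (not from the slides): instead of enabling impersonation for the whole application with the web.config identity element, the page impersonates the caller only around the file read. It assumes Windows authentication (so User.Identity is a WindowsIdentity), a Label named OutputLabel in the markup, and a constructed file path.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class ReportPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            Response.StatusCode = 401;   // no Windows identity to impersonate
            return;
        }

        // Outside the block the thread runs as the ASP.NET process account.
        string processAccount = WindowsIdentity.GetCurrent().Name;

        string path = Server.MapPath("~/App_Data/report.txt");   // assumed path
        string content;
        using (caller.Impersonate())
        {
            // Inside the block the file ACL is evaluated against the caller, so a user without
            // read permission gets UnauthorizedAccessException even though the ASP.NET account
            // could read the file. Undo() runs when the block exits, exception or not.
            content = File.ReadAllText(path);
        }

        OutputLabel.Text = Server.HtmlEncode(
            "process account: " + processAccount + "; read as: " + caller.Name +
            Environment.NewLine + content);
    }
}
```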

Slide 11: Validation in Depth
Remember: user input is evil
Force the user to enter something (RequiredFieldValidator)
Ensure that a value is within a range (RangeValidator)
Check and compare values (CompareValidator)
Use the RegularExpressionValidator
To accept HTML in a textbox:
  – Use Server.HtmlEncode
References: ASP.NET 3.5 For Dummies (Ken Cox, 2008)
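An added example (not code from the slides or the book) of the server side of this slide: a CustomValidator rule, a Page.IsValid check that does not trust client-side validation, and Server.HtmlEncode on output. CommentBox, CommentValidator and EchoLabel are assumed to be declared in the .aspx markup, and the allow-list regex is an assumption.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CommentPage : Page
{
    // Allow-list rule for the CustomValidator: letters, digits, whitespace and a few
    // punctuation marks, 1 to 500 characters. The exact rule is an assumption for the example.
    private static readonly Regex Allowed = new Regex(@"^[\w\s.,!?'()-]{1,500}$");

    // Wired to CommentValidator's ServerValidate event in the markup.
    protected void CommentValidator_ServerValidate(object source, ServerValidateEventArgs args)
    {
        args.IsValid = Allowed.IsMatch(args.Value);
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // The client-side validators are a convenience only; a request can be sent without
        // them, so the server re-runs every validator and refuses to proceed on failure.
        Page.Validate();
        if (!Page.IsValid)
        {
            EchoLabel.Text = "Please correct the highlighted fields.";
            return;
        }

        // Encode on output so that whatever survived validation is rendered as text, never as
        // markup or script, when it is echoed back to the browser.
        EchoLabel.Text = Server.HtmlEncode(CommentBox.Text);
    }
}
```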

Slide 12: Using Login Controls
References: ASP.NET 3.5 Unleashed (Stephen Walther, 2008)

Slide 13: Using Login Controls (continued)
References: ASP.NET 3.5 Unleashed (Stephen Walther, 2008)

Slide 14: Using Login Controls (continued)
References: ASP.NET 3.5 Unleashed (Stephen Walther, 2008)

Slide 15: Using ASP.NET Membership
Setting expiration
Membership class
  – CreateUser: create a new user.
  – DeleteUser: delete an existing user.
  – FindUsersByEmail: retrieve all users who have a particular email address.
  – FindUsersByName: retrieve all users who have a particular username.
  – GeneratePassword: generate a random password.
  – GetAllUsers: retrieve all users.
  – GetNumberOfUsersOnline: retrieve a count of all users online.
  – GetUser: retrieve a user by username.
  – GetUserNameByEmail: retrieve the username for a user with a particular email address.
  – UpdateUser: update a user.
  – ValidateUser: validate a username and password.
References: ASP.NET 3.5 Unleashed (Stephen Walther, 2008)
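CreateUser and ValidateUser in use, as an added example (not code from the slides or the book): registration reports the provider's reason for refusing an account, and login issues the forms ticket without revealing whether the user name or the password was wrong. UserNameBox, PasswordBox, EmailBox and StatusLabel are assumed to be controls in the markup.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

public partial class AccountPage : Page
{
    protected void Register_Click(object sender, EventArgs e)
    {
        MembershipCreateStatus status;
        // The configured provider applies its own rules (minimum length, required
        // non-alphanumeric characters, unique e-mail) and reports why creation failed.
        MembershipUser user = Membership.CreateUser(UserNameBox.Text, PasswordBox.Text,
            EmailBox.Text, null, null, true, out status);
        if (user == null)
        {
            StatusLabel.Text = Server.HtmlEncode(Describe(status));
            return;
        }
        StatusLabel.Text = "Account created on " + user.CreationDate.ToString("u");
    }

    protected void Login_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(UserNameBox.Text, PasswordBox.Text))
        {
            // Issues the forms authentication ticket and returns to the originally requested page.
            FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, false);
        }
        else
        {
            // One message for "no such user" and "wrong password", so the login form does not
            // confirm which user names exist.
            StatusLabel.Text = "Invalid user name or password.";
        }
    }

    private static string Describe(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.DuplicateUserName: return "That user name is taken.";
            case MembershipCreateStatus.DuplicateEmail: return "That e-mail address is already registered.";
            case MembershipCreateStatus.InvalidPassword: return "The password does not meet the policy.";
            default: return "Registration failed: " + status;
        }
    }
}
```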

Slide 16: Security Processing for Each Request
ASP.NET synchronous pipeline events:
1. BeginRequest
2. AuthenticateRequest
3. PostAuthenticateRequest
4. AuthorizeRequest
5. PostAuthorizeRequest
6. ResolveRequestCache
7. PostResolveRequestCache
8. PostMapRequestHandler
9. AcquireRequestState
10. PostAcquireRequestState
11. PreRequestHandlerExecute
12. At this stage, the selected handler executes the current request. The most familiar handler is the Page handler.
13. PostRequestHandlerExecute
14. ReleaseRequestState
15. PostReleaseRequestState
16. UpdateRequestCache
17. PostUpdateRequestCache
18. EndRequest
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 17: Configuring System Security
Location path attribute
  – A specific page, e.g. default.aspx
  – A specific folder, e.g. "subfolder"
  – A combined path, e.g. "subfolder/default.aspx" or "subfolder/sub1"
  – A website name combined with nested path information, e.g. "Default Web Site/subfolderA"
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 18: Configuring System Security (continued)
Locking attributes (comma-separated lists)
  – lockAttributes
  – lockElements
  – lockAllAttributesExcept
  – lockAllElementsExcept
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 19: A Matter of Trust
Trust level and what it is used for:
Full: Any and all code is allowed to run. Mainly intended for backwards compatibility with ASP.NET 1.0 and 1.1 applications that were not aware of how to use CAS or how to work with ASP.NET trust levels.
High: Among other restrictions, ASP.NET code cannot call into unmanaged Win32 APIs. A good first step for securing Internet-facing ASP.NET applications.
Medium: Intended as the default trust level for shared hosting environments where multiple untrusted customers use the same machine. Also recommended for any Internet-facing production application.
Low: A set of permissions suitable for applications such as SharePoint that provide their own sandboxed execution environment. Also useful for read-only applications that don't require network access to other back-end servers.
Minimal: Locked-down web servers that allow only the bare minimum in your ASP.NET code. You will be able to add two numbers together and write out the result to a web page, but not much else.
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 20: A Matter of Trust (continued)
Configuring trust
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 21: Forms Authentication
Tasks
  – During AuthenticateRequest, the FormsAuthenticationModule checks the validity of the forms authentication ticket (carried in a cookie or in a cookieless format on the URL) if one exists. If a valid ticket is found, the result is a GenericPrincipal referencing a FormsIdentity as the value of HttpContext.Current.User. The actual information in the ticket is available as an instance of FormsAuthenticationTicket off the FormsIdentity.
  – During AuthorizeRequest, other modules and logic such as the UrlAuthorizationModule attempt to authorize access to the currently requested URL. If an authenticated user was not created earlier by the FormsAuthenticationModule, any URL that requires some type of authenticated user will fail authorization. However, even if forms authentication created a user, authorization rules that require roles can still fail unless you have written custom logic to associate a FormsIdentity with a set of roles, or used a feature like Role Manager that performs this association automatically.
  – If authorization fails during AuthorizeRequest, the current request is short-circuited and immediately forwarded to the EndRequest phase of the pipeline. The FormsAuthenticationModule runs during EndRequest and, if it detects that Response.StatusCode is set to 401, automatically redirects the current request to the login page configured for forms authentication (login.aspx by default).
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)
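An added example (not code from the slides or the book) that serves both the pipeline list on slide 16 and the three tasks on this slide: an IHttpModule that observes the request at AuthenticateRequest, PostAuthenticateRequest, AuthorizeRequest and EndRequest and writes what it sees (the principal, the FormsAuthenticationTicket, and a 401 left by authorization) to the ASP.NET trace. The module registration name and the "Security" trace category are assumptions; output appears in trace.axd when tracing is enabled.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class AuthTraceModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Event 2: FormsAuthenticationModule sets HttpContext.User here. Whether this handler
        // already sees the user depends on module order, so observe at event 3 as well.
        app.AuthenticateRequest += delegate { Log(app, "AuthenticateRequest"); };
        app.PostAuthenticateRequest += delegate { Log(app, "PostAuthenticateRequest"); };
        // Event 4: UrlAuthorizationModule evaluates the <authorization> rules for the URL.
        app.AuthorizeRequest += delegate { Log(app, "AuthorizeRequest"); };
        // Event 18: a 401 left by authorization is turned into a login-page redirect here.
        app.EndRequest += delegate { Log(app, "EndRequest"); };
    }

    private static void Log(HttpApplication app, string stage)
    {
        IPrincipal user = app.Context.User;
        string who = (user != null && user.Identity.IsAuthenticated) ? user.Identity.Name : "(anonymous)";
        string detail = "";

        // A forms-authenticated request carries a GenericPrincipal wrapping a FormsIdentity.
        FormsIdentity fid = (user == null) ? null : user.Identity as FormsIdentity;
        if (fid != null)
        {
            FormsAuthenticationTicket t = fid.Ticket;
            detail = " ticket issued " + t.IssueDate.ToString("u") + " expires " + t.Expiration.ToString("u")
                   + (t.IsPersistent ? " (persistent)" : "");
        }

        if (stage == "EndRequest")
        {
            detail += " status=" + app.Response.StatusCode;
            if (app.Response.StatusCode == 401)
                detail += " -> FormsAuthenticationModule will redirect to " + FormsAuthentication.LoginUrl;
        }

        app.Context.Trace.Write("Security", stage + ": user=" + who + detail);
    }

    public void Dispose() { }
}
```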

Slide 22: Session State
Session state is not equivalent to a logon session.
Security feature (Forms Authentication / Session State):
  – Control DNS domain of cookie: Yes / No
  – Control path of cookie: Yes / No
  – Require SSL for cookie: Yes / No
  – Information is shareable across applications: Yes / No
  – Supports absolute expirations: Yes / No
  – A valid identifier can be easily forged: No / Yes
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 23: Security for Pages and Compilation
Request validation
  – What is checked: form variables, query string variables, the Cookie collection
  – The check: < followed by an exclamation point (<!); < followed by a letter a through z (<a); & followed by a pound sign (&#)
Viewstate protection
  – Securing with:
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)
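The three request-validation rules from this slide as a small checker, added here as an example (not code from the slides or from the framework), so the rules can be tried against constructed inputs; the letter test is written case-insensitively.

```csharp
using System;

public static class RequestValidationCheck
{
    // Returns the index of the first character sequence the slide's rules reject, or -1 if the
    // value would pass: "<!", "<" followed by a letter, or "&#".
    public static int FindDangerousSequence(string value)
    {
        if (string.IsNullOrEmpty(value)) return -1;
        for (int i = 0; i + 1 < value.Length; i++)
        {
            char c = value[i];
            char next = value[i + 1];
            bool letter = (next >= 'a' && next <= 'z') || (next >= 'A' && next <= 'Z');
            if (c == '<' && (next == '!' || letter)) return i;   // <! or <a ... <z
            if (c == '&' && next == '#') return i;               // &#
        }
        return -1;
    }

    public static void Main()
    {
        // Constructed samples: plain text, a bare comparison sign (passes), and three inputs
        // that request validation rejects.
        string[] samples =
        {
            "hello world",
            "1 < 2 and 3 > 2",
            "<b>bold</b>",
            "price &#36;5",
            "<!-- note -->"
        };
        foreach (string s in samples)
        {
            int at = FindDangerousSequence(s);
            Console.WriteLine("{0,-20} {1}", s, at < 0 ? "passes" : "rejected at index " + at);
        }
    }
}
```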

Slide 24: The Provider Model
Why have providers?
  – Abstraction: the separation of functionality afforded by the device-driver model, while retaining the ability to write custom code
Patterns found in the provider model
  – Strategy: encapsulates important pieces of a feature's functionality so that they can be swapped out for a different implementation
  – Factory method: separates the creation of certain classes from the feature that consumes them
  – Singleton: a single instance
  – Façade: wraps complex details from multiple subsystems in an easy-to-use class or programming interface
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 25: Membership
Membership classes:
  – Membership
  – MembershipUser
  – MembershipProvider
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 26: SqlMembershipProvider
Options:
  – connectionStringName
  – commandTimeout
Default SqlProvider connection string:
Changing the default connection string:
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 27: Role Manager
Roles class
  – Provider (the default provider)
  – Providers
  – ApplicationName
  – Enabled
  – CacheRolesInCookie
  – MaxCachedResults
RolePrincipal class
  – GetRoles
  – IsInRole
  – ProviderName
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 28: Role Manager (continued)
RoleManagerModule tasks:
  – Early in the request lifecycle, it places a RolePrincipal instance on HttpContext.Current.User if the Role Manager feature is enabled. This work occurs during the PostAuthenticateRequest event.
  – At the end of a request, the module serializes the RolePrincipal into a cookie if cookie caching has been enabled for Role Manager. The module does this during the EndRequest event.
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)
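An added example (not code from the slides or the book) of what the RolePrincipal placed by RoleManagerModule gives a page: an in-page role check that backs up the URL authorization rules, and a look at whether the role list came from the cookie cache. RolesLabel and CacheLabel are assumed to be Label controls, and the role name "Administrators" is an assumption.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class AdminPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // UrlAuthorizationModule has already applied the <authorization> rules for this URL.
        // A second, in-page check guards the specific action so that a mis-edited web.config
        // cannot silently expose it. IsInRole on a RolePrincipal consults the cache or provider.
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Administrators"))
        {
            // A 401 here is what FormsAuthenticationModule turns into a login redirect at EndRequest.
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // With Role Manager enabled, RoleManagerModule replaced HttpContext.User with a
        // RolePrincipal during PostAuthenticateRequest.
        RolePrincipal principal = User as RolePrincipal;
        if (principal == null)
        {
            RolesLabel.Text = "Role Manager is not enabled for this application.";
            return;
        }

        RolesLabel.Text = Server.HtmlEncode(string.Join(", ", principal.GetRoles()));

        // With cacheRolesInCookie="true" the list may have come from the role cookie instead of
        // the provider; the principal reports which, and when the cached copy expires.
        CacheLabel.Text = principal.IsRoleListCached
            ? "roles served from the cookie cache, expires " + principal.ExpireDate.ToString("u")
            : "roles fetched from provider " + principal.ProviderName;
    }
}
```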

Slide 29: SqlRoleProvider
Enable Role Manager
The data layer for the role manager
References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Slide 30: That's All. Thank you for your attention.
