
Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005.


1 Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005

2 Types of Threats
- Threats against the network
- Threats against the host
- Threats against the application

3 Application Security
- Error handling
- Form authentication
- Input validation
- Data access & data protection

4 Error Handling
Use web.config to handle errors. The customErrors element's mode attribute takes one of three values: mode="RemoteOnly", mode="Off" or mode="On".
- Off – display detailed ASP.NET error information.
- On – display custom (friendly) messages.
- RemoteOnly – no detailed error for remote clients.

5 Securing the site with error handling
Example 1

6 Site Security
By default, site users are anonymous. They may need to be authenticated and authorized.
- Authentication: the process of verifying a user’s identity.
- Authorization: to measure or establish the power or permission that has been given or granted by an authority.

7 ASP.Net Authentication
4 different modes of authentication:
- Windows: uses the Windows authentication system on the web server (for intranet).
- Forms: uses ASP.Net form-based authentication (for internet).
- Passport: uses Microsoft’s Passport authentication.
- None: no authentication.

8 Specifying Authentication Type Web.config

9 Forms Authentication Options (Web.config)
<!-- forms attributes:
  name="[cookie name]"                           - Authentication cookie name
  loginUrl="[url]"                               - URL of login page
  protection="[All|None|Encryption|Validation]"  - How the cookie is protected
  timeout="[minutes]"                            - Length of time cookie valid
  path="/"                                       - Cookie path
  requireSSL="[true|false]"                      - Restrict cookie to SSL?
  slidingExpiration="[true|false]"               - Renew cookie?
-->
See page 862.

10 Authenticating Against the Web.Config file
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".MyCookie" loginUrl="Login.aspx" protection="All" timeout="15" path="/">
      </forms>
    </authentication>
  </system.web>
</configuration>

11 User Authorization Web.config

12 The Login Page
First provide a namespace to the classes at the top of your class module as follows:
Imports System.Web.Security

13 The Login Page (cont.)

14 Using the Authenticate() Method
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    ' Check the submitted name and password against the credentials stored in Web.config
    If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then
        ' Issue a non-persistent authentication cookie and return the user to the page originally requested
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        lblMessage.Text = "Bad Login"
    End If
End Sub

15 Global.Asax
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                // Get Forms Identity From Current User
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                // Get Forms Ticket From Identity object
                FormsAuthenticationTicket ticket = id.Ticket;
                // Retrieve stored user-data (our roles from db), written into the ticket at login
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                // Create a new Generic Principal Instance and assign to Current User,
                // so User.IsInRole() and <authorization> role checks see the roles
                HttpContext.Current.User = new GenericPrincipal(id, roles);
            }
        }
    }
}

16 The Authenticate() Method (cont.)
- The FormsAuthentication object handles form security as specified in the Web.Config.
- RedirectFromLoginPage redirects to the requested page if the user has the permission.
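The Global.asax handler on slide 15 reads roles out of the ticket's UserData, but RedirectFromLoginPage (slides 14 and 16) issues a ticket with empty UserData, so the roles have to be written into the ticket by the login page itself. The following C# login handler is an added example, not the presentation's own code: it authenticates exactly as slide 14 does, then builds the ticket with a comma-separated role list, encrypts it and sets the cookie. Assumed names: the slide's controls (txtName, txtPassword, lblMessage), the 15-minute timeout from slide 10, and a hypothetical LookupRoles helper standing in for the database query.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Code-behind for Login.aspx (added example; names below are assumptions, see lead-in)
public partial class Login : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Same check as slide 14: credentials listed in Web.config
        if (!FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text))
        {
            lblMessage.Text = "Bad Login";
            return;
        }

        // Roles go into UserData as "role1,role2", the format slide 15 splits on ','
        string roles = string.Join(",", LookupRoles(txtName.Text));

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            txtName.Text,                       // authenticated user name
            DateTime.Now,                       // issue time
            DateTime.Now.AddMinutes(15),        // expiry, matching timeout="15" on slide 10
            false,                              // not persistent: session cookie only
            roles,                              // UserData consumed by Global.asax
            FormsAuthentication.FormsCookiePath);

        // Encrypt + sign per protection="All"; roles must never travel in a readable cookie
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // not readable from client script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honours requireSSL from Web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        // Same destination RedirectFromLoginPage would choose (ReturnUrl or the default page)
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtName.Text, false));
    }

    // Hypothetical helper: a real site fetches roles with a parameterized query or stored
    // procedure (slides 20-23). A fixed table keeps this example self-contained.
    private static string[] LookupRoles(string userName)
    {
        if (string.Equals(userName, "Jeff", StringComparison.OrdinalIgnoreCase))
            return new[] { "user", "editor" };   // constructed sample data
        return new[] { "user" };
    }
}
```

Because slide 15 calls userData.Split(','), a user with no roles would receive one empty-string role; returning at least one role (or guarding against an empty UserData in Global.asax) avoids that edge case.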

17 Authenticating Against a Database
    ' cnn is a SqlClient.SqlConnection declared elsewhere on the page
    cnn.Open()
    Dim i As Integer
    Dim myCommand As New SqlClient.SqlCommand
    myCommand.Connection = cnn
    ' The user-supplied text is concatenated straight into the SQL statement;
    ' this is the pattern the next slide (SQL Injection) shows being abused
    myCommand.CommandText = "select * from userList where uname='" & _
        txtName.Text & "' and upassword='" & txtPassword.Text & "'"
    i = myCommand.ExecuteScalar
    If i > 0 Then
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        lblMessage.Text = "Bad Login"
    End If
    cnn.Close()
End Sub

18 SQL Injection
Exploits applications that use external input in database commands.
The technique:
- Find a field or query string parameter used to generate SQL commands
- Submit input that modifies the commands
- Compromise, corrupt, and destroy data

19 How SQL Injection Works
Model query:
SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'
Malicious query:
SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1-- AND Password=''
- "or 1=1" matches every record in the table
- "--" comments out the remainder of the query

20 Avoid SQL Injection
- Validation control.
- SQL stored procedure.

21 Accessing Data Securely
- Use stored procedures
- Never use sa to access Web databases
- Store connection strings securely
- Optionally use SSL/TLS or IPSec to secure the connection to the database server
- Apply administrative protections to SQL Server

22 The sa Account
- For administration only; never use it to access a database programmatically
- Instead, use one or more accounts that have limited database permissions
- For queries, use a SELECT-only account
- Better yet, use stored procs and grant the account EXECUTE permission for the stored procs
- Reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE)

23 Creating a Limited Account
USE Login
GO
-- Add account named webuser to Login database
EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login'
-- Grant webuser access to the database
EXEC sp_grantdbaccess 'webuser'
-- Limit webuser to calling proc_IsUserValid
GRANT EXECUTE ON proc_IsUserValid TO webuser

24 Connection Strings
- Storing plaintext database connection strings in Web.config is risky
- Vulnerable to file disclosure attacks
- Storing encrypted database connection strings increases security
- Encrypting connection strings is easy
- System.Security.Cryptography classes

25 Database Passwords
Encrypting (HashPasswordForStoringInConfigFile actually produces a one-way MD5 hash, not reversible encryption):
string name = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
Decrypting (the stored hash is not decrypted; the submitted password is hashed again and the two hashes are compared):
string pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
// Pass the user name and hash as parameters instead of concatenating them into the SQL text
// (the concatenated form is the pattern slide 18 warns about); cnn is the open SqlConnection
SqlCommand command = new SqlCommand("SELECT roles FROM users WHERE username = @user AND pass = @pass", cnn);
command.Parameters.AddWithValue("@user", TextBox1.Text);
command.Parameters.AddWithValue("@pass", pwd);
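Slides 17 through 25 describe one procedure: a login query built by string concatenation, how the input on slide 19 changes its meaning, and the recommended fix of a stored procedure run under a limited account with the password stored as a hash. The C# class below is an added example, not the presentation's code, that carries that procedure through end to end. BuildConcatenatedQuery reproduces the unsafe construction so the effect of the slide-19 input can be inspected without a database; IsUserValid is the replacement that calls proc_IsUserValid (slide 23) with typed parameters and the slide-25 hash. Assumptions: proc_IsUserValid takes @UserName and @PasswordHash and returns the matching row count, and the password column holds the 32-character hex MD5 that HashPasswordForStoringInConfigFile returns (mirroring the slides; a salted, slow password hash is what a practitioner would choose today).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

// Added example (not the slides' own code); see lead-in for assumptions
public static class UserValidation
{
    // The concatenation pattern of slides 17 and 19: user input becomes SQL text.
    // Returns the statement rather than executing it, so its shape can be examined.
    public static string BuildConcatenatedQuery(string userName, string password)
    {
        return "SELECT COUNT(*) FROM Users WHERE UserName='" + userName +
               "' AND Password='" + password + "'";
    }

    // Safe replacement: values reach SQL Server as typed parameters of a stored procedure,
    // so an input such as "' or 1=1--" is compared literally against the UserName column
    // and can never change the statement. Only the hash of the password is sent.
    public static bool IsUserValid(SqlConnection cnn, string userName, string password)
    {
        // Same one-way hash slide 25 uses when the password is stored
        string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "MD5");

        // Assumed signature: proc_IsUserValid @UserName nvarchar(50), @PasswordHash char(32)
        using (SqlCommand cmd = new SqlCommand("proc_IsUserValid", cnn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@PasswordHash", SqlDbType.Char, 32).Value = hash;

            if (cnn.State != ConnectionState.Open)
                cnn.Open();

            // With webuser granted only EXECUTE on this procedure (slide 23), the login the
            // web application uses cannot run ad-hoc statements such as DROP TABLE at all.
            int matches = Convert.ToInt32(cmd.ExecuteScalar());
            return matches == 1;   // exactly one account must match
        }
    }
}
```

Calling BuildConcatenatedQuery("' or 1=1--", "") returns the statement slide 19 labels the malicious query, with the remainder after "--" left as a comment; passing the same two strings to IsUserValid simply looks for an account literally named "' or 1=1--" and returns false.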

26 Thank You

