Difference between revisions of "CRV2 FrameworkSpecIssuesASPNet"

From OWASP
 
(23 intermediate revisions by one user not shown)
Earlier revision (the text this diff removed; the latest revision is rendered below):

= ASP.NET Security =

= Protection against SQL injections =

The best solution a developer using ASP.NET can implement to avoid this OWASP #1 in the Top Ten list of security vulnerabilities is to use parameterized queries.

Equivalent to this solution is the use of stored procedures, which are a form of parameterized query, for example:
<syntaxhighlight lang="csharp">
using System.Data;
using System.Data.SqlClient;

// Build the query statement using a parameterized query.
// UserName, Password and connection (a SqlConnection) are supplied by the caller.
string sql = "SELECT UserId FROM User WHERE " +
                "UserName = @UserName AND Password = @Password";

using (SqlCommand cmd = new SqlCommand(sql))
{
    // Create the parameter objects as specific as possible.
    cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50);
    cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 25);

    // Add the parameter values.  Validation should have already happened.
    cmd.Parameters["@UserName"].Value = UserName;
    cmd.Parameters["@Password"].Value = Password;
    cmd.Connection = connection;

    try
    {
        cmd.Connection.Open();
        var userId = cmd.ExecuteScalar();
    }
    catch (SqlException sx)
    {
        // Handle exceptions before moving on.
    }
    finally
    {
        // Always release the connection, whether or not the query succeeded.
        cmd.Connection.Close();
    }
}
</syntaxhighlight>

Source: (Jardine, 2013)

== Use an ORM (Object Relational Mapper) ==

ORMs are a real blessing regarding protection against SQL injection. By default, an ORM will automatically send all SQL requests as parameterized queries. However, it is important to keep in mind that this form of protection can be easily bypassed if the developer builds unparameterized HQL or Entity SQL queries dynamically with string concatenation.
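The two query styles the paragraph contrasts, as an added example that is not code from the original page: the concatenated Entity SQL query is injectable even though it goes through Entity Framework, while the ObjectParameter and LINQ versions are sent parameterized. The ObjectContext, the Users entity set, the User entity and the UserRepository class are assumed names.

```csharp
using System.Data.Entity.Core.Objects;   // EF6 ObjectContext / ObjectParameter (assumed EF6)
using System.Linq;

public class User            // assumed entity, mapped to the "Users" entity set
{
    public int UserId { get; set; }
    public string UserName { get; set; }
}

public class UserRepository
{
    private readonly ObjectContext _ctx;   // assumed: the model's ObjectContext

    public UserRepository(ObjectContext ctx) { _ctx = ctx; }

    // VULNERABLE: userName is spliced into the Entity SQL text. A value that
    // contains a single quote changes the structure of the query, and the ORM
    // cannot help because it only ever sees the already-altered statement.
    public User FindVulnerable(string userName)
    {
        string esql = "SELECT VALUE u FROM Users AS u WHERE u.UserName = '" + userName + "'";
        return _ctx.CreateQuery<User>(esql).FirstOrDefault();
    }

    // SAFE: the value is bound to @userName as an ObjectParameter; the ORM passes
    // it to the store as a typed parameter, so it is never parsed as query text.
    public User FindSafe(string userName)
    {
        string esql = "SELECT VALUE u FROM Users AS u WHERE u.UserName = @userName";
        return _ctx.CreateQuery<User>(esql, new ObjectParameter("userName", userName))
                   .FirstOrDefault();
    }

    // SAFE: LINQ to Entities is what gives ORMs their "parameterized by default"
    // property; the captured variable in the lambda becomes a SQL parameter.
    public User FindLinq(string userName)
    {
        return _ctx.CreateObjectSet<User>().FirstOrDefault(u => u.UserName == userName);
    }
}
```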
  
= Request Validation feature against XSS attacks =

ASP.NET comes with a built-in request validation feature. This feature was added in ASP.NET version 1.1 and is enabled by default. Once a malformed request containing any HTML tags is sent, ASP.NET will simply display an error, as shown in the following figure.

Unfortunately, this inherent feature can also create issues when legitimate requests are sent by users who need to submit data containing certain kinds of characters, such as brackets.

Another disadvantage is that it does not prevent attacks originating from other applications or from data already stored in the database, nor does it offer any protection when input is injected into HTML attributes.
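An added example (not from the page) of the two caveats above in ASP.NET MVC: [AllowHtml] lifts request validation for the one field that legitimately needs brackets instead of disabling it for the whole action with [ValidateInput(false)], and output rendered into an attribute is encoded explicitly because request validation gives attribute context no protection. CommentModel, CommentsController, CommentHtml and the view names are assumed.

```csharp
using System.Web;
using System.Web.Mvc;

public class CommentModel
{
    // Still covered by request validation: a value such as "<b>" is rejected
    // with the "potentially dangerous Request.Form value" error the page describes.
    public string Title { get; set; }

    // Only this field may legitimately contain angle brackets (e.g. code samples),
    // so request validation is lifted for it alone; the body must then be
    // encoded (or sanitised) before it is ever rendered.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid) { return View(model); }
        // Assumed: the comment is stored as-is and encoded on output; data read
        // back from the database was never seen by request validation.
        return RedirectToAction("Index");
    }
}

public static class CommentHtml
{
    // Request validation never looks at where a value ends up in the page. A
    // stored title rendered inside a double-quoted attribute needs encoding so
    // that it cannot close the attribute or the tag; the same value as element
    // text is encoded separately. (Razor's @ syntax encodes element text; this
    // helper shows the attribute case explicitly.)
    public static string TitleLink(string title)
    {
        return "<a href=\"/comments\" title=\"" + HttpUtility.HtmlEncode(title) + "\">"
             + HttpUtility.HtmlEncode(title) + "</a>";
    }
}
```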
  
= MVC's CSRF anti-forgery system =

This is one handy feature found in .NET which counters the #8 OWASP Top 10 security issue.

== Use Anti-forgery Helpers ==

There are two helpers which a developer can use to avoid CSRF attacks: Html.AntiForgeryToken() and the filter [ValidateAntiForgeryToken]. To use these features, call the AntiForgeryToken method from within your form, and add the ValidateAntiForgeryTokenAttribute to the action method you want to protect.

A combination of Html.AntiForgeryToken() and Ajax.ActionLink is a recommended way to make sure that no attacker can send a forged deletion request:

<syntaxhighlight lang="javascript">
// GetAntiForgeryToken is not defined on the page; this version reads the hidden
// field emitted by @Html.AntiForgeryToken() and returns its name/value pair.
function GetAntiForgeryToken() {
    var field = $("input[name='__RequestVerificationToken']").first();
    return field.length ? { name: field.attr("name"), value: field.val() } : null;
}

// Append the anti-forgery token to every non-GET jQuery AJAX request so that
// [ValidateAntiForgeryToken] accepts it like a normal form post.
$.ajaxPrefilter(
    function (options, localOptions, jqXHR) {
        if (options.type !== "GET") {
            var token = GetAntiForgeryToken();
            if (token !== null) {
                options.data = options.data || "";
                if (options.data.indexOf("X-Requested-With") === -1) {
                    // The conditional must be parenthesised: "+" binds tighter than "?:".
                    options.data = "X-Requested-With=XMLHttpRequest" +
                        (options.data === "" ? "" : "&" + options.data);
                }
                options.data = options.data + "&" + token.name + "=" + encodeURIComponent(token.value);
            }
        }
    }
);
</syntaxhighlight>

=== Limitations ===

*Users must accept cookies, otherwise [ValidateAntiForgeryToken] will deny their form posts
*Works only with POST requests
*Can be bypassed if the application has XSS vulnerabilities, since it will then be possible to read the __RequestVerificationToken value

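The server side of the helpers described above, as an added example that is not the page's own code: the Razor form calls Html.AntiForgeryToken(), the POST action carries [ValidateAntiForgeryToken], and the controller handles the HttpAntiForgeryException raised for users who reject cookies (the first limitation listed) instead of showing a generic error. AccountController, the Delete actions and the CsrfError view are assumed names.

```csharp
using System.Web.Helpers;   // HttpAntiForgeryException (MVC 4+; System.Web.Mvc in MVC 3)
using System.Web.Mvc;

// Views/Account/Delete.cshtml (Razor, shown here as a comment; assumed view):
//   @model int
//   @using (Html.BeginForm("DeleteConfirmed", "Account", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()   @* hidden __RequestVerificationToken + matching cookie *@
//       @Html.Hidden("id", Model)
//       <input type="submit" value="Delete" />
//   }

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Delete(int id)
    {
        return View(id);
    }

    // The filter rejects the request unless the hidden field and the cookie carry
    // a matching token pair, so a form posted from another site is refused.
    // It runs only on this action, which is also why the deletion is restricted to
    // POST: a GET that changed state would never pass through the filter.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        // Assumed: perform the deletion for the authenticated user here.
        return RedirectToAction("Index");
    }

    // Users who reject cookies fail validation with HttpAntiForgeryException;
    // show a dedicated page (assumed view "CsrfError") rather than a stack trace.
    protected override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException)
        {
            filterContext.Result = View("CsrfError");
            filterContext.ExceptionHandled = true;
        }
        base.OnException(filterContext);
    }
}
```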
= References =

Jardine, 2013. How to Fix SQL Injection Using Microsoft .Net Parameterized Queries. URL: http://software-security.sans.org/developer-how-to/fix-sql-injection-microsoft-.net-with-parameterized-queries


Latest revision as of 07:06, 25 July 2013

ASP.NET Security

Securing web applications in ASP.NET requires integrating the configuration of the .NET framework with that of IIS. ASP.NET applications contain a web.config file in which you can define many access rights and privileges, for example, but it alone is not sufficient to protect the resources of your application. IIS plays a major role in protecting the website's assets too. It is important to understand the interaction between these components in order to implement proper security.

Integrating Authentication with IIS

Iis.png


Enable and configure the necessary type of authentication based on the security level required by your application. ASP.NET membership and ASP.NET login controls implicitly work with forms authentication.

The authentication methods used in IIS 7 are the following:

  • Anonymous
  • ASP.NET impersonation
  • Basic
  • Client certificate mapping
  • Digest
  • Forms
  • Windows Integrated Security (NTLM or Kerberos)

ASP.NET configuration works only for its own resources. Keep in mind that if you need to configure access to files contained in your application such as .txt, .gif or .jpg, this is done through IIS permissions. For example, even though the ASP.NET resources in a directory might be forbidden by a Web.config file, users can still see the files located in that directory if directory browsing is turned on and no other restrictions are in place.
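The gap described above expressed as configuration, as an added example that is not from the page: the system.web authorization rule alone covers only ASP.NET resources, so the IIS 7 settings below turn directory browsing off and run the managed modules for every request so that the same rule also applies to static files. The login URL is assumed.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- ASP.NET forms authentication; on its own this authorization block only
         covers requests that reach the ASP.NET pipeline (.aspx, MVC routes, ...). -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- deny anonymous users -->
    </authorization>
  </system.web>

  <system.webServer>
    <!-- Weak setting corrected: with directory browsing on, an anonymous user can
         list and fetch .txt/.gif/.jpg files in a folder whose ASP.NET resources
         are denied above, because IIS serves them without consulting ASP.NET. -->
    <directoryBrowse enabled="false" />

    <!-- IIS 7 integrated pipeline: run the managed authentication/authorization
         modules for every request, so <deny users="?"/> also covers static files. -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
```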


Reference

http://msdn.microsoft.com/en-us/library/bwd43d0x%28v=vs.85%29.aspx