Difference between revisions of "CRV2 FrameworkSpecIssuesASPNet"

From OWASP
 
Previous revision:

= ASP.NET Security =

== Input validation ==

Anything coming from external sources can be considered input to a web application. Not only data the user enters through a web form, but also data retrieved from a web service or database and headers sent by the browser fall under this concept.

Defining what is known as a trust boundary can help us visualize all possible untrusted inputs. ASP.NET has different types of validation depending on the level of control to be applied. By default, web page code is validated against malicious users. The following is a list of the types of validation used (MSDN, 2013):

{| cellpadding=5 style="border:1px solid #BBB"
|Type of validation || Control to use || Description
|-
|Required entry|| RequiredFieldValidator|| Ensures that the user does not skip an entry. For details, see How to: Validate Required Entries for ASP.NET Server Controls.
|-
|Comparison to a value|| CompareValidator|| Compares a user's entry against a constant value, against the value of another control (using a comparison operator such as less than, equal, or greater than), or for a specific data type. For details, see How to: Validate Against a Specific Value for ASP.NET Server Controls and How to: Validate Against a Data Type for ASP.NET Server Controls.
|}

A way of defining when input is safe is to define a trust boundary.

== Data Encryption ==

== Authentication and Authorization ==

== Creating a Semi-Trusted Application ==

Latest revision as of 07:06, 25 July 2013

ASP.NET Security

Securing web applications in ASP.NET requires integrating the configuration of the .NET Framework with that of IIS. ASP.NET applications contain a web.config file in which you can define access rules and privileges, for example, but that alone is not sufficient to protect the resources of your application. IIS plays a major role in protecting the website's assets too. It is important to understand the interaction between these components in order to implement proper security.

Integrating Authentication with IIS

[Figure: Iis.png]

Enable and configure the necessary type of authentication based on the security level required by your application. ASP.NET membership and ASP.NET login controls implicitly work with forms authentication.

The authentication methods used in IIS 7 are the following:

  • Anonymous
  • ASP.NET impersonation
  • Basic
  • Client certificate mapping
  • Digest
  • Forms
  • Windows Integrated Security (NTLM or Kerberos)

ASP.NET configuration applies only to the resources that ASP.NET itself handles. Keep in mind that if you need to control access to other files contained in your application, such as .txt, .gif or .jpg files, this is done through IIS permissions. For example, even though the ASP.NET resources in a directory might be forbidden by a Web.config file, users can still see the files located in that directory if directory browsing is turned on and no other restrictions are in place.
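As an added example (not part of the original wiki page), the following web.config fragment enables forms authentication and shows both layers of control the paragraph describes: ASP.NET authorization for the pages it handles, and IIS settings (directory browsing off, IIS URL Authorization) for the static files in the same folder. The folder name "Reports" and the role "Staff" are constructed for the example, and it assumes IIS 7 in integrated mode with the URL Authorization feature installed and delegation allowing these sections in web.config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original page. The "Reports" folder and the
     "Staff" role are constructed names; the folder is assumed to contain both
     .aspx pages and static .pdf/.txt files. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- ASP.NET membership/login controls work with forms authentication -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
    <!-- Applies only to requests ASP.NET handles (e.g. .aspx); IIS serves
         static files without consulting this section. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <location path="Reports">
    <system.web>
      <!-- Protects Reports/*.aspx only -->
      <authorization>
        <allow roles="Staff" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <!-- Without this, a directory listing exposes the static files even
           though the .aspx pages above are protected. -->
      <directoryBrowse enabled="false" />
      <!-- IIS URL Authorization is evaluated for every request, static files
           included. Removing the inherited allow-all rule leaves only Staff
           with access; requests matching no Allow rule are refused. -->
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="Staff" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```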


Reference

http://msdn.microsoft.com/en-us/library/bwd43d0x%28v=vs.85%29.aspx