Effective Security in ASP.Net Applications - PowerPoint PPT Presentation

Slides: 27
Provided by: Chan137
Learn more at: https://www.cs.odu.edu
1
Effective Security in ASP.Net Applications
  • Jatin Sharma, Summer 2005

2
Types of Threats
  • Network: threats against the network
  • Host: threats against the host
  • Application: threats against the application
3
Application Security
  • Error handling
  • Form authentication
  • Input validation
  • Data access data protection

4
Error Handling
  • Use web.config to handle errors. There are three different
    modes for customErrors:
        <customErrors mode="RemoteOnly" />   (or "Off" or "On")
  • Off: display detailed ASP.NET error information.
  • On: display custom (friendly) messages.
  • RemoteOnly: no detailed errors for remote clients.

5
Securing the site with error handling
  • Example 1:
        <customErrors mode="On" defaultRedirect="error.aspx" />

6
Site Security
  • By default, site users are anonymous.
  • They may need to be authenticated and authorized.
  • Authentication: the process of verifying a user's identity.
  • Authorization: to measure or establish the power or permission
    that has been given or granted by an authority.

7
ASP.Net Authentication
  • 4 different modes of authentication:
    - Windows: uses the Windows authentication system on the web
      server (for intranet).
    - Forms: uses ASP.Net form-based authentication (for internet).
    - Passport: uses Microsoft's Passport authentication.
    - None: no authentication.

8
Specifying Authentication Type
  • Web.config

<configuration>
  <system.web>
    <!-- mode="Windows|Passport|Forms|None" -->
    <authentication mode="Windows" />
  </system.web>
</configuration>
9
Forms Authentication Options
Web.config
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- forms attributes:
           name="cookie name"              - authentication cookie name
           loginUrl="url"                  - URL of login page
           protection="All|None|Encryption|Validation"
           timeout="minutes"               - length of time the cookie is valid
           path="/"                        - cookie path
           requireSSL="true|false"         - restrict cookie to SSL?
           slidingExpiration="true|false"  - renew cookie? -->
    </authentication>
  </system.web>
</configuration>
See Page 862.
10
Authenticating Against the Web.Config file
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".MyCookie"
             loginUrl="Login.aspx"
             protection="All"
             timeout="15"
             path="/">
        <credentials passwordFormat="Clear">
          <user name="Sam" password="Secret" />
          <user name="Fred" password="Fred" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>

11
User Authorization
Web.config
<!-- Each fragment below is an alternative; it goes inside <authorization>
     under <system.web>. Rules are evaluated top to bottom, first match wins. -->

<!-- Deny access to anonymous (unauthenticated) users -->
<deny users="?" />

<!-- Grant access to Bob and Alice but no one else -->
<allow users="Bob, Alice" />
<deny users="*" />

<!-- Grant access to everyone EXCEPT Robin and Tim -->
<deny users="Robin, Tim" />
<allow users="*" />

<!-- Grant access to any manager -->
<allow roles="Manager" />
<deny users="*" />
12
The Login Page
  • First provide a namespace to the classes at the top of your
    class module as follows:
        Imports System.Web.Security

13
The Login Page (cont.)
14
Using the Authenticate() Method
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    ' Authenticate() checks the name/password pair against the <credentials> in Web.config
    If FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text) Then
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        lblMessage.Text = "Bad Login"
    End If
End Sub
15
Global.Asax
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                // Get Forms Identity From Current User
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                // Get Forms Ticket From Identity object
                FormsAuthenticationTicket ticket = id.Ticket;
                // Retrieve stored user-data (our roles from db)
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                // Create a new Generic Principal Instance and assign to Current User
                HttpContext.Current.User = new GenericPrincipal(id, roles);
            }
        }
    }
}

16
The Authenticate() Method (cont.)
  • The FormsAuthentication object handles forms security as
    specified in the Web.Config.
  • RedirectFromLoginPage redirects to the originally requested
    page if the user has permission.

17
Authenticating Against a Database
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    ' cnn is assumed to be a SqlClient.SqlConnection declared elsewhere (not shown on the slide)
    cnn.Open()
    Dim i As Integer
    Dim myCommand As New SqlClient.SqlCommand
    myCommand.Connection = cnn
    ' Deliberately vulnerable: user input is concatenated straight into the SQL text.
    ' This is the query the SQL Injection slides below take apart.
    myCommand.CommandText = "select count(*) from userList where uname='" & _
        txtName.Text & "' and upassword='" & txtPassword.Text & "'"
    i = myCommand.ExecuteScalar
    If i > 0 Then
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, False)
    Else
        lblMessage.Text = "Bad Login"
    End If
    cnn.Close()
End Sub
18
SQL Injection
  • Exploits applications that use external input in database
    commands
  • The technique:
    - Find a <form> field or query string parameter used to
      generate SQL commands
    - Submit input that modifies the commands
    - Compromise, corrupt, and destroy data

19
How SQL Injection Works
Model Query
    SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'
Malicious Query
    SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1-- ' AND Password=''
  • "or 1=1" matches every record in the table
  • "--" comments out the remainder of the query
20
Avoid SQL Injection
  • Validation controls.
  • SQL stored procedures.

21
Accessing Data Securely
  • Use stored procedures
  • Never use sa to access Web databases
  • Store connection strings securely
  • Apply administrative protections to SQL Server
  • Optionally use SSL/TLS or IPSec to secure the connection to
    the database server
22
The sa Account
  • For administration only; never use it to access a database
    programmatically
  • Instead, use one or more accounts that have limited database
    permissions
  • For queries, use a SELECT-only account
  • Better yet, use stored procs and grant the account EXECUTE
    permission for the stored procs
  • Reduces an attacker's ability to execute harmful commands
    (e.g., DROP TABLE)

23
Creating a Limited Account
USE Login
GO
-- Add account named webuser to Login database
EXEC sp_addlogin 'webuser', 'mxyzptlk', 'Login'
-- Grant webuser access to the database
EXEC sp_grantdbaccess 'webuser'
-- Limit webuser to calling proc_IsUserValid
GRANT EXECUTE ON proc_IsUserValid TO webuser
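As an added example (not the presentation's code), here is the concatenated login query from the "Authenticating Against a Database" slide placed next to a parameterized call to the proc_IsUserValid procedure that the limited webuser account above is granted EXECUTE on. The procedure's parameter names (@uname, @upassword), its result (a row count) and the already-open connection are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck
{
    // Vulnerable form, as on the slides: the input is spliced into the SQL text, so
    // the "' or 1=1--" input from the "How SQL Injection Works" slide rewrites the
    // WHERE clause and the count is never zero. Shown only for comparison.
    public static string BuildUnsafeQuery(string user, string pass)
    {
        return "select count(*) from userList where uname='" + user +
               "' and upassword='" + pass + "'";
    }

    // Hardened form: the command text is fixed and the values travel as typed
    // parameters, so quotes and comment markers in the input are just characters.
    // Running it under the webuser login means the connection can do nothing but
    // EXECUTE proc_IsUserValid, even if some other query were ever tampered with.
    public static bool IsUserValid(SqlConnection cnn, string user, string pass)
    {
        using (SqlCommand cmd = new SqlCommand("proc_IsUserValid", cnn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Parameter names/lengths are assumptions about proc_IsUserValid's definition
            cmd.Parameters.Add("@uname", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@upassword", SqlDbType.NVarChar, 50).Value = pass;
            // Assumed: the procedure returns SELECT COUNT(*) for the matching row
            int i = Convert.ToInt32(cmd.ExecuteScalar());
            return i > 0;
        }
    }

    // Drop-in replacement for the body of the login button handler.
    public static bool TryLogin(SqlConnection cnn, string user, string pass)
    {
        cnn.Open();
        try
        {
            return IsUserValid(cnn, user, pass);
        }
        finally
        {
            cnn.Close();
        }
    }
}
```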
24
Connection Strings
  • Storing plaintext database connection strings in
    Web.config is risky
  • Vulnerable to file disclosure attacks
  • Storing encrypted database connection strings
    increases security
  • Encrypting connection strings is easy
  • System.Security.Cryptography classes

25
Database Passwords
  • Encrypting (hashing the password before storing it):
        string name = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
  • Decrypting (hashing the submitted password the same way and
    comparing it in the query):
        string pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "MD5");
        // Note: the username is still concatenated into the SQL text, so this query
        // has the same injection exposure as the earlier login example; the MD5 hash
        // is also unsalted.
        string command = "SELECT roles FROM users WHERE username = '" + TextBox1.Text + "' AND pass = '" + pwd + "'";

26
Thank You