Beginning ASP.NET Security

Book Description

Programmers: protect and defend your Web apps against attack!

You may know ASP.NET, but if you don't understand how to secure your applications, you need this book. This vital guide explores the often-overlooked topic of teaching programmers how to design ASP.NET Web applications so as to prevent online thefts and security breaches.

You'll start with a thorough look at ASP.NET 3.5 basics and see what happens when you don't implement security, including some amazing examples. The book then delves into the development of a Web application, walking you through the vulnerable points at every phase. Learn to factor security in from the ground up, discover a wealth of tips and industry best practices, and explore code libraries and more resources provided by Microsoft and others.

  • Shows you step by step how to implement the very latest security techniques

  • Reveals the secrets of secret-keeping—encryption, hashing, and not leaking information to begin with

  • Delves into authentication, authorizing, and securing sessions

  • Explains how to secure Web servers and Web services, including WCF and ASMX

  • Walks you through threat modeling, so you can anticipate problems

  • Offers best practices, techniques, and industry trends you can put to use right away

Defend and secure your ASP.NET 3.5 framework Web sites with this must-have guide.

Table of Contents

  1. Copyright
  2. ABOUT THE AUTHOR
  3. ACKNOWLEDGMENTS
  4. CREDITS
  5. INTRODUCTION
    1. WHO THIS BOOK IS FOR
    2. HOW THIS BOOK IS STRUCTURED
    3. WHAT YOU NEED TO USE THIS BOOK
    4. CONVENTIONS
    5. SOURCE CODE
    6. ERRATA
    7. p2p.wrox.com
  6. 1. Why Web Security Matters
    1. 1.1. ANATOMY OF AN ATTACK
    2. 1.2. RISKS AND REWARDS
    3. 1.3. BUILDING SECURITY FROM THE GROUND UP
      1. 1.3.1. Defense in Depth
      2. 1.3.2. Never Trust Input
      3. 1.3.3. Fail Gracefully
      4. 1.3.4. Watch for Attacks
      5. 1.3.5. Use Least Privilege
      6. 1.3.6. Firewalls and Cryptography Are Not a Panacea
      7. 1.3.7. Security Should Be Your Default State
      8. 1.3.8. Code Defensively
    4. 1.4. THE OWASP TOP TEN
    5. 1.5. MOVING FORWARD
    6. 1.6. CHECKLISTS
  7. I. The ASP.NET Security Basics
    1. 2. How the Web Works
      1. 2.1. EXAMINING HTTP
        1. 2.1.1. Requesting a Resource
        2. 2.1.2. Responding to a Request
        3. 2.1.3. Sniffing HTTP Requests and Responses
      2. 2.2. UNDERSTANDING HTML FORMS
      3. 2.3. EXAMINING HOW ASP.NET WORKS
        1. 2.3.1. Understanding How ASP.NET Events Work
        2. 2.3.2. Examining the ASP.NET Pipeline
        3. 2.3.3. Writing HTTP Modules
      4. 2.4. SUMMARY
    2. 3. Safely Accepting User Input
      1. 3.1. DEFINING INPUT
      2. 3.2. DEALING WITH INPUT SAFELY
        1. 3.2.1. Echoing User Input Safely
        2. 3.2.2. Mitigating Against XSS
        3. 3.2.3. The Microsoft Anti-XSS Library
          1. 3.2.3.1. The Security Run-time Engine
        4. 3.2.4. Constraining Input
        5. 3.2.5. Protecting Cookies
      3. 3.3. VALIDATING FORM INPUT
        1. 3.3.1. Validation Controls
        2. 3.3.2. Standard ASP.NET Validation Controls
          1. 3.3.2.1. Using the RequiredFieldValidator
          2. 3.3.2.2. Using the RangeValidator
          3. 3.3.2.3. Using the RegularExpressionValidator
          4. 3.3.2.4. Using the CompareValidator
          5. 3.3.2.5. Using the CustomValidator
          6. 3.3.2.6. Validation Groups
      4. 3.4. A CHECKLIST FOR HANDLING INPUT
    3. 4. Using Query Strings, Form Fields, Events, and Browser Information
      1. 4.1. USING THE RIGHT INPUT TYPE
      2. 4.2. QUERY STRINGS
      3. 4.3. FORM FIELDS
      4. 4.4. REQUEST FORGERY AND HOW TO AVOID IT
        1. 4.4.1. Mitigating Against CSRF
      5. 4.5. PROTECTING ASP.NET EVENTS
      6. 4.6. AVOIDING MISTAKES WITH BROWSER INFORMATION
      7. 4.7. A CHECKLIST FOR QUERY STRINGS, FORMS, EVENTS, AND BROWSER INFORMATION
    4. 5. Controlling Information
      1. 5.1. CONTROLLING VIEWSTATE
        1. 5.1.1. Validating ViewState
        2. 5.1.2. Encrypting Viewstate
        3. 5.1.3. Protecting Against ViewState One-Click Attacks
        4. 5.1.4. Removing ViewState from the Client Page
        5. 5.1.5. Disabling Browser Caching
      2. 5.2. ERROR HANDLING AND LOGGING
        1. 5.2.1. Improving Your Error Handling
        2. 5.2.2. Watching for Special Exceptions
        3. 5.2.3. Logging Errors and Monitoring Your Application
          1. 5.2.3.1. Using the Windows Event Log
          2. 5.2.3.2. Using Email to Log Events
          3. 5.2.3.3. Using ASP.NET Tracing
          4. 5.2.3.4. Using Performance Counters
          5. 5.2.3.5. Using WMI Events
          6. 5.2.3.6. Another Alternative: Logging Frameworks
      3. 5.3. LIMITING SEARCH ENGINES
        1. 5.3.1. Controlling Robots with a Metatag
        2. 5.3.2. Controlling Robots with robots.txt
      4. 5.4. PROTECTING PASSWORDS IN CONFIG FILES
      5. 5.5. A CHECKLIST FOR QUERY STRINGS, FORMS, EVENTS, AND BROWSER INFORMATION
    5. 6. Keeping Secrets Secret — Hashing and Encryption
      1. 6.1. PROTECTING INTEGRITY WITH HASHING
        1. 6.1.1. Choosing a Hashing Algorithm
        2. 6.1.2. Protecting Passwords with Hashing
          1. 6.1.2.1. Salting Passwords
          2. 6.1.2.2. Generating Secure Random Numbers
      2. 6.2. ENCRYPTING DATA
        1. 6.2.1. Understanding Symmetric Encryption
          1. 6.2.1.1. Protecting Data with Symmetric Encryption
          2. 6.2.1.2. Choosing a Symmetric Algorithm
          3. 6.2.1.3. Generating Keys and Initialization Vectors
          4. 6.2.1.4. Encrypting and Decrypting Your Data
          5. 6.2.1.5. Using Session Keys
          6. 6.2.1.6. Ensuring That Data Does Not Change
          7. 6.2.1.7. Putting it All Together
        2. 6.2.2. Sharing Secrets with Asymmetric Encryption
          1. 6.2.2.1. Using Asymmetric Encryption without Certificates
          2. 6.2.2.2. Using Certificates for Asymmetric Encryption
          3. 6.2.2.3. Getting a Certificate
          4. 6.2.2.4. Encrypting Your Data
          5. 6.2.2.5. Decrypting Your Data
          6. 6.2.2.6. Ensuring That Data Does Not Change
          7. 6.2.2.7. Allowing Access to a Certificate's Private Key
          8. 6.2.2.8. Creating Test Certificates with MAKECERT
          9. 6.2.2.9. Putting it All Together
        3. 6.2.3. Using the Windows DPAPI
      3. 6.3. A CHECKLIST FOR ENCRYPTION
  8. II. Securing Common ASP.NET Tasks
    1. 7. Adding Usernames and Passwords
      1. 7.1. AUTHENTICATION AND AUTHORIZATION
      2. 7.2. DISCOVERING YOUR OWN IDENTITY
      3. 7.3. ADDING AUTHENTICATION IN ASP.NET
        1. 7.3.1. Using Forms Authentication
          1. 7.3.1.1. Configuring Forms Authentication
          2. 7.3.1.2. Using SQL as a Membership Store
          3. 7.3.1.3. Creating Users
          4. 7.3.1.4. Examining How Users Are Stored
          5. 7.3.1.5. Configuring the Membership Settings
          6. 7.3.1.6. Creating Users Programmatically
          7. 7.3.1.7. Supporting Password Changes and Resets
        2. 7.3.2. Windows Authentication
          1. 7.3.2.1. Configuring IIS for Windows Authentication
          2. 7.3.2.2. Impersonation with Windows Authentication
      4. 7.4. AUTHORIZATION IN ASP.NET
        1. 7.4.1. Examining <allow> and <deny>
        2. 7.4.2. Role-Based Authorization
          1. 7.4.2.1. Configuring Roles with Forms-Based Authentication
          2. 7.4.2.2. Using the Configuration Tools to Manage Roles
          3. 7.4.2.3. Managing Roles Programmatically
          4. 7.4.2.4. Managing Role Members Programmatically
          5. 7.4.2.5. Roles with Windows Authentication
          6. 7.4.2.6. Limiting Access to Files and Folders
        3. 7.4.3. Checking Users and Roles Programmatically
          1. 7.4.3.1. Securing Object References
      5. 7.5. A CHECKLIST FOR AUTHENTICATION AND AUTHORIZATION
    2. 8. Securely Accessing Databases
      1. 8.1. WRITING BAD CODE: DEMONSTRATING SQL INJECTION
      2. 8.2. FIXING THE VULNERABILITY
      3. 8.3. MORE SECURITY FOR SQL SERVER
        1. 8.3.1. Connecting Without Passwords
        2. 8.3.2. SQL Permissions
          1. 8.3.2.1. Adding a User to a Database
          2. 8.3.2.2. Managing SQL Permissions
          3. 8.3.2.3. Groups and Roles
          4. 8.3.2.4. Least Privilege Accounts
        3. 8.3.3. Using Views
        4. 8.3.4. SQL Express User Instances
        5. 8.3.5. Drawbacks of the VS Built-in Web Server
        6. 8.3.6. Dynamic SQL Stored Procedures
        7. 8.3.7. Using SQL Encryption
          1. 8.3.7.1. Encrypting by Pass Phrase
          2. 8.3.7.2. SQL Symmetric Encryption
          3. 8.3.7.3. SQL Asymmetric Encryption
          4. 8.3.7.4. Calculating Hashes and HMACs in SQL
      4. 8.4. A CHECKLIST FOR SECURELY ACCESSING DATABASES
    3. 9. Using the File System
      1. 9.1. ACCESSING EXISTING FILES SAFELY
        1. 9.1.1. Making Static Files Secure
          1. 9.1.1.1. Checking That Your Application Can Access Files
        2. 9.1.2. Making a File Downloadable and Setting Its Name
        3. 9.1.3. Adding Further Checks to File Access
          1. 9.1.3.1. Adding Role Checks
          2. 9.1.3.2. Anti-Leeching Checks
        4. 9.1.4. Accessing Files on a Remote System
      2. 9.2. CREATING FILES SAFELY
      3. 9.3. HANDLING USER UPLOADS
        1. 9.3.1. Using the File Upload Control
      4. 9.4. A CHECKLIST FOR SECURELY ACCESSING FILES
    4. 10. Securing XML
      1. 10.1. VALIDATING XML
        1. 10.1.1. Well-Formed XML
        2. 10.1.2. Valid XML
        3. 10.1.3. XML Parsers
      2. 10.2. QUERYING XML
        1. 10.2.1. Avoiding XPath Injection
      3. 10.3. SECURING XML DOCUMENTS
        1. 10.3.1. Encrypting XML Documents
          1. 10.3.1.1. Using a Symmetric Encryption Key with XML
          2. 10.3.1.2. Using an Asymmetric Key Pair to Encrypt and Decrypt XML
          3. 10.3.1.3. Using an X509 Certificate to Encrypt and Decrypt XML
        2. 10.3.2. Signing XML Documents
      4. 10.4. A CHECKLIST FOR XML
  9. III. Advanced ASP.NET Scenarios
    1. 11. Sharing Data with Windows Communication Foundation
      1. 11.1. CREATING AND CONSUMING WCF SERVICES
      2. 11.2. SECURITY AND PRIVACY WITH WCF
        1. 11.2.1. Transport Security
        2. 11.2.2. Message Security
        3. 11.2.3. Mixed Mode
        4. 11.2.4. Selecting the Security Mode
        5. 11.2.5. Choosing the Client Credentials
      3. 11.3. ADDING SECURITY TO AN INTERNET SERVICE
      4. 11.4. SIGNING MESSAGES WITH WCF
      5. 11.5. LOGGING AND AUDITING IN WCF
      6. 11.6. VALIDATING PARAMETERS USING INSPECTORS
      7. 11.7. USING MESSAGE INSPECTORS
      8. 11.8. THROWING ERRORS IN WCF
      9. 11.9. A CHECKLIST FOR SECURING WCF
    2. 12. Securing Rich Internet Applications
      1. 12.1. RIA ARCHITECTURE
      2. 12.2. SECURITY IN AJAX APPLICATIONS
        1. 12.2.1. The XMLHttpRequest Object
        2. 12.2.2. The Ajax Same Origin Policy
        3. 12.2.3. The Microsoft ASP.NET Ajax Framework
          1. 12.2.3.1. Examining the UpdatePanel
          2. 12.2.3.2. Examining the ScriptManager
          3. 12.2.3.3. Security Considerations with UpdatePanel and ScriptManager
      3. 12.3. SECURITY IN SILVERLIGHT APPLICATIONS
        1. 12.3.1. Understanding the CoreCLR Security Model
        2. 12.3.2. Using the HTML Bridge
          1. 12.3.2.1. Controlling Access to the HTML DOM
          2. 12.3.2.2. Exposing Silverlight Classes and Members to the DOM
        3. 12.3.3. Accessing the Local File System
        4. 12.3.4. Using Cryptography in Silverlight
        5. 12.3.5. Accessing the Web and Web Services with Silverlight
      4. 12.4. USING ASP.NET AUTHENTICATION AND AUTHORIZATION IN AJAX AND SILVERLIGHT
      5. 12.5. A CHECKLIST FOR SECURING AJAX AND SILVERLIGHT
    3. 13. Understanding Code Access Security
      1. 13.1. UNDERSTANDING CODE ACCESS SECURITY
        1. 13.1.1. Using ASP.NET Trust Levels
          1. 13.1.1.1. Demanding Minimum CAS Permissions
          2. 13.1.1.2. Asking and Checking for CAS Permissions
            1. 13.1.1.2.1. Imperative Demands
            2. 13.1.1.2.2. Declarative Demands
          3. 13.1.1.3. Testing Your Application Under a New Trust Level
          4. 13.1.1.4. Using the Global Assembly Cache to Run Code Under Full Trust
        2. 13.1.2. .NET 4 Changes for Trust and ASP.NET
      2. 13.2. A CHECKLIST FOR CODE NOT UNDER FULL TRUST
    4. 14. Securing Internet Information Server (IIS)
      1. 14.1. INSTALLING AND CONFIGURING IIS7
        1. 14.1.1. IIS Role Services
          1. 14.1.1.1. Removing Global Features for an Individual Web Site
        2. 14.1.2. Creating and Configuring Application Pools
        3. 14.1.3. Configuring Trust Levels in IIS
          1. 14.1.3.1. Locking Trust Levels
          2. 14.1.3.2. Creating Custom Trust Levels
      2. 14.2. FILTERING REQUESTS
        1. 14.2.1. Filtering Double-Encoded Requests
        2. 14.2.2. Filtering Requests with Non-ASCII Characters
        3. 14.2.3. Filtering Requests Based on File Extension
        4. 14.2.4. Filtering Requests Based on Request Size
        5. 14.2.5. Filtering Requests Based on HTTP Verbs
        6. 14.2.6. Filtering Requests Based on URL Sequences
        7. 14.2.7. Filtering Requests Based on Request Segments
        8. 14.2.8. Filtering Requests Based on a Request Header
        9. 14.2.9. Status Codes Returned to Denied Requests
      3. 14.3. USING LOG PARSER TO MINE IIS LOG FILES
      4. 14.4. USING CERTIFICATES
        1. 14.4.1. Requesting an SSL Certificate
        2. 14.4.2. Configuring a Site to Use HTTPS
        3. 14.4.3. Setting up a Test Certification Authority
      5. 14.5. A CHECKLIST FOR SECURING INTERNET INFORMATION SERVER (IIS)
    5. 15. Third-Party Authentication
      1. 15.1. A BRIEF HISTORY OF FEDERATED IDENTITY
      2. 15.2. USING THE WINDOWS IDENTITY FOUNDATION TO ACCEPT SAML AND INFORMATION CARDS
        1. 15.2.1.
          1. 15.2.1.1. Creating a "Claims-Aware" Web Site
          2. 15.2.1.2. Accepting Information Cards
          3. 15.2.1.3. Working with a Claims Identity
      3. 15.3. USING OPENID WITH YOUR WEB SITE
      4. 15.4. USING WINDOWS LIVE ID WITH YOUR WEB SITE
      5. 15.5. A STRATEGY FOR INTEGRATING THIRD-PARTY AUTHENTICATION WITH FORMS AUTHENTICATION
      6. 15.6. SUMMARY
    6. 16. Secure Development with the ASP.NET MVC Framework
      1. 16.1. MVC INPUT AND OUTPUT
        1. 16.1.1. Protecting Yourself Against XSS
        2. 16.1.2. Protecting an MVC Application Against CSRF
        3. 16.1.3. Securing Model Binding
        4. 16.1.4. Providing Validation for and Error Messages from Your Model
      2. 16.2. AUTHENTICATION AND AUTHORIZATION WITH ASP.NET MVC
        1. 16.2.1. Authorizing Actions and Controllers
        2. 16.2.2. Protecting Public Controller Methods
        3. 16.2.3. Discovering the Current User
        4. 16.2.4. Customizing Authorization with an Authorization Filter
      3. 16.3. ERROR HANDLING WITH ASP.NET MVC
      4. 16.4. A CHECKLIST FOR SECURE DEVELOPMENT WITH THE ASP.NET MVC FRAMEWORK