book

Beginning ASP.NET Security

Name: Beginning ASP.NET Security
Author: Barry Dorrans
ISBN: 9780470743652

by Barry Dorrans

April 2010

Beginner

438 pages

10h 55m

English

Wrox

Read now

Unlock full access

Copyright
ABOUT THE AUTHOR
ACKNOWLEDGMENTS
CREDITS
INTRODUCTION
WHO THIS BOOK IS FORHOW THIS BOOK IS STRUCTUREDWHAT YOU NEED TO USE THIS BOOKCONVENTIONSSOURCE CODEERRATAp2p.wrox.com
1. Why Web Security Matters
1.1. ANATOMY OF AN ATTACK1.2. RISKS AND REWARDS1.3. BUILDING SECURITY FROM THE GROUND UP1.3.1. Defense in Depth1.3.2. Never Trust Input1.3.3. Fail Gracefully1.3.4. Watch for Attacks1.3.5. Use Least Privilege1.3.6. Firewalls and Cryptography Are Not a Panacea1.3.7. Security Should Be Your Default State1.3.8. Code Defensively1.4. THE OWASP TOP TEN1.5. MOVING FORWARD1.6. CHECKLISTS
I. The ASP.NET Security Basics
2. How the Web Works
2.1. EXAMINING HTTP2.1.1. Requesting a Resource2.1.2. Responding to a Request2.1.3. Sniffing HTTP Requests and Responses2.2. UNDERSTANDING HTML FORMS2.3. EXAMINING HOW ASP.NET WORKS2.3.1. Understanding How ASP.NET Events Work2.3.2. Examining the ASP.NET Pipeline2.3.3. Writing HTTP Modules2.4. SUMMARY
3. Safely Accepting User Input
3.1. DEFINING INPUT3.2. DEALING WITH INPUT SAFELY3.2.1. Echoing User Input Safely3.2.2. Mitigating Against XSS3.2.3. The Microsoft Anti-XSS Library3.2.3.1. The Security Run-time Engine3.2.4. Constraining Input3.2.5. Protecting Cookies3.3. VALIDATING FORM INPUT3.3.1. Validation Controls3.3.2. Standard ASP.NET Validation Controls3.3.2.1. Using the RequiredFieldValidator3.3.2.2. Using the RangeValidator3.3.2.3. Using the RegularExpressionValidator3.3.2.4. Using the CompareValidator3.3.2.5. Using the CustomValidator3.3.2.6. Validation Groups3.4. A CHECKLIST FOR HANDLING INPUT
4. Using Query Strings, Form Fields, Events, and Browser Information
4.1. USING THE RIGHT INPUT TYPE4.2. QUERY STRINGS4.3. FORM FIELDS4.4. REQUEST FORGERY AND HOW TO AVOID IT4.4.1. Mitigating Against CSRF4.5. PROTECTING ASP.NET EVENTS4.6. AVOIDING MISTAKES WITH BROWSER INFORMATION4.7. A CHECKLIST FOR QUERY STRINGS, FORMS, EVENTS, AND BROWSER INFORMATION

5. Controlling Information
5.1. CONTROLLING VIEWSTATE5.1.1. Validating ViewState5.1.2. Encrypting Viewstate5.1.3. Protecting Against ViewState One-Click Attacks5.1.4. Removing ViewState from the Client Page5.1.5. Disabling Browser Caching5.2. ERROR HANDLING AND LOGGING5.2.1. Improving Your Error Handling5.2.2. Watching for Special Exceptions5.2.3. Logging Errors and Monitoring Your Application5.2.3.1. Using the Windows Event Log5.2.3.2. Using Email to Log Events5.2.3.3. Using ASP.NET Tracing5.2.3.4. Using Performance Counters5.2.3.5. Using WMI Events5.2.3.6. Another Alternative: Logging Frameworks5.3. LIMITING SEARCH ENGINES5.3.1. Controlling Robots with a Metatag5.3.2. Controlling Robots with robots.txt5.4. PROTECTING PASSWORDS IN CONFIG FILES5.5. A CHECKLIST FOR QUERY STRINGS, FORMS, EVENTS, AND BROWSER INFORMATION
6. Keeping Secrets Secret — Hashing and Encryption
6.1. PROTECTING INTEGRITY WITH HASHING6.1.1. Choosing a Hashing Algorithm6.1.2. Protecting Passwords with Hashing6.1.2.1. Salting Passwords6.1.2.2. Generating Secure Random Numbers6.2. ENCRYPTING DATA6.2.1. Understanding Symmetric Encryption6.2.1.1. Protecting Data with Symmetric Encryption6.2.1.2. Choosing a Symmetric Algorithm6.2.1.3. Generating Keys and Initialization Vectors6.2.1.4. Encrypting and Decrypting Your Data6.2.1.5. Using Session Keys6.2.1.6. Ensuring That Data Does Not Change6.2.1.7. Putting it All Together6.2.2. Sharing Secrets with Asymmetric Encryption6.2.2.1. Using Asymmetric Encryption without Certificates6.2.2.2. Using Certificates for Asymmetric Encryption6.2.2.3. Getting a Certificate6.2.2.4. Encrypting Your Data6.2.2.5. Decrypting Your Data6.2.2.6. Ensuring That Data Does Not Change6.2.2.7. Allowing Access to a Certificate's Private Key6.2.2.8. Creating Test Certificates with MAKECERT6.2.2.9. Putting it All Together6.2.3. Using the Windows DPAPI6.3. A CHECKLIST FOR ENCRYPTION
II. Securing Common ASP.NET Tasks
7. Adding Usernames and Passwords
7.1. AUTHENTICATION AND AUTHORIZATION7.2. DISCOVERING YOUR OWN IDENTITY7.3. ADDING AUTHENTICATION IN ASP.NET7.3.1. Using Forms Authentication7.3.1.1. Configuring Forms Authentication7.3.1.2. Using SQL as a Membership Store7.3.1.3. Creating Users7.3.1.4. Examining How Users Are Stored7.3.1.5. Configuring the Membership Settings7.3.1.6. Creating Users Programmatically7.3.1.7. Supporting Password Changes and Resets7.3.2. Windows Authentication7.3.2.1. Configuring IIS for Windows Authentication7.3.2.2. Impersonation with Windows Authentication7.4. AUTHORIZATION IN ASP.NET7.4.1. Examining <allow>and <deny>7.4.2. Role-Based Authorization7.4.2.1. Configuring Roles with Forms-Based Authentication7.4.2.2. Using the Configuration Tools to Manage Roles7.4.2.3. Managing Roles Programmatically7.4.2.4. Managing Role Members Programmatically7.4.2.5. Roles with Windows Authentication7.4.2.6. Limiting Access to Files and Folders7.4.3. Checking Users and Roles Programmatically7.4.3.1. Securing Object References7.5. A CHECKLIST FOR AUTHENTICATION AND AUTHORIZATION
8. Securely Accessing Databases
8.1. WRITING BAD CODE: DEMONSTRATING SQL INJECTION8.2. FIXING THE VULNERABILITY8.3. MORE SECURITY FOR SQL SERVER8.3.1. Connecting Without Passwords8.3.2. SQL Permissions8.3.2.1. Adding a User to a Database8.3.2.2. Managing SQL Permissions8.3.2.3. Groups and Roles8.3.2.4. Least Privilege Accounts8.3.3. Using Views8.3.4. SQL Express User Instances8.3.5. Drawbacks of the VS Built-in Web Server8.3.6. Dynamic SQL Stored Procedures8.3.7. Using SQL Encryption8.3.7.1. Encrypting by Pass Phrase8.3.7.2. SQL Symmetric Encryption8.3.7.3. SQL Asymmetric Encryption8.3.7.4. Calculating Hashes and HMACs in SQL8.4. A CHECKLIST FOR SECURELY ACCESSING DATABASES
9. Using the File System
9.1. ACCESSING EXISTING FILES SAFELY9.1.1. Making Static Files Secure9.1.1.1. Checking That Your Application Can Access Files9.1.2. Making a File Downloadable and Setting Its Name9.1.3. Adding Further Checks to File Access9.1.3.1. Adding Role Checks9.1.3.2. Anti-Leeching Checks9.1.4. Accessing Files on a Remote System9.2. CREATING FILES SAFELY9.3. HANDLING USER UPLOADS9.3.1. Using the File Upload_Control9.4. A CHECKLIST FOR SECURELY ACCESSING FILES
10. Securing XML
10.1. VALIDATING XML10.1.1. Well-Formed XML10.1.2. Valid XML10.1.3. XML Parsers10.2. QUERYING XML10.2.1. Avoiding XPath Injection10.3. SECURING XML DOCUMENTS10.3.1. Encrypting XML Documents10.3.1.1. Using a Symmetric Encryption Key with XML10.3.1.2. Using an Asymmetric Key Pair to Encrypt and Decrypt XML10.3.1.3. Using an X509 Certificate to Encrypt and Decrypt XML10.3.2. Signing XML Documents10.4. A CHECKLIST FOR XML
III. Advanced ASP.NET Scenarios
11. Sharing Data with Windows Communication Foundation
11.1. CREATING AND CONSUMING WCF SERVICES11.2. SECURITY AND PRIVACY WITH WCF11.2.1. Transport Security11.2.2. Message Security11.2.3. Mixed Mode11.2.4. Selecting the Security Mode11.2.5. Choosing the Client Credentials11.3. ADDING SECURITY TO AN INTERNET SERVICE11.4. SIGNING MESSAGES WITH WCF11.5. LOGGING AND AUDITING IN WCF11.6. VALIDATING PARAMETERS USING INSPECTORS11.7. USING MESSAGE INSPECTORS11.8. THROWING ERRORS IN WCF11.9. A CHECKLIST FOR SECURING WCF
12. Securing Rich Internet Applications
12.1. RIA ARCHITECTURE12.2. SECURITY IN AJAX APPLICATIONS12.2.1. The XMLHttpRequest Object12.2.2. The Ajax Same Origin Policy12.2.3. The Microsoft ASP.NET Ajax Framework12.2.3.1. Examining the UpdatePanel12.2.3.2. Examining the ScriptManager12.2.3.3. Security Considerations with UpdatePanel and ScriptManager12.3. SECURITY IN SILVERLIGHT APPLICATIONS12.3.1. Understanding the CoreCLR Security Model12.3.2. Using the HTML Bridge12.3.2.1. Controlling Access to the HTML DOM12.3.2.2. Exposing Silverlight Classes and Members to the DOM12.3.3. Accessing the Local File System12.3.4. Using Cryptography in Silverlight12.3.5. Accessing the Web and Web Services with Silverlight12.4. USING ASP.NET AUTHENTICATION AND AUTHORIZATION IN AJAX AND SILVERLIGHT12.5. A CHECKLIST FOR SECURING AJAX AND SILVERLIGHT
13. Understanding Code Access Security
13.1. UNDERSTANDING CODE ACCESS SECURITY13.1.1. Using ASP.NET Trust Levels13.1.1.1. Demanding Minimum CAS Permissions13.1.1.2. Asking and Checking for CAS Permissions13.1.1.2.1. Imperative Demands13.1.1.2.2. Declarative Demands13.1.1.3. Testing Your Application Under a New Trust Level13.1.1.4. Using the Global Assembly Cache to Run Code Under Full Trust13.1.2. .NET 4 Changes for Trust and ASP.NET13.2. A CHECKLIST FOR CODE NOT UNDER FULL TRUST
14. Securing Internet Information Server (IIS)
14.1. INSTALLING AND CONFIGURING IIS714.1.1. IIS Role Services14.1.1.1. Removing Global Features for an Individual Web Site14.1.2. Creating and Configuring Application Pools14.1.3. Configuring Trust Levels in IIS14.1.3.1. Locking Trust Levels14.1.3.2. Creating Custom Trust Levels14.2. FILTERING REQUESTS14.2.1. Filtering Double-Encoded Requests14.2.2. Filtering Requests with Non-ASCII Characters14.2.3. Filtering Requests Based on File Extension14.2.4. Filtering Requests Based on Request Size14.2.5. Filtering Requests Based on HTTP Verbs14.2.6. Filtering Requests Based on URL Sequences14.2.7. Filtering Requests Based on Request Segments14.2.8. Filtering Requests Based on a Request Header14.2.9. Satus Codes Returned to Denied Requests14.3. USING LOG PARSER TO MINE IIS LOG FILES14.4. USING CERTIFICATES14.4.1. Requesting an SSL Certificate14.4.2. Configuring a Site to Use HTTPS14.4.3. Setting up a Test Certification Authority14.5. A CHECKLIST FOR SECURING INTERNET INFORMATION SERVER (IIS)
15. Third-Party Authentication
15.1. A BRIEF HISTORY OF FEDERATED IDENTITY15.2. USING THE WINDOWS IDENTITY FOUNDATION TO ACCEPT SAML AND INFORMATION CARDS15.2.1.15.2.1.1. Creating a "Claims-Aware" Web Site15.2.1.2. Accepting Information Cards15.2.1.3. Working with a Claims Identity15.3. USING OPENID WITH YOUR WEB SITE15.4. USING WINDOWS LIVE ID WITH YOUR WEB SITE15.5. A STRATEGY FOR INTEGRATING THIRD-PARTY AUTHENTICATION WITH FORMS AUTHENTICATION15.6. SUMMARY
16. Secure Development with the ASP.NET MVC Framework
16.1. MVC INPUT AND OUTPUT16.1.1. Protecting Yourself Against XSS16.1.2. Protecting an MVC Application Against CSRF16.1.3. Securing Model Binding16.1.4. Providing Validation for and Error Messages from Your Model16.2. AUTHENTICATION AND AUTHORIZATION WITH ASP.NET MVC16.2.1. Authorizing Actions and Controllers16.2.2. Protecting Public Controller Methods16.2.3. Discovering the Current User16.2.4. Customizing Authorization with an Authorization Filter16.3. ERROR HANDLING WITH ASP.NET MVC16.4. A CHECKLIST FOR SECURE DEVELOPMENT WITH THE ASP.NET MVC FRAMEWORK

Content preview from Beginning ASP.NET Security

Chapter 10. Securing XML

Extensible Markup Language (XML) has emerged as the standard way to transfer data and metadata between systems. XML is a rich standard, and its extensibility has led to various additions, including schemas and query languages. You may have already used it without knowing it. XML underpins Web services, .NET configuration files, and even IIS7 configuration. However, as you add XML support to your application, you are adding another vector for attack and potential vulnerabilities. Like any input, XML should be considered untrusted until you validate and sanitize it.

In this chapter, you will learn about the following:

How to accept and validate XML
How to query XML safely
How to sign XML documents to ensure them against tampering
How to encrypt XML to prevent eavesdropping

Note

This chapter will only concentrate on the security aspects of XML. For a more detailed exploration of XML and all its associated technologies, Professional XML by Bill Evjen, Kent Sharkey, Thiru Thangarathinam, Michael Kay, Alessandro Vernet, and Sam Ferguson (Indianapolis: Wrox, 2007) is highly recommended.

VALIDATING XML

Like any input, XML should be validated before trusting and using it. XML has two validation points:

Is it "well-formed"?
Is it "valid"?

Well-Formed XML

An XML document is said to be well-formed when it conforms to the XML syntax specification, and contains no references to external resources — unless a document type definition (DTD) is specified.

Following is an example:

<?xml ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780470743652Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business