book

Beginning ASP.NET Security

Name: Beginning ASP.NET Security
Author: Barry Dorrans
ISBN: 9780470743652

by Barry Dorrans

April 2010

Beginner

438 pages

10h 55m

English

Wrox

Read now

Unlock full access

Copyright
ABOUT THE AUTHOR
ACKNOWLEDGMENTS
CREDITS
INTRODUCTION
WHO THIS BOOK IS FORHOW THIS BOOK IS STRUCTUREDWHAT YOU NEED TO USE THIS BOOKCONVENTIONSSOURCE CODEERRATAp2p.wrox.com
1. Why Web Security Matters
1.1. ANATOMY OF AN ATTACK1.2. RISKS AND REWARDS1.3. BUILDING SECURITY FROM THE GROUND UP1.3.1. Defense in Depth1.3.2. Never Trust Input1.3.3. Fail Gracefully1.3.4. Watch for Attacks1.3.5. Use Least Privilege1.3.6. Firewalls and Cryptography Are Not a Panacea1.3.7. Security Should Be Your Default State1.3.8. Code Defensively1.4. THE OWASP TOP TEN1.5. MOVING FORWARD1.6. CHECKLISTS
I. The ASP.NET Security Basics
2. How the Web Works
2.1. EXAMINING HTTP2.1.1. Requesting a Resource2.1.2. Responding to a Request2.1.3. Sniffing HTTP Requests and Responses2.2. UNDERSTANDING HTML FORMS2.3. EXAMINING HOW ASP.NET WORKS2.3.1. Understanding How ASP.NET Events Work2.3.2. Examining the ASP.NET Pipeline2.3.3. Writing HTTP Modules2.4. SUMMARY
3. Safely Accepting User Input
3.1. DEFINING INPUT3.2. DEALING WITH INPUT SAFELY3.2.1. Echoing User Input Safely3.2.2. Mitigating Against XSS3.2.3. The Microsoft Anti-XSS Library3.2.3.1. The Security Run-time Engine3.2.4. Constraining Input3.2.5. Protecting Cookies3.3. VALIDATING FORM INPUT3.3.1. Validation Controls3.3.2. Standard ASP.NET Validation Controls3.3.2.1. Using the RequiredFieldValidator3.3.2.2. Using the RangeValidator3.3.2.3. Using the RegularExpressionValidator3.3.2.4. Using the CompareValidator3.3.2.5. Using the CustomValidator3.3.2.6. Validation Groups3.4. A CHECKLIST FOR HANDLING INPUT
4. Using Query Strings, Form Fields, Events, and Browser Information
4.1. USING THE RIGHT INPUT TYPE4.2. QUERY STRINGS4.3. FORM FIELDS4.4. REQUEST FORGERY AND HOW TO AVOID IT4.4.1. Mitigating Against CSRF4.5. PROTECTING ASP.NET EVENTS4.6. AVOIDING MISTAKES WITH BROWSER INFORMATION4.7. A CHECKLIST FOR QUERY STRINGS, FORMS, EVENTS, AND BROWSER INFORMATION

5. Controlling Information
5.1. CONTROLLING VIEWSTATE5.1.1. Validating ViewState5.1.2. Encrypting Viewstate5.1.3. Protecting Against ViewState One-Click Attacks5.1.4. Removing ViewState from the Client Page5.1.5. Disabling Browser Caching5.2. ERROR HANDLING AND LOGGING5.2.1. Improving Your Error Handling5.2.2. Watching for Special Exceptions5.2.3. Logging Errors and Monitoring Your Application5.2.3.1. Using the Windows Event Log5.2.3.2. Using Email to Log Events5.2.3.3. Using ASP.NET Tracing5.2.3.4. Using Performance Counters5.2.3.5. Using WMI Events5.2.3.6. Another Alternative: Logging Frameworks5.3. LIMITING SEARCH ENGINES5.3.1. Controlling Robots with a Metatag5.3.2. Controlling Robots with robots.txt5.4. PROTECTING PASSWORDS IN CONFIG FILES5.5. A CHECKLIST FOR QUERY STRINGS, FORMS, EVENTS, AND BROWSER INFORMATION
6. Keeping Secrets Secret — Hashing and Encryption
6.1. PROTECTING INTEGRITY WITH HASHING6.1.1. Choosing a Hashing Algorithm6.1.2. Protecting Passwords with Hashing6.1.2.1. Salting Passwords6.1.2.2. Generating Secure Random Numbers6.2. ENCRYPTING DATA6.2.1. Understanding Symmetric Encryption6.2.1.1. Protecting Data with Symmetric Encryption6.2.1.2. Choosing a Symmetric Algorithm6.2.1.3. Generating Keys and Initialization Vectors6.2.1.4. Encrypting and Decrypting Your Data6.2.1.5. Using Session Keys6.2.1.6. Ensuring That Data Does Not Change6.2.1.7. Putting it All Together6.2.2. Sharing Secrets with Asymmetric Encryption6.2.2.1. Using Asymmetric Encryption without Certificates6.2.2.2. Using Certificates for Asymmetric Encryption6.2.2.3. Getting a Certificate6.2.2.4. Encrypting Your Data6.2.2.5. Decrypting Your Data6.2.2.6. Ensuring That Data Does Not Change6.2.2.7. Allowing Access to a Certificate's Private Key6.2.2.8. Creating Test Certificates with MAKECERT6.2.2.9. Putting it All Together6.2.3. Using the Windows DPAPI6.3. A CHECKLIST FOR ENCRYPTION
II. Securing Common ASP.NET Tasks
7. Adding Usernames and Passwords
7.1. AUTHENTICATION AND AUTHORIZATION7.2. DISCOVERING YOUR OWN IDENTITY7.3. ADDING AUTHENTICATION IN ASP.NET7.3.1. Using Forms Authentication7.3.1.1. Configuring Forms Authentication7.3.1.2. Using SQL as a Membership Store7.3.1.3. Creating Users7.3.1.4. Examining How Users Are Stored7.3.1.5. Configuring the Membership Settings7.3.1.6. Creating Users Programmatically7.3.1.7. Supporting Password Changes and Resets7.3.2. Windows Authentication7.3.2.1. Configuring IIS for Windows Authentication7.3.2.2. Impersonation with Windows Authentication7.4. AUTHORIZATION IN ASP.NET7.4.1. Examining <allow>and <deny>7.4.2. Role-Based Authorization7.4.2.1. Configuring Roles with Forms-Based Authentication7.4.2.2. Using the Configuration Tools to Manage Roles7.4.2.3. Managing Roles Programmatically7.4.2.4. Managing Role Members Programmatically7.4.2.5. Roles with Windows Authentication7.4.2.6. Limiting Access to Files and Folders7.4.3. Checking Users and Roles Programmatically7.4.3.1. Securing Object References7.5. A CHECKLIST FOR AUTHENTICATION AND AUTHORIZATION
8. Securely Accessing Databases
8.1. WRITING BAD CODE: DEMONSTRATING SQL INJECTION8.2. FIXING THE VULNERABILITY8.3. MORE SECURITY FOR SQL SERVER8.3.1. Connecting Without Passwords8.3.2. SQL Permissions8.3.2.1. Adding a User to a Database8.3.2.2. Managing SQL Permissions8.3.2.3. Groups and Roles8.3.2.4. Least Privilege Accounts8.3.3. Using Views8.3.4. SQL Express User Instances8.3.5. Drawbacks of the VS Built-in Web Server8.3.6. Dynamic SQL Stored Procedures8.3.7. Using SQL Encryption8.3.7.1. Encrypting by Pass Phrase8.3.7.2. SQL Symmetric Encryption8.3.7.3. SQL Asymmetric Encryption8.3.7.4. Calculating Hashes and HMACs in SQL8.4. A CHECKLIST FOR SECURELY ACCESSING DATABASES
9. Using the File System
9.1. ACCESSING EXISTING FILES SAFELY9.1.1. Making Static Files Secure9.1.1.1. Checking That Your Application Can Access Files9.1.2. Making a File Downloadable and Setting Its Name9.1.3. Adding Further Checks to File Access9.1.3.1. Adding Role Checks9.1.3.2. Anti-Leeching Checks9.1.4. Accessing Files on a Remote System9.2. CREATING FILES SAFELY9.3. HANDLING USER UPLOADS9.3.1. Using the File Upload_Control9.4. A CHECKLIST FOR SECURELY ACCESSING FILES
10. Securing XML
10.1. VALIDATING XML10.1.1. Well-Formed XML10.1.2. Valid XML10.1.3. XML Parsers10.2. QUERYING XML10.2.1. Avoiding XPath Injection10.3. SECURING XML DOCUMENTS10.3.1. Encrypting XML Documents10.3.1.1. Using a Symmetric Encryption Key with XML10.3.1.2. Using an Asymmetric Key Pair to Encrypt and Decrypt XML10.3.1.3. Using an X509 Certificate to Encrypt and Decrypt XML10.3.2. Signing XML Documents10.4. A CHECKLIST FOR XML
III. Advanced ASP.NET Scenarios
11. Sharing Data with Windows Communication Foundation
11.1. CREATING AND CONSUMING WCF SERVICES11.2. SECURITY AND PRIVACY WITH WCF11.2.1. Transport Security11.2.2. Message Security11.2.3. Mixed Mode11.2.4. Selecting the Security Mode11.2.5. Choosing the Client Credentials11.3. ADDING SECURITY TO AN INTERNET SERVICE11.4. SIGNING MESSAGES WITH WCF11.5. LOGGING AND AUDITING IN WCF11.6. VALIDATING PARAMETERS USING INSPECTORS11.7. USING MESSAGE INSPECTORS11.8. THROWING ERRORS IN WCF11.9. A CHECKLIST FOR SECURING WCF
12. Securing Rich Internet Applications
12.1. RIA ARCHITECTURE12.2. SECURITY IN AJAX APPLICATIONS12.2.1. The XMLHttpRequest Object12.2.2. The Ajax Same Origin Policy12.2.3. The Microsoft ASP.NET Ajax Framework12.2.3.1. Examining the UpdatePanel12.2.3.2. Examining the ScriptManager12.2.3.3. Security Considerations with UpdatePanel and ScriptManager12.3. SECURITY IN SILVERLIGHT APPLICATIONS12.3.1. Understanding the CoreCLR Security Model12.3.2. Using the HTML Bridge12.3.2.1. Controlling Access to the HTML DOM12.3.2.2. Exposing Silverlight Classes and Members to the DOM12.3.3. Accessing the Local File System12.3.4. Using Cryptography in Silverlight12.3.5. Accessing the Web and Web Services with Silverlight12.4. USING ASP.NET AUTHENTICATION AND AUTHORIZATION IN AJAX AND SILVERLIGHT12.5. A CHECKLIST FOR SECURING AJAX AND SILVERLIGHT
13. Understanding Code Access Security
13.1. UNDERSTANDING CODE ACCESS SECURITY13.1.1. Using ASP.NET Trust Levels13.1.1.1. Demanding Minimum CAS Permissions13.1.1.2. Asking and Checking for CAS Permissions13.1.1.2.1. Imperative Demands13.1.1.2.2. Declarative Demands13.1.1.3. Testing Your Application Under a New Trust Level13.1.1.4. Using the Global Assembly Cache to Run Code Under Full Trust13.1.2. .NET 4 Changes for Trust and ASP.NET13.2. A CHECKLIST FOR CODE NOT UNDER FULL TRUST
14. Securing Internet Information Server (IIS)
14.1. INSTALLING AND CONFIGURING IIS714.1.1. IIS Role Services14.1.1.1. Removing Global Features for an Individual Web Site14.1.2. Creating and Configuring Application Pools14.1.3. Configuring Trust Levels in IIS14.1.3.1. Locking Trust Levels14.1.3.2. Creating Custom Trust Levels14.2. FILTERING REQUESTS14.2.1. Filtering Double-Encoded Requests14.2.2. Filtering Requests with Non-ASCII Characters14.2.3. Filtering Requests Based on File Extension14.2.4. Filtering Requests Based on Request Size14.2.5. Filtering Requests Based on HTTP Verbs14.2.6. Filtering Requests Based on URL Sequences14.2.7. Filtering Requests Based on Request Segments14.2.8. Filtering Requests Based on a Request Header14.2.9. Satus Codes Returned to Denied Requests14.3. USING LOG PARSER TO MINE IIS LOG FILES14.4. USING CERTIFICATES14.4.1. Requesting an SSL Certificate14.4.2. Configuring a Site to Use HTTPS14.4.3. Setting up a Test Certification Authority14.5. A CHECKLIST FOR SECURING INTERNET INFORMATION SERVER (IIS)
15. Third-Party Authentication
15.1. A BRIEF HISTORY OF FEDERATED IDENTITY15.2. USING THE WINDOWS IDENTITY FOUNDATION TO ACCEPT SAML AND INFORMATION CARDS15.2.1.15.2.1.1. Creating a "Claims-Aware" Web Site15.2.1.2. Accepting Information Cards15.2.1.3. Working with a Claims Identity15.3. USING OPENID WITH YOUR WEB SITE15.4. USING WINDOWS LIVE ID WITH YOUR WEB SITE15.5. A STRATEGY FOR INTEGRATING THIRD-PARTY AUTHENTICATION WITH FORMS AUTHENTICATION15.6. SUMMARY
16. Secure Development with the ASP.NET MVC Framework
16.1. MVC INPUT AND OUTPUT16.1.1. Protecting Yourself Against XSS16.1.2. Protecting an MVC Application Against CSRF16.1.3. Securing Model Binding16.1.4. Providing Validation for and Error Messages from Your Model16.2. AUTHENTICATION AND AUTHORIZATION WITH ASP.NET MVC16.2.1. Authorizing Actions and Controllers16.2.2. Protecting Public Controller Methods16.2.3. Discovering the Current User16.2.4. Customizing Authorization with an Authorization Filter16.3. ERROR HANDLING WITH ASP.NET MVC16.4. A CHECKLIST FOR SECURE DEVELOPMENT WITH THE ASP.NET MVC FRAMEWORK

Content preview from Beginning ASP.NET Security

Chapter 16. Secure Development with the ASP.NET MVC Framework

In late 2007, Microsoft introduced a preview of the ASP.NET Model-View-Controller (MVC) Framework, which represented a different approach to developing Web applications with ASP .NET. The v1.0 release came in 2009. The MVC framework departs from the event-driven model inherent to Web Forms development, and exposes more of the "rawness" behind HTTP and Web development. As stated in Professional ASP.NET MVC 1.0 by Rob Conery, Scott Hanselman, Phil Haack, and Scott Guthrie (Indianapolis: Wrox, 2009), in doing so, the MVC framework follows these three guiding tenets:

Be more extensible, maintainable, and flexible
Be testable
Get out of the user's way when necessary

By following these tenets, nothing is hidden or abstracted from the developer. There is no ViewState, no Web controls, and no drag-and drop-designers. MVC allows the developer to concentrate on development, and not on how Web forms implement things in the pipeline or in the controls.

The purpose of this chapter does not enter into a discussion about which approach is best, but rather highlights areas where an ASP.NET MVC developer should pay particular attention to security issues. Not all of these issues are new to ASP.NET MVC. Some you will have already discovered in earlier chapters. But the approaches or solutions to the vulnerabilities and issues are answered in terms and code specific to the MVC framework.

In this chapter, you will build upon your understanding ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780470743652Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Beginning ASP.NET Security

by Barry Dorrans

Chapter 16. Secure Development with the ASP.NET MVC Framework

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.