Secure Web Applications Ver0.01
Web Security with asp.net
1. Secure web Publications & Transactions

2. Agenda
- Web site Threats
- Dot NET based web site Protection
- Protection of data & Cryptography

3. Threats – Top 10 Web Application Attacks
- Cross Site Scripting (XSS)
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)

4. Threats – Top 10 Web Application Attacks
- Information Leakage & Improper Error Handling
- Broken Authentication & Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access

5. Threats – Other types of Attacks
- Anti DNS Pinning
- History Stealing
- Web Worms using XHR/Flash/QuickTime as a vector
- Intranet Hacking
- Session Fixation using URL Re-writing

6. Threats – Other types of Attacks
- Cross Protocol Exploitation
- Dropping SSL after Login
- Denial of Service (DoS) Attack
- SQL Injection

7. Dot Net
- Security Enforcement Guidelines with .NET

8. Dot Net - Validation
- Do not rely on ASP.NET Request validation
- Validate input for length, range, format, and type
- Validate input from all sources like QueryString, cookies, and HTML controls

9. Dot Net - Validation
- Do not echo untrusted input
- If you need to write out untrusted data, encode the output
- Avoid user-supplied file name and path input
- Do not rely on client-side validation
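The validation and output-encoding rules of slides 8 and 9 in code. This is an added example, not from the slide deck; the class `InputGuard`, its limits and the report-file table are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the slides: the same server-side checks applied
// to a value whatever its source (QueryString, cookie or HTML control), and
// encoding before any untrusted text is echoed. Names and limits are constructed.
public static class InputGuard
{
    // Whitelist for a user name: 1 to 32 letters, digits or underscores.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_]{1,32}$", RegexOptions.Compiled);

    // Length and format; runs on every request, whatever the browser checked.
    public static bool TryGetUserName(string raw, out string userName)
    {
        userName = null;
        if (string.IsNullOrEmpty(raw) || raw.Length > 32) return false;
        if (!UserNamePattern.IsMatch(raw)) return false;
        userName = raw;
        return true;
    }

    // Type and range for a numeric parameter.
    public static bool TryGetPageSize(string raw, out int pageSize)
    {
        pageSize = 0;
        int parsed;
        if (!int.TryParse(raw, out parsed) || parsed < 1 || parsed > 100) return false;
        pageSize = parsed;
        return true;
    }

    // The client supplies a key, never a file name or path; the server maps it.
    private static readonly Dictionary<string, string> ReportFiles =
        new Dictionary<string, string> { { "summary", "summary.pdf" }, { "detail", "detail.pdf" } };
    public static string ResolveReport(string key)
    {
        string file;
        if (key == null) return null;
        return ReportFiles.TryGetValue(key, out file) ? file : null;
    }

    // Untrusted text that must be written out is HTML-encoded, so < > & "
    // become entities and render as text, never as markup or script.
    public static string GreetingHtml(string rawName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(rawName) + "</p>";
    }
}
```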
10. Dot Net - Authentication - Forms
- Use membership providers instead of custom authentication
- Use SSL to protect credentials and authentication cookies
- If you cannot use SSL, consider reducing session lifetime
- Validate user login information

11. Dot Net - Authentication - Forms
- Do not store passwords directly in the user store
- Enforce strong passwords
- Protect access to your credential store
- Do not persist authentication cookies
- Restrict authentication tickets to HTTPS connections
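What "do not store passwords directly" and "enforce strong passwords" from slide 11 look like when a membership provider is not available. This is an added example, not from the slides; `PasswordStore`, the iteration count and the strength policy are constructed assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the slides: what goes into the user store is a
// salted PBKDF2 hash, never the password, and a strength policy is applied
// before hashing. Class name and parameters are constructed for the example.
public static class PasswordStore
{
    private const int SaltBytes = 16, HashBytes = 32;
    private const int Iterations = 10000;   // raise as hardware allows

    // Minimum length plus all four character classes.
    public static bool IsStrong(string password)
    {
        if (password == null || password.Length < 12) return false;
        bool upper = false, lower = false, digit = false, other = false;
        foreach (char c in password)
        {
            if (char.IsUpper(c)) upper = true;
            else if (char.IsLower(c)) lower = true;
            else if (char.IsDigit(c)) digit = true;
            else other = true;
        }
        return upper && lower && digit && other;
    }

    // Returns "iterations:salt:hash" (Base64); this string is all that is stored.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);            // per-user random salt
        byte[] hash = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
        return Iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Recomputes with the stored salt and compares every byte without an early
    // exit, so response time does not depend on how many bytes matched.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(expected.Length);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}
```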
12. Dot Net - Authentication - Forms
- Consider partitioning your site to restricted areas and public areas
- Use unique cookie names and paths

13. Dot Net - Authorizations
- Use URL authorization for page and directory access control
- Configure ACLs on your Web site files
- Use ASP.NET role manager for roles authorization
- If your role lookup is expensive, consider role caching
- Protect your authorization cookie

14. Dot Net - Code Access Security
- Consider code access security for partial trust applications
- Choose a trust level that does not exceed your application's requirements
- Create a custom trust policy if your application needs additional permissions
- Use Medium trust in shared hosting environments

15. Dot Net - Code Access Security
- Declarative Security
  - During compile time, specified in the assembly metadata (+decide)
- Imperative security
  - Enforced during run-time, by CLR (+decide)
- Set the Permissions
  - Like isolated storage permission, UIPermission, Registry permission (+decide)

16. Dot Net - Code Access Security - Security
- To enforce permissions the runtime “Walks the Stack”
  - If an untrusted assembly is encountered in the stack walk a security exception is thrown and permission is denied

17. Dot Net - Isolated Storage
- A Virtual file system, unique to each assembly.
- A set of types & methods supported by the Framework for local storage.
- Each assembly is given access to a segregated storage on disk.
- No access to other data is allowed. Isolated storage is 100% private.

18. Dot Net - Isolated Storage
- No need for file system path determination
- Access to isolated storage is restricted by zone:
  - Internet Zone: small quota
  - Intranet Zone: larger quota
  - Restricted Sites: No access
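The declarative and imperative styles of slide 15, the stack walk of slide 16 and the per-assembly store of slides 17 and 18, together in one added example that is not part of the slide deck. `TrustedStorage` and its file names are constructed; demands are enforced by the .NET Framework only when the host runs the code in partial trust (for example ASP.NET Medium trust), and .NET Core and .NET 5+ do not support CAS at all.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security;
using System.Security.Permissions;

// Added example, not from the slides: declarative and imperative CAS demands
// plus the per-assembly isolated store. Enforced by the .NET Framework under
// partial trust; ignored by .NET Core / .NET 5+. Names are constructed.
public static class TrustedStorage
{
    // Declarative: the demand is recorded in assembly metadata at compile time
    // and the CLR walks the stack for it before the method body runs.
    [IsolatedStorageFilePermission(SecurityAction.Demand,
        UsageAllowed = IsolatedStorageContainment.AssemblyIsolationByUser)]
    public static void SavePreference(string name, string value)
    {
        // No path comes from the caller: the store is private to this assembly
        // and user, so other code cannot read or overwrite it.
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        using (StreamWriter w = new StreamWriter(
                   new IsolatedStorageFileStream(name, FileMode.Create, store)))
            w.Write(value);
    }

    [IsolatedStorageFilePermission(SecurityAction.Demand,
        UsageAllowed = IsolatedStorageContainment.AssemblyIsolationByUser)]
    public static string LoadPreference(string name)
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            if (store.GetFileNames(name).Length == 0) return null;
            using (StreamReader r = new StreamReader(
                       new IsolatedStorageFileStream(name, FileMode.Open, store)))
                return r.ReadToEnd();
        }
    }

    // Imperative: the permission object is built and demanded at run time, so
    // it can depend on data; an untrusted assembly anywhere up the stack makes
    // Demand() throw SecurityException, reported here as "denied".
    public static bool CanReadFile(string path)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, Path.GetFullPath(path)).Demand();
            return true;
        }
        catch (SecurityException) { return false; }
    }
}
```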
19. Dot Net - Exception Management
- Use structured exception handling
- Do not reveal exception details to the client
- Use a global error handler to catch unhandled exceptions

20. Dot Net - Impersonation/Delegation
- Know your tradeoffs with impersonation
- Avoid Calling LogonUser
- Avoid programmatic impersonation where possible
- If you need to impersonate, consider threading issues
- If you need to impersonate, clean up appropriately

21. Dot Net - Parameter Manipulation
- Do not make security decisions based on parameters accessible on the client-side
- Validate all input parameters
- Avoid storing sensitive data in ViewState
- Encrypt ViewState if it must contain sensitive data

22. Dot Net - Session
- Do not rely on client-side state management options
- Protect your out-of-process state service
- Protect SQL Server session state

23. Dot Net - Auditing and Logging
- Use health monitoring to log and audit events
- Instrument for user management events
- Instrument for unusual activity
- Instrument for significant business operations
- Consider using an application-specific event source
- Protect audit and log files

24. Dot Net - Deployment Considerations
- Use a least-privileged account for running ASP.NET applications
- Encrypt configuration sections that store sensitive data
- Consider your key storage location
- Block Protected File Retrieval by Using HttpForbiddenHandler
- Configure the MachineKey to use the same keys on all servers in a Web farm
- Lock configuration settings to enforce policy settings

25. Dot Net - Communication Security
- Consider SSL vs. IPSec
- Optimize pages that use SSL

26. Data
- Data Protection

27. Data Access
- Encrypt your connection strings
- Use least-privileged accounts for database access
- Use Windows authentication where possible
- If you use Windows authentication, use a trusted service account
- If you cannot use a domain account, consider mirrored accounts

28. Data Access
- When using SQL authentication, use strong passwords
- When using SQL authentication, protect credentials over the network
- When using SQL authentication, protect credentials in configuration files
- Validate untrusted input passed to your data access methods
- When constructing SQL queries, use type safe SQL parameters
- Avoid dynamic queries that accept user input
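The last three points of slide 28 side by side: the dynamic query to avoid, the type-safe parameter form, and the same pattern for a stored procedure. This is an added example, not from the slides; `OrderLookup`, the Orders table, its column and the procedure name are constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the slides: the dynamic query the slide warns
// against, beside the parameterised form. Table, column and procedure names
// are constructed; the caller opens the connection under a least-privileged
// account (Windows authentication where possible).
public static class OrderLookup
{
    // Unsafe: the input is spliced into the SQL text, so a quote character in
    // the value changes the statement the server executes.
    public static int CountOrdersUnsafe(SqlConnection conn, string customerName)
    {
        string sql = "SELECT COUNT(*) FROM Orders WHERE CustomerName = '" + customerName + "'";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
            return (int)cmd.ExecuteScalar();
    }

    // Hardened: the value travels as a typed NVarChar parameter, separate from
    // the statement, so it is only ever compared, never parsed; the length cap
    // validates the untrusted input before it reaches the data layer.
    public static int CountOrders(SqlConnection conn, string customerName)
    {
        if (customerName == null || customerName.Length > 100)
            throw new ArgumentException("customerName missing or too long");
        const string sql = "SELECT COUNT(*) FROM Orders WHERE CustomerName = @name";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
            return (int)cmd.ExecuteScalar();
        }
    }

    // Stored procedures are called the same way: CommandType.StoredProcedure
    // plus typed parameters, never a string built from user input.
    public static int CountOrdersProc(SqlConnection conn, string customerName)
    {
        using (SqlCommand cmd = new SqlCommand("dbo.CountOrdersByCustomer", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
            return (int)cmd.ExecuteScalar();
        }
    }
}
```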
29. Sensitive Data
- Avoid plaintext passwords in configuration files
- Use platform features to manage keys where possible
- Do not pass sensitive data from page to page
- Protect sensitive data over the wire
- Do not cache sensitive data

30. Cryptography
- Cryptography

31. Cryptography
Turning plaintext into djqifsufyu.

Alg       Key Size in Bits
DES       64 (effective 56)
3-DES     192 (effective 168)
RC2       40, 128
Rijndael  128, 192 or 256

32. Cryptography - Digital Signatures
- Digital Signature Algorithm (DSA)
- XML Digital Signatures (XMLDSIG)
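The largest Rijndael key size from the slide 31 table and the DSA of slide 32 in one added example that is not part of the slide deck: the ciphertext is signed so that a verifier holding only the public key can detect modification before decrypting. `SealedMessage` is a constructed name; key material is supplied by the caller.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the slides: Rijndael with the 256-bit key size from
// the table, plus a DSA signature over the ciphertext so tampering is detected
// before decryption. Keys are generated by the caller only for demonstration.
public static class SealedMessage
{
    // CBC with a fresh random IV; returns IV || ciphertext.
    public static byte[] Encrypt(byte[] key256, byte[] plaintext)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            aes.Key = key256; aes.Mode = CipherMode.CBC;   // 32-byte key selects KeySize 256
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(ct, 0, output, aes.IV.Length, ct.Length);
                return output;
            }
        }
    }

    // Splits off the IV and decrypts; a corrupted block surfaces as CryptographicException.
    public static byte[] Decrypt(byte[] key256, byte[] sealedBytes)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            aes.Key = key256; aes.Mode = CipherMode.CBC;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(sealedBytes, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(sealedBytes, iv.Length, sealedBytes.Length - iv.Length);
        }
    }

    // DSA in this provider is 1024-bit with SHA-1: the private-key holder signs
    // the sealed bytes; a party holding only the public key XML verifies them.
    public static byte[] Sign(DSACryptoServiceProvider signer, byte[] sealedBytes)
    {
        return signer.SignData(sealedBytes);
    }
    public static bool Verify(string publicKeyXml, byte[] sealedBytes, byte[] signature)
    {
        using (DSACryptoServiceProvider dsa = new DSACryptoServiceProvider())
        {
            dsa.FromXmlString(publicKeyXml);
            return dsa.VerifyData(sealedBytes, signature);
        }
    }
}
```

The signing key is created with `new DSACryptoServiceProvider()` and its public half published through `ToXmlString(false)`; the 32-byte Rijndael key comes from `RNGCryptoServiceProvider` or, per slide 29, from platform key storage.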