C# and ASP.NET Code and Data-Access Security


  1. ASP.NET Security
     Darren Sim, MVP (ASP.NET / IIS)
     Member, Microsoft Developer Guidance Web Advisory Council
     Director, Singapore Software Quality Testing Board (SGTQB)
  2. ASP.NET Page Model
  3. Authentication
     • Authentication in ASP.NET
       – IIS authentication
       – ASP.NET authentication
     • ASP.NET authentication providers
       – Forms, Windows, Passport, Default, and Custom
  4. Forms Authentication
     • Uses a cookie to authenticate
     • Uses the session to authenticate
     • Enable SSL for the logon page
     • Often used for personalization
  5. Forms Authentication Workflow
  6. Forms Authentication Configuration
     • Enable anonymous access in IIS
     • Configure the <authentication> section
       – Set mode to "Forms"
       – Add the <forms> section
     • Configure the <authorization> section
       – Deny access to anonymous users
     • Create the logon page
       – Validate the user
       – Issue the authentication cookie
       – Redirect the user to the requested page
  7. <forms> Section Attributes
     • loginUrl: unauthenticated requests are redirected to this page
     • name: name of the authentication cookie
     • path: path of the authentication cookie
     • protection: All | None | Encryption | Validation
     • timeout: authentication cookie expiration time in minutes

     <authentication mode="Forms">
       <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />
     </authentication>
  8. Forms Authentication Code

     ' Validate the supplied credentials; on success issue the cookie and
     ' send the user back to the page originally requested.
     If FormsAuthentication.Authenticate(txtUserName.Value, txtUserPass.Value) Then
         FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
                                                   chkPersistCookie.Checked)
     Else
         Response.Redirect("logon.aspx", False)
     End If
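The same logon flow in C#, as an added example that is not part of the original deck. It assumes an ASP.NET 2.0 Web Forms page that declares txtUserName, txtUserPass, chkPersistCookie and lblError, and that the users are listed in the <credentials> section of web.config with passwordFormat="SHA1" (all of these are assumptions for the example).

```csharp
// Added example (C#, ASP.NET 2.0 Web Forms code-behind), not from the original deck.
// Assumes the page declares txtUserName, txtUserPass (TextMode="Password"),
// chkPersistCookie and lblError, and that web.config holds:
//   <authentication mode="Forms">
//     <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30">
//       <credentials passwordFormat="SHA1">
//         <user name="alice" password="...hex produced by HashForConfig()..." />
//       </credentials>
//     </forms>
//   </authentication>
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUserName.Text.Trim();
        string pass = txtUserPass.Text;

        // Reject empty input before consulting the credential store.
        if (user.Length == 0 || pass.Length == 0)
        {
            lblError.Text = "User name and password are required.";
            return;
        }

        // Authenticate compares against <credentials>; with passwordFormat="SHA1"
        // the stored value is a hash, so web.config never holds the clear-text password.
        if (FormsAuthentication.Authenticate(user, pass))
        {
            // Issues the authentication cookie (encrypted and signed because
            // protection="All") and redirects to the page originally requested.
            FormsAuthentication.RedirectFromLoginPage(user, chkPersistCookie.Checked);
        }
        else
        {
            // One message for "no such user" and "wrong password": do not reveal which failed.
            lblError.Text = "Logon failed.";
        }
    }

    // Produces the value to paste into <user password="..."/> for the SHA1 format.
    public static string HashForConfig(string clearTextPassword)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(clearTextPassword, "SHA1");
    }
}
```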
  9. Windows Authentication
     • Can be used in combination with Basic, NTLM, Digest, Kerberos, and so forth
     • User is authenticated by IIS
     • Easiest of all
     • Request flow
       – Client makes request
       – IIS authenticates request, forwards to ASP.NET
       – Impersonation turned on?
       – ASP.NET returns response to client
  10. Windows Authentication Configuration
     • Set mode to "Windows"
     • Configure the <authorization> section
     • Example:

     <authentication mode="Windows" />
     <authorization>
       <deny users="?" />
       <allow users="*" />
     </authorization>
  11. Authorization
     • Process of determining whether a user is allowed to perform a requested action
     • File-based authorization
       – Performed by FileAuthorizationModule
       – Performs checks against Windows ACLs
     • Custom: handle the AuthorizeRequest event
       – Application level (global.asax)
       – HTTP module (implement IHttpModule)
     • URL-based authorization
       – Performed by UrlAuthorizationModule
       – Positive and negative assertions
       – Can selectively allow or deny access to URI namespaces
  12. URL Authorization Configuration
     • Add the <authorization> section
     • Add <allow> and <deny> elements
     • Example: allow "Admins" or "WebUsers" and deny all others:

     <authorization>
       <allow roles="Admins" />
       <allow roles="WebUsers" />
       <deny users="*" />
     </authorization>
  13. Architecture of a Three-Tier Application
     (Diagram: Client tier with the user interface and supporting software; Application Server tier with the application logic and database API; DBMS / Database Server tier with the database engine and the database.)
  14. Architecture of a Four-Tier Application
     (Diagram: Client tier with the user interface; Web Server tier; Application Server tier with the application logic and database API; DBMS / Database Server tier with the database engine and the database.)
  15. ADO.NET
     ADO.NET is the database API for managed applications (application servers) to talk to database servers (DBMS: Database Management Systems).
     • A database API for managed applications
     • A set of classes in the .NET FCL System.Data namespace
     • Designed to work over the Web
     • Integrates effortlessly with XML
     • Maps very well to the stateless, text-based protocol HTTP
     • Accesses databases through modules known as data providers (a set of APIs that make the accesses easy to program)
  16. Two Data Providers
     1. The SQL Server .NET provider
        – Interfaces to Microsoft SQL Server (7.0 or later)
        – All managed code
        – Code runs faster
        – Code not portable to other databases
     2. The OLE DB .NET provider
        – OLE: Object Linking and Embedding
        – Interfaces to databases through unmanaged OLE DB providers: SQLOLEDB for SQL Server (6.5 or earlier), MSDAORA for Oracle, and Microsoft.Jet.OLEDB.4.0 for the Microsoft Jet database engine
        – Code runs slower
        – Code portable to other databases
  17. The System.Data.SqlClient and System.Data.OleDb Namespaces
     Classes in System.Data.SqlClient are for the SQL Server .NET provider:

     using System;
     using System.Data.SqlClient;

     SqlConnection conn = new SqlConnection("server=localhost;database=pubs;uid=sa;pwd=");
     try {
         conn.Open();
         SqlCommand cmd = new SqlCommand("select * from titles", conn);
         SqlDataReader reader = cmd.ExecuteReader();
         while (reader.Read())
             Console.WriteLine(reader["title"]);
     }
     catch (SqlException ex) {
         Console.WriteLine(ex.Message);
     }
     finally {
         conn.Close();   // always release the connection, even after an exception
     }
  18. The System.Data.SqlClient and System.Data.OleDb Namespaces (continued)
     Classes in System.Data.OleDb are for the OLE DB .NET provider:

     using System;
     using System.Data.OleDb;

     OleDbConnection conn = new OleDbConnection("provider=sqloledb;server=localhost;database=pubs;uid=sa;pwd=");
     try {
         conn.Open();
         OleDbCommand cmd = new OleDbCommand("select * from titles", conn);
         OleDbDataReader reader = cmd.ExecuteReader();
         while (reader.Read())
             Console.WriteLine(reader["title"]);
     }
     catch (OleDbException ex) {
         Console.WriteLine(ex.Message);
     }
     finally {
         conn.Close();
     }
  19. Pattern of Database Programming
     1. Create a connection object.
     2. Open the connection.
     3. Create a command object.
     4. Execute the command.
     5. Access the data.
     6. Close the connection.
  20. Connections, Commands, and DataReaders
     • Connection objects represent physical connections to a database: SqlConnection or OleDbConnection
     • Command objects represent the commands performed on a database: SqlCommand or OleDbCommand
     • DataReader objects represent the data obtained by the commands: SqlDataReader or OleDbDataReader
  21. Connection Objects
     The SqlConnection class and its ConnectionString property:

     SqlConnection conn = new SqlConnection();
     conn.ConnectionString = "server=localhost;database=pubs;uid=sa;pwd=";

     or

     SqlConnection conn = new SqlConnection("server=localhost;database=pubs;uid=sa;pwd=");

     Errors in the connection string only throw exceptions at runtime.
  22. Server
     • Server=localhost or Server=(local) or Data Source=(local)
     • SQL Server permits different instances of servers to be installed on a given machine.
       – server=db1 (a database server computer named "db1" at the CS department of UA)
       – server=hawkeye\wintellect (an instance of SQL Server named Wintellect on a remote machine named Hawkeye)
     • Database or Initial Catalog: database name (e.g. Pubs)
     • UID or User ID, Pwd: login name and password (e.g. tempdb, tempdb)
  23. Server (continued)
     • Min Pool Size and Max Pool Size: the size of the connection pool (the defaults are 0 and 100)
     • Integrated Security: defaults to false; otherwise uses Windows access tokens for authentication.
     • Connect Timeout: how many seconds to wait for a connection to open (default = 15).

     SqlConnection conn = new SqlConnection("server=hawkeye\\wintellect;database=pubs;uid=sa;pwd=;" +
         "min pool size=10;max pool size=50;connect timeout=10");
  24. Exceptions and Closing Open Connections
     Exceptions should never go uncaught, and open connections should always be closed before terminating. (Calling Close on a connection that's not open isn't harmful.)

     SqlConnection conn = new SqlConnection("server=localhost;database=pubs;uid=sa;pwd="); // before the try block
     try {
         conn.Open();
         // TODO: Use the connection
     }
     catch (SqlException e) {
         Console.WriteLine(e.Message);
         // TODO: Handle the exception
     }
     finally {
         conn.Close();
     }
  25. Command Classes: SqlCommand and OleDbCommand
     – Encapsulate SQL commands performed on a database.
     – Rely on connections already established.
     – Include methods to execute the commands they encapsulate.
     Example: delete a record from the Pubs database's "Titles" table using an SQL DELETE command:

     SqlCommand cmd = new SqlCommand("delete from titles where title_id = 'BU1032'", conn);
     cmd.CommandTimeout = 10; // Allow 10 seconds; the default is 30.
     cmd.ExecuteNonQuery();   // Execute the command
  26. The ExecuteNonQuery Method
     For executing DML and DDL commands: CREATE, INSERT, UPDATE, DELETE, … Does not return any data. Examples:

     SqlCommand cmd = new SqlCommand("create database MyDatabase", conn);
     cmd.ExecuteNonQuery();

     SqlCommand cmd = new SqlCommand("create table titles …", conn);
     cmd.ExecuteNonQuery();

     SqlCommand cmd = new SqlCommand("insert into titles (title_id, title, type, pubdate) " +
         "values ('JP1001', 'Programming Microsoft .NET', 'business', 'May 2002')", conn);
     cmd.ExecuteNonQuery();
  27. The ExecuteNonQuery Method (continued)

     SqlCommand cmd = new SqlCommand("update titles set title_id = 'JP2002' " +
         "where title_id = 'JP1001'", conn);
     cmd.ExecuteNonQuery();

     SqlCommand cmd = new SqlCommand("delete from titles where title_id = 'JP2002'", conn);
     cmd.ExecuteNonQuery();
  28. The ExecuteScalar Method
     Executes a query command and returns a single value from the result set, such as COUNT, AVG, MIN, MAX, and SUM.

     SqlCommand cmd = new SqlCommand("select min(price) from titles", conn);
     decimal amount = (decimal) cmd.ExecuteScalar();
     Console.WriteLine("ExecuteScalar returned {0:c}", amount);
  29. The ExecuteScalar Method (continued)
     Another common use for ExecuteScalar is to retrieve BLOBs (binary large objects) from databases. For example, retrieving an image from the "Logo" field of the Pubs database's "Pub_info" table and encapsulating it in a bitmap:

     using System.IO;
     using System.Drawing;
     using System.Data.SqlClient;

     SqlCommand cmd = new SqlCommand("select logo from pub_info where pub_id = '0736'", conn);
     byte[] blob = (byte[]) cmd.ExecuteScalar();
     MemoryStream stream = new MemoryStream();  // in-memory stream holding the image bytes
     stream.Write(blob, 0, blob.Length);
     stream.Position = 0;                       // rewind before the Bitmap reads it
     Bitmap bitmap = new Bitmap(stream);
     stream.Close();
  30. Write a BLOB to a Database

     FileStream stream = new FileStream("Logo.jpg", FileMode.Open);
     byte[] blob = new byte[stream.Length];
     stream.Read(blob, 0, (int) stream.Length);
     stream.Close();
     SqlCommand cmd = new SqlCommand("insert into pub_info (pub_id, logo) values ('9937', @logo)", conn);
     cmd.Parameters.Add("@logo", blob);   // binary data travels as a parameter, never concatenated into the SQL
     cmd.ExecuteNonQuery();
  31. The ExecuteReader Method
     • For performing database queries and obtaining the results as quickly and efficiently as possible.
     • Returns a DataReader object.
     • Pulls back only the data to be "Read" by the DataReader, not all records satisfying the query condition.

     SqlCommand cmd = new SqlCommand("select * from titles", conn);
     SqlDataReader reader = cmd.ExecuteReader();
     while (reader.Read())
         Console.WriteLine(reader["title"]);

     Each call to "Read" returns one row from the result set. The property indexer extracts the value of the record's "title" field. Fields can be referenced by name or by numeric index (0-based).
  32. DataReader
     • Reads data.
     • Reads schema (metadata).
     • Stream-based access to the results of database queries.
     • Fast and efficient.
     • Read-only and forward-only.
     • Closing a DataReader: reader.Close() does NOT close the connection; it only frees the connection for others to use.
     • DEFENSIVE PROGRAMMING.
  33. DataSets
     Set-based database accesses:
     • Capture an entire query in memory
     • Support backward and forward traversal
     • Edit data and propagate the changes back to the database
  34. DataSet, DataTable and DataAdapter
     .NET supports set-based database accesses through three classes:
     • DataSet: the equivalent of an in-memory database. It consists of a collection of DataTables.
     • DataTables are created by a DataAdapter (SqlDataAdapter and OleDbDataAdapter).
     • A DataSet doesn't interact with databases directly; the DataAdapter reads the physical data sources and fills DataTables and DataSets.
  35. DataSets vs. DataReaders
     • To simply query a database and read through the records one at a time until you find the one you're looking for, a DataReader is the right tool. DataReaders (1) retrieve only the data that you actually use, and (2) don't consume memory storing every record that you read, but (3) they can't iterate backward.
     • To use all the query results, to iterate backward and forward through a result set, or to cache the result set in memory, use a DataSet. Many controls that support DataSets are perfectly capable of binding to DataReaders.
  36. DataGrid (GUI)
     • DataGrid is an ASP.NET control for displaying datasets.
     • Database displaying procedure:
       – Use a DataAdapter to get data from the database.
       – Fill the data into a DataSet.
       – Bind the DataSet to a DataGrid.
       – Select the fields (columns) to be displayed and their header texts.
  37. Example: DataAdapter, DataSet and DataGrid (GUI)

     <asp:DataGrid ID="MyDataGrid" OnItemCommand="OnItemCommand" RunAt="server">
       <Columns>
         <asp:BoundColumn HeaderText="Title" DataField="title" />
         <asp:BoundColumn HeaderText="Price" DataField="price" DataFormatString="{0:c}" />
         <asp:ButtonColumn HeaderText="Action" Text="Add to Cart" CommandName="AddToCart" />
       </Columns>
     </asp:DataGrid>

     Examples/C9/Congo-MySQL/ViewCart.aspx
  38. Example: DataAdapter, DataSet and DataGrid (GUI) (continued)

     void Page_Load(Object sender, EventArgs e)
     {
         if (!IsPostBack) {
             string ConnectString = ConfigurationSettings.AppSettings["connectString"];
             MySqlDataAdapter adapter = new MySqlDataAdapter("select * from titles where price != 0", ConnectString);
             DataSet ds = new DataSet();
             adapter.Fill(ds);
             MyDataGrid.DataSource = ds;
             MyDataGrid.DataBind();   // Bind data to GUI
         }
     }
  39. Transaction Commands
     • A transaction is a logical unit of operations grouped together. If one of the operations fails, the others fail too (or are rolled back).
     • Distributed transactions: transactions that span two or more databases. The .NET Framework supports distributed transactions.
     • .NET also supports local transactions (one database):
  40. Transacted Commands

     // Start a local transaction
     SqlTransaction trans = conn.BeginTransaction(IsolationLevel.Serializable);
     // Create and initialize a SqlCommand object
     SqlCommand cmd = new SqlCommand();
     cmd.Connection = conn;
     cmd.Transaction = trans;
     // Debit $1,000 from account 1111
     cmd.CommandText = "update accounts set balance = " +
         "balance - 1000 where account_id = 1111";
     cmd.ExecuteNonQuery();
     // Credit $1,000 to account 2222
     cmd.CommandText = "update accounts set balance = " +
         "balance + 1000 where account_id = 2222";
     cmd.ExecuteNonQuery();
     // Commit the transaction (commit changes)
     trans.Commit();
  41. Transacted Commands (continued)
     • IsolationLevel.Serializable locks down the records while they're updated so that they can't be read or written.
     • Committing the transaction writes the changes to the database.
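The slide-40 transfer carried through with the rollback that slide 39 promises, parameters instead of concatenated amounts, and "using" blocks so the connection is released on every path, as an added example that is not code from the deck. It assumes a table accounts(account_id int, balance money) and a connection string named "AccountsDb" in web.config; both names are assumptions.

```csharp
// Added example (C#), not from the original deck: the slide-40 transfer with parameters,
// a rollback path, and "using" so connection and transaction are released on every path.
// Assumptions: table accounts(account_id int, balance money) and a connection string
// named "AccountsDb" in web.config.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class Transfers
{
    // Moves amount from one account to another atomically. Returns true on commit,
    // false when the debit would overdraw or either account does not exist.
    public static bool Transfer(int fromId, int toId, decimal amount)
    {
        if (amount <= 0) throw new ArgumentOutOfRangeException("amount");

        string connStr = ConfigurationManager.ConnectionStrings["AccountsDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        {
            conn.Open();
            // Serializable: nobody else reads or writes these rows until Commit or Rollback.
            using (SqlTransaction trans = conn.BeginTransaction(IsolationLevel.Serializable))
            using (SqlCommand cmd = conn.CreateCommand())
            {
                cmd.Transaction = trans;
                cmd.CommandTimeout = 10;
                cmd.Parameters.Add("@amt", SqlDbType.Money).Value = amount;
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = fromId;
                try
                {
                    // Debit only if funds suffice; exactly one row must change.
                    cmd.CommandText = "update accounts set balance = balance - @amt " +
                                      "where account_id = @id and balance >= @amt";
                    if (cmd.ExecuteNonQuery() != 1) { trans.Rollback(); return false; }

                    cmd.CommandText = "update accounts set balance = balance + @amt " +
                                      "where account_id = @id";
                    cmd.Parameters["@id"].Value = toId;
                    if (cmd.ExecuteNonQuery() != 1) { trans.Rollback(); return false; }

                    trans.Commit();
                    return true;
                }
                catch
                {
                    // Any failure undoes the debit as well, so money is never lost in transit.
                    // Connection is null once the transaction has already completed.
                    if (trans.Connection != null) trans.Rollback();
                    throw;
                }
            }
        }
    }
}
```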
  42. Using a DataGrid to Represent a DataSet Loaded from XML

     DataSet ds = new DataSet();
     ds.ReadXml(Server.MapPath("Bonuses.xml"));
     MyDataGrid.DataSource = ds;
     MyDataGrid.DataBind();
  43. SQL Injection
     • How do Web pages work?
     • INPUT rendered from a TextBox Web control
     • Query string
     • Values are concatenated into a SQL command
       – Search knowledge base
       – Paged results
       – Look for a specific record
         • User credentials
  44. What really exists!
     • DON'T LIKE
       – More comfort for the user

       string sql = "select * from KB where content like '" + search.Text + "'";

     • Hacker types: %

       string sql = "select * from KB where content like '%'";

     • User authentication!
  45. SQL Injection Attack
     • Developer concatenates SQL statements:

       string sql = "select * from Users where user = '" + User.Text + "' and pwd = '" + Password.Text + "'";

     • Hacker types: ' or 1=1 --

       select * from Users where user = '' or 1=1 -- ' and pwd = ''

     • Result is the first database entry
       – Maybe the Admin
  46. SQL Injection Attack (continued)
     • Take over control
     • User types: ; xp_cmdshell format c: /q /yes ; drop database myDB; --

       select * from tabelle where id=1; xp_cmdshell format c: /q /yes ; drop database myDB; --

     • Result: Hacker can do everything
       – SQL process runs with system privileges
  47. SQL Injection Attack (continued)
     • Never use "sa"
       – Default blank password
       – Hackers know a lot about sa
       – Trusted security
       – Application user
         • Only with the needed access rights
     • Storing connection strings
       – Web.config
         • Hashed, not clear text
       – In the error case, source code is often visible
  48. Best Solution
     • Use parameterized SQL:

       sql = "select * from Users where user = @user and pwd = @pwd";
       SqlCommand cmd = new SqlCommand(sql, con);
       cmd.Parameters.Add("@user", User.Text);
       cmd.Parameters.Add("@pwd", Password.Text);

     • Use stored procedures
     • Cookie & URL injection
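The knowledge-base search of slide 44 rewritten with the parameterized approach of slide 48, as an added example that is not code from the deck. Parameters stop the text from being parsed as SQL, and escaping the LIKE wildcards stops a typed "%" from matching every row (the slide's "hacker types: %" case); the KB table and its title/content columns are assumptions.

```csharp
// Added example (C#, System.Data.SqlClient): the knowledge-base search from slide 44,
// rewritten so user input can neither change the statement nor act as a wildcard.
// Assumes a table KB(id int, title nvarchar, content nvarchar); names are assumptions.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class KbSearch
{
    // LIKE treats %, _ and [ as wildcards, so they must be escaped even when parameterized;
    // the backslash is used as the ESCAPE character below, so escape it first.
    public static string EscapeLikePattern(string input)
    {
        return input.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    public static List<string> Search(SqlConnection conn, string userText, int maxLen)
    {
        // Bound the length first: very long patterns are a cheap way to load the server.
        if (userText == null || userText.Length == 0 || userText.Length > maxLen)
            return new List<string>();

        const string sql =
            "select top 50 title from KB where content like @pattern escape '\\'";
        List<string> titles = new List<string>();
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // The text travels as a typed parameter value, never as part of the SQL string.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 4000).Value =
                "%" + EscapeLikePattern(userText) + "%";
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    titles.Add(reader.GetString(0));
            }
        }
        return titles;
    }
}
```

With this code a search for "%" looks for a literal percent sign, and "' or 1=1 --" is just text that matches nothing.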
  49. Cross-Site Scripting
     • User input is stored in the database
     • Database content is presented
     • Injection of
       – HTML code
       – JScript code
     • A different denial of service: <script>
     • Redirect the user to a dialer page:

       <script language="JScript">window.navigate("net.htm");</script>
  50. Cross-Site Scripting (continued)
     • Don't trust the user
       – Use validator controls
       – Use regexp
         • Remove: < > " % ; ) ( & + -
       – Check the length
       – Use Server.HtmlEncode
     • .NET 1.1
       – By default, no HTML code in TextBoxes
       – Page attribute ValidateRequest="false"
  51. HTTP Harvesting
     • Database-driven websites
     • Display results based on
       – Text input, query string, cookie
     • Special type of SQL query language
     • DataGrid list with detail link
       – Detail.aspx?id=1
     • Session attaching + page link
     • Email addresses for spammers
  52. Prevent HTTP Harvesting
     • Encrypt query strings
     • Combine user input with textboxes
     • Use JScript to write the data
     • Draw the data
       – System.Drawing
     • Monitor the web usage
     • Third-party review
  53. Canonicalization
     • Character sets: URL, query string, filename
       – %20 = " "
     • IP address as decimal
     • Compare values
       – HtmlDecode
  54. Architecture
     • Operating system
       – Reduce the rights of accounts
         • Never use Admin rights
       – Switch off unused services and ports
     • Web farm
       – Use IPsec to encrypt traffic
         • Between SQL Server and the Web application
         • Session management
       – IP restrictions
     • Change commonly used things
       – Directories, users, paths