Current Popular IT I, Pertemuan 9 (Meeting 9)

Matakuliah (Course): T0403/Current Popular IT I
Tahun (Year): 2008

Learning Outcomes

• Learners know the security details of ASP.NET
• Learners can implement security in ASP.NET
• Learners can use the security controls in ASP.NET

Bina Nusantara Copyright © Surya Sujarwo 2008

Material Outline

• What, Why, Who in Security
• Treating the Client with Caution
• Storing Secrets
• Securing Database Access
• Implementing Password Policies
• Impersonation
• Validation in Depth
• Using Login Controls
• Using ASP.NET Membership
• Security Processing for Each Request
• Configuring System Security
• A Matter of Trust
• Forms Authentication
• Session State
• Security for Pages and Compilation
• The Provider Model
• Membership
• SqlMembershipProvider
• Role Manager
• SqlRoleProvider

What, Why, Who in Security

• What?
  – Vulnerability: a way the application can be used other than as it was intended
  – Threat: the possibility that a vulnerability will be used against you
  – Exploit: the use of a vulnerability to realize a threat
• Why?
  – A web application is a double-edged sword: the same exposure that serves customers also serves attackers
  – The law: “Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.”
  – Attacks on web applications:
    • Unauthorized access
    • Code execution
    • Denial of service
    • Information theft
    • Damage to information

Bina Nusantara References: Professional ASP.NET Security (Russ Basiura, et al, 2002)

What, Why, Who in Security (Continue…)

  – Buffer overflows
  – Script injection and cross-site scripting (for example, to steal the session cookie)
  – SQL injection
  – Distributed denial of service (DDoS): many machines attack one target
  – Social engineering: the human is tricked, not the software
  – Brute-force attacks
  – Everybody is attacked sooner or later
  – Security is not just about keeping people out

• Who?
  – The network (network administrators)
  – Web servers (application designers)
  – Database servers (database administrators)
  – Client machines (programmers, users, managers)


Treating the Client with Caution

• Script injection
  – Never trust free-text input such as a textbox: reject or encode script before it is stored or rendered
• Cross-site scripting
  – Do not loop over the whole QueryString collection echoing every value back into the page
  – Check each QueryString value you do use against the shape the page expects (a whitelist), rather than trying to spot attacks
• SQL injection
  – Use parameters in SQL queries; never build SQL text by concatenating input
  – Validate, filter and encode input fields
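The three points above, as an added example (this is not code from the slides or from the cited book): one user lookup written the vulnerable way and the parameterised way, plus a whitelist check for a query-string value. The table and column names (Users, UserName, PasswordHash, Salt), the product-id pattern and the connection string are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not from the slides. Table/column names and the connection
// string are assumed placeholders.
public static class LoginQueries
{
    // VULNERABLE: the user name becomes part of the SQL text. An input of
    //   ' OR '1'='1
    // closes the quoted literal and appends a tautology, so the WHERE clause
    // matches every row and the attacker reads the first user's credentials.
    public static string VulnerableSql(string userName)
    {
        return "SELECT PasswordHash, Salt FROM Users WHERE UserName = '" + userName + "'";
    }

    // HARDENED: the SQL text is a constant; the value travels as a typed
    // parameter, so the database never parses it as code. The same input
    // above is simply a user name that does not exist.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT PasswordHash, Salt FROM Users WHERE UserName = @user";
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    // Validation for a query-string value: accept only the shape the page
    // expects (here a numeric id) instead of trying to detect attack strings.
    static readonly Regex ProductIdPattern = new Regex(@"^\d{1,9}$", RegexOptions.Compiled);

    public static bool IsValidProductId(string value)
    {
        return value != null && ProductIdPattern.IsMatch(value);
    }

    public static void Main()
    {
        string attack = "' OR '1'='1";
        Console.WriteLine(VulnerableSql(attack));   // the tautology is now part of the statement

        // The connection is never opened here, so no database is needed to run this.
        using (SqlConnection conn = new SqlConnection("Server=.;Database=Members;Trusted_Connection=yes"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, attack);
            Console.WriteLine(cmd.CommandText);               // SQL text unchanged: the attack is just data
            Console.WriteLine(cmd.Parameters["@user"].Value);  // the literal string, quotes and all
        }

        Console.WriteLine(IsValidProductId("42"));
        Console.WriteLine(IsValidProductId("42 OR 1=1"));
    }
}
```

Parameters fix injection because the driver sends the statement and the values separately; escaping quotes by hand does not, since it has to anticipate every encoding the database accepts. The whitelist regex is the right shape for query-string checks: it says what a product id is, not what an attack looks like.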


Storing Secrets

• In the .config file (plaintext by default, so protect the section or rely on the file ACL)
• In memory (the Application object)
• Use hashing (FormsAuthentication.HashPasswordForStoringInConfigFile)
  – Produces a single unsalted MD5 or SHA-1 digest: acceptable for one credential in web.config, too weak for a user password store, which needs a per-user salt
• Use the Data Protection API (DPAPI)
  – CryptProtectData
  – CryptUnprotectData
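An added example (not code from the slides or the cited book) that puts the three mechanisms side by side: the legacy unsalted hash the slide names, a salted and iterated hash that should replace it for user passwords, and DPAPI through the managed ProtectedData wrapper, which calls CryptProtectData/CryptUnprotectData underneath. The salt size, hash size and iteration count are assumed values; ProtectedData lives in System.Security.dll and FormsAuthentication in System.Web.dll, so both must be referenced.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;   // FormsAuthentication (System.Web.dll)

// Added example, not from the slides. SaltBytes/HashBytes/Iterations are
// assumed values.
public static class SecretStore
{
    // (1) Legacy: a single SHA-1 over the password, no salt. Two users with the
    // same password get the same digest, and precomputed tables apply directly.
    public static string LegacyHash(string password)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
    }

    // (2) Salted PBKDF2 (RFC 2898). Persist salt and hash, never the password.
    const int SaltBytes = 16, HashBytes = 32, Iterations = 10000;

    public static void CreateHash(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);            // per-user random salt
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        hash = kdf.GetBytes(HashBytes);
    }

    public static bool Verify(string password, byte[] salt, byte[] expected)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        byte[] actual = kdf.GetBytes(HashBytes);
        // Compare every byte regardless of where the first mismatch is, so the
        // time taken does not reveal how much of the hash was right.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // (3) DPAPI: the blob can only be decrypted on this machine (LocalMachine
    // scope) or by this user (CurrentUser scope). The application account can
    // read it back; a copied web.config or database dump cannot.
    public static byte[] Protect(string secret)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), null, DataProtectionScope.LocalMachine);
    }

    public static string Unprotect(byte[] blob)
    {
        return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, null, DataProtectionScope.LocalMachine));
    }

    public static void Main()
    {
        // Two users who chose the same password: the legacy digests are
        // identical, the salted hashes are not.
        Console.WriteLine(LegacyHash("P@ssw0rd"));
        Console.WriteLine(LegacyHash("P@ssw0rd"));

        byte[] salt1, hash1, salt2, hash2;
        CreateHash("P@ssw0rd", out salt1, out hash1);
        CreateHash("P@ssw0rd", out salt2, out hash2);
        Console.WriteLine(Convert.ToBase64String(hash1));
        Console.WriteLine(Convert.ToBase64String(hash2));
        Console.WriteLine(Verify("P@ssw0rd", salt1, hash1));   // correct password
        Console.WriteLine(Verify("p@ssw0rd", salt1, hash1));   // wrong password

        byte[] blob = Protect("Server=db1;Database=Members;Trusted_Connection=yes");
        Console.WriteLine(Unprotect(blob));
    }
}
```

With DataProtectionScope.LocalMachine any account on the same machine can call Unprotect on the blob, so either pass the optional entropy argument (a second secret the caller must know) or use CurrentUser scope under the application pool identity. Hashing is for values you only ever need to verify; DPAPI is for values you need back in clear, such as a connection string.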


Securing Database Access

• Keep the connection string in a component (DLL) rather than in page code
• COM+ object construction
  – Mark the ServicedComponent with [ConstructionEnabled(Default="connectionstring")] and override Construct(string): the string is then set by the COM+ administrator, not compiled into the page
• Use trusted connections
  – Trusted_Connection=yes
  – The current ASP.NET worker account (ASPNET) is used, so grant that account only the rights it needs
• Use stored procedures
  – WITH ENCRYPTION hides the procedure text in the catalog, but it is obfuscation only; it does not replace parameters and least privilege


Implementing Password Policies

• Set a minimum length
• Require mixed case (upper and lower)
• Require numbers and symbols
• Require periodic password updates
• Choose random passwords for users
  – E-mail the new password together with a change-password link, and force a change on first login
• Prevent brute-force attacks (lock the account, or add a delay, after repeated failures)
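The policy above as an added example (not code from the slides or the cited book): a complexity check for a chosen password, a random-password generator for e-mailed resets, and a per-account failure counter against brute force. The thresholds (8 characters, 5 failures, 15-minute lockout) are assumed values to be tuned per site.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not from the slides. MinLength, MaxFailures and Lockout are
// assumed values.
public static class PasswordPolicy
{
    public const int MinLength = 8;

    // Returns the rules the candidate violates; an empty list means accepted.
    public static List<string> Violations(string password)
    {
        List<string> problems = new List<string>();
        if (password == null || password.Length < MinLength)
        {
            problems.Add("shorter than " + MinLength + " characters");
            return problems;
        }
        bool upper = false, lower = false, digit = false, symbol = false;
        foreach (char c in password)
        {
            if (char.IsUpper(c)) upper = true;
            else if (char.IsLower(c)) lower = true;
            else if (char.IsDigit(c)) digit = true;
            else symbol = true;
        }
        if (!(upper && lower)) problems.Add("needs both upper and lower case");
        if (!digit) problems.Add("needs a digit");
        if (!symbol) problems.Add("needs a symbol");
        return problems;
    }

    // 64-symbol alphabet (0, O, o, 1, l and I left out so the password can be
    // read back from an e-mail). Exactly 64 symbols so that "& 63" selects
    // uniformly, with no modulo bias.
    const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%&*+";

    public static string RandomPassword(int length)
    {
        byte[] rnd = new byte[length];
        new RNGCryptoServiceProvider().GetBytes(rnd);   // CSPRNG, not System.Random
        char[] result = new char[length];
        for (int i = 0; i < length; i++) result[i] = Alphabet[rnd[i] & 63];
        return new string(result);
    }
}

// Brute-force defence: after MaxFailures wrong passwords the account is refused
// for Lockout, whatever password is offered. Keyed by account, so switching
// source address does not reset the counter.
public class LoginThrottle
{
    public const int MaxFailures = 5;
    public static readonly TimeSpan Lockout = TimeSpan.FromMinutes(15);

    class Entry { public int Failures; public DateTime LockedUntil; }
    readonly Dictionary<string, Entry> state =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    public bool IsLocked(string user, DateTime now)
    {
        Entry e;
        return state.TryGetValue(user, out e) && e.LockedUntil > now;
    }

    public void RecordFailure(string user, DateTime now)
    {
        Entry e;
        if (!state.TryGetValue(user, out e)) state[user] = e = new Entry();
        e.Failures++;
        if (e.Failures >= MaxFailures)
        {
            e.LockedUntil = now + Lockout;
            e.Failures = 0;
        }
    }

    public void RecordSuccess(string user)
    {
        state.Remove(user);
    }
}
```

Call IsLocked before checking the password and RecordFailure/RecordSuccess after it. A hard lockout is itself a denial-of-service lever against a known user name, so many sites prefer an increasing delay or a CAPTCHA after a few failures and reserve the lockout for a higher count. In a web farm the counter must live in the database, not in process memory as here.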


Impersonation

• Why?
  – Avoid granting privileges to the ASP.NET worker account
  – Let each user's actions be limited by that user's own privileges
• Configured with the identity element in web.config, or in code:
  – Disable: <identity impersonate="false" />
  – Enable: <identity impersonate="true" />
  – Code: call Impersonate() on a WindowsIdentity for one operation and undo it afterwards
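An added example (not code from the slides or the cited book) of the in-code form: the request runs as the worker-process account, and only the one file read runs as the caller. It assumes the site uses Windows authentication so that HttpContext.Current.User.Identity is a WindowsIdentity; the file path is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Added example, not from the slides. Assumes Windows authentication; the
// path passed in is a placeholder.
public static class ImpersonationDemo
{
    // Read a file as the calling user rather than as the worker-process account.
    // The using block guarantees Undo() even if the read throws, so the thread
    // never keeps the client's token beyond this one operation.
    public static string ReadAsCaller(string path)
    {
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new UnauthorizedAccessException("a Windows-authenticated caller is required");

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // The token in effect now is the caller's, so the file ACL decides.
            return File.ReadAllText(path);
        }
    }

    // The same read without impersonation runs as the process identity
    // (ASPNET on IIS 5, NETWORK SERVICE on IIS 6), which is why that account
    // would otherwise need read rights to every user's files.
    public static string ReadAsProcess(string path)
    {
        return File.ReadAllText(path);
    }

    // Whose token is on the current thread right now.
    public static string WhoAmI()
    {
        return WindowsIdentity.GetCurrent().Name;
    }
}
```

Impersonation is per thread: with impersonate="true" the whole request thread carries the caller's token, but work handed to the thread pool or run in a callback reverts to the process identity. Database connections opened under impersonation with Trusted_Connection=yes authenticate as the caller, so the database must grant each user, not the worker account.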


Validation in Depth

• Remember that user input is evil: validate every value on the server, not only in the browser
• Force the user to enter something (RequiredFieldValidator)
• Ensure that a value is within a range (RangeValidator)
• Check and compare values (CompareValidator)
• Match a pattern with the RegularExpressionValidator
• The validator controls emit client-side JavaScript that an attacker can simply skip, so always test Page.IsValid on the server before using the input
• To accept HTML in a textbox: set ValidateRequest="false" for that page only, and pass the value through Server.HtmlEncode before rendering it

Bina Nusantara References: ASP.NET 3.5 For DUMMIES(Ken Cox, 2008)

Using Login Controls

Bina Nusantara References: ASP.NET 3.5 Unleashed (Stephen Walther, 2008)


Using ASP.NET Membership

• Setting expiration

• Membership class
  – CreateUser: create a new user
  – DeleteUser: delete an existing user
  – FindUsersByEmail: retrieve all users who have a particular e-mail address
  – FindUsersByName: retrieve all users who have a particular user name
  – GeneratePassword: generate a random password
  – GetAllUsers: retrieve all users
  – GetNumberOfUsersOnline: retrieve a count of the users currently online
  – GetUser: retrieve a user by user name
  – GetUserNameByEmail: retrieve the user name for a user with a particular e-mail address
  – UpdateUser: update a user
  – ValidateUser: validate a user name and password
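The most used of those methods in an added example (not code from the slides or the cited book). It drives the Membership static class against whatever provider web.config selects (SqlMembershipProvider by default); the user names, passwords and e-mail addresses are sample values.

```csharp
using System;
using System.Web.Security;

// Added example, not from the slides. Sample user names and passwords only.
public static class MembershipDemo
{
    // CreateUser does not throw when the provider rejects the request; the
    // reason (DuplicateUserName, InvalidPassword, ...) comes back in the
    // status argument, so always read it.
    public static MembershipCreateStatus Register(string user, string password, string email)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(user, password, email, null, null, true, out status);
        return status;
    }

    // ValidateUser returns false for a wrong password, a locked-out user and an
    // unapproved user alike. Tell lockout apart internally (to alert an
    // administrator) but keep the client message generic, otherwise the login
    // page confirms which user names exist.
    public static string Login(string user, string password)
    {
        if (Membership.ValidateUser(user, password))
        {
            FormsAuthentication.SetAuthCookie(user, false);   // session cookie; no persistent ticket
            return "ok";
        }
        MembershipUser mu = Membership.GetUser(user);
        if (mu != null && mu.IsLockedOut)
            System.Diagnostics.Trace.WriteLine("lockout: " + user);   // too many failures in passwordAttemptWindow
        return "denied";
    }

    // Administrator action, after the owner has been verified out of band.
    public static bool Unlock(string user)
    {
        MembershipUser mu = Membership.GetUser(user);
        return mu != null && mu.UnlockUser();
    }

    // A reset password that satisfies the provider's own complexity settings
    // (minRequiredPasswordLength, minRequiredNonalphanumericCharacters).
    public static string TemporaryPassword()
    {
        return Membership.GeneratePassword(
            Math.Max(Membership.MinRequiredPasswordLength, 8),
            Membership.MinRequiredNonAlphanumericCharacters);
    }
}
```

Register("alice", "Str0ng!Pass", "alice@example.com") returns MembershipCreateStatus.Success on a fresh database and InvalidPassword when the password fails the provider's configured policy, which is where the password rules of the earlier slide are enforced for Membership users. The lockout counted by IsLockedOut comes from maxInvalidPasswordAttempts and passwordAttemptWindow on the provider element.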


Security Processing for Each Request

• ASP.NET synchronous pipeline events, in order:
  1. BeginRequest
  2. AuthenticateRequest
  3. PostAuthenticateRequest
  4. AuthorizeRequest
  5. PostAuthorizeRequest
  6. ResolveRequestCache
  7. PostResolveRequestCache
  8. PostMapRequestHandler
  9. AcquireRequestState
  10. PostAcquireRequestState
  11. PreRequestHandlerExecute
  12. (Handler execution) At this stage the selected handler executes the current request. The most familiar handler is the Page handler.
  13. PostRequestHandlerExecute
  14. ReleaseRequestState
  15. PostReleaseRequestState
  16. UpdateRequestCache
  17. PostUpdateRequestCache
  18. EndRequest

Bina Nusantara References: Professional ASP.NET 2.0 Security, Membership and Role Management (Stefan Schackow, 2006)

Configuring System Security

• The location element scopes a block of configuration to one part of the site
• Its path attribute can name:
  – A specific page, e.g. default.aspx
  – A specific folder, e.g. "subfolder"
  – A combined path, e.g. "subfolder/default.aspx" or "subfolder/sub1"
  – The combination of a website name and nested path information, e.g. "Default Web Site/subfolderA" (usable only in machine.config or the root web.config)


Configuring System Security (Continue…)

• Locking attributes, so that a lower-level web.config cannot override them (each takes a comma-separated list):
  – lockAttributes
  – lockElements
  – lockAllAttributesExcept
  – lockAllElementsExcept


A Matter of Trust

Trust Level   Used For
Full          Any and all code is allowed to run. Mainly intended for backwards compatibility with ASP.NET 1.0 and 1.1 applications that were not aware of how to use CAS or how to work with ASP.NET trust levels.
High          Among other restrictions, ASP.NET code cannot call into unmanaged Win32 APIs. A good first step for securing Internet-facing ASP.NET applications.
Medium        Intended as the default trust level for shared hosting environments where multiple untrusted customers use the same machine. Also recommended for any Internet-facing production application.
Low           A set of permissions suitable for applications such as SharePoint that provide their own sandboxed execution environment. Also useful for read-only applications that do not require network access to other backend servers.
Minimal       Locked-down web servers that allow only the bare minimum in your ASP.NET code. You will be able to add two numbers together and write out the result to a web page, but not much else.

A Matter of Trust (Continue…)

• Configuring trust: the trust element in web.config, with level set to Full, High, Medium, Low or Minimal. The shipped default is Full, so an Internet-facing site must lower it explicitly, and a hoster can prevent tenants from raising it again by placing the element inside a location with allowOverride="false".

Forms Authentication

• Tasks– During AuthenticateRequest, the FormsAuthenticationModule checks the validity of

the forms authentication ticket (carried in a cookie or in a cookieless format on the URL) if one exists. If a valid ticket is found, this results in a GenericPrincipal referencing a FormsIdentity as the value for HttpContext.Current.User. The actual information in the ticket is available as an instance of a FormsAuthenticationTicket off of the FormsIdentity.

– During AuthorizeRequest, other modules and logic such as the UrlAuthorizationModule attempt to authorize access to the currently requested URL. If an authenticated user was not created earlier by the FormsAuthenticationModule, any URL that requires some type of authenticated user will fail authorization. However, even if forms authentication created a user, authorization rules that require roles can still fail unless you have written custom logic to associate a FormsIdentity with a set of roles or used a feature like Role Manager that performs this association automatically.

– If authorization fails during AuthorizeRequest, the current request is short-circuited and immediately forwarded to the EndRequest phase of the pipeline. The FormsAuthenticationModule runs during EndRequest and if it detects that Response.StatusCode is set to 401, the module automatically redirects the current request to the login page that is configured for forms authentication (login.aspx by default).
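The stages described here, and in the pipeline list under "Security Processing for Each Request", as an added example (not code from the slides or the cited book): an IHttpModule that subscribes to PostAuthenticateRequest, AuthorizeRequest and EndRequest and shows what each stage can see and do. Register it with <httpModules><add name="AuthTrace" type="AuthTraceModule"/></httpModules> in web.config; the module name, the /admin/ path and the "Admin" role are assumed.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not from the slides. The /admin/ path and "Admin" role are
// assumed for illustration.
public class AuthTraceModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Runs after FormsAuthenticationModule's AuthenticateRequest handler, so
        // Context.User is either a GenericPrincipal over a FormsIdentity, or anonymous.
        app.PostAuthenticateRequest += delegate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            FormsIdentity id = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
            if (id == null)
            {
                ctx.Trace.Write("auth", "anonymous request");
                return;
            }
            FormsAuthenticationTicket ticket = id.Ticket;   // the decrypted, MAC-checked cookie payload
            ctx.Trace.Write("auth", "forms user " + ticket.Name + ", issued " + ticket.IssueDate
                                    + ", expires " + ticket.Expiration);
        };

        // Our own rule during AuthorizeRequest, beside UrlAuthorizationModule.
        app.AuthorizeRequest += delegate(object sender, EventArgs e)
        {
            HttpApplication a = (HttpApplication)sender;
            if (!IsAuthorized(a.Context.User, a.Request.Path))
            {
                a.Response.StatusCode = 401;   // the 401 is what FormsAuthenticationModule looks for in EndRequest
                a.CompleteRequest();           // short-circuit straight to EndRequest
            }
        };

        // By the time this fires, FormsAuthenticationModule's own EndRequest
        // handler (registered earlier in machine.config, so raised earlier) has
        // already turned a 401 into a redirect to the configured login page.
        app.EndRequest += delegate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            ctx.Trace.Write("auth", "final status " + ctx.Response.StatusCode
                                    + ", login page " + FormsAuthentication.LoginUrl);
        };
    }

    // Paths under /admin/ need an authenticated user in the Admin role. A bare
    // FormsIdentity carries no roles, so without Role Manager or custom role
    // logic IsInRole is always false and every admin request fails here.
    public static bool IsAuthorized(IPrincipal user, string path)
    {
        if (!path.StartsWith("/admin/", StringComparison.OrdinalIgnoreCase))
            return true;
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("Admin");
    }

    public void Dispose() { }
}
```

Two things worth noticing when this runs with tracing enabled: an expired or tampered ticket shows up as "anonymous request" rather than as an error, because the module silently discards it; and the 401 set in AuthorizeRequest never reaches the browser, since the redirect to the login page replaces it.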


Session State

• Session state is not equivalent to a logon session: the session ID is an unauthenticated identifier, so "has a session" must never be read as "is logged in"
• A forms ticket is signed (and optionally encrypted) with the machineKey, whereas any well-formed session ID is accepted and simply starts a new session; that is why the last row of the table differs

Security feature                                Forms Authentication   Session State
Control DNS domain of cookie                    Yes                    No
Control path of cookie                          Yes                    No
Require SSL for cookie                          Yes                    No
Information is shareable across applications    Yes                    No
Supports absolute expirations                   Yes                    No
A valid identifier can be easily forged         No                     Yes

Security for Pages and Compilation

• Request validation
  – Checked: form variables, query-string variables, the Cookie collection
  – The check rejects:
    • < followed by an exclamation point (<!)
    • < followed by a letter a through z (<a)
    • & followed by a pound sign (&#)
  – It is a safety net against markup injection, not a substitute for encoding output
• ViewState protection
  – Secured with the page attributes enableViewStateMac (a MAC keyed by machineKey; leave it on, since without it a client can alter ViewState) and viewStateEncryptionMode (encrypt when ViewState carries values the client must not read)

The Provider Model

• Why have providers?
  – Abstraction: the separation of functionality afforded by the device-driver model, while retaining the ability to write custom code
• Patterns found in the provider model
  – Strategy: encapsulates important pieces of a feature's functionality so that they can be swapped out for a different implementation
  – Factory method: separates the creation of certain classes from the feature that consumes them
  – Singleton: a single instance of each provider is created and shared
  – Façade: wraps complex details from multiple subsystems in an easy-to-use class or programming interface

Membership

• Membership classes:
  – Membership (the static entry point)
  – MembershipUser
  – MembershipProvider

SqlMembershipProvider

• Options:
  – connectionStringName
  – commandTimeout
• Default SqlProvider connection string: the provider is registered in machine.config with connectionStringName="LocalSqlServer", which points at a SQL Server Express aspnetdb.mdf under App_Data
• Changing the default connection string: in web.config, remove the LocalSqlServer entry from connectionStrings and add it back with your own string, or register your own provider with a different connectionStringName and make it the defaultProvider

Role Manager

• Roles class
  – Provider (the default provider)
  – Providers
  – ApplicationName
  – Enabled
  – CacheRolesInCookie
  – MaxCachedResults
• RolePrincipal class
  – GetRoles
  – IsInRole
  – ProviderName
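The Roles and RolePrincipal members above in an added example (not code from the slides or the cited book). It requires <roleManager enabled="true" /> in web.config; the role name "Admin" and the user "alice" are sample values.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the slides. "Admin" and "alice" are sample values.
public static class RoleDemo
{
    // One-time setup, e.g. from an administration page.
    public static void Setup()
    {
        if (!Roles.RoleExists("Admin")) Roles.CreateRole("Admin");
        if (!Roles.IsUserInRole("alice", "Admin")) Roles.AddUserToRole("alice", "Admin");
    }

    // Check for the current request. The single-argument IsUserInRole consults
    // HttpContext.Current.User, which RoleManagerModule replaced with a
    // RolePrincipal during PostAuthenticateRequest; the RolePrincipal wraps the
    // identity that forms authentication produced and adds the role lookup.
    public static bool CurrentUserMayAdminister()
    {
        return Roles.Enabled && Roles.IsUserInRole("Admin");
    }

    // All roles of the current user: from the role cookie if caching is on and
    // the cookie is still valid, otherwise from the configured provider.
    public static string[] CurrentRoles()
    {
        RolePrincipal rp = HttpContext.Current.User as RolePrincipal;
        return rp == null ? new string[0] : rp.GetRoles();
    }

    // Demotion. With cacheRolesInCookie="true" the old role list would live on
    // in the client's cookie until it expires, so throw the cookie away; the
    // next request rebuilds it from the provider.
    public static void Demote(string user)
    {
        Roles.RemoveUserFromRole(user, "Admin");
        if (Roles.CacheRolesInCookie) Roles.DeleteCookie();
    }
}
```

Roles.DeleteCookie only clears the cookie of the client making the current request; a demoted user logged in from another browser keeps the cached roles until cookieTimeout elapses. If demotion must take effect immediately everywhere, keep cookie caching off or set a short cookieTimeout.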


Role Manager (Continue…)

• RoleManagerModule tasks:– Early during the request lifecycle, it places a

RolePrincipal instance on HttpContext.Current.User if the Role Manager feature is enabled. This work occurs during the PostAuthenticateRequest event.

– At the end of a request, the module serializes the RolePrincipal into a cookie if cookie caching has been enabled for Role Manager. The module does this during the EndRequest event.


SqlRoleProvider

• Enable Role Manager: roleManager enabled="true" in web.config (it is off by default)
• SqlRoleProvider is the default data layer for Role Manager and uses the same aspnetdb database as SqlMembershipProvider


That's All
Thank You for Your Attention