ASP.NET security issues: Creating a secure Web application

Source: Internet
Author: User

To discuss a subject clearly we need some groundwork and a shared vocabulary. When we talk about OO, for example, we know it means object-oriented, and we know some of the characteristics of object orientation; someone who understands design patterns knows immediately what is meant on hearing "observer".

Here's a look at some of the concepts of security:

First, what is security?

We often talk about "implementing security" and "creating a secure system." Security has been defined in many ways, for example: security means ensuring that the system runs entirely in the way we want; security means preventing the system from running in ways we do not want... There are many definitions, but I don't know whether anyone has noticed that the definition of security we usually work with is very narrow. Why? We generally think of security like this: take certain measures (mainly in program code) to handle unexpected events while the program is running, or to prevent them from happening. But security is not just a matter of code, so there is more to consider when we talk about secure programming.

What is security

We cannot guarantee that a system is absolutely secure; no system can be 100% secure. Any definition of security is subject to many constraints. Let's start with an example.

We have all used bank ATMs. If someone picks up our card and wants to steal our money, he has to guess our password. If the password is only one digit long, the probability that the person holding the card guesses it on the first try is 1/10, and he needs at most 10 tries to steal our money (assuming unlimited guesses), so the security of the system is very poor. If the password is 2 digits long, there are 100 possible passwords, so the chance of guessing it on the first try is 1/100, on the second 1/99, on the third 1/98, and so on; the security of the system is still poor.

If the number of password attempts is limited to 3 and the password is 2 digits long, the probability of the password being guessed is greatly reduced:

The probability of guessing it on the first attempt is 1/100.

The probability of guessing it on the second attempt (having missed on the first) is (99/100) * (1/99) = 0.01

The probability of guessing it on the third attempt (having missed on the first two) is (99/100) * (98/99) * (1/98) = 0.01

The probability of guessing it within three attempts is: 0.01 + 0.01 + 0.01 = 0.03

So when we limit the number of attempts the system is more secure than before, but only a little better than before; the risk is still great.

To make the system more secure, we need to reduce the probability that the password can be guessed. We can approach this from two directions:

1. Reduce the number of password attempts allowed, for example by letting the user enter a password only once;

2. Increase the number of digits in the password, for example to 6 digits.

The probability that such a password is guessed is much smaller, the risk is much smaller too, and the security of the system has improved. That is why we say that "secure" and "insecure" are only relative concepts. The point of all this is: do not view security in absolute terms; whether a system is secure depends on our environment.
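The arithmetic above, generalised to any password length and attempt limit and checked against an actual lockout counter, as an added example that is not part of the original article. `guess_probability`, `PinVerifier` and `cards_broken` are hypothetical names, and the password is assumed to be chosen uniformly at random.

```python
import hmac
from fractions import Fraction


def guess_probability(digits: int, attempts: int) -> Fraction:
    """Chance that distinct guesses hit a uniformly random PIN within `attempts` tries.

    Built like the text: guess j happens only if the earlier ones missed,
    and then picks one of the candidates that are still left.
    """
    space = 10 ** digits
    total, all_missed = Fraction(0), Fraction(1)
    for j in range(min(attempts, space)):
        remaining = space - j
        total += all_missed * Fraction(1, remaining)
        all_missed *= Fraction(remaining - 1, remaining)
    return total


class PinVerifier:
    """Server-side PIN check that locks the card after `max_attempts` failures."""

    def __init__(self, pin: str, max_attempts: int = 3):
        self._pin = pin.encode()
        self._left = max_attempts

    def verify(self, guess: str) -> bool:
        if self._left <= 0:          # locked: reject even the correct PIN
            return False
        if hmac.compare_digest(self._pin, guess.encode()):
            return True
        self._left -= 1              # every failure counts against the limit
        return False


def cards_broken(digits: int, max_attempts: int) -> int:
    """Exhaustively count the PINs that sequential guessing (00, 01, ...) recovers."""
    space = 10 ** digits
    broken = 0
    for secret in range(space):
        card = PinVerifier(f"{secret:0{digits}d}", max_attempts)
        # Guessing continues past the limit; the lock makes those tries useless.
        if any(card.verify(f"{g:0{digits}d}") for g in range(space)):
            broken += 1
    return broken
```

For the 2-digit, 3-attempt case the exhaustive count and the formula agree on 3 in 100; with 6 digits the same limit gives 3 in 1,000,000.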

Before returning to the topic, let's agree on some terms:

A vulnerability is a characteristic of the system that may keep the application from running securely in the way we expect. Generally speaking, it is an undesirable characteristic of the system.

A threat is the possibility that the security of the system is broken through human wrongdoing.

An exploit is a way of taking advantage of a vulnerability.

The bottom line is this: vulnerabilities give rise to threats, and exploiting a vulnerability to carry out a threat is, in short, an attack.

II. Security issues in Web applications

First, let's look at attacks on the web. There are many types of attack. Some can be prevented with ASP.NET code, while others, such as direct attacks on the server, can still be disruptive. Here are some typical examples.

As we said earlier, an attack exploits a vulnerability of the system to carry out a certain threat. An attack can have many results, such as:

Unauthorized access: users gain more permissions than intended, so they can use the application in other ways, for example spreading political rhetoric if they obtain the webmaster's password.

Code execution: malicious code runs on the target system, which can lead to further threats, such as Trojans.

Denial of service: legitimate users are blocked from accessing the application.

Theft of information: confidential information is stolen.

Destruction of information: information is modified. For example, sites are altered to publish offensive messages and political rhetoric.

Let's take a look at some of the common vulnerabilities, how they are exploited, and the threats they pose.
