Security Solutions for ASP. NET Web applications

Source: Internet
Author: User
Tags sql injection attack

Asp.net Web Application Security Risks

1. major threats to the Assembly: unverified access, reverse engineering, code injection, program information obtained through exceptions, unaudited access.

2. security risks between the client and Web applications: code injection Cross-Site Scripting or buffer overflow attacks), network monitoring password and sensitive application data detection), parameter cracking form field, query string, Cookie, view status, HTTP header information), session status variable ID acquisition, Information Acquisition usually uses an exception ).

3. Security Risks between Web application clients and Enterprise Services: non-audit access, cracking configuration data, network monitoring, unrestricted proxy, and data replication.

4. Security Risks between Web service clients and their services: Unaudited access, parameter cracking, configuration data acquisition, network monitoring, and message reply.

5. Security Risks between Remoting clients and servers: Unaudited access, parameter cracking, serialization, and network monitoring.

6. security risks between the client and data: non-review access, SQL injection, detailed information on cracking data models and links, network monitoring, cracking configuration data, and cracking specific application data.

Considerations for asp.net Security Architecture

1. Authenticate the user in the browser;

2. protect sensitive data in the browser and firewall channels. 2) block parameter cracking. 3) block session attacks and Cookie reply attacks.

3. On the Web application side 1) provide security configuration 2) handle exceptions 3) Audit users 4) Verify Input

4. Application Server 1) Authenticate and review uploaded identities 2) review and record activities and transactions

5. protect sensitive data between application servers and databases

6. Encrypt Or hash sensitive data in the database

Asp.net Web Application Security Risk Prevention Measures

1. prevent Cross-Site Scripting attacks (Cross-Site Scripting Attack)

Attack method: attackers can input scripts or HTML content on the page to obtain sensitive data.

Threat index: 6

Attack result: the application is rejected or restarted, and the error stack information is obtained. ※the code is used to initiate the next attack.

※Note: If CustomErrors is not disabled in the asp.net configuration file, an error line code or database connection string may be displayed in case of a System exception, which may cause configuration data leakage, causing a risk.

Precaution: asp.net control verification or server-side input verification.

Client-side verification and server-side verification are used to verify user input. By comparing the consistency between the control input and Its HTML Decoding value, check whether the input string contains special HTML characters, this serves as a basis for converting special HTML characters to prevent the script from being triggered when the script is sent back.

2. Prevent SQL Injection attacks SQL Injection Attack)

Attack method: attacks that inject the input SQL text and return results by modifying the image input or URL parameters and taking advantage of the particularity of the SQL query conditions.

Threat index: 9

Attack results: Sensitive data can be queried and system data can be modified.

Preventive Measure: when data is updated and queried, convert the input parameters using the database parameter object or custom method to invalidate the injected SQL file.

3. Verify user input

Client-based verification and server-side verification are important when client-side Javascript is disabled)

Client verification is mainly used to verify the type, length, and Association of user input. This function is provided by the system extension control );

Server-side verification is divided into two parts:

1) input verification

For input verification, You need to verify the HTML special characters of the user's input text, and throw a system error if there are special characters. The length of data should be controlled as far as possible through the allowed input length of the control on the screen;

2) data verification

Verify the data type and length. This verification behavior is performed on the object.

4. Use the Hash algorithm to save the password

Use asp.net Membership to manage users. Use the Hash algorithm and Salt to encrypt user passwords, which is highly secure;

For other passwords to be saved, the system infrastructure provides the Hash Encryption Algorithm for non-reverse encryption, which is used as verification creden。, or is used first without being saved in data storage.

5. Data Security

1) Encrypt Sensitive data: the infrastructure should provide Hash encryption algorithms to support data encryption.

2) XML data security: prevents XML data attacks.

Attack methods: XPath injection and XXE extension XML Entity) injection attacks.

Threat index: 8

Attack result: Get XML file information.

Preventive Measure: Do not store sensitive information in XML. All sensitive information in configuration files must be encrypted and saved. Data to be written into XML must pass verification first.

3) ViewState Data Security: prevents sensitive data from being obtained from ViewState.

Attack method: obtain sensitive information by decoding ViewState.

Threat index: 6

Attack result: obtain sensitive information in ViewState.

Preventive Measure: Disable or avoid ViewState, and use simple controls to save sensitive information in encryption mode.

Association problems: handle sensitive data when using JSON strings.

6. Store security information to the Registry and configuration file

Controls the access permissions of remote users to the configuration file to protect sensitive data in the configuration file.

7. modify the configuration file before publishing

To prevent misstack information speculation and attack by other means of information discovery, the asp.net Web application should correct the configuration file before release.

Speculative attack of error stack information

Attack method: System exception occurs. The code on the error page is used to speculate on the next attack.

Threat index: 6

Attack result: speculative system version and code logic.

Preventive Measure: capture system exceptions and use the unified page for handling. This does not indicate the error stack information, set the custom error node to <mermerrors mode = "Off"/> to prevent the error message from being displayed to the remote user; disable the debug switch <compilation defaultLanguage = "vb" debug = "false"/> to prevent source code leakage or code injection by debugging information.

At the same time, we should disable Trace optimization performance and prevent attackers from using Trace to speculate on the Code Execution Process and details: <trace enabled = "false" requestLimit = "10" pageOutput = "false" traceMode = "SortByTime"/>

Web services should prevent remote users from using the WSDL description for speculative attacks.

Attack method: access the Web Service WSDL file to obtain information about the Web service.

Threat index: 4

Attack results: Obtain the Web service method description, speculate Web service parameters, and perform the next attack.

Preventive Measure: In the configuration file, specify the content that does not represent the Web method description. modify the configuration file as follows:

 
 
  1. < webServices>  
  2.  
  3. < protocols>  
  4.  
  5. < remove name="Documentation"/>  
  6.  
  7. < /protocols>  
  8.  
  9. < /webServices>  
  10.  

8. Use a Session but not a Cookieless Session

Cause: the Session of Cookieless will expose the SessionID in the URL, making it easy for others to attack.

9. Preventive Engineering

Attack method: Obtain the Assembly and use tools for reverse engineering.

Threat index: 9

Attack results: Understand Program Logic and steal development results.

Preventive Measure: perform strong encryption and obfuscation engineering at release.

The preceding section describes the Security Solutions for ASP. NET Web applications.

  1. Introduction to "three-layer structure" in ASP. NET
  2. 26 methods for optimizing ASP. NET performance
  3. Comparison of html controls and web controls in ASP. NET
  4. Object Description in ASP. NET
  5. Summary of Session common problems in ASP. NET

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.