Authenticating and Authorizing Users: Reading Notes for Web Security (2)

Source: Internet
Author: User
Tags: account security
Rejecting Hackers: ASP.NET Web Application Security, Chapter 2 security analysis

Major threats:

• Account hijacking: Taking over the accounts of legitimate users, sometimes even denying them access to their own accounts.

• Man-in-the-middle attack: Intercepting web communication in some way so that the attacker can read and modify the data transmitted between two systems.

• Phishing: A form of man-in-the-middle attack. The attacker tricks a legitimate user into entering a password on a forged email or web form that looks like the site's legitimate form.

• Unauthorized access: Accessing restricted content or data without the consent of the content owner.

• Information leakage: Information is exposed or cannot be protected; attackers can exploit it to compromise system security.

• Privilege escalation: Allows attackers to gain the access privileges of higher-level accounts.

• Sniffing: Using a network monitoring utility to intercept passwords or other sensitive information transmitted over the network.

2.2 Authenticating users

2.2.1 Building the login form

Conclusion: The login form should protect user credentials and defend against attacks.

Threats: account hijacking, information leakage, SQL injection, cross-site scripting

Security policy:

• Always transmit login credentials over an SSL connection

• Use the HTTP POST method to send form data

• Always validate form input

• Do not rely on hidden form fields to transmit data: the client can modify them, and sensitive information may be exposed.

• Do not reveal too much information in the login failure error message

2.2.2 Using Forms authentication

Summary: Insecure Forms authentication settings can weaken web application security.

Threats: account hijacking and information leakage

Tip:

User passwords stored in Web.config should be hashed with MD5 or SHA-1 from the outset, but such hashes can still be cracked by dictionary or brute-force attacks. Tool: Cain & Abel, at www.oxid.it/cain.html.

Non-ASP.NET resources

Most ASP.NET security features only protect ASP.NET resources, so additional measures must be taken to protect non-ASP.NET files. To do this, use IIS 5 or IIS 6 to map those resources to the ASP.NET ISAPI filter.

For example, in IIS 5:

1. In Internet Services Manager, select the properties of the application to be configured.

2. On the "Home Directory" tab, click the "Configuration" button.

3. On the "App Mappings" tab, click the "Add" button.

4. Click the "Browse" button and navigate to the .NET ISAPI filter (generally located at C:\winnt\Microsoft.NET\Framework\<version>\aspnet_isapi.dll).

5. Enter the extension to map to ASP.NET, or enter ".*" to map all extensions.

Note: adding a wildcard application mapping makes ASP.NET process all file extensions. Most static content works normally; however, check any existing mappings to other applications (such as Perl or ColdFusion). Wildcard mapping may affect server performance, depending on the type of content in the web directory. ASP.NET has a special handler for static content, but you should test the website's performance under the new mapping.

Security policy:

• Never use passwordFormat="Clear" on a production system or deployment

• Understand the risks of storing plaintext credentials in the Web.config file

• When Forms authentication is used, take additional measures to protect files that ASP.NET does not process

• Carefully plan the authentication cookie to limit exposure to hijacking.
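The 2.2.1 and 2.2.2 policies above, applied in one login handler as an added example (this is not code from the book or from these notes). txtUser, txtPassword and lblMessage are assumed page controls; UserStore and StoredCredential (Salt and Hash as byte[]) are a hypothetical user store holding salted PBKDF2 hashes rather than the unsalted MD5/SHA-1 that Web.config credentials support.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Web.Security;
using System.Web.UI;
// Added example (not the book's code): Login.aspx code-behind applying the 2.2.1/2.2.2
// policies. txtUser, txtPassword, lblMessage are assumed page controls; UserStore and
// StoredCredential (Salt, Hash as byte[]) are a hypothetical salted-hash user store.
public partial class Login : Page
{
    const int Iterations = 10000; // PBKDF2 work factor
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Credentials only over SSL and only via POST (never in a query string).
        if (!Request.IsSecureConnection || Request.HttpMethod != "POST")
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }
        string user = (txtUser.Text ?? "").Trim();
        string pass = txtPassword.Text ?? "";
        // Validate before any data access: length limits and a strict character set.
        bool valid = user.Length > 0 && user.Length <= 64 && pass.Length <= 128
                     && Regex.IsMatch(user, @"^[A-Za-z0-9_.@-]+$");
        StoredCredential cred = valid ? UserStore.Find(user) : null;
        // Salted, iterated hash instead of the unsalted MD5/SHA-1 of <credentials>.
        if (cred != null && SlowEquals(Pbkdf2(pass, cred.Salt), cred.Hash))
        {
            FormsAuthentication.RedirectFromLoginPage(user, false);
            return;
        }
        // Same message for bad input, unknown user and wrong password: no enumeration.
        lblMessage.Text = "Login failed.";
    }
    static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }
    // Constant-time comparison so timing does not leak how many bytes matched.
    static bool SlowEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because FormsAuthentication.Authenticate only understands Clear, MD5 and SHA1, the salted hash is verified in code and the ticket is then issued with RedirectFromLoginPage.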

2.2.3 Using Windows authentication

Summary: Windows authentication can be secure, but only after proper configuration.

Threats: account hijacking, man-in-the-middle, and information leakage

Tip:

ASP.NET provides native support for the IIS authentication methods, called Windows authentication. IIS provides four standard authentication methods:

  • Basic authentication

  • Digest authentication

  • Integrated Windows authentication

  • Client certificate mapping

Blocking Basic authentication that is not over SSL (an HTTP module):

    using System;
    using System.Web;
    using System.Security.Principal;

    namespace HttpAuthModules
    {
        public class AuthenticationModule : IHttpModule
        {
            public AuthenticationModule()
            {
            }

            public void Init(HttpApplication httpApp)
            {
                // Register the event handler with the Application object.
                httpApp.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
            }

            private void AuthenticateRequest(object obj, EventArgs ea)
            {
                HttpApplication objApp = (HttpApplication)obj;
                HttpContext objContext = objApp.Context;

                // Deny access if the user is using Basic authentication without SSL.
                // (User can be null for an anonymous request, so check it first.)
                if (objApp.User != null &&
                    objApp.User.Identity.AuthenticationType == "Basic" &&
                    !objContext.Request.IsSecureConnection)
                {
                    objContext.Response.StatusCode = 403;
                    objApp.Response.End();
                }
            }

            public void Dispose()
            {
            }
        }
    }

Security policy:

• Always require SSL on every page that uses Basic authentication

• Use separate realms for protected and unprotected content

• Use Integrated Windows authentication in intranet environments wherever possible

• Prevent privileged accounts from authenticating to the web application, to block brute-force attacks against them

2.2.4 Using Passport authentication

Summary: Passport authentication has many advantages, but you must be aware of the risks it brings.

Threat: account hijacking

Security policy:

• Avoid using Passport on websites that store sensitive financial and personal information

• If you use Passport, consider implementing additional methods to authenticate the user

2.2.5 Blocking brute-force attacks

Conclusion: Brute-force attacks cannot be completely blocked, but their effectiveness can be limited.

Threats: account hijacking, denial of service, resource starvation

Tools: Combomania (launches brute-force attacks against adult websites): www.securibox.net/phpbb2/dload.php?action=viewall

Password verification delay (minSeconds and maxSeconds are integer fields configured elsewhere in the module; Thread requires System.Threading):

    private void AuthenticateRequest(object obj, EventArgs ea)
    {
        HttpApplication objApp = (HttpApplication)obj;

        // If the user identity is not blank, pause for a random amount of time
        // so that each guess costs the attacker between minSeconds and maxSeconds.
        if (objApp.User != null && objApp.User.Identity.Name != "")
        {
            Random rand = new Random();
            Thread.Sleep(rand.Next(minSeconds, maxSeconds) * 1000);
        }
    }

Conditions that indicate a brute-force attack or account abuse:

• Multiple login failures from the same IP address

• Logins using multiple usernames from the same IP address

• Logins to the same account from multiple different IP addresses

• Excessive bandwidth usage and consumption during a single session

• Failed login attempts that use usernames and passwords in sequential alphabetical order

• Logins whose referring URL is someone's email or an IRC client

• Referring URLs in the format http://user:password@www.example.com/login.htm

• For protected adult websites, referring URLs from sites known for password sharing

• Logins using suspicious passwords commonly used by hackers, for example ownsyou (ownzyou), washere (waxhere), zealots, hacksyou and similar passwords (see www.securibox.net/phpbb2/viewtopic.php?t=8563)
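Four of the indicators above turned into detection logic, as an added example that is not from the book: an in-memory tracker that is fed each login event and reports which conditions the event triggers. The thresholds, the 10-minute window and the LoginEvent shape are constructed for illustration and will need tuning per site.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Added example, not from the book: an in-memory tracker that applies four of the
// indicators above to a stream of login events. Thresholds and the 10-minute window are
// constructed starting points, not recommendations from the page.
public class LoginEvent
{
    public string Ip; public string User; public bool Success; public DateTime At;
}
public class AbuseDetector
{
    const int FailuresPerIp = 5, UsersPerIp = 3, IpsPerUser = 3;
    static readonly TimeSpan Window = TimeSpan.FromMinutes(10);
    readonly List<LoginEvent> _events = new List<LoginEvent>();

    // Records one event; returns the indicators it triggers (empty list = nothing).
    public List<string> Observe(LoginEvent e)
    {
        _events.Add(e);
        var recent = _events.Where(x => e.At - x.At <= Window).ToList();
        var fromIp = recent.Where(x => x.Ip == e.Ip).ToList();
        var forUser = recent.Where(x => x.User == e.User).ToList();
        var hits = new List<string>();
        if (fromIp.Count(x => !x.Success) >= FailuresPerIp)
            hits.Add("multiple logon failures from one IP");
        if (fromIp.Select(x => x.User).Distinct().Count() >= UsersPerIp)
            hits.Add("multiple usernames from one IP");
        if (forUser.Select(x => x.Ip).Distinct().Count() >= IpsPerUser)
            hits.Add("one account from multiple IPs");
        // Sequential usernames: the last three failed names from this IP ascend
        // strictly in ordinal order (adam, alice, bob), as a wordlist walk would.
        var failedNames = fromIp.Where(x => !x.Success).Select(x => x.User).ToList();
        if (failedNames.Count >= 3 && IsStrictlyAscending(failedNames.Skip(failedNames.Count - 3)))
            hits.Add("sequential usernames");
        return hits;
    }

    static bool IsStrictlyAscending(IEnumerable<string> names)
    {
        var list = names.ToList();
        for (int i = 1; i < list.Count; i++)
            if (string.CompareOrdinal(list[i - 1], list[i]) >= 0) return false;
        return true;
    }
}
```

Call Observe from the login failure and success paths; a non-empty result is the trigger for the policies that follow (delays, CAPTCHA, IP blocking, secret question), with the proxy caveat below applying to the per-IP rules.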

Security policy:

• Use an account lockout policy only in a controlled environment, or where the risk of account compromise outweighs the risk of the lockout policy being used for a DoS attack

• Insert random delays during authentication to mitigate brute-force attacks

• Consider blocking IP addresses with multiple login failures, but consider the impact of blocking a proxy shared by many clients.

• Vary the response to failed and successful password verification

• After multiple failed logins, require the user to answer a secret question.

• Provide a user-configurable option to restrict logins to the account to specific IP addresses

• Use unique login URLs for users in different regions

• Use CAPTCHA to prevent automated attacks

• If an attack is suspected, restrict the account's functionality.

2.3 Authorizing users

2.3.1 Determining how to authorize

Conclusion: A defense-in-depth authorization policy is the basis of reliable application security

Threats: unauthorized access and privilege escalation

Authentication method | Principal object  | Identity object  | Credentials                                               | Roles
----------------------|-------------------|------------------|-----------------------------------------------------------|----------------------------------------
Forms                 | GenericPrincipal  | FormsIdentity    | Stored in Web.config or in custom authentication code     | Created with custom code
Windows               | GenericPrincipal  | WindowsIdentity  | Provided by the underlying operating system or domain     | Windows or Active Directory groups
Passport              | GenericPrincipal  | PassportIdentity | .NET Passport                                             | Custom user groups built on Passport

ASP.NET offers several role-based authorization methods:

• URL authorization

• User-based declarative security

• User-based imperative security

• Explicit role checks

Security policy:

• Lay the foundation for strong authorization early in application design

• Develop a solid role-based authorization solution

• Use resource-based authorization to strengthen role-based authorization

• Always combine multiple role-based and resource-based authorization checks

2.3.2 Using file authorization

Summary: File authorization provides a layered, fine-grained security method

Threats: unauthorized access, privilege escalation

Security policy:

• Always set NTFS permissions on restricted web content files, even if you are not using Windows authentication and file authorization

• Use file authorization to implement resource-based and role-based security

• Apply application-specific, fine-grained NTFS permissions to strengthen application security

• Only allow users read access to web content

2.3.3 Applying URL authorization

URL authorization is a mechanism for controlling access based on the user, role, resource, or HTTP verb used. Because it works on the principal associated with the request, it takes effect under any form of authentication. It also lets you set limits on unauthenticated users.

Security policy:

• Use URL authorization to restrict access to website resources

• Use the verbs attribute or HttpMethodNotAllowedHandler to block unused HTTP verbs

• Use HttpForbiddenHandler or HttpNotFoundHandler to block every user's access to specific files

2.3.4 Authorizing users through code

This can be implemented in three ways:

• Declarative authorization

• Imperative authorization

• Explicit authorization

Security policy:

• Use declarative, imperative, and explicit role checks to provide multi-layer authorization

• If you use the .NET Framework, implement robust declarative authorization
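The three code-based styles and their layering, as an added example that is not from the book: a hypothetical ReportService guarded declaratively, imperatively and explicitly, plus a caller that maps the resulting SecurityException to 403. The roles "Admin" and "Auditor-<region>" and the service methods are assumed; PrincipalPermission reads Thread.CurrentPrincipal, which ASP.NET sets from HttpContext.User after authentication.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web;
// Added example, not from the book: the three code-based authorization styles applied
// to a hypothetical report service. Roles "Admin" and "Auditor-<region>" and the methods
// are assumed; PrincipalPermission reads Thread.CurrentPrincipal, which ASP.NET sets
// from HttpContext.Current.User after authentication.
public class ReportService
{
    // 1. Declarative: the runtime demands the role before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public void DeleteAllReports() { /* privileged work */ }

    // 2. Imperative: same demand, but built in code so the role can be computed.
    public void ExportReport(string region)
    {
        var perm = new PrincipalPermission(null, "Auditor-" + region);
        perm.Demand(); // throws SecurityException if the caller lacks the role
        // ... export ...
    }

    // 3. Explicit: branch on role membership instead of throwing; this is also where
    //    resource-based checks fit (an auditor may only read their own region).
    public bool CanViewReport(IPrincipal user, string reportRegion)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        if (user.IsInRole("Admin")) return true;
        return user.IsInRole("Auditor-" + reportRegion);
    }
}
// Layering all three, as the policy recommends: an explicit check per item, the
// imperative demand inside the service, and SecurityException mapped to 403, not 500.
public static class AuthorizationDemo
{
    public static int Run(HttpContext ctx, ReportService svc, string region)
    {
        try
        {
            Thread.CurrentPrincipal = ctx.User;        // keep both principals in step
            if (!svc.CanViewReport(ctx.User, region)) return 403;
            svc.ExportReport(region);
            return 200;
        }
        catch (SecurityException) { return 403; }
    }
}
```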
