Rejecting Hackers: ASP.NET Web Applications, Chapter 2: Security Analysis
Major threats:
Ø Account hijacking: taking over the accounts of legitimate users, and sometimes even denying them access to their own accounts.
Ø Man-in-the-middle attack: intercepting web communication in some way, which lets an attacker read and modify the data transmitted between two systems.
Ø Phishing: a form of man-in-the-middle attack. The attacker tricks a legitimate user into entering a password into a forged e-mail or web form that resembles a legitimate form on the site.
Ø Unauthorized access: access to restricted content and data without the consent of the content owner.
Ø Information leakage: related information is exposed or cannot be protected; attackers can exploit this information to compromise system security.
Ø Privilege escalation: allows an attacker to gain the access privileges of a higher-level account.
Ø Sniffing: using a network monitoring utility to intercept passwords or other sensitive information transmitted over the network.
2.2 Authenticating users
2.2.1 Building the logon form
Summary: the logon form should protect user credentials and resist attack.
Threats: account hijacking, information leakage, SQL injection, cross-site scripting
Security policy:
Ø Always transmit logon credentials over an SSL connection
Ø Use the HTTP POST method to send form data
Ø Always validate form input
Ø Do not rely on hidden form fields to transmit data, because the client can modify them and they may expose sensitive information.
Ø Do not disclose too much information in the logon failure error message
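A logon handler that applies the five policies above, written here as an added example (not code from the book). It assumes a Web Forms page Login.aspx with the controls UserNameBox, PasswordBox and MessageLabel, a connection string named "Users" in Web.config, and a Users table whose PasswordHash column holds SHA-1 hex hashes produced by FormsAuthentication.HashPasswordForStoringInConfigFile; all of these names are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.Security;
using System.Web.UI;
// Code-behind for an assumed Login.aspx whose markup declares the controls
// UserNameBox, PasswordBox and MessageLabel (all assumed). Applies the policies above.
public partial class Login : Page
{
    // Letters, digits, dot, underscore and hyphen only; 3 to 32 characters.
    private static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9._-]{3,32}$");

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameBox.Text.Trim();
        string password = PasswordBox.Text;
        // Credentials are accepted only over SSL, only in a POST body, and only
        // when they match the expected shape; nothing is read from hidden fields.
        if (!Request.IsSecureConnection || Request.HttpMethod != "POST"
            || !UserNamePattern.IsMatch(userName)
            || password.Length == 0 || password.Length > 128)
        {
            ShowFailure();
            return;
        }
        // Hash the submission the same way the stored value was hashed (SHA-1 hex).
        string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
        // Parameterized query: user input never becomes part of the SQL text.
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @u AND PasswordHash = @h";
        string connStr = ConfigurationManager.ConnectionStrings["Users"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 32).Value = userName;
            cmd.Parameters.Add("@h", SqlDbType.Char, 40).Value = hash;
            conn.Open();
            if ((int)cmd.ExecuteScalar() == 1)
            {
                FormsAuthentication.RedirectFromLoginPage(userName, false); // no persistent cookie
                return;
            }
        }
        ShowFailure();
    }

    // Same message for a wrong user name and a wrong password: no hint about which accounts exist.
    private void ShowFailure() { MessageLabel.Text = "Login failed."; }
}
```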
2.2.2 Using Forms authentication
Summary: insecure Forms authentication settings can weaken web application security
Threats: account hijacking and information leakage
Tip:
User passwords stored in Web.config should be hashed with MD5 or SHA-1 from the outset (passwordFormat), but such hashes can still be recovered by dictionary or brute-force attack. Tool: Cain & Abel, at www.oxid.it/cain.html.
Protecting non-ASP.NET resources: most ASP.NET security features protect only ASP.NET resources, so additional measures must be taken to protect non-ASP.NET files. To do this, use IIS 5 or IIS 6 to map these resources to the ASP.NET ISAPI filter. For example, in IIS 5:
1. In Internet Services Manager, open the properties of the application to be configured.
2. On the "Home Directory" tab, click the "Configuration" button.
3. On the "App Mappings" tab, click the "Add" button.
4. Click the "Browse" button and locate the .NET ISAPI filter (generally located at C:\winnt\Microsoft.NET\framework\<version>\aspnet_isapi.dll).
5. Enter the extension to map to ASP.NET, or enter ".*" to map all extensions.
Note: adding a wildcard application mapping makes ASP.NET process all file extensions. Most static content keeps working normally; however, this affects extensions mapped to other applications (such as Perl or ColdFusion). Wildcard mapping may also affect server performance, depending on the content type of the web directory. ASP.NET has a special handler for static content, but the running web site's performance should still be tested.
Security policy:
Ø Never use passwordFormat="Clear" on a production system or deployment
Ø Understand the risks of storing plaintext credentials in the Web.config file
Ø When Forms authentication is used, take additional measures to protect files that ASP.NET does not process
Ø Carefully plan the authentication cookie to limit its exposure to hijacking.
2.2.3 Using Windows authentication
Summary: Windows authentication can be secure, but only after proper configuration.
Threats: account hijacking, man-in-the-middle, and information leakage
Tip:
ASP.NET supports the native IIS authentication methods, collectively called Windows authentication. IIS provides four standard authentication methods:
  - Basic authentication
  - Digest authentication
  - Integrated Windows authentication
  - Client certificate mapping
Blocking Basic authentication that is not used over SSL (an HttpModule):

using System;
using System.Web;
using System.Security.Principal;

namespace HttpAuthModules
{
    public class AuthenticationModule : IHttpModule
    {
        public AuthenticationModule()
        {
        }

        public void Init(HttpApplication httpApp)
        {
            // Register the event handler with the Application object.
            httpApp.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
        }

        private void AuthenticateRequest(object obj, EventArgs ea)
        {
            HttpApplication objApp = (HttpApplication)obj;
            HttpContext objContext = objApp.Context;

            // Deny access if the user is using Basic authentication without SSL.
            // (User is null when no authentication has taken place yet.)
            if (objApp.User != null &&
                objApp.User.Identity.AuthenticationType == "Basic" &&
                objContext.Request.IsSecureConnection == false)
            {
                objContext.Response.StatusCode = 403;
                objApp.Response.End();
            }
        }

        public void Dispose()
        {
        }
    }
}
Security policy:
Ø Always require SSL on every page that uses Basic authentication
Ø Use separate realms for protected and unprotected content
Ø Prefer Integrated Windows authentication in intranet environments
Ø Prevent privileged users from authenticating, to block brute-force attacks against their accounts
2.2.4 Using Passport authentication
Summary: Passport authentication has many advantages, but you must be aware of the risks it brings.
Threat: account hijacking
Security policy:
Ø Avoid using Passport on web sites that store sensitive financial and personal information
Ø If you do use Passport, consider implementing additional methods of verifying the user
2.2.5 Blocking brute-force attacks
Summary: brute-force attacks cannot be blocked completely, but their effectiveness can be limited.
Threats: account hijacking, denial of service, resource starvation
Tool: Combomania (launches brute-force attacks against adult web sites):
www.securibox.net/phpbb2/dload.php?action=viewall
Password verification delay (the module's AuthenticateRequest handler; requires using System.Threading;):

// Bounds of the random pause, in seconds (values chosen for this example).
private int minSeconds = 1;
private int maxSeconds = 3;

private void AuthenticateRequest(object obj, EventArgs ea)
{
    HttpApplication objApp = (HttpApplication)obj;
    HttpContext objContext = objApp.Context;

    // If the user identity is not blank, pause for a random amount of time.
    if (objApp.User != null && objApp.User.Identity.Name != "")
    {
        Random rand = new Random();
        Thread.Sleep(rand.Next(minSeconds, maxSeconds) * 1000);
    }
}
Conditions that indicate a brute-force attack or account abuse:
Ø Multiple logon failures from the same IP address
Ø Logons with multiple user names from the same IP address
Ø Logons to the same account from multiple different IP addresses
Ø Excessive bandwidth usage and consumption during a single session
Ø Failed logon attempts that use sequential user names and passwords in alphabetical order
Ø Logons whose referring URL is someone's e-mail or an IRC client
Ø Referring URLs in the http://user:password@www.example.com/login.htm format
Ø For protected adult web sites, referring URLs from sites known to share passwords
Ø Logons using passwords commonly used by computer hackers, for example ownsyou (ownzyou), washere (waxhere), zealots, hacksyou and similar passwords (see www.securibox.net/phpbb2/viewtopic.php?t=8563)
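Several of the conditions above can be checked automatically over logon audit records. The following is an added example (not from the book) that runs those checks over constructed sample lines; the record layout, the thresholds and the sample data are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Checks logon audit records for several of the indicators listed above.
// Record layout (timestamp, client IP, account, result, Referer) and thresholds are assumptions.
static class BruteForceIndicators
{
    // Constructed sample data, not taken from any real system.
    public static readonly string[] SampleLog =
    {
        "2024-05-01T10:00:01 203.0.113.7 aaron FAIL -",
        "2024-05-01T10:00:02 203.0.113.7 abbey FAIL -",
        "2024-05-01T10:00:03 203.0.113.7 abel FAIL -",
        "2024-05-01T10:00:04 203.0.113.7 adam FAIL -",
        "2024-05-01T10:00:05 203.0.113.7 admin FAIL -",
        "2024-05-01T10:01:00 198.51.100.2 bob OK -",
        "2024-05-01T10:02:00 198.51.100.3 bob OK -",
        "2024-05-01T10:03:00 198.51.100.4 bob OK http://bob:secret@www.example.com/login.htm",
    };

    // Returns one finding per condition that fires.
    public static List<string> Evaluate(IEnumerable<string> lines)
    {
        var entries = lines.Select(l => l.Split(' '))
            .Select(f => (Ip: f[1], User: f[2], Result: f[3], Referer: f[4])).ToList();
        var findings = new List<string>();
        foreach (var byIp in entries.Where(e => e.Result == "FAIL").GroupBy(e => e.Ip))
        {
            var users = byIp.Select(e => e.User).ToList();
            int distinct = users.Distinct().Count();
            if (users.Count >= 5) findings.Add($"{byIp.Key}: {users.Count} failed logons");
            if (distinct >= 3) findings.Add($"{byIp.Key}: {distinct} different user names tried");
            // Failures arriving in alphabetical order point to a scripted word list.
            if (users.Count >= 3 && users.SequenceEqual(users.OrderBy(u => u, StringComparer.Ordinal)))
                findings.Add($"{byIp.Key}: failed user names are in alphabetical order");
        }
        foreach (var byUser in entries.GroupBy(e => e.User))
        {
            int ips = byUser.Select(e => e.Ip).Distinct().Count();
            if (ips >= 3) findings.Add($"{byUser.Key}: logons from {ips} different IP addresses");
        }
        // A Referer of the form http://user:password@host/... carries credentials in the URL.
        foreach (var e in entries)
            if (Uri.TryCreate(e.Referer, UriKind.Absolute, out Uri u) && u.UserInfo.Contains(":"))
                findings.Add($"{e.Ip}: Referer URL embeds user:password credentials");
        return findings;
    }

    static void Main() { foreach (string f in Evaluate(SampleLog)) Console.WriteLine(f); }
}
```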
Security policy:
Ø Use an account lockout policy only in a controlled environment, or where the risk of account compromise outweighs the risk of the denial-of-service attacks that a lockout policy makes possible
Ø Insert a random delay during authentication to slow brute-force attacks
Ø Consider blocking IP addresses with multiple logon failures, but consider the impact of blocking a proxy shared by many clients.
Ø Vary the response to failed and successful password verification
Ø After multiple failed logons, require the user to answer a secret question.
Ø Give users the option of restricting logon to their account to specific IP addresses
Ø Use unique logon URLs for users in different regions
Ø Use CAPTCHAs to prevent automated attacks
Ø If an attack is suspected, restrict the account's functions.
2.3 Authorizing users
2.3.1 Deciding how to authorize
Summary: a thorough authorization policy is the foundation of reliable application security
Threats: unauthorized access and privilege escalation
Authentication method | Principal object | Identity object | Credentials | Roles
Forms | GenericPrincipal | FormsIdentity | Stored in Web.config or in custom authentication code | Created with custom code
Windows | GenericPrincipal | WindowsIdentity | Provided by the underlying operating system or domain | Windows or Active Directory groups
Passport | GenericPrincipal | PassportIdentity | .NET Passport | User groups created on the basis of Passport
ASP.NET offers several role-based authorization methods:
Ø URL authorization
Ø User-based declarative security
Ø User-based imperative security
Ø Explicit role checks
Security policy:
Ø Lay the foundation for strong authorization early in application design
Ø Develop a solid role-based authorization solution
Ø Use resource-based authorization to strengthen role-based authorization
Ø Always use both role-based and resource-based authorization
2.3.2 Using file authorization
Summary: file authorization provides a layered, fine-grained security method
Threats: unauthorized access, privilege escalation
Security policy:
Ø Always set NTFS permissions on restricted web content files, even if you are not using Windows authentication and file authorization
Ø Use file authorization to implement resource-based and role-based security
Ø Use application-specific, detailed NTFS permissions to enhance application security
Ø Allow users only read access to web content
2.3.3 Applying URL authorization
URL authorization is a mechanism for controlling access by user, role, resource or the HTTP verb used. Because URL authorization is based on the principal associated with the request, it works with any form of authentication. It also lets you set limits on unauthenticated users.
Security policy:
Ø Use URL authorization to restrict access to web site resources
Ø Use the verb attribute or HttpMethodNotAllowedHandler to block unused HTTP verbs
Ø Use HttpForbiddenHandler or HttpNotFoundHandler to block every user's access to specific files
2.3.4 Authorizing users through code
You can implement this in three ways:
Ø Declarative authorization
Ø Imperative authorization
Ø Explicit authorization
Security policy:
Ø Use declarative, imperative and explicit role checks to provide multi-layer authorization
Ø If you use the .NET Framework, implement robust declarative authorization
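The three code-based styles layered over one resource, as an added example (not code from the book): the ReportService class, the role names and the report identifiers are assumptions. Demand() checks Thread.CurrentPrincipal, which the ASP.NET runtime sets from the authenticated request's user; the console Main sets it by hand so the example runs stand-alone.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: the three code-based authorization styles layered over one
// resource. Class, role names and report identifiers are assumptions.
public static class ReportService
{
    // 1. Declarative: the runtime demands the role before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string RunManagementReport(string reportId)
    {
        return "management report " + reportId;
    }

    // 2. Imperative: demand the role at the point where it matters.
    public static string RunAuditReport(string reportId)
    {
        new PrincipalPermission(null, "Auditor").Demand(); // throws SecurityException otherwise
        return "audit report " + reportId;
    }

    // 3. Explicit role check combined with a resource-based rule.
    public static bool CanViewReport(IPrincipal user, string ownerName)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        // Owners may see their own report; only Managers may see everyone's.
        return user.IsInRole("Manager")
            || string.Equals(user.Identity.Name, ownerName, StringComparison.OrdinalIgnoreCase);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed principal: authenticated user "alice" holding only the "Auditor" role.
        // Demand() consults Thread.CurrentPrincipal; in ASP.NET the runtime sets it from HttpContext.User.
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Auditor" });
        Thread.CurrentPrincipal = alice;
        Console.WriteLine(ReportService.RunAuditReport("Q1"));
        Console.WriteLine(ReportService.CanViewReport(alice, "alice"));
        Console.WriteLine(ReportService.CanViewReport(alice, "bob"));
        try { ReportService.RunManagementReport("Q1"); }
        catch (SecurityException) { Console.WriteLine("Manager role required"); }
    }
}
```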