Code Audit Fast Track
Establishing User Credentials
Enforcing Strong Passwords
Does the application allow for and enforce strong passwords?
Does the application require both a username and password?
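The two questions above can be turned into a concrete server-side check. The following Python is an added example, not code from the original checklist: it requires both a username and a password, and rejects passwords that are too short, appear on a common-password list, contain the username, or have almost no distinct characters. The minimum length, the maximum length and the tiny common-password set are assumptions constructed for the example.

```python
import unicodedata

# Constructed, deliberately tiny stand-in for a breached/common-password list;
# a real deployment checks against a large corpus of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}

MIN_LENGTH = 12   # assumed policy value
MAX_LENGTH = 128  # bound input size so slow password hashing cannot be abused with huge inputs


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode inputs are treated as the same password."""
    return unicodedata.normalize("NFKC", password)


def policy_violations(username: str, password: str) -> list[str]:
    """Return every rule the candidate password breaks; an empty list means it is acceptable."""
    pw = normalize(password)
    lowered = pw.lower()
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if len(username) >= 4 and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) <= 2:   # e.g. "aaaaaaaaaaaa" or "abababababab"
        problems.append("uses too few distinct characters")
    return problems


def validate_credentials(username: str, password: str) -> list[str]:
    """Enforce that both a username and a password are supplied, then apply the password policy."""
    if not username.strip():
        return ["a username is required"]
    if not password:
        return ["a password is required"]
    return policy_violations(username, password)
```

The check returns every violation rather than stopping at the first, so the user can be told exactly what to fix; the common-password lookup is the control with the most real-world value, since length rules alone do not stop "password1234".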
Avoiding Easily Guessed Credentials
Does the application avoid using sequential user account numbers?
Do account numbers or usernames follow predictable patterns?
Do customer service personnel select passwords for users rather than users selecting their own?
Does the system create default passwords?
Preventing Credential Harvesting
Do account numbers or usernames follow predictable patterns?
Are identifiable account numbers or usernames passed as query strings on URLs?
Do account numbers or usernames unnecessarily appear on HTML pages?
Limiting Idle Accounts
Does the system have large numbers of idle accounts?
Is it possible to determine another user’s account activity?
Are users notified via e-mail after major account changes?
Managing Passwords
Storing Passwords
Are password hashes rather than actual passwords stored?
Are password hashes stored using well-established hashing algorithms?
Can encryption keys be easily changed?
Do password hashes use random salts?
Password Aging and Password Histories
Does the application allow for password aging and do passwords expire after a set amount of time?
Does the application enforce password histories to prevent users from reusing passwords?
Changing Passwords
Is it convenient for users to change their passwords?
Are users reminded to regularly change their passwords?
Does the password change process require the previous password?
Does the system confirm password changes via e-mail?
Does the system expire all active sessions after changing passwords?
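The Storing Passwords, Password Histories and Changing Passwords questions above all concern one credential store, so one added example serves all three. The Python below is not code from the original checklist: it stores only salted PBKDF2-HMAC-SHA256 digests with a random per-user salt, verifies in constant time, requires the previous password before a change, refuses reuse of the last few passwords, and revokes every active session once the password changes. The iteration count, history depth and the in-memory store are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed; matches current OWASP guidance for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 5            # assumed: how many previous passwords a user may not reuse


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so response timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of old passwords
    sessions: set[str] = field(default_factory=set)                    # active session tokens


class CredentialStore:
    """Minimal in-memory store; a real system would persist accounts and sessions."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a new session token on success, None otherwise."""
        acct = self.accounts.get(username)
        if acct is None or not verify_password(password, acct.salt, acct.digest):
            return None
        token = secrets.token_urlsafe(32)
        acct.sessions.add(token)
        return token

    def session_valid(self, username: str, token: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and token in acct.sessions

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        acct = self.accounts.get(username)
        # Require the previous password so a hijacked session alone cannot take over the account.
        if acct is None or not verify_password(old_password, acct.salt, acct.digest):
            return False
        # Password history: reject the current password and the last HISTORY_DEPTH ones.
        for salt, digest in [(acct.salt, acct.digest), *acct.history]:
            if verify_password(new_password, salt, digest):
                return False
        acct.history = [(acct.salt, acct.digest), *acct.history][:HISTORY_DEPTH]
        acct.salt, acct.digest = hash_password(new_password)
        # Expire every active session; the user must log in again with the new password.
        acct.sessions.clear()
        return True
```

Because each old password keeps its own salt, history checks rehash the candidate under every stored salt rather than comparing digests directly; that is what makes a per-user random salt and a reuse check compatible.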
Resetting Lost or Forgotten Passwords
Resetting Passwords
Does the system allow only password resets, rather than retrieval?
Does the system require users to answer secret or other questions to reset the password?
Does the system send an e-mail to confirm the password change?
Sending Information Via E-Mail
Does the system avoid sending sensitive information via e-mail?
Assigning Temporary Passwords
If using temporary passwords, does the system use a strong random password algorithm?
If your system uses temporary passwords, do they have a short expiration period?
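As an added example for the two temporary-password questions (not code from the original checklist), the Python below generates temporary passwords from the operating system's CSPRNG via the secrets module, keeps only a hash of each one server side, and makes every temporary password both short-lived and single-use. The alphabet, the 16-character length and the 15-minute lifetime are assumptions chosen for the example; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

# Alphabet drops characters that are easily confused when read from an e-mail or over the phone.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
TEMP_PASSWORD_LENGTH = 16          # assumed; 16 * log2(57) is roughly 93 bits of entropy
TEMP_PASSWORD_TTL_SECONDS = 15 * 60  # assumed short expiration window


def generate_temporary_password() -> str:
    """Every character comes from secrets.choice (CSPRNG), never from the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TEMP_PASSWORD_LENGTH))


def _fingerprint(temp_password: str) -> bytes:
    # A plain SHA-256 is adequate here because the value is a high-entropy random token,
    # not a human-chosen password; a slow KDF buys nothing against a ~93-bit search space.
    return hashlib.sha256(temp_password.encode("utf-8")).digest()


@dataclass
class TemporaryCredential:
    username: str
    fingerprint: bytes
    expires_at: float
    used: bool = False


class TemporaryPasswordIssuer:
    def __init__(self) -> None:
        self.pending: dict[str, TemporaryCredential] = {}

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a single-use temporary password; only its hash is kept server side."""
        now = time.time() if now is None else now
        temp = generate_temporary_password()
        self.pending[username] = TemporaryCredential(
            username, _fingerprint(temp), now + TEMP_PASSWORD_TTL_SECONDS
        )
        return temp  # delivered to the user out of band; never stored in clear

    def redeem(self, username: str, temp_password: str, now: Optional[float] = None) -> bool:
        """Accept the temporary password once, and only inside its expiration window."""
        now = time.time() if now is None else now
        cred = self.pending.get(username)
        if cred is None or cred.used or now > cred.expires_at:
            return False
        if not hmac.compare_digest(cred.fingerprint, _fingerprint(temp_password)):
            return False
        cred.used = True  # single use: a second redemption, even within the window, fails
        return True
```

A successful redemption should immediately force the user into the normal password-change flow; the issuer above only answers whether the temporary password was valid.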
Using Secret Questions
Are secret questions treated as password equivalents?
Do the secret questions have a great number of possible answers?
Does the system avoid secret questions with common answers?
Does the system prevent users from setting their own secret questions?
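The four secret-question checks above amount to treating the answer as a password equivalent. The following Python is an added example, not code from the original checklist: questions come only from a fixed catalogue (so users cannot write their own), answers are normalized before use so trivial formatting differences do not lock the user out, answers that are too short or on a common-answer list are refused, and the stored form is a salted scrypt digest compared in constant time. The catalogue, the minimum answer length and the common-answer set are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Fixed catalogue (constructed): users choose a question id; free-text questions are rejected.
QUESTION_CATALOGUE = {
    "q1": "What was the name of your first pet?",
    "q2": "What was the street name of your childhood home?",
}
MIN_ANSWER_LENGTH = 4                             # assumed: "dog", "red" are too easy to guess
COMMON_ANSWERS = {"dog", "cat", "none", "blue", "red"}  # constructed stand-in for a real list

# scrypt parameters (assumed): n=2**14, r=8 needs 16 MB, under hashlib's default memory cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize_answer(answer: str) -> str:
    """Case-fold and strip accents, punctuation and whitespace so 'Mr. Fluffy' == ' mr fluffy '."""
    text = unicodedata.normalize("NFKD", answer).casefold()
    return re.sub(r"[\W_]", "", text)  # combining accent marks are non-word characters and drop out


def acceptable(question_id: str, answer: str) -> bool:
    """Enrollment policy: catalogued question only, answer long enough and not a common value."""
    norm = normalize_answer(answer)
    return question_id in QUESTION_CATALOGUE and len(norm) >= MIN_ANSWER_LENGTH and norm not in COMMON_ANSWERS


def _digest(norm_answer: str, salt: bytes) -> bytes:
    return hashlib.scrypt(norm_answer.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


class SecretQuestionStore:
    def __init__(self) -> None:
        # username -> (question_id, salt, digest); the answer itself is never stored
        self.enrolled: dict[str, tuple[str, bytes, bytes]] = {}

    def enroll(self, username: str, question_id: str, answer: str) -> None:
        if not acceptable(question_id, answer):
            raise ValueError("question not in catalogue, or answer too short or too common")
        salt = os.urandom(16)
        self.enrolled[username] = (question_id, salt, _digest(normalize_answer(answer), salt))

    def question_for(self, username: str) -> str:
        question_id, _, _ = self.enrolled[username]
        return QUESTION_CATALOGUE[question_id]

    def verify(self, username: str, answer: str) -> bool:
        rec = self.enrolled.get(username)
        if rec is None:
            return False
        _, salt, digest = rec
        return hmac.compare_digest(_digest(normalize_answer(answer), salt), digest)
```

Normalization is deliberately applied at enrollment and at verification, so the stored digest is of the canonical form and a later answer only has to match it after the same canonicalization.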
Empowering Users
Educating Users
Is a help page available to educate users on security?
Does the Web site provide other methods to educate users?
Involving Users
Are users able to view a history of transactions and events related to their account?
Are users able to view a history of account logins, including dates, times, and IP addresses?
Do users have an easy and intuitive way to report security incidents?
Can advanced users customize their security options?
Are users able to revoke or delete unused accounts?