Coding Standards Fast Track
Authenticating Users
Building Login Forms
Always use SSL for transmitting user credentials.
Always use the HTTP POST method for transmitting user credentials.
Validate all form input, and never use it to build SQL strings (use parameterized queries) or write it back to a page without HTML encoding; input validation alone does not stop SQL injection or cross-site scripting.
Do not rely on hidden form fields to transfer sensitive data.
Use the same error message for failed username or failed password; do not reveal any other information in an error message.
Using Forms Authentication
If possible, keep authenticated users on an SSL connection to prevent cookie hijacking; in ASP.NET 1.1 and later set requireSSL="true" on the <forms> element so the authentication cookie is never sent over plain HTTP.
Avoid storing credentials in the web.config file; if you must, store password hashes (passwordFormat="MD5" or "SHA1"), never clear text, and remember that these are fast, unsalted hashes that offer only limited protection if the file is disclosed.
Configure the site so that all protected resources are handled by ASP.NET using wildcard application mappings; otherwise IIS serves files with non-ASP.NET extensions (.html, .txt, .xml, and so on) directly, bypassing forms authentication and URL authorization.
Using Windows Authentication
Always use SSL with basic authentication: the browser sends the credentials, merely Base64-encoded, with every request.
Isolate protected and unprotected content and use unique realms for each.
Protect privileged accounts (such as Administrator) from brute-force attacks by preventing them from authenticating to the web site at all, for example by denying them the right to log on over the network.
Using Passport Authentication
Use the strongest security settings available when using Passport authentication.
Blocking Brute-Force Attacks
Carefully consider the benefits and risks of an account lockout policy.
Insert random delays in the authentication process to slow brute-force attacks.
Vary the responses to failed logins (and, where practical, to successful ones) by randomizing the HTTP status code and error text, so that automated tools cannot tell success from failure by simple pattern matching; never vary them in a way that reveals whether the username or the password was wrong.
Ask users to answer their secret questions after seeing multiple failed logins.
Provide advanced users the option to limit account login to specific IP addresses.
Use unique login URLs for different blocks of users.
Consider using a CAPTCHA after a predefined number of failed logins.
Provide the capability to selectively limit features or temporarily suspend an account without having to completely shut down a user.
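The following code-behind for a login page is an added example, not code from the original text: it combines the rules above (SSL and POST only, one generic error message, a cryptographically random delay on every attempt, a failure counter per username, and a CAPTCHA after a threshold) in one ASP.NET 2.0 handler. The control names (UserName, Password, CaptchaAnswer, ErrorLabel), the thresholds, the session key for the CAPTCHA answer and the use of Membership.ValidateUser are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web;
using System.Web.Caching;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical login.aspx with TextBox controls named
// UserName, Password and CaptchaAnswer and a Label named ErrorLabel.
public partial class Login : Page
{
    // Thresholds chosen for this example, not taken from the original text.
    const int CaptchaAfterFailures = 3;      // require a CAPTCHA after this many failures
    const int FailureWindowMinutes = 15;     // how long a failure counts against a username
    const int MaxRandomDelayMs = 2000;       // upper bound of the random delay per attempt
    const string GenericError = "Login failed. Check your username and password.";

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Credentials must arrive over SSL and by POST only.
        if (!Request.IsSecureConnection || Request.HttpMethod != "POST")
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        string userName = UserName.Text.Trim();
        string password = Password.Text;

        // After repeated failures for this username, also demand a CAPTCHA.
        // This slows an attacker without locking the real user out.
        if (FailureCount(userName) >= CaptchaAfterFailures && !CaptchaIsValid(CaptchaAnswer.Text))
        {
            ShowFailure(userName);
            return;
        }

        // Slow every attempt by an unpredictable delay before checking the password.
        RandomDelay();

        // Membership.ValidateUser is the ASP.NET 2.0 provider API (assumption);
        // substitute your own credential check if you are not using providers.
        if (Membership.ValidateUser(userName, password))
        {
            Cache.Remove(FailureKey(userName));
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            ShowFailure(userName);
        }
    }

    void ShowFailure(string userName)
    {
        RecordFailure(userName);
        // Same message whether the username or the password was wrong.
        ErrorLabel.Text = GenericError;
    }

    static string FailureKey(string userName)
    {
        return "login-failures:" + userName.ToLowerInvariant();
    }

    // Failure counter kept in the application cache. It is per process and
    // lost on recycle; a shared store is needed for a web farm.
    int FailureCount(string userName)
    {
        object count = Cache[FailureKey(userName)];
        return count == null ? 0 : (int)count;
    }

    void RecordFailure(string userName)
    {
        int count = FailureCount(userName) + 1;
        // Absolute expiration: the counter resets after the window regardless of activity.
        Cache.Insert(FailureKey(userName), count, null,
                     DateTime.Now.AddMinutes(FailureWindowMinutes), Cache.NoSlidingExpiration);
    }

    static void RandomDelay()
    {
        byte[] bytes = new byte[2];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        int ms = BitConverter.ToUInt16(bytes, 0) % MaxRandomDelayMs;
        Thread.Sleep(ms);
    }

    // Compares the answer against the challenge stored in session state by the
    // CAPTCHA control; the session key is an assumption for this example.
    bool CaptchaIsValid(string answer)
    {
        object expected = Session["captcha-answer"];
        return expected != null &&
               string.Equals((string)expected, answer.Trim(), StringComparison.OrdinalIgnoreCase);
    }
}
```

Because the counter is keyed by username rather than by client address, an attacker who hammers one account only makes that account require a CAPTCHA; it is never fully locked, which is the trade-off the lockout-policy rule above asks you to weigh.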
Authorizing Users
Deciding How to Authorize
Build the application around well-defined security roles.
Set strict file ACLs and other authorization limits from the start of development, so that the application is built and tested against the restrictions it will run under in production rather than having them bolted on at the end.
Employing File Authorization
Set restricted NTFS permissions on Web content files, even if you’re not using Windows authentication and file authorization.
Use file authorization to implement both resource-based and role-based security.
Apply specific and detailed NTFS permissions to increase application security.
Applying URL Authorization
For protected content, always start the authorization section with <deny users="?"/> so anonymous requests are rejected before any allow rule is considered.
End the authorization section with <deny users="*"/> or <allow users="*"/>: rules are evaluated in order and the first match wins, and the machine-level default is to allow everyone, so an explicit final rule stops requests from falling through to that default.
If an allow element carries a verbs attribute, always follow it with a deny element; the allow matches only the listed verbs, and any other verb falls through to later rules or the permissive default.
Map file types that should never be served (backups, include files, data files) to HttpForbiddenHandler or HttpNotFoundHandler in <httpHandlers> to block everyone's access to them.
Carefully plan the web.config hierarchy to avoid unintentionally allowing access to files.
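The web.config fragment below is an added example, not taken from the original text, that ties together the "Using Forms Authentication" and "Applying URL Authorization" rules: a forms cookie that requires SSL, a (discouraged) credentials element storing a hash rather than clear text, handler mappings that block backup and include files, and an authorization section that starts by denying anonymous users, follows a verb-limited allow with a deny, and ends with an explicit deny. The cookie name, the path "admin", the role "Admin", the file extensions and the sample user are assumptions.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL marks the cookie secure so it never travels over plain HTTP (ASP.NET 1.1+) -->
      <forms name=".SITEAUTH" loginUrl="login.aspx" protection="All"
             requireSSL="true" timeout="20">
        <!-- Avoid storing credentials here. If you must, store a hash, never clear text.
             The value below is SHA1("password") for a sample user; note that an unsalted
             hash of a weak password is found instantly in a lookup table. -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"/>
        </credentials>
      </forms>
    </authentication>

    <httpHandlers>
      <!-- Nobody should ever download these; ASP.NET refuses them before authorization runs.
           Only works for extensions mapped to ASP.NET (or a wildcard mapping) in IIS. -->
      <add verb="*" path="*.bak" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.inc" type="System.Web.HttpForbiddenHandler"/>
      <add verb="*" path="*.old" type="System.Web.HttpNotFoundHandler"/>
    </httpHandlers>
  </system.web>

  <!-- Protected area. Rules are evaluated top to bottom; first match wins. -->
  <location path="admin">
    <system.web>
      <authorization>
        <!-- 1. Anonymous users are rejected before any allow rule is considered -->
        <deny users="?"/>
        <!-- 2. Admins may GET and POST only ... -->
        <allow roles="Admin" verbs="GET,POST"/>
        <!-- 3. ... so every other verb, and every other user, must be denied explicitly;
                without this line an Admin HEAD or DEBUG request falls through to the
                machine-level default, which allows everyone -->
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

Put the <location> element in the application root web.config rather than a web.config inside the admin folder when you can: the hierarchy is then visible in one file, which makes the last rule above (careful planning of the web.config hierarchy) easier to review.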
Authorizing Users Through Code
Use declarative, imperative, and explicit role checks to provide multiple layers of authorization.
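The class below is an added example, not code from the original text, showing the three layers the rule describes in one method: a declarative PrincipalPermission attribute for the coarse role, an imperative Demand for a rule that depends on runtime data, and an explicit IsInRole check for a resource-based condition. The role names, the amount threshold and the department naming convention are assumptions. PrincipalPermission checks Thread.CurrentPrincipal, which ASP.NET sets from HttpContext.Current.User once the request is authenticated, so the same code works under Windows or forms authentication with roles.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical business object; role names and threshold are assumptions.
public class OrderApproval
{
    const decimal ManagerApprovalThreshold = 10000m;

    // Layer 1, declarative: the runtime demands the "Clerk" role before the
    // body runs. A caller without it gets a SecurityException and never
    // reaches the code below.
    [PrincipalPermission(SecurityAction.Demand, Role = "Clerk")]
    public bool Approve(int orderId, decimal amount, string orderDepartment)
    {
        // Layer 2, imperative: this rule depends on the amount, which an
        // attribute cannot express. Large orders additionally need "Manager".
        if (amount > ManagerApprovalThreshold)
        {
            new PrincipalPermission(null, "Manager").Demand();
        }

        // Layer 3, explicit: a resource-based check. A clerk may only approve
        // orders for their own department, modelled here (assumption) as a
        // role named "<department>-Clerk". Managers are exempt.
        IPrincipal user = Thread.CurrentPrincipal;
        if (!user.IsInRole("Manager") && !user.IsInRole(orderDepartment + "-Clerk"))
        {
            throw new SecurityException(
                "User " + user.Identity.Name + " may not approve orders for " + orderDepartment);
        }

        // ... record the approval of orderId here ...
        return true;
    }

    // Outside ASP.NET (a unit test or console check) install a principal by
    // hand so all three layers can be exercised. Returns true if the call
    // was authorized, false if any layer rejected it.
    public static bool TryApproveAs(string name, string[] roles,
                                    int orderId, decimal amount, string department)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
        try
        {
            return new OrderApproval().Approve(orderId, amount, department);
        }
        catch (SecurityException)
        {
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = saved;
        }
    }

    static void Main()
    {
        // Sample identities constructed for the example.
        Console.WriteLine(TryApproveAs("bob", new[] { "Clerk", "Sales-Clerk" }, 1, 500m, "Sales"));      // True
        Console.WriteLine(TryApproveAs("bob", new[] { "Clerk", "Sales-Clerk" }, 2, 500m, "Finance"));    // False: wrong department
        Console.WriteLine(TryApproveAs("bob", new[] { "Clerk", "Sales-Clerk" }, 3, 50000m, "Sales"));    // False: needs Manager
        Console.WriteLine(TryApproveAs("eve", new string[0], 4, 500m, "Sales"));                         // False: not a Clerk
        Console.WriteLine(TryApproveAs("ann", new[] { "Clerk", "Manager" }, 5, 50000m, "Finance"));      // True
    }
}
```

Each layer catches a different mistake: the attribute protects against the method being called from a new code path that forgot to check, the imperative demand handles data-dependent rules, and the explicit check enforces ownership that roles alone cannot express. Keep URL authorization and file ACLs in place as well; the code-level checks are the last line, not the only one.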