Hacking the Code ASP.NET Web Application Security [Electronic resources] - Text version


James C. Foster, Mark M. Burnett

Code Audit Fast Track

Maintaining State

Designing a Secure Token

- Is the token tightly bound to the user’s session?
- Does the server transmit the token to the client in a secure manner?
- Does the application use a sufficiently large keyspace?
- Does the application use a strong random-number generator for tokens?
- Will the system accept any token provided by the client?
- Is it possible for a user to manipulate the token to hop to another account?
- Does the token identify the client?
- Does the token properly limit its scope?
- Does the token have both relative and absolute timeouts?
- Does the client store the token after the session ends?
- Does the user have the option to terminate a session?
- Does the application create new tokens for each login?

Selecting a Token Mechanism

- Does the application use a secure mechanism for transferring cookies?
- Does the application use HttpOnly tokens with Internet Explorer clients?
- Does the application use SSL when appropriate?

Using State Providers

- If you’re not using the ASP.NET Session State service, is the service disabled?
- If you’re using the ASP.NET Session State service, does the system use a nonstandard port?
- If you’re using the ASP.NET Session State service, does the system use appropriate controls to limit access to the service port?
- Does the web.config file contain encrypted session state connection strings created with aspnet_setreg.exe?
- Does the application avoid cookieless tokens?
- Does the application use short cookie timeouts?
Using ASP.NET Tokens

Using Cookies

- Does the code set a specific domain and path on all cookies?
- Does the code check the domain and path on incoming cookies to block cookies with the incorrect scope?
- Does the application set the appropriate cookie expiration properties?
- Does the application mark cookies as secure when they’re sent over SSL connections?
- Does the application avoid saving sensitive information in cookies?
- Does the application encrypt all data stored in cookies?
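The cookie questions above, worked into code as an added example (this is not the book's code): one helper issues a scoped, encrypted session cookie and another validates the incoming one. It assumes .NET Framework 2.0 or later (for HttpCookie.HttpOnly) and uses FormsAuthentication.Encrypt so the payload is encrypted and MAC'd with the machineKey; the cookie name, domain and path are placeholder values. Because browsers do not echo the Domain and Path attributes back to the server, the scope check compares the request host and path and the path recorded inside the encrypted ticket.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the book: issue and validate a session cookie that
// follows the "Using Cookies" checklist. Assumes .NET Framework 2.0 or later.
public static class SecureCookie
{
    // Placeholder values for this example.
    const string CookieName = "APPSESSION";
    const string CookieDomain = "www.example.com";
    const string CookiePath = "/app";
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    // Issue the cookie. Only a session reference goes into it; nothing
    // sensitive is stored client-side, and the payload is encrypted and
    // MAC'd with the machineKey by FormsAuthentication.Encrypt.
    public static void Issue(HttpRequest request, HttpResponse response,
                             string userName, string sessionReference)
    {
        // DateTime.Now, because FormsAuthenticationTicket.Expired compares against local time.
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(Lifetime), false, sessionReference, CookiePath);

        HttpCookie cookie = new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Domain = CookieDomain;                 // explicit scope, never the default
        cookie.Path = CookiePath;
        cookie.HttpOnly = true;                       // script cannot read it (IE 6 SP1 and later)
        cookie.Secure = request.IsSecureConnection;   // SSL-only when issued over SSL
        // No Expires: a non-persistent cookie the browser drops when it closes.
        // The ticket's own expiration is the server-side limit.
        response.Cookies.Add(cookie);
    }

    // Validate the incoming cookie. Browsers do not echo the Domain and Path
    // attributes, so scope is checked against the request and against the
    // path recorded inside the encrypted ticket.
    public static FormsAuthenticationTicket Read(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null) return null;
        if (!string.Equals(request.Url.Host, CookieDomain, StringComparison.OrdinalIgnoreCase))
            return null;
        if (!request.Path.StartsWith(CookiePath, StringComparison.OrdinalIgnoreCase))
            return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }           // tampered or malformed value
        if (ticket == null || ticket.Expired) return null;
        if (ticket.CookiePath != CookiePath) return null;
        return ticket;
    }
}
```

Call Issue from the login handler and Read at the start of each protected request; a null from Read means the cookie is missing, out of scope, expired or fails the machineKey validation, and the request should be treated as unauthenticated.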

Working with View State

- Does the application disable View State on pages where it is not used?
- Does the application enable the View State MAC when using View State?
- Does the machineKey element in the machine.config file use 3DES as the validation method?
- Does the application set a unique View State user key for each user?
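As an added example (not the book's code), a base page that applies the View State items that can be enforced in code: it sets a per-user ViewStateUserKey before view state is loaded and refuses to run a page whose directive has turned the MAC off. It assumes .NET Framework 1.1 or later (ViewStateUserKey) and a session that already holds data; the EnableViewState page directive and the machineKey validation setting are configuration, noted in the comments rather than shown as code.

```csharp
using System;
using System.Web.UI;

// Added example, not from the book: a base page that applies the
// "Working with View State" checklist. Assumes .NET Framework 1.1 or later.
// Configuration that belongs alongside it (not code, so only noted here):
//   <%@ Page EnableViewState="false" %> on pages that do not use view state,
//   and validation="3DES" on the machineKey element in machine.config, as
//   the checklist requires.
public class SecureBasePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey must be set before view state is loaded, which is
        // why this lives in OnInit rather than Page_Load. Tying it to the
        // session ID makes a view state blob captured in one session fail
        // MAC validation when replayed in another.
        // Caveat: ASP.NET issues a fresh session ID on every request until
        // something is stored in Session, so store a value at login or the
        // key changes between postbacks and validation fails.
        if (Context.Session != null)
            ViewStateUserKey = Session.SessionID;

        // The MAC is on by default; refuse to serve a page whose directive
        // turned it off.
        if (!EnableViewStateMac)
            throw new InvalidOperationException(
                "EnableViewStateMac must not be disabled on " + Request.Path);

        base.OnInit(e);
    }
}
```

Pages derive from SecureBasePage instead of System.Web.UI.Page; the check on EnableViewStateMac turns a silently weakened page into a deployment-time error that shows up in testing.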

Enhancing ASP.NET State Management

Creating Tokens

- Does the application use a strong random-number generator for session tokens?
- Does the application ensure the authenticity of the session token?
- Does the system use the IsolateApps setting to ensure unique keys between applications?
- Does the application use client variables to tightly bind to the client session?

Terminating Sessions

- Does the application use absolute timeouts in addition to idle timeouts to enforce a maximum token age?
- Does the application use hit counters to limit the use of any one token?
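The token questions under Designing a Secure Token, Creating Tokens and Terminating Sessions, worked through as one added example (not the book's code): a token built from a cryptographically random identifier, an HMAC so the server accepts only tokens it issued, a binding to client attributes, idle and absolute timeouts, a hit counter and an explicit terminate. It assumes .NET Framework 2.0 or later (HMACSHA256, generics); the MAC key, the in-process store and the limits are placeholders for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example, not from the book: an opaque session token with a strong
// random identifier, an HMAC so only server-issued tokens are accepted, a
// client binding, idle and absolute timeouts and a hit counter.
public class TokenRecord
{
    public string UserName;
    public string ClientBinding;        // hash of client attributes captured at login
    public DateTime Created, LastSeen;  // absolute and idle timeout reference points
    public int Hits;                    // hit counter
}

public static class TokenManager
{
    static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);
    static readonly TimeSpan AbsoluteTimeout = TimeSpan.FromHours(8);
    const int MaxHits = 10000;
    // Placeholder key generated at startup; a deployment loads it from protected configuration.
    static readonly byte[] MacKey = NewRandomBytes(32);
    // In-process store for the example; a real application uses its session-state provider.
    static readonly Dictionary<string, TokenRecord> Store = new Dictionary<string, TokenRecord>();

    static byte[] NewRandomBytes(int count)
    {
        byte[] buffer = new byte[count];
        new RNGCryptoServiceProvider().GetBytes(buffer);  // cryptographic RNG, not System.Random
        return buffer;
    }

    // A fresh token for every login; the previous one is never reused.
    public static string Create(string userName, HttpRequest request)
    {
        byte[] id = NewRandomBytes(16);                   // 128-bit keyspace
        string idText = Convert.ToBase64String(id);
        TokenRecord rec = new TokenRecord();
        rec.UserName = userName;
        rec.ClientBinding = ClientBinding(request);
        rec.Created = rec.LastSeen = DateTime.UtcNow;
        lock (Store) { Store[idText] = rec; }
        return idText + "." + Convert.ToBase64String(Mac(id));
    }

    // Returns the record for a genuine, live token bound to this client, else null.
    public static TokenRecord Validate(string token, HttpRequest request)
    {
        if (token == null) return null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] id, mac;
        try { id = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(Mac(id), mac)) return null;  // not issued by this server
        lock (Store)
        {
            TokenRecord rec;
            if (!Store.TryGetValue(parts[0], out rec)) return null;  // terminated or never issued
            DateTime now = DateTime.UtcNow;
            bool dead = now - rec.LastSeen > IdleTimeout
                     || now - rec.Created > AbsoluteTimeout
                     || rec.Hits >= MaxHits
                     || rec.ClientBinding != ClientBinding(request);
            if (dead) { Store.Remove(parts[0]); return null; }
            rec.LastSeen = now;
            rec.Hits++;
            return rec;
        }
    }

    // Explicit logout: drop the server-side record so the token is dead even if the client keeps it.
    public static void Terminate(string token)
    {
        if (token == null) return;
        lock (Store) { Store.Remove(token.Split('.')[0]); }
    }

    static byte[] Mac(byte[] data)
    {
        using (HMACSHA256 h = new HMACSHA256(MacKey)) return h.ComputeHash(data);
    }

    // Binds the token to client attributes. Behind a proxy farm the address can
    // change mid-session, so some deployments bind to the User-Agent alone.
    static string ClientBinding(HttpRequest request)
    {
        byte[] raw = Encoding.UTF8.GetBytes(request.UserAgent + "|" + request.UserHostAddress);
        using (SHA256 sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(raw));
    }

    // Constant-time comparison so MAC checking does not leak through timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The HMAC answers "will the system accept any token provided by the client?" with a no before any store lookup happens, while the server-side record is what enforces the timeouts, the hit limit and the client binding; a token whose record has been removed by Terminate or by a timeout is rejected even though its MAC is still valid.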