Index - Hacking the Code ASP.NET Web Application Security [Electronic resources] نسخه متنی

Index

A

account hijacking

assigning temporary passwords, 36–38

avoiding easily guessed credentials, 10–12

blocking brute-force attacks, 78–86

building login forms, 55–58

changing passwords, 25–27

defined, 3, 54

designing secure tokens, 113–117

empowering users, 42–45

enforcing strong passwords, 4–10

and forms authentication, 58–65

keeping tokens alive, 142–144

limiting idle accounts, 16–18

and Passport authentication, 75–78

password aging and history issues, 22–25

protecting cookies, 124–131

resetting lost or forgotten passwords, 28–42

secret questions, 38–42

sending information via e-mail, 34–36

token threats, 111

ways to store passwords, 19–22

and Windows authentication, 65–75

account lockouts, 79–81

accounts, user.See also users

empowering users, 42–45

idle, limiting, 16–18

locking against brute-force attacks, 79–81

administration pages, limiting access to, 246

administrative accounts, as targets, 12

algorithms, selecting, 166–169

aliases, 15.See also usernames

AllowRestrictedChars value, 250

application compromise, and reading and writing to data files, 296–302

application destruction, and reading and writing to data files, 296–302

applications

hiding unused code, 244–245

limiting access to code, 246

locking down file system access in IIS, 297–298

reading and writing to data files, 296–302

reducing attack scope, 247–248

reducing exposure to attack, 243–247

ASA files, vulnerabilities, 227

.asax files, 62

.ascx files, 62

.ashx files, 62

.asmx files, 62

ASP files, vulnerabilities, 227

AspMaxRequestEntityAllowed metabase setting, 249

ASP.NET

authorizing users, 86–102

blocking HTML user input, 231–233

vs. classic ASP, 212

and cryptography, 155–186

enhancing built-in state management features, 135–144

and forms authentication, 58–65

hardening server applications, 248–250

methods for bounds checking, 219–222

methods for storing session states, 119–124

resource filename extensions, 62–63

securing tokens, 110–144

validator controls, 220–222

View State feature, 131–135

and Windows authentication, 65–75

ASP.NET State Service, 119, 120–122

.aspx files, 62

Assert overrides, 380–382

asymmetric cryptography, 155, 156, 177–178, 414

auditing security code, 214

authentication.See also forms authentication; Windows authentication

building login forms, 55–58

C# code, 293, 294–295

database overview, 275–276

defined, 154, 275, 364

list of threats, 54

overview, 55, 364

VB.NET code, 293–294, 295, 296

authentication tokens, 110, 111

authorization

database overview, 278–279

defined, 278, 364

.NET Framework overview, 364

authorizing users, 86–102

.axd files, 62