Index - Hacking the Code ASP.NET Web Application Security [Electronic resources] - text version


James C. Foster, Mark M. Burnett


Index

C


C#

3DES encryption with ASP.NET, 160

authentication code, 293, 294–295

authorizing users, 99–102

binding session state to client, 140–141

blocking administrator logins, 73–74

blocking basic authentication without SSL, 70–71

connecting to SQL Server using Windows Authentication, 276

creating password hashes, 59–60

creating unique strings with hashes, 235

creating XML digital signature, 352–353

CryptDeriveKey method, 172

double decoding, 238

enhancing session token security, 136–137

escaping dangerous characters, 286

expiring sessions, 143

filtering dangerous SQL commands, 290

hashing with salt, 184–185

imperative code, 372

inheritance demands, 378

keeping memory clean, 188–189

keyed hashing using HMACSHA1 algorithm, 182–183

layering symmetric ciphers, 167–168

link demands, 377

password authentication delay, 81

pattern matching, 222, 224

RC2 encryption, 165

reflecting data, 228

request references, 215, 217

Rijndael encryption, 163–164

saving IV with ciphertext, 174–175

securing View State, 135

setting a Deny override, 384

setting an Assert override, 382

setting and verifying cookie domain property, 126–127

SQL Authentication connection string, 277

SQL common query string, 280

storing and retrieving data from isolated storage, 193

using PrincipalPermission object, 393–394, 395

using PrincipalPermissionAttribute object, 393

using SQLParameter collection, 287, 288

validating numeric input, 220

validating passwords, 6–8

validating XML digital signature, 356

XML document decryption, 345–346

XML document encryption, 341–342

CAPTCHAs, 84–85


CAS. See Code Access Security, 396, 416

Catch statement, 290

CBC (Cipher Block Chaining), 158

cert2spc.exe tool, 416

Certificate Creation utility, 416

Certificate Manager utility, 416

Certificate Verification utility, 416

certificates, mapping, 69–70

certmgr.exe tool, 416

CGI vulnerability scanners, 95

changing passwords, 25–27

chktrust.exe tool, 416

Cipher Block Chaining (CBC), 158

Cipher Feedback Mode (CFB), 158

CipherMode options, 157–158

ciphers, defined, 154

ciphertext, 154, 170

Clear method, 188

client certificate mapping, 69–70

ClientCertificate collection, 215, 216

ClientCertificate property, 208

code access permissions, 362

Code Access Security (CAS) model, 365–386

Code Access Security Policy utility, 416


code audit summaries

authentication, 105–106

authorization, 106–107

empowering users, 50

enhancing ASP.NET state management, 149

maintaining state, 147–148

malicious output, 254–257

passwords, 49–50

securing database drivers, 305

securing databases, 305–306

user credentials, 48–49

using ASP.NET tokens, 148

using cryptography in ASP.NET, 201

working with .NET encryption features, 201–202

writing secure data access code, 306–307

code groups

attaching permission sets to, 405–411

constructing hierarchies, 370–371

overview, 369–371

code identity, establishing, 368–369


coding standards summaries

authentication, 103–104

authorization, 104–105

constraining input, 251–253

empowering users, 48

enhancing ASP.NET state management, 146–147

handling malicious input, 251

limiting exposure to malicious input, 253–254

maintaining state, 145

passwords, 46–47

securing database drivers, 303

securing databases, 303

user credentials, 46

using ASP.NET tokens, 146

using cryptography in ASP.NET, 199

working with .NET encryption features, 200

writing secure data access code, 304

COM components

least privilege principle, 247–248

storing connection strings, 278

command execution, role of honey pots, 241–243

command injection, 207, 236–237

CompareValidator control, 220

compilation errors, 317

.config files, 62, 98–99. See also web.config file

controls, validator, 220–222

ControlToValidate property, 220

cookie-based tokens, 118

cookieless option, 123

cookies

Domain property, 125–127

Expires property, 128–130

marking as secure, 130

overview, 124

Path property, 127–128

protecting, 124–131

security issues, 124–131

sensitive information in, 131

as session tokens, 110–111

Cookies collection, 215, 216

Cookies property, 208

credentials, user. See also passwords; usernames

establishing, 3–18

examples of harvesting, 13–14

limiting exposure, 15–16

role of secret questions, 38–42

credit cards, and e-mail security issues, 34–36

cross-site request forgery (CSRF), 310

cross-site scripting (XSS)

building login forms, 55–58

defined, 207, 310

encoding data, 230–233

preventing attacks, 311–314

token threats, 112, 139

CryptDeriveKey method, 171, 172–173

CryptGenRandom function, 187

cryptoanalysis, 155

CryptoAPI, 203, 412

cryptography

and ASP.NET, 155–186

.NET Framework overview, 412–415

ways to attack systems, 155

.cs files, 62

.csproj files, 62

custom permissions, 363, 385–386

custom principals, 363

CustomValidator control, 6, 220
