Index
C

3DES encryption with ASP.NET, 160
authentication code, 293, 294–295
authorizing users, 99–102
binding session state to client, 140–141
blocking administrator logins, 73–74
blocking basic authentication without SSL, 70–71
connecting to SQL Server using Windows Authentication, 276
creating password hashes, 59–60
creating unique strings with hashes, 235
creating XML digital signature, 352–353
CryptDeriveKey method, 172
double decoding, 238
enhancing session token security, 136–137
escaping dangerous characters, 286
expiring sessions, 143
filtering dangerous SQL commands, 290
hashing with salt, 184–185
imperative code, 372
inheritance demands, 378
keeping memory clean, 188–189
keyed hashing using HMACSHA1 algorithm, 182–183
layering symmetric ciphers, 167–168
link demands, 377
password authentication delay, 81
pattern matching, 222, 224
RC2 encryption, 165
reflecting data, 228
request references, 215, 217
Rijndael encryption, 163–164
saving IV with ciphertext, 174–175
securing View State, 135
setting a Deny override, 384
setting an Assert override, 382
setting and verifying cookie domain property, 126–127
SQL Authentication connection string, 277
SQL common query string, 280
storing and retrieving data from isolated storage, 193
using PrincipalPermission object, 393–394, 395
using PrincipalPermissionAttribute object, 393
using SQLParameter collection, 287, 288
validating numeric input, 220
validating passwords, 6–8
validating XML digital signature, 356
XML document decryption, 345–346
XML document encryption, 341–342
CAPTCHAs, 84–85
CAS. See Code Access Security (CAS), 396, 416
Catch statement, 290
CBC (Cipher Block Chaining), 158
cert2spc.exe tool, 416
Certificate Creation utility, 416
Certificate Manager utility, 416
Certificate Verification utility, 416
certificates, mapping, 69–70
certmgr.exe tool, 416
CGI vulnerability scanners, 95
changing passwords, 25–27
chktrust.exe tool, 416
Cipher Block Chaining (CBC), 158
Cipher Feedback Mode (CFB), 158
CipherMode options, 157–158
ciphers, defined, 154
ciphertext, 154, 170
Clear method, 188
client certificate mapping, 69–70
ClientCertificate collection, 215, 216
ClientCertificate property, 208
code access permissions, 362
Code Access Security (CAS) model, 365–386
Code Access Security Policy utility, 416
code audit summaries
authentication, 105–106
authorization, 106–107
empowering users, 50
enhancing ASP.NET state management, 149
maintaining state, 147–148
malicious output, 254–257
passwords, 49–50
securing database drivers, 305
securing databases, 305–306
user credentials, 48–49
using ASP.NET tokens, 148
using cryptography in ASP.NET, 201
working with .NET encryption features, 201–202
writing secure data access code, 306–307
code groups
attaching permission sets to, 405–411
constructing hierarchies, 370–371
overview, 369–371
code identity, establishing, 368–369
coding standards summaries
authentication, 103–104
authorization, 104–105
constraining input, 251–253
empowering users, 48
enhancing ASP.NET state management, 146–147
handling malicious input, 251
limiting exposure to malicious input, 253–254
maintaining state, 145
passwords, 46–47
securing database drivers, 303
securing databases, 303
user credentials, 46
using ASP.NET tokens, 146
using cryptography in ASP.NET, 199
working with .NET encryption features, 200
writing secure data access code, 304
COM components
least privilege principle, 247–248
storing connection strings, 278
command execution, role of honey pots, 241–243
command injection, 207, 236–237
CompareValidator control, 220
compilation errors, 317
.config files, 62, 98–99. See also web.config file
controls, validator, 220–222
ControlToValidate property, 220
cookie-based tokens, 118
cookieless option, 123
cookies
Domain property, 125–127
Expires property, 128–130
marking as secure, 130
overview, 124
Path property, 127–128
protecting, 124–131
security issues, 124–131
sensitive information in, 131
as session tokens, 110–111
Cookies collection, 215, 216
Cookies property, 208
credentials, user. See also passwords; usernames
establishing, 3–18
examples of harvesting, 13–14
limiting exposure, 15–16
role of secret questions, 38–42
credit cards, and e-mail security issues, 34–36
cross-site request forgery (CSRF), 310
cross-site scripting (XSS)
building login forms, 55–58
defined, 207, 310
encoding data, 230–233
preventing attacks, 311–314
token threats, 112, 139
CryptDeriveKey method, 171, 172–173
CryptGenRandom function, 187
cryptoanalysis, 155
CryptoAPI, 203, 412
cryptography
and ASP.NET, 155–186
.NET Framework overview, 412–415
ways to attack systems, 155
.cs files, 62
.csproj files, 62
custom permissions, 363, 385–386
custom principals, 363
CustomValidator control, 6, 220