Index - Hacking the Code ASP.NET Web Application Security [Electronic resources] - text version


James C. Foster, Mark M. Burnett


Index

S


S/MIME, and e-mail, 35, 36

sa account, 278

salt, adding, 184–186

schema, XML encryption, 334–339

secret questions, 38–42

secrets, protecting, 190–195

secure data access code, writing, 274–302

Secure Sockets Layer (SSL)

blocking basic authentication without, 70–72

and client certificate mapping, 69–70

and cookie security, 130

defined, 196

how it works, 196

processing overhead, 204

protecting communications, 196–198

and rule of least privilege, 272

system requirements, 196–197

when to use, 150, 197

security, user threat summary, 2–3. See also security policy summaries

security checks

overriding, 379–385

role-based, 392–396

security policies, 364, 396–399


security policy summaries

brute-force attacks, 86

building login forms, 57–58

changing passwords, 27

connecting to data sources, 279

cookie issues, 131

creating random numbers, 188

credential harvesting, 16

data reflecting, 229

designing secure tokens, 116–117

double decoding, 239

easily guessed credentials, 12

educating users, 44

employing file authorization, 92–93

employing symmetric cryptography, 156–177

encapsulating, 236

encoding data, 233

ensuring least privilege, 272

error handling, 322

exception handling, 241

hardening server applications, 250

honey drops, 243

identifying input sources, 207–211

idle accounts, 18

increasing token security, 144

involving users, 45

keeping memory clean, 190

limiting database attack surface, 270

making session tokens more secure, 141–142

parameterizing, 237

Passport authentication, 78

password aging and history issues, 25

pattern matching, 226

preventing Web site information leakage, 315

programming defensively, 218

protecting communications with SSL, 198

protecting secrets, 195

reading and writing to data files, 302

reducing attack exposure, 247

reducing attack scope, 248

resetting passwords, 33–34

role-based and resource-based user authorization, 91

secret questions, 42

securing database location, 265

securing databases, 274

sending information via e-mail, 36

session state, 123–124

SQL injection attacks, 291

storing passwords, 22

strong passwords, 10

syntax checking, 240

temporary passwords, 37–38

token mechanisms, 119

URL authorization, 99

using forms authentication, 65

validator controls, 222

View State feature, 135

Windows authentication, 75

working with hashing algorithms, 186

writing secure HTML code, 314

writing secure SQL code, 296

XML digital signatures, 357

XML encryption, 348

SecurityPermission class, 375

secutil.exe tool, 417

sensitive information

role of secret questions, 38–42

sending via e-mail, 34–36

Server object

HtmlEncode method, 232, 233

UrlEncode method, 232, 233

UrlPathEncode method, 232, 233

server-side code, limiting attack scope, 248

server-side code access

defined, 206

double decoding, 237–239

preventing, 227–229

role of honey pots, 241–243

SERVER_NAME server variable, 209, 210

ServerVariables collection, 215, 216

ServerVariables property, 208

ServiceControllerPermission class, 375

session fixation

defined, 111

designing secure tokens, 113–117

keeping tokens alive, 142–144

protecting cookies, 124–131

and View State feature, 131–135

session hijacking

designing secure tokens, 113–117

keeping tokens alive, 142–144

protecting cookies, 124–131

session tokens, destroying, 142–144

sessions

role of tokens, 110–111

terminating, 142–144

Set Registry utility, 417

setreg.exe tool, 417

SHA-1 hashing algorithm

defined, 180

verifying data integrity, 182–183

in web.config file, 58, 59, 61, 62

SHA-256 hashing algorithm, 180

SHA-384 hashing algorithm, 180

SHA-512 hashing algorithm, 180, 203

SHA1CryptoServiceProvider class, 414

shell commands

escaping data, 225–226

exception handling, 241

side-channel leakage, 155

signatures, digital. See digitally signed XML documents

signcode.exe tool, 417

signing XML data, 348–357

SiteIdentityPermission class, 375

skip verification, as code group membership condition, 371

sn.exe tool, 417

sniffing, 54, 242

Snort, 242

.soap files, 62

social engineering

and administrative accounts, 12

defined, 3, 310

empowering users, 42–45

preventing credential harvesting, 13–16

preventing information leaks, 314–315

SocketPermission class, 375

Software Publisher Certificate Test utility, 416

spamming, 3, 13–16

SQL, writing secure code, 291–296

SQL Authentication, 276–277

SQL injection

building login forms, 55–58

defined, 206, 262

escaping data, 225–226

examples, 280–285

filtering and escaping dangerous characters, 285–287

parameterizing, 236–237

preventing, 280–291

role of honey pots, 241–243

SQL query strings, 280–281


SQL Server

application roles, 279

database authorization, 278–279

fixed database roles, 279

managing session state, 119, 122–123

recording login attempts, 267–268

and rule of least privilege, 271

user-defined database roles, 279

SQL statements

Catch statement, 290

escaping data, 225–226

role of SQLParameter collection, 287–288

syntax checking, 239–240

Try statement, 290

SqlClientPermission class, 375

SQLParameter collection, 287–288

stack walking, 366–367

state, session

checklist for secure token design, 113–117

client vs. server management and storage, 150

enhancing built-in ASP.NET features, 135–144

maintaining, 113–124

managing in-process, 119, 120

managing with ASP.NET State Service, 119, 120–122

managing with SQL Server, 119, 122–123

methods for storing, 119–124

and session termination, 142–144

and token mechanisms, 117–119

storeadm.exe tool, 417

stored procedures, when to use, 292

storing passwords, 19–22

strict data typing, enabling, 212–213

strong data typing, enabling, 212–213

Strong Name utility, 417

strong names

as code group membership condition, 371

as type of evidence, 368

strong passwords, enforcing, 4–10

StrongNameIdentityPermission class, 375

structured error handling, 318–322

summaries. See code audit summaries; coding standards summaries; security policy summaries

symmetric cryptography

vs. asymmetric cryptography, 177

establishing keys, 170–173

key algorithms, 414

layering ciphers, 167–169

overview, 155, 156–157

role of initialization vector, 170, 173–176

security policy summary, 177

selecting algorithms, 166–169

SymmetricAlgorithm class, 163

syntax checking, 219, 239–240

syntax errors, 317

System.Random class, 187
