C#
3DES encryption with ASP.NET, 160
authentication code, 293, 294–295
authorizing users, 99–102
binding session state to client, 140–141
blocking administrator logins, 73–74
blocking basic authentication without SSL, 70–71
connecting to SQL Server using Windows Authentication, 276
creating password hashes, 59–60
creating unique strings with hashes, 235
creating XML digital signature, 352–353
CryptDeriveKey method, 172
double decoding, 238
enhancing session token security, 136–137
escaping dangerous characters, 286
expiring sessions, 143
filtering dangerous SQL commands, 290
hashing with salt, 184–185
imperative code, 372
inheritance demands, 378
keeping memory clean, 188–189
keyed hashing using HMACSHA1 algorithm, 182–183
layering symmetric ciphers, 167–168
link demands, 377
password authentication delay, 81
RC2 encryption, 165
reflecting data, 228
Rijndael encryption, 163–164
saving IV with ciphertext, 174–175
securing View State, 135
setting a Deny override, 384
setting an Assert override, 382
setting and verifying cookie domain property, 126–127
SQL Authentication connection string, 277
SQL common query string, 280
storing and retrieving data from isolated storage, 193
using PrincipalPermission object, 393–394, 395
using PrincipalPermissionAttribute object, 393
using SQLParameter collection, 287, 288
validating numeric input, 220
validating passwords, 6–8
validating XML digital signature, 356
XML document decryption, 345–346
XML document encryption, 341–342
CAPTCHAs, 84–85
CAS. See Code Access Security, 396, 416
Catch statement, 290
CBC (Cipher Block Chaining), 158
cert2spc.exe tool, 416
Certificate Creation utility, 416
Certificate Manager utility, 416
Certificate Verification utility, 416
certificates, mapping, 69–70
certmgr.exe tool, 416
CGI vulnerability scanners, 95
changing passwords, 25–27
chktrust.exe tool, 416
Cipher Block Chaining (CBC), 158
Cipher Feedback Mode (CFB), 158
CipherMode options, 157–158
ciphers, defined, 154
Clear method, 188
client certificate mapping, 69–70
ClientCertificate collection, 215, 216
ClientCertificate property, 208
code access permissions, 362
Code Access Security (CAS) model, 365–386
Code Access Security Policy utility, 416
code audit summaries
authentication, 105–106
authorization, 106–107
empowering users, 50
enhancing ASP.NET state management, 149
maintaining state, 147–148
malicious output, 254–257
passwords, 49–50
securing database drivers, 305
securing databases, 305–306
user credentials, 48–49
using ASP.NET tokens, 148
using cryptography in ASP.NET, 201
working with .NET encryption features, 201–202
writing secure data access code, 306–307
code groups
attaching permission sets to, 405–411
constructing hierarchies, 370–371
overview, 369–371
code identity, establishing, 368–369
coding standards summaries
authentication, 103–104
authorization, 104–105
constraining input, 251–253
empowering users, 48
enhancing ASP.NET state management, 146–147
handling malicious input, 251
limiting exposure to malicious input, 253–254
maintaining state, 145
passwords, 46–47
securing database drivers, 303
securing databases, 303
user credentials, 46
using ASP.NET tokens, 146
using cryptography in ASP.NET, 199
working with .NET encryption features, 200
writing secure data access code, 304
COM components
least privilege principle, 247–248
storing connection strings, 278
command execution, role of honey pots, 241–243
command injection, 207, 236–237
CompareValidator control, 220
compilation errors, 317
.config files, 62, 98–99. See also web.config file
controls, validator, 220–222
ControlToValidate property, 220
cookie-based tokens, 118
cookieless option, 123
cookies
Domain property, 125–127
Expires property, 128–130
marking as secure, 130
overview, 124
Path property, 127–128
protecting, 124–131
security issues, 124–131
sensitive information in, 131
as session tokens, 110–111
Cookies property, 208
credentials, user. See also passwords; usernames
establishing, 3–18
examples of harvesting, 13–14
limiting exposure, 15–16
role of secret questions, 38–42
credit cards, and e-mail security issues, 34–36
cross-site request forgery (CSRF), 310
cross-site scripting (XSS)
building login forms, 55–58
encoding data, 230–233
preventing attacks, 311–314
CryptDeriveKey method, 171, 172–173
CryptGenRandom function, 187
cryptanalysis, 155
cryptography
and ASP.NET, 155–186
.NET Framework overview, 412–415
ways to attack systems, 155
.cs files, 62
.csproj files, 62
custom permissions, 363, 385–386
custom principals, 363