BEGINNING ASP.NET SECURITY

Barry Dorrans
A John Wiley and Sons, Ltd., Publication

CONTENTS

INTRODUCTION
CHAPTER 1 Why Web Security Matters

PART I THE ASP.NET SECURITY BASICS
CHAPTER 2 How the Web Works
CHAPTER 3 Safely Accepting User Input
CHAPTER 4 Using Query Strings, Form Fields, Events, and Browser Information
CHAPTER 5 Controlling Information
CHAPTER 6 Keeping Secrets Secret — Hashing and Encryption

PART II SECURING COMMON ASP.NET TASKS
CHAPTER 7 Adding Usernames and Passwords
CHAPTER 8 Securely Accessing Databases
CHAPTER 9 Using the File System
CHAPTER 10 Securing XML

PART III ADVANCED ASP.NET SCENARIOS
CHAPTER 11 Sharing Data with Windows Communication Foundation
CHAPTER 12 Securing Rich Internet Applications
CHAPTER 13 Understanding Code Access Security
CHAPTER 14 Securing Internet Information Server (IIS)
CHAPTER 15 Third-Party Authentication
CHAPTER 16 Secure Development with the ASP.NET MVC Framework

INDEX

Beginning ASP.NET Security
This edition first published 2010
© 2010 John Wiley & Sons, Ltd

Registered office: John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

ISBN: 978-0-470-74365-2
A catalogue record for this book is available from the British Library
Set in 9.5/12 Sabon Roman at MacMillan Publishing Solutions
Printed in Great Britain by Bell and Bain, Glasgow

To mum, who asked me more about the book's progress almost as often as the long-suffering Wrox staff did. And to Emilicon, who had to put up with my stress and frustration when the words didn't come.

[...]

CONTENTS

CHAPTER 1: WHY WEB SECURITY MATTERS
Anatomy of an Attack
Risks and Rewards
Building Security from the Ground Up
Defense in Depth
Never Trust Input
Fail Gracefully
Watch for Attacks
Use Least Privilege
Firewalls and Cryptography Are Not a Panacea
Security Should Be Your Default State
Code Defensively
The OWASP Top Ten
Moving Forward
Checklists

PART I: THE ASP.NET SECURITY BASICS

[...]
Understanding HTML Forms
Examining How ASP.NET Works
Understanding How ASP.NET Events Work
Examining the ASP.NET Pipeline
Writing HTTP Modules
Summary

CHAPTER 3: SAFELY ACCEPTING USER INPUT
Defining Input
Dealing with Input Safely
Echoing User Input Safely
Mitigating Against XSS
The Microsoft Anti-XSS Library
The Security Run-time Engine
Constraining [...]

[...] XML

PART III: ADVANCED ASP.NET SCENARIOS

CHAPTER 11: SHARING DATA WITH WINDOWS COMMUNICATION FOUNDATION
Creating and Consuming WCF Services
Security and Privacy with WCF
Transport Security
Message Security
Mixed Mode
Selecting the Security Mode
Choosing the Client Credentials
Adding Security to an Internet Service
Signing Messages [...]

CHAPTER 12: SECURING RICH INTERNET APPLICATIONS
RIA Architecture
Security in Ajax Applications
The XMLHttpRequest Object
The Ajax Same Origin Policy
The Microsoft ASP.NET Ajax Framework
Examining the UpdatePanel
Examining the ScriptManager
Security Considerations with UpdatePanel and ScriptManager
Security in Silverlight Applications
Understanding the CoreCLR Security Model
Using the HTML Bridge
Controlling Access [...]
[...] File System
Using Cryptography in Silverlight
Accessing the Web and Web Services with Silverlight
Using ASP.NET Authentication and Authorization in Ajax and Silverlight
A Checklist for Securing Ajax and Silverlight

CHAPTER 13: UNDERSTANDING CODE ACCESS SECURITY
Understanding Code Access Security
Using ASP.NET Trust Levels
Demanding Minimum CAS Permissions
Asking and Checking for CAS Permissions
Testing [...]

INTRODUCTION

[...] worried. Security is a difficult topic to discuss. Often, developers know they must take security into account during their development life cycle, but do not know what they must look for, and can be too timid to ask about the potential threats and attacks that their applications could be subjected to. This book provides a practical introduction to developing securely for ASP.NET. Rather than approaching security [...]

[...] depending on where you live.

WHO THIS BOOK IS FOR

This book is for developers who already have a solid understanding of ASP.NET, but who need to know about the potential issues and common security vulnerabilities that ASP.NET can have. The book does not teach you how to construct and develop an ASP.NET Web site, but instead will expand upon your existing knowledge, and provide you with the understanding and [...]

[...] very broad sections, each containing several chapters. Chapter 1, "Why Web Security Matters," begins with a general introduction to Web security, illustrates an attack on an application, and introduces some general principles for secure development. Part I, "The ASP.NET Security Basics," addresses everyday common functions of an ASP.NET Web site — the functions that can expose your application, and how [...]

CHAPTER 1: WHY WEB SECURITY MATTERS

[...] secure. A security incident (or multiple security incidents) damages the reputation of the software manufacturer, and impacts the sales of the product.

BUILDING SECURITY FROM THE GROUND UP

When you gather the requirements for your system, you normally consider functionality, performance, the user experience, maintainability, and other attributes. But what about security? [...]

[...] However, the assumption that security does not need to be specified is a huge risk. When security is not explicitly part of the software requirements, it may never get considered. Microsoft itself has made great advances in recent years in developing secure code by changing its approach and embracing the Security Development Lifecycle (SDL), which highlighted the need to integrate security into the software [...]