11.07.2015 Views

Improving Web Application Security: Threats and - CGISecurity



Chapter 9: Using Code Access Security with ASP.NET

5. Configure your Web application for medium trust. Add the following to Web.config or place it in Machine.config inside an element that points to your application:

6. Reference the event log assembly from your ASP.NET Web application. Because a strong-named assembly must be in the GAC and not the \bin directory of a Web application, you must add the assembly to the list of assemblies used in the application if you are not using code-behind files. You can obtain the PublicKeyToken of your assembly by using the following command:

   sn -Tp eventlogwapper.dll

   Note: Use a capital -T switch.

   Then add the following code to Machine.config or Web.config:

   Note: In between successive rebuilds of your wrapper assembly, you might need to recycle the ASP.NET worker process because your wrapper assembly, which is installed in the GAC, is cached by the ASP.NET process. To recycle the ASP.NET worker process (Aspnet_wp.exe), you can run the iisreset.exe utility.

7. Protect the code that calls the Assert method. The Assert call means that any code that calls the event log wrapper is able to interact with the event log. To prevent malicious code from calling the event log wrapper and potentially using it to fill the event log, you can issue a full demand for a custom permission prior to calling Assert and update the medium trust policy file to grant your Web application the custom permission. This solution entails a reasonable amount of developer effort.

For more information about how to develop a custom permission, see "How To: Create a Custom Encryption Permission" in the "How To" section of this guide.
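The demand-before-assert pattern from step 7, as an added sketch that is not code from the guide. The names EventLogCallerPermission and EventLogWrapper.Write are hypothetical, and the code assumes .NET Framework 2.0 or later with the assembly strong-named and installed in the GAC; the medium trust policy entry that grants the custom permission is not shown.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Permissions;
[assembly: AllowPartiallyTrustedCallers] // lets medium trust code call this GAC assembly
// Hypothetical custom permission; the medium trust policy file must grant it to the Web app.
[Serializable]
public sealed class EventLogCallerPermission : CodeAccessPermission, IUnrestrictedPermission
{
    private bool granted;
    public EventLogCallerPermission(PermissionState state) { granted = state == PermissionState.Unrestricted; }
    public bool IsUnrestricted() { return granted; }
    public override IPermission Copy()
    {
        return new EventLogCallerPermission(granted ? PermissionState.Unrestricted : PermissionState.None);
    }
    public override IPermission Intersect(IPermission target)
    {
        var other = Cast(target);
        return (other != null && granted && other.granted) ? Copy() : null;
    }
    public override bool IsSubsetOf(IPermission target)
    {
        var other = Cast(target);
        return !granted || (other != null && other.granted);
    }
    public override SecurityElement ToXml()
    {
        var e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName);
        e.AddAttribute("version", "1");
        e.AddAttribute("Unrestricted", granted ? "true" : "false");
        return e;
    }
    public override void FromXml(SecurityElement e) { granted = string.Equals(e.Attribute("Unrestricted"), "true", StringComparison.OrdinalIgnoreCase); }
    private static EventLogCallerPermission Cast(IPermission p)
    {
        if (p != null && !(p is EventLogCallerPermission)) throw new ArgumentException("Wrong permission type.");
        return (EventLogCallerPermission)p;
    }
}
public static class EventLogWrapper
{
    public static void Write(string source, string message)
    {
        new EventLogCallerPermission(PermissionState.Unrestricted).Demand(); // full stack walk first
        new EventLogPermission(EventLogPermissionAccess.Write, ".").Assert(); // then stop the walk for event log access
        try { EventLog.WriteEntry(source, message, EventLogEntryType.Information); }
        finally { CodeAccessPermission.RevertAssert(); } // drop the assertion as soon as the write completes
    }
}
```

A caller whose policy does not grant EventLogCallerPermission gets a SecurityException from Demand before the Assert is ever reached, so the wrapper cannot be used to reach the event log from ungranted code.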
