Improving Web Application Security: Threats and - CGISecurity

More documents

Recommendations

Info

292 Part III: Building Secure Web ApplicationsIf you omit the second parameter or set it to false, then an error will not occur. If youwant to preserve the QueryString and Form collections instead of setting theenableViewStateMac to false, follow the workaround discussed in MicrosoftKnowledge Base article 316920, “PRB: View State Is Invalid” Error Message WhenYou Use Server.Transfer.”For information about configuring the element for view stateencryption and integrity checks, see Chapter 19, “Securing Your ASP.NETApplication and Web Services.”Use Page.ViewStateUserKey to Counter One-Click AttacksIf you authenticate your callers and use view state, set the Page.ViewStateUserKeyproperty in the Page_Init event handler to prevent one-click attacks. A one-clickattack occurs when an attacker creates a prefilled Web page (.htm or .aspx) with viewstate. The view state can be generated from a page that the attacker had previouslycreated, for example, a shopping cart page with 100 items. The attacker lures anunsuspecting user into browsing to the page, then causes the page to be sent to theserver where the view state is valid. The server has no way of knowing that the viewstate originated from the attacker. View state validation and MACs do not counterthis attack because the view state is valid and the page is executed under the securitycontext of the user.Set the Page.ViewStateUserKey property to a suitably unique value as acountermeasure to the one-click attack. The value should be unique to each user andis typically a user name or identifier. When the attacker creates the view state, theViewStateUserKey property is initialized to his or her name. When the user submitsthe page to the server, it is initialized with the attacker’s name. As a result, the viewstate MAC check fails and an exception condition is generated.Note This attack is usually not an issue for anonymously browsed pages (where no user name isavailable) because this type of page should make no sensitive transactions.Maintain Sensitive Data on the ServerDo not trust input parameters, especially when they are used to make securitydecisions at the server. Also, do not use clear text parameters for any form of sensitivedata. Instead, store sensitive data on the server in a session store and use a sessiontoken to reference the items in the store. Make sure that the user is authenticatedsecurely and that the authentication token is secured properly. For more information,see “Session Management” earlier in this chapter.
Chapter 10: Building Secure ASP.NET Pages and Controls 293Validate Input ParametersValidate all input parameters that come from form fields, query strings, cookies, andHTTP headers. The System.Text.RegularExpressions.Regex class helps validateinput parameters. For example, the following code shows how to use this class tovalidate a name passed through a query string parameter. The same technique can beused to validate other forms of input parameter, for example, from cookies or formfields. For example, to validate a cookie parameter, use Request.Cookies instead ofRequest.QueryString.using System.Text.RegularExpressions;. . .private void Page_Load(object sender, System.EventArgs e){// Name must contain between 1 and 40 alphanumeric characters// together with (optionally) special characters '`´ for names such// as D'Angeloif (!Regex.IsMatch(Request.QueryString["name"],@"^[\p{L}\p{Zs}\p{Lu}\p{Ll}]{1,40}$"))throw new Exception("Invalid name parameter");// Use individual regular expressions to validate all other// query string parameters. . .}For more information about using regular expressions and how to validate inputdata, see “Input Validation” earlier in this chapter.Exception ManagementCorrect exception handling in your Web pages prevents sensitive exception detailsfrom being revealed to the user. The following recommendations apply to ASP.NETWeb pages and controls.● Return generic error pages to the client.●Implement page-level or application-level error handlers.For more information about exception management, see Chapter 7, “Building SecureAssemblies.”Return Generic Error Pages to the ClientIn the event of an unhandled exception, that is, one that propagates to the applicationboundary, return a generic error page to the user. To do this, configure the element as follows:
Page 1:
Improving WebApplication SecurityTh
Page 4 and 5:
Information in this document, inclu
Page 6 and 7:
viImproving Web Application Securit
Page 8 and 9:
viiiImproving Web Application Secur
Page 10 and 11:
xImproving Web Application Security
Page 12 and 13:
xiiImproving Web Application Securi
Page 14 and 15:
xivImproving Web Application Securi
Page 16 and 17:
xviImproving Web Application Securi
Page 18 and 19:
xviiiImproving Web Application Secu
Page 20 and 21:
xxImproving Web Application Securit
Page 22 and 23:
xxiiImproving Web Application Secur
Page 27 and 28:
Contents xxvii.NET Remoting Securit
Page 29 and 30:
Contents xxixStaying Secure (contin
Page 31 and 32:
Contents xxxiASP.NET Architecture o
Page 33 and 34:
Contents xxxiiiSummary ............
Page 35 and 36:
Contents xxxvIndex of Checklists 68
Page 37 and 38:
Contents xxxviiChecklistSecuring Da
Page 39 and 40:
Contents xxxixHow ToIndex 743How To
Page 41 and 42:
Contents xliRestricting Server-to-S
Page 43 and 44:
ForewordsForeword by Mark CurpheyWh
Page 45 and 46:
Forewords xlvForeword by Joel Scamb
Page 47:
Forewords xlviiFinally, techniques
Page 50 and 51:
lImproving Web Application Security
Page 52 and 53:
liiImproving Web Application Securi
Page 54 and 55:
livImproving Web Application Securi
Page 56 and 57:
lviImproving Web Application Securi
Page 58 and 59:
lviiiImproving Web Application Secu
Page 60 and 61:
lxImproving Web Application Securit
Page 62 and 63:
lxiiImproving Web Application Secur
Page 64 and 65:
lxivImproving Web Application Secur
Page 66 and 67:
lxviImproving Web Application Secur
Page 68 and 69:
lxviiiImproving Web Application Sec
Page 70 and 71:
lxxImproving Web Application Securi
Page 72 and 73:
lxxiiImproving Web Application Secu
Page 75 and 76:
Fast Track — How To Implementthe
Page 77 and 78:
Fast Track — How To Implement the
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85:
Part IIntroduction to Threats andCo
Page 88 and 89:
4 Part I: Introduction to Threats a
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
10 Part I: Introduction to Threats
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 129 and 130:
3Threat ModelingIn This Chapter●
Page 131 and 132:
Chapter 3: Threat Modeling 47Threat
Page 133 and 134:
Chapter 3: Threat Modeling 49Archit
Page 135 and 136:
Chapter 3: Threat Modeling 51Figure
Page 137 and 138:
Chapter 3: Threat Modeling 53Identi
Page 139 and 140:
Chapter 3: Threat Modeling 55Docume
Page 141 and 142:
Chapter 3: Threat Modeling 57●●
Page 143 and 144:
Chapter 3: Threat Modeling 59●●
Page 145 and 146:
Chapter 3: Threat Modeling 61Note I
Page 147 and 148:
Chapter 3: Threat Modeling 63Risk =
Page 149 and 150:
Chapter 3: Threat Modeling 65Table
Page 151:
Part IIDesigning SecureWeb Applicat
Page 154 and 155:
70 Part II: Designing Secure Web Ap
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
100 Part II:Designing Secure Web Ap
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 211:
Part IIIBuilding Secure WebApplicat
Page 214 and 215:
130 Part III: Building Secure Web A
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 265 and 266:
8Code Access Security in PracticeIn
Page 267 and 268:
Chapter 8: Code Access Security in
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327: 242 Part III: Building Secure Web A
Page 383 and 384: 11Building Secure ServicedComponent
Page 385 and 386: Chapter 11: Building Secure Service
Page 401: Chapter 11: Building Secure Service
Page 426 and 427:
Page 428 and 429:
Page 430 and 431:
Page 432 and 433:
Page 434 and 435:
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Page 442 and 443:
Page 444 and 445:
Page 446 and 447:
Page 448 and 449:
Page 450 and 451:
Page 452 and 453:
Page 454 and 455:
Page 456 and 457:
Page 458 and 459:
Page 460 and 461:
Page 462 and 463:
Page 464 and 465:
Page 466 and 467:
Page 468 and 469:
Page 470 and 471:
Page 472 and 473:
Page 474 and 475:
Page 476 and 477:
Page 478 and 479:
Page 480 and 481:
Page 482 and 483:
Page 485:
Part IVSecuring Your Network,Host,
Page 488 and 489:
404 Part IV: Securing Your Network,
Page 490 and 491:
Page 492 and 493:
Page 494 and 495:
Page 496 and 497:
Page 498 and 499:
Page 500 and 501:
Page 502 and 503:
Page 504 and 505:
Page 506 and 507:
Page 508 and 509:
Page 510 and 511:
Page 512 and 513:
Page 514 and 515:
Page 516 and 517:
Page 518 and 519:
Page 520 and 521:
Page 522 and 523:
Page 524 and 525:
Page 526 and 527:
Page 528 and 529:
Page 530 and 531:
Page 532 and 533:
Page 534 and 535:
Page 536 and 537:
Page 538 and 539:
Page 540 and 541:
Page 542 and 543:
Page 544 and 545:
Page 546 and 547:
Page 548 and 549:
Page 550 and 551:
Page 552 and 553:
Page 554 and 555:
Page 556 and 557:
Page 558 and 559:
Page 560 and 561:
Page 562 and 563:
Page 564 and 565:
Page 566 and 567:
Page 568 and 569:
Page 570 and 571:
Page 572 and 573:
Page 574 and 575:
Page 576 and 577:
Page 578 and 579:
Page 580 and 581:
Page 582 and 583:
Page 585 and 586:
18Securing Your Database ServerIn T
Page 587 and 588:
Chapter 18: Securing Your Database
Page 589 and 590:
Page 591 and 592:
Page 593 and 594:
Page 595 and 596:
Page 597 and 598:
Page 599 and 600:
Page 601 and 602:
Page 603 and 604:
Page 605 and 606:
Page 607 and 608:
Page 609 and 610:
Page 611 and 612:
Page 613 and 614:
Page 615 and 616:
Page 617 and 618:
Page 619 and 620:
Page 621 and 622:
Page 623 and 624:
Page 625:
Page 628 and 629:
Page 630 and 631:
Page 632 and 633:
Page 634 and 635:
Page 636 and 637:
Page 638 and 639:
Page 640 and 641:
Page 642 and 643:
Page 644 and 645:
Page 646 and 647:
Page 648 and 649:
Page 650 and 651:
Page 652 and 653:
Page 654 and 655:
Page 656 and 657:
Page 658 and 659:
Page 660 and 661:
Page 662 and 663:
Page 664 and 665:
Page 666 and 667:
Page 668 and 669:
Page 670 and 671:
Page 672 and 673:
Page 674 and 675:
Page 676 and 677:
Page 678 and 679:
Page 680 and 681:
Page 682 and 683:
Page 684 and 685:
Page 686 and 687:
Page 689 and 690:
21Code ReviewIn This Chapter●●
Page 691 and 692:
Chapter 21: Code Review 607For exam
Page 693 and 694:
Chapter 21: Code Review 609Identify
Page 695 and 696:
Chapter 21: Code Review 611Check to
Page 697 and 698:
Chapter 21: Code Review 613Check th
Page 699 and 700:
Chapter 21: Code Review 615Buffer O
Page 701 and 702:
Chapter 21: Code Review 617Is Your
Page 703 and 704:
Chapter 21: Code Review 619●Does
Page 705 and 706:
Chapter 21: Code Review 621Do You S
Page 707 and 708:
Chapter 21: Code Review 623The foll
Page 709 and 710:
Chapter 21: Code Review 625●Do yo
Page 711 and 712:
Chapter 21: Code Review 627●Do yo
Page 713 and 714:
Chapter 21: Code Review 629●●Is
Page 715 and 716:
Chapter 21: Code Review 631Do You V
Page 717 and 718:
Chapter 21: Code Review 633Do You S
Page 719 and 720:
Chapter 21: Code Review 635Do You E
Page 721 and 722:
Chapter 21: Code Review 637Check th
Page 723 and 724:
Chapter 21: Code Review 639Do You P
Page 725 and 726:
Chapter 21: Code Review 641Search f
Page 727 and 728:
22Deployment ReviewIn This Chapter
Page 729 and 730:
Chapter 22: Deployment Review 645Pa
Page 731 and 732:
Chapter 22: Deployment Review 647
Page 733 and 734:
Page 735 and 736:
Chapter 22: Deployment Review 651Re
Page 737 and 738:
Chapter 22: Deployment Review 653Fo
Page 739 and 740:
Page 741 and 742:
Chapter 22: Deployment Review 657Ma
Page 743 and 744:
Page 745 and 746:
Chapter 22: Deployment Review 661Th
Page 747 and 748:
Chapter 22: Deployment Review 663Th
Page 749 and 750:
Chapter 22: Deployment Review 665Ac
Page 751 and 752:
Page 753 and 754:
Chapter 22: Deployment Review 669Ho
Page 755 and 756:
Page 757 and 758:
Chapter 22: Deployment Review 673Fi
Page 759 and 760:
Chapter 22: Deployment Review 675Au
Page 761 and 762:
Chapter 22: Deployment Review 677SQ
Page 763 and 764:
Page 765 and 766:
Related Security ResourcesRelated M
Page 767 and 768:
Related Security Resources 683Commu
Page 769:
Related Security Resources 685Commo
Page 772 and 773:
688 Improving Web Application Secur
Page 774 and 775:
Page 776 and 777:
Page 778 and 779:
Page 780 and 781:
Page 782 and 783:
Page 784 and 785:
Page 786 and 787:
Page 788 and 789:
Page 790 and 791:
Page 793 and 794:
Checklist:Securing Enterprise Servi
Page 795:
Checklist: Securing Enterprise Serv
Page 798 and 799:
Page 801 and 802:
Checklist:Securing Data AccessHow t
Page 803:
Checklist: Securing Data Access 719
Page 806 and 807:
Page 808 and 809:
Page 810 and 811:
Page 812 and 813:
Page 814 and 815:
Page 816 and 817:
Page 819 and 820:
Checklist:Security Review for Manag
Page 821 and 822:
Checklist: Security Review for Mana
Page 823 and 824:
Page 825:
Page 829 and 830:
How To:Implement Patch ManagementAp
Page 831 and 832:
How To: Implement Patch Management
Page 833 and 834:
Page 835 and 836:
Page 837 and 838:
Page 839 and 840:
How To:Harden the TCP/IP StackAppli
Page 841 and 842:
How To: Harden the TCP/IP Stack 757
Page 843 and 844:
Page 845 and 846:
Page 847:
Page 850 and 851:
Page 852 and 853:
Page 854 and 855:
Page 856 and 857:
Page 858 and 859:
Page 861 and 862:
How To:Use IPSec for Filtering Port
Page 863 and 864:
How To: Use IPSec for Filtering Por
Page 865 and 866:
Page 867 and 868:
Page 869 and 870:
Page 871 and 872:
How To:Use the Microsoft BaselineSe
Page 873 and 874:
How To: Use the Microsoft Baseline
Page 875 and 876:
Page 877:
Page 880 and 881:
Page 882 and 883:
Page 885 and 886:
How To:Use URLScanApplies ToSummary
Page 887 and 888:
How To: Use URLScan 803Throttling R
Page 889 and 890:
How To:Create a CustomEncryption Pe
Page 891 and 892:
How To: Create a Custom Encryption
Page 893 and 894:
Page 895 and 896:
Page 897 and 898:
Page 899 and 900:
Page 901 and 902:
Page 903 and 904:
Page 905 and 906:
Page 907 and 908:
How To:Use Code Access Security Pol
Page 909 and 910:
How To: Use Code Access Security Po
Page 911 and 912:
Page 913 and 914:
Page 915:
Page 918 and 919:
patterns & practicesProven practice
show all

Improving Web Application Security: Threats and - CGISecurity

Create successful ePaper yourself

Delete template?

Save as template?