Difference between revisions of ".NET Security Cheat Sheet"
Xandersherry: Update encryption recommendations.
Xandersherry: Specify ASP.NET Identity as the framework that provides PBKDF2 by default.
Line 150: | Line 150: | ||
** Compare user provided username with User.Identity.Name. | ** Compare user provided username with User.Identity.Name. | ||
** Check roles against User.Identity.IsInRole. | ** Check roles against User.Identity.IsInRole. | ||
− | * Use the ASP.NET | + | * Use the ASP.NET Membership provider and role provider, but review the password storage. The default storage hashes the password with a single iteration of SHA-1 which is rather weak. The ASP.NET MVC4 template uses [http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity ASP.NET Identity] instead of ASP.NET Membership, and ASP.NET Identity uses PBKDF2 by default, which is better. Review the OWASP [[Password Storage Cheat Sheet]] for more information. |
* Explicitly authorize resource requests. | * Explicitly authorize resource requests. | ||
* Leverage role based authorization using User.Identity.IsInRole. | * Leverage role based authorization using User.Identity.IsInRole. |
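Review bot: the new bullet on the "+" side mixes two messages, a recommendation to use the Membership and role providers and a warning that their default single-iteration SHA-1 password hashing is weak; consider splitting it so the actionable advice (prefer ASP.NET Identity's PBKDF2, or review password storage per the Password Storage Cheat Sheet) comes first rather than last.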
Revision as of 20:52, 19 November 2014
Last revision (mm/dd/yy): 11/19/2014

Introduction
This page intends to provide quick basic .NET security tips for developers.

The .NET Framework
The .NET Framework is Microsoft's principal platform for enterprise development. It is the supporting API for ASP.NET, Windows Desktop applications, Windows Communication Foundation services, SharePoint, Visual Studio Tools for Office and other technologies.

Updating the Framework
The .NET Framework is kept up-to-date by Microsoft with the Windows Update service. Developers do not normally need to run separate updates to the Framework. Windows Update can be accessed at Windows Update or from the Windows Update program on a Windows computer. Individual frameworks can be kept up to date using NuGet. As Visual Studio prompts for updates, build it into your lifecycle. Remember that third party libraries have to be updated separately and not all of them use NuGet. ELMAH, for instance, requires a separate update effort.

.NET Framework Guidance
The .NET Framework is the set of APIs that support an advanced type system, data, graphics, network, file handling and most of the rest of what is needed to write enterprise apps in the Microsoft ecosystem. It is a nearly ubiquitous library that is strong named and versioned at the assembly level.

Data Access
Encryption
General
ASP.NET Web Forms Guidance
ASP.NET Web Forms is the original browser-based application development API for the .NET framework, and is still the most common enterprise platform for web application development.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Binding ViewStateUserKey to the session makes the ViewState MAC
        // session-specific, so ViewState captured elsewhere cannot be replayed.
        ViewStateUserKey = Session.SessionID;
    }

If you don't use ViewState, then look to the default master page of the ASP.NET Web Forms default template for a manual anti-CSRF token using a double-submit cookie.

    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;

    protected void Page_Init(object sender, EventArgs e)
    {
        // The code below helps to protect against XSRF attacks
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        Guid requestCookieGuidValue;
        if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
        {
            // Use the Anti-XSRF token from the cookie
            _antiXsrfTokenValue = requestCookie.Value;
            Page.ViewStateUserKey = _antiXsrfTokenValue;
        }
        else
        {
            // Generate a new Anti-XSRF token and save to the cookie
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
            Page.ViewStateUserKey = _antiXsrfTokenValue;

            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                HttpOnly = true,
                Value = _antiXsrfTokenValue
            };
            if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
            {
                responseCookie.Secure = true;
            }
            Response.Cookies.Set(responseCookie);
        }

        Page.PreLoad += master_Page_PreLoad;
    }

    protected void master_Page_PreLoad(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Set Anti-XSRF token
            ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
            ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
        }
        else
        {
            // Validate the Anti-XSRF token: both the ViewState copy and the
            // cookie copy must match, and the user must be the one who loaded the form
            if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
            {
                throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
            }
        }
    }
<httpRuntime enableVersionHeader="false" />
HttpContext.Current.Response.Headers.Remove("Server");
HTTP validation and encoding
Forms authentication
ASP.NET MVC Guidance
ASP.NET MVC (Model-View-Controller) is a contemporary web application framework that uses more standardized HTTP communication than the Web Forms postback model.
MvcHandler.DisableMvcResponseHeader = true;
HttpContext.Current.Response.Headers.Remove("Server");
    if (MembershipService.ValidateUser(model.UserName, model.Password))
    {
        FormsService.SignIn(model.UserName, model.RememberMe);
        // Only follow returnUrl when it points back into this site; an
        // absolute URL here would turn the login page into an open redirect.
        if (IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        else
        {
            return RedirectToAction("Index", "Home");
        }
    }
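The IsLocalUrl check is what makes the snippet above safe, so here is an added example of such a check (my code, not the cheat sheet's or the MVC template's own helper) covering the return-URL shapes a same-site filter has to reject; the class and method names are assumptions.

```csharp
using System;

// Added example: a same-site check for a returnUrl parameter, in the style of
// the ASP.NET MVC login template. Only path-relative URLs are accepted, so the
// post-login redirect can never leave this application's origin.
public static class ReturnUrlChecks
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        // A single leading "/" is a path on this site...
        if (url[0] == '/')
        {
            if (url.Length == 1)
                return true;
            // ...but "//host" is protocol-relative, and browsers treat "/\host"
            // the same way, so both would redirect to another origin.
            return url[1] != '/' && url[1] != '\\';
        }

        // "~/path" is application-relative; reject "~//host" and "~/\host" likewise.
        if (url.Length > 1 && url[0] == '~' && url[1] == '/')
        {
            if (url.Length == 2)
                return true;
            return url[2] != '/' && url[2] != '\\';
        }

        // Absolute URLs (http://, https://, javascript:) and bare hostnames are rejected.
        return false;
    }

    public static void Main()
    {
        // Constructed sample inputs: the first and fifth are local, the rest are not.
        string[] samples = { "/Home/Index", "//evil.example/phish", "/\\evil.example",
                             "http://evil.example/", "~/Account/Manage", "" };
        foreach (var s in samples)
            Console.WriteLine($"{s,-24} local={IsLocalUrl(s)}");
    }
}
```

ASP.NET MVC 3 and later expose an equivalent check as Url.IsLocalUrl on UrlHelper; prefer the framework's version over a hand-written one where it is available.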
    <% using (Html.BeginForm("Update", "Form")) { %>
        <%= Html.AntiForgeryToken() %>
    <% } %>

and on the controller method:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ViewResult Update()
    {
        // gimmee da codez
        return View();
    }
XAML Guidance
Windows Forms Guidance
WCF Guidance
Authors and Primary Editors
Bill Sempf - bill.sempf(at)owasp.org