This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of ".NET Security Cheatsheet"

From OWASP
Jump to: navigation, search
(Added AuthZ.)
(Added the rest of Troy's Tyranny of Evil content.)
Line 8: Line 8:
 
===Updating the Framework===
 
===Updating the Framework===
 
The .NET Framework is kept up-to-date by Microsoft with the Windows Update service. Developers do not normally need to run seperate updates to the Framework. Windows update can be accessed at http://windowsupdate.microsoft.com/ or from the Windows Update program on a Windows computer.
 
The .NET Framework is kept up-to-date by Microsoft with the Windows Update service. Developers do not normally need to run seperate updates to the Framework. Windows update can be accessed at http://windowsupdate.microsoft.com/ or from the Windows Update program on a Windows computer.
 +
 +
Individual frameworks can be kept up to date using NuGet. As Visual Studio prompts for updates, build it into your lifecycle.
  
 
==.NET Framework Guidance==
 
==.NET Framework Guidance==
Line 19: Line 21:
 
* Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.
 
* Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.
 
* Apply the principle of least privilege when setting up the Database User in your database of choice. The database user should only be able to access items that make sense for the use case.
 
* Apply the principle of least privilege when setting up the Database User in your database of choice. The database user should only be able to access items that make sense for the use case.
 +
* Use an indirect reference map. Don't allow users to see the primary key of a database row.
 +
 +
=== Encryption ===
 +
* Never, ever write your own encryption.
 +
* When using a hashing function, use a salt value added to the original value before hashing.
 +
* Use a strong hash algorithm.
 +
** In .NET 4.5 the strongest hashing algorithm is System.Security.Cryptography.SHA512.
 +
** Make sure your application can support a change in algorithm.
  
 
=== General ===
 
=== General ===
  
 
* Always check the MD5 hashes of the .NET Framework assemblies to prevent the possibility of rootkits in the framework. Altered assemblies are possible and simple to produce. Checking the MD5 hashes will prevent using altered assemblies on a server or client machine.
 
* Always check the MD5 hashes of the .NET Framework assemblies to prevent the possibility of rootkits in the framework. Altered assemblies are possible and simple to produce. Checking the MD5 hashes will prevent using altered assemblies on a server or client machine.
 +
* Lock down the config file.
 +
** Remove all aspects of configuration that are not in use.
 +
** Encrypt sensitive parts of the web.config using aspnet_regiis -pe
  
 
==ASP.NET Web Forms Guidance==
 
==ASP.NET Web Forms Guidance==
Line 28: Line 41:
 
ASP.NET Web Forms is the original browser-based application development API for the .NET framework, and is still the most common line of business platform the web application development.
 
ASP.NET Web Forms is the original browser-based application development API for the .NET framework, and is still the most common line of business platform the web application development.
  
=== Cross site scripting ===
+
* Always use HTTPS.
 +
 
 +
=== HTTP validation and encoding ===
  
 
* Do not disable validateRequest in the web.config or the page setup. This value enables the AntiXSS library in ASP.NET and should be left intact to present cross site scripting.
 
* Do not disable validateRequest in the web.config or the page setup. This value enables the AntiXSS library in ASP.NET and should be left intact to present cross site scripting.
 
* Whitelist allowable values anytime user input is accepted. The regex namespace is particularly useful for checking to make sure an email address or URI is as expected.
 
* Whitelist allowable values anytime user input is accepted. The regex namespace is particularly useful for checking to make sure an email address or URI is as expected.
 
* Always encode output to the browser using Server.HtmlEncode.
 
* Always encode output to the browser using Server.HtmlEncode.
 +
* Validate the URI format using Uri.IsWellFormedUriString.
  
 
=== Authorization and authentication ===
 
=== Authorization and authentication ===
  
* Use cookies for persistence when possible. Cookieless Auth will default to UseDeviceProfile
+
* Use cookies for persistence when possible. Cookieless Auth will default to UseDeviceProfile.
 
* Don't trust the URI of the request for persistence of the session or authorization. It can be easily faked.
 
* Don't trust the URI of the request for persistence of the session or authorization. It can be easily faked.
 
* Reduce the session time from the default of 20 minutes. If slidingExpiration is used this timeout starts after the last request, so active users won't be affected.
 
* Reduce the session time from the default of 20 minutes. If slidingExpiration is used this timeout starts after the last request, so active users won't be affected.
 
* If you don't require SSL, disable slidingExpiration.  
 
* If you don't require SSL, disable slidingExpiration.  
 +
* Always implement proper access controls.
 +
** Compare user provided username with User.Identity.Name.
 +
** Check roles against User.Identity.IsInRole.
 +
* Use the native membership provider.
 +
* Explicitly authorize resource requests, using User.Identity.Name.
 +
* Leverage role based authorization using User.Identity.IsInRole.
  
 +
==ASP.NET MVC Guidance==
  
 +
ASP.NET MVC is the new hotness from Microsoft, employing the popular MVC pattern used by frameworks like Ruby on Rails.
  
 
+
* Always use HTTPS.
==ASP.NET MVC Guidance==
+
* Use the Syncronizer token pattern. In Web Forms, this is handled by ViewState, but in MVC you need to use ValidateAntiForgeryToken.
 +
* Decorate controller methods using PrincipalPermission to prevent unrestricted URL access.
  
 
==XAML Guidance==
 
==XAML Guidance==
Line 51: Line 76:
  
 
==WCF Guidance==
 
==WCF Guidance==
 +
 +
* Always use HTTPS.
  
 
== Authors and Primary Editors  ==
 
== Authors and Primary Editors  ==

Revision as of 01:55, 21 November 2012

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This page intends to provide quick basic .NET security tips for developers.

The .NET Framework

The .NET Framework is Microsoft's principal platform for line of business development. It is the supporting API for ASP.NET, Windows Desktop applications, Windows Communication Foundation services, SharePoint, Visual Studio Tools for Office and other technologies.

Updating the Framework

The .NET Framework is kept up-to-date by Microsoft with the Windows Update service. Developers do not normally need to run seperate updates to the Framework. Windows update can be accessed at http://windowsupdate.microsoft.com/ or from the Windows Update program on a Windows computer.

Individual frameworks can be kept up to date using NuGet. As Visual Studio prompts for updates, build it into your lifecycle.

.NET Framework Guidance

The .NET Framework is the set of APIs that support an advanced type system, data, graphics, network, file handling and most of the rest of what is needed to write line of business apps in the Microsoft ecosystem. It is a nearly ubiquitous library that is strong named and versioned at the assembly level.

Data Access

  • Use Parameterized SQL commands for all data access, without exception.
  • Do not use SqlCommand with a string parameter made up of a concatenated SQL String.
  • Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.
  • Apply the principle of least privilege when setting up the Database User in your database of choice. The database user should only be able to access items that make sense for the use case.
  • Use an indirect reference map. Don't allow users to see the primary key of a database row.

Encryption

  • Never, ever write your own encryption.
  • When using a hashing function, use a salt value added to the original value before hashing.
  • Use a strong hash algorithm.
    • In .NET 4.5 the strongest hashing algorithm is System.Security.Cryptography.SHA512.
    • Make sure your application can support a change in algorithm.

General

  • Always check the MD5 hashes of the .NET Framework assemblies to prevent the possibility of rootkits in the framework. Altered assemblies are possible and simple to produce. Checking the MD5 hashes will prevent using altered assemblies on a server or client machine.
  • Lock down the config file.
    • Remove all aspects of configuration that are not in use.
    • Encrypt sensitive parts of the web.config using aspnet_regiis -pe

ASP.NET Web Forms Guidance

ASP.NET Web Forms is the original browser-based application development API for the .NET framework, and is still the most common line of business platform the web application development.

  • Always use HTTPS.

HTTP validation and encoding

  • Do not disable validateRequest in the web.config or the page setup. This value enables the AntiXSS library in ASP.NET and should be left intact to present cross site scripting.
  • Whitelist allowable values anytime user input is accepted. The regex namespace is particularly useful for checking to make sure an email address or URI is as expected.
  • Always encode output to the browser using Server.HtmlEncode.
  • Validate the URI format using Uri.IsWellFormedUriString.

Authorization and authentication

  • Use cookies for persistence when possible. Cookieless Auth will default to UseDeviceProfile.
  • Don't trust the URI of the request for persistence of the session or authorization. It can be easily faked.
  • Reduce the session time from the default of 20 minutes. If slidingExpiration is used this timeout starts after the last request, so active users won't be affected.
  • If you don't require SSL, disable slidingExpiration.
  • Always implement proper access controls.
    • Compare user provided username with User.Identity.Name.
    • Check roles against User.Identity.IsInRole.
  • Use the native membership provider.
  • Explicitly authorize resource requests, using User.Identity.Name.
  • Leverage role based authorization using User.Identity.IsInRole.

ASP.NET MVC Guidance

ASP.NET MVC is the new hotness from Microsoft, employing the popular MVC pattern used by frameworks like Ruby on Rails.

  • Always use HTTPS.
  • Use the Syncronizer token pattern. In Web Forms, this is handled by ViewState, but in MVC you need to use ValidateAntiForgeryToken.
  • Decorate controller methods using PrincipalPermission to prevent unrestricted URL access.

XAML Guidance

Windows Forms Guidance

WCF Guidance

  • Always use HTTPS.

Authors and Primary Editors

Troy Hunt - troyhunt [at] hotmail.com
Bill Sempf - bill [at] pointweb.net
Patrick Leclerc - patrick.leclerc [at] owasp.org
Jerry Hoff - jerry.hoff [at] owasp.org


Other Cheatsheets

OWASP Cheat Sheets Project Homepage


V - T - E Cheat Sheets
Developer / Builder
Assessment / Breaker
Mobile
OpSec / Defender
Draft and Beta
All Pages In This Category
Retrieved from "https://wiki.owasp.org/index.php?title=.NET_Security_Cheatsheet&oldid=139975"