Beefing up Security in ASP.NET Part 2 - Dot Net Bangalore 4th meet up on August 08 2015
Devouring Security
Marudhamaran Gunasekaran (@gmaran23)
Beefing up Security in ASP.NET, Part 2
Dot Net Bangalore 4th meet up, August 08 2015 @ Prowareness, Bangalore
Part 1: Screen recording https://vimeo.com/gmaran23/beefingupsecurityinaspdotnet Slides http://www.slideshare.net/gmaran23/beefing-up-security-in-aspnet-dot-net-bangalore
Part 2 (this presentation): Screen recording https://vimeo.com/gmaran23/beefingupsecurityinaspdotnetpart2
Controlling HTTP requests size or leaving it to default
<system.web> <httpRuntime maxRequestLength="4096"/> </system.web>
• Leave it at the default of 4 MB (maxRequestLength is in KB, so 4096 = 4 MB)
• Or be aware of the consequences of adjusting the size
Securing the __VIEWSTATE
<pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always" />
Leave useUnsafeHeaderParsing to default
<system.net> <settings> <httpWebRequest useUnsafeHeaderParsing="false"/> </settings> </system.net>
Protection from invalid HTTP requests
Beefing up Forms Authentication
<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" /></authentication>
• A shorter timeout is more secure
Beefing up Forms Authentication
<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies"/></authentication>
• Use cookies, not the URI, to carry the authentication information
Beefing up Forms Authentication
<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious"/></authentication>
• Obscure the name of the authentication cookie (the default is .ASPXAUTH)
Beefing up Forms Authentication
<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious" requireSSL="true" /></authentication>
• Send authentication information only over SSL
Beefing up Forms Authentication
<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious" requireSSL="true" slidingExpiration="false"/></authentication>
• When the timeout expires, require re-authentication
Beefing up Forms Authentication
<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious" requireSSL="true" slidingExpiration="false" protection="All" /></authentication>
• Protect the ticket with both validation (MAC) and encryption
Password policies within Membership
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <add name="SqlProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="DefaultConnection"
         applicationName="SqliModernApp"
         enablePasswordRetrieval="false"
         passwordFormat="Hashed"
         minRequiredPasswordLength="7"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="30"
         minRequiredNonAlphanumericCharacters="1"/>
  </providers>
</membership>
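Added example, not part of the talk: a small Python model of what the membership attribute values on the slide actually enforce. The numbers are the slide's values; the attempt-window logic is an approximation of SqlMembershipProvider behaviour written here for illustration (failures within passwordAttemptWindow minutes of the previous failure accumulate, a later failure restarts the count, and reaching maxInvalidPasswordAttempts locks the account), not the provider's own code.

```python
# Added example (not from the talk): a Python model of how the membership
# settings on the slide constrain passwords and failed logins. The numbers are
# the slide's attribute values; the attempt-window logic is an approximation
# of SqlMembershipProvider behaviour written for illustration, not its code.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values taken from the slide's <add name="SqlProvider" .../> element.
MIN_REQUIRED_PASSWORD_LENGTH = 7          # minRequiredPasswordLength
MIN_REQUIRED_NON_ALPHANUMERIC = 1         # minRequiredNonAlphanumericCharacters
MAX_INVALID_PASSWORD_ATTEMPTS = 5         # maxInvalidPasswordAttempts
PASSWORD_ATTEMPT_WINDOW_MINUTES = 30      # passwordAttemptWindow


def password_meets_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_REQUIRED_PASSWORD_LENGTH:
        problems.append(
            f"length {len(password)} < minRequiredPasswordLength={MIN_REQUIRED_PASSWORD_LENGTH}")
    non_alnum = sum(1 for c in password if not c.isalnum())
    if non_alnum < MIN_REQUIRED_NON_ALPHANUMERIC:
        problems.append(
            f"{non_alnum} non-alphanumeric chars < minRequiredNonAlphanumericCharacters="
            f"{MIN_REQUIRED_NON_ALPHANUMERIC}")
    return problems


@dataclass
class AccountState:
    failed_attempts: int = 0
    last_failure_minute: Optional[int] = None   # minutes since an arbitrary epoch
    locked_out: bool = False


class LockoutTracker:
    """Failed logins within passwordAttemptWindow of the previous failure
    accumulate; a failure outside the window restarts the count at 1; reaching
    maxInvalidPasswordAttempts locks the account until it is unlocked."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def record_failure(self, user: str, minute: int) -> AccountState:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_out:
            return st
        in_window = (st.last_failure_minute is not None
                     and minute - st.last_failure_minute <= PASSWORD_ATTEMPT_WINDOW_MINUTES)
        st.failed_attempts = st.failed_attempts + 1 if in_window else 1
        st.last_failure_minute = minute
        if st.failed_attempts >= MAX_INVALID_PASSWORD_ATTEMPTS:
            st.locked_out = True
        return st

    def is_locked_out(self, user: str) -> bool:
        return self.accounts.get(user, AccountState()).locked_out


def simulate_failures_at_minutes(minutes: List[int], user: str = "alice") -> bool:
    """Replay wrong-password attempts at the given minute offsets; True if locked out."""
    tracker = LockoutTracker()
    for m in minutes:
        tracker.record_failure(user, m)
    return tracker.is_locked_out(user)


if __name__ == "__main__":
    print(password_meets_policy("abc"))                    # two violations
    print(simulate_failures_at_minutes([0, 1, 2, 3, 4]))   # True: 5 failures inside 30 min
    print(simulate_failures_at_minutes([0, 1, 2, 3, 40]))  # False: the window reset the count
```

The point of the replay helper is to see why the two lockout attributes belong together: maxInvalidPasswordAttempts alone caps nothing unless passwordAttemptWindow bounds the period over which the failures are counted.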
Protecting Sensitive Configurations
• Web.config protection – single server deployment - https://msdn.microsoft.com/en-us/library/ms998280.aspx
aspnet_regiis.exe -pef "connectionStrings" C:\WebDirRootFolder -prov "DataProtectionConfigurationProvider"
Protecting Sensitive Configurations
• Web.config protection – web farm deployment - https://msdn.microsoft.com/en-us/library/ff650304.aspx
aspnet_regiis.exe -pef "connectionStrings" C:\WebDirRootFolder
Protecting Sensitive Configurations
• RSA-based web.config encryption: how to synchronize (export and import) the key pairs across the farm
• https://msdn.microsoft.com/en-us/library/ff650304.aspx#paght000006_webfarmscenarios
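Added example, not part of the talk: a Python audit that parses a web.config and reports every setting that diverges from the hardened values shown on the preceding slides (request size, __VIEWSTATE, unsafe header parsing, forms authentication, membership) and whether the connectionStrings section has been encrypted with aspnet_regiis. Both sample configs are constructed for this example; the defaults assumed when an attribute is absent are the documented ASP.NET 4.x defaults, and the encrypted connectionStrings body is shown only in outline.

```python
# Added example (not from the talk): a Python audit of a web.config that
# flags settings diverging from the hardened values shown on the slides.
# Both sample configs below are constructed for this example; defaults used
# when an attribute is absent are the documented ASP.NET 4.x defaults.
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed weak config: everything the slides warn about, in one file.
WEAK_CONFIG = """<configuration>
  <connectionStrings>
    <add name="DefaultConnection" connectionString="Server=.;Database=app;User Id=app;Password=PLACEHOLDER"/>
  </connectionStrings>
  <system.web>
    <httpRuntime maxRequestLength="1048576"/>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never"/>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" cookieless="UseUri" slidingExpiration="true"/>
    </authentication>
    <membership defaultProvider="SqlProvider"><providers>
      <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
           enablePasswordRetrieval="true" passwordFormat="Clear" minRequiredPasswordLength="4"/>
    </providers></membership>
  </system.web>
  <system.net><settings><httpWebRequest useUnsafeHeaderParsing="true"/></settings></system.net>
</configuration>"""

# Constructed hardened config using the slides' values; the connectionStrings
# element is the shape aspnet_regiis -pef leaves behind (ciphertext omitted).
HARDENED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><!-- ciphertext produced by aspnet_regiis, omitted --></EncryptedData>
  </connectionStrings>
  <system.web>
    <httpRuntime maxRequestLength="4096"/>
    <pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always"/>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious"
             requireSSL="true" slidingExpiration="false" protection="All"/>
    </authentication>
    <membership defaultProvider="SqlProvider"><providers>
      <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
           enablePasswordRetrieval="false" passwordFormat="Hashed" minRequiredPasswordLength="7"/>
    </providers></membership>
  </system.web>
  <system.net><settings><httpWebRequest useUnsafeHeaderParsing="false"/></settings></system.net>
</configuration>"""


def _attr(elem: Optional[ET.Element], name: str, default: str) -> str:
    """Attribute value, or the documented default when element or attribute is absent."""
    return default if elem is None else elem.get(name, default)


def audit_web_config(xml_text: str) -> List[str]:
    """Return one finding per setting that is weaker than the slides recommend."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    cs = root.find("connectionStrings")
    if cs is not None and cs.get("configProtectionProvider") is None:
        findings.append("connectionStrings is clear text; encrypt with aspnet_regiis -pef")
    rt = root.find("system.web/httpRuntime")
    if int(_attr(rt, "maxRequestLength", "4096")) > 4096:
        findings.append("httpRuntime maxRequestLength exceeds the 4 MB default")
    pg = root.find("system.web/pages")
    if _attr(pg, "enableViewStateMac", "true").lower() != "true":
        findings.append("pages enableViewStateMac is off")
    if _attr(pg, "viewStateEncryptionMode", "Auto").lower() != "always":
        findings.append("pages viewStateEncryptionMode is not Always")
    if _attr(pg, "enableEventValidation", "true").lower() != "true":
        findings.append("pages enableEventValidation is off")
    req = root.find("system.net/settings/httpWebRequest")
    if _attr(req, "useUnsafeHeaderParsing", "false").lower() == "true":
        findings.append("httpWebRequest useUnsafeHeaderParsing is on")
    auth = root.find("system.web/authentication")
    if auth is not None and auth.get("mode", "").lower() == "forms":
        f = auth.find("forms")
        if int(_attr(f, "timeout", "30")) > 120:
            findings.append("forms timeout is longer than the 120 minutes used in the talk")
        if _attr(f, "cookieless", "UseDeviceProfile").lower() != "usecookies":
            findings.append("forms cookieless is not UseCookies (ticket may travel in the URL)")
        if _attr(f, "name", ".ASPXAUTH") == ".ASPXAUTH":
            findings.append("forms cookie name is the default .ASPXAUTH")
        if _attr(f, "requireSSL", "false").lower() != "true":
            findings.append("forms requireSSL is off")
        if _attr(f, "slidingExpiration", "true").lower() != "false":
            findings.append("forms slidingExpiration is on")
        if _attr(f, "protection", "All").lower() != "all":
            findings.append("forms protection is not All")
    for p in root.findall("system.web/membership/providers/add"):
        if p.get("enablePasswordRetrieval", "false").lower() == "true":
            findings.append(f"membership {p.get('name')}: enablePasswordRetrieval is on")
        if p.get("passwordFormat", "Hashed").lower() != "hashed":
            findings.append(f"membership {p.get('name')}: passwordFormat is not Hashed")
        if int(p.get("minRequiredPasswordLength", "7")) < 7:
            findings.append(f"membership {p.get('name')}: minRequiredPasswordLength below 7")
    return findings
```

Running audit_web_config(WEAK_CONFIG) lists thirteen findings, one per weakened setting; audit_web_config(HARDENED_CONFIG) returns an empty list. Pointing it at a real web.config (open the file and pass its text) gives a quick pre-deployment check that the single-server and web-farm encryption steps above were actually applied, since an unencrypted section has no configProtectionProvider attribute.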
https://twitter.com/gmaran23
Topics: SQLi, XML, XSS, OWASP ZAP, ASP.NET Security
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Developer-focused talks: https://vimeo.com/gmaran23
1. https://renouncedthoughts.wordpress.com/2014/01/14/devouring-security-sql-injection-exploitation-and-prevention-part-1/
2. https://renouncedthoughts.wordpress.com/2014/02/07/devouring-security-sql-injection-exploitation-and-prevention-part-2/
3. https://renouncedthoughts.wordpress.com/2014/05/09/sql-injection-testing-for-qa-testers/
4. https://renouncedthoughts.wordpress.com/2014/05/09/devouring-security-xml-attack-surface-and-defenses/
5. https://renouncedthoughts.wordpress.com/2014/09/26/devouring-security-cross-site-scripting-xss/
6. https://renouncedthoughts.wordpress.com/2015/05/20/practical-security-testing-for-developers-using-owasp-zap-at-dot-net-bangalore-3rd-meet-up-on-feb-21-2015/