ASP.net { or any web application } security
Hi all,

I'm wondering how I can prevent this scenario: I have an ASP.NET application, not using any kind of ASP.NET security model [neither Windows nor Forms Auth]. A client can save a complete copy of the web site locally, change any JavaScript function, then change the Action attribute in the form tag to point to the same page again, and it will submit.

My question is: I want my web site to be accessed only through my own web site's links or requests. I don't want to accept the previous scenario, and I also don't want to accept any custom HTTP request that comes from outside my internal web site. I can't depend on the HTTP Referer, because it can easily be changed through HTTP sniffing tools or packet editor tools. Any advice???

Bashar
Re: ASP.net { or any web application } security
Well - you could generate one-time IDs that are only valid for a short period of time - you could append these to links as a query string. An HttpModule could check the appended IDs for validity...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Re: ASP.net { or any web application } security
hi Dominick

Thanks for your reply. I already thought of your idea, which produces a token and an expiry time, but I don't think this will solve the problem. For example, you set the expiry as 1 min for every request; then the hacker can save the HTML, replace whatever he wants within 1 min, and submit it back. You got me? Also, think of big and huge forms to fill: the user may not finish filling the forms within that expiry time, so his submit will fail!

By the way, I have another question for you, as a security expert: can any tool, or application, or technology, etc. change the "HTTP Referer" for any HTTP request header??

Thanks in advance
Bashar
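Dominick's one-time-ID suggestion and Bashar's two objections (a saved copy edited and resubmitted inside the window, and a long form that outlives the expiry) can be made concrete with an HMAC-signed, session-bound, single-use form token. The C# below is an added example for this thread, not code from either poster or from Dominick's book; the `FormToken` class, its method names, the inline secret, the time values and the session ids are all constructed for the illustration, and the token is assumed to travel in a hidden form field that the server checks on every POST.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not code from the thread): issues expiring, single-use
// form tokens bound to the visitor's session and to a form name, and checks
// them on postback. An HttpModule (after session state is acquired) or a page
// could call Validate() for every POST before any handler runs.
public static class FormToken
{
    // Assumed server-side secret. Load it from protected configuration in a
    // real deployment; it is inline here only so the sample runs stand-alone.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("constructed-sample-secret-change-me");

    // Tokens already accepted. Rejecting a second use means a saved copy of
    // the page cannot be replayed once its token has been spent.
    private static readonly ConcurrentDictionary<string, DateTime> Used =
        new ConcurrentDictionary<string, DateTime>();

    public static string Issue(string sessionId, string formName, DateTime issuedUtc)
    {
        byte[] nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(nonce);
        }
        // Payload: session|form|issued-ticks|nonce. Base64 never contains '.',
        // so '.' is a safe separator between the payload and its MAC.
        // A '|' inside sessionId would only make the field count mismatch.
        string payload = string.Join("|", new[]
        {
            sessionId, formName, issuedUtc.Ticks.ToString(), Convert.ToBase64String(nonce)
        });
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." + Mac(payload);
    }

    public static bool Validate(string token, string sessionId, string formName,
                                DateTime nowUtc, TimeSpan maxAge)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        string payload;
        try
        {
            payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        }
        catch (FormatException)
        {
            return false;
        }

        // MAC first: any edit to session, form name or timestamp breaks it.
        if (!FixedTimeEquals(Mac(payload), parts[1])) return false;

        string[] fields = payload.Split('|');
        if (fields.Length != 4) return false;
        if (fields[0] != sessionId || fields[1] != formName) return false;

        long ticks;
        if (!long.TryParse(fields[2], out ticks)) return false;
        TimeSpan age = nowUtc - new DateTime(ticks, DateTimeKind.Utc);
        if (age < TimeSpan.Zero || age > maxAge) return false;

        // Single use: the first acceptance wins, a second submit of the same
        // token fails even though it is otherwise well-formed and unexpired.
        Purge(nowUtc, maxAge);
        return Used.TryAdd(token, nowUtc);
    }

    private static string Mac(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Constant-time comparison so the MAC check does not leak via timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Drop spent tokens older than maxAge; they could not validate anyway.
    private static void Purge(DateTime nowUtc, TimeSpan maxAge)
    {
        foreach (var entry in Used)
        {
            if (nowUtc - entry.Value > maxAge)
            {
                DateTime ignored;
                Used.TryRemove(entry.Key, out ignored);
            }
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed clock and sessions for the walk-through.
        DateTime t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        TimeSpan maxAge = TimeSpan.FromMinutes(30); // generous enough for a long form

        string token = FormToken.Issue("sess-A", "order-form", t0);
        Console.WriteLine("fresh token, same session:   "
            + FormToken.Validate(token, "sess-A", "order-form", t0.AddMinutes(5), maxAge));
        Console.WriteLine("same token submitted again:  "
            + FormToken.Validate(token, "sess-A", "order-form", t0.AddMinutes(6), maxAge));

        string token2 = FormToken.Issue("sess-A", "order-form", t0);
        Console.WriteLine("token from another session:  "
            + FormToken.Validate(token2, "sess-B", "order-form", t0.AddMinutes(5), maxAge));
        Console.WriteLine("token past maxAge:           "
            + FormToken.Validate(token2, "sess-A", "order-form", t0.AddMinutes(31), maxAge));

        string tampered = token2.Substring(0, token2.Length - 1)
            + (token2.EndsWith("0") ? "1" : "0");
        Console.WriteLine("token with one MAC byte edited: "
            + FormToken.Validate(tampered, "sess-A", "order-form", t0.AddMinutes(5), maxAge));
    }
}
```

What the token proves is narrow: the request carries a form the server issued to this session, within `maxAge`, and that form has not been submitted before. It does not stop the legitimate visitor from editing field values in his own saved copy, so every posted field still has to be validated on the server as if it came from an untrusted client. That also answers the expiry objection: because the token is bound to the session rather than to a short window, `maxAge` can be as long as the form realistically takes to fill in. In ASP.NET the token would be written into a hidden field when the page renders and read back from `Request.Form` either in `Page_Load` or in an HttpModule handler that runs once session state is available (`PostAcquireRequestState`).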
Re: ASP.net { or any web application } security
> By the way, I have another question for you, as a security expert: can
> any tool, or application, or technology, etc. change the "HTTP
> Referer" for any HTTP request header??

what do you mean?

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Re: ASP.net { or any web application } security
What I mean is: do you know the "Referer" key in any HTTP header? It tells the server from which URI that request was redirected. For example, you are on Page1.aspx and click on a link that will navigate you to Page2.aspx. Check Request.Headers["Referer"] in the load event of Page2.aspx, and you find the value of the URI Page1.aspx. In that way you can detect where your requests are coming from: from inside your application, or from other sites or local copies.

My question is, can the attacker change this Referer manually so he can fake this validation? Like what happens in phishing, for example.

I hope this was clear.
Re: ASP.net { or any web application } security
Hi,

yes this is easily possible - have a look at www.fiddlertool.com

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)