Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Security overview

Reply
Thread Tools

Security overview

 
 
Arturo Buonanni
Guest
Posts: n/a
 
      03-17-2006
I'm a programmer new to ASP.NET and web development in general.

I'm going to code a web application and I'm concerned about the
security issues that arise on this field (that's new to me).

I'm using VWD2005 Express Ed. and I've read the online help about
security.

Now I've a doubt about one thing. The online help states that you have
to validate every user input against script exploit and SQL injection
and that's quite fair. But it also states that ASP.NET validates every
"request" against potentially harmfull values (ie. scripts).
Now, if ASP.NET doesn't allows dangerous values in the request for
pages, how can one use scrips exploit? Why code against script expliot
in every page if dangelous values are not meant to ever reach the page?

I'm new to web development as I've said so I'm probably missing
something and I'd like to know what it is.

Thanks.
 
Reply With Quote
 
 
 
 
Paolo De Nictolis, Eng. [441410]
Guest
Posts: n/a
 
      03-17-2006
Hi Arturo,
please check AntiXSS Library:
http://www.programmazione.it/index.p...m&idItem=33147.

Paolo





"Arturo Buonanni" <(E-Mail Removed)> wrote in
message news:Xns97899EE018350Arturo.Buonanni@207.46.248.16 ...
> I'm a programmer new to ASP.NET and web development in general.
>
> I'm going to code a web application and I'm concerned about the
> security issues that arise on this field (that's new to me).
>
> I'm using VWD2005 Express Ed. and I've read the online help about
> security.
>
> Now I've a doubt about one thing. The online help states that you have
> to validate every user input against script exploit and SQL injection
> and that's quite fair. But it also states that ASP.NET validates every
> "request" against potentially harmfull values (ie. scripts).
> Now, if ASP.NET doesn't allows dangerous values in the request for
> pages, how can one use scrips exploit? Why code against script expliot
> in every page if dangelous values are not meant to ever reach the page?
>
> I'm new to web development as I've said so I'm probably missing
> something and I'd like to know what it is.
>
> Thanks.



 
Reply With Quote
 
 
 
 
Arturo Buonanni
Guest
Posts: n/a
 
      03-20-2006
Hi Paolo,

Thanks for your reply.

I foud the article very interesting but it failed to answer my former
question.
For what I understand XSS attack consist in the attacker redirecting a
visitor to a victim web site while inserting his own script in a field
(hidden on unnoticed) of the web site so that when user interacts with
the web site the code is executed.

If this is correct then my question rise again. If the ASP.NET
framework validate all form's fields input for harmfull values (let's
says script identifiers) how can be the attacker's code executed?

That's my point.

From what I read form the article it seems that the ASP.NET protection
could be faulty being based in "black lists" instead of "white lists"
and being so unable to handle new script identifiers of new harmfull
code. Is that the reason?

Anyway I still don't understand why MS advise you in the online help to
validate all user input against special carachters if the ASP.NET
framework already does it. In this way they are covertly saying that
the ASP.NET protection doesn't always works.

I'm still a bit confused about this.

Paolo De Nictolis, Eng. [441410] wrote:

> Hi Arturo,
> please check AntiXSS Library:
> http://www.programmazione.it/index.p...m&idItem=33147.
>
> Paolo
>
>
>
>
>
> "Arturo Buonanni" <(E-Mail Removed)>
> wrote in message
> news:Xns97899EE018350Arturo.Buonanni@207.46.248.16 ...
>> I'm a programmer new to ASP.NET and web development in general.
>>
>> I'm going to code a web application and I'm concerned about the
>> security issues that arise on this field (that's new to me).
>>
>> I'm using VWD2005 Express Ed. and I've read the online help about
>> security.
>>
>> Now I've a doubt about one thing. The online help states that you
>> have to validate every user input against script exploit and SQL
>> injection and that's quite fair. But it also states that ASP.NET
>> validates every "request" against potentially harmfull values
>> (ie. scripts). Now, if ASP.NET doesn't allows dangerous values in
>> the request for pages, how can one use scrips exploit? Why code
>> against script expliot in every page if dangelous values are not
>> meant to ever reach the page?
>>
>> I'm new to web development as I've said so I'm probably missing
>> something and I'd like to know what it is.
>>
>> Thanks.

>
>
>


 
Reply With Quote
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      03-20-2006
hi,

reasons are

a) black vs. white listing
b) the ValidateRequest feature was bugged in the past - don't rely on it
c) only the most obvious characters are blocked, like '<' otherwise there
would be too many false positives
d) you may need to accept characters which are considere illegal - and you
have to turn off the automatic validation
e) does not find more subtle attacks

ValidateRequest is a defense-in-depth measure meant to augment *not* replace
input validation.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Paolo,
>
> Thanks for your reply.
>
> I foud the article very interesting but it failed to answer my former
> question.
> For what I understand XSS attack consist in the attacker redirecting a
> visitor to a victim web site while inserting his own script in a field
> (hidden on unnoticed) of the web site so that when user interacts with
> the web site the code is executed.
> If this is correct then my question rise again. If the ASP.NET
> framework validate all form's fields input for harmfull values (let's
> says script identifiers) how can be the attacker's code executed?
>
> That's my point.
>
> From what I read form the article it seems that the ASP.NET protection
> could be faulty being based in "black lists" instead of "white lists"
> and being so unable to handle new script identifiers of new harmfull
> code. Is that the reason?
>
> Anyway I still don't understand why MS advise you in the online help
> to validate all user input against special carachters if the ASP.NET
> framework already does it. In this way they are covertly saying that
> the ASP.NET protection doesn't always works.
>
> I'm still a bit confused about this.
>
> Paolo De Nictolis, Eng. [441410] wrote:
>
>> Hi Arturo,
>> please check AntiXSS Library:
>> http://www.programmazione.it/index.p...m&idItem=33147.
>> Paolo
>>
>> "Arturo Buonanni" <(E-Mail Removed)>
>> wrote in message
>> news:Xns97899EE018350Arturo.Buonanni@207.46.248.16 ...
>>
>>> I'm a programmer new to ASP.NET and web development in general.
>>>
>>> I'm going to code a web application and I'm concerned about the
>>> security issues that arise on this field (that's new to me).
>>>
>>> I'm using VWD2005 Express Ed. and I've read the online help about
>>> security.
>>>
>>> Now I've a doubt about one thing. The online help states that you
>>> have to validate every user input against script exploit and SQL
>>> injection and that's quite fair. But it also states that ASP.NET
>>> validates every "request" against potentially harmfull values (ie.
>>> scripts). Now, if ASP.NET doesn't allows dangerous values in the
>>> request for pages, how can one use scrips exploit? Why code against
>>> script expliot in every page if dangelous values are not meant to
>>> ever reach the page?
>>>
>>> I'm new to web development as I've said so I'm probably missing
>>> something and I'd like to know what it is.
>>>
>>> Thanks.
>>>



 
Reply With Quote
 
Arturo Buonanni
Guest
Posts: n/a
 
      03-20-2006
Ok, so it seems that the ASP.NET protection against malicius code is
just a basic one that need to be enanched with coder work.

Given that I've no need to allow any HTML tag and that my users only
need to input plain text, would HTMLEncode() and URLEncode() be enough
for this?

Are there any other countermeasure that must be omplemented in order to
build a secure site (apart from authentication and authorization that
I give as assumptions)?

Dominick Baier [DevelopMentor] wrote:

> hi,
>
> reasons are
>
> a) black vs. white listing
> b) the ValidateRequest feature was bugged in the past - don't rely
> on it
> c) only the most obvious characters are blocked, like '<'
> otherwise there would be too many false positives
> d) you may need to accept characters which are considere illegal -
> and you have to turn off the automatic validation
> e) does not find more subtle attacks
>
> ValidateRequest is a defense-in-depth measure meant to augment
> *not* replace input validation.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Hi Paolo,
>>
>> Thanks for your reply.
>>
>> I foud the article very interesting but it failed to answer my
>> former question.
>> For what I understand XSS attack consist in the attacker
>> redirecting a visitor to a victim web site while inserting his
>> own script in a field (hidden on unnoticed) of the web site so
>> that when user interacts with the web site the code is executed.
>> If this is correct then my question rise again. If the ASP.NET
>> framework validate all form's fields input for harmfull values
>> (let's says script identifiers) how can be the attacker's code
>> executed?
>>
>> That's my point.
>>
>> From what I read form the article it seems that the ASP.NET
>> protection could be faulty being based in "black lists" instead
>> of "white lists" and being so unable to handle new script
>> identifiers of new harmfull code. Is that the reason?
>>
>> Anyway I still don't understand why MS advise you in the online
>> help to validate all user input against special carachters if the
>> ASP.NET framework already does it. In this way they are covertly
>> saying that the ASP.NET protection doesn't always works.
>>
>> I'm still a bit confused about this.
>>
>> Paolo De Nictolis, Eng. [441410] wrote:
>>
>>> Hi Arturo,
>>> please check AntiXSS Library:
>>> http://www.programmazione.it/index.p...m&idItem=33147.
>>> Paolo
>>>
>>> "Arturo Buonanni"
>>> <(E-Mail Removed)> wrote in message
>>> news:Xns97899EE018350Arturo.Buonanni@207.46.248.16 ...
>>>
>>>> I'm a programmer new to ASP.NET and web development in general.
>>>>
>>>> I'm going to code a web application and I'm concerned about the
>>>> security issues that arise on this field (that's new to me).
>>>>
>>>> I'm using VWD2005 Express Ed. and I've read the online help
>>>> about security.
>>>>
>>>> Now I've a doubt about one thing. The online help states that
>>>> you have to validate every user input against script exploit
>>>> and SQL injection and that's quite fair. But it also states
>>>> that ASP.NET validates every "request" against potentially
>>>> harmfull values (ie. scripts). Now, if ASP.NET doesn't allows
>>>> dangerous values in the request for pages, how can one use
>>>> scrips exploit? Why code against script expliot in every page
>>>> if dangelous values are not meant to ever reach the page?
>>>>
>>>> I'm new to web development as I've said so I'm probably missing
>>>> something and I'd like to know what it is.
>>>>
>>>> Thanks.
>>>>

>
>


 
Reply With Quote
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      03-20-2006
hi,

building secure sites is not only about throwing in some counter measure
- it is a combination of

- Threat Modeling leading to

- prevention
- detection
- reaction

good input validation is a prereq - but there is more

auth & authZ, least privilege, server hardening, error handling, logging
& instrumentation, data & communication protection etc...

HtmlEncode is OK if you are emitting the output to HTML - if you are concatenating
input into script blocks - this won't help you.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Ok, so it seems that the ASP.NET protection against malicius code is
> just a basic one that need to be enanched with coder work.
>
> Given that I've no need to allow any HTML tag and that my users only
> need to input plain text, would HTMLEncode() and URLEncode() be enough
> for this?
>
> Are there any other countermeasure that must be omplemented in order
> to build a secure site (apart from authentication and authorization
> that I give as assumptions)?
>
> Dominick Baier [DevelopMentor] wrote:
>
>> hi,
>>
>> reasons are
>>
>> a) black vs. white listing
>> b) the ValidateRequest feature was bugged in the past - don't rely
>> on it
>> c) only the most obvious characters are blocked, like '<'
>> otherwise there would be too many false positives
>> d) you may need to accept characters which are considere illegal -
>> and you have to turn off the automatic validation
>> e) does not find more subtle attacks
>> ValidateRequest is a defense-in-depth measure meant to augment *not*
>> replace input validation.
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Hi Paolo,
>>>
>>> Thanks for your reply.
>>>
>>> I foud the article very interesting but it failed to answer my
>>> former question.
>>> For what I understand XSS attack consist in the attacker
>>> redirecting a visitor to a victim web site while inserting his
>>> own script in a field (hidden on unnoticed) of the web site so
>>> that when user interacts with the web site the code is executed.
>>> If this is correct then my question rise again. If the ASP.NET
>>> framework validate all form's fields input for harmfull values
>>> (let's says script identifiers) how can be the attacker's code
>>> executed?
>>> That's my point.
>>>
>>> From what I read form the article it seems that the ASP.NET
>>> protection could be faulty being based in "black lists" instead of
>>> "white lists" and being so unable to handle new script identifiers
>>> of new harmfull code. Is that the reason?
>>>
>>> Anyway I still don't understand why MS advise you in the online help
>>> to validate all user input against special carachters if the ASP.NET
>>> framework already does it. In this way they are covertly saying that
>>> the ASP.NET protection doesn't always works.
>>>
>>> I'm still a bit confused about this.
>>>
>>> Paolo De Nictolis, Eng. [441410] wrote:
>>>
>>>> Hi Arturo,
>>>> please check AntiXSS Library:
>>>> http://www.programmazione.it/index.p...m&idItem=33147.
>>>> Paolo
>>>> "Arturo Buonanni" <(E-Mail Removed)>
>>>> wrote in message
>>>> news:Xns97899EE018350Arturo.Buonanni@207.46.248.16 ...
>>>>
>>>>> I'm a programmer new to ASP.NET and web development in general.
>>>>>
>>>>> I'm going to code a web application and I'm concerned about the
>>>>> security issues that arise on this field (that's new to me).
>>>>>
>>>>> I'm using VWD2005 Express Ed. and I've read the online help about
>>>>> security.
>>>>>
>>>>> Now I've a doubt about one thing. The online help states that you
>>>>> have to validate every user input against script exploit and SQL
>>>>> injection and that's quite fair. But it also states that ASP.NET
>>>>> validates every "request" against potentially harmfull values (ie.
>>>>> scripts). Now, if ASP.NET doesn't allows dangerous values in the
>>>>> request for pages, how can one use scrips exploit? Why code
>>>>> against script expliot in every page if dangelous values are not
>>>>> meant to ever reach the page?
>>>>>
>>>>> I'm new to web development as I've said so I'm probably missing
>>>>> something and I'd like to know what it is.
>>>>>
>>>>> Thanks.
>>>>>



 
Reply With Quote
 
Arturo Buonanni
Guest
Posts: n/a
 
      03-20-2006
Hi Dominick,

Thanks for your reply.

I understand that. I've already read most of the documentation
concerning security present on the VWD online help and downloaded some
more.

I'm now facing the usual coder "dilemma". From one side, my boss asks
me to "produce" something in the shortest term possible. In the other
side I don't want to release a "security" weak solution.

Given that I don't have the time to extend my knowledge to fully
include all securty aspects related to web application development, I
need to know wich action I, as a coder, can put on to build the most
secure solution possible.

Also consider that this solution will be probably hosted by someone
else web server so all issues related to the server's configuration
are out of my reach. I can only assume (and maybe verify) that our
host is putting on all effort to secure his servers.

From what I've read, related to coding, I must take care of:
- authentication;
- authorization (restricting users access to resource to the least
needed);
- input and output validation;
- error handling;
- securing configuration.

Is there anything else can I take care of not being able to configure
the web server to my own needs?

While we are in the topics, I've a question about configuration
encryption.

If I encrypth sections of my web.config on my dev. machine using
aspnet_regiis, will the server be able to decrypth them?

Aren't encription keys specific to each asp.net installation?

Thanks for thehelp.


On Mon, 20 Mar 2006 10:56:31 +0000 (UTC), Dominick Baier
[DevelopMentor] <(E-Mail Removed)> wrote:

>hi,
>
>building secure sites is not only about throwing in some counter measure
>- it is a combination of
>
>- Threat Modeling leading to
>
>- prevention
>- detection
>- reaction
>
>good input validation is a prereq - but there is more
>
>auth & authZ, least privilege, server hardening, error handling, logging
>& instrumentation, data & communication protection etc...
>
>HtmlEncode is OK if you are emitting the output to HTML - if you are concatenating
>input into script blocks - this won't help you.
>
>---------------------------------------
>Dominick Baier - DevelopMentor
>http://www.leastprivilege.com
>
>> Ok, so it seems that the ASP.NET protection against malicius code is
>> just a basic one that need to be enanched with coder work.
>>
>> Given that I've no need to allow any HTML tag and that my users only
>> need to input plain text, would HTMLEncode() and URLEncode() be enough
>> for this?
>>
>> Are there any other countermeasure that must be omplemented in order
>> to build a secure site (apart from authentication and authorization
>> that I give as assumptions)?
>>
>> Dominick Baier [DevelopMentor] wrote:
>>
>>> hi,
>>>
>>> reasons are
>>>
>>> a) black vs. white listing
>>> b) the ValidateRequest feature was bugged in the past - don't rely
>>> on it
>>> c) only the most obvious characters are blocked, like '<'
>>> otherwise there would be too many false positives
>>> d) you may need to accept characters which are considere illegal -
>>> and you have to turn off the automatic validation
>>> e) does not find more subtle attacks
>>> ValidateRequest is a defense-in-depth measure meant to augment *not*
>>> replace input validation.
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> Hi Paolo,
>>>>
>>>> Thanks for your reply.
>>>>
>>>> I foud the article very interesting but it failed to answer my
>>>> former question.
>>>> For what I understand XSS attack consist in the attacker
>>>> redirecting a visitor to a victim web site while inserting his
>>>> own script in a field (hidden on unnoticed) of the web site so
>>>> that when user interacts with the web site the code is executed.
>>>> If this is correct then my question rise again. If the ASP.NET
>>>> framework validate all form's fields input for harmfull values
>>>> (let's says script identifiers) how can be the attacker's code
>>>> executed?
>>>> That's my point.
>>>>
>>>> From what I read form the article it seems that the ASP.NET
>>>> protection could be faulty being based in "black lists" instead of
>>>> "white lists" and being so unable to handle new script identifiers
>>>> of new harmfull code. Is that the reason?
>>>>
>>>> Anyway I still don't understand why MS advise you in the online help
>>>> to validate all user input against special carachters if the ASP.NET
>>>> framework already does it. In this way they are covertly saying that
>>>> the ASP.NET protection doesn't always works.
>>>>
>>>> I'm still a bit confused about this.
>>>>
>>>> Paolo De Nictolis, Eng. [441410] wrote:
>>>>
>>>>> Hi Arturo,
>>>>> please check AntiXSS Library:
>>>>> http://www.programmazione.it/index.p...m&idItem=33147.
>>>>> Paolo
>>>>> "Arturo Buonanni" <(E-Mail Removed)>
>>>>> wrote in message
>>>>> news:Xns97899EE018350Arturo.Buonanni@207.46.248.16 ...
>>>>>
>>>>>> I'm a programmer new to ASP.NET and web development in general.
>>>>>>
>>>>>> I'm going to code a web application and I'm concerned about the
>>>>>> security issues that arise on this field (that's new to me).
>>>>>>
>>>>>> I'm using VWD2005 Express Ed. and I've read the online help about
>>>>>> security.
>>>>>>
>>>>>> Now I've a doubt about one thing. The online help states that you
>>>>>> have to validate every user input against script exploit and SQL
>>>>>> injection and that's quite fair. But it also states that ASP.NET
>>>>>> validates every "request" against potentially harmfull values (ie.
>>>>>> scripts). Now, if ASP.NET doesn't allows dangerous values in the
>>>>>> request for pages, how can one use scrips exploit? Why code
>>>>>> against script expliot in every page if dangelous values are not
>>>>>> meant to ever reach the page?
>>>>>>
>>>>>> I'm new to web development as I've said so I'm probably missing
>>>>>> something and I'd like to know what it is.
>>>>>>
>>>>>> Thanks.
>>>>>>

>

 
Reply With Quote
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      03-20-2006
Hi,

yeah - that's the usual dilemma - you will learn a lot in your first "secure
application" - maybe you should reserve some budget for penetration testing.

Logging and Instrumentation is an important one too.

re encrypted config

it depends which provider you use - DPAPI is machine specific - RSA keys
can be exported and installed on different machines.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> Thanks for your reply.
>
> I understand that. I've already read most of the documentation
> concerning security present on the VWD online help and downloaded some
> more.
>
> I'm now facing the usual coder "dilemma". From one side, my boss asks
> me to "produce" something in the shortest term possible. In the other
> side I don't want to release a "security" weak solution.
>
> Given that I don't have the time to extend my knowledge to fully
> include all securty aspects related to web application development, I
> need to know wich action I, as a coder, can put on to build the most
> secure solution possible.
>
> Also consider that this solution will be probably hosted by someone
> else web server so all issues related to the server's configuration
> are out of my reach. I can only assume (and maybe verify) that our
> host is putting on all effort to secure his servers.
>
> From what I've read, related to coding, I must take care of:
> - authentication;
> - authorization (restricting users access to resource to the least
> needed);
> - input and output validation;
> - error handling;
> - securing configuration.
> Is there anything else can I take care of not being able to configure
> the web server to my own needs?
>
> While we are in the topics, I've a question about configuration
> encryption.
>
> If I encrypth sections of my web.config on my dev. machine using
> aspnet_regiis, will the server be able to decrypth them?
>
> Aren't encription keys specific to each asp.net installation?
>
> Thanks for thehelp.
>
> On Mon, 20 Mar 2006 10:56:31 +0000 (UTC), Dominick Baier
> [DevelopMentor] <(E-Mail Removed)> wrote:
>
>> hi,
>>
>> building secure sites is not only about throwing in some counter
>> measure - it is a combination of
>>
>> - Threat Modeling leading to
>>
>> - prevention
>> - detection
>> - reaction
>> good input validation is a prereq - but there is more
>>
>> auth & authZ, least privilege, server hardening, error handling,
>> logging & instrumentation, data & communication protection etc...
>>
>> HtmlEncode is OK if you are emitting the output to HTML - if you are
>> concatenating input into script blocks - this won't help you.
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Ok, so it seems that the ASP.NET protection against malicius code is
>>> just a basic one that need to be enanched with coder work.
>>>
>>> Given that I've no need to allow any HTML tag and that my users only
>>> need to input plain text, would HTMLEncode() and URLEncode() be
>>> enough for this?
>>>
>>> Are there any other countermeasure that must be omplemented in order
>>> to build a secure site (apart from authentication and authorization
>>> that I give as assumptions)?
>>>
>>> Dominick Baier [DevelopMentor] wrote:
>>>
>>>> hi,
>>>>
>>>> reasons are
>>>>
>>>> a) black vs. white listing
>>>> b) the ValidateRequest feature was bugged in the past - don't rely
>>>> on it
>>>> c) only the most obvious characters are blocked, like '<'
>>>> otherwise there would be too many false positives
>>>> d) you may need to accept characters which are considere illegal -
>>>> and you have to turn off the automatic validation
>>>> e) does not find more subtle attacks
>>>> ValidateRequest is a defense-in-depth measure meant to augment
>>>> *not*
>>>> replace input validation.
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> Hi Paolo,
>>>>>
>>>>> Thanks for your reply.
>>>>>
>>>>> I foud the article very interesting but it failed to answer my
>>>>> former question.
>>>>> For what I understand XSS attack consist in the attacker
>>>>> redirecting a visitor to a victim web site while inserting his
>>>>> own script in a field (hidden on unnoticed) of the web site so
>>>>> that when user interacts with the web site the code is executed.
>>>>> If this is correct then my question rise again. If the ASP.NET
>>>>> framework validate all form's fields input for harmfull values
>>>>> (let's says script identifiers) how can be the attacker's code
>>>>> executed?
>>>>> That's my point.
>>>>> From what I read form the article it seems that the ASP.NET
>>>>> protection could be faulty being based in "black lists" instead of
>>>>> "white lists" and being so unable to handle new script identifiers
>>>>> of new harmfull code. Is that the reason?
>>>>>
>>>>> Anyway I still don't understand why MS advise you in the online
>>>>> help to validate all user input against special carachters if the
>>>>> ASP.NET framework already does it. In this way they are covertly
>>>>> saying that the ASP.NET protection doesn't always works.
>>>>>
>>>>> I'm still a bit confused about this.
>>>>>
>>>>> Paolo De Nictolis, Eng. [441410] wrote:
>>>>>
>>>>>> Hi Arturo,
>>>>>> please check AntiXSS Library:
>>>>>> http://www.programmazione.it/index.p...m&idItem=33147.
>>>>>> Paolo
>>>>>> "Arturo Buonanni" <(E-Mail Removed)>
>>>>>> wrote in message
>>>>>> news:Xns97899EE018350Arturo.Buonanni@207.46.248.16 ...
>>>>>>> I'm a programmer new to ASP.NET and web development in general.
>>>>>>>
>>>>>>> I'm going to code a web application and I'm concerned about the
>>>>>>> security issues that arise on this field (that's new to me).
>>>>>>>
>>>>>>> I'm using VWD2005 Express Ed. and I've read the online help
>>>>>>> about security.
>>>>>>>
>>>>>>> Now I've a doubt about one thing. The online help states that
>>>>>>> you have to validate every user input against script exploit and
>>>>>>> SQL injection and that's quite fair. But it also states that
>>>>>>> ASP.NET validates every "request" against potentially harmfull
>>>>>>> values (ie. scripts). Now, if ASP.NET doesn't allows dangerous
>>>>>>> values in the request for pages, how can one use scrips exploit?
>>>>>>> Why code against script expliot in every page if dangelous
>>>>>>> values are not meant to ever reach the page?
>>>>>>>
>>>>>>> I'm new to web development as I've said so I'm probably missing
>>>>>>> something and I'd like to know what it is.
>>>>>>>
>>>>>>> Thanks.
>>>>>>>



 
Reply With Quote
 
Arturo Buonanni
Guest
Posts: n/a
 
      03-20-2006
Hi Dominick,

Thank you for your quick reply.

So I'm now ready to start (like a lamb to the wolves).

About penetration testings, how can I arrange for that?

Are there some services that offer it?


On Mon, 20 Mar 2006 11:41:31 +0000 (UTC), Dominick Baier
[DevelopMentor] <(E-Mail Removed)> wrote:

>Hi,
>
>yeah - that's the usual dilemma - you will learn a lot in your first "secure
>application" - maybe you should reserve some budget for penetration testing.
>
>Logging and Instrumentation is an important one too.
>
>re encrypted config
>
>it depends which provider you use - DPAPI is machine specific - RSA keys
>can be exported and installed on different machines.
>
>---------------------------------------
>Dominick Baier - DevelopMentor
>http://www.leastprivilege.com
>
>> Hi Dominick,
>>
>> Thanks for your reply.
>>
>> I understand that. I've already read most of the documentation
>> concerning security present on the VWD online help and downloaded some
>> more.
>>
>> I'm now facing the usual coder "dilemma". From one side, my boss asks
>> me to "produce" something in the shortest term possible. In the other
>> side I don't want to release a "security" weak solution.
>>
>> Given that I don't have the time to extend my knowledge to fully
>> include all securty aspects related to web application development, I
>> need to know wich action I, as a coder, can put on to build the most
>> secure solution possible.
>>
>> Also consider that this solution will be probably hosted by someone
>> else web server so all issues related to the server's configuration
>> are out of my reach. I can only assume (and maybe verify) that our
>> host is putting on all effort to secure his servers.
>>
>> From what I've read, related to coding, I must take care of:
>> - authentication;
>> - authorization (restricting users access to resource to the least
>> needed);
>> - input and output validation;
>> - error handling;
>> - securing configuration.
>> Is there anything else can I take care of not being able to configure
>> the web server to my own needs?
>>
>> While we are in the topics, I've a question about configuration
>> encryption.
>>
>> If I encrypth sections of my web.config on my dev. machine using
>> aspnet_regiis, will the server be able to decrypth them?
>>
>> Aren't encription keys specific to each asp.net installation?
>>
>> Thanks for thehelp.
>>
>> On Mon, 20 Mar 2006 10:56:31 +0000 (UTC), Dominick Baier
>> [DevelopMentor] <(E-Mail Removed)> wrote:
>>
>>> hi,
>>>
>>> building secure sites is not only about throwing in some counter
>>> measure - it is a combination of
>>>
>>> - Threat Modeling leading to
>>>
>>> - prevention
>>> - detection
>>> - reaction
>>> good input validation is a prereq - but there is more
>>>
>>> auth & authZ, least privilege, server hardening, error handling,
>>> logging & instrumentation, data & communication protection etc...
>>>
>>> HtmlEncode is OK if you are emitting the output to HTML - if you are
>>> concatenating input into script blocks - this won't help you.
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> Ok, so it seems that the ASP.NET protection against malicius code is
>>>> just a basic one that need to be enanched with coder work.
>>>>
>>>> Given that I've no need to allow any HTML tag and that my users only
>>>> need to input plain text, would HTMLEncode() and URLEncode() be
>>>> enough for this?
>>>>
>>>> Are there any other countermeasure that must be omplemented in order
>>>> to build a secure site (apart from authentication and authorization
>>>> that I give as assumptions)?
>>>>
>>>> Dominick Baier [DevelopMentor] wrote:
>>>>
>>>>> hi,
>>>>>
>>>>> reasons are
>>>>>
>>>>> a) black vs. white listing
>>>>> b) the ValidateRequest feature was bugged in the past - don't rely
>>>>> on it
>>>>> c) only the most obvious characters are blocked, like '<'
>>>>> otherwise there would be too many false positives
>>>>> d) you may need to accept characters which are considere illegal -
>>>>> and you have to turn off the automatic validation
>>>>> e) does not find more subtle attacks
>>>>> ValidateRequest is a defense-in-depth measure meant to augment
>>>>> *not*
>>>>> replace input validation.
>>>>> ---------------------------------------
>>>>> Dominick Baier - DevelopMentor
>>>>> http://www.leastprivilege.com
>>>>>> Hi Paolo,
>>>>>>
>>>>>> Thanks for your reply.
>>>>>>
>>>>>> I foud the article very interesting but it failed to answer my
>>>>>> former question.
>>>>>> For what I understand XSS attack consist in the attacker
>>>>>> redirecting a visitor to a victim web site while inserting his
>>>>>> own script in a field (hidden on unnoticed) of the web site so
>>>>>> that when user interacts with the web site the code is executed.
>>>>>> If this is correct then my question rise again. If the ASP.NET
>>>>>> framework validate all form's fields input for harmfull values
>>>>>> (let's says script identifiers) how can be the attacker's code
>>>>>> executed?
>>>>>> That's my point.
>>>>>> From what I read form the article it seems that the ASP.NET
>>>>>> protection could be faulty being based in "black lists" instead of
>>>>>> "white lists" and being so unable to handle new script identifiers
>>>>>> of new harmfull code. Is that the reason?
>>>>>>
>>>>>> Anyway I still don't understand why MS advise you in the online
>>>>>> help to validate all user input against special carachters if the
>>>>>> ASP.NET framework already does it. In this way they are covertly
>>>>>> saying that the ASP.NET protection doesn't always works.
>>>>>>
>>>>>> I'm still a bit confused about this.
>>>>>>
>>>>>> Paolo De Nictolis, Eng. [441410] wrote:
>>>>>>
>>>>>>> Hi Arturo,
>>>>>>> please check AntiXSS Library:
>>>>>>> http://www.programmazione.it/index.p...m&idItem=33147.
>>>>>>> Paolo
>>>>>>> "Arturo Buonanni" <(E-Mail Removed)>
>>>>>>> wrote in message
>>>>>>> news:Xns97899EE018350Arturo.Buonanni@207.46.248.16 ...
>>>>>>>> I'm a programmer new to ASP.NET and web development in general.
>>>>>>>>
>>>>>>>> I'm going to code a web application and I'm concerned about the
>>>>>>>> security issues that arise on this field (that's new to me).
>>>>>>>>
>>>>>>>> I'm using VWD2005 Express Ed. and I've read the online help
>>>>>>>> about security.
>>>>>>>>
>>>>>>>> Now I've a doubt about one thing. The online help states that
>>>>>>>> you have to validate every user input against script exploit and
>>>>>>>> SQL injection and that's quite fair. But it also states that
>>>>>>>> ASP.NET validates every "request" against potentially harmfull
>>>>>>>> values (ie. scripts). Now, if ASP.NET doesn't allows dangerous
>>>>>>>> values in the request for pages, how can one use scrips exploit?
>>>>>>>> Why code against script expliot in every page if dangelous
>>>>>>>> values are not meant to ever reach the page?
>>>>>>>>
>>>>>>>> I'm new to web development as I've said so I'm probably missing
>>>>>>>> something and I'd like to know what it is.
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>

>

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Cooling Overview - Lower Noise, Better Thermals Silverstrand Front Page News 0 01-10-2006 12:36 AM
Security overview help darrel ASP .Net 0 05-23-2005 02:40 PM
two setup overview questions =?Utf-8?B?Q2hyaXM=?= ASP .Net 9 01-17-2005 03:32 PM
Computer Certification: Overview Rowdy Yates MCSE 0 04-30-2004 02:15 PM
70-229 Exam Overview Matthew Carr MCSD 1 08-12-2003 06:55 AM



Advertisments