Velocity Reviews - Computer Hardware Reviews


ASP.net { or any web application } security

 
 
Bashar Naffa
 
      04-18-2007
Hi all,

I'm wondering how I can prevent this scenario:

I have an ASP.NET application that is not using any of the ASP.NET security models
[neither Windows nor Forms authentication].
A client can save a complete copy of the web site locally, change any
JavaScript function, then change the Action attribute in the form tag to
point to the same page again, and it will submit.

My question is: I want my website to be accessed only through my own web site's links or
requests. I don't want to accept the previous scenario, and I also don't want to
accept any custom HTTP request that doesn't come from inside my web site.
I can't depend on the HTTP Referer, because it can easily be changed with
HTTP sniffing tools or packet editor tools.

Any advice?

Bashar
 
 
 
 
 
Dominick Baier
 
      04-18-2007
Well - you could generate one-time IDs that are only valid for a short period
of time - you could append these to links as a query string.

An HttpModule could check the appended IDs for validity...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)




 
 
 
 
 
Bashar Naffa
 
      04-18-2007
Hi Dominick,

Thanks for your reply. I already thought of your idea, which produces a token and an
expiry time, but I don't think this will solve the problem. For example, you
set the expiry to 1 min for every request; then the hacker can save the HTML,
replace whatever he wants within that 1 min, and submit it back. You got me?
Also, think of big, huge forms to fill in: the user may not finish filling in the
form within that expiry time, so his submit will fail!

By the way, I have another question for you, as a security expert: can any
tool, application, technology, etc. change the "HTTP Referer" in any
HTTP request header?

Thanks in advance,
Bashar
 
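The approach from Dominick's reply, worked through as an added example (this is not code from the thread or from either poster): a token bound to the visitor's session, signed with an HMAC and given an expiry, is emitted as a hidden field and checked by an HttpModule on every POST. The two objections in the post above are handled by design choices rather than by a shorter clock: the lifetime is hours, not a minute, so a long form does not time out, and because the token is tied to the session ID that received it, a saved copy of the page is only accepted from that same session, not from anyone who obtains the HTML. The secret, the field name, the lifetime and the `Emit` helper are assumptions for illustration. What this does not do is stop the legitimate user from editing their own copy and posting it within their own session; nothing delivered to the browser can, so every posted field still has to be validated on the server.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example (not from the thread). Issues and checks HMAC-signed, expiring,
// session-bound form tokens. The secret below is a placeholder: in a real
// deployment load it from configuration and keep it out of source control.
public static class FormToken
{
    public const string FieldName = "__formtoken";

    public static string Issue(string sessionId, byte[] secret, DateTime nowUtc, TimeSpan lifetime)
    {
        // Payload carries the expiry and the session the token was issued to.
        string payload = nowUtc.Add(lifetime).Ticks.ToString() + "|" + sessionId;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload))
             + "." + Convert.ToBase64String(Mac(payload, secret));
    }

    public static bool Validate(string token, string sessionId, byte[] secret, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');   // '.' is not a base64 character
        if (parts.Length != 2) return false;

        string payload;
        byte[] givenMac;
        try
        {
            payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            givenMac = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }

        // Verify the MAC before trusting anything inside the payload.
        if (!FixedTimeEquals(Mac(payload, secret), givenMac)) return false;

        int sep = payload.IndexOf('|');
        if (sep < 0) return false;
        long expiresTicks;
        if (!long.TryParse(payload.Substring(0, sep), out expiresTicks)) return false;
        if (nowUtc.Ticks > expiresTicks) return false;      // expired
        return payload.Substring(sep + 1) == sessionId;     // issued to another session
    }

    static byte[] Mac(string payload, byte[] secret)
    {
        using (HMACSHA256 hmac = new HMACSHA256(secret))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Compares every byte so a forged MAC cannot be guessed one byte at a time.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Rejects any POST that does not carry a valid token for the current session.
// Register in web.config under <system.web><httpModules>:
//   <add name="FormTokenModule" type="FormTokenModule" />
public class FormTokenModule : IHttpModule
{
    static readonly byte[] Secret = Encoding.UTF8.GetBytes("placeholder-secret-load-from-config");
    static readonly TimeSpan Lifetime = TimeSpan.FromHours(2); // long enough for big forms

    public void Init(HttpApplication app)
    {
        // Session state is available from this event onwards.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (ctx.Session == null) return;   // handler without session state; nothing to bind to
        if (!string.Equals(ctx.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)) return;

        string token = ctx.Request.Form[FormToken.FieldName];
        if (FormToken.Validate(token, ctx.Session.SessionID, Secret, DateTime.UtcNow)) return;

        ctx.Response.StatusCode = 403;
        ctx.Response.Write("Rejected: missing, expired or tampered form token.");
        app.CompleteRequest();
    }

    // Call from Page_Load of every page that posts back, to emit the hidden field.
    public static void Emit(System.Web.UI.Page page)
    {
        // ASP.NET hands out a fresh session ID on each request until the session
        // holds data, so store a marker first; otherwise the ID in the token never matches.
        page.Session["__formtoken_issued"] = true;
        page.ClientScript.RegisterHiddenField(FormToken.FieldName,
            FormToken.Issue(page.Session.SessionID, Secret, DateTime.UtcNow, Lifetime));
    }
}
```

Call `FormTokenModule.Emit(this)` from `Page_Load` of each page whose form posts back, and register the module in web.config as the comment shows. A request that reaches the module without the hidden field, with an expired field, or with a field copied from another user's session gets a 403 before any page code runs.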
 
Dominick Baier
 
      04-18-2007
> By the way, I have another question for you, as a security expert: can
> any tool, application, technology, etc. change the "HTTP
> Referer" in any HTTP request header?

What do you mean?


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

 
 
Bashar Naffa
 
      04-18-2007

What I mean is:
Do you know the "Referer" key in the HTTP header? It tells the server from
which URI the request was redirected.
For example:
You are in Page1.aspx and click on a link that navigates you to Page2.aspx.
Check Request.Headers["Referer"] in the Load event of Page2.aspx, and you
find the value of the URI Page1.aspx.

In that way, you can detect where your requests are coming from: from
inside your application, or from other sites or local copies?

My question is: can the attacker change this Referer manually so he can
fake this validation, like what happens in phishing, for example?

I hope this was clear.


 
 
Dominick Baier
 
      04-18-2007
Hi,

Yes, this is easily possible - have a look at www.fiddlertool.com


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

 
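To make the point concrete, here is an added example (not from the thread or from either poster) of the forgery Dominick describes, done from code instead of from Fiddler. Any HTTP client sets the Referer header to whatever it likes, so a server check like the one described two posts up, comparing `Request.UrlReferrer` against the site's own host, only filters out accidental cross-site requests, never deliberate ones. The target URL, the form field and the server-side check shown in the comment are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

// Added example (not from the thread). Posts to a page with a Referer of the
// client's choosing. Usage: ForgedReferer.exe http://localhost/Page2.aspx
// The URL and the form field are placeholders.
class ForgedReferer
{
    // The kind of server-side check this defeats, as it would appear in Page_Load:
    //   Uri r = Request.UrlReferrer;
    //   if (r == null || r.Host != Request.Url.Host) { Response.StatusCode = 403; Response.End(); }
    // UrlReferrer is just the parsed Referer header, so the forged value below passes it.
    static void Main(string[] args)
    {
        string target = args.Length > 0 ? args[0] : "http://localhost/Page2.aspx";

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(target);
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";
        // Anything the client chooses; a browser would have sent Page1.aspx here.
        req.Referer = new Uri(new Uri(target), "/Page1.aspx").ToString();
        req.UserAgent = "Mozilla/5.0";   // equally client-controlled, for the same reason

        // Body edited "locally", exactly as a saved copy of the page could send it.
        byte[] body = Encoding.UTF8.GetBytes("field=" + Uri.EscapeDataString("edited locally"));
        req.ContentLength = body.Length;
        using (Stream s = req.GetRequestStream())
            s.Write(body, 0, body.Length);

        try
        {
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine("Server answered {0} {1}", (int)resp.StatusCode, resp.StatusDescription);
        }
        catch (WebException ex)
        {
            // A 403 lands here; a Referer-only check will not produce one for this request.
            HttpWebResponse resp = ex.Response as HttpWebResponse;
            Console.WriteLine(resp != null
                ? string.Format("Server rejected the request: {0}", (int)resp.StatusCode)
                : "Request failed: " + ex.Message);
        }
    }
}
```

Run it against a page that checks only the Referer and the request is accepted; the same program with no `req.Referer` line is what a plain copy of the form submitted from disk looks like. Either way the header is a hint from the client, not evidence of where the request came from.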