ASP.NET Security
Dominik Pinter, dominikp@kentico.com, @DominikPinter

About me
•6 years of experience with ASP.NET development
•MCPD for .NET 4.0
•Certified Ethical Hacker
•Working at Kentico software
•Development -> Product management
•Likes: beer, scotch whiskey, cloud, security
•@DominikPinter

Agenda
•Introduction
•Development
 –Authentication
 –Writing secure code
•Deployment

Resistance is futile
A.K.A.
No website is 100% secure

Development process
[figure: development process diagram]

Security process
[figure: security process diagram]

Requirements
Security related certifications
•PCI (Payment Card Industry) = credit cards
 –PA = vendor certification
•Safe Harbor = transferring data between the EU and the US
•HIPAA = private medical information

Design
[figure: security process diagram, design stage]

Development

Authentication

HTTP Basic Authentication
•GET http://localhost/page HTTP/1.1
•Host: localhost
•User-Agent: Mozilla/5.0 …
•Accept: text/html,application/xhtml+xml,…
•Accept-Language: en-us,en;q=0.5
•Accept-Encoding: gzip,deflate
•Connection: keep-alive
•Authorization: Basic dXNlcjpwYXNzd29yZA==
Support in the HTTP protocol
HTTP response 401
User name and password encoded in Base64
Not safe without SSL (HTTPS)

ASP.NET Forms Authentication
•Built into ASP.NET
•Uses forms and HTTP POST
•Cookie based
•Prepared components
•Web.config settings
•Integrated with ASP.NET membership providers

ASP.NET Membership Providers
•The .NET way of working with users, roles, …
•SQL tables + standard classes
•Provider model
Demo: basic template with an ASP.NET provider
DEMO: ASP.NET Forms + Membership providers

ASP.NET Windows Authentication
•Web.config
•IIS
Switch to Windows mode
DEMO: ASP.NET Windows authentication

OAuth Basics
•An authentication mechanism for web applications/web services
•OAuth 1.0 - RFC 5849 http://tools.ietf.org/html/rfc5849
•OAuth 2.0 – draft http://tools.ietf.org/html/draft-ietf-oauth-v2-31
Problem: 3rd party applications built upon existing web services, for example social networks, need access to a user account. The user doesn't want to give them a user name and a password.
Solution: The original web service can give them a temporary token for accessing the user account.

OAuth – How It Works
Parties: 3rd party application, User (Browser), Original web service
1.User sends a request to the 3rd party application
2.3rd party application requests an access token
3.User is redirected to the original web service
4.User authenticates with user name and password to the original web service
5.3rd party application gets the access token
Demo: OAuth
DEMO: OAuth

Claim Based Authentication
Demo with WIF
DEMO: Claim based authentication

Writing Secure Code
•SQLi => LinqToSQL, ASP.NET Entity Framework
•XSS => Request validation, AntiXSS library, output encoding
•CSRF => ViewState validation (WebForms)
•Clickjacking => X-Frame-Options: SAMEORIGIN
•Session attacks => Session ID regeneration
•OWASP project
Demo: attacks and demonstrations of defenses
[figure: security process diagram, development stage]

Deployment
•Create a checklist and use it!
•Delete all the testing data!
•Turn off all debugging features!
•Deploy to a well secured environment!
•Configure SSL!
•Limit access to private data!
•Consider an external security audit
Demo: sections in web.config

Q&A
•?
•Thank you
•dominikp@kentico.com
•@DominikPinter
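The "Writing Secure Code" slide only names the defenses. As an added example (not code from the deck or from Kentico), here is how four of them look in a classic ASP.NET 4.0 (System.Web) project; the Demo namespace, the class names and the Users table are assumptions, and CSRF is left out because ViewState validation is a WebForms setting rather than code.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.SessionState;

namespace Demo
{
    // Hypothetical HttpModule (register it in web.config under <system.webServer><modules>).
    public class SecurityHeadersModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Clickjacking: browsers refuse to render the page inside frames from other origins.
            app.BeginRequest += (s, e) =>
                app.Context.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
        }
        public void Dispose() { }
    }

    public static class SecureCode
    {
        // SQLi, vulnerable form kept only as the "before": input becomes part of the SQL text.
        public static string UnsafeUserQuery(string userName) =>
            "SELECT * FROM Users WHERE UserName = '" + userName + "'";

        // SQLi, safe form: the parameter carries the value, which can never become SQL syntax.
        public static SqlCommand SafeUserQuery(SqlConnection conn, string userName)
        {
            var cmd = new SqlCommand("SELECT * FROM Users WHERE UserName = @name", conn);
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = userName;
            return cmd;
        }

        // XSS: encode untrusted data at the point where it is written into HTML.
        public static string Greeting(string displayName) =>
            "<p>Hello, " + HttpUtility.HtmlEncode(displayName) + "</p>";

        // Session attacks: issue a fresh session ID once the user has authenticated,
        // so an ID an attacker learned before login is worthless afterwards.
        public static string RegenerateSessionId(HttpContext ctx)
        {
            var manager = new SessionIDManager();
            string newId = manager.CreateSessionID(ctx);
            bool redirected, cookieAdded;
            manager.SaveSessionID(ctx, newId, out redirected, out cookieAdded);
            return newId;
        }
    }
}
```

Call RegenerateSessionId before anything is written to the response, since it sets the session cookie; state stored under the old ID is not carried over.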