Friday, September 27, 2013

ASP.NET security

Automated Security Analyzer for ASP.NET Websites - https://asafaweb.com/

ASP.NET APP SECURITY:

The worst 5 mistakes in the web.config file:



Custom errors and stack traces:


Display Safe Error Messages:


Request validation:


Session Fixation:


Deploying-IT


Encrypting and Decrypting Configuration Sections

Using App Folder Path
Encrypting a Web Configuration Section:       aspnet_regiis -pef "connectionStrings" "AppPhysicalPath" -prov "RsaProtectedConfigurationProvider"
Decrypting a Web Configuration Section:      aspnet_regiis -pdf "connectionStrings" "AppPhysicalPath"

Where AppPhysicalPath Example: "C:\AppFolderName"
Using App Name
Encrypting a Web Configuration Section:       aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
Decrypting a Web Configuration Section:      aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"


Removing Unnecessary HTTP Headers in IIS and ASP.NET
1.       ASP.NET Web.Config event and add the following:
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

2.       MVC Application_Start event and add the following:
MvcHandler.DisableMvcResponseHeader = true;

3.       X-Powered-By:
This one is actually easily configurable straight out of the box in IIS 7.x, just jump right into the IIS configuration of the website and locate the “HTTP Response Headers” item. Remove X-Power-By.


Secure cookies

1.       HTTP only cookies:
ASP.NET Code:
Response.Cookies.Add(new HttpCookie("HttpOnlyCookie")
    {
      Value = "I can't be read by JavaScript",
      HttpOnly = true
    });

Web.Config
<httpCookies httpOnlyCookies="true" />

2.       Secure cookies:
ASP.NET Code:
Response.Cookies.Add(new HttpCookie("SecureCookie")
{
    Value = "I won't be sent by the browser over a non-secure connection",
    Secure = true
});

Web.Config:
<httpCookies requireSSL="true" />


CLICKJACKING

1.       From Global File
void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}

2.       From IIS:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.

Click OK to save your changes.

Git Commands and Using Them in Visual Studio

 Git is a widely used version control system that allows developers to manage changes to their code and collaborate with other IDE like Visu...