Friday, September 27, 2013

ASP.NET security

Automated Security Analyzer for ASP.NET Websites - https://asafaweb.com/

ASP.NET APP SECURITY:

The worst 5 mistakes in the web.config file:



Custom errors and stack traces:


Display Safe Error Messages:


Request validation:


Session Fixation:


Deploying-IT


Encrypting and Decrypting Configuration Sections

Using App Folder Path:
Encrypting a Web Configuration Section:   aspnet_regiis -pef "connectionStrings" "AppPhysicalPath" -prov "RsaProtectedConfigurationProvider"
Decrypting a Web Configuration Section:   aspnet_regiis -pdf "connectionStrings" "AppPhysicalPath"

Where AppPhysicalPath is the physical folder of the application, for example "C:\AppFolderName".

Using App Name:
Encrypting a Web Configuration Section:   aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
Decrypting a Web Configuration Section:   aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"


Removing Unnecessary HTTP Headers in IIS and ASP.NET
1.       ASP.NET: in Web.Config add the following:
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

2.       MVC: in the Application_Start event add the following:
MvcHandler.DisableMvcResponseHeader = true;

3.       X-Powered-By:
This one is configurable out of the box in IIS 7.x: open the IIS configuration of the website, locate the “HTTP Response Headers” item and remove X-Powered-By.


Secure cookies

1.       HTTP only cookies:
ASP.NET Code:
Response.Cookies.Add(new HttpCookie("HttpOnlyCookie")
{
    Value = "I can't be read by JavaScript",
    HttpOnly = true
});

Web.Config:
<httpCookies httpOnlyCookies="true" />

2.       Secure cookies:
ASP.NET Code:
Response.Cookies.Add(new HttpCookie("SecureCookie")
{
    Value = "I won't be sent by the browser over a non-secure connection",
    Secure = true
});

Web.Config:
<httpCookies requireSSL="true" />


CLICKJACKING

1.       From the Global.asax file:
void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}

2.       From IIS:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
Click OK to save your changes.
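To check that the header removal, cookie flags and X-Frame-Options settings above actually took effect, here is an added audit script (not part of the original post) that parses a captured raw HTTP response and reports what is still missing; the two sample responses are constructed for the example.

```python
from typing import Dict, List

# Stack-revealing headers that the settings above switch off.
VERSION_HEADERS = ("x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")

def parse_response(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values (Set-Cookie may repeat)."""
    headers: Dict[str, List[str]] = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw: str) -> List[str]:
    """Return findings for the checks covered above; an empty list means all passed."""
    h = parse_response(raw)
    findings = [f"version disclosure: {n}: {h[n][0]}" for n in VERSION_HEADERS if n in h]
    xfo = [v.strip().upper() for v in h.get("x-frame-options", [])]
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.append("clickjacking: X-Frame-Options missing or not DENY/SAMEORIGIN")
    for cookie in h.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        cname = cookie.split(";")[0].split("=", 1)[0].strip()
        if "httponly" not in attrs:
            findings.append(f"cookie {cname}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure")
    return findings

# Constructed sample: a default-looking ASP.NET response before hardening.
SAMPLE_BEFORE = ("HTTP/1.1 200 OK\r\n"
                 "Server: Microsoft-IIS/7.5\r\n"
                 "X-AspNet-Version: 4.0.30319\r\n"
                 "X-AspNetMvc-Version: 4.0\r\n"
                 "X-Powered-By: ASP.NET\r\n"
                 "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
                 "\r\n<html></html>")
# Constructed sample: the same response after the settings above are applied.
SAMPLE_AFTER = ("HTTP/1.1 200 OK\r\n"
                "Server: Microsoft-IIS/7.5\r\n"
                "X-Frame-Options: DENY\r\n"
                "Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly\r\n"
                "\r\n")

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(raw) or ["ok"])
```

The script deliberately does not flag the Server header, since these notes do not cover removing it.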

1 comment:

  1. Awesome articles, gave me a lot of knowledge.

    Thanks buddy!!

