Categories: .NET, Security | Posted by oleksii on 5/17/2011 4:03 PM

Part 2

See Part 1 (debug, error pages, back-ups, config encryption)

I am continuing the series of posts about ASP.NET security and will do a little bit of basic hacking at the end today.

  1. Most web applications use passwords. These passwords must not be stored as is. Instead, store a hash or use one-way encryption. If the database is stolen (like in the recent incident with Sony), users' passwords cannot be recovered and thus cannot be used to get access to other systems. It is a well-known fact that people do not use many different passwords for different resources.
  2. Credit card information is extremely sensitive data; generally it is better to avoid storing such data at all. Otherwise it is a whole new topic and a totally paranoid approach to security (which frankly goes beyond my limited knowledge).
  3. Production servers must have recent updates and patches: any new security hole is quickly shared and attack scripts are freely distributed. Such scripts are used to perform repeated anonymous attacks.
  4. Do not use "stupid" encryption (see below).

Modern ASP.NET usually works over plain HTTP, where it is possible to use Basic authentication. Basic authentication sends the username and password virtually unencrypted: they are only Base64-encoded. To demonstrate the vulnerability I set up a simple ASP.NET MVC application and turned off the default Forms authentication. Then I quickly googled a Basic authentication sample; the first link gave me a controller method that uses Basic authentication. This is how the GUI looks to the user:

It seems quite secure, so I type in my user name and super-strong long password.

Then I hit log in and catch the traffic using Fiddler. Let's see the request headers.

GET http://localhost:6105/secure HTTP/1.1
Host: localhost:6105
Authorization: Basic QWxpY2U6Skgsd21udmwqNjczMDVAOzt3alVXRVVO

All is good, but the user name and the password are only encoded in the Authorization header. One doesn't need to be a magician to get the user name and the password back out. This decoding functionality has been in Fiddler for a long time.

And with a few lines of code I do the same in C#.
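The decoding step described above, as an added example that is not the post's own code: it shows that the Authorization value from the capture is plain Base64 (no key involved), and pairs it with a defensive check that accepts Basic credentials only when the request came in over HTTPS. The class and method names are my own.

```csharp
using System;
using System.Text;

// Added example (not the post's code): Basic credentials are only Base64-encoded,
// so anyone who sees the header on plain HTTP can read them back. The guard at the
// end is the server-side check a defender would add.
static class BasicAuthDemo
{
    // Returns (user, password) from an "Authorization: Basic ..." value,
    // or null if the value is not a well-formed Basic credential.
    public static Tuple<string, string> DecodeBasic(string authorizationHeader)
    {
        const string scheme = "Basic ";
        if (authorizationHeader == null ||
            !authorizationHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return null;

        byte[] raw;
        try { raw = Convert.FromBase64String(authorizationHeader.Substring(scheme.Length).Trim()); }
        catch (FormatException) { return null; }   // malformed Base64, not a credential

        // RFC 2617: user-id ":" password; the user-id may not contain ':',
        // so split on the first colon only (the password itself may contain colons).
        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':');
        if (colon < 0) return null;
        return Tuple.Create(pair.Substring(0, colon), pair.Substring(colon + 1));
    }

    // Defensive check: Basic credentials are acceptable only over TLS.
    // In an MVC action filter, isHttps would come from Request.IsSecureConnection.
    public static bool IsBasicAuthAcceptable(string authorizationHeader, bool isHttps)
    {
        bool isBasic = authorizationHeader != null &&
                       authorizationHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase);
        return !isBasic || isHttps;
    }

    static void Main()
    {
        // Header value taken from the Fiddler capture in the post
        string header = "Basic QWxpY2U6Skgsd21udmwqNjczMDVAOzt3alVXRVVO";
        var creds = DecodeBasic(header);
        Console.WriteLine("User: {0}", creds.Item1);
        Console.WriteLine("Password: {0}", creds.Item2);
        Console.WriteLine("Acceptable over plain HTTP? {0}", IsBasicAuthAcceptable(header, isHttps: false));
        Console.WriteLine("Acceptable over HTTPS?     {0}", IsBasicAuthAcceptable(header, isHttps: true));
    }
}
```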

So make sure you don't use Basic authentication over plain HTTP, and better still, disable it in IIS.
