# Basic security for ASP.NET applications

Categories: .NET, Security | Posted by oleksii on 5/17/2011 4:03 PM

## Part 2

##### See Part 1 (debug, error pages, back-ups, config encryption)

I am continuing the series of posts about ASP.NET security, and at the end of this one I will do a little bit of basic hacking.

1. Most web applications use passwords. These passwords must never be stored as is. Store only a one-way hash of each password, salted per user and computed with a deliberately slow hashing function. Then, if the database is stolen (as in the recent Sony incident), the users' passwords cannot be recovered and so cannot be used to get into other systems. It is a well-known fact that people do not keep many different passwords for different resources.
2. Credit card data is extremely sensitive; it is generally better to avoid storing it at all. Otherwise it is a whole topic of its own and demands a thoroughly paranoid approach to security (which frankly goes beyond my limited knowledge).
3. Production servers must have recent updates and patches. Any new security hole is quickly shared and attack scripts are freely distributed; such scripts are then used to run repeated, anonymous attacks.
4. Do not mistake encoding for encryption, and do not use "stupid" encryption (see below).

ASP.NET applications are often served over plain HTTP, and over plain HTTP it is still possible to use Basic authentication. Basic authentication sends the username and password virtually in the clear: they are merely Base64-encoded, which anyone who can see the traffic reverses instantly. To demonstrate this I set up a simple ASP.NET MVC application and turned off the default Forms authentication. Then I quickly googled a Basic authentication sample; the first link gave me a controller method that uses Basic authentication. This is how the GUI looks to the user:

It seems quite secure, so I type in my user name and a super-strong, long password. This is the request that goes over the wire:

```http
GET http://localhost:6105/secure HTTP/1.1
Authorization: Basic QWxpY2U6Skgsd21udmwqNjczMDVAOzt3alVXRVVO
```
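What an eavesdropper does with that header, as an added example that is not part of the original post and written in Python rather than C#, since the point is the protocol rather than the framework. The request text is a constructed copy of the capture above (the `Host` header is my addition so that it is a complete HTTP/1.1 request), and `build_basic_request` and `extract_basic_credentials` are names I chose for this illustration.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed copy of the request captured in the post; the Host header is
# added here only so that the sample is a complete HTTP/1.1 request.
CAPTURED_REQUEST = (
    "GET http://localhost:6105/secure HTTP/1.1\r\n"
    "Authorization: Basic QWxpY2U6Skgsd21udmwqNjczMDVAOzt3alVXRVVO\r\n"
    "Host: localhost:6105\r\n"
    "\r\n"
)


def build_basic_request(user: str, password: str, path: str = "/secure") -> str:
    """Build the request a browser sends for Basic auth: the credential is
    just base64('user:password'); no key of any kind is involved."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Authorization: Basic {token}\r\n"
        "Host: localhost:6105\r\n"
        "\r\n"
    )


def extract_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from the Basic Authorization header of a raw
    HTTP request, exactly as anyone on the network path can when the request
    travels over plain HTTP. Returns None when no usable Basic header exists."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:             # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                              # Digest, Bearer, ...: not decodable this way
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None
        # RFC 7617: the user-id may not contain ':', so split at the first colon
        # only; everything after it (including further colons) is the password.
        user, sep, password = decoded.decode("utf-8", errors="replace").partition(":")
        return (user, password) if sep else None
    return None


if __name__ == "__main__":
    print(extract_basic_credentials(CAPTURED_REQUEST))
```

Run against the captured request it returns the user name `Alice` and the full "super-strong" password, with no cracking at all. The only thing that makes Basic authentication acceptable is the transport: the same header sent over HTTPS is hidden from the network, so either enforce HTTPS for every request that carries credentials or do not use Basic authentication.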