See Part 1 (debug, error pages, back-ups, config encryption)
I am continuing the series of posts about ASP.NET security and will do a little bit of basic hacking at the end today.
- Most web applications use passwords. These passwords must not be stored as is; rather, consider storing a hash code or using one-way encryption. If the database is stolen (like the recent incident with Sony), users' passwords cannot be decrypted and thus cannot be used to get access to other systems. It is a well-known fact that people do not have many different passwords for different resources.
- Credit card information is extremely sensitive data; generally it is better to avoid storing such data at all. Otherwise it is a whole new topic and a totally paranoid approach to security (which frankly goes beyond my limited knowledge).
- Production servers must have recent updates and patches; any new security hole is quickly shared and attack scripts are freely distributed. Such scripts are used to perform repeated anonymous attacks.
- Do not use "stupid" encryption (see below)
Modern ASP.NET usually works over plain HTTP, where it is possible to use Basic authentication. Basic authentication sends the username and password in a virtually unencrypted way – Base64 encoded. To demonstrate its vulnerability I set up a simple ASP.NET MVC application and turned off the default Forms authentication. Then I quickly googled a Basic authentication sample. First link, and I have a controller method that uses Basic authentication. This is how the GUI looks to the user.
Seems quite secure, so I type in my user name and super-strong long password.
Then I hit log in and catch the traffic using Fiddler. Let's see the request headers.
GET http://localhost:6105/secure HTTP/1.1
Authorization: Basic QWxpY2U6Skgsd21udmwqNjczMDVAOzt3alVXRVVO
All is good, but the user name and the password are encoded in the Authorization header. One doesn't need to be a magician to decode the user name and the password; this functionality has been in Fiddler for a long time.
And with a few lines of code I do the same in C#
So make sure you don't use Basic authentication over plain HTTP, and better yet, disable it in IIS.
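A defender's check for captures like the one above, as an added example that is not the author's C# snippet: it parses raw request headers, decodes the Basic token (plain Base64, no key involved) and flags credentials sent without TLS, reporting only the username and the password length. The list of captured requests is constructed; the first entry reuses the Authorization value shown in the post.

```python
import base64
import binascii

# Constructed sample of captured requests as (scheme, raw header block) pairs,
# modelled on the Fiddler capture in the post. The first Authorization value
# is the one shown in the post; the second is a constructed "user:pass".
CAPTURED_REQUESTS = [
    ("http", "GET http://localhost:6105/secure HTTP/1.1\r\n"
             "Authorization: Basic QWxpY2U6Skgsd21udmwqNjczMDVAOzt3alVXRVVO\r\n"
             "Host: localhost:6105\r\n"),
    ("https", "GET /secure HTTP/1.1\r\n"
              "Authorization: Basic dXNlcjpwYXNz\r\n"
              "Host: example.test\r\n"),
    ("http", "GET / HTTP/1.1\r\nHost: localhost:6105\r\n"),
]


def parse_headers(raw):
    """Split a raw request into a dict of lower-cased header name -> value."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(value):
    """Return (username, password) from a 'Basic <token>' value, or None.
    Base64 is an encoding, not encryption: anyone on the path can reverse it."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                          # malformed token, not Basic creds
    user, sep, password = creds.partition(":")
    return (user, password) if sep else None


def find_cleartext_basic(requests):
    """Flag requests carrying Basic credentials over a non-TLS scheme.
    Findings record the username and password length only, never the password."""
    findings = []
    for scheme, raw in requests:
        creds = decode_basic(parse_headers(raw).get("authorization", ""))
        if creds and scheme != "https":
            findings.append({"user": creds[0], "password_len": len(creds[1])})
    return findings
```

Run `find_cleartext_basic(CAPTURED_REQUESTS)` against your own proxy captures to confirm no Basic credentials travel over plain HTTP after disabling it in IIS.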