ASP.net { or any web application } security

Discussion in 'ASP .Net Security' started by Bashar Naffa, Apr 18, 2007.

  1. Bashar Naffa

    Bashar Naffa Guest

    Hi all,

    I'm wondering how I can prevent this scenario:

    I have an ASP.NET application, not using any kind of ASP.NET security model
    [neither Windows nor Forms auth].
    A client can save a complete copy of the web site locally, change any
    JavaScript function, then change the Action attribute in the form tag to
    point to the same page again, and it will submit.

    My question is: I want my website to be accessed only through my own web site's
    links or requests; I don't want to accept the previous scenario, and I don't
    want to accept any custom HTTP request coming from outside my internal web site.
    I can't depend on the HTTP Referer, because it can easily be changed through
    HTTP sniffing tools or packet editor tools.

    Any advice???

    Bashar
     
    Bashar Naffa, Apr 18, 2007
    #1

  2. Well - you could generate one-time IDs that are only valid for a short period
    of time - you could append these to links as a query string.

    An HttpModule could check the appended IDs for validity...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, Apr 18, 2007
    #2
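    Dominick's suggestion, worked through as an added example (this is not code from the thread or from his book): an HttpModule that rejects form posts unless they carry an HMAC-signed, expiring token bound to the caller's session id, so a copy saved from one session and posted from another fails. The hidden-field name `__rt`, the hard-coded key and the 30-minute lifetime are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Issues and validates short-lived request tokens bound to the caller's ASP.NET session.
public class RequestTokenModule : IHttpModule
{
    // Hypothetical key: load it from configuration in a real deployment, never hard-code it.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-a-random-secret");
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30); // assumed; long enough for big forms
    public void Init(HttpApplication app) { app.PostAcquireRequestState += OnPostAcquireRequestState; }
    public void Dispose() { }
    // Token format: "<expiry ticks>:<hex HMAC-SHA256 over expiry and session id>".
    public static string Issue(string sessionId, DateTime nowUtc)
    {
        long expiry = nowUtc.Add(Lifetime).Ticks;
        return expiry + ":" + Mac(expiry + "|" + sessionId);
    }
    public static bool IsValid(string token, string sessionId, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split(':');
        long expiry;
        if (parts.Length != 2 || !long.TryParse(parts[0], out expiry)) return false;
        if (nowUtc.Ticks > expiry) return false;                             // expired token
        return FixedTimeEquals(Mac(expiry + "|" + sessionId), parts[1]);    // tampered or foreign token
    }
    private static string Mac(string data)
    {
        using (var h = new HMACSHA256(Key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(data))).Replace("-", "");
    }
    // Compare without early exit so a wrong MAC does not leak timing information.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    private void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null || ctx.Request.HttpMethod != "POST") return;  // guard form posts only
        string token = ctx.Request.Form["__rt"] ?? ctx.Request.QueryString["__rt"];
        if (IsValid(token, ctx.Session.SessionID, DateTime.UtcNow)) return;
        ctx.Response.StatusCode = 403;   // stale, tampered or other-session token: reject the post
        ctx.Response.End();
    }
}
```

    Each page emits the token in a hidden field from `RequestTokenModule.Issue(Session.SessionID, DateTime.UtcNow)`. This stops stale and cross-session posts but not a user editing a copy of their own page, so every field still needs server-side validation.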

  3. Bashar Naffa

    Bashar Naffa Guest

    hi Dominick

    Thanks for your reply. I already thought of your idea, which produces a token and
    an expiry time, but I don't think this will solve the problem. For example, you
    set the expiry as 1 min for every request; then the hacker can save the HTML
    and replace whatever he wants within 1 min and submit it back. You got me?
    Also, think of big, huge forms to fill in: the user may not finish filling in the
    forms within that expiry time, so his submit will fail!

    By the way, I have another question for you, as a security expert: can any
    tool, application, technology, etc. change the "HTTP Referer" for any
    HTTP request header??

    Thanks in advance
    Bashar
     
    Bashar Naffa, Apr 18, 2007
    #3
  4. > By the way, I have another question for you, as a security expert: can
    > any tool, application, technology, etc. change the "HTTP
    > Referer" for any HTTP request header??



    what do you mean?


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, Apr 18, 2007
    #4
  5. Bashar Naffa

    Bashar Naffa Guest

    What I mean is:
    do you know the "REFERER" key in the HTTP header? It tells the server from
    which URI that request was redirected.
    For example,
    you are on Page1.aspx and click on a link that will navigate you to Page2.aspx.
    Check Request.Headers["Referer"] in the load event of Page2.aspx, and you
    find the value of the URI Page1.aspx.

    In that way, you can detect where your requests are coming from: from
    inside your application, or from other sites or local copies.

    My question is: can the attacker change this Referer manually so he can
    fake this validation? Like what happens in phishing, for example.

    I hope this was clear.


     
    Bashar Naffa, Apr 18, 2007
    #5
  6. Hi,

    yes this is easily possible - have a look at www.fiddlertool.com


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, Apr 18, 2007
    #6