ASP.net { or any web application } security

Bashar Naffa

Hi all,

I'm wondering how I can prevent this scenario:

I have an ASP.NET application, not using any kind of ASP.NET security model
[neither Windows nor Forms Auth].
A client can save a complete copy of the web site locally; he can change any
JavaScript function, then change the Action attribute in the form tag to
point to the same page again, and it will submit.

My question is: I want my website to be accessed only through my own web site
links or requests. I don't want to accept the previous scenario, and I also
don't want to accept any custom HTTP request coming out of my internal web site.
I can't depend on the HTTP Referer, because it can easily be changed through
HTTP sniffing tools or packet editor tools.

Any advice???

Bashar
 
Dominick Baier

Well - you could generate one-time IDs that are only valid for a short period
of time - you could append these to links as a query string.

An HttpModule could check the appended IDs for validity...
 
Bashar Naffa

Hi Dominick,

Thanks for your reply. I already thought of your idea, which produces a token
and an expiry time, but I don't think this will solve the problem. For example,
you set the expiry to 1 minute for every request; then the hacker can save the
HTML, replace whatever he wants within 1 minute, and submit it back. You get me?
Also, think of big, huge forms to fill in: the user may not finish filling in
the form within that expiry time, so his submit will fail!

By the way, I have another question for you, as a security expert: can any
tool, application, technology, etc. change the "HTTP Referer" for any HTTP
request header?

Thanks in advance,
Bashar
--


Dominick Baier said:
Well - you could generate one-time IDs that are only valid for a short period
of time - you could append these to links as a query string.

An HttpModule could check the appended IDs for validity...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
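The token scheme Dominick describes, and the two objections raised in the post above, can be seen concretely in a small language-neutral example. This is an added illustration, not code from either poster and not an ASP.NET HttpModule (which is where an ASP.NET site would place the `verify_token` check); the session ids, form name, catalogue and prices are constructed sample data. It shows a token signed with a server-side HMAC key, bound to the session and the form, single-use, and with an expiry long enough for a large form. It also shows why the token on its own does not settle the first objection: a user who edits the saved HTML and submits within the window still holds a valid token, so the handler must validate every field server-side and take sensitive values such as prices from its own data, never from the form.

```python
"""Time-limited, session-bound form tokens, and the server-side checks they do not replace.

Added illustration for this thread, not code from the original posts. The HMAC-signed
token is the language-neutral core of what an HttpModule would check; the session ids,
form name, catalogue and prices below are constructed sample data.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Server-side secret; in a real deployment this comes from protected configuration.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 30 * 60      # long enough to fill in a big form
SEEN_NONCES = set()              # each token is accepted once (replay defence)


def _sign(session_id: str, form_name: str, expiry: str, nonce: str) -> str:
    """HMAC over everything the token is bound to, so no part can be altered."""
    msg = "|".join((session_id, form_name, expiry, nonce)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, form_name: str, now: Optional[float] = None) -> str:
    """Return 'expiry:nonce:mac', bound to this session and this form."""
    now = time.time() if now is None else now
    expiry = str(int(now) + TOKEN_TTL_SECONDS)
    nonce = secrets.token_hex(8)
    return f"{expiry}:{nonce}:{_sign(session_id, form_name, expiry, nonce)}"


def verify_token(token: str, session_id: str, form_name: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Accept only an unexpired, unused token whose MAC matches this session and form."""
    now = time.time() if now is None else now
    try:
        expiry, nonce, mac = token.split(":")
    except ValueError:
        return False, "malformed"
    expected = _sign(session_id, form_name, expiry, nonce)
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"    # tampered, or issued for another session/form
    if int(expiry) < now:
        return False, "expired"
    if nonce in SEEN_NONCES:
        return False, "replayed"
    SEEN_NONCES.add(nonce)
    return True, "ok"


# Constructed sample catalogue: prices (in cents) come from here, never from the form.
CATALOGUE = {"book-101": 1200, "pen-7": 150}


def handle_order(form: Dict[str, str], session_id: str,
                 now: Optional[float] = None) -> Tuple[int, str]:
    """Request handler: token check first, then validate every field server-side."""
    ok, reason = verify_token(form.get("token", ""), session_id, "order", now)
    if not ok:
        return 403, f"rejected token: {reason}"
    item = form.get("item")
    if item not in CATALOGUE:
        return 400, "unknown item"
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return 400, "quantity not an integer"
    if not 1 <= qty <= 10:
        return 400, "quantity out of range"
    # A valid token shows the request came through a form we issued; it says nothing
    # about whether hidden fields were edited, so any client-supplied 'price' is ignored.
    total = CATALOGUE[item] * qty
    return 200, f"order accepted, total {total} cents"


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_token("sess-A", "order", now=t0)
    print(handle_order({"token": tok, "item": "book-101", "qty": "2", "price": "1"}, "sess-A", now=t0))
    print(handle_order({"token": tok, "item": "book-101", "qty": "2"}, "sess-A", now=t0))   # replay
```

The Referer header is deliberately absent from the check: it is sent by the client, so, like the hidden fields, it can only ever be advisory; the signature over session, form, expiry and nonce is what the server actually trusts.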
 
Dominick Baier

By the way, I have another question for you, as a security expert: can any
tool, application, technology, etc. change the "HTTP Referer" for any HTTP
request header?


what do you mean?


 
Bashar Naffa

What I mean is:
Do you know the "Referer" key in an HTTP request header? It tells the server
from which URI the request was redirected.
For example:
You are on Page1.aspx and click a link that navigates you to Page2.aspx.
Check Request.Headers["Referer"] in the Load event of Page2.aspx; you will
find the URI of Page1.aspx as its value.

In that way, you can detect where your requests are coming from: from inside
your application, or from other sites or local copies.

My question is: can the attacker change this Referer manually so he can fake
this validation, like what happens in phishing, for example?

I hope this was clear.


Dominick Baier said:
By the way, I have another question for you, as a security expert: can any
tool, application, technology, etc. change the "HTTP Referer" for any HTTP
request header?


what do you mean?


 
Dominick Baier

Hi,

yes this is easily possible - have a look at www.fiddlertool.com


 
