Security overview

Discussion in 'ASP .Net Security' started by Arturo Buonanni, Mar 17, 2006.

  1. I'm a programmer new to ASP.NET and web development in general.

    I'm going to code a web application and I'm concerned about the
    security issues that arise on this field (that's new to me).

    I'm using VWD2005 Express Ed. and I've read the online help about
    security.

    Now I've a doubt about one thing. The online help states that you have
    to validate every user input against script exploits and SQL injection
    and that's quite fair. But it also states that ASP.NET validates every
    "request" against potentially harmful values (i.e. scripts).
    Now, if ASP.NET doesn't allow dangerous values in the request for
    pages, how can one use script exploits? Why code against script exploits
    in every page if dangerous values are not meant to ever reach the page?

    I'm new to web development as I've said so I'm probably missing
    something and I'd like to know what it is.

    Thanks.
     
    Arturo Buonanni, Mar 17, 2006
    #1

  2. Hi Arturo,
    please check AntiXSS Library:
    http://www.programmazione.it/index.php?entity=eitem&idItem=33147.

    Paolo





    "Arturo Buonanni" <> wrote in
    message news:Xns97899EE018350Arturo.Buonanni@207.46.248.16...
     
    Paolo De Nictolis, Eng. [441410], Mar 17, 2006
    #2

  3. Hi Paolo,

    Thanks for your reply.

    I found the article very interesting but it failed to answer my former
    question.
    From what I understand, an XSS attack consists in the attacker redirecting a
    visitor to a victim web site while inserting his own script in a field
    (hidden or unnoticed) of the web site so that when the user interacts with
    the web site the code is executed.

    If this is correct then my question arises again. If the ASP.NET
    framework validates all form field input for harmful values (let's
    say script identifiers), how can the attacker's code be executed?

    That's my point.

    From what I read in the article it seems that the ASP.NET protection
    could be faulty, being based on "black lists" instead of "white lists"
    and so being unable to handle new script identifiers of new harmful
    code. Is that the reason?

    Anyway I still don't understand why MS advises you in the online help to
    validate all user input against special characters if the ASP.NET
    framework already does it. In this way they are covertly saying that
    the ASP.NET protection doesn't always work.

    I'm still a bit confused about this.

    Paolo De Nictolis, Eng. [441410] wrote:

     
    Arturo Buonanni, Mar 20, 2006
    #3
  4. hi,

    reasons are

    a) black vs. white listing
    b) the ValidateRequest feature was bugged in the past - don't rely on it
    c) only the most obvious characters are blocked, like '<' otherwise there
    would be too many false positives
    d) you may need to accept characters which are considered illegal - and you
    have to turn off the automatic validation
    e) does not find more subtle attacks

    ValidateRequest is a defense-in-depth measure meant to augment *not* replace
    input validation.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 20, 2006
    #4
  5. Ok, so it seems that the ASP.NET protection against malicious code is
    just a basic one that needs to be enhanced with coder work.

    Given that I've no need to allow any HTML tag and that my users only
    need to input plain text, would HTMLEncode() and URLEncode() be enough
    for this?

    Are there any other countermeasures that must be implemented in order to
    build a secure site (apart from authentication and authorization that
    I give as assumptions)?

    Dominick Baier [DevelopMentor] wrote:

     
    Arturo Buonanni, Mar 20, 2006
    #5
  6. hi,

    building secure sites is not only about throwing in some countermeasures
    - it is a combination of

    - Threat Modeling leading to

    - prevention
    - detection
    - reaction

    good input validation is a prereq - but there is more

    auth & authZ, least privilege, server hardening, error handling, logging
    & instrumentation, data & communication protection etc...

    HtmlEncode is OK if you are emitting the output to HTML - if you are concatenating
    input into script blocks - this won't help you.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 20, 2006
    #6
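Dominick's points in #4 and #6 in code: validate plain-text input against a white list instead of relying on ValidateRequest's blacklist, and choose the output encoder by the context the value lands in, because HtmlEncode covers HTML output but not a script block. This is an added example, not code from the thread; the class and method names are hypothetical and it assumes a .NET 2.0 or later project referencing System.Web.

```csharp
// Added example, not from the thread: whitelist the input you actually need,
// then encode output for the context it is emitted into. Class and method
// names are hypothetical; assumes a .NET 2.0+ project referencing System.Web.
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

static class OutputContexts
{
    // White list: only the characters plain-text fields need, with a length cap.
    // Unlike ValidateRequest's blacklist of '<' and friends, anything outside
    // this set is rejected, so new "script identifiers" need no new rule.
    static readonly Regex PlainText =
        new Regex(@"^[\p{L}\p{Nd} .,!?()'-]{1,200}$", RegexOptions.Compiled);

    public static bool IsPlainText(string input)
    {
        return input != null && PlainText.IsMatch(input);
    }

    // HTML body or a quoted attribute: HtmlEncode is the right tool.
    public static string ForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // Inside a JavaScript string literal the script engine does not decode
    // HTML entities, and HtmlEncode leaves '\' and (on .NET 2.0) the single
    // quote alone, so a value that was only HtmlEncode'd can still close the
    // literal or the <script> block. Escape everything outside a small safe
    // set as \uXXXX; .NET 4 ships HttpUtility.JavaScriptStringEncode for this.
    public static string ForJavaScriptString(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length * 2);
        foreach (char c in value)
        {
            if (char.IsLetterOrDigit(c) || c == ' ' || c == '.' || c == ',')
                sb.Append(c);
            else
                sb.AppendFormat("\\u{0:x4}", (int)c);
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample: a double quote and a closing tag, the characters
        // that matter in the two output contexts.
        string untrusted = "Ann \"</script>";

        // Fails the white list, so a plain-text field should reject it outright.
        Console.WriteLine("plain text? " + IsPlainText(untrusted));

        // If the value must be displayed anyway, pick the encoder by context.
        Console.WriteLine("<p>" + ForHtml(untrusted) + "</p>");
        Console.WriteLine("<script>var who = '" + ForJavaScriptString(untrusted) + "';</script>");
    }
}
```

The same value needs a different encoder for a URL parameter (UrlEncode) or a CSS value; one encoder per output context is the rule, not one encoder per input.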
  7. Hi Dominick,

    Thanks for your reply.

    I understand that. I've already read most of the documentation
    concerning security present on the VWD online help and downloaded some
    more.

    I'm now facing the usual coder "dilemma". On one side, my boss asks
    me to "produce" something in the shortest term possible. On the other
    side I don't want to release a "security" weak solution.

    Given that I don't have the time to extend my knowledge to fully
    include all security aspects related to web application development, I
    need to know which actions I, as a coder, can take to build the most
    secure solution possible.

    Also consider that this solution will probably be hosted on someone
    else's web server so all issues related to the server's configuration
    are out of my reach. I can only assume (and maybe verify) that our
    host is putting all effort into securing his servers.

    From what I've read, related to coding, I must take care of:
    - authentication;
    - authorization (restricting users' access to resources to the least
    needed);
    - input and output validation;
    - error handling;
    - securing configuration.

    Is there anything else I can take care of, not being able to configure
    the web server to my own needs?

    While we are on the topic, I've a question about configuration
    encryption.

    If I encrypt sections of my web.config on my dev. machine using
    aspnet_regiis, will the server be able to decrypt them?

    Aren't encryption keys specific to each asp.net installation?

    Thanks for the help.


    On Mon, 20 Mar 2006 10:56:31 +0000 (UTC), Dominick Baier
    [DevelopMentor] <> wrote:

     
    Arturo Buonanni, Mar 20, 2006
    #7
  8. Hi,

    yeah - that's the usual dilemma - you will learn a lot in your first "secure
    application" - maybe you should reserve some budget for penetration testing.

    Logging and Instrumentation is an important one too.

    re encrypted config

    it depends which provider you use - DPAPI is machine specific - RSA keys
    can be exported and installed on different machines.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Mar 20, 2006
    #8
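The provider choice Dominick describes (DPAPI bound to the machine, RSA key containers exportable) is what decides whether a section encrypted on the dev box decrypts on the host. Added example, not from the thread: the programmatic equivalent of aspnet_regiis -pe / -pd with -prov; the class name and the "/MyApp" application path are hypothetical, and it assumes a project referencing System.Configuration and System.Web.

```csharp
// Added example, not from the thread: protect one web.config section with an
// explicitly chosen protected-configuration provider. Class name and "/MyApp"
// are hypothetical; assumes references to System.Configuration and System.Web.
using System;
using System.Configuration;
using System.Web.Configuration;

static class ConfigProtection
{
    // Built-in provider names shipped with ASP.NET 2.0.
    // DPAPI: key lives in this machine's DPAPI store, so ciphertext produced
    // on the dev box is unreadable on the hosting server.
    const string DpapiProvider = "DataProtectionConfigurationProvider";
    // RSA: key container (default "NetFrameworkConfigurationKey") can be
    // exported with aspnet_regiis -px ... -pri, imported on the host with
    // aspnet_regiis -pi, and read access granted to the worker-process
    // account with aspnet_regiis -pa; then the same ciphertext decrypts there.
    const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts (protect == true) or decrypts one section of the application's
    // web.config in place. Requires write access to the file.
    public static void Protect(string appPath, string sectionName,
                               string provider, bool protect)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("section not found: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (protect && !info.IsProtected)
            info.ProtectSection(provider);      // provider name is recorded in
        else if (!protect && info.IsProtected)  // configProtectionProvider="..."
            info.UnprotectSection();

        config.Save(ConfigurationSaveMode.Modified);
    }

    static void Main()
    {
        // Use RSA when the encrypted file must travel to another machine;
        // DPAPI only when encryption and decryption happen on the same box.
        Protect("/MyApp", "connectionStrings", RsaProvider, true);
        Console.WriteLine("connectionStrings now protected with " + RsaProvider);
    }
}
```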
  9. Hi Dominick,

    Thank you for your quick reply.

    So I'm now ready to start (like a lamb to the wolves).

    About penetration testing, how can I arrange for that?

    Are there some services that offer it?


    On Mon, 20 Mar 2006 11:41:31 +0000 (UTC), Dominick Baier
    [DevelopMentor] <> wrote:

    >Hi,
    >
    >yeah - that's the usual dilemma - you will learn a lot in your first "secure
    >application" - maybe you should reserve some budget for penetration testing.
    >
    >Logging and Instrumentation is an important one too.
    >
    >re encrypted config
    >
    >it depends which provider you use - DPAPI is machine specific - RSA keys
    >can be exported and installed on different machines.
    >
    >---------------------------------------
    >Dominick Baier - DevelopMentor
    >http://www.leastprivilege.com
    >
    >> Hi Dominick,
    >>
    >> Thanks for your reply.
    >>
    >> I understand that. I've already read most of the documentation
    >> concerning security present in the VWD online help and downloaded some
    >> more.
    >>
    >> I'm now facing the usual coder "dilemma". On one side, my boss asks
    >> me to "produce" something in the shortest term possible. On the other
    >> side I don't want to release a security-weak solution.
    >>
    >> Given that I don't have the time to extend my knowledge to fully
    >> include all security aspects related to web application development, I
    >> need to know which actions I, as a coder, can take to build the most
    >> secure solution possible.
    >>
    >> Also consider that this solution will probably be hosted on someone
    >> else's web server, so all issues related to the server's configuration
    >> are out of my reach. I can only assume (and maybe verify) that our
    >> host is putting in all effort to secure his servers.
    >>
    >> From what I've read, related to coding, I must take care of:
    >> - authentication;
    >> - authorization (restricting users' access to resources to the least
    >> needed);
    >> - input and output validation;
    >> - error handling;
    >> - securing configuration.
    >> Is there anything else I can take care of, not being able to configure
    >> the web server to my own needs?
    >>
    >> While we are on the topic, I have a question about configuration
    >> encryption.
    >>
    >> If I encrypt sections of my web.config on my dev. machine using
    >> aspnet_regiis, will the server be able to decrypt them?
    >>
    >> Aren't encryption keys specific to each ASP.NET installation?
    >>
    >> Thanks for the help.
    >>
    >> On Mon, 20 Mar 2006 10:56:31 +0000 (UTC), Dominick Baier
    >> [DevelopMentor] <> wrote:
    >>
    >>> hi,
    >>>
    >>> building secure sites is not only about throwing in some
    >>> countermeasures - it is a combination of
    >>>
    >>> - Threat Modeling leading to
    >>>
    >>> - prevention
    >>> - detection
    >>> - reaction
    >>> good input validation is a prereq - but there is more
    >>>
    >>> auth & authZ, least privilege, server hardening, error handling,
    >>> logging & instrumentation, data & communication protection etc...
    >>>
    >>> HtmlEncode is OK if you are emitting the output to HTML - if you are
    >>> concatenating input into script blocks - this won't help you.
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> Ok, so it seems that the ASP.NET protection against malicious code is
    >>>> just a basic one that needs to be enhanced with the coder's work.
    >>>>
    >>>> Given that I've no need to allow any HTML tag and that my users only
    >>>> need to input plain text, would HTMLEncode() and URLEncode() be
    >>>> enough for this?
    >>>>
    >>>> Are there any other countermeasures that must be implemented in order
    >>>> to build a secure site (apart from authentication and authorization
    >>>> that I give as assumptions)?
    >>>>
    >>>> Dominick Baier [DevelopMentor] wrote:
    >>>>
    >>>>> hi,
    >>>>>
    >>>>> reasons are
    >>>>>
    >>>>> a) black vs. white listing
    >>>>> b) the ValidateRequest feature was bugged in the past - don't rely
    >>>>> on it
    >>>>> c) only the most obvious characters are blocked, like '<'
    >>>>> otherwise there would be too many false positives
    >>>>> d) you may need to accept characters which are considered illegal -
    >>>>> and you have to turn off the automatic validation
    >>>>> e) does not find more subtle attacks
    >>>>> ValidateRequest is a defense-in-depth measure meant to augment,
    >>>>> *not* replace, input validation.
    >>>>> ---------------------------------------
    >>>>> Dominick Baier - DevelopMentor
    >>>>> http://www.leastprivilege.com
    >>>>>> Hi Paolo,
    >>>>>>
    >>>>>> Thanks for your reply.
    >>>>>>
    >>>>>> I found the article very interesting but it failed to answer my
    >>>>>> former question.
    >>>>>> From what I understand, an XSS attack consists in the attacker
    >>>>>> redirecting a visitor to a victim web site while inserting his
    >>>>>> own script in a field (hidden or unnoticed) of the web site so
    >>>>>> that when the user interacts with the web site the code is executed.
    >>>>>> If this is correct then my question arises again. If the ASP.NET
    >>>>>> framework validates all form fields' input for harmful values
    >>>>>> (let's say script identifiers), how can the attacker's code be
    >>>>>> executed?
    >>>>>> That's my point.
    >>>>>> From what I read from the article it seems that the ASP.NET
    >>>>>> protection could be faulty, being based on "black lists" instead of
    >>>>>> "white lists" and being so unable to handle new script identifiers
    >>>>>> of new harmful code. Is that the reason?
    >>>>>>
    >>>>>> Anyway I still don't understand why MS advises you in the online
    >>>>>> help to validate all user input against special characters if the
    >>>>>> ASP.NET framework already does it. In this way they are covertly
    >>>>>> saying that the ASP.NET protection doesn't always work.
    >>>>>>
    >>>>>> I'm still a bit confused about this.
    >>>>>>
    >>>>>> Paolo De Nictolis, Eng. [441410] wrote:
    >>>>>>
    >>>>>>> Hi Arturo,
    >>>>>>> please check AntiXSS Library:
    >>>>>>> http://www.programmazione.it/index.php?entity=eitem&idItem=33147.
    >>>>>>> Paolo
    >>>>>>> "Arturo Buonanni" <>
    >>>>>>> wrote in message
    >>>>>>> news:Xns97899EE018350Arturo.Buonanni@207.46.248.16...
    >>>>>>>> I'm a programmer new to ASP.NET and web development in general.
    >>>>>>>>
    >>>>>>>> I'm going to code a web application and I'm concerned about the
    >>>>>>>> security issues that arise on this field (that's new to me).
    >>>>>>>>
    >>>>>>>> I'm using VWD2005 Express Ed. and I've read the online help
    >>>>>>>> about security.
    >>>>>>>>
    >>>>>>>> Now I have a doubt about one thing. The online help states that
    >>>>>>>> you have to validate every user input against script exploits and
    >>>>>>>> SQL injection, and that's quite fair. But it also states that
    >>>>>>>> ASP.NET validates every "request" against potentially harmful
    >>>>>>>> values (i.e. scripts). Now, if ASP.NET doesn't allow dangerous
    >>>>>>>> values in the request for pages, how can one use script exploits?
    >>>>>>>> Why code against script exploits in every page if dangerous
    >>>>>>>> values are not meant to ever reach the page?
    >>>>>>>>
    >>>>>>>> I'm new to web development, as I've said, so I'm probably missing
    >>>>>>>> something and I'd like to know what it is.
    >>>>>>>>
    >>>>>>>> Thanks.
    >>>>>>>>

    Arturo Buonanni, Mar 20, 2006
    #9
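Arturo's configuration question in this post (encrypt web.config on the dev machine, will the host be able to decrypt it?) and Dominick's answer (DPAPI is machine-specific, RSA key containers can be exported and imported) map directly onto ASP.NET's protected-configuration API. The C# below is an added example, not code from the thread or from Microsoft: it encrypts or decrypts one section with a chosen provider and reports which provider protects it, so a deployment step can refuse to ship a DPAPI-protected file to a different machine. It assumes .NET Framework 2.0 or later with System.Configuration.dll and System.Web.dll referenced and an IIS site registered at the placeholder virtual path "/MyApp"; the class and method names are made up for the illustration, while the two provider names are the real built-in ones.

```csharp
// Added example, not code from the thread or from Microsoft. Assumes .NET
// Framework 2.0+ with System.Configuration and System.Web referenced, and an
// IIS site at the placeholder virtual path "/MyApp".
using System;
using System.Configuration;
using System.Web.Configuration;

static class ConfigProtection
{
    // The two providers that ship with ASP.NET (real names).
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider   = "RsaProtectedConfigurationProvider";

    // Encrypt one section of web.config in place with the chosen provider.
    // Choose by deployment model, not convenience:
    //  - DPAPI: the key lives in this machine's store, so only this machine
    //    can decrypt. Fine when the production server encrypts its own file.
    //  - RSA: the key sits in a named key container that can be exported from
    //    the dev box and imported on the host, so the ciphertext survives the move.
    public static void Protect(string virtualPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = RequireSection(config, sectionName);
        if (section.SectionInformation.IsProtected)
            return;                                    // already encrypted; leave it alone
        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true;   // persist even if the XML looks unchanged
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Decrypt a section again, for editing on a machine that holds the key.
    public static void Unprotect(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = RequireSection(config, sectionName);
        if (!section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Name of the provider currently protecting the section, or null when the
    // section is stored in clear text.
    public static string ProviderOf(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = RequireSection(config, sectionName);
        SectionInformation info = section.SectionInformation;
        return info.IsProtected ? info.ProtectionProvider.Name : null;
    }

    // Pre-deployment check: DPAPI ciphertext is bound to the encrypting machine,
    // so copying it to the host would leave the site unable to read its own
    // config. RSA ciphertext moves with the key container; clear text "moves"
    // too, but that is the unsafe case this whole exercise is meant to avoid.
    public static bool IsPortable(string virtualPath, string sectionName)
    {
        return ProviderOf(virtualPath, sectionName) != DpapiProvider;
    }

    private static ConfigurationSection RequireSection(Configuration config, string name)
    {
        ConfigurationSection section = config.GetSection(name);
        if (section == null)
            throw new ArgumentException("No such section in web.config: " + name);
        return section;
    }

    static void Main()
    {
        const string app = "/MyApp";   // placeholder virtual path
        Protect(app, "connectionStrings", RsaProvider);
        Console.WriteLine("connectionStrings protected by: " + ProviderOf(app, "connectionStrings"));
        Console.WriteLine("safe to copy to another machine: " + IsPortable(app, "connectionStrings"));
        // At run time nothing changes for the application code: ConfigurationManager
        // and WebConfigurationManager decrypt transparently when the key is present.
    }
}
```

Moving the RSA key is the part aspnet_regiis handles, and it is what makes Dominick's "can be exported and installed on different machines" work in practice: `aspnet_regiis -pc MyAppKeys -exp` creates an exportable container, `aspnet_regiis -px MyAppKeys keys.xml -pri` exports it with the private key, `aspnet_regiis -pi MyAppKeys keys.xml` imports it on the host, and `aspnet_regiis -pa MyAppKeys "NT AUTHORITY\NETWORK SERVICE"` grants the application pool identity read access (MyAppKeys and keys.xml are placeholder names). web.config then needs a `<configProtectedData>` entry declaring an RsaProtectedConfigurationProvider with `keyContainerName="MyAppKeys"`, and that declared provider name, rather than the built-in default, is what gets passed to Protect. The exported keys.xml is the decryption key for every section it protects, so it is handled like the connection-string password itself and deleted once imported. On a shared host where the operator will not import a container or grant ACLs, the alternative that still avoids clear-text secrets is to let the server encrypt the file itself with DPAPI after deployment.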