How Deep are your Defenses?

So, you have built your secured web application. You have enabled ASP.NET’s handy authentication and authorization features. But have you done enough? No, not at all. What happens if you forget to deploy the web.config controlling access to the application’s administrative folder? Or if an attacker gains access to the box by exploiting your database and references your business logic layers? Or if an attacker finds a SQL injection and starts writing directly to the database? In many cases, the short answer is “bad things”, oftentimes leading to unemployment.

But it need not be so easy for an attacker. There are a number of tactics one can use to extend security beyond the web interface. Like a good army, you must practice defense in depth in order to protect the application.

As noted above, hardening the surface is easy—ASP.NET provides some very robust and flexible authentication and authorization features. And with version 2.0 it even provides some limited end-to-end solutions in the MembershipProviders and RoleProviders. But that just protects the surface—much like an eggshell, your application is hardish on the outside but very easily penetrable beyond the shell. Rather than relying upon the shell to provide security, you should implement a defense in depth to mitigate any effects of the shell being cracked.

Diving into the Business Logic

Far and away the easiest way to defend the Business Logic Layer is to take advantage of the .NET Framework’s security features, in particular the PrincipalPermissionAttribute. This attribute can be applied to any class, method, or property. If the Principal Permission check fails, a SecurityException is thrown. For example, let’s say you have a Customer object which should not be accessed by an unauthenticated user. You could simply decorate the object with a principal permission like so:

  using System.Security.Permissions;

  // Every member of Customer now demands an authenticated caller;
  // an unauthenticated principal gets a SecurityException.
  [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
  public class Customer
  {
      // code for your customer object.
  }

Or, let’s say you had an application where the requirements state that only administrators should be able to add users to roles, a feature you encapsulated in the AddRole(string) method. You could make certain no user could, say, add themselves to the Admins group, with code like this:

  using System.Security.Permissions;

  // Only a principal whose IsInRole("Admins") returns true may call this method;
  // anyone else gets a SecurityException before the body runs.
  [PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
  public void AddRole(string role)
  {
      // code to add the role
  }

In addition to providing an easy way to backstop all security, the IPrincipal interface is very useful for situations such as logging and auditing user actions. Just capture a reference to the principal object where necessary and use the IPrincipal.Identity.Name property to record just who is doing what to what.

There is one other massive advantage to using techniques like the above to embed security into your business logic libraries: security becomes much more testable. Testing a web interface is generally a manual job, whereas there are a number of unit testing frameworks available for .NET—such as NUnit or MbUnit—which allow for very quick and easy tests of PrincipalPermissions. All you need to do is replace System.Threading.Thread.CurrentPrincipal with a properly constructed GenericPrincipal and look for SecurityExceptions as appropriate. And, with the NUnit GUI, you can even take a pretty screenshot for the boss to prove it.
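As an added example (not code from the original post), here is what such a test fixture looks like. It assumes .NET Framework (declarative PrincipalPermission is not supported on .NET Core/.NET 5+), NUnit 2.5 or later for Assert.Throws and Assert.DoesNotThrow, and a hypothetical RoleManager class that mirrors the AddRole method above. Each test swaps Thread.CurrentPrincipal for a GenericPrincipal with the identity and roles under test, then restores the original principal so tests do not leak state into one another.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using NUnit.Framework;

// Hypothetical class under test; mirrors the page's AddRole example.
public class RoleManager
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
    public void AddRole(string user, string role)
    {
        // business logic to add 'user' to 'role' would go here
    }
}

[TestFixture]
public class RoleManagerSecurityTests
{
    private IPrincipal _originalPrincipal;

    [SetUp]
    public void SaveCurrentPrincipal()
    {
        _originalPrincipal = Thread.CurrentPrincipal;
    }

    [TearDown]
    public void RestoreCurrentPrincipal()
    {
        // Never leave a test-constructed principal on the thread.
        Thread.CurrentPrincipal = _originalPrincipal;
    }

    // Install a constructed principal; an empty name yields an
    // identity whose IsAuthenticated is false (GenericIdentity semantics).
    private static void RunAs(string name, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
    }

    [Test]
    public void Admin_CanAddRole()
    {
        RunAs("alice", "Admins");
        Assert.DoesNotThrow(() => new RoleManager().AddRole("bob", "Editors"));
    }

    [Test]
    public void NonAdmin_CannotAddSelfToAdmins()
    {
        RunAs("bob", "Users");
        Assert.Throws<SecurityException>(() => new RoleManager().AddRole("bob", "Admins"));
    }

    [Test]
    public void Anonymous_CannotAddRole()
    {
        RunAs(""); // unauthenticated, no roles
        Assert.Throws<SecurityException>(() => new RoleManager().AddRole("bob", "Admins"));
    }
}
```

The interesting property is that these tests exercise the business layer directly, with no web server, no browser and no forms-authentication cookie involved: if someone later removes or loosens the attribute, the NonAdmin and Anonymous tests go red regardless of what the web.config says.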

Beyond the Business Logic and Into the Data

The final line of defense in most web applications lies in the underlying datastore, typically an RDBMS of some sort. With ASP.NET, more often than not, that data store is a Sql Server. In one of those accidents of history, Sql Server is capable of being very, very secure, but oftentimes the floodgates are left open by a combination of administrative and developer error. And, especially with regard to Sql Server 2000, this can lead to very, very bad things. Look at this video [56k beware] for what the combination of a misconfigured Sql Server installation and a poorly-coded website can do for you.

As for securing Sql Server itself, there are a few basic steps that need to be taken at installation. The principal one is to make certain the database service is not running in the LOCAL SYSTEM context but rather as a restricted user account. This limits the damage that can be done in worst-case scenarios. But this task is oftentimes well beyond the responsibility of the developer and as such cannot quite be relied upon.

From an application development perspective, there are many things that can be done to prevent Sql Injection scenarios from ever taking place in your ASP.NET applications. First and foremost, make sure to restrict your web application’s user accounts. There are absolutely no scenarios where the web application’s user account needs db_owner rights; if it requires full read/write access on all tables, use db_datareader and db_datawriter—though one could argue that all INSERTs/UPDATEs/DELETEs should take place through stored procedures. But under no circumstances that I have seen has it been justified to give a web application rights to control access to a database. Never mind some scenarios where pure developer laziness required the web application to run with full sysadmin rights.
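Because the account restriction is usually done by a DBA and silently undone later, it is worth having the application verify it. The following start-up self-check is an added example, not code from the original post: it asks SQL Server, through the built-in IS_SRVROLEMEMBER and IS_MEMBER functions, whether the login the web application connects with is a member of sysadmin, db_owner or db_securityadmin, and refuses to start if it is. The connection string is assumed to be supplied by the caller (for instance from Application_Start in Global.asax).

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example: fail fast if the web application's database account is
// more privileged than the post recommends (no db_owner, never sysadmin).
public static class DbPrivilegeCheck
{
    // Returns a list of problems; an empty array means the account is acceptably restricted.
    public static string[] FindOverPrivileges(string connectionString)
    {
        // IS_SRVROLEMEMBER / IS_MEMBER return 1 when the current login/user is a
        // member of the named role, 0 when not, and NULL if the role is unknown.
        const string sql =
            "SELECT IS_SRVROLEMEMBER('sysadmin')    AS IsSysAdmin, " +
            "       IS_MEMBER('db_owner')          AS IsDbOwner, " +
            "       IS_MEMBER('db_securityadmin')  AS IsSecurityAdmin";

        List<string> problems = new List<string>();
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                r.Read();
                if (IsOne(r, 0)) problems.Add("login is a member of the sysadmin server role");
                if (IsOne(r, 1)) problems.Add("user is a member of db_owner");
                if (IsOne(r, 2)) problems.Add("user is a member of db_securityadmin");
            }
        }
        return problems.ToArray();
    }

    // Treat NULL (role does not exist) as "not a member".
    private static bool IsOne(IDataRecord r, int index)
    {
        return !r.IsDBNull(index) && Convert.ToInt32(r.GetValue(index)) == 1;
    }

    // Call once at application start-up; throwing here keeps an
    // over-privileged deployment from ever serving a request.
    public static void EnforceRestrictedAccount(string connectionString)
    {
        string[] problems = FindOverPrivileges(connectionString);
        if (problems.Length > 0)
        {
            throw new InvalidOperationException(
                "Web application database account is over-privileged: " +
                string.Join("; ", problems));
        }
    }
}
```

The check deliberately runs with the application's own credentials rather than an administrative login, so it reports exactly the privileges an attacker who compromised the application would inherit.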

Second, and possibly more important, one should always take advantage of ADO.NET parameters to pass data to the database. For example, this is bad:

  using System.Data.SqlClient;

  // BAD: the caller's input is pasted straight into the SQL text, so a single
  // quote in 'input' changes the statement rather than the value being matched.
  public void badSql(SqlConnection conn, string input)
  {
      string sql = "SELECT * FROM Beers WHERE Type='{0}'";
      SqlCommand cmd = conn.CreateCommand();
      cmd.CommandText = string.Format(sql, input);
      // execute command
  }

And this is how the same method should be coded:

  using System.Data;
  using System.Data.SqlClient;

  // GOOD: the SQL text is fixed and the input travels as a typed parameter,
  // so whatever it contains is compared against Type, never parsed as SQL.
  public void goodSql(SqlConnection conn, string input)
  {
      string sql = "SELECT * FROM Beers WHERE Type=@Type";
      SqlParameter param = new SqlParameter("@Type", SqlDbType.VarChar);
      param.Value = input;
      SqlCommand cmd = conn.CreateCommand();
      cmd.CommandText = sql;
      cmd.Parameters.Add(param);
      // execute command
  }

In addition to defending against Sql Injection, using parameterized statements is easier for your database server to digest and cache.

Finally, there is one more option for defending the database: using separate security contexts for access. For example, I develop many applications that have three front-ends: a public web application, which needs to SELECT a lot and INSERT very rarely; an application to manage the website, which needs full access to the database; and finally a web service application which needs to do a fair amount of both SELECTing and INSERTing, but only in limited ways. In the database server, I assign each application a different role and allow each of them access to only the stored procedures and tables it needs. This means that, should I leave a data access method exposed which should not be exposed, the call will still fail because that application’s role cannot reach the data.

Made it this far? First, go and secure your web applications from end to end. Second, remember to kick this post. And last, make sure to check out the handy ASP.NET security resources Scott Guthrie posted (scroll down to the bulleted lists).


Posted 2006-11-10
