
Beginning ASP.NET Security


Barry Dorrans

ISBN: 978-0-470-74365-2

Mar 2010

436 pages


$44.99

Description

Programmers: protect and defend your Web apps against attack!

You may know ASP.NET, but if you don't understand how to secure your applications, you need this book. This vital guide explores the often-overlooked topic of teaching programmers how to design ASP.NET Web applications so as to prevent online thefts and security breaches.

You'll start with a thorough look at ASP.NET 3.5 basics and see what happens when you don't implement security, including some amazing examples. The book then delves into the development of a Web application, walking you through the vulnerable points at every phase. Learn to factor security in from the ground up, discover a wealth of tips and industry best practices, and explore code libraries and more resources provided by Microsoft and others.

  • Shows you step by step how to implement the very latest security techniques
  • Reveals the secrets of secret-keeping—encryption, hashing, and not leaking information to begin with
  • Delves into authentication, authorizing, and securing sessions
  • Explains how to secure Web servers and Web services, including WCF and ASMX
  • Walks you through threat modeling, so you can anticipate problems
  • Offers best practices, techniques, and industry trends you can put to use right away

Defend and secure your ASP.NET 3.5 framework Web sites with this must-have guide.

ACKNOWLEDGMENTS xi

INTRODUCTION xxi

CHAPTER 1: WHY WEB SECURITY MATTERS 1

CHAPTER 2: HOW THE WEB WORKS 15

CHAPTER 3: SAFELY ACCEPTING USER INPUT 39

CHAPTER 4: USING QUERY STRINGS, FORM FIELDS, EVENTS, AND BROWSER INFORMATION 65

CHAPTER 5: CONTROLLING INFORMATION 87

CHAPTER 6: KEEPING SECRETS SECRET — HASHING AND ENCRYPTION 117

CHAPTER 7: ADDING USERNAMES AND PASSWORDS 151

CHAPTER 8: SECURELY ACCESSING DATABASES 185

CHAPTER 9: USING THE FILE SYSTEM 207

CHAPTER 10: SECURING XML 225

CHAPTER 11: SHARING DATA WITH WINDOWS COMMUNICATION FOUNDATION 255

CHAPTER 12: SECURING RICH INTERNET APPLICATIONS 289

CHAPTER 13: UNDERSTANDING CODE ACCESS SECURITY 315

CHAPTER 14: SECURING INTERNET INFORMATION SERVER (IIS) 329

CHAPTER 15: THIRD-PARTY AUTHENTICATION 359

CHAPTER 16: SECURE DEVELOPMENT WITH THE ASP.NET MVC FRAMEWORK 385

MVC Framework 398

INDEX 399

Errata

Page 80 (Error in Code, 7/31/11)

Code lines:

  if (csrfCookie.Value.Equals(tokenField))
      throw new Exception("Mismatched CSRF tokens");

should read:

  if (!csrfCookie.Value.Equals(tokenField))
      throw new Exception("Mismatched CSRF tokens");
Chapter 6, page 128 (Typo in code, 15 February 2010)

Third line in both pieces of code on this page:

  // Create an instance of our encyrption algorithm.

should read:

  // Create an instance of our encryption algorithm.
Chapter 6, page 133 (Typo in figure caption, 15 February 2010)

Caption to Figure 6-2: "Key use in symmetric encryption" should read "Key use in asymmetric encryption".
Page 197 (Error in Text, 4/27/10)

The section "Adding a user to a database" should read:

Just because a login exists and can connect to SQL Server doesn't mean it gains access to any databases. You must first grant an account access to the database. You can do this with the following SQL command:

USE [exampleDatabase]
GO
CREATE USER Olle FOR LOGIN Olle;
GO

This command creates a user within the database it is run in; in this example you first switch to the database exampleDatabase and then create a user Olle within it for the SQL login account Olle. The user you create in a database does not have to have a name that matches the actual login. If you want to create a user for a Windows login that has already been granted access to SQL Server, you use the full Windows login details in the command, for example:

CREATE USER NetworkService FOR LOGIN [Puck\Network Service];

This command creates a user NetworkService for the Network Service account on the machine Puck, assuming you have already granted that Windows account access to the SQL server as described previously in "Connecting without Passwords". You can use square brackets, [ and ], to enclose user names or account names if they contain spaces.

However, adding a user to a database is only the first step; these new user accounts cannot do anything without some further work.
Page 199 (Error in Text, 4/27/10)

... remove permissions from everyone else, as shown here:

DENY SELECT ON employee TO Public

should be:

As you can imagine, salary is sensitive data, and you would not want anyone who has not been authorized to view it. If you cannot use stored procedures, you can use views to limit access. First, you remove permissions on the table itself from everyone in the Public role using the following command:

DENY SELECT ON employee TO Public

Then you specifically grant table permissions to those who are allowed access (the Accounting role, for example, for ad-hoc reporting) using the following command:

GRANT SELECT ON employee TO Accounting
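As an added worked example (not from the book or its errata), the following T-SQL script carries the page 197 and page 199 corrections through end to end against a constructed database: it maps the two logins to database users, denies Public direct reads of the employee table, and exposes a salary-free view to everyone. It assumes the SQL login Olle and the Windows login [Puck\Network Service] already exist at the server level, and it goes one step beyond the page by giving the Accounting role its salary access through a second view, because every database user is a member of Public and a DENY to Public overrides a direct GRANT on the table for Accounting's members as well.

```sql
-- Added example (not from the book or its errata). Constructed objects:
-- the database exampleDatabase, the employee table, the Accounting role
-- and both views. Assumes the SQL login Olle and the Windows login
-- [Puck\Network Service] already exist at the server level.
USE [exampleDatabase];
GO
-- p.197: a login can connect to the server but reaches no database until a
-- database user is mapped to it; the user name need not match the login.
CREATE USER Olle FOR LOGIN Olle;
CREATE USER NetworkService FOR LOGIN [Puck\Network Service];
GO
CREATE ROLE Accounting;
ALTER ROLE Accounting ADD MEMBER Olle;  -- SQL Server 2012+; earlier: sp_addrolemember
GO
CREATE TABLE dbo.employee (
    EmployeeId INT           NOT NULL PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    Department NVARCHAR(50)  NOT NULL,
    Salary     MONEY         NOT NULL
);
GO
-- p.199: nobody reads the table directly. Every database user belongs to
-- Public and a DENY overrides a GRANT, so this blocks Accounting too; the
-- role therefore gets its salary access through a view as well.
DENY SELECT ON dbo.employee TO Public;
GO
-- Both views are owned by dbo, as is the table, so ownership chaining skips
-- the permission check (and the DENY) on the table when a view is queried.
CREATE VIEW dbo.EmployeeDirectory AS
    SELECT EmployeeId, FullName, Department FROM dbo.employee;  -- no Salary
GO
CREATE VIEW dbo.EmployeePayroll AS
    SELECT EmployeeId, FullName, Department, Salary FROM dbo.employee;
GO
GRANT SELECT ON dbo.EmployeeDirectory TO Public;      -- everyone, without salary
GRANT SELECT ON dbo.EmployeePayroll   TO Accounting;  -- ad-hoc payroll reporting
GO
-- Check: the first two queries succeed; the third raises error 229,
-- "The SELECT permission was denied on the object 'EmployeePayroll' ...".
EXECUTE AS USER = 'Olle';
    SELECT TOP (1) Salary FROM dbo.EmployeePayroll;
REVERT;
EXECUTE AS USER = 'NetworkService';
    SELECT TOP (1) FullName FROM dbo.EmployeeDirectory;
    SELECT TOP (1) Salary FROM dbo.EmployeePayroll;
REVERT;
```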
Chapter 10, page 251 (Change in Code)

Change in Code Listing 10-11:

  public static bool VerifySignature(XmlDocument document, out X509Certificate signingCertificate)
  {
      // Create a new SignedXml object and load
      // the signed XML document.
      SignedXml signedXml = new SignedXml(document);

      // Find the "Signature" node and create a new
      // XmlNodeList object.
      XmlNodeList nodeList = document.GetElementsByTagName("Signature");
      if (nodeList.Count <= 0)
      {
          throw new CryptographicException("No signature found.");
      }

      // Load the first Signature node.
      signedXml.LoadXml((XmlElement)nodeList[0]);

      signingCertificate = null;

      // Extract the signing certificate.
      foreach (KeyInfoClause keyInfoClause in signedXml.