The following tips are simple yet effective ways to maintain part of an ASP.NET application's security.
Web.config Vulnerabilities: Default Error Message
When custom errors are disabled, ASP.NET returns a detailed default error message to clients.
Vulnerable configuration:
...
<customErrors mode="RemoteOnly" />
Web.config Vulnerabilities: Leaving Tracing Enabled in Web-Based Applications
The ASP.NET trace feature can be used to help secure an application, but if it is left enabled in a production environment an attacker can also use it to attack the web-based application.
Vulnerable configuration:
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>
Web.config Vulnerabilities: Enabled Debugging
Deploying web applications in debug mode is a common mistake that leaves them vulnerable. To allow debugging of the web application, Visual Studio 2005 modifies the Web.config file automatically.
Deploying an ASP.NET application is a simple process, and a debug setting carried over from development can compromise application security.
Vulnerable configuration:
<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
Web.config Vulnerabilities: Cookies Accessible through Client-Side Script
Keeping cookies out of reach of client-side script (the HttpOnly flag) helps protect web-based applications from cross-site scripting attacks.
Vulnerable configuration:
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
Web.config Vulnerabilities: Enabled Cookieless Session State
The best way to prevent session hijacking is to force the web application to use cookies for storing the session token.
Vulnerable configuration:
<configuration>
  <system.web>
    <sessionState cookieless="UseUri" />
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <sessionState cookieless="UseCookies" />
  </system.web>
</configuration>
Web.config Vulnerabilities: Enabled Cookieless Authentication
Disable cookieless authentication and use a cookie to store authentication tokens to prevent session hijacking in web-based applications.
Vulnerable configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseUri" />
    </authentication>
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
Web.config Vulnerabilities: Failure to Require SSL for Authentication Cookies
Use SSL in web-based applications and force the application to authenticate only over SSL.
Vulnerable configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="false" />
    </authentication>
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
Web.config Vulnerabilities: Sliding Expiration
If an authentication token is stolen, a fixed session timeout limits how long it can be used. Disable sliding expiration so that the timeout is not renewed on every request, which minimizes the risk.
Vulnerable configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="false" />
    </authentication>
  </system.web>
</configuration>
Web.config Vulnerabilities: Non-Unique Authentication Cookie
When multiple web-based applications are hosted together, a unique cookie name must be defined for each to avoid duplication. Globally Unique Identifiers (GUIDs) can be used.
".ASPXAUTH" is the default value for the authentication cookie name.
Vulnerable configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" />
    </authentication>
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="abdd9234mdssdo4......" />
    </authentication>
  </system.web>
</configuration>
Web.config Vulnerabilities: Hardcoded Credentials
Keeping login credentials out of the configuration file is the best way of securing the web application.
Vulnerable configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms>
        <credentials>
          ...
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms>
      </forms>
    </authentication>
  </system.web>
</configuration>
Securing Session and View State
If an ASP.NET application uses view state, ensure the integrity of the view state with:
<%@ Page EnableViewStateMac="true" %>
This causes ASP.NET to generate a Message Authentication Code (MAC) over the page's view state when the page posts back from the client. Configure the validation attribute of the machineKey element in machine.config to specify the type of encryption to use for data validation. Use 3DES for encryption.
<machineKey validationKey="AutoGenerate|value"
            decryptionKey="AutoGenerate|value"
            validation="SHA1|MD5|3DES" />
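The Web.config checks listed above, gathered into one audit function. This is an added example, not code from the original page; the defaults it assumes for attributes that are absent from the file are taken from the ASP.NET documentation, and the sample Web.config is constructed for the example.

```python
import xml.etree.ElementTree as ET

FORMS = "system.web/authentication/forms"
# (element path under <configuration>, attribute, assumed ASP.NET default when absent, weak-value test, finding)
CHECKS = [
    ("system.web/customErrors", "mode", "RemoteOnly", lambda v: v == "off", "detailed errors sent to clients"),
    ("system.web/trace", "enabled", "false", lambda v: v == "true", "tracing enabled"),
    ("system.web/trace", "localOnly", "true", lambda v: v == "false", "trace output reachable remotely"),
    ("system.web/compilation", "debug", "false", lambda v: v == "true", "debug compilation enabled"),
    ("system.web/httpCookies", "httpOnlyCookies", "false", lambda v: v != "true", "cookies readable by script"),
    ("system.web/sessionState", "cookieless", "UseDeviceProfile", lambda v: v != "usecookies", "session id may be in URL"),
    (FORMS, "cookieless", "UseDeviceProfile", lambda v: v != "usecookies", "auth ticket may be in URL"),
    (FORMS, "requireSSL", "false", lambda v: v != "true", "auth cookie sent without SSL"),
    (FORMS, "slidingExpiration", "true", lambda v: v != "false", "stolen ticket keeps being renewed"),
    (FORMS, "name", ".ASPXAUTH", lambda v: v == ".aspxauth", "default auth cookie name"),
]

def audit(web_config_xml: str) -> list:
    """Return findings for one Web.config document as (path, attribute, value, message) tuples."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for path, attr, default, is_weak, message in CHECKS:
        node = root.find(path)
        # A missing element or attribute means ASP.NET applies its default (assumed values above).
        value = node.get(attr, default) if node is not None else default
        if is_weak(value.strip().lower()):
            findings.append((path, attr, value, message))
    # Hard-coded credentials have no attribute to test: flag the element itself.
    if root.find(FORMS + "/credentials") is not None:
        findings.append((FORMS + "/credentials", "", "", "login credentials stored in Web.config"))
    return findings

# Constructed sample: a deployment left in every vulnerable state described above.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" />
    <httpCookies httpOnlyCookies="false" />
    <sessionState cookieless="UseUri" />
    <authentication mode="Forms">
      <forms cookieless="UseUri" requireSSL="false" slidingExpiration="true" name=".ASPXAUTH">
        <credentials passwordFormat="Clear"><user name="admin" password="placeholder" /></credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""
```

Calling `audit(SAMPLE_WEB_CONFIG)` returns eleven findings, one per weakness the sample deliberately contains, and an empty list for a Web.config that applies every secure configuration shown above.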