ASP.NET Application Configuration Security Tips

The following tips are simple, yet effective to maintain a portion of ASP.NET application security.

Web.config vulnerabilities: Default Error Message

When custom errors are disabled, ASP.NET gives a detailed default error message to clients.
Vulnerable configuration:

Secure configuration:

Web.config vulnerabilities: Leaving Tracing Enabled in Web-Based Applications

Trace feature of ASP>NET can be used to ensure application security but it can also be used by an attacker to attack Web-based applications if it is left enabled in a production environment.

Vulnerable configuration:

Secure configuration:

Web.config Vulnerabilities: Enabled Debugging

Installing web applications in a debug mode is a common mistake that make applications vulnerable. To allow web application debugging, Visual Studio 2005 automatically modifies Web.config file.

The deployment of the ASP>NET applications is a simple process and which can compromise application security.

Vulnerable configuration:

Secure configuration:

Web.config Vulnerabilities: Cookies Accessible through Client-Side Script

Disabling cookies in client systems help to protect Web-based applications from Cross-Site Scripting attacks.

Vulnerable configuration:

Secure configuration:

Web.config Vulnerabilities: Enabled Cookieless Session State

The best way to prevent session hijacking is forcing the web application to use cookies for storing session token.

Vulnerable configuration:

Secure configuration:

Web.config Vulnerabilities: Enabled Cookieless Authentication

Disable cookieless authentication and use cookie to store authentication tokens to prevent session hijacking in Web-based applications.

Vulnerable configuration:

Secure configuration:

Web.config Vulnerabilities: Failure to Require SSL for Authentication Cookies.

Use SSL in Web-based applications and force the application to authenticate only in SSL.

Vulnerable configuration:

Secure configuration:

Web.config Vulnerabilities: Sliding Expiration.

When an authentication token is stolen, set the session timeout setting to minimize the risk.

Vulnerable configuration:

Secure configuration:

Web.config Vulnerabilities: Non-Unique Authentication Cookie

On multiple web based applications unique cookie names must be defiend to avoid duplication. Globaly Unique Identifier(GUIDs) can be used.

“.ASPXAUTH” is the default value for the authentication cookie.

Vulnerable configuration:

Secure configuration:

Web.config Vulnerabilities: Hardcoded Credential

Avoiding the login credentials in configuration file is the best way of securing web application.

Vulnerable configuration:

<forms>

…

</credentials>

</forms>

Secure configuration:

<forms>

</forms>

Securing Session and View State

If ASP.NET application use view state, ensure the integrity of the view state by:

<% @ Page enableViewStateMac = true%>

This causes the ASP.NET to generate Message Authentication Code (MAC) on the page’s view state when the page is posting back from client. Configure the validation attribute on the “machine.config” file to specify the type of encryption to use for data validation. Use (3DES) for encryption.