Beginning ASP NET Security
BEGINNING
ASP.NET SECURITY
INTRODUCTION xxi
CHAPTER 1 Why Web Security Matters 1
PART I THE ASP.NET SECURITY BASICS
CHAPTER 2 How the Web Works 15
CHAPTER 3 Safely Accepting User Input 39
CHAPTER 4 Using Query Strings, Form Fields, Events, and Browser Information 65
CHAPTER 5 Controlling Information 87
CHAPTER 6 Keeping Secrets Secret — Hashing and Encryption 117
PART II SECURING COMMON ASP.NET TASKS
CHAPTER 7 Adding Usernames and Passwords 151
CHAPTER 8 Securely Accessing Databases 185
CHAPTER 9 Using the File System 207
CHAPTER 10 Securing XML 225
PART III ADVANCED ASP.NET SCENARIOS
CHAPTER 11 Sharing Data with Windows Communication Foundation 255
CHAPTER 12 Securing Rich Internet Applications 289
CHAPTER 13 Understanding Code Access Security 315
CHAPTER 14 Securing Internet Information Server (IIS) 329
CHAPTER 15 Third-Party Authentication 359
CHAPTER 16 Secure Development with the ASP.NET MVC Framework 385
INDEX 399
BEGINNING
ASP.NET Security
Barry Dorrans
A John Wiley and Sons, Ltd., Publication
Beginning ASP.NET Security
This edition first published 2010
© 2010 John Wiley & Sons, Ltd
Registered office
John Wiley & Sons Ltd,
The Atrium, Southern Gate,
Chichester, West Sussex, PO19 8SQ,
United Kingdom
For details of our global editorial offices, for customer services and for information about how to apply for permission to
reuse the copyright material in this book please see our website at www.wiley.com.
The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright,
Designs and Patents Act 1988.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK
Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available
in electronic books.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and
product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective
owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed
to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding
that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is
required, the services of a competent professional should be sought.
ISBN: 978-0-470-74365-2
A catalogue record for this book is available from the British Library
Set in 9.5/12 Sabon Roman at MacMillan Publishing Solutions
Printed in Great Britain by Bell and Bain, Glasgow
To mum, who asked me more about the book's progress
almost as often as the long-suffering Wrox staff did.
And to Emilicon, who had to put up with my stress
and frustration when the words didn’t come.
ABOUT THE AUTHOR
BARRY DORRANS is a consultant based in the United
Kingdom, a public speaker, and Microsoft MVP in the
“Visual Tools — Security” category. His development
experience started out with a Sinclair ZX Spectrum,
graduating through IBM PCs, minicomputers,
mainframes, C++, SQL, Visual Basic, and the .NET
framework. His approach to development and speaking
blends humor with the paranoia suitable for considering
security. In recent years, Barry has mentored developers
through the full lifecycle of ASP.NET development,
worked on the SubText Open Source blogging platform,
and started his own Open Source project for Information
Card identity providers, SharpSTS. Born in Northern
Ireland, he still misses the taste of real Guinness.
ACKNOWLEDGMENTS
CLICHÉD THOUGH IT IS, there are too many people to thank individually. I would like to specifically
acknowledge the help and inspiration of two fellow Microsoft MVPs — Dominick Baier (who has
been my main sounding board) and Alex Smolen (my Technical Editor, who has been there to catch
my mistakes and point out what I missed).
I’d also like to thank those folks in various Microsoft teams who have put up with my questions,
queries, and misunderstandings with good humor over the years, and during the writing process,
especially the UK DPE team, without whose help I doubt I’d learn anywhere near as much.
Part of the confidence to write this book has come from my involvement with the UK developer
community, especially the DeveloperDeveloperDeveloper conferences. It would be impossible to
thank everyone who has let me speak, or come along to listen, but I would like to give special
thanks to community leaders and fellow authors Craig Murphy and Phil Winstanley for their
unflinching support of both my speaking engagements and their advice, as well as to
Trevor Dwyer, who bullied me into my very first conference presentation all those years ago.
CREDITS
ASSOCIATE PUBLISHER
Chris Webb
ASSISTANT EDITOR
Colleen Goldring
PUBLISHING ASSISTANT
Ellie Scott
DEVELOPMENT EDITOR
Kevin Shafer
TECHNICAL EDITOR
Alex Smolen
PROJECT EDITOR
Juliet Booker
CONTENT EDITOR
Juliet Booker
COPY EDITOR
Richard Walshe
SENIOR MARKETING MANAGER
Louise Breinholt
MARKETING EXECUTIVE
Kate Batchelor
COMPOSITOR
Macmillan Publishing Solutions, Chennai, India
PROOF READER
Alex Grey
INDEXER
Jack Lewis – j&j Indexing
COVER IMAGE
© technotr/istockphoto
VP CONSUMER AND TECHNOLOGY PUBLISHING
DIRECTOR
Michelle Leete
ASSOCIATE PRODUCTION DIRECTOR BOOK
CONTENT MANAGEMENT
Martin Tribe
CONTENTS
ACKNOWLEDGMENTS xi
INTRODUCTION xxi
CHAPTER 1: WHY WEB SECURITY MATTERS 1
Anatomy of an Attack 2
Risks and Rewards 5
Building Security from the Ground Up 6
Defense in Depth 8
Never Trust Input 8
Fail Gracefully 8
Watch for Attacks 8
Use Least Privilege 8
Firewalls and Cryptography Are Not a Panacea 9
Security Should Be Your Default State 9
Code Defensively 10
The OWASP Top Ten 10
Moving Forward 12
Checklists 12
PART I: THE ASP.NET SECURITY BASICS
CHAPTER 2: HOW THE WEB WORKS 15
Examining HTTP 15
Requesting a Resource 16
Responding to a Request 18
Sniffing HTTP Requests and Responses 19
Understanding HTML Forms 22
Examining How ASP.NET Works 30
Understanding How ASP.NET Events Work 30
Examining the ASP.NET Pipeline 34
Writing HTTP Modules 34
Summary 37