I am on a project that involves processing financial information, and so I need to write secure asp.net pages using C# 2008 (https etc)
Can anyone recomment any tutorials then can help me understand more about writing secure asp.net apps?
Thanks
There's a whole book on this topic, Dominick Baier's Developing More-Secure Microsoft ASP.NET 2.0 Applications. It is outstanding, and has a ton of features and techniques that you won't find anywhere else, at least not without a lot of digging. I've used this book for web security design on two projects, and I highly recommend it.
EDIT TO ADD: Second recommendation, Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World. While much of the code in this book is about unmanaged code, the sections on understanding good security development practices, threat modeling, etc., really tell you what you need to be thinking about as you design and evaluate your web site's security issues.
If you are interested in using a SSL certificate to secure your site and its pages, keep in mind SSL is a technology that is in place at the Transport layer, meaning it is independent of what programming framework or language you are using. SSL certificates are installed either via IIS or the MMC certificates snap-in on the server/pc.
There are a few steps involved in using an SSL cert with IIS:
Generate a Certificate Request in IIS
Submit the Cert request to a trusted Certificate Authority (3rd party vendor such as Verisign, DigiCert, Thawte, etc.)
Install Certificate provided by vendor on server and apply it to your website
For testing, you can use makecert.exe to generate self-signed certificates. These will work in your browser for testing your app, but should never be used in production. Here's a good stackoverflow answer that suits your needs:
Using makecert for Development SSL
Once you go into production, you'll need a cert from a real Certificate Authority. Once you chose a vendor they will have specific instructions on how to generate the certificate. I recently used DigiCert and was happy with them.
In addition to implementing a SSL certificate, you of course need to make your actual website/application secure using authentication, roles, etc.
Here's a good primer to the asp.net security features:
http://msdn.microsoft.com/en-us/library/aa302388.aspx
Here is a good place to start:
The Anti Cross Site Scripting library from Microsoft:
http://channel9.msdn.com/posts/Jossie/Anti-XSS-Library-v31-Find-Fix-and-Verify-Errors/
Also, I'd assume you are going use Verisign. Here is a good link from Microsoft:
http://support.microsoft.com/kb/293817
Edit: I should also add, one thing to note. Don't have any Internet facing data that is sensitive. If you don't need it, don't collect or store it on the server that is exposed to the Internet.
Fiddler is a great way to try to spoof data in your own application to see if there is a security hole there are video tutorials on how to do this on the download site: http://www.fiddler2.com/fiddler2/
Here are some more tutorials on security from Microsoft including crypto:
http://msdn.microsoft.com/en-us/library/ms978512.aspx
Another good overview on security: http://davidhayden.com/blog/dave/archive/2005/10/23/2527.aspx
One last good link, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication: http://msdn.microsoft.com/en-us/library/aa302387.aspx
Also, a stackoverflow question that is related: What measures should I take to secure my multi-tier ASP.NET application?
Related
I need of an information. I'm new in develop web application. I should use php and javascritp but it 's possible, in the future, I could use other languase like Java. During these days I'm following a course on the best practice to write secure code.
Is there any guide/book or any other valid resource, where I can find an explanation about the differrent kind of attaks on a web application and the ways to solve them?
Thanks
Luca
If you're looking for resources to secure your applications on the internet, the first thing to try is OWASP, or Open Web Application Security Project. Here are some useful articles about what you're looking for:
OWASP: Web Security Testing Guide
OWASP: Cheatsheets
OWASP: General Information
All of the resources above will show you the recommended ways to secure your web application against threats. I think it's more than enough for the first step in the security world.
Our Penetration testing Team is suggesting to configure Public Key Pinning Extension for HTTP at IIS level.
Wikipedia says it’s a deprecated security mechanism. And most of the blogs and articles not recommending pinning because it involves a huge risk.
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning
https://threatpost.com/google-to-ditch-public-key-pinning-in-chrome/128679/
Is it any good to have PKP on a Web site?
Please Advice.
What I can make sure is that compared to websites that don’t use any certificates or encrypted connections, public key pinning can make connection safer. When Google first introduced PKP, it was used to add a layer of security for web clients.
But after so long of technological changes, more safer technologies appear, which make PKP looks not perfect.
By terminating the connection PKP can help protect end users from man-in-the-middle (MITM) attacks. One way a MITM attack can happen is when an attacker uses a fraudulent certificate to create a spoofed site in order to harvest user’s personal information.
Now it seems that PKP is not safe, few websites use it, and even many browsers are giving up support for it. I think your Penetration testing Team know this, but why they insist on using it, you need to ask them. They may have some specail reason for using PKP.
I work as a developer for a young company, and I also develop personal projects. These are mainly C# and python apps. Our company purchased a code-signing certificate from a CA to avoid the "unknown publisher" warnings and some antivirus protection issues, but I wanted to avoid that cost for personal projects.
From my understanding, the only way to accomplish this is using a certificate from a trusted CA, but then why would one use a self-signed certificate? I know that they exist, but since most users aren't going to edit their trust stores, what do they realistically accomplish?
note: I'm asking specifically about code-signing certs, not SSL or otherwise
Self signed certificates are best suited for development , test and learning environments.
No where else you should be thinking about them
Certificates establish trust. It is impossible to trust a certificate that anyone can create because anyone else can also create one, e.g., a self signed certificate allows a man in the middle attack.
Your question is mixing several issues, and I think that's what's causing the trouble. A commercial CA is useful in exactly one, and only one, situation: where you need a third-party that everyone trusts. They are useless, and actually a determent, in cases where you do not want that.
So a commercial code-signing CA is useful for signing public web sites. A commercial CA is less useful for signing private API certificates (though on some platforms, particularly iOS, there are reasons to use one anyway).
Similarly, a commercial CA is useful if you have an OS that trusts that CA for code-signing. If you're on a recent version of macOS, however, then you really need one that's signed specifically by Apple.
But if you control the platform yourself, for example in an embedded system or a plugin engine, it is completely appropriate to self-sign the binaries. "Self-sign" just means "using the root certificate." There's nothing magical about commercial roots. They're "self-signed." It's just that others trust them. If you don't need anyone's trust but yourself, then using your own root is better than a commercial one.
(There are some details I'm glossing over here to get to the core point. In particular, often "self-signed" are really secondary certificates that are rooted to some self-signed cert. That's something that's normal for commercial certs, and good practice even if you create your own root. But the basic intuitions are the same.)
If the question is specifically "why would I use a self-signed cert for signing Windows binaries outside of a controlled environment like an enterprise," then the answer is you probably shouldn't, and why do you think you should? But for the general problem of "code signing" across all possible platforms, there are many cases where using your own root is ideal. And inside an enterprise, signing your own binaries is very normal.
We're developing a mobile application with Xamarin which will operate on Android and iOS initially, with plans to port to Windows phone in the future (if the 3 people who use it scream loud enough).
The nature of the data being transmitted and the actions that this application will allow (SSO into another read/write system) we want to take every step we can to secure the data transfer layer as much as possible.
Naturally this takes us down the path of SSL/TLS Certificate Pinning (in addition to other mitigations in the API calls themselves) to protect the clients from connecting to MITM proxies and the like.
We operate the API endpoint and have complete control of the certificates and thus we are comfortable with storing public keys in the app to pin to, as we will be able to update our certs and deploy with new pins in sufficient time. All certificates are valid 3rd party signed certs (not self signed).
Unfortunately it appears that doing the SSL Pinning with Xamarin is not performed very often, as we've found it difficult to find implemented examples.
OWASP provide some .NET sample SSL Pinning code which uses ServicePointManager.ServerCertificateValidationCallback to provide a callback to check the SSL pin; but doesn't specifically mention it working under Xamarin.
Additional Google searches for this code often returns people using it to do the exact opposite of what we're wanting - they use it reduce the SSL certificate checking, not increase it!
I can see one answer which suggests this approach works OK Android and iOS - but I'm most interested in specific experiences in around using this in Xamarin, specifically Xamarin.Forms, to pin SSL/TLS Certificates.
I have validated that SSL/TLS Key Pinning works on Android (though only in an emulator at this point) using ServicePointManager.ServerCertificateValidationCallback
What is the easiest free method of encrypting my web traffic? I'd like to be able to log in to sites on my web server without sending my password in plaintext.
Edit: My web server is running on the LAMP stack , although it is a shared host so I don't have root.
Get an X.509 certificate (for example, generating your own, or getting one free from StartSSL), and use it to set up SSL—a server-specific configuration task.
If you can't configure a new listener in your web server, there's not really a good option. In theory you could do a little hacking with some JavaScript crypto library, like JavaScrypt, and come up with something safe. I've toyed with several options but I don't know enough about it to come up with anything I feel confident about.
I don't know your circumstances, but if it were me, I'd consider another host.
https
Use a self-signed certificate.
Tell us your web server software for a detailed implementation description!
Since you don't have root your best bet is to contact your hosting provider and see what they can do for you. You may already have SSL access (try using https://yourdomain.com) using a self-certified key.
You should be able to talk them into installing a StartSSL key for you. This provides you with SSL encryption and browsers won't complain that it isn't signed by a valid Certificate Authority.
As stated above, publishing your own certification is free, however knowing more about your environment, may get you more specific answers. Are you running IIS? What will you be logging into that needs encryption? Are you using Windows Servers on the back end?
use Digest Authentication. Since you're on LAMP, you can configure it on Apache with mod_auth_digest.
Since you are trying to reduce costs, any ssl solutions will probably not be an option.
First it requires a signed certificate that cost a bit, the free ones is not always included in all web browsers.
Second to be able to utilize an ssl certificate your server ip must be dedicated to you. This is not the case in every cheap web hosting option. There are technologies that in the future will make it possible to host multiple ssl enabled sites on a single ip, but it's not here yet.
As mentioned before Digest Authentication is one option that doesn't require ssl certificate or dedicated ip.
It's a method of authentication that doesn't reveal your password even though everything else in the communication is unprotected.
In Apache this can be applied in individual directories by specific .htaccess files.
I'll repeat the previous link on mod_auth_digest.
This one is usually already installed on most servers so you won't have to ask you web hosting provider.
You don't always require root access to setup Apache to use SSL, but you will likely need to modify config files, which is either done thru your providers interface, or via files via a shell account. Either way you will need a server certificate; either self-signed, from a major company like Verisign, or one of the smaller free places like cacert.org. As noted by others, this does require a dedicated IP to your server or instance on the server.
I would recommend SSL first, but mod_auth_digest isn't a bad backup idea.