<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://weblogs.asp.net/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Top ASP.NET Items : Security</title><link>http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx</link><description>Tags: Security</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>More on medium trust: what permission are you missing?</title><link>http://weblogs.asp.net/topaspnetitems/archive/2009/12/04/more-on-medium-trust-what-permission-are-you-missing.aspx</link><pubDate>Fri, 04 Dec 2009 18:51:13 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:7270856</guid><dc:creator>Tales from the Evil Empire</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=7270856</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2009/12/04/more-on-medium-trust-what-permission-are-you-missing.aspx#comments</comments><description>Yesterday, I asked some questions about your usage of medium trust . Thank you all for the great answers and comments (but don’t read too much into that, I’m just playing with stuff). If you haven’t answered yet, feel free to do so . Now I have an additional question: What missing permission is preventing you from running in medium trust? Please answer in comments. And thanks again for the great feedback. 
(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2009/12/04/more-on-medium-trust-what-permission-are-you-missing.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=7270856" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/.NET/default.aspx">.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category></item><item><title>How important is medium trust to you?</title><link>http://weblogs.asp.net/topaspnetitems/archive/2009/12/04/how-important-is-medium-trust-to-you.aspx</link><pubDate>Fri, 04 Dec 2009 05:05:54 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:7270205</guid><dc:creator>Tales from the Evil Empire</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=7270205</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2009/12/04/how-important-is-medium-trust-to-you.aspx#comments</comments><description>I would be very grateful if you could drop me a note in comments answering the following questions: Do you run all, some or none of your web sites in medium trust? Why do you choose to run in that trust level? Are your sites externally hosted and if so does your hoster constrain the trust level? Don’t read anything into this, I’d just like to see some different opinions on medium trust. 
(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2009/12/04/how-important-is-medium-trust-to-you.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=7270205" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/.NET/default.aspx">.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/IIS/default.aspx">IIS</category></item><item><title>New tools to prevent SQL injection attacks</title><link>http://weblogs.asp.net/topaspnetitems/archive/2008/06/25/new-tools-to-prevent-sql-injection-attacks.aspx</link><pubDate>Wed, 25 Jun 2008 17:00:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6323756</guid><dc:creator>&lt;a href="http://weblogs.asp.net/bleroy"&gt;Tales from the Evil Empire&lt;/a&gt;</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=6323756</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2008/06/25/new-tools-to-prevent-sql-injection-attacks.aspx#comments</comments><description>I&amp;#39;ve blogged in the past about injection attacks. Microsoft publishes additional new tools to detect and protect against injection attacks. The first tool, developed by HP, crawls web sites to automatically detect possible attacks, the second blocks dangerous requests from being executed, and the last one analyzes code to look for dangerous practice. 
http://www.microsoft.com/technet/security/advisory/954462.mspx (&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2008/06/25/new-tools-to-prevent-sql-injection-attacks.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=6323756" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/IIS/default.aspx">IIS</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/injection/default.aspx">injection</category></item><item><title>Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates</title><link>http://weblogs.asp.net/topaspnetitems/archive/2007/04/06/tip-trick-enabling-ssl-on-iis-7-0-using-self-signed-certificates.aspx</link><pubDate>Fri, 06 Apr 2007 07:31:31 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:2186588</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=2186588</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2007/04/06/tip-trick-enabling-ssl-on-iis-7-0-using-self-signed-certificates.aspx#comments</comments><description>SSL enables browsers to communicate with a web-server over a secure channel that prevents eavesdropping, tampering and message forgery. You should always use SSL for login pages where users are entering usernames/passwords, as well as for all other sensitive pages on sites (for example: account pages that show financial or personal information). 
Configuring SSL on Windows with previous versions of IIS has been a pain. Figuring out how to install and manage a certificate, and then associate it with a web-site, is something I bet most web developers don't know how to enable. The good news is that IIS 7.0 makes it radically easier to configure and enable SSL. IIS 7.0 also now has built-in support for creating "Self Signed Certificates" that enable...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2007/04/06/tip-trick-enabling-ssl-on-iis-7-0-using-self-signed-certificates.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=2186588" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/IIS7/default.aspx">IIS7</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>JSON Hijacking and How ASP.NET AJAX 1.0 Avoids these Attacks</title><link>http://weblogs.asp.net/topaspnetitems/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-avoids-these-attacks.aspx</link><pubDate>Wed, 04 Apr 2007 18:39:55 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:2178333</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=2178333</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-avoids-these-attacks.aspx#comments</comments><description>Recently some reports have been issued by security researchers describing ways hackers can use the JSON wire format used by most popular 
AJAX frameworks to try and exploit cross domain scripts within browsers. Specifically, these attacks use HTTP GET requests invoked via an HTML &amp;lt;script src=""&amp;gt; include element to circumvent the "same origin policy" enforced by browsers (which limits JavaScript objects like XmlHttpRequest to only calling URLs on the same domain that the page was loaded from), and then look for ways to exploit the JSON payload content. ASP.NET AJAX 1.0 includes a number of default settings and built-in features that prevent it from being susceptible to these types of JSON hijacking attacks. Below are some details of how...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-avoids-these-attacks.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=2178333" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Atlas/default.aspx">Atlas</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/.NET/default.aspx">.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category></item><item><title>Tip/Trick: Integrating ASP.NET Security with Classic ASP and Non-ASP.NET URLs</title><link>http://weblogs.asp.net/topaspnetitems/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx</link><pubDate>Mon, 05 Mar 2007 02:17:38 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:1906751</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=1906751</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx#comments</comments><description>One of the questions I am often asked is "How can I integrate ASP.NET security with Classic ASP other non-ASP.NET URLs?". Specifically, people want to know if they can integrate ASP.NET's Forms Authentication, Role Based Security, and URL Authorization features with Classic ASP, PHP, JSP, .HTM, .JPG and other non-ASP.NET URLs. The good news is that this is pretty easy with ASP.NET 2.0 and IIS 6.0 today, and will get even easier in the IIS 7.0 timeframe. The below blog post demonstrates how to integrate ASP.NET 2.0's Forms Authentication and Login/Membership features with classic ASP and static .HTML files. For a much more detailed walkthrough of how to achieve this (as well as how to integrate features like ASP.NET role based authorization with...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=1906751" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/IIS7/default.aspx">IIS7</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Common Gotcha: Don't forget to &lt;clear/&gt; when adding 
providers</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/11/21/common-gotcha-don-t-forget-to-clear-when-adding-providers.aspx</link><pubDate>Tue, 21 Nov 2006 07:22:47 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:975401</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=975401</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/11/21/common-gotcha-don-t-forget-to-clear-when-adding-providers.aspx#comments</comments><description>Recently I've helped a few people out who were having an issue with how they had added new Membership, Role, and Profile providers within their web.config file. If you are ever going to add a provider declaration within your web.config file, please read-on to learn how to avoid a common gotcha. Symptom: You want to configure ASP.NET 2.0 to store your Membership/Role Management/Profile data within a remote SQL database. To accomplish this you first use the aspnet_regsql.exe utility to provision the appropriate schema within the database. 
Rather than override the "LocalSqlServer" connection string within your web.config file, you decide to register a new provider within your web.config file like below (note: the following registration has a bug...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/11/21/common-gotcha-don-t-forget-to-clear-when-adding-providers.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=975401" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/.NET/default.aspx">.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Tip/Trick: Source/Documentation for Simple ASP.NET 2.0 SQL Providers Published</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/10/13/Tip_2F00_Trick_3A00_-Source_2F00_Documentation-for-Simple-ASP.NET-2.0-SQL-Providers-Published.aspx</link><pubDate>Fri, 13 Oct 2006 21:36:56 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:661253</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=661253</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/10/13/Tip_2F00_Trick_3A00_-Source_2F00_Documentation-for-Simple-ASP.NET-2.0-SQL-Providers-Published.aspx#comments</comments><description>One of the most popular features in ASP.NET 2.0 was the introduction of the "provider model" for the built-in ASP.NET Application Service APIs. 
The provider model ensures that the storage/implementation for services like Membership, Roles, Profiles, Health Monitoring, Session State, and Site Navigation is extensible, and it allows a developer to easily plug-in alternative implementations if they want. Earlier this year I blogged about how we shipped the source code for the built-in ASP.NET 2.0 Providers on MSDN, and published 130+ pages of really good documentation that walks through their implementation and behavior. If you are looking to adapt the existing providers (which are pretty feature rich and in-depth), then you'll find these whitepapers...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/10/13/Tip_2F00_Trick_3A00_-Source_2F00_Documentation-for-Simple-ASP.NET-2.0-SQL-Providers-Published.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=661253" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Tip/Trick: Adding Authorization Rules to Business and Data Layers using PrincipalPermissionAttributes</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/10/04/Tip_2F00_Trick_3A00_-Adding-Authorization-Rules-to-Business-and-Data-Layers-using-PrincipalPermissionAttributes.aspx</link><pubDate>Wed, 04 Oct 2006 08:50:07 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:614768</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=614768</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/10/04/Tip_2F00_Trick_3A00_-Adding-Authorization-Rules-to-Business-and-Data-Layers-using-PrincipalPermissionAttributes.aspx#comments</comments><description>Earlier this summer I posted two tutorials on using Windows Authentication with ASP.NET: Enabling Window Authentication within an Intranet ASP.NET Web Application and Implementing Role Based Security within ASP.NET using Windows Authentication and SQL Server. I also linked to Scott Mitchell's great ASP.NET 2.0 Security, Membership and Roles Tutorials that cover how to use Forms Authentication and the new Membership/Roles APIs in ASP.NET for Internet based web applications. These tutorials cover how to implement authentication on your site, which is the process of identifying who an incoming user is. They also demonstrate how to implement role based management on your site, which allows you to logically group individual users into higher-level...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/10/04/Tip_2F00_Trick_3A00_-Adding-Authorization-Rules-to-Business-and-Data-Layers-using-PrincipalPermissionAttributes.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=614768" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/.NET/default.aspx">.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Tip/Trick: Guard Against SQL Injection 
Attacks</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx</link><pubDate>Sat, 30 Sep 2006 09:11:03 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:598329</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=598329</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx#comments</comments><description>SQL Injection attacks are really nasty security vulnerabilities, and something all web developers (regardless of platform, technology or data layer) need to make sure they understand and protect themselves against. Unfortunately developers too often neglect putting focused time on this - and leave their applications (and worse their customers) extremely vulnerable. Michael Sutton recently published a very sobering post about just how widespread this issue is on the public web. He built a C# client application that uses the Google Search API to look for sites vulnerable to SQL Injection Attacks. 
The steps to achieve this were simple: Look for sites that have querystring values (example: search for URLs with "id=" in the URL) Send a request to...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=598329" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Tip/Trick: Patterns and Practices Guidance Explorer for .NET and ASP.NET</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/09/27/Tip_2F00_Trick_3A00_-Patterns-and-Practices-Guidance-Explorer-for-.NET-and-ASP.NET.aspx</link><pubDate>Wed, 27 Sep 2006 22:16:52 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:590214</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=590214</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/09/27/Tip_2F00_Trick_3A00_-Patterns-and-Practices-Guidance-Explorer-for-.NET-and-ASP.NET.aspx#comments</comments><description>I blogged about the cool new .NET and ASP.NET Guidance Explorer that the Microsoft Patterns and Practices Team has been working on back in June. Since then the team has been hard at work and recently moved the project to be hosted on CodePlex. You can visit and join the project here. All source code for the Guidance Explorer UI (which is of course built using .NET and Windows Forms) can also now be downloaded for free from the CodePlex project site. 
The Guidance Explorer provides a database of recommendations and best practices for ASP.NET, ADO.NET, and the .NET Framework that you can easily filter and search. Particularly useful are some of the checklists you can easily follow for performance and security best practices prior to deployment...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/09/27/Tip_2F00_Trick_3A00_-Patterns-and-Practices-Guidance-Explorer-for-.NET-and-ASP.NET.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=590214" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/.NET/default.aspx">.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Tip/Trick: Show Detailed ASP.NET Error Messages to Developers (and only to Developers)</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/08/12/Tip_2F00_Trick_3A00_-Show-Detailed-ASP.NET-Error-Messages-to-Developers-_2800_and-only-to-Developers_2900_.aspx</link><pubDate>Sat, 12 Aug 2006 10:58:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:467896</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=467896</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/08/12/Tip_2F00_Trick_3A00_-Show-Detailed-ASP.NET-Error-Messages-to-Developers-_2800_and-only-to-Developers_2900_.aspx#comments</comments><description>Problem: You are developing/maintaining an ASP.NET web-site, and would like the ability to conditionally show/hide 
runtime error messages depending on who the user visiting the site is. For a normal user visiting the site you want to be able to display a friendly error message like this when a runtime error occurs: But when someone within the &amp;ldquo;developers&amp;rdquo; security role of your application remotely accesses the site you want to instead show a more detailed exception stack trace error message about the problem without having to change any configuration data: The below post describes how to use ASP.NET&amp;rsquo;s role-based security architecture in conjunction with the Global.asax Application_Error event handler to enable this. You can...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/08/12/Tip_2F00_Trick_3A00_-Show-Detailed-ASP.NET-Error-Messages-to-Developers-_2800_and-only-to-Developers_2900_.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=467896" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>My ASP.NET 2.0 Tips, Tricks, Recipes and Gotchas "Highlights Page"</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/08/01/My-ASP.NET-2.0-Tips_2C00_-Tricks_2C00_-Recipes-and-Gotchas-_2200_Highlights-Page_2200_.aspx</link><pubDate>Tue, 01 Aug 2006 23:32:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:462322</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=462322</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/08/01/My-ASP.NET-2.0-Tips_2C00_-Tricks_2C00_-Recipes-and-Gotchas-_2200_Highlights-Page_2200_.aspx#comments</comments><description>Several people have sent me email lately asking for a suggested short-list of my best/favorite past blog posts to read (I&amp;rsquo;ve done 200 posts over the last 12 months and apparently it takes too long to read them all &amp;lt;g&amp;gt;). I&amp;rsquo;ve put together a summary page of ASP.NET 2.0 Tips, Tricks, Recipes and Gotchas that you can check out here. It currently contains links to 37 posts that I&amp;rsquo;ve done in the past that I think are interesting and worth spending some time to read. I&amp;rsquo;ve organized the list by area topic (UI, Data, Security, Visual Studio, etc). My goal is to post at least 1-2 new/original ASP.NET Tips/Tricks/Recipes to my blog each week going forward. 
I&amp;rsquo;ll also make sure to update the summary page above as I add...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/08/01/My-ASP.NET-2.0-Tips_2C00_-Tricks_2C00_-Recipes-and-Gotchas-_2200_Highlights-Page_2200_.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=462322" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Atlas/default.aspx">Atlas</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Data/default.aspx">Data</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/LINQ/default.aspx">LINQ</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Visual+Studio/default.aspx">Visual Studio</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Talks/default.aspx">Talks</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Recipe: Implementing Role Based Security with ASP.NET using Windows Authentication and SQL Server</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx</link><pubDate>Sun, 23 Jul 2006 21:32:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:460028</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=460028</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx#comments</comments><description>Problem You are building an Intranet expense report application for your organization, and want to enable role-based authentication and authorization capabilities within it. Specifically, you want to create logical roles called &amp;ldquo;approvers&amp;rdquo;, &amp;ldquo;auditors&amp;rdquo;, and &amp;ldquo;administrators&amp;rdquo; for the application, and grant/deny end-users access to functionality within the application based on whether they are in these roles. Because your application is an Intranet solution, you want to use Windows Authentication to login the users accessing the application (avoiding them having to manually login). However, because the roles you want to define are specific to your application, you do not want to define or store them within your...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=460028" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Tips+and+Tricks/default.aspx">Tips and Tricks</category></item><item><title>Remote Membership/Roles Management of ASP.NET 2.0 
Applications</title><link>http://weblogs.asp.net/topaspnetitems/archive/2006/07/18/Remote-Membership_2F00_Roles-Management-of-ASP.NET-2.0-Applications.aspx</link><pubDate>Tue, 18 Jul 2006 08:58:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:458849</guid><dc:creator>ScottGu's Blog</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/topaspnetitems/rsscomments.aspx?PostID=458849</wfw:commentRss><comments>http://weblogs.asp.net/topaspnetitems/archive/2006/07/18/Remote-Membership_2F00_Roles-Management-of-ASP.NET-2.0-Applications.aspx#comments</comments><description>Peter Kellner recently published parts 3 and 4 of his popular how-to series on building a custom remote security management application for ASP.NET 2.0&amp;#39;s Membership and Roles feature. Part 3 covers Ajax enabling it with Atlas, and Part 4 covers adding personalization support with profiles. You can find the entire series on MSDN here: ASP.NET 2.0 Member/Role Management, Part 1: Security and Configuration Overview ASP.NET 2.0 Member/Role Management, Part 2: Implementation ASP.NET 2.0 Member/Role Management, Part 3: AJAX Enhancements with Microsoft Atlas ASP.NET 2.0 Member/Role Management, Part 4: Adding Personalization with Profiles to the ObjectDataSource For more ASP.NET 2.0 Security Resources, please also check out my ASP.NET 2.0 Security...(&lt;a href="http://weblogs.asp.net/topaspnetitems/archive/2006/07/18/Remote-Membership_2F00_Roles-Management-of-ASP.NET-2.0-Applications.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=458849" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/topaspnetitems/archive/tags/Security/default.aspx">Security</category></item></channel></rss>