ASP.NET web application security

Security is a vital factor for any web application. At first we need to understand what types of security issues arise in Web-based applications. We must also understand the basic strategies are used to protect the application and system. Unless attackers can hack our websites, stealing sensitive data or information from the websites, sending high traffic to websites, viruses, worms and Trojan horses can attack our sites.
As a professional web application developer it is mandatory to follow some tricks in order to make the application more secure. This article provides an introduction to security in Web applications or how to secure web applications?

ASP.NET Web Application Security Tips
If we follow the following technique then our ASP.NET applications will be more secured. Some of them are given bellow:

Prevent Cross Site Scripting (XSS)
Cross Site Scripting or JavaScript Injection is a one kind of attack where the attacker generates malicious JavaScript, VBScript, ActiveX, HTML, or Flash code and injects it to damage the application or gather information from the application. Normally attacker use Input Box/ Text Box.

We can prevent this by writing a simple code in Tag of web.config file.

 <system.web>
    <pages validateRequest="true"/>
</system.web>

Then if somebody tries to inject some scripting code then system will display alert message [A potentially dangerous request…]

We can also do this by HTML encoding. The code for HTML encoding is:

Server.HtmlEncode(TextBoxName.Text)

Prevent SQL Injection
SQL Injection is a one kind of attack where the attacker generates malicious code and send into SQL query to access database or system. The following steps prevent SQL injection:

  • Use stored procedure (SP)
  • Re-validate data in stored procedures.
  • Use parameterized query
  • Use ORM tools (LINQ, NHybernet, LINQ to Entities)
  • Use regular expression to discard input string
  • Encrypt sensitive data
  • Check unwanted character, words (–, ;,  insert, delete, update) in query
  • Access the database using an account with the least privileges necessary
  • Install the database using an account with the least privileges necessary
  • Ensure that error messages give nothing away about the internal architecture of the application or the database

Encrypt Connection String in web.config File
Never ever keep a clear plain connection string in the web.config file. Its risk is very high. To secure a connection string we need to follow the following steps:

Go to Visual Studio command prompt in the “C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\” path.
Install ASP.NET using the aspnet_regiis –I command.
Encrypt Web.Config connection atrings using below command:

aspnet_regiis -pef “connectionStrings” path
“path” is the path of the physical folder where web.config resides (e.g., aspnet_regiis -pef “connectionStrings” D:\Apps\NewBeeWebsite).

You will get the message “Encrypting configuration section… Succeeded!”.

Run the following commands:
aspnet_regiis -pa “NetFrameworkConfigurationKey” “ASPNET”
aspnet_regiis -pa “NetFrameworkConfigurationKey” “NETWORK SERVICE”
spnet_regiis -pa “NetFrameworkConfigurationKey” “NT AUTHORITY\NETWORK SERVICE”
Restart IIS.

If it is not possible to encrypt connection string then please at list encrypt the password in web.config file

<connectionStrings>
   <add name="ConStr" connectionString="Data Source=.;Initial Catalog=Test;Persist Security Info=True;User ID=sa;Password=***********"
        providerName="System.Data.SqlClient"/>
</connectionStrings>

Always Set a Custom Error Page
Don’t s show actual error message to end users. Because this will help users to understands the semantics of your code and flow. Better Enable the custom error page option in the web.config file and design a customize file to display error.

<customErrors mode="On" defaultRedirect="ErrorPage.aspx"/>

For any application level exception, it is a good practice to display a custom error page.

Encrypt Sensitive Data
Always encrypt sensitive data like password. Never store password directly in database. Generate fix length hash code and then store.

Use Session instead of Cookies
Always try to use session instead of cookies when it is possible. For emergency case store data in cookies in encrypted format. Never store password in cookies.

Use Proper Validations

  • Use validation for html control
  • Don’t give permission to upload exe, .dll, script file
  • Set the input box max length according to database column max length

Miscellaneous
Disable applications trace and debug mode false. Try to use less hidden filed in the application.

That’s all about security tips to protect your website from hackers. Hope you are now capable to develop a secure asp.net application which will also increase the performance of the application.

Comments

  1. Reply

  2. Reply

  3. By Jonh

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *