Security best practices for Web application development in Dotnet

Security Best Practices

Web Application Development Security Best Practices

The following are some of the security best practices that can be followed while developing web applications.

Cross Site Request Forgery (CSRF) Prevention

  • CSRF is possible if the authenticity is checked only based on the cookie.

  • To avoid this, developers can adopt the Synchronizer Token Pattern: random “challenge” tokens that are associated with the user’s current session. These challenge tokens are then inserted into the HTML forms and links associated with sensitive server-side operations.

  • When a form is submitted, the form token is validated along with the cookie to safeguard against CSRF attacks.

  • Many mature frameworks already offer easy ways to mitigate CSRF. For example, ASP.NET Core enables the Antiforgery middleware by default for all forms rendered via MVC or Razor Pages (https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-7.0).
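As an added example (not code from this post or from the ASP.NET documentation), the synchronizer-token flow described above written against ASP.NET Core's IAntiforgery service in a minimal API, so both halves of the check are visible: the GET stores a session-bound token pair (cookie plus hidden form field) and the POST rejects any request whose form token does not match the cookie. The /transfer route and the amount field are made up for the illustration.

```csharp
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAntiforgery();
var app = builder.Build();

// GET: render the form with the request token in a hidden field.
// GetAndStoreTokens also sets the cookie half of the pair for this session.
app.MapGet("/transfer", (HttpContext ctx, IAntiforgery antiforgery) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(ctx);
    string html =
        "<form method=\"post\" action=\"/transfer\">" +
        $"<input type=\"hidden\" name=\"{tokens.FormFieldName}\" value=\"{tokens.RequestToken}\" />" +
        "<input name=\"amount\" /><button>Send</button></form>";
    return Results.Content(html, "text/html");
});

// POST: a page on another site can make the victim's cookie travel with a forged request,
// but it cannot read the hidden field, so the form token is missing or wrong and the
// request is rejected before the sensitive operation runs.
app.MapPost("/transfer", async (HttpContext ctx, IAntiforgery antiforgery) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(ctx);   // compares form token with cookie token
    }
    catch (AntiforgeryValidationException)
    {
        return Results.BadRequest("antiforgery token missing or invalid");
    }

    var form = await ctx.Request.ReadFormAsync();
    return Results.Ok($"transfer of {form["amount"]} accepted");
});

app.Run();
```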

Brute-force attack prevention in forms like login pages

  • A brute force attack uses a trial-and-error approach to guess login information, credentials, and encryption keys. The attacker submits combinations of usernames and passwords until they finally guess correctly.

  • An account lockout feature can be implemented to mitigate brute force attacks. For example, a user can be locked out for the next 15 minutes if incorrect credentials are entered more than 5 times. Many mature web development frameworks offer easy ways to implement this. The ASP.NET Core Identity framework implements account lockout by default and can be configured easily (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-7.0&tabs=visual-studio).

  • CAPTCHA can be added to forms to prevent scripts and bots from attempting brute force attacks on them.
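An added example (not from the post or the linked docs) of the lockout policy described above configured in ASP.NET Core Identity: 5 failed attempts lock the account for 15 minutes. It assumes the Microsoft.AspNetCore.Identity.EntityFrameworkCore and Microsoft.EntityFrameworkCore.Sqlite packages and a migrated database; the AppDbContext, LoginRequest and /login names are made up for the example.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db"));

builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    // Lock the account for 15 minutes after 5 consecutive failed sign-ins.
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Lockout.AllowedForNewUsers = true;   // apply to every account, not only opted-in ones
}).AddEntityFrameworkStores<AppDbContext>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/login", async (LoginRequest req, SignInManager<IdentityUser> signIn) =>
{
    // lockoutOnFailure: true is what makes a wrong password count towards the limit;
    // with the default (false) the failure counter never increments and lockout never triggers.
    var result = await signIn.PasswordSignInAsync(
        req.UserName, req.Password, isPersistent: false, lockoutOnFailure: true);

    if (result.Succeeded) return Results.Ok("signed in");
    if (result.IsLockedOut) return Results.StatusCode(StatusCodes.Status423Locked);
    if (result.RequiresTwoFactor) return Results.Redirect("/login/2fa");
    // One generic response for "no such user" and "wrong password", so the form
    // cannot be used to enumerate valid user names.
    return Results.Unauthorized();
});

app.Run();

record LoginRequest(string UserName, string Password);

class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```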

Host on HTTPS for apps deployed in untrusted networks like the Internet

  • HTTPS encrypts the data between server and client. Data can be decrypted only by the server, since it holds the private key.

  • This helps prevent man-in-the-middle attacks against applications hosted in untrusted networks like the Internet.

  • HTTPS can be easily implemented on major hosting platforms like IIS, Nginx and Apache with an SSL/TLS certificate.

Prevent server information disclosure

  • Configure the web server to hide headers like “Server” and “X-Powered-By”, which can disclose the server technology and versions. For example, the “url-rewrite” module of IIS can be used to overwrite the response headers and hide the server details.

  • Create custom error pages to hide stack traces, server versions etc., so that server details, versions and source code are not exposed. Many established frameworks like ASP.NET and Spring can implement this easily.

Two Factor Authentication (2FA)

Turning on 2FA forces users to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device. After successfully completing that challenge, the user usually has the option to mark the device as trusted, which means that 2FA prompts should be relatively rare on devices used regularly.

2FA can be a combination of at least two of the following elements:

  • “Something you know,” such as a password or PIN

  • “Something you are,” such as a fingerprint or other biometric ID

  • “Something you have,” such as a trusted smartphone that can generate or receive confirmation codes, or a hardware-based security device

For the most part, the two-factor authentication systems you see in place today use the first item (your password) and the last item (your smartphone). Smartphones have become ubiquitous, making them ideal security devices.

2FA can be implemented easily in established frameworks like ASP.NET (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa?view=aspnetcore-7.0). TOTP-based authentication is one of the common implementations of 2FA; users complete the 2FA challenge with an authenticator app. SMS- or email-based tokens can also be used for a 2FA implementation.
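An added, stand-alone C# version (not the post's code and not ASP.NET Core's) of the TOTP check that an authenticator app and the server both compute, following RFC 6238: HMAC-SHA1 over the 30-second time counter, dynamic truncation to 6 digits, a one-step drift window and a constant-time comparison. In ASP.NET Core Identity you would call UserManager.VerifyTwoFactorTokenAsync instead; this shows what that call computes. The Totp class name is mine, and the secret is assumed to be the base32 string carried in the enrolment QR code.

```csharp
using System.Security.Cryptography;
using System.Text;

static class Totp
{
    const int StepSeconds = 30, Digits = 6;

    // Decode the base32 secret that authenticator apps receive in the QR code.
    static byte[] FromBase32(string s)
    {
        const string alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
        var bits = new StringBuilder();
        foreach (char c in s.TrimEnd('=').ToUpperInvariant())
            bits.Append(Convert.ToString(alphabet.IndexOf(c), 2).PadLeft(5, '0'));
        var bytes = new byte[bits.Length / 8];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(bits.ToString(i * 8, 8), 2);
        return bytes;
    }

    // RFC 6238: HOTP (RFC 4226) with the counter = floor(unixTime / 30).
    public static string Generate(string base32Secret, long unixTime)
    {
        byte[] counter = BitConverter.GetBytes(unixTime / StepSeconds);
        if (BitConverter.IsLittleEndian) Array.Reverse(counter);   // counter is big-endian
        using var hmac = new HMACSHA1(FromBase32(base32Secret));
        byte[] hash = hmac.ComputeHash(counter);
        int offset = hash[^1] & 0x0F;                               // dynamic truncation
        int binary = ((hash[offset] & 0x7F) << 24) | (hash[offset + 1] << 16)
                   | (hash[offset + 2] << 8) | hash[offset + 3];
        return (binary % 1_000_000).ToString().PadLeft(Digits, '0');
    }

    // Accept the current step and one step either side to tolerate clock drift.
    // A real deployment also records the last accepted counter per user so the
    // same code cannot be replayed inside the window.
    public static bool Verify(string base32Secret, string code, long unixTime)
    {
        for (int drift = -1; drift <= 1; drift++)
        {
            string expected = Generate(base32Secret, unixTime + drift * StepSeconds);
            if (CryptographicOperations.FixedTimeEquals(
                    Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(code)))
                return true;
        }
        return false;
    }
}
```

Verify should be called with `DateTimeOffset.UtcNow.ToUnixTimeSeconds()`; the RFC 6238 Appendix B test vectors can be used to confirm Generate against a known secret and time.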

User Input Validation

  • Validating user inputs before processing or logging them reduces the attack surface substantially.

  • Many attack tactics take advantage of improper input validation.

  • Ensure user inputs are cleaned before they are processed or logged at the server. User input validation can be done both at the front-end and at the back-end; front-end checks improve usability, but the back-end check is the one that counts for security, since anything running in the browser can be bypassed. JavaScript libraries like jQuery and jQuery-validation can be used to implement front-end user input validation easily.

Prevent SQL Injection

  • SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page inputs; this input can break the security of the web application.

  • Preventing SQL injection is essential to ensure the security and integrity of the application data and infrastructure.

  • SQL injection can be easily mitigated in databases like PostgreSQL, MySQL and Oracle by using parameterised queries instead of directly substituting user inputs as strings into the SQL commands.

  • Many established web frameworks like ASP.NET use an ORM (Object Relational Mapper) like Entity Framework (https://learn.microsoft.com/en-us/ef/ef6/modeling/code-first/workflows/new-database) to mitigate SQL injection effectively, as long as the ORM's raw-SQL escape hatches are also used with parameters rather than string concatenation.
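An added example (not from the post or from Entity Framework) contrasting the two query styles the bullets above describe, run against an in-memory SQLite database filled with constructed rows; the Microsoft.Data.Sqlite package is assumed. The same parameter mechanism exists in the PostgreSQL, MySQL and Oracle ADO.NET providers, and Entity Framework's LINQ queries are parameterised in the same way.

```csharp
using Microsoft.Data.Sqlite;

static class UserLookup
{
    // VULNERABLE: the untrusted value becomes part of the SQL text, so a quote in the
    // input ends the literal and the rest of the input is parsed as SQL.
    public static int CountVulnerable(SqliteConnection db, string userName)
    {
        using var cmd = db.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = '" + userName + "'";
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // SAFE: the SQL text is fixed; the value travels separately as a parameter and is
    // only ever compared as data, quotes and all.
    public static int CountParameterised(SqliteConnection db, string userName)
    {
        using var cmd = db.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = $name";
        cmd.Parameters.AddWithValue("$name", userName);
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    public static void Main()
    {
        using var db = new SqliteConnection("Data Source=:memory:");
        db.Open();
        using (var setup = db.CreateCommand())
        {
            // Constructed sample data for the demonstration.
            setup.CommandText = "CREATE TABLE users(name TEXT); INSERT INTO users VALUES ('alice'), ('bob');";
            setup.ExecuteNonQuery();
        }

        string input = "x' OR '1'='1";   // constructed hostile input: no user has this name
        // The concatenated query's predicate becomes true for every row;
        // the parameterised query matches no row because no name equals the literal string.
        Console.WriteLine($"vulnerable query matched {CountVulnerable(db, input)} rows");
        Console.WriteLine($"parameterised query matched {CountParameterised(db, input)} rows");
    }
}
```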

Relevant Security Headers

  • Sending proper security headers helps browsers understand the security requirements of the web application and enforce them on the client side.

  • The following are some of the security headers:

  • X-Frame-Options: declares a policy, communicated from the host to the client browser, on whether the browser may display the transmitted content in frames of other web pages. This helps prevent action spoofing (clickjacking) attacks.

  • X-XSS-Protection: enables the cross-site scripting (XSS) filter in the browser (current browsers have removed this filter, so it no longer adds protection in practice).

  • X-Content-Type-Options: prevents the browser from interpreting files as something other than what the Content-Type header declares.

  • Content-Security-Policy: CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.

  • Enable the following headers in the application: X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security (HSTS), X-Content-Security-Policy, Access-Control-Allow-Origin, X-Download-Options.

  • For more information on security headers, refer to https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#Content-Security-Policy

  • Appropriate security headers can be set easily in established web hosting platforms. For example, response headers in IIS can be set using the ‘url-rewrite’ module.
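An added example (not from the post) of an ASP.NET Core Program.cs that applies the HTTPS, information-disclosure and security-header sections above in one place: HTTPS redirection plus HSTS, Kestrel's Server header switched off and a generic error page, and a middleware that sets the remaining headers. The IIS-specific pieces (url-rewrite, web.config) are only noted in comments, and the /error route is made up.

```csharp
var builder = WebApplication.CreateBuilder(args);

// Kestrel sends "Server: Kestrel" unless told not to. Behind IIS the "Server" and
// "X-Powered-By" headers are added by IIS itself, so remove them in web.config
// (<requestFiltering removeServerHeader="true" /> and <customHeaders><remove name="X-Powered-By" />)
// or with the url-rewrite outbound rule the post mentions.
builder.WebHost.ConfigureKestrel(o => o.AddServerHeader = false);

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/error");   // generic page: no stack trace or version in the body
    app.UseHsts();                       // Strict-Transport-Security: browser keeps using HTTPS
}
app.UseHttpsRedirection();

// Headers must be set before the response body starts, hence before calling next().
app.Use(async (ctx, next) =>
{
    var h = ctx.Response.Headers;
    h["X-Content-Type-Options"] = "nosniff";          // no MIME sniffing of declared types
    h["X-Frame-Options"] = "DENY";                    // clickjacking defence for older browsers
    h["Content-Security-Policy"] =
        "default-src 'self'; frame-ancestors 'none'"; // own-origin resources only, never framed
    // X-XSS-Protection is deliberately omitted: current browsers no longer implement the
    // filter and OWASP now advises setting it to 0 or leaving it out.
    await next(ctx);
});

app.MapGet("/error", () => Results.Problem("An error occurred.", statusCode: 500));
app.MapGet("/", () => "ok");

app.Run();
```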

Implement Session Expiration Timeout

Implement Appropriate Password Policy

Store Hashed passwords instead of plain text passwords

  • Passwords are among the most sensitive data of a web application. Stealing a user’s password can pose a threat to the user’s online identity, since many users reuse the same password across multiple websites. Hence the ability to reliably protect user passwords is essential to maintaining the trust of the users.

  • If an application database is breached, an attacker can access the password table.

  • To mitigate this, passwords can be hashed with a salt and stored in the database instead of being stored in plain text.

  • Established web development frameworks like ASP.NET Core Identity store hashed passwords by default, using hashing algorithms like SHA256 along with a salt.
