Wednesday, August 27, 2008

Browser Back Button Security

Sometimes we have to work on security-sensitive projects where even the browser cache can be a problem. Normally, in an ASP.NET web application, every page is cached by the web browser. So anybody can steal sensitive information from the web pages using the back button if the user forgets to close the browser after signing out. Sometimes this creates an embarrassing situation. But we can kill the cache on the spot by adding the following two lines to every page's Page_Load event handler, which will disable the browser back button functionality in an ASP.NET application:

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetAllowResponseInBrowserHistory(false);

The two lines above are enough to tell the browser not to cache the page. However, you can also add the following three lines for better performance:

Response.CacheControl = "NO-CACHE";
Response.AddHeader("Pragma", "no-cache");
Response.Expires = -1;

which are the equivalent of the following meta tags:

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">

Also, don't forget to set authorization in the configuration file so that the application forces the user to the login page:


<location path="admin">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

Enjoy Programming!

Saturday, August 23, 2008

Building ASP.NET Web Server Controls using XML and XSLT

XML (Extensible Markup Language) and XSLT (Extensible Stylesheet Language Transformations) are very widely used in programming. XML is used extensively in web applications because of its column flexibility and platform independence. Because of column flexibility, programmers can add or remove a column at any time without changing much code (for example, different types of address such as home address, office address, etc.). XSLT, on the other hand, can traverse XML quickly, so it can process large amounts of XML data and give the application a dynamic layout without touching a single line of code-behind. The combination of XML and XSLT therefore shows its own strength and beauty, and can give our application a boost. Normally XSLT can produce plain XML or HTML without any hassle. But in some cases plain XML or HTML is not enough, and we need ASP.NET server controls instead, since they offer valuable events (click, data binding, data bound, etc.) and other advanced functionality such as state management and input validation. If we want to create our ASP.NET server controls using XML and XSLT, we should follow some procedures. I have described those procedures with an example in my article, which has been published on www.aspalliance.com.

Enjoy Programming!!!


SQL Injection and XSS in Classic ASP

SQL injection and XSS (cross-site scripting) are a big threat to classic ASP sites these days. Before ASP.NET came to the market, ASP was a very popular scripting language. As a result, a good number of e-commerce and enterprise-level projects built with classic ASP already exist. According to various sources, since the very beginning of this year ASP sites have been the main target of SQL injection and XSS by hackers. Since ASP.NET has some built-in mechanisms to sanitize input, such as "ValidateRequest" and "EnableEventValidation", it is in quite a safe position regarding XSS. Let me explain XSS and SQL injection very quickly:

  • SQL injection is a technique by which hackers can execute dangerous SQL commands by taking advantage of unsanitized input in a web application.
  • Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. The script code embeds itself in response data, which is sent back to an unsuspecting user. The user's browser then runs the script code. The browser has no way of recognizing that the code is not legitimate, and Microsoft Internet Explorer security zones provide no defense. Cross-site scripting attacks also work over HTTP and HTTPS (SSL) connections.

Several communities have already started work on a few workarounds for these issues. The HP Web Security Research Group published a tool named HP Scrawlr to find SQL injection vulnerabilities in web sites. Microsoft also recently released a source code analyzer for SQL injection. Let me show how we can protect our valuable sites from this threat:

1. A very fast and easy way is to build a central validation system, an approach very similar to ASP.NET's built-in system. It automatically inspects all input variables (form variables, query-string variables, cookie variables, etc.) for vulnerabilities. It protects the web site not only from SQL injection but also from XSS. Here is one of my research works on how to make such a system. In a really quick description, it covers the following areas:

  • Sanitize all the input fields
  • How to make an exception list to give the user flexibility
  • Default error page forwarding if any problem is found in the input fields
  • Implement an automated reporting system that, when a problem is found, reports detailed information about the inputs, IP, referrer page, etc.
  • Implement a custom error page

2. Avoid disclosing database error information by using try…catch and a custom error page.

3. Use escape character routines to handle special characters. For example, replace the single quote (') in the following way:

Replace(Request.Form("txtUsername"), "'", "''")

so that any injected SQL code is treated as a normal string and is prevented from executing.

4. Use HTML encode and decode techniques to show HTML data. This technique protects the site from XSS in particular.

5. Use stored procedures rather than dynamic queries where possible, and parameterize the query in the case of a dynamic query.

6. Use a least-privileged database account: only stored procedures have permission for update/insert, and the script has only read permission.

If all the above rules are maintained in a site, then there is no need to worry about SQL injection and XSS. But sometimes that is really tough, for example converting all the inline queries to stored procedures. In that case, we have to implement as many of them as possible. The first technique ensures that the site is secured from the threat and forms a primary security layer. The second technique makes the site stronger and forms a second security layer, then the third, and so on.
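Rules 2, 4, 5 and 6 combined in one classic ASP lookup page, as an added example that is not code from the original article. The `Users` table, its `Username` and `DisplayName` columns, the `Application("ConnString")` setting and the `error.asp` page are assumptions; `txtUsername` is the form field used in rule 3, and `On Error Resume Next` stands in for try…catch because VBScript has no such statement.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc), declared here so the page is self-contained.
Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

Dim conn, cmd, rs, username

' Trim and cap the length before the value goes anywhere near the database.
username = Left(Trim(Request.Form("txtUsername")), 50)

' Rule 2: trap database errors instead of letting the raw message reach the browser.
On Error Resume Next

Set conn = Server.CreateObject("ADODB.Connection")
' Assumed setting: connection string of a read-only database account (rule 6).
conn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Rule 5: the ? placeholder keeps the value out of the SQL text,
' so a quote inside it is data and never SQL syntax.
cmd.CommandText = "SELECT DisplayName FROM Users WHERE Username = ?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 50, username)

Set rs = cmd.Execute

If Err.Number <> 0 Then
    Err.Clear
    Response.Redirect "error.asp"   ' assumed custom error page
End If
On Error GoTo 0

' Rule 4: HTML-encode everything written back, both user input and database values.
If rs.EOF Then
    Response.Write "No such user: " & Server.HTMLEncode(username)
Else
    Response.Write "Welcome, " & Server.HTMLEncode(rs("DisplayName").Value & "")
End If

rs.Close
conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```

Unlike the `Replace` call in rule 3, a bound parameter also covers numeric values, which are not wrapped in quotes in the SQL text.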

Reference:

http://aspalliance.com/1703_SQL_Injection_in_Classic_ASP_and_Possible_Solutions

http://en.wikipedia.org/wiki/Cross-site_scripting

http://en.wikipedia.org/wiki/Sql_injection

Enjoy Programming!
