Upload: madeleine-mcbride

Post on 13-Dec-2015

214 views

Category:

Documents


0 download

TRANSCRIPT

Road Map

Introduction

Will not cover everything
Healthy level of paranoia
Use my DVD swap shop application

Security Considerations

Authentication
Authorisation
Secure communication

Software + Hardware

 

The Login

Provides authentication
Asterisks *********
SQL injection attack

Human Problems
A simple conversation
People use words they can remember
Same passwords for many sites

Doctor Who fan: guess the password

T****S

Brute Force Attack
If the password is CC but all we know is that it is two characters long: **
AA AB BA BB BC CB CC

The longer the password the more time we need to crack it.

Dictionary Attacks
If you know a user name, throw the dictionary at it

Countermeasures: Education

Don’t use the same password for all sites
Avoid passwords that could be guessed
Don’t use dictionary words

Enforce rules in code
Minimum password length
Non-alphanumeric characters
Expiration date
Limit login attempts

Use a Security Framework
Authentication options in .NET:

Windows
Passport
Forms
DIY

Securing Stored Passwords
Unsecured Access database
Stored in App_Data folder (could store on another drive/machine)
Plain text password stored in the table

Password Hashing
.NET Cryptography
Encryption is OK
Hashing better

password123 IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=

Do not store the password in plain text

Adding Salt
If the passwords for John and Fred without salt look like this...

John IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
Fred IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=

Adding salt would change the hash values like so... 

John 354rlrk8Jv7729qVOrOp0lXUv7RAsdV
Fred 9Wo0irC6+ylay0CJsLVtWBfbJBSn03j4gzhG

Concatenate password + email address
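An added Python example (not the slides' own VB.NET code) working through the two hashing slides above: the same password gives John and Fred identical unsalted hashes, while the slides' salt of password + email address separates them. John and Fred come from the slides; the email addresses, the password value, and the stronger variant with a random per-user salt and a slow key-derivation function are assumptions added here.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample users: John and Fred (from the slides) happen to pick the
# same password. The email addresses and the password are assumed.
USERS = {
    "John": {"email": "john@example.com", "password": "password123"},
    "Fred": {"email": "fred@example.com", "password": "password123"},
}

def unsalted_hash(password: str) -> str:
    """SHA-1 of the bare password, base64 encoded (the 'no salt' slide)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def email_salted_hash(password: str, email: str) -> str:
    """The slides' technique: hash the concatenation password + email address."""
    digest = hashlib.sha1((password + email).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def hash_table(users: dict, salted: bool) -> dict:
    """Return {name: hash} as the slides show it, with or without salt."""
    return {
        name: email_salted_hash(u["password"], u["email"]) if salted
        else unsalted_hash(u["password"])
        for name, u in users.items()
    }

def pbkdf2_record(password: str, salt=None, iterations: int = 600_000) -> str:
    """Assumed stronger variant (not on the slides): random per-user salt and a
    deliberately slow KDF, stored as iterations$salt$hash so it can be verified."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([str(iterations), base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the record from the candidate password; compare in constant time."""
    iterations, salt_b64, dk_b64 = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode("ascii"), dk_b64)
```

Two users who share a password get the same unsalted hash, so one cracked row reveals both; with any salt the rows differ, and a random salt stored next to the hash removes the need for the email address to be the secret ingredient.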

Validation: All Input is Evil
Who do you trust?

Do you trust me not to make use of that data in some way? 

Do you trust me to write a web application that will not be compromised in any way?

It is not just a matter of which people you trust, but which systems you trust.

Black list = characters we don’t allow
White list = characters we do allow

Code Injection

Script could run when page is rendered elsewhere in application

IIS automatically disallows this

Turn Off Debug Mode
By entering bad data a hacker could crash your program

We Now Know
The language of the application (VB.NET)
The names of several parameters: SwapTitle, Description etc.
In the light of the above, probably the names of some fields in the database (this way the hacker may refine the SQL injection attacks)
The remote path on the server: C:\MyFiles\IMAT1604\content\Widget Swap\Widget Swap\aswap.aspx.vb

Securing the Communication Channel

Public and Private Keys

Secure Socket Layer (SSL)
The browser makes a secure HTTP request: HTTPS on port 443
The server sends back a digital certificate verifying its credentials
The client verifies the certificate with the issuing agency
Using the public key, the data is encrypted between client and server

Open Ports
Port scanners
Firewalls
IP filtering
Turn off unused services
Grant minimum permissions to resources