5. Common sources of untrusted data
• From the user
  • QueryString or routing data in the URL
  • Form POST
• From the browser
  • Cookie
  • Request headers
• From any number of other locations
  • External devices
  • Database (data read back from a database is still untrusted input)
6. Improvement: DB permissions and data exposure
• Do not connect as DB Owner; its privileges are far too high
• Return only the data that is appropriate and strictly needed
• Do not use SELECT * FROM Table
• Grant permissions on databases, tables, stored procedures, etc. that match the need and are no more than sufficient
• Make proper use of the database's Logins and Users (a server-level login mapped to a database user with limited rights)
22. ASP.NET Web Form control encoding
HTML-encoded status of System.Web.UI control properties (full list at the link below)
https://1drv.ms/w/s!Arq-faMowY2FiVEY63rn3r389Cox

Control                          Property                            HTML Encoded
BasePartialCachingControl        AppRelativeTemplateSourceDirectory  FALSE
Control                          AppRelativeTemplateSourceDirectory  FALSE
DataSourceControl                AppRelativeTemplateSourceDirectory  FALSE
HierarchicalDataSourceControl    AppRelativeTemplateSourceDirectory  FALSE
HtmlControls.HtmlAnchor          HRef                                FALSE
HtmlControls.HtmlAnchor          Name                                TRUE
HtmlControls.HtmlAnchor          Target                              TRUE
23. ASP.NET MVC
• Razor HTML-encodes output by default, which already defends against client-side XSS
• <p>@("<i>Hihi</i>")</p> (rendered encoded: the browser shows the literal text <i>Hihi</i>)
• <p>@Html.Label("<i>Hihi</i>")</p> (also encoded)
• @Html.Raw() outputs content without HTML encoding; use it only for markup you trust
• <p>@Html.Raw("<i>Hihi</i>")</p> (rendered as a real <i> tag: Hihi in italics)
• If you need to output a literal @, consider @("@") (Razor's @@ escape works too)
25. Improvement: requestValidation
• Enabled by default
• ASP.NET Web Form
  • Site-wide: configured in Web.config
  • Per page: configured on each Web Form page
  • Per control: configured on each control
  • Per-control and per-value opt-out is supported from ASP.NET 4.5 (requires <httpRuntime requestValidationMode="4.5">)
• <pages validateRequest="false">
• <asp:Label runat="server" ID="SearchTerm" ValidateRequestMode="Disabled"/>
• var searchTerm = Request.Unvalidated.QueryString["q"];
• Request validation only blocks obvious markup in input; it is not a substitute for output encoding
26. Improvement: ValidateInput and AllowHtml
• ASP.NET MVC does not use the Web Form page/control requestValidation switches
• On a controller or action, [ValidateInput(false)] turns request validation off for every input of that action
• On a model property, [AllowHtml] turns it off for that one property only (the narrower, preferred exemption)
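The following controller and model are an added example (not code from the course deck) showing the two MVC exemptions side by side with the encoding that must accompany them; ArticleStore, ArticleEditModel and the action names are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Model for an article editor: only Body is allowed to carry markup.
public class ArticleEditModel
{
    [Required]
    public string Title { get; set; }   // still request-validated: "<script>" here is rejected

    [AllowHtml]                         // exemption scoped to this one property
    public string Body { get; set; }
}

// Assumed in-memory persistence so the example is complete.
public static class ArticleStore
{
    private static readonly List<Tuple<string, string>> Articles = new List<Tuple<string, string>>();

    public static void Save(string title, string body)
    {
        lock (Articles) Articles.Add(Tuple.Create(title, body));
    }
}

public class ArticlesController : Controller
{
    [HttpPost]
    public ActionResult Edit(ArticleEditModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Body is untrusted markup. It is stored as-is; when rendered, the view must
        // either encode it (@Model.Body) or run it through an HTML sanitizer before @Html.Raw.
        ArticleStore.Save(model.Title, model.Body);
        return RedirectToAction("Index");
    }

    // Broad alternative: request validation is off for EVERY parameter of this action,
    // so prefer [AllowHtml] unless the whole action genuinely handles markup.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Preview(string html)
    {
        ViewBag.Encoded = Server.HtmlEncode(html);   // rendered as text, not as markup
        return View();
    }

    // Reading a single value without validation (the same HttpRequestBase.Unvalidated
    // property the Web Form slide uses); every other value on the request stays validated.
    public ActionResult Search()
    {
        string q = Request.Unvalidated.QueryString["q"];
        ViewBag.Query = q;   // Razor's @ViewBag.Query encodes it on output
        return View();
    }
}
```

Whichever exemption is used, the disabled check only stops ASP.NET from throwing on "<" in the input; the value is still untrusted and must be encoded for the context it is written into.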
Part II (3 hr, 100 pages)
Ch.3 - .NET Secure Development - Data Validation (45 mins)
Ch.4 - .NET Secure Development - Authentication & Session Management (45 mins)
Ch.5 - .NET Secure Development - .NET Framework Security (45 mins)
Ch.6 - .NET Secure Development - .NET Core and ASP.NET Core Framework Security (45 mins)
DB Owner => READ, WRITE, UPDATE, DELETE on every table in the database
http://localhost:8001/Product.aspx?ProductSubCategoryId=1 or 1=1
http://localhost:8001/Product.aspx?ProductSubCategoryId=(select+top+1%5bCardNumber%5d+from+CreditCard)
(select name from sysobjects whe)
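To show why the URLs above work against the demo page and how to close the hole, here is an added example (not the course's own Product.aspx code) with the vulnerable data access beside the fixed one. The connection-string name ProductDb, the Product table and its column names are assumed from the page's URLs.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class ProductRepository
{
    // Assumed connection-string name. Whatever it is, the login behind it should NOT be db_owner:
    // a SELECT-only user limited to the product tables makes the CreditCard subselect above fail
    // even if the injection itself is still present.
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["ProductDb"].ConnectionString;

    // VULNERABLE: the raw querystring value is concatenated into the SQL text, which is exactly
    // what lets "1 or 1=1" and "(select top 1 [CardNumber] from CreditCard)" rewrite the query.
    public static DataTable GetProductsUnsafe(string productSubCategoryId)
    {
        string sql = "SELECT * FROM Product WHERE ProductSubCategoryId = " + productSubCategoryId;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);   // SqlDataAdapter opens and closes the connection itself
            return table;
        }
    }

    // FIXED: the value is checked to be the integer it is supposed to be, then bound as a typed
    // parameter so it can never be parsed as SQL. Only the columns the page shows are selected
    // instead of SELECT *, so a stray row cannot carry columns the page was never meant to expose.
    public static DataTable GetProducts(string productSubCategoryId)
    {
        int id;
        if (!int.TryParse(productSubCategoryId, out id))
            throw new ArgumentException("ProductSubCategoryId must be an integer.", "productSubCategoryId");

        const string sql =
            "SELECT ProductId, Name, ListPrice FROM Product WHERE ProductSubCategoryId = @id";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}

// In Product.aspx.cs the call becomes:
//   var rows = ProductRepository.GetProducts(Request.QueryString["ProductSubCategoryId"]);
```

With the parameterized version, the payload "1 or 1=1" fails int.TryParse before it reaches the database; with a non-numeric column the same protection comes from the parameter binding alone, so the TryParse is the validation layer and the parameter is the real fix.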
The search term was never intended to be markup, only ever data.
XSS attacks are possible because the app allows an XSS payload to break out of the data context and change the markup context.
To mitigate the risk of XSS, we want to make sure the search term appears on the screen exactly as it was entered.
So how do we write markup to display "<i>Lager</i>" on the screen? &lt;i&gt;Lager&lt;/i&gt; (the angle brackets are HTML-encoded, so the browser renders them as text instead of parsing a tag).
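The encoding behind that answer, and the sibling encoders for the other output contexts, as an added example that is not part of the deck. It uses System.Web.HttpUtility only; BuildResultsHeading and the /search route are assumed for illustration. The same HtmlEncode call is what Razor's @searchTerm and Web Forms' <%: searchTerm %> perform for you, and it also covers the Razor slide above.

```csharp
using System;
using System.Web;

public static class OutputEncoding
{
    // Text inside an HTML element:  <i>Lager</i>  ->  &lt;i&gt;Lager&lt;/i&gt;
    // The browser now displays the brackets instead of interpreting a tag.
    public static string ForHtmlBody(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // Inside a quoted attribute (title="..."): quotes and ampersands must be encoded too,
    // otherwise the payload closes the attribute and adds onmouseover=... of its own.
    public static string ForHtmlAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value);
    }

    // Inside a JavaScript string literal (<script>var q = '...';</script>).
    public static string ForJavaScriptString(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value);
    }

    // A single querystring value. Note the Web Form table above: HtmlAnchor.HRef is NOT encoded,
    // so anything placed into an href has to be encoded (or validated) by you.
    public static string ForUrlQuery(string value)
    {
        return HttpUtility.UrlEncode(value);
    }

    // The results heading the slides discuss. The markup is fixed; every dynamic value goes
    // through the encoder for the context it lands in, so it stays data and never becomes markup.
    public static string BuildResultsHeading(string searchTerm)
    {
        return "<h2>Results for \"" + ForHtmlBody(searchTerm) + "\"</h2>"
             + "<a href=\"/search?q=" + ForUrlQuery(searchTerm) + "\""
             + " title=\"" + ForHtmlAttribute(searchTerm) + "\">Search again</a>"
             + "<script>var lastQuery = '" + ForJavaScriptString(searchTerm) + "';</script>";
    }
}
```

Calling OutputEncoding.BuildResultsHeading("<i>Lager</i>") yields a heading that shows the literal text <i>Lager</i>, a link whose query value is %3ci%3eLager%3c%2fi%3e, and a script variable containing the escaped string; the one encoder that must never be used here is no encoder at all (@Html.Raw, or Web Forms properties whose "HTML Encoded" column says FALSE).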
What’s wrong with this?
URLs are often shared (social media, email)
URLs are also often logged (proxies, web server logs)
URLs are retrievable from browser history
UseCookies is the default option, so the session/forms ticket travels in a cookie rather than in the URL.
With this approach the cookie value can only be read by someone who can get hold of your request headers.
Open a new project and walk through the DEMO.
* Switch the data connection to the database that was created.
A fixed forms timeout is the better choice (the ticket expires at an absolute time rather than sliding on each request).
The user name is also called a natural key: it appears everywhere on the site, so it is a primary key that is very easy to obtain.
Step 1. Create an empty project, but under "Add folders and core references" tick "MVC".
Step 2. Install the Microsoft.Owin.Host.SystemWeb and Microsoft.Owin.Security.Cookies packages.
Step 3. Startup.cs

using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // Authentication type that identifies this cookie
            AuthenticationType = "AuthorizeDemoCookie",
            // Redirect target when the request is not authorized
            LoginPath = new PathString("/Home/index")
        });
    }
}

Step 4. Create the Action that validates the credentials

using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

[HttpPost]
public ActionResult Login(string account, string password)
{
    LoginService service = new LoginService();
    // Check whether the login details match a user
    var userInfo = service.GetUser(account, password);
    if (userInfo == null)
    {
        // No matching user: redirect
        return RedirectToAction("Signup");
    }
    // Store the user's information as claims on the identity
    ClaimsIdentity identity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, userInfo.Name),
        new Claim("Id", userInfo.Id),
        new Claim(ClaimTypes.Role, userInfo.Group)
    }, "AuthorizeDemoCookie");
    Request.GetOwinContext().Authentication.SignIn(identity);
    // Authenticated: redirect
    return RedirectToAction("IndexPro");
}

Step 5. Protect the actions

[AllowAnonymous] // no authorization required
public ActionResult Signup()
{
    return View();
}

[Authorize] // any authenticated user may enter
public ActionResult MemberIndex()
{
    return View();
}

[Authorize(Roles = "Payer")] // authenticated and in the specified role
public ActionResult IndexPro()
{
    return View();
}

https://dotblogs.com.tw/oldnick/2017/12/22/authorize
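The Startup above uses the default cookie settings. As an added example (not from the linked blog post), here is the same registration with the options a practitioner would set before shipping, plus the sign-out action the post does not show; the cookie name, the 20-minute timeout and AccountController are assumed values for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "AuthorizeDemoCookie",
            LoginPath = new PathString("/Home/Index"),

            // Explicit name so the cookie does not collide with other apps on the same host.
            CookieName = ".AuthorizeDemo",

            // Not readable from script: document.cookie cannot leak it through an XSS bug.
            CookieHttpOnly = true,

            // Only ever sent over TLS; a ticket that rides on plain HTTP is as exposed as a
            // session id in a URL (the "What's wrong with this?" list above).
            CookieSecure = CookieSecureOption.Always,

            // Fixed (absolute) timeout: the ticket expires 20 minutes after sign-in regardless
            // of activity, which is the "fixed forms timeout" the notes recommend.
            ExpireTimeSpan = TimeSpan.FromMinutes(20),
            SlidingExpiration = false
        });
    }
}

public class AccountController : Controller
{
    // Sign-out must be a POST so a cross-site <img> or link cannot log the victim out,
    // and it names the authentication type so only this cookie is cleared.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        Request.GetOwinContext().Authentication.SignOut("AuthorizeDemoCookie");
        return RedirectToAction("Index", "Home");
    }
}
```

Note that the Login action above puts the user's Id into its own claim; that is the stable key to use for authorization decisions, not the user name, for the natural-key reason given in the notes.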
Authenticated sessions are persisted via cookies. The cookie is sent with every request to the domain.
The attacking site recreates a legitimately formed request to the target site, although the request carries a malicious payload (query string parameters or post data).
The victim's browser is tricked into issuing the request. For all intents and purposes, the target website views it as a legitimate request.
The anti-forgery mechanism generates two tokens and places them in two locations:
Form body
Cookie
Restrict cross-site requests with referrer checking
Disallow HTTP GET on risky pages
Verify that the request originates from the same host that serves the current page
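An added example (not from the course) putting the three mitigations together in ASP.NET MVC 5: the built-in anti-forgery token pair on a POST-only action, plus a small action filter that performs the referrer/origin check. SameOriginAttribute and TransferController are assumed names.

```csharp
using System;
using System.Web.Mvc;

// Rejects state-changing requests whose Origin (or Referer) points at another site.
// Defence in depth beside the anti-forgery token, not a replacement for it.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class SameOriginAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Risky actions should not be GET at all; only state-changing verbs are checked here.
        if (string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            return;

        // Browsers send Origin on cross-site POSTs; older ones only send Referer.
        string source = request.Headers["Origin"];
        if (string.IsNullOrEmpty(source) || source == "null")
            source = request.UrlReferrer != null
                ? request.UrlReferrer.GetLeftPart(UriPartial.Authority)
                : null;

        Uri sourceUri;
        string expected = request.Url.GetLeftPart(UriPartial.Authority);   // scheme://host[:port]
        bool sameOrigin = source != null
            && Uri.TryCreate(source, UriKind.Absolute, out sourceUri)
            && string.Equals(sourceUri.GetLeftPart(UriPartial.Authority), expected,
                             StringComparison.OrdinalIgnoreCase);

        if (!sameOrigin)
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site request rejected");
    }
}

public class TransferController : Controller
{
    // GET only renders the form. The view contains @Html.AntiForgeryToken(), which emits the
    // hidden __RequestVerificationToken field and sets the matching cookie: the two tokens
    // in two places listed above.
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }

    // The money-moving action is POST only. ValidateAntiForgeryToken checks that the form token
    // and the cookie token belong together; SameOrigin additionally checks the request source.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [SameOrigin]
    public ActionResult Index(string toAccount, decimal amount)
    {
        // ... perform the transfer for the authenticated user ...
        return RedirectToAction("Done");
    }

    public ActionResult Done()
    {
        return View();
    }
}
```

Two caveats for the header check: requests with neither Origin nor Referer (some privacy extensions strip both) are rejected, so it should only guard actions where a hard failure is acceptable; and behind a TLS-terminating proxy request.Url may report http while the browser sent https, in which case compare hosts only or read the forwarded scheme header.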
Configuring custom errors and tracing
Keeping packages current with NuGet
Encrypting sensitive data in the web.config
Using config transforms to keep the web.config secure
Enabling retail mode on the server
Keep packages upgradeable and update them regularly through NuGet
Encryption is a reversible process. For password storage it usually involves a single private key to both encrypt and decrypt (symmetric encryption), so whoever holds that key recovers every password.
Hashing is a one-way process. The digest of a hashed password cannot be un-hashed.
A hash is a keyless, one-way, deterministic algorithm: every time the same algorithm is run on the same password it produces the same result, which is why a per-user salt is needed to stop identical passwords producing identical hashes.