C# and ASP.NET Code and Data-Access Security
1. ASP.NET Security
Darren Sim
MVP (ASP.NET / IIS)
Member, Microsoft Developer Guidance Web Advisory Council
Director, Singapore Software Quality Testing Board (SGTQB)
3. Authentication
• Authentication in ASP.NET
– IIS authentication
– ASP.NET authentication
• ASP.NET authentication providers
– Forms, Windows, Passport, Default, and Custom
4. Forms Authentication
• Authenticates with a ticket carried in a cookie (or in the URL in cookieless mode)
• The ticket, not server-side session state, is the proof of identity; it is checked on every request
• Serve the logon page over SSL/TLS so the credentials (and the cookie) are not sent in the clear
• Often used for personalization
6. Forms Authentication Configuration
• Enable anonymous access in IIS
• Configure <authentication> section
– Set mode to "Forms"
– Add the <forms> section
• Configure <authorization> section
– Deny access to anonymous user
• Create logon page
– Validate the user
– Provide authentication cookie
– Redirect the user to the requested page
7. <forms> Section Attributes
• loginUrl: unauthenticated requests are redirected to this page
• name: name of the authentication cookie
• path: path of the authentication cookie
• protection: All | None | Encryption | Validation (All encrypts and signs the ticket; anything less lets a client read or tamper with it)
• timeout: authentication cookie expiration time in minutes
• requireSSL (ASP.NET 1.1 and later): marks the cookie Secure so the browser sends it only over HTTPS
<authentication mode="Forms">
    <forms name=".ASPXAUTH"
        loginUrl="login.aspx"
        protection="All"
        timeout="30"
        path="/" />
</authentication>
8. Forms Authentication Code
' FormsAuthentication.Authenticate checks the name/password against the
' <credentials> list in Web.config
If FormsAuthentication.Authenticate(txtUserName.Value, txtUserPass.Value) Then
    ' Issue the authentication cookie (persistent if the box is checked)
    ' and send the user back to the page originally requested
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
        chkPersistCookie.Checked)
Else
    ' Back to the logon page; do not reveal which part was wrong
    Response.Redirect("logon.aspx", False)
End If
9. Windows Authentication
• Used in combination with the IIS authentication schemes: Basic, NTLM, Digest, Kerberos (Integrated), and so forth
• The user is authenticated by IIS; ASP.NET only picks up the identity
• Easiest of all to set up; suited to intranet users who already have Windows accounts
• Request flow
– Client makes request
– IIS authenticates request, forwards to ASP.NET
– Impersonation turned on? If so, ASP.NET runs the request as the authenticated user; if not, as the worker process account
– ASP.NET returns response to client
10. Windows Authentication Configuration
• Set mode to "Windows"
• Configure <authorization> section
• Example: deny anonymous users (?) and allow everyone else (*)
<authentication mode="Windows" />
<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>
11. Authorization
• Process of determining whether a user is allowed to perform a
requested action
• File-based authorization
– Performed by FileAuthorizationModule
– Performs checks against Windows ACLs
• Custom – handle AuthorizeRequest event
– Application level (global.asax)
– HTTP module (implement IHttpModule)
• URL-based authorization
– Performed by UrlAuthorizationModule
– Positive and negative assertions
– Can selectively allow or deny access to URI namespaces
12. URL Authorization Configuration
• Add <authorization> section
• Add <allow> and <deny> sections
• Example: allow "Admins" or "WebUsers" and deny all others (rules are evaluated top to bottom and the first match wins, so the deny must come last):
<authorization>
    <allow roles="Admins" />
    <allow roles="WebUsers" />
    <deny users="*" />
</authorization>
13. Architecture of a Three-Tier Application
[Diagram] Client (supporting software, application user interface) -> Application Server (user interface, application logic, database API) -> DBMS / Database Server (database engine, database)
14. Architecture of a Four-Tier Application
[Diagram] Client (supporting software, application user interface) -> Web Server (user interface) -> Application Server (application logic, database API) -> DBMS / Database Server (database engine, database)
15. ADO .NET
ADO.NET is the database API for managed applications (application servers) to talk to database servers (DBMS: database management systems).
a database API for managed applications;
a set of classes in the .NET FCL System.Data namespace;
designed to work over the Web;
integrates with XML;
maps well to the stateless, text-based HTTP protocol (a disconnected DataSet needs no open connection between requests);
accesses databases through modules known as data providers (a set of APIs that make the accesses easy to program).
16. Two Data Providers
1. The SQL Server .NET provider
interfaces to Microsoft SQL Server (7.0 or later)
all managed code (talks TDS to the server directly, with no OLE DB layer)
code runs faster
code not portable to other databases
2. The OLE DB .NET provider
OLE: Object Linking and Embedding
interfaces to databases through unmanaged OLE DB providers: SQLOLEDB for SQL Server (6.5 or earlier), MSDAORA for Oracle, and Microsoft.Jet.OLEDB.4.0 for the Microsoft Jet database engine
code runs slower (every call crosses into unmanaged code)
code portable to other databases
17. The System.Data.SqlClient and System.Data.OleDb Namespaces
Classes in System.Data.SqlClient are for the SQL Server .NET provider
using System.Data.SqlClient;

// sa with a blank password, as on the original slide; slide 47 explains why a
// least-privilege application login should be used instead
SqlConnection conn = new SqlConnection
    ("server=localhost;database=pubs;uid=sa;pwd=");
try {
    conn.Open ();
    SqlCommand cmd = new SqlCommand ("select * from titles", conn);
    SqlDataReader reader = cmd.ExecuteReader ();
    while (reader.Read ()) Console.WriteLine (reader["title"]);
} catch (SqlException ex) {
    Console.WriteLine (ex.Message);   // log it; never echo ex.Message to a web client
} finally {
    conn.Close ();   // runs whether or not an exception was thrown
}
18. The System.Data.SqlClient and System.Data.OleDb Namespaces
Classes in System.Data.OleDb are for the OLE DB .NET provider
using System.Data.OleDb;

// same sa/blank-password string as on the slide; see slide 47
OleDbConnection conn = new OleDbConnection
    ("provider=sqloledb;server=localhost;database=pubs;uid=sa;pwd=");
try {
    conn.Open ();
    OleDbCommand cmd = new OleDbCommand ("select * from titles", conn);
    OleDbDataReader reader = cmd.ExecuteReader ();
    while (reader.Read ()) Console.WriteLine (reader["title"]);
} catch (OleDbException ex) {
    Console.WriteLine (ex.Message);   // log it; never echo ex.Message to a web client
} finally {
    conn.Close ();
}
19. Pattern of database programming
Create a connection object.
Open the connection.
Create a command object.
Execute the command.
Access the data.
Close the connection.
20. Connections, Commands, and DataReaders
Connection objects represent physical connections to a
database.
SqlConnection or OleDbConnection
Command objects represent the commands performed on
a database.
SqlCommand or OleDbCommand
DataReader objects represent the data obtained by the
commands.
SqlDataReader or OleDbDataReader
21. Connection Objects
The SqlConnection class
The ConnectionString property
SqlConnection conn = new SqlConnection ();
conn.ConnectionString = "server=localhost;database=pubs;uid=sa;pwd=";
or
SqlConnection conn = new SqlConnection
    ("server=localhost;database=pubs;uid=sa;pwd=");
Errors in the connection string are not caught by the compiler; they surface only as exceptions at run time (an unknown keyword when the property is set, a bad server name or bad credentials when Open is called).
22. Connection String Keywords
Server
Server=localhost or Server=(local) or Data Source=(local)
SQL Server permits several named instances to be installed on one machine.
server=db1 (a database server computer named "db1" at the CS department of UA)
server=hawkeye\wintellect (an instance of SQL Server named Wintellect on a remote machine named Hawkeye; the backslash separates machine and instance)
Database or Initial Catalog: database name (e.g. Pubs)
UID or User ID, Pwd or Password: the SQL Server login name and password (the slide's example values: tempdb, tempdb)
23. Connection String Keywords (continued)
Min Pool Size and Max Pool Size: the size of the connection pool (the defaults are 0 and 100)
Integrated Security: defaults to false; when true (or SSPI) the Windows access token of the process (or of the impersonated user) is used for authentication, so no password appears in the connection string.
Connect Timeout: how many seconds to wait for a connection to open (default 15).
SqlConnection conn = new SqlConnection
    ("server=hawkeye\\wintellect;database=pubs;uid=sa;pwd=;" +   // backslash escaped in C#
     "min pool size=10;max pool size=50;connect timeout=10");
24. Exceptions and Closing Open Connections
Exceptions should never go uncaught, and open connections should always be closed before terminating. (Calling Close on a connection that's not open isn't harmful.)
SqlConnection conn = new SqlConnection
    ("server=localhost;database=pubs;uid=sa;pwd=");   // created before the try block so finally can see it
try {
    conn.Open ();
    // TODO: Use the connection
}
catch (SqlException e) {
    Console.WriteLine (e.Message);   // log server-side; show the client only a generic error
    // TODO: Handle the exception
}
finally {
    conn.Close ();   // runs whether or not an exception was thrown
}
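The same open/query/close pattern written with C# using blocks, as an added example that is not code from the original slides. Dispose on a SqlConnection calls Close, so the connection is released even when Open or ExecuteReader throws, without a hand-written finally block. The appSettings key "pubsConnection", the integrated-security connection string and the TitleQueries class are assumptions for the example; ConfigurationManager is the .NET 2.0 replacement for ConfigurationSettings and needs a reference to System.Configuration.dll.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class TitleQueries
{
    // Assumed <appSettings> entry, e.g.
    //   <add key="pubsConnection"
    //        value="server=(local);database=pubs;Integrated Security=SSPI" />
    // With integrated security no login or password sits in Web.config at all.
    private static string ConnectionString
    {
        get { return ConfigurationManager.AppSettings["pubsConnection"]; }
    }

    // Titles of the given type priced at or below maxPrice.
    public static List<string> TitlesUpTo(string type, decimal maxPrice)
    {
        List<string> titles = new List<string>();

        // using = try/finally { Dispose() }; for SqlConnection, Dispose calls Close.
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "select title from titles where type = @type and price <= @max";
            cmd.CommandTimeout = 10;
            // Typed, sized parameters: the values are sent as data and can never
            // be parsed as SQL (in pubs, type is char(12) and price is money).
            cmd.Parameters.Add("@type", SqlDbType.Char, 12).Value = type;
            cmd.Parameters.Add("@max", SqlDbType.Money).Value = maxPrice;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    titles.Add(reader.GetString(0));
            }   // reader closed here, even if Read() threw
        }       // conn closed here, even if Open() or ExecuteReader() threw
        return titles;
    }
}
```

Call TitlesUpTo inside a try/catch for SqlException at the page level: log the exception server-side and show the client a generic message, because the exception text carries server and schema details.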
25. Command Classes: SqlCommand and OleDbCommand
– Encapsulate SQL commands performed on a database.
– Rely on an established connection.
– Include methods to execute the commands they encapsulate.
Example: delete a record from the Pubs database's "Titles" table using an SQL DELETE command:
SqlCommand cmd = new SqlCommand
    ("delete from titles where title_id = 'BU1032'", conn);
cmd.CommandTimeout = 10;   // Allow 10 seconds; the default is 30.
cmd.ExecuteNonQuery ();    // Execute the command
26. The ExecuteNonQuery Method
For executing DML and DDL commands: CREATE, INSERT, UPDATE, DELETE, ...
No data comes back; the return value is the number of rows affected (-1 for DDL).
Examples:
SqlCommand cmd = new SqlCommand
    ("create database MyDatabase", conn);
cmd.ExecuteNonQuery ();

SqlCommand cmd = new SqlCommand
    ("create table titles ...", conn);
cmd.ExecuteNonQuery ();

SqlCommand cmd = new SqlCommand
    ("insert into titles (title_id, title, type, pubdate) " +
     "values ('JP1001', 'Programming Microsoft .NET', " +
     "'business', 'May 2002')", conn);
cmd.ExecuteNonQuery ();
27. The ExecuteNonQuery Method
SqlCommand cmd = new SqlCommand
    ("update titles set title_id = 'JP2002' " +
     "where title_id = 'JP1001'", conn);
cmd.ExecuteNonQuery ();

SqlCommand cmd = new SqlCommand
    ("delete from titles where title_id = 'JP2002'", conn);
cmd.ExecuteNonQuery ();
28. The ExecuteScalar Method
Executes a query and returns the first column of the first row of the result set; used for single-value results such as COUNT, AVG, MIN, MAX and SUM.
SqlCommand cmd = new SqlCommand
    ("select min (price) from titles", conn);
// The cast throws InvalidCastException when the result is NULL (DBNull.Value)
decimal amount = (decimal) cmd.ExecuteScalar ();
Console.WriteLine ("ExecuteScalar returned {0:c}", amount);
29. The ExecuteScalar Method
Another common use for ExecuteScalar is to retrieve BLOBs (binary large objects) from databases.
For example, retrieving an image from the "Logo" field of the Pubs database's "Pub_info" table and wrapping it in a bitmap:
using System.IO;
using System.Drawing;
using System.Data.SqlClient;

SqlCommand cmd = new SqlCommand
    ("select logo from pub_info where pub_id='0736'", conn);
// Throws InvalidCastException if the row is missing or logo is NULL
byte[] blob = (byte[]) cmd.ExecuteScalar ();
MemoryStream stream = new MemoryStream (blob);   // the slide omits creating the stream
Bitmap bitmap = new Bitmap (stream);
// GDI+ requires the stream to stay open for the lifetime of the Bitmap;
// close it only after the bitmap has been disposed.
30. Write a BLOB to a database.
FileStream stream = new FileStream ("Logo.jpg", FileMode.Open, FileAccess.Read);
byte[] blob = new byte[stream.Length];
int offset = 0, n;
// Read may return fewer bytes than requested, so loop until the buffer is full
while (offset < blob.Length && (n = stream.Read (blob, offset, blob.Length - offset)) > 0)
    offset += n;
stream.Close ();
SqlCommand cmd = new SqlCommand
    ("insert into pub_info (pub_id, logo) values ('9937', @logo)", conn);
// Typed parameter (needs using System.Data;). The slide's Add(name, object)
// overload is obsolete from .NET 2.0 on because it is ambiguous with Add(name, SqlDbType).
cmd.Parameters.Add ("@logo", SqlDbType.Image).Value = blob;
cmd.ExecuteNonQuery ();
31. The ExecuteReader Method
For performing database queries and obtaining the results as quickly and efficiently as possible.
Returns a DataReader object.
Rows are streamed from the server as Read is called; the client never holds every record satisfying the query in memory.
SqlCommand cmd = new SqlCommand ("select * from titles", conn);
SqlDataReader reader = cmd.ExecuteReader ();
while (reader.Read ()) Console.WriteLine (reader["title"]);
Each call to Read advances to the next row of the result set and returns false when there are no more.
The indexer extracts the value of the current record's "title" field.
Fields can be referenced by name or by numeric index (0-based).
32. DataReader
Reads data.
Reads schema (metadata).
Stream-based access to the results of database queries.
Fast and efficient.
Read-only and forward-only.
Closing a DataReader: reader.Close()
does NOT close the connection; it only frees the connection for other commands (unless the reader was created with CommandBehavior.CloseConnection).
Defensive programming: close the reader and the connection in a finally block so they are released even when an exception is thrown.
33. DataSets
Set-based Database Accesses
capture an entire query in memory
support backward and forward traversal
edit data and propagate the changes back to the
database.
34. DataSet, DataTable and DataAdapter
.NET supports set-based database access through three classes:
DataSet: the equivalent of an in-memory database.
It consists of a collection of DataTables.
DataTables are created by a DataAdapter (SqlDataAdapter or OleDbDataAdapter).
A DataSet doesn't interact with the database directly; the DataAdapter reads the physical data source and fills the DataTables and DataSets.
35. DataSets vs. DataReaders
To simply query a database and read through the records one at a time until you find the one you're looking for, a DataReader is the right tool.
DataReaders (1) retrieve only the data that you actually use, and (2) don't consume memory storing every record that you read, but (3) they can't iterate backward.
To use all the query results, to iterate backward and forward through a result set, or to cache the result set in memory, use a DataSet.
Many controls that support DataSets are perfectly capable of binding to DataReaders.
36. DataGrid (GUI)
• DataGrid is an ASP control for displaying datasets.
• Database displaying procedure:
– Use DataAdapter to get data from the database.
– Fill the data into a DataSet
– Bind the DataSet to a DataGrid
– Select the fields (columns) to be displayed and their header texts.
38. Example: DataAdapter, DataSet and DataGrid (GUI)
void Page_Load (Object sender, EventArgs e)
{
    if (!IsPostBack) {
        // connection string from <appSettings> in Web.config, not from source code
        string connectString =
            ConfigurationSettings.AppSettings["connectString"];
        // SqlDataAdapter (the slide's "MySqlDataAdapter"): select text plus connection string
        SqlDataAdapter adapter = new SqlDataAdapter
            ("select * from titles where price != 0", connectString);
        DataSet ds = new DataSet ();
        adapter.Fill (ds);               // opens the connection, fills the DataSet, closes it again
        MyDataGrid.DataSource = ds;
        MyDataGrid.DataBind ();          // bind data to the GUI
    }
}
39. Transaction Commands
A transaction is a logical unit of operations grouped together.
If one of the operations fails, the others fail with it (they are rolled back).
Distributed transactions are transactions that span two or more databases.
The .NET Framework supports distributed transactions (through System.EnterpriseServices).
ADO.NET supports local transactions (one connection, one database) directly:
40. Transacted Commands
// Start a local transaction
SqlTransaction trans = conn.BeginTransaction (IsolationLevel.Serializable);
// Create and initialize a SqlCommand object; commands must be enlisted explicitly
SqlCommand cmd = new SqlCommand ();
cmd.Connection = conn;
cmd.Transaction = trans;
try {
    // Debit $1,000 from account 1111
    cmd.CommandText = "update accounts set balance = " +
        "balance - 1000 where account_id = '1111'";
    cmd.ExecuteNonQuery ();
    // Credit $1,000 to account 2222
    cmd.CommandText = "update accounts set balance = " +
        "balance + 1000 where account_id = '2222'";
    cmd.ExecuteNonQuery ();
    // Commit the transaction (commit changes)
    trans.Commit ();
}
catch (SqlException) {
    trans.Rollback ();   // undo the debit if the credit failed; the slide omits this
    throw;
}
41. Transacted Commands
IsolationLevel.Serializable holds locks on the rows (and key ranges) the transaction touches until it ends, so other transactions can neither modify them nor read the uncommitted values; it is the strictest level and the one most prone to blocking and deadlocks.
Committing the transaction writes the changes to the database; rolling back discards them.
42. Uses a DataGrid to display a DataSet loaded from XML
DataSet ds = new DataSet ();
ds.ReadXml (Server.MapPath ("Bonuses.xml"));
MyDataGrid.DataSource = ds;
MyDataGrid.DataBind ();
43. SQL Injection
• How do web pages work?
• Input comes from text box web controls
• and from the query string
• The values are concatenated into a SQL command, for example to
– search a knowledge base
– page through results
– look up a specific record
• check user credentials
44. What really exists
• Don't build LIKE patterns from raw input
– What is convenient for the user is convenient for the attacker
string sql = "select * from KB where content like '" + search.Text + "'";
• Hacker types: %
string sql = "select * from KB where content like '%'";
– Every row of the knowledge base comes back
• The same applies to user authentication (next slide)
45. SQL Injection Attack
• The developer concatenates SQL statements
string sql = "select * from Users where user ='" + User.Text + "' and pwd='" + Password.Text + "'";
• Hacker types: ' or 1=1 --
string sql = "select * from Users where user ='' or 1=1 --' and pwd=''";
• The -- comments out the password check; the result is the first row of the table
– maybe the Admin
46. SQL Injection Attack
• Take over control
• User types: ; xp_cmdshell 'format c: /q /yes '; drop database myDB; --
select * from tabelle where id=1;
xp_cmdshell 'format c: /q /yes ';
drop database myDB; --
• Result: the attacker can do anything the application's database login can
– xp_cmdshell is available to sa/sysadmin, and if the SQL Server service runs as LocalSystem the command runs with system privileges
47. SQL Injection Attack: limiting the damage
• Never connect as "sa"
– Older installations shipped with a blank sa password
– Attackers know exactly what sa can do
– Prefer trusted (Windows integrated) security
– Otherwise use a dedicated application login
• granted only the access rights the application needs
• Storing connection strings
– In Web.config, not in source code
• Encrypted, not in clear text (a hash is of no use here: the string must be recovered to connect; .NET 2.0 protected configuration can encrypt the section)
– In an error case (detailed error page, stack trace) source code is often exposed
48. Best Solution
• Use parameterized SELECTs
sql = "select * from Users where [user] = @user and pwd = @pwd";
SqlCommand cmd = new SqlCommand(sql, con);
// typed, sized parameters; Add(name, object) is obsolete from .NET 2.0 on
cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = User.Text;
cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 128).Value = Password.Text;
• Use stored procedures, called with parameters (a stored procedure that concatenates its arguments into dynamic SQL is just as injectable)
• Cookie and URL (querystring) values are input too and need the same treatment
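The vulnerable lookup from slide 45 beside the parameterized one from slide 48, with slide 8's logon handler rewritten in C# on top of it. This is an added example, not code from the original slides: the class and method names, the column sizes, the "pubsConnection" appSettings key and the lblError label are assumptions. The column name user is bracketed because USER is a reserved word in T-SQL.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class UserLookup
{
    // VULNERABLE (slide 45): request values are spliced into the SQL text.
    // With user = "' or 1=1 --" and any password the text becomes
    //   select * from Users where [user] = '' or 1=1 --' and pwd = ''
    // and the first row of Users, possibly the administrator, "logs in".
    public static string VulnerableSql(string user, string pwd)
    {
        return "select * from Users where [user] = '" + user
             + "' and pwd = '" + pwd + "'";
    }

    // SAFE (slide 48): the SQL text is a constant; the values travel as typed
    // parameters and cannot change the structure of the statement.
    public static bool Authenticate(SqlConnection conn, string user, string pwd)
    {
        const string sql =
            "select count(*) from Users where [user] = @user and pwd = @pwd";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Add(name, type, size).Value works on every ADO.NET version;
            // Add(name, object) is obsolete from .NET 2.0 on.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            // The slide's schema stores pwd in clear; in practice store a
            // salted hash and compare the hash of the submitted password here.
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 128).Value = pwd;
            return (int)cmd.ExecuteScalar() == 1;
        }
    }
}

// Slide 8's logon handler in C#, using the parameterized lookup instead of
// the <credentials> list that FormsAuthentication.Authenticate consults.
// Control names follow the slide; btnLogin_Click is wired up in the .aspx markup.
public class LogonPage : Page
{
    protected TextBox txtUserName;
    protected TextBox txtUserPass;
    protected CheckBox chkPersistCookie;
    protected Label lblError;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        bool ok;
        using (SqlConnection conn =
               new SqlConnection(ConfigurationManager.AppSettings["pubsConnection"]))
        {
            conn.Open();
            ok = UserLookup.Authenticate(conn, txtUserName.Text, txtUserPass.Text);
        }

        if (ok)
            // Issues the forms ticket and returns the user to the page first requested.
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text,
                                                      chkPersistCookie.Checked);
        else
            // Same message whether the user name or the password was wrong.
            lblError.Text = "Invalid user name or password.";
    }
}
```

VulnerableSql is kept only to show what the server receives; it must never be executed. Authenticate returns true only for exactly one matching row, so the `or 1=1` payload (which would match every row) fails the count check as well as the parameterization.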
49. Cross-site scripting
• User input is stored in the database
• Database content is presented to other users
• Injection of
– HTML code
– JScript code
• A different kind of denial of service: an unclosed tag swallows the rest of the page
<script>
• Redirect the user to a dialer page (window.navigate is Internet Explorer-specific)
<script language=Jscript>window.navigate('net.htm');</script>
50. Cross-site scripting
• Don't trust the user
– Use validator controls
– Use regular expressions (whitelist what the field may contain)
• Removing < > " ' % ; ) ( & + - is a blacklist and is easy to get around; encoding on output is the reliable defence
– Check the length
– Use Server.HtmlEncode when writing stored content into the page
• .NET 1.1
– Request validation rejects HTML in posted fields by default
– The page attribute ValidateRequest="false" switches it off; leave it on
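Output encoding and whitelist validation for the stored content described on slides 49 and 50, as an added example that is not code from the original slides. The SafeOutput class, the comment/link rendering and the display-name rule are assumptions; the HttpUtility methods are the standard System.Web ones that Server.HtmlEncode wraps.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class SafeOutput
{
    // Encode at the point of output: "<script>" becomes "&lt;script&gt;" and is
    // displayed as text instead of being executed by the browser.
    public static string RenderComment(string storedComment)
    {
        return "<p class=\"comment\">" + HttpUtility.HtmlEncode(storedComment) + "</p>";
    }

    // Attribute context needs its own encoding, and the attribute must be quoted.
    // HtmlEncode alone would let "javascript:..." survive as a working href,
    // so the URL scheme is whitelisted first.
    public static string RenderLink(string storedTitle, string storedUrl)
    {
        if (storedUrl == null || !Regex.IsMatch(storedUrl, @"^https?://[^\s""'<>]+$"))
            storedUrl = "#";
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(storedUrl) + "\">"
             + HttpUtility.HtmlEncode(storedTitle) + "</a>";
    }

    // Slide 50's input filter in whitelist form: accept only what the field needs.
    // Assumed rule for a display name: letters, digits, space, dot, hyphen, 1-40 chars.
    public static bool IsValidDisplayName(string input)
    {
        return input != null && Regex.IsMatch(input, @"^[\p{L}\p{Nd} .\-]{1,40}$");
    }
}
```

Validation at input and encoding at output are complementary: the validator keeps junk out of the database, the encoder makes whatever is in the database harmless in the page, including data that arrived through a path that was never validated.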
51. HTTP Harvesting
• Database-driven web sites display records based on
– text input, querystring, or cookie values
• The HTTP interface becomes a query language against your database
• A DataGrid list with a detail link, e.g. Detail.aspx?id=1, lets anyone walk every record by incrementing the id
• Attaching to sessions and following page links the same way
• Harvested e-mail addresses end up with spammers
52. Prevent HTTP harvesting
• Encrypt querystring values so record identifiers cannot be guessed or incremented
• Require user input (text box search) instead of exposing identifiers in links
• Use JScript to write the data on the client
• Draw the data as an image
– System.Drawing
• Monitor web usage for enumeration patterns
• Third-party review
53. Canonicalization
• The same value has many encodings in URLs, querystrings and file names
– %20 = " "
• An IP address can be written as a single decimal number
• Compare values only after decoding to one canonical form
– HtmlDecode / UrlDecode first, then check
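A canonicalize-then-compare check for a file name taken from the querystring, as an added example that is not code from the original slides. The Canonical class, the download root folder and the rejection of double-encoded input are assumptions for the example; Path.GetFullPath resolves "..", absolute paths and alternate separators, so the comparison is made on the resolved path rather than on the raw string.

```csharp
using System;
using System.IO;
using System.Web;

public static class Canonical
{
    // Resolve the requested name against the download folder and verify that
    // the result is still inside it. Catches "..\", "%2e%2e", absolute paths and
    // mixed separators, because GetFullPath normalizes all of them first.
    public static bool IsInsideRoot(string root, string requestedName)
    {
        if (requestedName == null || requestedName.Length == 0)
            return false;

        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;

        // %20 -> " ", %2e -> "." ; decode exactly once and reject input that
        // would still change under a second decode (double-encoded payloads).
        string decoded = HttpUtility.UrlDecode(requestedName);
        if (decoded != HttpUtility.UrlDecode(decoded))
            return false;

        string target;
        try
        {
            target = Path.GetFullPath(Path.Combine(rootFull, decoded));
        }
        catch (ArgumentException) { return false; }      // illegal characters, e.g. NUL
        catch (NotSupportedException) { return false; }  // stray colon, e.g. "c:x"
        catch (PathTooLongException) { return false; }

        // Compare the canonical forms; ordinal comparison, case-insensitive as Windows is.
        return target.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase);
    }
}
```

With root "C:\site\downloads", "report.pdf" and "sub%20dir/report.pdf" pass, while "..%2f..%2fweb.config", "C:\windows\win.ini" and "%252e%252e" are rejected, the last because decoding it twice still changes it.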
54. Architecture
• Operating system
– Reduce the rights of the accounts the web and SQL services run under
• Never use administrator rights
– Switch off unused services and ports
• Web farm
– Use IPsec to encrypt traffic
• between SQL Server and the web application
• Session management
– IP restrictions
• Change commonly used defaults
– Directories, users, paths