Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will take a look at the authentication and authorization security features built into the ASP.NET MVC framework.
Implementing authentication and authorization mechanisms into a web application with a powerful ASP.NET Identity system has become a trivial task. The ASP.NET system was originally created to satisfy membership requirements, covering Forms Authentication with a SQL Server database for user names, passwords and profile data. It now includes a more substantial range of web application data storage options.
One of the advantages of the ASP.NET system is its two-folded usage: it may be either added to an existing project or configured during the creation of an application. ASP.NET Identity libraries are available
Eric Johnson is an instructor with the SANS Institute for DEV544: Secure Coding in .NET: Developing Defensible Applications, and an information security engineer at a financial institution, where he is responsible for secure code review assessments of Internet facing web applications. Eric has spent nine years working in software development with over five years focusing on ASP .NET web application security. His experience includes software development, secure code review, risk assessment, static source code analysis, and security research. Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University. He currently holds the CISSP and GSSP-.NET certifications and is located in Las Vegas, NV.
The .NET 4.0 & 4.5 frameworks introduced new syntax shortcuts to HTML encode dynamic ...
James Jardine is a senior security consultant at Secure Ideas and the founder of Jardine Software. James has spent over twelve years working in software development with over seven years focusing on application security. His experience includes penetration testing, secure development lifecycle creation, vulnerability management, code review, and training. He has worked with mobile, web, and Windows development with the Microsoft .NET framework. James is a mentor for the Air Force Association's Cyber Patriot competition. He currently holds the GSSP-NET, CSSLP, MCAD, and MCSD certifications and is located in Jacksonville, Florida.
This is the second in a series of interviews with appsec experts about threat modeling.
1. Threat Modeling is supposed to be one of the most effective and fundamental practices in secure software development. But a lot of teams that are trying to do secure development ...
ASP.Net Forms Authentication is a great way to authenticate users for the application. Microsoft has done a really good job at implementing this to make it simple and straightforward for developers. Forms Authentication allows for a user to enter their user name / password combination for an application and have that validated against a backend data source. There are some built in providers to help make this a pretty seamless and painless process for developers. The basic workflow for forms authentication is:
- User attempts to access a resource (details.aspx).
- Server requires the user to be authenticated and redirects the user to the login page (login.aspx).
- User enters user name and password and submits these to the server.
- Server Validates the credentials and if valid, creates an authentication cookie (most common) and sends it back to the user.
- With valid cookie, user no longer needs to enter a user ...
It was recently announced that there is a vulnerability in ASP.Net Forms Authentication. The vulnerability allows an attacker to assume the identity of another user within the application without the need to know the victim's password. This is a critical vulnerability as it could allow users to execute commands they do not have access to. There are a few requirements that are needed for an application to be vulnerable:
The application must be using Forms Authentication to perform the authentication of each user.
The application must allow the user to control their user name.
The attacker must know, or be able to guess, the username of an existing user.
This vulnerability allows an attacker to impersonate another valid user in the system by tricking the system into creating the forms authentication ticket for the wrong user. Here is how the attack would work:
- The attacker knows the user name of a valid user of the application.
- The ...