:::: MENU ::::

Monday, October 26, 2009

5 of the most common mistakes developers make when they manipulate the web.config file.

1. Custom Errors Disabled

When you disable custom errors as shown below, ASP.NET provides a detailed error message to clients by default.

Vulnerable configuration:

<configuration>

<system.web>

<customErrors mode="Off">

Secure configuration:

<configuration>

<system.web>

<customErrors mode="RemoteOnly">

In itself, knowing the source of an error may not seem like a risk to application security, but consider this: the more information a hacker can gather about a Web site, the more likely it is that he will be able to successfully attack it. An error message can be a gold mine of information to an attacker. A default ASP.NET error message lists the specific versions of ASP.NET and the .NET framework which are being used by the Web server, as well as the type of exception that was thrown. Just knowing which Web-based applications are used (in this case ASP.NET) compromises application security by telling the attacker that the server is running a relatively recent version of Microsoft Windows and that Microsoft Internet Information Server (IIS) 6.0 or later is being used as the Web server. The type of exception thrown may also help the attacker to profile Web-based applications; for example, if a "SqlException" is thrown, then the attacker knows that the application is using some version of Microsoft SQL Server.

You can build up application security to prevent such information leakage by modifying the mode attribute of the <customErrors> element to "On" or "RemoteOnly." This setting instructs Web-based applications to display a nondescript, generic error message when an unhandled exception is generated. Another way to circumvent this application security issue is to redirect the user to a new page when errors occur by setting the "defaultRedirect" attribute of the <customErrors> element. This approach can provide even better application security because the default generic error page still gives away too much information about the system (namely, that it's using a Web.config file, which reveals that the server is running ASP.NET).

2. Leaving Tracing Enabled in Web-Based Applications

The trace feature of ASP.NET is one of the most useful tools that you can use to ensure application security by debugging and profiling your Web-based applications. Unfortunately, it is also one of the most useful tools that a hacker can use to attack your Web-based applications if it is left enabled in a production environment.

Vulnerable configuration:

<configuration>

<system.web>

<trace enabled="true" localOnly="false">

Secure configuration:

<configuration>

<system.web>

<trace enabled="false" localOnly="true">

When the <trace> element is enabled for remote users of Web-based applications (localOnly="false"), any user can view an incredibly detailed list of recent requests to the application simply by browsing to the page "trace.axd." If a detailed exception message is like a gold mine to a hacker looking to circumvent application security, a trace log is like Fort Knox! A trace log presents a wealth of information: the .NET and ASP.NET versions that the server is running; a complete trace of all the page methods that the request caused, including their times of execution; the session state and application state keys; the request and response cookies; the complete set of request headers, form variables, and QueryString variables; and finally the complete set of server variables.

A hacker looking for a way around application security would obviously find the form variable histories useful because these might include email addresses that could be harvested and sold to spammers, IDs and passwords that could be used to impersonate the user, or credit card and bank account numbers. Even the most innocent-looking piece of data in the trace collection can be dangerous in the wrong hands. For example, the "APPL_PHYSICAL_PATH" server variable, which contains the physical path of Web-based applications on the server, could help an attacker perform directory traversal attacks against the system.

The best way to prevent a hacker from obtaining trace data from Web-based applications is to disable the trace viewer completely by setting the "enabled" attribute of the <trace> element to "false." If you have to have the trace viewer enabled, either to debug or to profile your application, then be sure to set the "localOnly" attribute of the <trace> element to "true." That allows users to access the trace viewer only from the Web server and disables viewing it from any remote machine, increasing your application security.

3. Debugging Enabled

Deploying Web-based applications in debug mode is a very common mistake. Virtually all Web-based applications require some debugging. Visual Studio 2005 will even automatically modify the Web.config file to allow debugging when you start to debug your application. And, since deploying ASP.NET applications is as simple as copying the files from the development folder into the deployment folder, it's easy to see how development configuration settings can accidentally make it into production, compromising application security.

Vulnerable configuration:

<configuration>

<system.web>

<compilation debug="true">

Secure configuration:

<configuration>

<system.web>

<compilation debug="false">

Like the first two application security vulnerabilities described in this list, leaving debugging enabled is dangerous because you are providing inside information to end users who shouldn't have access to it, and who may use it to attack your Web-based applications. For example, if you have enabled debugging and disabled custom errors in your application, then any error message displayed to an end user of your Web-based applications will include not only the server information, a detailed exception message, and a stack trace, but also the actual source code of the page where the error occurred.

Unfortunately, this configuration setting isn't the only way that source code might be displayed to the user. Here's a story that illustrates why developers shouldn't concentrate solely on one type of configuration setting to improve application security. In early versions of Microsoft's ASP.NET AJAX framework, some controls would return a stack trace with source code to the client browser whenever exceptions occurred. This behavior happened whenever debugging was enabled, regardless of the custom error setting in the configuration. So, even if you properly configured your Web-based applications to display non-descriptive messages when errors occurred, you could still have unexpectedly revealed your source code to your end users if you forgot to disable debugging.

To disable debugging, set the value of the "debug" attribute of the <compilation> element to "false." This is the default value of the setting, but as we will see in part two of this article, it's safer to explicitly set the desired value rather than relying on the defaults to protect application security.

4. Cookies Accessible through Client-Side Script

In Internet Explorer 6.0, Microsoft introduced a new cookie property called "HttpOnly". While you can set the property programmatically on a per-cookie basis, you also can set it globally in the site configuration.

Vulnerable configuration:

<configuration>

<system.web>

<httpCookies httpOnlyCookies="false">

Secure configuration:

<configuration>

<system.web>

<httpCookies httpOnlyCookies="true">

Any cookie marked with this property will be accessible only from server-side code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to protect Web-based applications from Cross-Site Scripting attacks. A hacker initiates a Cross-Site Scripting (also called CSS or XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable. For example, a login page that prompts for a user name and password and then displays "Welcome back, <username>" on a successful login may be susceptible to an XSS attack.

Message boards, forums, and wikis are also often vulnerable to application security issues. In these sites, legitimate users post their thoughts or opinions, which are then visible to all other visitors to the site. But an attacker, rather than posting about the current topic, will instead post a message such as "<script>alert(document.cookie);</script>". The message board now includes the attacker's script code in its page code-and the browser then interprets and executes it for future site visitors. Usually attackers use such script code to try to obtain the user's authentication token (usually stored in a cookie), which they could then use to impersonate the user. When cookies are marked with the "HttpOnly" property, their values are hidden from the client, so this attack will fail.

As mentioned earlier, it is possible to enable "HttpOnly" programmatically on any individual cookie by setting the "HttpOnly" property of the "HttpCookie" object to "true." However, it is easier and more reliable to configure the application to automatically enable "HttpOnly" for all cookies. To do this, set the "httpOnlyCookies" attribute of the <httpCookies> element to "true."

5. Cookieless Session State Enabled

In the initial 1.0 release of ASP.NET, you had no choice about how to transmit the session token between requests when your Web application needed to maintain session state: it was always stored in a cookie. Unfortunately, this meant that users who would not accept cookies could not use your application. So, in ASP.NET 1.1, Microsoft added support for cookieless session tokens via use of the "cookieless" setting.

Vulnerable configuration:

<configuration>

<system.web>

<sessionState cookieless="UseUri">

Secure configuration:

<configuration>

<system.web>

<sessionState cookieless="UseCookies">

Web applications configured to use cookieless session state now stored the session token in the page URLs rather than a cookie. For example, the page URL might change from

http://myserver/MyApplication/default.aspx to http://myserver/MyApplication/(123456789ABCDEFG)/default.aspx. In this case, "123456789ABCDEFG" represents the current user's session token. A different user browsing the site at the same time would receive a completely different session token, resulting in a different URL, such as http://myserver/MyApplication/(ZYXWVU987654321)/default.aspx.

While adding support for cookieless session state did improve the usability of ASP.NET Web applications for users who would not accept cookies, it also had the side effect of making those applications much more vulnerable to session hijacking attacks. Session hijacking is basically a form of identity theft wherein a hacker impersonates a legitimate user by stealing his session token. When the session token is transmitted in a cookie, and the request is made on a secure channel (that is, it uses SSL), the token is secure. However, when the session token is included as part of the URL, it is much easier for a hacker to find and steal it. By using a network monitoring tool (also known as a "sniffer") or by obtaining a recent request log, hijacking the user's session becomes a simple matter of browsing to the URL containing the stolen unique session token. The Web application has no way of knowing that this new request with session token "123456789ABCDEFG" is not coming from the original, legitimate user. It happily loads the corresponding session state and returns the response back to the hacker, who has now effectively impersonated the user.

The most effective way to prevent these session hijacking attacks is to force your Web application to use cookies to store the session token. This is accomplished by setting the "cookieless" attribute of the <sessionState> element to "UseCookies" or "false." But what about the users who do not accept cookies? Do you have to choose between making your application available to all users versus ensuring that it operates securely for all users? A compromise between the two is possible in ASP.NET 2.0. By setting the "cookieless" attribute to "AutoDetect", the application will store the session token in a cookie for users who accept them and in the URL for those who won't. This means that only the users who use cookieless tokens will still be vulnerable to session hijacking. That's often acceptable, given the alternative-that users who deny cookies wouldn't be able to use the application at all. It is ironic that many users disable cookies because of privacy concerns when doing so can actually make them more prone to attack.

More

Wednesday, October 7, 2009

Scenario: user clicks a button in your ASP.NET page and you want to disable it immediately using javascript so that the user cannot accidentally click it again. 

Originally I thought this was going to be simple by using the onclientclick property of the ASP.NET button server control but although that worked to disable the button, it did not continue with the form postback.  Eventually after quite a bit of Googling and some more failed attempts I figured out this solution:

MyButton.Attributes.Add("onclick", "this.disabled=true;" + Page.ClientScript.GetPostBackEventReference(MyButton, "").ToString());

Adding the javascript to disable the button to the onclick event by appending to the Attributes collection of the ASP.NET button control but then also calling the Post Back Event Reference for the button right after disabling the button.  That is why my original try at adding the javascript failed, adding the this.disabled=true to the onclientclick event then overwrote the call to the post back event. 

With the code above now the button onclick event will look something like this:

onclick="this.disabled=true;__doPostBack('MyContrl$MyButton','');"

The button is disabled AND then the button post back method is called.

More

 

Thursday, October 1, 2009

Seven Web Application Toolkits are available for download at the MSDN Code Gallery. These toolkits are aim to provide web developers with resources (such as project templates, controls, code samples, and documentation) in a consistent packaged format that can be consumed and put to use in a very short time so that they can evaluate the technology and determine if it's the right solution for their problem. An introduction to the toolkits is available on Channel 9, and the kits are available for download HERE.

The current kits are:

  • Web Application Toolkit for Internet Explorer 8 Extensibility [screencast]
    Today users can access rich information and services while they are browsing a site; it's not a trivial task to expose this content to the same users when they are not on that site. The goal of this Web Application Toolkit is to leverage the new features in Internet Explorer 8 (Web Slices, Accelerators and Visual Search Providers) to extend the reach of your web site and services also to those users that are not on your site. The Web Application Toolkit includes a set of ASP.NET Web Controls that you can use to take advantage of these IE new features in your own Web application.
  • Web Application Toolkit for Bing Search
    Bing is a powerful new Decision Engine designed to help consumers accomplish tasks and make faster, more informed decisions. The Bing Application Programming Interface (API) provides developers programmatic access to Bing, offering flexible options for building or enhancing your site or applications. This Web Application Toolkit shows how to take advantage of the Bing API to add search capabilities to your Web site by leveraging the various search results that the Bing API provides, including Web content, images, news and videos, among others. Through this Web Application Toolkit you will also discover how to use ASP.NET AJAX and jQuery to provide an enhanced and more interactive end user experience when using the Bing API.
  • Web Application Toolkit for REST Services [screencast]
    Many Web applications today are starting to expose data as REST service interfaces, so it can be accessed through APIs by other tiers of the application or even by other applications. A RESTful web service is a simple Web service implemented using HTTP and the principles of REST. REST Services focus on resources; each one is represented by a unique URI, and users interact with them via their URI using the HTTP uniform interface. This Web Application Toolkit shows how to easily add REST service interfaces for an existing Web application. The Web Application Toolkit includes a sample REST service, two sample client applications that access the REST services, one using simple ASP.NET Web Forms and a second Web application using AJAX to asynchronously invoke the REST service and finally a custom project template for Visual Studio to make it very easy to build new REST Services.
  • Web Application Toolkit for Mobile Web Applications [screencast]
    This Web Application Toolkit is designed to demonstrate how to extend an existing ASP.NET MVC Web application to provide access from mobile devices. To enable mobile access, the Web application should have views targeting each of the mobile devices to be supported. The MVC pattern helps you create applications that separate the different aspects of the application (input logic, business logic, and UI logic), while providing a loose coupling between these elements. This Web Application Toolkit provides a component called MobileCapableViewEngine that enables the Web application to show the appropriate view depending on the device's browser that is performing the request. It also includes a sample site that provides different views for Windows Mobile, IPhone, and Blackberry devices.
  • Web Application Toolkit for Template-Driven Email [screencast]
    This Web Application Toolkit is designed to demonstrate how to generate and send dynamic, template-based emails from a web application. There are many common scenarios where notification emails need to be sent to end users. Examples of these common scenarios may involve notifying a user of their newly created account, sending a new password in respond to a forgotten password request, or emailing an alert under specific business circumstances, such as the creation of a order. Typically the E-mails sent from a Web application scenario are formatted as HTML, include CSS stylesheets, and images and need to be generated dynamically with custom or user-specific data. This Web Application Toolkit includes samples that show how to use templates to generate these dynamic email bodies.
  • Web Application Toolkit for making Your Web Site Social [screencast]
    Adding social capabilities to your Web site allows you to attract new users, keep them on your Web site for longer and get them to come back more often. This Web Application Toolkit shows how, using a few lines of code with the Windows Live Messenger Web Toolkit, it is possible to add social capabilities to a Web site with instant messaging from a website to various client endpoints like Windows, Windows Mobile, Xbox 360 and Mac. Behind the scenes is a powerful set of UI Controls and a JavaScript library that connect your website to the Messenger Service which is used by 330 million users around the world.
  • Web Application Toolkit for FAQs [screencast]
    The majority of web sites have the need to display a list of frequently asked questions to their users. Although it's not difficult to create a simple set of FAQ pages, creating a great user experience that supports searching for FAQs, filtering, and paging, can become more difficult. Furthermore, this is often common functionality that has to be implemented repeatedly in multiple Web sites. This Web Application Toolkit is designed to provide a starting set of code including ASP.NET pages, data access logic, and database schemas, for integrating Frequently Asked Questions into your own ASP.NET MVC Web application.

 

These samples are designed to up and running in no time (seriously!), you can use these with the Microsoft Web Platform Installer. Give them a try … and if you're a professional web developer, designer, or startup, check out Microsoft WebSpark for opportunities to get visibility, support, and software at no upfront costs!

 

THE ERROR:

HTTP Error 500.19 - Internal Server Error with Error Code: 0x80070021
The requested page cannot be accessed because the related configuration data for the page is invalid.

ERROR DETAILS:

Module: RequestFilteringModule
Notification: BeginRequest
Handler: StaticFile
Error Code: 0x80070021
Config Error:
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Config File: \\?\C:\RnDInternet\web.config

152: <security>
153: <requestFiltering allowDoubleEscaping="true"/>
154: </security>

ERROR SCREEN SHOT:

More