
Sunday, September 03, 2006

Managing Identity

Excellent white paper on “.NET Developer's Guide to Identity”. This white paper by Keith Brown explains the different authentication and authorization mechanisms, talks about federated identity, ADFS, security in WCF and a lot more. This is a kind of boon for developers, as all the material is available in a single place !!

InfoCard !!

MS Windows Cardspace Home -

http://msdn.microsoft.com/winfx/reference/infocard/default.aspx

Infocard blog(s):

http://blogs.msdn.com/andyhar/archive/2005/11/22/495649.aspx

Articles:

..will fill up the post as I read more info.. !!

Security Enhancements in .NET framework 2.0

Following are some of the materials explaining the security enhancements in .NET Framework 2.0:

http://blogs.msdn.com/shawnfa/archive/2005/08/24/455581.aspx

http://msdn.microsoft.com/msdnmag/issues/06/00/SecurityBriefs/default.aspx

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGPractices0001.asp

Security Practices in ASP.NET 2.0

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGPractices0001.asp


Basic questions for Security Code Review

Following are the main areas to look for security code review:

  1. SQL injection
  2. CSS (cross-site scripting)
  3. Data Access
  4. Input/Data Validation
  5. Authentication
  6. Authorization
  7. Sensitive data
  8. Unsafe code
  9. Unmanaged code
  10. Hard-coded secrets
  11. Poor error handling
  12. Web.config
  13. CAS
  14. Cryptography
  15. Undocumented public interfaces
  16. Thread Racing problems

For details look into Security Engineering Explained by MS Patterns and Practices !!


One-click attack: How to prevent it?

A one-click attack normally occurs when an attacker creates a prefilled web page (.htm or .aspx) containing a view state. The view state is generated from a previously created page, e.g. a shopping cart page with, say, 50 items. The attacker then lures an unsuspecting user into browsing the page, causing it to be posted to the server, where the view state is still valid.

To prevent this kind of attack in .NET, set Page.ViewStateUserKey in the Page_Init event to a value that is unique per user, such as the username or a value configured in web.config.
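The following code-behind is an added example (not code from the original post) showing where and how to set ViewStateUserKey. It assumes an ASP.NET 2.0 page using Forms authentication; the class name CartPage and the Session fallback for anonymous users are my own choices, not anything the post prescribes.

```csharp
// Added example (not from the original post): bind the view state of an
// ASP.NET 2.0 page to the current user so that a view state captured from one
// user's session cannot be replayed by another user. Assumes Forms
// authentication; CartPage is a hypothetical page class.
using System;
using System.Web;
using System.Web.UI;

public partial class CartPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // ViewStateUserKey must be assigned in Page_Init: by the time
        // Page_Load runs the posted view state has already been loaded and
        // its MAC has already been checked, so a later assignment is useless.
        if (Request.IsAuthenticated)
        {
            // Unique per user: the authenticated user name.
            ViewStateUserKey = User.Identity.Name;
        }
        else
        {
            // Anonymous user: tie the view state to the session instead.
            ViewStateUserKey = Session.SessionID;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The key is folded into the view state MAC. A view state that was
        // generated under a different key fails the MAC check during load,
        // and ASP.NET raises a ViewStateException (wrapped in an HttpException)
        // before any of the page's own logic runs. Nothing else is needed here.
        if (IsPostBack)
        {
            // Normal postback handling for the legitimate user goes here.
        }
    }
}
```

Two things worth checking when you wire this up: EnableViewStateMac must remain true (the .NET 2.0 default), since ViewStateUserKey only has an effect through the MAC; and Session.SessionID is only stable once something has been stored in the session, because ASP.NET hands out a fresh ID on every request for a session that has never been written to, which would make every anonymous postback fail.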

DOM based XSS attack

We have all heard of the Cross-Site Scripting attack. Basically, two types of cross-site scripting are normally explained everywhere. Non-Persistent CSS normally occurs when the input is directly echoed back to the browser, which causes the script in the input to execute. This script can steal the cookie using document.cookie and may post its value to the attacker's site. Persistent CSS occurs when the input (from the query string or form variables) is stored in the database and later retrieved and displayed on a web page, causing the script to execute.

If document.cookie can be used, why not the document object itself !! A DOM based attack works on this principle. If our code uses document.URL, document.location.href etc., these can be exploited using this technique.

In .NET, we can use requestValidate=True as a page directive to prevent this kind of attack. However, this can also be bypassed, so also use HtmlEncode and UrlEncode to tightly filter input and to write output URLs. Also, a great library called IOSEC is available which goes further in filtering malicious input.
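As an added example (not code from the original post), here is a page that echoes a query-string value the vulnerable way and the encoded way, using the HttpUtility encoders the post recommends. The page class SearchPage and the parameter name q are assumptions of mine; the directive shown in the comment is ASP.NET's ValidateRequest attribute, which is what the post refers to as requestValidate.

```csharp
// Added example (not from the original post): the same untrusted value written
// into three different HTML contexts, raw versus encoded. SearchPage and the
// query parameter "q" are hypothetical. Assumed page directive:
//   <%@ Page Language="C#" ValidateRequest="true" %>
using System;
using System.Web;
using System.Web.UI;

public partial class SearchPage : Page
{
    // Each helper returns the fragment so the encoding is easy to review in
    // isolation; the vulnerable variant is kept only for comparison.
    public static string RawParagraph(string term)
    {
        // VULNERABLE: whatever is in "term" is parsed as markup by the browser.
        return "<p>You searched for " + term + "</p>";
    }

    public static string SafeParagraph(string term)
    {
        // Element content: HtmlEncode turns < > & " into entities, so the
        // browser renders the text instead of interpreting it.
        return "<p>You searched for " + HttpUtility.HtmlEncode(term) + "</p>";
    }

    public static string SafeInput(string term)
    {
        // Attribute value: HtmlAttributeEncode escapes the quote that would
        // otherwise close the attribute. Always quote the attribute as well.
        return "<input name=\"q\" value=\"" + HttpUtility.HtmlAttributeEncode(term) + "\" />";
    }

    public static string SafeLink(string term)
    {
        // Value placed inside a URL: UrlEncode percent-encodes it so it stays a
        // single query parameter and cannot inject markup into the href.
        return "<a href=\"search.aspx?q=" + HttpUtility.UrlEncode(term) + "\">Search again</a>";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // ValidateRequest already rejects request input that looks like markup,
        // but it is a coarse filter; the encoders below are the real defence.
        string term = Request.QueryString["q"] ?? string.Empty;

        Response.Write(SafeParagraph(term));
        Response.Write(SafeInput(term));
        Response.Write(SafeLink(term));
    }
}
```

Note the limit of the server-side defences in the DOM based case: ValidateRequest and the encoders only see what reaches the server. A value that client-side script reads straight from document.location.href (for example the part after a # in the URL) never arrives at the server at all, so the client script itself must treat it as text rather than writing it into the page as markup.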

For more info about cross-site scripting:

http://www.webappsec.org/projects/articles/071105.shtml

http://crypto.stanford.edu/cs155/CSS.pdf

http://www.owasp.org/index.php/Category:OWASP_Project


Copyright © Parmeshwar Arewar