In this article I would like to explain some security measures that you should be aware of while developing a secure ASP.NET MVC application. Here I am explaining:
- CSRF (Cross Site Request Forgery)
When you authenticate a user, you are verifying the identity of that user. If you need to verify a user in an MVC application, it is probably because you are building an application that restricts access to specific users. This is completely separate from authorization, which is determining whether a specific person is allowed to perform a certain action.
There are two authentication mechanisms in MVC:
Forms-based authentication provides an input form where users can enter their username and password, together with the logic in the application needed to validate those credentials. MVC provides a lot of infrastructure support for Forms Authentication. Forms Authentication is highly customizable: you can customize everything from the sign-in form to where the credentials are stored and how those credentials are validated. Forms Authentication in ASP.NET relies on cookies by default. Once the user has signed in to an application, the runtime can issue a cookie to the browser. The browser will then send the cookie with every subsequent request to the application. ASP.NET will see the cookie and know that the user is already authenticated and does not need to sign on again. Note: a word of warning, SSL is required to make Forms Authentication secure. If you are running the application over plain HTTP, anybody snooping on the network can see the user's credentials.
Windows Authentication is also known as integrated authentication because components built in to the Windows operating system are used to authenticate users. Once a user is logged in to a domain, Windows can automatically authenticate them to the application. Windows Authentication is commonly used in intranet applications that run inside a company's firewall, where all of the users are logged in to a Windows domain. It provides a single sign-on experience: users sign on once to the domain and can be authenticated to several intranet applications.
When do we choose Forms Authentication and when Windows Authentication?
- If you want to build a public website, Forms Authentication is best because it can be used outside of a Windows domain.
- If you want to build an intranet application that runs with Windows identities, use Windows Authentication.
How is Forms Authentication configured?
First we need to change the configuration in web.config like below.
This bit of configuration tells the runtime that when we need to authenticate the user, it should redirect the browser to /Account/Logon. This Account controller and this Logon view, as well as some other views, allow me to register on the site. These are provided by default in the ASP.NET MVC Internet Application template. Everything needed for Forms Authentication comes along with this template.
Selecting the Forms Authentication template: open Visual Studio 2010 >> New Project >> select ASP.NET MVC4 Web Application, then select the Internet Application template, which gives us everything needed for Forms Authentication such as the AccountController, views etc., and click OK.
The Authorize attribute doesn't really care about how we authenticate a user. We can use Forms Authentication or Windows Authentication. All Authorize cares about is that the user has an identity and that we know who they are; it is not going to let an anonymous user get in to the Index action.
When we try to reach the Index action without authenticating, it automatically redirects to Account/Logon because the user has no account in this application. So we need to register in order to log on.
How do we authenticate with Windows Authentication?
First we need to change a little bit in the configuration section of the web.config file, like below.
Then apply the Authorize attribute to the Index action. You can apply the Authorize filter to an individual action method or to a controller. When you apply a filter to a controller, it works as though you had applied it to every action method in the controller class. Here I applied the Authorize filter to the class, so all of the action methods in the Account controller are available only to authenticated users.
In order for Windows integrated authentication to work we need to enable Windows Authentication in IIS Express, otherwise we get the error below. This is a scenario you commonly face in today's server configurations: server programs like web services and database services typically have features turned off by default to reduce the attack surface. If we want Windows Authentication to work, we need to turn it on.
Go to Documents >> IISExpress >> config >> applicationhost.config and set windowsAuthentication enabled to true.
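As an added example (not the article's own configuration files), here are the three settings discussed above: the Forms Authentication section with the /Account/Logon redirect, the Windows Authentication alternative, and the IIS Express switch. The timeout value and the requireSSL attribute are assumed additions.

```xml
<!-- web.config, Forms Authentication (assumed example, not the article's file) -->
<system.web>
  <!-- Unauthenticated requests to an [Authorize]-protected action are redirected to loginUrl -->
  <authentication mode="Forms">
    <!-- requireSSL="true": the authentication cookie is only ever sent over HTTPS,
         which is the SSL requirement the article warns about -->
    <forms loginUrl="/Account/Logon" timeout="30" requireSSL="true" />
  </authentication>
</system.web>

<!-- web.config, Windows (integrated) Authentication instead of Forms -->
<system.web>
  <authentication mode="Windows" />
</system.web>

<!-- Documents\IISExpress\config\applicationhost.config: the provider is off by default
     to reduce attack surface, so it has to be switched on explicitly -->
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>
```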
You can inspect the authentication details like below.
The Authorize attribute also allows you to set some parameters to enforce authorization rules. First we need to know the user's identity, and then we can say that only specific identities are allowed to access these actions.
The Authorize attribute also allows you to specify Roles. In Windows Authentication, roles map by default to Windows groups on the server or to groups configured in Active Directory. You can specify roles like below.
In Forms Authentication ASP.NET has a role provider. By using it you can store and manage roles in a SQL Server database. This is configured in the application by default. The easiest way to do that is to use the button below in Solution Explorer.
It launches the ASP.NET Configuration tool. This is a tool you are only going to use on the local development machine. It looks at the web.config and uses the same application services database that the Forms Authentication provider already configured there uses. You can add and manage roles from here. While doing this, it automatically maps to the database we configured in the web.config file.
There are some specific threats we will face. One popular attack is the Cross Site Scripting attack, or XSS. In a cross site scripting attack the malicious user will try to have your website load a malicious script into the user's browser. It could be a malicious script, an ActiveX control or even some malicious HTML. The malicious script can steal the cookie, modify user settings, download malware or modify content. One of the worst cross site scripting attacks is account hijacking; the malicious user can access the user's credentials and personal information. Once this happens, your users become vulnerable to any number of problems.
This is a simple application for saving employee information. Let's say I put in some HTML, like "I am from <em>India</em>", and then try to save it. ASP.NET automatically rejects this request to prevent a cross site scripting attack, because ASP.NET looks for anything that resembles HTML and simply rejects the request. Actually there is nothing wrong with the emphasis tag, but ASP.NET is not trying to make a distinction here: anything that looks like HTML is going to be rejected.
Sometimes users need to upload some HTML to the server, and there are ways to circumvent this request validation. You have to be extremely careful. One option is to put the ValidateInput attribute on the destination, here the Create action.
Then you can successfully process this request.
Now we have a problem: the HTML is encoded here. This is because Razor encodes everything by default, which is good; it is another defense against cross site scripting, and we can fix the display easily. However, ValidateInput(false) completely disables the check for malicious HTML, and really we only need HTML inside one specific property. So you can allow HTML for one property using the AllowHtml attribute. Some changes also need to be made: remove the ValidateInput attribute from the Create action, and make sure that we pass the EmployeeViewModel class as the action parameter, so that model binding takes place and moves the HTML into that property. There is also one change in the view to show the HTML without encoding, by putting the value in ViewData.
Then I save one more record and display the ViewData, which contains the HTML tag, in the same view.
Anti XSS Library
Suppose someone comes to a form and enters some script like below.
That is even more malicious. Fortunately Microsoft provides a library to prevent this. You can download it via NuGet or the Library Package Manager Console (Visual Studio >> Tools >> Library Package Manager >> Package Manager Console, type Install-Package AntiXSS and press Enter).
What I am going to do is put a line of code in the Edit action post method below.
And this code will remove all the malicious things.
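As an added example that is not code from the article, this shows how the AllowHtml approach from the previous section and the AntiXSS sanitizer fit together in one action: only one property accepts markup, and that markup is sanitized before it is stored. The property names of EmployeeViewModel and the IEmployeeRepository interface are assumptions.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application;   // AntiXSS package: Install-Package AntiXSS

// Assumed view model (not the article's class): only Notes may carry markup.
public class EmployeeViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }        // still protected by request validation

    [AllowHtml]                             // request validation is skipped for this property only
    public string Notes { get; set; }
}

// Assumed persistence abstraction so the sample compiles stand-alone.
public interface IEmployeeRepository
{
    void Save(EmployeeViewModel employee);
}

public class EmployeeController : Controller
{
    private readonly IEmployeeRepository _repository;

    public EmployeeController(IEmployeeRepository repository)
    {
        _repository = repository;
    }

    // No [ValidateInput(false)] here: binding to the view model is what lets the
    // [AllowHtml] property through while every other field is still validated.
    [HttpPost]
    public ActionResult Create(EmployeeViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // Allow-list sanitizer from the AntiXSS library: keeps harmless tags such as <em>,
        // removes <script>, on* event handlers, javascript: URLs and similar.
        model.Notes = Sanitizer.GetSafeHtmlFragment(model.Notes ?? string.Empty);

        _repository.Save(model);
        return RedirectToAction("Index");
    }
}

// In the Razor view, render only the sanitized fragment unencoded:
//   @Html.Raw(Model.Notes)
// Everything else keeps Razor's default HTML encoding, e.g. @Model.Name
```

The same sanitizer call belongs in the Edit POST action; sanitize on the way in and encode everything else on the way out.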
Cross Site Request Forgery
Cross Site Request Forgery is a dangerous and extremely serious attack. Imagine a user comes to the site and tries to update some information that requires authentication before they are allowed to perform the update. Once the user logs in with Forms Authentication, your site sends the user's browser an authentication cookie, and on every subsequent request to the site the user's browser sends that cookie along, so ASP.NET sees that the user is already authenticated. There is nothing wrong with the browser sending the cookie along; this is how browsers and cookies work, and it means the user doesn't need to enter their username and password on every single request. They authenticate themselves once and the cookie allows them to remain authenticated, at least for the duration of the session.
Then what is the
If the user visits some other site, or is tricked into picking up some HTML from a malicious source with bad intentions, then this malicious source can provide a form just like a form that our application would have given to the user. If the user submits that form, the call will again be authenticated, because the authentication cookie we gave to the user's browser always travels along with every request, and we will save the information into the database like we always do once we have an authenticated request. Only, the information in the request is probably not something the user wanted to submit. Someone tricked the user into transferring money or editing their account. The problem here is that it is not enough to say we need the user to be authenticated when they submit some information. We also have to check that the information the user is submitting is coming from a form that our application presented to the user. We want to prevent them from submitting a form that came from a malicious source.
To demonstrate a CSRF I am applying the Authorize attribute to my two Edit action methods of my
I can save and edit the records because I have already authenticated. Below is a sample record that I saved into the database successfully.
From the developer's point of view we are confident that having the Authorize attribute in place prevents a malicious user from editing an employee's details.
Watch what happens when I am logged in as a user and come across an interesting link on my system.
Maybe you will get this link from an email, from another website or from some other area of the internet. Now I am going to click the link and see a page come up.
Now look: the record that we saved earlier has changed. What happened?
Look at the source code of the link.
Look at the action that the form points to, which is the same URL where the employee is posted. The form contains all of the inputs needed to complete the request, and it is submitted as soon as the page loads.
How can we prevent this? Put @Html.AntiForgeryToken() inside the form tag. This token adds a hidden input with a value that is unique to the browsing session, and also sends a matching value in a cookie to the user's browser. So the user's browser has to accept this cookie, and that is something a malicious website would not be able to do.
You should also put the ValidateAntiForgeryToken attribute on the action, to match the form value against the cookie value.
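As an added example (not the article's code), here is the Edit pair with the Authorize filter and the anti-forgery check together, which also illustrates the Roles parameter discussed earlier; the Razor half of the check is shown as a comment. The EmployeeViewModel, the IEmployeeRepository interface and the "Administrators" role name are assumptions.

```csharp
using System.Web.Mvc;

// Assumed model and repository (not the article's classes) so the sample stands alone.
public class EmployeeViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public interface IEmployeeRepository
{
    EmployeeViewModel Find(int id);
    void Save(EmployeeViewModel employee);
}

[Authorize]   // whole controller: anonymous requests are redirected to /Account/Logon
public class EmployeeController : Controller
{
    private readonly IEmployeeRepository _repository;

    public EmployeeController(IEmployeeRepository repository)
    {
        _repository = repository;
    }

    [HttpGet]
    public ActionResult Edit(int id)
    {
        return View(_repository.Find(id));
    }

    // Being authenticated does not prove the POST came from our own form; the token
    // check does. A missing or mismatched token throws HttpAntiForgeryException first.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Administrators")]   // assumed role: limits Edit to a group, not any signed-in user
    public ActionResult Edit(EmployeeViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        _repository.Save(model);
        return RedirectToAction("Index");
    }
}
// Edit.cshtml (Razor), the matching half of the check:
// @using (Html.BeginForm()) {
//     @Html.AntiForgeryToken()   // hidden __RequestVerificationToken field + cookie
//     @Html.EditorForModel()
//     <input type="submit" value="Save" />
// }
```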
I am again going to edit my record back from what the malicious user had done. Now I am going to click that link again, and ASP.NET MVC throws an exception that the AntiForgeryToken was not supplied or is invalid.
Hope you enjoyed my article... Expecting your valuable suggestions... Enjoy programming...