Web Security practical testing resources - asp.net

I have some basic knowledge about web security that I have gained through years of experience. Now I am interested in extending my knowledge and gaining a deeper understanding on how the exploit of common vulnerabilities (XSS, SQL Injection, etc.) is accomplished.
Can any of you point out some resources that...
Explain technically the most common vulnerabilities in web sites
Explain some less frequent (or less noticed) but possible vulnerabilities
Give you a vulnerable test site and guide you (preferably step-by-tep) through the process of exploiting its vulnerabilities
If possible, I would like these resources to be focused on ASP.NET WebForms and MVC.
Note: I don't need to test a specific application, I want resources that allow me to better understand how this security flaws are created in web sites and how they are exploited by malicious users.
EDIT:
I also found this great resource on Google Code University that explains everything in a really understandable, cheesy, way.

You should read following series:
OWASP Top 10 for .NET developers
(and it ends with free ebook).

you have a demo site:WebGoat, (for download)
and also you can use the site: 'Hack this site'.
they also may have video answers for the exercises.

Related

Tool for Scanning Website for Vulnerabilities

I've seen several questions on SO about this, but none of them quite fit what i'm looking for. I've got an ASP.NET Site on my machine that i recently finished, but i'm a little worried about Security. I'm pretty sure I've managed it pretty well, but there's always an offchance i've missed something.
So, I'm looking for a tool that meets the following reqs
Scans a locally hosted (as in, on the same machine as the tool) website for vulnerabilities
Can be installed (i.e, no web based stuff)
(elaborating on #1)... tests ASP.NET (Web Forms, but MVC would be nice too) for SQL or XSS problems. (I figure XSS is hard to test, but SQL injection should be easier to find)
Thanks! Lemme know if i'm not specific enough or if this is better suited for Webmasters SE.
There are a few scanning tools around, some of which are open source, which is nice. The exploits you are talking about are technology agnostic - any app could suffer from them regardless of whether it's .net, java, ruby, etc. This makes testing for them slightly easier. Also, SQL injection and XSS bugs are usually application specific, which makes automagically testing for them harder.
The best thing you can do is not be worried about security, but take specific steps to address issues. Security should always be designed into your application. So carry out a code review on your app. Look for specific things.
Do you have any in-line SQL? Do you modify it any way? Are you using parameters?
Are you escaping any user input before you use it?
The above 2 steps will eliminate most SQL injection/XSS bugs. There are other issues to do with your server setup. Vulnerability scanning tools usually know most of these and can test for them.

What does website scalability consist of?

What do people consider scalability? I've always hear people talk about writing scalable apps. But as a developer, I've never really saw any pointers/tips in an article that normal developers dont know. Such as caching db calls, etc. Mostly what I see are options that are configured by system admins or anyone dealing directly with the servers.
So my question is, from a developers perspective, do we really have much effect on a website's scalability? If so, could we be pointed towards articles that aids us on the .net framework. (ASP.NET MVC)
Also, do we have to write our apps differently if we were to accommodate adding new hardware, such as another webserver. (or is it the same app, but more instance of it?)
You can maybe gather some input from here on SO:
What does scalability mean to you?
Engineering scalability into an application
Design Patterns (or techniques) for Scalability

GOOD tutorial(s) for learning the ASP.Net security/authentication framework

Through a lot of sticking my head in the sand, reinventing the wheel and general stubbornness, I've managed to go all this time (years) avoiding learning the built-in ASP.Net support for web application authentication, users and roles. Part of the reason is that rolling my own originally seemed like less work than getting my head around all the different layers of optional abstraction provided by the ASP.Net security framework and as such I came up with a nice library that worked fine for me.
I'm now trying to go back to using as much of the built in functionality of ASP.Net (MVC2/3, not WebForms) as possible, as I've found that the more non-standard functionality you build into an application, the harder it is for other developers to pick up your code and work with it.
The web is thick with half-tutorials, badly explained articles and information that excludes important beneath-the-hood information about the ASP.Net security framework.
Are there any good tutorials that rip the lid off ASP.Net security and show you how to use it and how it all works without trying to push you through wizards and specific provider models without understanding all of the options and their pros and cons?
This is a 18 part series articles from Scott Mitchell.
It's a very deep explanation of all the features that regards Authentication, Authorization and Membership providers in asp.net. I did never found a better source on this from the same author.
MSDN is the best for ripping the lid off: http://msdn.microsoft.com/en-us/library/ff647070.aspx

Developing a website for 3 mln. users: SharePoint OR pure ASP.NET?

We need to develop quite a powerful web application for an investment bank. The bank IT would like us to build it on top of the SharePoint platform, but we would prefer to do pure ASP.NET programming.
The web-app should have the following characteristics.
1) It will be a site for bank's clients that will allow them to view their stock portfolios, get miscellaneous reports with graphs and charts, etc.
2) The web-app will also allow clients to send orders to the bank to buy stocks and perform other financial operations.
3) The number of users will be approximately 3 000 000 (total) and 20 000 at any one time.
We have never made any SharePoint programming, but as far as I know, SharePoint is primarily designed to create intranet sites for colleagues to communicate with each other and work more efficiently, to maintain a document library, etc.
However, the bank IT told us that SharePoint has in fact lots of other features that will help us make the project more efficiently - for example, it seems that SharePoint has some built-in scalability and high availability technologies.
I heard saying that SharePoint development is very tedious, that the platform cannot be very easily customized, etc.
The question is: is it better to create our web-app on pure ASP.NET and deal with scalability and other issues ourselves, or base it on SharePoint - taking into account that the web-app we need to create is non-standard and complex?
Thank you,
Mikhail.
UPDATE
In the answers, someone suggested using ASP.NET MVC. My another question is: should we use "classic" ASP.NET or ASP.NET MVC for such project (if we leave out the SharePoint option)?
Do you need document management? Do you need version management? Do you need to create "sites"? Do you need audience filtering? Do you need ECM (fancy word for CMS), Do you need collaboration stuff on your site? If your answer is no then SharePoint is not for you.
You said "We have never made any SharePoint programming" and for that reason alone I think you should not use SharePoint. You also say that your app is going to be "non-standard" and complex, another reason not to use SharePoint.
Sounds like you know ASP.NET so I would advice to stick with ASP.NET or ASP.NET MVC.
Hope this helps
The answer is simple, you should go with what you know. If you prefer to do it in ASP.NET then, that is what you should go with. Trying to learn a new technology on that size of a project will almost certainty cause you severe problems when trying to develop it. Can sharepoint scale to that number of users, probably, but you don't know how to make it do that. That is the real key.
They are correct SharePoint does have a lot of functionality out of the box, but that doesn't mean that it will make you more efficient, because you don't know all of the APIs etc. to access.
Actually, if you want to know the way to cheat. If they force you into using it, you can run ASP.NET applications under SharePoint (well kind of). You can tell SharePoint to essentially ignore a path in the site and use regular ASP.NET as a web application just like any other site does. Really, this isn't using SharePoint, but it can get you out of a bind, in the "Needs to use SharePoint to make them happy scenario".
Mayo suggested contacting MS. I have a feeling they already have a relationship with the bank and have provided some insight about the project. I would contact: http://www.mindsharp.com/ and see if they can help you out. They are a training company, but I bet that the owners would be willing to help consult, and I haven't found anyone with more knowledge on SharePoint than Todd Bleeker.
I'll not go into the merits of sharepoint, but suffice it to say that I have been developing in sharepoint since it was known as "digital dashboard" - it was just a javascript-encrusted today page for outlook. With respect to its .NET incarnations, it has taken me about 3 years to become what some might call "expert" on SharePoint 2007/MOSS.
First up, let me give you some warnings concerning the politics of these kind of jobs. As a contractor, ALL of my jobs over the last 6 years - covering shaerpoint 2003 and 2007 - WITHOUT fail, have been getting about me on site with a client who has demanded sharepoint, and a development shop with decent ASP.NET developers who have become hopelessly lost and more than likely have blown 95% of the budget on the last 5% of the project because they have embarked on writing custom extensions to the platform without fully understanding the product.
If clients, and the shops who service them, spent more time understand the product and studied it to see how they could change/streamline their business processes & requirements slightly to suit sharepoint instead of being rigid in their specs (that were ALWAYS written with next to zero real experience of the platform) and deciding to get custom development done, then more sharepoint projects would be delivered on time and on budget. Sadly, this is not the case.
So, number one: SharePoint 2007 is an excellent product, but please, for the love of jeebus, find yourselves some top gun sharepoint developers who really understands the product before you embark on this journey. If you don't, you will all go down in flames.
-Oisin
What a load of CRAP that sharepoint isn't cut out for what the op wants to use it for. Especially the "Do not get yourself wrapped up in SharePoint" comment from ChaosPandion. Maybe he thought it to difficult and gave up...
Sure SharePoint development takes some getting used to, but it is able to what is wanted by the op most definately. SharePoint is built using ASP.NET so anything you do in ASP.NET can be used / ported to SharePoint. It is not a standalone product, but a DEVELOPMENT PLATFORM. It will scale to serve that many users, using multiple WFE's (Web Front Ends) and a SQL Cluster as backend.
The question here is: is sharepoint the most suited platform for building this site? Then I would have to answer, probably not, seeing as the wanted functionality is almost all custom development. If you plan on doing web content management as well, then yes, SharePoint is definately worth looking into. Also, SharePoint takes away all (or at least most :-D) authorisation and authentication wories. It is Department of Defense certified. And if the offered out of the box security is not enough, just write an authentication provider (seeing as SharePoint uses ASP.NET's provider model).
To answer your questions:
The bank IT told us that SharePoint has in fact lots of other features that will help us make the project more efficiently - for example, it seems that SharePoint has some built-in scalability and high availability technologies.
SharePoint is farm based, to which you can add machines, having each machine perform a different task, which means either app server, index server, WFE, document conversion services., WFE's can be behind a load balancer to distribute requests. Also I want to mention the web content management again.
I heard saying that SharePoint development is very tedious, that the platform cannot be very easily customized, etc.
Like I said, SharePoint is based on ASP.NET, so it is as much customizable as ASP.NET is. You could even create an ASP.NET web site, put all UI in Controls and then use those is SharePoint, maybe even have the controls use it's own database. As for it being tedious, not really. It's just DIFFERENT and deployment / testing is not like normal deployment / testing. SharePoint uses so called solution files (.wsp files), to package up functionality and deploy it to the server. This IMHO makes it possible to deploy functionality in a very modular way. Furthermore, there are loads of cool open source projects out there that make sharepoint development much easier and also provide cool extensions to "pimp" your site and make it more fun and easy to use for end-users.
Nuff said....
SharePoint development can be tedious but I'd hardly say the platform cannot be easily customized. I recently began developing with it full time and so far, I impressed at it's flexibility and suitability for my application but my needs are quite different from what you've described.
I understand 2007 is a vast improvement over 2003 so perhaps your information is only outdated. I hear 2010 is going to again be a significant improvement.
It's your job to deliver the functionality that the customer desires. If they desire a SharePoint solution, unless there's some particular reason why SharePoint really is a weaker model, that's what you should be able to deliver. In the event that SharePoint isn't a good fit, you need to be able to explain why to the bank's satisfaction. I'm not convinced "We don't know SharePoint" is an acceptable response in this situation: the bank's inclination should, at that point, be to find someone who knows both technologies well enough to deliver a product in SharePoint or better explain why SharePoint isn't actually what they want.
UPDATE: After looking at this more I would add that I do not believe that SharePoint is for you. As I mention below SharePoint is for collaboration. If the users that come to the site require an isolated experience then SharePoint is more overhead than you need.
SharePoint is built on top of ASP.NET so you have everything that you want to do with ASP.NET in addition to what SharePoint provides. Anyone who says that it is difficult is trying to make it that way. You can deploy stand alone custom pages with 100% of your own code and it will run under sharepoint, or you can create new application pages that also contain any code you want to write, or you can simply add your own webparts that can be added to any page you choose with 100% of your own code.
Here is just one example.
Creating an Application Page in Windows SharePoint Services 3.0
What SharePoint offers on top of that is a whole different paradigm on collaboration tools. If you wish to leverage it (if not the cost on return is somewhat limited) you can build amazingly complex and integrated solutions that is build around the aggregation of data from across an enterprise.
That being said, do not go into it lightly. If deployed wrong or with a half understanding of where SharePoint excels and where it does not will result in a diaster. Unless you have the time to understand the core concepts of SharePoint I would warn against it but your client is right. If you do build it in SharePoint you get a great deal more flexibility. One right off the bat is the ability to mix authentication modes. I designed a solution that mixed custom forms authentication with an LDAP backend with Windows Authentication. Anyone could visit the same pages but your authenticated account could come from two different locations.
This is a matter of what kind of concerns you want to have in the application:
Building it to look and function your way, go with sharepoint.
Building it to have infrastructure for authentication, permissions, http/web security, scalability, backup, database maintenance PLUS getting it to look and function your way (but now way more under your control), go with a more pure .NET approach.
I would pick the one I am best at, as Kevin said above.
Edit
More about Kevins post: you can also have your application under sharepoint but with full access to the API, in my projects we do it as a normal ASP.NET application, with own masterpages and everything, but we still use the authentication, lists and doc libraries for uploads, roleassignments for permissions etc. Its a very viable hybrid.
You said,
I heard saying that SharePoint
development is very tedious, that the
platform cannot be very easily
customized, etc.
You have been misinformed about SharePoint. All SharePoint pages are ASP.NET pages. You can customize any of them, either directly, or by using Microsoft Office SharePoint Designer, which is free.
Get started at http://msdn.microsoft.com/en-us/sharepoint/default.aspx.
SharePoint is a lot of work and with that amount of users I personally (and being a SharePoint developer) wouldn't bother.
I would go down the ASP.MVC route in all honesty and not because it's new and the latest buzz technology. I would use it because it's hands down faster. This site for example is written in ASP.NET MVC and it handles all these requests per day on I think 3 servers. 2 front end and 1 database. Correct my if I'm wrong with that.
The problem with asking whether Sharepoint is easy to customize is that there's a wide range of levels of customization people are experienced with. And for some reason, most people also seem to think that whatever level they customized Sharepoint to is the extent to which anyone else would also try to customize Sharepoint.
It's hard to talk about degrees of customization in concrete terms. What is "customization" to me is wrangling with the core DAL, fighting with bugs in the CAML to SQL query optimizers, overriding the SPListItem hydration pipeline, etc. To others, "customization" might mean building some web part widgets and deploying them in a WSP. If you find that there is some impedance mismatch between your logical model and Sharepoint's working model, you will have a really hard time reconciling the two.
Welcome to the dark land of politics.
It's worth making sure that your team properly evaluate and understand any compromises that SharePoint will have you make. Asking here is a good start. Things I'd look at include:
What's the whole solution going to include? Often the administration of a site can involve as much or more development work as the front end. While the 3M+ user front end is the glamorous part it may not be the bulk of the work.
Are there reference sites for 20K+ simultaneous user SharePoint sites? Honestly? What kind of hardware did that require? Is that available?
Get a small group of experienced contractors in for a few weeks to properly estimate the work, both on ASP.NET MVC and SharePoint. Make sure they've worked on large sites. (There's plenty of contractors around at the moment!)
Also, anticipate failure. Have a fall-back option:
If the MVC technologists win out, expect heat from senior management, and possibly even a skunk-works we'll-do-it-properly-anyway project that duplicates your efforts.
If you do end up with SharePoint, listen very carefully to users throughout the development process and be prepared to create Web parts, MVC pages or whathaveyou to address problem points.
I've been in a similar situation where it turned out that there was heavy vendor influence at a very senior level. The senior team had bought into SharePoint and required it to be used for all internal systems; the OCTO (Office of the Chief Technologist) had mandated open-source technologies. It was fun to watch the fur fly in the middle.
(Our option in the end was to use a service-based architecture based on REST, which effectively booted the current version of SharePoint out of the system altogether.)
I would build this on SharePoint. It is quite suitable for big sites and many sites have already been built on it: topsharepoint.com
SharePoint (like all complex applications) does require sufficient knowledge that you do not seem to have at the moment which is a big risk in my mind. Don't listen to the nay-sayers though.. lack of knowledge is a common problem for devs dealing with SharePoint but it doesn't mean you can't make it do whatever you want.
Regardless, what other options do you have? I think the days of building completely custom CMS's have passed just as building completely custom Intranets are not cost effective anymore. There are many competitors to what they want to do with SharePoint (Umbraco, Sitecore, Sitefinity, etc) and most of them seem better than 100% custom.
So the answer might be neither ASP.NET or Sharepoint..

Best practices in building ASP.NET application

We are building an ASP.NET application (with C#.net as language) and will be hosting on Windows Server 2003 Operating System with SQL Server 2008 as database.
We are planning to implement the best practices in writing code, dividing the application into logical blocks, services etc.
Would you please guide me on this, if you have an idea?
If would be great if you could also provide a reference document or web references (If needed).
Many Thanks,
Regards,
Venkat.
This isn't what you want to hear, but your best bet might be to bring on a senior asp.net guy who has a lot of experience and put him in charge of this.
But that's an extremely broad question, Venkat. Maybe if you could narrow it down a bit more we could provide a more useful answer.
I would perhaps recommend one book called Framework Design Guidelines, which is published by Microsoft Press. It goes into a lot of best practices on writing code, naming conventions, how to design classes, etc. And there are dialogues in there between Microsoft's top language guys. Sometimes they disagree, and that's always interesting.
But that's just one piece of the puzzle. I could talk for hours about methodologies, architectural patterns, object oriented theory, seperation of concerns, etc. As stated, your question covers all that ground.

Resources