is there any Web Application Firewall for asp.net? [closed] - asp.net

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
I want to harden my website against simple DoS/XSS/SQLi/etc.,
but I don't want to delve into security programming for now, so I want to use a ready-made class or library, something like "mod_security" on Linux.
About a year ago I found a project like modsec for asp.net, but right now I've searched Google a lot and found nothing interesting.
Does anyone know anything about a WAF in .NET?
Regards.

You're never going to find a 'one size fits all' security package. However, a step in the right direction could be to take a look at Microsoft's Anti-XSS library and Security Runtime Engine. Both projects can be found on CodePlex.
Description:
(Anti-XSS)
AntiXSS provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.
White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.
Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
(SRE)
The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application. Protection is provided as standard for:
Cross Site Scripting
SQL Injection
As with all web security the WPL is part of a defense in depth strategy, adding an extra layer to any validation or secure coding practices you have already adopted.

There is no WAF that will work out of the box for your specific application. You will need a lot of fine tuning to secure a web application with a WAF. In many cases it will be easier to implement the application with security in mind than making it secure with an additional layer. Using a prepared statement for a SQL statement is much easier than trying to identify and filter bad input. Usually you want to do both (defense in depth) but the use of a prepared statement is the better option if you want to rely on a single protection measure.
If you really want to try securing your application with a WAF and you are familiar with mod_security, you can use it for your ASP.NET application. You need a dedicated server that acts as a reverse proxy in front of your application. Mod_security can filter incoming and outgoing requests there. I fetched the pros and cons from the official mod_security website concerning the reverse proxy setup for you:
Advantages
Single point of access – functions as a choke point so you consolidate applying security settings and makes management easier.
Network topology is hidden from the outside world - so it will be more difficult for attackers to enumerate your web platforms.
Increased performance – if SSL accelerators/caching used.
You can implement vulnerability filters to protect any vulnerable web server or application on the backend (IIS, Netscape, ASP, PHP, etc...).
Disadvantages
A potential traffic bottleneck if the reverse proxy can not handle the network load.
A potential point of failure - if the reverse proxy goes down it may cause a denial of service to the web applications that are behind it.
Requires changes to the network.
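The reverse-proxy setup this answer describes, as an added example that is not from the answer or from the mod_security project: an Apache httpd virtual host that terminates TLS, proxies to an IIS/ASP.NET backend and runs ModSecurity in detection-only mode first. The hostname, backend address, certificate paths and the OWASP Core Rule Set include paths are assumptions.

```apache
# Apache httpd 2.4 reverse proxy with ModSecurity 2.x in front of an IIS/ASP.NET backend.
# Illustrative configuration, not taken from any answer above.
# Assumed: backend on 10.0.0.5:80 (private network), certificate paths below,
# and the OWASP Core Rule Set (CRS) installed under /etc/httpd/modsecurity.d/.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule ssl_module          modules/mod_ssl.so
# mod_unique_id is required by ModSecurity for transaction ids.
LoadModule unique_id_module    modules/mod_unique_id.so
LoadModule security2_module    modules/mod_security2.so

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Every request is forwarded to the ASP.NET application; only this host is
    # reachable from outside, which is the "single point of access" and hidden
    # topology advantage listed above.
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass         / http://10.0.0.5:80/
    ProxyPassReverse  / http://10.0.0.5:80/

    # Learning mode: rule matches are logged but nothing is blocked. Switch to
    # "On" only after the false positives seen in the audit log have been tuned out.
    SecRuleEngine DetectionOnly

    # Inspect POSTed form fields / JSON bodies and the backend's responses
    # (the outgoing filtering mentioned in the answer).
    SecRequestBodyAccess  On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml

    # Audit-log only transactions that triggered a rule or returned an error status.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecDebugLogLevel 0

    # Generic attack signatures (XSS, SQLi, protocol violations) from the OWASP CRS.
    Include /etc/httpd/modsecurity.d/crs-setup.conf
    Include /etc/httpd/modsecurity.d/rules/*.conf

    # Site-specific rules (ids 1-99,999 are reserved for local use).
    # libinjection-based SQL injection check on every request parameter. This is the
    # "identify and filter bad input" layer; it complements parameterised queries in
    # the application rather than replacing them.
    SecRule ARGS "@detectSQLi" \
        "id:10001,phase:2,deny,status:403,log,msg:'SQL injection pattern in request parameter'"

    # Stop the default ASP.NET error page (stack trace, framework version) from
    # leaving the server if customErrors is ever switched off on the backend.
    SecRule RESPONSE_BODY "@rx Server Error in '[^']*' Application" \
        "id:10002,phase:4,deny,status:500,log,msg:'ASP.NET error page leaked'"
</VirtualHost>
```

Run `apachectl configtest` after editing and watch modsec_audit.log for a while before changing SecRuleEngine to On; until then both local rules only log.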

My product, ServerDefender VP, will work out of the box with ASP.NET (you just need to let the software run in "Log Only" mode for a period of time to let it learn about the traffic coming to your site or app). This web application firewall was new around the time the question was originally asked, but is fairly mature now.
In terms of security, ServerDefender VP protects against common threats like XSS, SQL injection, and others. It also helps achieve PCI compliance and features powerful logging and alerting functionality. What likely sets it apart from some other WAF options is its usability and simple user interface.

There is no WAF that will work out of the box for your specific application
Sorry to disagree.
Incapsula Cloud based WAF will provide you with an out of the box plug-and-play solution, and it will work for every platform (including, of course, asp.net). It will require no maintenance/customization on your end (this is done on a Global-level by a dedicated security team) and the initial set-up itself will take only 5 min (done via simple DNS data change).
Having said that:
This is not a part of the Free plan. So, unlike "mod_security", this will cost you a few dozen dollars a month.
On the plus side, unlike "mod_security" and other OS and/or Cloud solutions, this is a PCI compliant WAF, which says something about the level of security it provides. Also, this is especially crucial if you are thinking about handling your own transactions.
Again, on the plus side, this is a highly customizable solution that comes with an easy-to-use GUI and API for high-end users with specific needs.
As an added bonus, because this is a Cloud CDN based solution, you'll get a significant performance boost, due to Global-Proxy and CDN Caching features.

Related

Does my program architecture make sense? AngularJS + ASP.NET Web API + SQL Server

I have been getting a bit lost in the creation of my program architecture and I want to take a step back to see if I'm approaching it correctly.
I am wondering if my setup makes sense. I'm starting to think it doesn't.
I am creating intranet applications (We were creating Internet applications, but now the scope has changed). We use an onsite Active Directory (Windows Server 2012 R2). We have a SQL Server Database.
I have been building front-end Angular applications and ASP.NET Web APIs to push and pull data. I am now implementing authentication with Auth0 and it's been a nightmare.
What kind of program architecture would you setup in this scenario?
Much Appreciated.
SQL Server + ASP.NET Web API + AngularJS forms a perfect architecture for building Single Page Applications (SPAs). This architecture is useful for building desktop-like web applications, i.e. apps that run over the web but work like desktop apps.
If you can be more specific about the problem you are facing, you will be able to get better recommendations from SO.
This architecture is widely adopted in many scenarios such as SPAs. With it, you will be able to keep your front-end highly decoupled from your backend services being able to support multiple front-ends on the same set of services and run quite a few integration scenarios.
Some of the downsides of such an approach will be the extra layer of complexity added to the application (which might force you to write more tests and handle different failure scenarios that wouldn't happen otherwise, for example) and authentication routines, since you will need to authenticate two heterogeneous environments (the .NET/IIS one and the JS/Angular one).
As for the authentication pain, token-based auth schemes seem the current way to go (such as Auth0) since they let you keep and send an environment-agnostic token which will be used by different layers of your architecture.
In that sense, your architecture makes sense.
However, since you're feeling some pain in its implementation, you might want to ask yourself if you really needed all of this. When you choose an architecture, you do so trying to accomplish some specific goals (multiple front-ends? specific performance requirements? maintainability? auditability?) and the more goals you try to accommodate in your architecture, the more complex it will become, up to a point where the pains start outweighing the benefits.
So, what were you trying to achieve in the first place?

Web Security practical testing resources

I have some basic knowledge about web security that I have gained through years of experience. Now I am interested in extending my knowledge and gaining a deeper understanding on how the exploit of common vulnerabilities (XSS, SQL Injection, etc.) is accomplished.
Can any of you point out some resources that...
Explain technically the most common vulnerabilities in web sites
Explain some less frequent (or less noticed) but possible vulnerabilities
Give you a vulnerable test site and guide you (preferably step-by-step) through the process of exploiting its vulnerabilities
If possible, I would like these resources to be focused on ASP.NET WebForms and MVC.
Note: I don't need to test a specific application; I want resources that allow me to better understand how these security flaws are created in web sites and how they are exploited by malicious users.
EDIT:
I also found this great resource on Google Code University that explains everything in a really understandable, cheesy, way.
You should read the following series:
OWASP Top 10 for .NET developers
(and it ends with a free ebook).
You have a demo site: WebGoat (for download),
and you can also use the site 'Hack this site'.
They may also have video answers for the exercises.

asp.net secure my application so no one can transfer it and reuse it

I'm making an asp.net web application which will run locally on IIS for a single user.
I don't want this user to access my application files (in the wwwroot) or bring in another programmer and steal my code.
I just want the user to have the ability to access the website only, and to stop any programmer from knowing my source code.
I heard about a USB security system called a "dongle", but can it be used in a situation like this?
Any ideas?
Thanks in advance.
The website is just running code, but like anything, once the user has it they can do what they like to it, whether you like it or not. That's why there is a multi-million {currency} industry around securing applications.
You could use dongles but they're expensive and not trivial to implement. As #volleyball said, obfuscation would slow down most people from decompiling your app. Without obfuscation, any licensing or dongles could just be patched out of your code.
Your most secure route would be to not give it to them. It's a web app, host it. This may of course not meet your requirements.
Simon
I have never heard of a web application that uses a dongle. This is normally reserved for regular windows apps; and even then it's falling out of vogue. Generally speaking some of the more expensive software packages still use them.
However, the cost of duplicating a dongle is pretty low. Combined with the fact that getting around such security is relatively easy anyway and you have a situation in which you really shouldn't bother.
As Simon said, if it's a web app host it. Otherwise obfuscate it.
If neither of those are possible, then I'd recommend you change your licensing deal with your client to include the possibility of them going elsewhere. Perhaps for an additional charge you'll give them a non-exclusive site license permitting them to do whatever they want with the code short of selling it or giving it to another entity.
Did you look at obfuscators? They do a good job at encrypting code. 99% of the time your code cannot be reverse engineered. But if someone sits on your stolen code they can reverse engineer it, in the sense that ordinary people may not obfuscate it. If the person is very intelligent, he will not reverse engineer; he will write better code.

ASP.Net or WPF (C#)? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Our team is divided on this and I wanted to get some third-party opinions.
We are building an application and cannot decide if we want to use .Net WPF Desktop Application with a WCF server, or ASP.Net web app using jQuery. I thought I'd ask the question here, with some specs, and see what the pros/cons of using either side would be. I have my own favorite and feel I am biased.
Ideally we want to build the initial release of the software as fast as we can, then slow down and take time to build in the additional features/components we want later on. Above all we want the software to be fast. Users go through records all day long and delays in loading records or refreshing screens kills their productivity.
Application Details:
I'm estimating around 100 different screens for initial version, with plans for a lot of additional screens being added on later after the initial release.
We are looking to use two-way communication for reminder and event systems
Currently has to support around 100 users, although we've been told to allow for growth up to 500 users
We have multiple locations
Items to consider (maybe not initially in some cases but in future releases):
Room for additional components to be added after initial release (there are a lot of these... perhaps more work here than the initial application)
Keyboard navigation
Performance is a must
Production Speed to initial version
Low maintenance overhead
Future support
Softphone/Scanner integration
Our Developers:
We have 1 programmer who has been learning WPF the past few months and was the one who suggested we use WPF for this.
We have a 2nd programmer who is familiar with ASP.Net and who may help with the project in the future, although he will not be working on it much up until the initial release since his time is spent maintaining our current software.
There is me, who has worked with both and is comfortable in either
We have an outside company doing the project management, and they are an ASP.Net company.
We plan on hiring 1-2 others, however we need to know what direction we are going in first
Environment:
General users are on Windows 2003 server with Terminal Services. They connect using WYSE thin-clients over an RDP connection. Admin staff has their own PCs with XP or higher. Users are allowed to specify their own resolution although they are limited to using IE as the web browser.
Other locations connect to our network over an MPLS connection
Based on that, what would you choose and why?
I am especially interested in hearing from developers who have experience with both ASP.Net and WPF.
Reasons to choose WPF:
Much faster and easier development than ASP.NET and jQuery
Much easier to implement quick incremental background loading of data
Much easier to implement client-side caching of commonly used data (important for remote offices)
More efficient data transfer from server (can use advanced WCF features unavailable to web browser)
Keyboard navigation better, since you can easily define shortcuts, etc, and not be limited by browser
Maintenance overhead much better using MVVM pattern
Softphone integration easy
Reasons to choose ASP.NET and jQuery:
None that I can see
In your scenario I would definitely choose WPF.
First of all, I would sit down and write the business requirements and specifications. It really doesn't matter what tech you use - proper planning will affect your project timeline more than technology choice. This is especially true for an in-house custom built app.
As far as development, I would take the requirements and lay out the backend functionality. I would actually implement the backend in WCF, regardless of the client technology - that way you could use best of both worlds if needed (for example for phone integration you could write a stand-alone WPF app). ASP.NET with jQuery can easily use WCF services (JSON or XML version) together with desktop client.
As far as development of the client forms, this highly depends on the developers' experience and your future plans. I am not going to go into advantages/disadvantages of developing web software here - there are a ton of articles in the last 10 years about cloud/web based software (for example salesforce). I would rather concentrate on deliverables - what is your team most comfortable with today and in the future. There's a huge difference between WPF and web development, from a development standpoint, and it requires completely different experience.
Why not consider a hybrid solution - Silverlight
With Silverlight you get most of the goodness and statefulness of WPF (with almost exactly the same XAML and code), plus you get the deployment characteristics of ASP.NET.
Many people consider Silverlight the next step after ASP.NET/AJAX, and it would definitely deliver all of the benefits of WPF relevant to your scenario.
WPF is the way to go, without a doubt. I agree with all that #Ray Burns has said.
Because:
You will get a richer, slicker, faster application.
It will be easier to build1.
Softphone/Scanner (i.e. hardware) integration is going to require browser plugins etc. and this can be a nightmare with a browser based application.
Keyboard navigation is still better with native applications.
IME Maintenance is easier with WPF applications.
Definitely use WCF to provide the backend via the Entity Framework, see The Entity Framework In Layered Architectures. You can have better integration with the backend in a native application because it can be called inline - no need for callbacks or ajax. I've built components for WPF that are linked via EF to the business logic to provide aware controls for simple stuff like validation. It's stunningly good to drop a customer name field onto a form and it just works.
To add additional components you need to build it with a proper well thought out plugin architecture. This is the same in both environments. I've got some thoughts on this I jotted down in my journal entitled Designing a plugin architecture for an application
When building a WPF application you will be writing in one language (e.g. C#) + markup (XAML). When building asp.net you end up with two languages + markup, as you always have to code some Javascript.
So, based on your requirements it has to be WPF / WCF (EF). A web based application will be a lot more work, more complexity, and not be as nice.
About 12 months ago I was fortunate enough to be given a free hand to choose the technology for a new application. I spent almost a month evaluating all of the options and came to the conclusion that it had to be C#, WPF, Entity Framework. After writing the application I can confirm that it was the right choice...
1. It will still be easier even if your programmers have to learn WPF first. WPF is much better thought out, great and lovely. Very lovely. It just works right.
Hi
I think the question at issue is Windows application or web application (WPF for win-app vs ASP for web-app): which one is better for you and your project? In this case your platform is a network and your program must work on the net, so for this usage a web-app is better, but there are a lot of points which can make the decision hard. The network platform has great challenges (according to my personal experience).
Working with a web-app in asp.net is rather hard. You must try to handle many things for a web-app (request time, session management, even poor UI in comparison to WPF, jQuery, etc.). Remember this is not as easy as a simple web site.
But a win-app is good for a network with this condition: "local network" (MPLS is almost the same). Absolutely, developing a win-app is easier than a web-app ("at least in the number of developers expert in network program development"). For this case WPF has many good things (UI, commands, etc.) and also many challenging points (like multi-threading and the lack of expert developers in this field). I'm rather with WPF than ASP, but the decision is yours.
And chalk up a point to the good things of Silverlight, but if you want to use this you must look at the Prism framework: http://compositewpf.codeplex.com/
I have recently developed a project separately with ASP and Silverlight (Prism framework). Developing the Silverlight version is too hard and takes more time than the asp.net version, but at the end the SL version has a great look, nothing else!
Burns pointed to good issues about WPF. Also consider Artemiy's post. Your environment conditions are the same for both of them. WPF/ASP can work with a scanner and soft-phone because the base of both is C# and the .NET library.
Finally, whatever your decision is, you must hire an advanced developer who has at least developed one business app for the network platform.
Is your app a desktop app or a web app?
If desktop, WPF is best.
If web based, asp.net is best.
Don't front load your development with your get it up quick scenario. That never works well and results in a sloppy deployment. Take your time, cover all the steps (Business Requirements, System Design, Program Design, Code, TEST and TEST some more, Deployment)
Some points to be made for ASP.NET:
The pool of ASP.NET developers is much larger than the pool of WPF developers.
Which means you can probably find qualified ASP.NET developers easier.
ASP.NET is probably more future proof, chances of WPF getting large changes and being hard to port to later versions is probably larger.
Also keep in mind that the focus of MS seems to be on Silverlight so there might be a consolidation down the road which makes WPF obsolete.
More mature eco system of ASP.NET makes for more out of the box solutions to use to solve problems.
With multiple locations you might be able to skip a few layers and go directly to a website?

POSTing to the web in Clarion [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
I'm developing a RESTful API for a client. The problem is, he's using a rather obscure language called Clarion. It's proprietary and closed, and the docs are not freely available online.
Whenever we discuss passing data from his code to mine, and back again, he starts talking about "ftp file uploads" and direct server-to-server SQL. Needless to say, these ideas bring back visions of the bad old days. I have done some googling, and I can't find any evidence that this language is capable of creating HTTP Post requests at all, let alone using SSL encryption to protect them from prying eyes.
I'm looking for advice specific enough that I can guide him through implementing his end of the bargain. I specifically want to avoid trying to pass XML requests as files via FTP, or by writing them to the disk and calling some script. It should go without saying, but I'm also not interested in running proprietary clarion server code or DLLs on my server.
Is Clarion capable of generating POST requests? Is XML hard to generate in Clarion? Is there a simpler/easier to use format my client may have more success with? None of the data is more complex than key/value pairs.
I'm coding in Python, but I can deserialize any reasonable data format if there's some way to get the data to my server.
I feel your pain. Communicating between systems can be a major pain. Good news though is that Clarion can do TCP/IP, and XML (with a little help) so there's nothing that should hold your Clarion colleague back.
In the interests of full disclosure I should point out that I'm biased here - I'm about to recommend that the Clarion guy use tools I created - nevertheless there are thousands of Clarion programmers out there using them, and they provide the answer to your question, so please forgive me. Ignore if you like.
In Clarion there are a couple of tools that make TCP/IP communications easy and that enable the use of SSL. The one I make is called NetTalk (http://www.capesoft.com/accessories/netsp.htm).
There is also XML support inside the Clarion box, although it's unnecessarily cumbersome so there are at least 2 xml products he can use - iqXML (which is free) and xFiles (http://www.capesoft.com/accessories/xfilessp.htm) which is designed to be super fast.
Using NetTalk & xFiles together it's trivial to create SOAP servers or clients. (Or plain HTTP servers and clients as you prefer.) There are a LOT of folk doing just this, so there's absolutely no excuse for using shared files, or FTP'ing requests around. I recommend you gently point your Clarion friend in the right direction.
If you'd like to run this question past other Clarion developers then try http://faq.clarionmag.com/ (which is using the StackOverflow engine.) There are also lots of programmers active on the NNTP protocol (news) at news.softvelocity.com (comp.lang.clarion and others).
Cheers
Bruce
Instead of trying to accomplish more in this obscure language, I'd go with the approach that you hinted upon: using the file system as a hand-over mechanism.
Have his code output files to a given folder; then, have a daemon, written in a "normal" language, monitor that folder regularly (cron job, etc). When a new file shows up, upload it through HTTPS / other "normal" means to your other server to do the task.
This approach follows the "localize the crap" philosophy - if you can't get rid of crap, at least make sure that its "borders" are well defined.
Information wants to be free. The language may be proprietary and closed, but the documentation is published online:
http://www.softvelocity.com/clarion/pdf/LanguageReferenceManual.pdf
Looks like a Windows 3.1 vintage report generating language which has the ability to talk DDE/OLE (!), but seems to have no external communication features other than that.
So no, Clarion cannot do POST requests (except via a third party custom control / DDE conversation). Using the file system might be a safe way to proceed: it keeps the client in familiar territory, and is the easiest to debug. However, if two way communication is required, you might need to blow the dust off the manuals and go the DDE route. It really depends on the exact requirements (e.g. is the program batch or interactive?), but page 935 (Appendix A) in the 1158 page manual is where to start looking!
I came in very late to this post, for I only set up a Stack Overflow account today. However, I would like to comment on Bruce's answer.
Bruce runs a 3rd party Clarion add-on maker company and will always suggest the use of their products. Although they're really fine and work very well, I can't help pointing out that there are standard, open tools for about anything that needs to be done.
For example, the programmer could use "curl" http://curl.haxx.se/ to communicate with a web server from a program. Not only a Clarion program, but any program. Aside from that, Clarion does have access to all the Windows API, and it is just a matter of writing the code, so, sockets, http, mci and whatever are at any programmer's reach.
Need to send e-mail from a program that apparently doesn't have access to smtp functions? use "Blat"! - blat.net
Want to download some file from a web site? wget - gnu.org/software/wget
These are all command line interfaces. And I suggest the ones who don't know what "interface" means, to go get a look at The Free Dictionary - tfd.com/interface
Regards
