A collection of web app security links with a focus on ASP.NET:
OWASP – The Open Web Application Security Project is a worldwide community of professionals interested in security and a good starting point for securing your web apps. Useful entry points: the Vulnerability pages, the .NET Project, the Cheat Sheet series (in particular the .NET Security Cheat Sheet) and the Top 10 security risks. Troy Hunt has some great Pluralsight courses about the Top 10 issues.
Top 10 Common Web Attacks from vpnMentor. A good summary of the OWASP Top 10 – 2017 edition and a good place to start (thanks to Qusai for the tip).
ASP.NET MVC Guidance: Security, Authentication and Authorization (ASP.NET site)
Security, Authentication, and Authorization in ASP.NET Web API (MS Docs)
ASP.NET Identity – Current MS stack for authentication and authorization in ASP.NET. Check the articles on security and especially the one on deployment, passwords and the cloud.
Troy Hunt – MS MVP, blogger and security expert. I really like his stuff. Take the list of topics of his Hack Yourself First workshop as inspiration, check out his Pluralsight courses and sign up for his newsletter. I love one of his recent posts, Passwords Evolved: Authentication Guidance for the Modern Era.
Ten Immutable Laws Of Security (Version 2.0) – Security philosophy 101 from Microsoft. Makes you think.
.NET Blog – General and security-related information.
My own blog entries about security.
I just tried to answer the question “How to ensure that my ASP.NET MVC 5 web app gets updated automatically when a severe security issue is found in a NuGet dependency”.
The best resources I have found on this topic:
- Windows Update will update NuGet packages only for targeted security updates
- Supported .NET version: 4.5.1 or newer
- Microsoft's .NET NuGet packages are treated as part of the .NET Framework
- Security update notifications are posted to .NET blog. Subscribe!
- Microsoft Update records loaded MS assemblies on a machine to identify candidates for patching.
- Apps using a vulnerable NuGet package get served the patched assembly via a GAC publisher policy.
I am now more confident that, when Windows Update is used, my applications get critical updates for their NuGet packages when needed.
But: I would like to see a more recent document about the treatment of security issues in NuGet. (Please leave a comment if you have something and I will update the post.) And I would like to know why the NuGet package feed list is empty.
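As a check on the mechanism described above, here is an added example (not code from the post or from Microsoft) that reports, for each assembly the web project was compiled against, which version the .NET binder actually resolves and where it comes from. A Microsoft NuGet assembly patched through Windows Update shows up with a higher resolved version than the referenced one, loaded from the GAC; that is the publisher policy in effect. A web.config binding redirect looks the same in the version columns, so the Location column is what distinguishes the two. The MvcApplication type named in the comments is the one the MVC 5 template generates; the diagnostics action mentioned in the usage note is an assumption and must itself sit behind [Authorize], because the output discloses exact assembly versions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;

// Added example, not from the blog post: for every assembly the given root
// assembly references, ask the binder which assembly it really resolves to and
// compare versions. Assembly.Load(AssemblyName) goes through binding policy
// (GAC publisher policy and web.config binding redirects), so the result is
// what the application actually runs with.
public static class AssemblyRedirectReport
{
    public class Row
    {
        public string Name;
        public Version Referenced;   // version the project was compiled against
        public Version Resolved;     // version the binder hands out at runtime
        public bool FromGac;         // true when the resolved copy lives in the GAC
        public string Location;
        public bool Redirected { get { return Resolved != null && Resolved != Referenced; } }
    }

    // root: typeof(MvcApplication).Assembly inside the web app, or
    // Assembly.GetExecutingAssembly() in a console project that references
    // the same NuGet packages.
    public static List<Row> Build(Assembly root)
    {
        var rows = new List<Row>();
        foreach (AssemblyName reference in root.GetReferencedAssemblies().OrderBy(r => r.Name))
        {
            var row = new Row { Name = reference.Name, Referenced = reference.Version };
            try
            {
                Assembly resolved = Assembly.Load(reference);
                row.Resolved = resolved.GetName().Version;
                row.FromGac = resolved.GlobalAssemblyCache;
                row.Location = resolved.Location;
            }
            catch (FileNotFoundException)
            {
                row.Location = "(not resolvable)";
            }
            catch (FileLoadException ex)
            {
                row.Location = "(load failed: " + ex.Message + ")";
            }
            rows.Add(row);
        }
        return rows;
    }

    // One line per reference; REDIRECTED marks a version that differs from the
    // compiled-against one, and GAC tells you it came from the machine-wide cache
    // (publisher policy) rather than from the application's bin folder.
    public static string Format(IEnumerable<Row> rows)
    {
        var lines = rows.Select(r => string.Format("{0,-40} ref {1,-12} got {2,-12} {3,-18} {4}",
            r.Name,
            r.Referenced,
            r.Resolved == null ? "-" : r.Resolved.ToString(),
            r.Redirected ? (r.FromGac ? "REDIRECTED (GAC)" : "REDIRECTED (bin)") : (r.FromGac ? "gac" : "bin"),
            r.Location));
        return string.Join(Environment.NewLine, lines);
    }
}
```

A convenient place to call it is a controller action that returns `Content(AssemblyRedirectReport.Format(AssemblyRedirectReport.Build(typeof(MvcApplication).Assembly)), "text/plain")` and is decorated with [Authorize] (or compiled only in debug builds). Rows for the Microsoft NuGet assemblies (System.Net.Http and friends) that say REDIRECTED (GAC) with a version you never referenced are the Windows Update patches the post talks about; the same row saying REDIRECTED (bin) means your own web.config binding redirect did it.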
A video tutorial based on what I learned about ASP.NET MVC 5, ASP.NET Identity, SQL Server and Azure.
Summary: I will show you how to create a very simple web application with user authentication. Users can register, log in, create diary entries (text) and visualize their entries.
In part one we will create, test and refactor the application locally on our computer. Although the app is very simple, we will touch a lot of different technologies. You will also see some issues you may experience when starting with ASP.NET MVC in Visual Studio and how to fix them.
In part two we will publish our app to the cloud (Azure). Please subscribe to get notified when part two is finished.
Visual Studio 2017 (Community Edition)
ASP.NET MVC 5
Entity Framework 6 with Code-First
LINQ to Entities
Azure App Service
Azure SQL Database
Visual Studio 2017 with the following workloads:
- ASP.NET and web development
- Azure development
- Create a new ASP.NET MVC 5 application with ASP.NET Identity
- Configure authentication (Individual user accounts) for new project
- Project folders overview
- Local database folder: App_Data
- Register user and log into our new application
- Use “Server Explorer” to show data from local database
- Change title and footer of application
- Basic HTML tags (title, h1, h2, footer, div)
- Remove a View and Action Method
- Commit to source control (local GIT repository)
- Create a new ASP MVC Controller
- Create a new ASP MVC View
- User authentication and security
- Use of the [Authorize] and [AllowAnonymous] attributes
- Configure authorization/authentication by default with global filter
- Refactor our app to use global filter instead of [Authorize] attribute
- Create a model class for diary entry
- Usage of the “prop” code snippet
- Create fake data in Controller
- Display list in View
- Use of the “ViewBag”
- Create an HTML table in code
- Create an HTML form using ASP.NET Identity code as template
- Razor syntax
- MVC Form @model directive
- Create a ViewModel for form-data with data validation attributes
- Use of [Required], [DisplayName] and [StringLength] attributes
- Add HttpPost Action method to Controller
- [HttpPost] and [ValidateAntiForgeryToken] attributes
- Test Action Method
- ASP.NET Identity ApplicationUser and ApplicationDbContext overview
- ASP.NET Identity tables
- Extend DiaryEntry model class for usage in DbContext
- Create foreign key property and navigation properties (Entity Framework)
- Add new DiaryEntry table to DbContext
- Create new model class from viewmodel
- Use Entity Framework to insert into DiaryEntries table
- Show result of data-model change: “Server Error in Application. The model backing the ‘ApplicationDbContext’ context has changed since the database was created. Consider using Code First Migrations to update the database”
- Add Code First Migrations to update the database
- Delete SQL Server LocalDB database from App_Data folder
- Enable, create and apply migrations with Package Manager (“enable-migrations”, “add-migration”, “update-database”)
- Test adding a new diary entry to the database using our form.
- Query database with LINQ to entities query
- Redirect to GET ActionMethod after the POST with “RedirectToAction”
- Identify user experience issues
- Use source control (GIT) to access code from a previous version
- Improve navigation by adding Login-Button on homepage
- Refactor Controllers and Views to merge homepage and diary page
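The form-handling part of the outline (view model with validation attributes, [HttpPost] with [ValidateAntiForgeryToken], the EF insert and the redirect after the POST), written out as one added example. This is not the tutorial's own code: DiaryEntry, DiaryController, CreatedUtc and the DiaryEntries DbSet (the table the outline adds to the DbContext) are assumed names; ApplicationUser and ApplicationDbContext are the classes the ASP.NET Identity template generates.

```csharp
using System;
using System.ComponentModel;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Added example, not the tutorial's code. Assumes the template's
// ApplicationDbContext has been extended with
//   public DbSet<DiaryEntry> DiaryEntries { get; set; }
// and that the form view renders @Html.AntiForgeryToken().

// View model for the form: only what the user may send, re-validated server-side.
public class DiaryEntryViewModel
{
    [Required]
    [DisplayName("Diary entry")]
    [StringLength(4000, MinimumLength = 1)]
    public string Text { get; set; }
}

// Entity stored by Entity Framework. Note the owner is a separate field that the
// view model deliberately does not expose.
public class DiaryEntry
{
    public int Id { get; set; }
    [Required]
    public string Text { get; set; }
    public DateTime CreatedUtc { get; set; }
    [Required]
    public string UserId { get; set; }                 // foreign key to AspNetUsers.Id
    public virtual ApplicationUser User { get; set; }  // navigation property
}

// With the global AuthorizeAttribute from FilterConfig this [Authorize] is
// redundant; it documents the intent and survives a later change of the default.
[Authorize]
public class DiaryController : Controller
{
    private readonly ApplicationDbContext db = new ApplicationDbContext();

    // GET /Diary: only the caller's own rows. Filtering on the server-side
    // identity, never on a value from the request, is what keeps one user from
    // reading another user's diary.
    public ActionResult Index()
    {
        string userId = User.Identity.GetUserId();
        var entries = db.DiaryEntries
            .Where(e => e.UserId == userId)
            .OrderByDescending(e => e.CreatedUtc)
            .ToList();
        return View(entries);
    }

    // POST /Diary/Create from the form rendered with @Html.AntiForgeryToken().
    [HttpPost]
    [ValidateAntiForgeryToken]   // rejects requests without a matching token (CSRF)
    public ActionResult Create(DiaryEntryViewModel model)
    {
        // Client-side validation can be switched off or bypassed, so the data
        // annotations are checked again here.
        if (!ModelState.IsValid)
            return View(model);

        // Map view model to entity by hand and take the owner from the
        // authenticated identity, not from anything the form posted.
        var entry = new DiaryEntry
        {
            Text = model.Text,
            CreatedUtc = DateTime.UtcNow,
            UserId = User.Identity.GetUserId()
        };
        db.DiaryEntries.Add(entry);
        db.SaveChanges();

        // Redirect after POST so a browser refresh does not re-submit the form.
        return RedirectToAction("Index");
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) db.Dispose();
        base.Dispose(disposing);
    }
}
```

Binding the action to DiaryEntryViewModel rather than to DiaryEntry is the security-relevant choice here: if the entity itself were the parameter, a crafted POST could supply its own UserId or Id and the default model binder would happily fill them in.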
Part 2 (Publish our app to the cloud) still in the works. Please subscribe to my YouTube channel and blog to get notified when it’s ready!
Credits: Big thanks to John Sonmez from SimpleProgrammer. His “10 Steps to learn Anything” course not only helped me to organize my learning but also motivated me to create this tutorial!
Just imagine two different scenarios in an ASP.NET MVC app using ASP.NET Identity. In both cases you have an application that requires the user to be logged in.
Your authentication default is “allow anonymous”, which is the default of the ASP.NET MVC 5 template. You create a new action method on a controller and forget to add the [Authorize] attribute.
Resulting issue: You have a security hole in your application that may remain undetected until someone exploits it. Nothing in the normal use of the app tells you it is there.
Your global authentication-default is “requires authentication”. You create a new action method on a controller that should be accessible without authentication and forget to add the [AllowAnonymous] attribute.
Resulting issue: You try your application, can’t enter that new page and fix it. In the worst case you didn’t do your homework and a customer/user finds the bug and complains to you.
Which issue would you rather have to deal with?
I personally prefer the whitelisting approach and err on the side of caution.
See also: Enable global authentication with ASP.NET MVC and Identity
To require user authentication for all action methods on all controllers, add an AuthorizeAttribute to the global filters in App_Start/FilterConfig.cs:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute()); // already in the MVC 5 template
    filters.Add(new AuthorizeAttribute());   // new: every action requires authentication by default
}

To configure an exception and allow anonymous access to an action method, decorate it with the [AllowAnonymous] attribute. The template's AccountController already does this for Login and Register, so signing in keeps working:

[AllowAnonymous]
public ActionResult Index()
{
    // do stuff
    return View();
}

Note that this covers MVC controllers only. If the project also hosts Web API, System.Web.Http has its own AuthorizeAttribute and its own filter collection (config.Filters in App_Start/WebApiConfig.cs), which needs the same default.
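To catch the forgotten attribute from either scenario before a user does, here is an added example (not from the post) of a reflection audit that lists every MVC action reachable without logging in. It applies the same rule AuthorizeAttribute uses at runtime: [AllowAnonymous] on the action or its controller always wins; otherwise an action is protected only if an AuthorizeAttribute is registered globally, on the controller or on the action. The MvcApplication and FilterConfig names in the usage note are the template's; the intended place to run it is a unit test, so that a gap fails the build.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;
using System.Web.Mvc;

// Added example, not from the blog post: reports every public MVC action that
// AuthorizeAttribute would let an anonymous caller reach.
public static class AnonymousActionAudit
{
    // webAssembly: the assembly holding the controllers (typeof(MvcApplication).Assembly).
    // globalAuthorize: whether FilterConfig registers an AuthorizeAttribute globally.
    public static List<string> FindAnonymousActions(Assembly webAssembly, bool globalAuthorize)
    {
        var findings = new List<string>();

        var controllers = LoadTypes(webAssembly).Where(t =>
            typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract && t.IsPublic
            && t.Name.EndsWith("Controller", StringComparison.Ordinal));

        foreach (Type controller in controllers)
        {
            // Subclasses of AuthorizeAttribute (custom authorize filters) count as well.
            bool controllerAuthorize = controller.GetCustomAttributes<AuthorizeAttribute>(true).Any();
            bool controllerAnonymous = controller.GetCustomAttributes<AllowAnonymousAttribute>(true).Any();

            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => m.DeclaringType != typeof(Controller) && !m.IsSpecialName
                    && IsActionReturnType(m.ReturnType)
                    && !m.GetCustomAttributes<NonActionAttribute>(true).Any());

            foreach (MethodInfo action in actions)
            {
                bool actionAuthorize = action.GetCustomAttributes<AuthorizeAttribute>(true).Any();
                bool actionAnonymous = action.GetCustomAttributes<AllowAnonymousAttribute>(true).Any();

                // Same precedence as AuthorizeAttribute.OnAuthorization: AllowAnonymous on the
                // action or controller short-circuits; otherwise any AuthorizeAttribute protects.
                bool protectedByAuthorize = globalAuthorize || controllerAuthorize || actionAuthorize;
                bool anonymous = actionAnonymous || controllerAnonymous || !protectedByAuthorize;
                if (!anonymous) continue;

                string reason = (actionAnonymous || controllerAnonymous)
                    ? "[AllowAnonymous]"                 // a deliberate exception
                    : "no AuthorizeAttribute applies";   // the hole from scenario one
                findings.Add(controller.Name + "." + action.Name + ": " + reason);
            }
        }
        return findings;
    }

    // Sync actions return ActionResult (or a subclass); async actions return Task<ActionResult>.
    private static bool IsActionReturnType(Type t)
    {
        if (typeof(ActionResult).IsAssignableFrom(t)) return true;
        return t.IsGenericType
            && t.GetGenericTypeDefinition() == typeof(Task<>)
            && typeof(ActionResult).IsAssignableFrom(t.GetGenericArguments()[0]);
    }

    // GetTypes() throws if a dependency is missing; keep the types that did load.
    private static IEnumerable<Type> LoadTypes(Assembly assembly)
    {
        try { return assembly.GetTypes(); }
        catch (ReflectionTypeLoadException ex) { return ex.Types.Where(t => t != null); }
    }
}
```

In a unit test, register the filters first so the global default is read from the real configuration rather than hard-coded: `FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); bool global = GlobalFilters.Filters.Any(f => f.Instance is AuthorizeAttribute);` and then assert that `AnonymousActionAudit.FindAnonymousActions(typeof(MvcApplication).Assembly, global)` equals your intended allow-list (in the template: the Account actions marked [AllowAnonymous] such as Login and Register). Two caveats: a custom IAuthorizationFilter that does not derive from AuthorizeAttribute is not recognized, and Web API controllers (ApiController) are outside the scope of this check.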