Security In ASP.NET MVC
There are four types of security:
- CSRF (Cross Site Request Forgery)
When we authenticate a user, we are verifying the identity of that user. If we need to authenticate users in an MVC application, it is probably because we are building an application that restricts some functionality to particular users. This is completely distinct from authorization, which decides whether a particular user is permitted to perform a certain action.
There are two types of authentication in MVC:
- Forms Authentication
- Windows Authentication
ASP.NET forms authentication happens after IIS authentication is finished. We configure forms authentication with the forms element inside the application's web.config file. The default attribute values for forms authentication are shown below:
The FormsAuthentication class creates the authentication cookie automatically when the SetAuthCookie() or RedirectFromLoginPage() methods are called. The value of the authentication cookie is a string representation of the encrypted and signed FormsAuthenticationTicket object.
We can create the FormsAuthenticationTicket object ourselves by specifying the cookie name, the cookie version, the directory path, the issue date of the cookie, the expiration date of the cookie, whether the cookie should be persistent, and optionally user-defined data, as given below:
Now we can encrypt this ticket using the Encrypt method of the FormsAuthentication class, as shown below:
Note: to encrypt a FormsAuthenticationTicket, set the protection attribute of the forms element to All or Encryption.
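As an added example (not the article's own code), the procedure from the paragraphs above carried through in C#: build the ticket, encrypt it, put it in the cookie, and read it back on a later request. The web.config fragment in the leading comment, the TicketHelper class name and the user-data string are assumptions.

```csharp
// Added example (not from the original article): issuing and reading a
// forms-authentication ticket by hand, as the text describes.
// Assumes web.config contains:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Account/Login" protection="All" timeout="30" />
//   </authentication>
// The helper name, user names and user data below are constructed for illustration.
using System;
using System.Web;
using System.Web.Security;

public static class TicketHelper
{
    // Build, encrypt and attach the ticket to the response. This is what
    // FormsAuthentication.SetAuthCookie does, plus a user-defined data field.
    public static void IssueTicket(HttpResponseBase response, string userName,
                                   string userData, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(30),
            isPersistent: persistent,
            userData: userData,          // e.g. a comma-separated role list
            cookiePath: FormsAuthentication.FormsCookiePath);

        // With protection="All", Encrypt() both encrypts and signs the ticket;
        // without the signature anyone holding the cookie could alter it.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // keep script away from the cookie
            Secure = FormsAuthentication.RequireSSL,  // honour requireSSL from web.config
            Path = ticket.CookiePath
        };
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;       // session cookie otherwise
        }
        response.Cookies.Add(cookie);
    }

    // Read the ticket back on a later request. Returns null when the cookie is
    // missing, fails validation, or has expired, so callers treat all three alike.
    public static FormsAuthenticationTicket ReadTicket(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (Exception)
        {
            // Decrypt throws on a tampered or mis-keyed cookie; treat as unauthenticated.
            return null;
        }
    }
}
```

Inside a controller the calls are `TicketHelper.IssueTicket(Response, model.UserName, "Employee", model.RememberMe)` after a successful password check and `TicketHelper.ReadTicket(Request)` wherever the user-defined data is needed.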
Choosing the Forms Authentication template
Open Visual Studio 2012 Ultimate, choose New Project >> ASP.NET MVC 4 Web Application and click OK.
Then choose the Internet Application template, which gives us everything required for Forms Authentication (AccountController, views, etc.), and click OK.
The Authorize attribute does not really care about how we authenticate a user. We can use two types of authentication:
- Forms Authentication
- Windows Authentication
All Authorize cares about is that the user has an identity, that we know who they are, and it will not let an anonymous user into the Index action. When we try to view the Index action without authenticating, it automatically redirects to Account/Logon, because the user has no account in this application. So we need to register before we can log on.
Windows Authentication is also called integrated authentication because the user accounts built into the Windows operating system are used to authenticate users. When a user is logged in to a domain, Windows can automatically authenticate them to the application. Windows Authentication is widely used in intranet applications that run inside a company's firewall, where all of the users are signed in to a Windows domain. It gives a single sign-on experience: users log in once to the domain and can be authenticated to several intranet applications.
How to Authenticate using Windows Authentication?
First we need to make a small change in the configuration section of web.config, as shown below.
Then apply the Authorize attribute to the Index action.
We can apply the Authorize filter to an individual action method or to a controller. When we apply a filter to a controller, it behaves as though we had applied it to each action method in that controller class; applying the Authorize filter to the Account controller class makes all of its action methods accessible only to authenticated users.
For Windows integrated authentication to work, we need to enable Windows authentication in IIS Express; otherwise we get the error below, and this is a situation we regularly face in today's server configurations.
Server programs such as web services and database services generally have features turned off by default to reduce the attack surface. If we want Windows Authentication to work, we need to turn it on.
Open Documents >> IISExpress >> config >> applicationhost.config and set the windowsAuthentication element's enabled attribute to true.
We can read the authentication details as shown below.
The Authorize attribute also lets us set some properties to enforce authorization rules. First we need to know the user's identity, and then we can state that only particular identities are permitted to access these actions.
The Authorize attribute also lets us specify Roles. In Windows Authentication these map by default to Windows groups or to groups configured in Active Directory. We can set roles as shown below.
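The following is an added example, not the article's code, that pulls together the Authorize usage described from the "Authorize attribute" paragraph through the Users and Roles paragraphs above: the filter on a whole controller, on single actions, restricted to named users and to roles, plus a data-driven check in an action body. The web.config fragment in the comment, the EmployeeController and the CORP domain, account and group names are assumptions.

```csharp
// Added example (not from the article) of the Authorize filter at controller
// and action level, with the Users and Roles restrictions the text mentions.
// Assumes web.config selects Windows authentication:
//   <authentication mode="Windows" />
// so User.Identity.Name is DOMAIN\user and role names are Windows groups.
// The CORP domain, account and group names are constructed placeholders.
using System.Web.Mvc;

// On the class, the filter covers every action in the controller, exactly as
// if each action carried [Authorize] itself.
[Authorize]
public class EmployeeController : Controller
{
    // Any authenticated user may list employees. An anonymous request never
    // reaches this method: under Windows auth the 401 triggers negotiation,
    // under Forms auth MVC redirects to the configured login page.
    public ActionResult Index()
    {
        ViewBag.User = User.Identity.Name;   // e.g. CORP\alice
        return View();
    }

    // Users= restricts the action to named identities (comma-separated).
    [Authorize(Users = @"CORP\alice,CORP\bob")]
    public ActionResult Audit()
    {
        return View();
    }

    // Roles= restricts the action to group members; under Windows auth the
    // role is a local or Active Directory group name.
    [Authorize(Roles = @"CORP\HR-Managers")]
    public ActionResult Edit(int id)
    {
        return View();
    }

    // A rule the attribute cannot express goes in the action body. Returning
    // 403 rather than redirecting avoids a login loop for a user who is
    // authenticated but not permitted.
    [HttpPost]
    public ActionResult Delete(int id)
    {
        if (!User.IsInRole(@"CORP\HR-Managers"))
        {
            return new HttpStatusCodeResult(403);
        }
        // delete employee <id> here (repository omitted from the example)
        return RedirectToAction("Index");
    }

    // [AllowAnonymous] (new in MVC 4) exempts an action from the class-level
    // filter for pages that must stay public.
    [AllowAnonymous]
    public ActionResult Help()
    {
        return View();
    }
}
```

Note that Users= and Roles= are matched against the identity the configured authentication mode produced; with Forms Authentication the same attributes work, but the role names then come from the role provider rather than from Windows groups.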
In Forms Authentication, .NET has a role provider. Using it we can store and manage roles in a SQL Server database, and it is configured for the application by default. The simplest way to do this is to use the button below in Solution Explorer.
It starts the .NET configuration tool. This tool is only meant for use on the local development machine. It looks at the web.config file and uses the same application services database that the Forms Authentication provider already configured there uses. We can add and manage roles from here. As we do so, they are automatically mapped to the database configured in web.config.
XSS (Cross Site Scripting attack)
There are some particular threats we will face. One popular attack of this kind is the cross site scripting attack, or XSS. In a cross site scripting attack the malicious user tries to make your website load a harmful script into the user's browser. It could be a malicious script, an ActiveX control, or even some harmful HTML. The malicious script can steal cookies, modify user settings, download malware, or change content. One of the worst cross site scripting attacks is account hijacking, where the malicious user gains access to the user's credentials and personal data.
This is a simple application for storing employee data. Suppose we enter some HTML, such as "We are from <em>India</em>", and save it. .NET automatically rejects this request to protect against cross site scripting (XSS), because request validation looks for anything that resembles HTML and simply rejects the request. There is actually nothing wrong with the emphasis tag, but .NET does not try to make a distinction here: anything that looks like HTML is rejected.
Sometimes a user needs to upload some HTML to the server, and then there is always a way to bypass this request validation. We have to be extremely careful. One option is to put the ValidateInput attribute on the target action, here the Create action.
Now we can process this request successfully.
Now we have a problem: the HTML is encoded here. This is because Razor encodes everything by default, which is a good thing and is another defence against cross site scripting (XSS). We can fix that easily, but ValidateInput(false) completely deactivates the check for malicious HTML, while we only need HTML inside one particular property. So we can permit HTML for one property using the AllowHtml attribute. Some other changes are needed: remove the ValidateInput attribute from the Create action, and make sure we pass the EmployeeViewModel class as the action parameter, so that model binding takes place and the HTML goes into that property. One change is also needed in the view, to display the HTML without encoding by passing the ViewData value to the Html.Raw helper.
Then we save one more record and the view shows the ViewData keeping the HTML tag.
Anti XSS Library
Rendering raw HTML is also more dangerous. Luckily Microsoft provides a library to protect against this. We can download it via NuGet or the Library Package Manager Console (Visual Studio >> Tools >> Library Package Manager >> Package Manager Console, then type Install-Package AntiXSS and hit Enter).
This code will discard all the harmful parts.
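As an added example (not the article's code) serving both the AllowHtml discussion above and this Anti XSS section: one property accepts markup, the controller sanitizes it with the AntiXSS library's Sanitizer on the way in, and only that property is rendered unencoded. EmployeeViewModel, EmployeeController and IEmployeeRepository are assumed names; Sanitizer.GetSafeHtmlFragment is the AntiXSS package's method.

```csharp
// Added example (not the article's code): accept HTML in exactly one property,
// sanitize it with the AntiXSS library on the way in, and render only that
// property unencoded. EmployeeViewModel, EmployeeController and
// IEmployeeRepository are assumed names; Sanitizer is the AntiXSS package's
// Microsoft.Security.Application.Sanitizer class.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Microsoft.Security.Application;

public class EmployeeViewModel
{
    [Required]
    public string Name { get; set; }      // request validation still rejects markup here

    [AllowHtml]                           // the only field allowed to carry markup
    public string About { get; set; }
}

public interface IEmployeeRepository
{
    void Save(EmployeeViewModel employee);
}

public class EmployeeController : Controller
{
    private readonly IEmployeeRepository _repository;

    public EmployeeController(IEmployeeRepository repository)
    {
        _repository = repository;
    }

    // Deliberately no [ValidateInput(false)]: that would switch request
    // validation off for every field, whereas [AllowHtml] relaxes it for one.
    [HttpPost]
    public ActionResult Create(EmployeeViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Keep harmless formatting such as <em>; drop <script>, on* event
        // handlers, javascript: URLs and similar. Sanitize once, at the trust
        // boundary, so whatever reaches the database is already safe to render.
        model.About = Sanitizer.GetSafeHtmlFragment(model.About ?? string.Empty);

        _repository.Save(model);
        return RedirectToAction("Index");
    }
}

// Details.cshtml: only the sanitized field bypasses Razor's default encoding.
//
//   <h2>@Model.Name</h2>              @* encoded: "<em>" renders as literal text *@
//   <div>@Html.Raw(Model.About)</div> @* unencoded: <em> renders as emphasis *@
```

Sanitizing at input time is the choice made here so that every view can trust the stored value; if instead the raw text must be kept (for later editing), the same Sanitizer call belongs in the view path immediately before Html.Raw.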
Cross Site Request Forgery (CSRF)
Cross Site Request Forgery (CSRF) is an exceptionally serious attack. Assume a user comes to the site and tries to update some data that requires authentication before they are permitted to perform the update. Once the user logs in with Forms Authentication, your site sends the user's browser an authentication cookie; on each subsequent request to the site the browser sends that cookie along, and .NET sees that the user is already authenticated. There is nothing wrong with the browser delivering the cookie: this is how browsers and cookies work, and it means the user does not need to enter their username and password on every single request. They authenticate themselves once and the cookie keeps them authenticated, at least for the duration of the session.
What is the problem with CSRF?
If the user visits some other site, or is tricked into picking up some HTML from a malicious source, that source can serve a form just like a form our application would serve to the user. If the user submits that form, the request will again be authenticated, because the authentication cookie held by the user's browser reliably travels along with every request, and the data will be stored in the database just as we always do for an authenticated request. But the data in that request is probably not something the user wanted to submit: someone tricked the user into transferring money or editing their account. The problem is that it is not enough to require the user to be authenticated when submitting data. We also have to check that the data the user is submitting really came from the user, and protect them when the form they submit comes from a malicious source.
To demonstrate a CSRF, we apply the Authorize attribute to the Edit action methods of our application.
We can store and update records because we have already authenticated. Below is a sample record that we stored in the database successfully.
From the developer's point of view, we are confident that having the Authorize attribute in place protects against a malicious user updating an employee's information.
See what happens: we are logged in as a user and come across an interesting link on our system.
We may get this link from an email, from another website, or from anywhere else on the internet. Now we click the link and a page comes up.
Now look: the data we had stored before has changed.
How can we prevent CSRF?
Use @Html.AntiForgeryToken() inside the form tag. @Html.AntiForgeryToken() adds a hidden input value that is unique to the browsing session. It also delivers a matching value in a cookie to the user's browser, so the user's browser holds that cookie, which is something a malicious website cannot obtain.
We should also put the ValidateAntiForgeryToken attribute on the action, to match the form value against the cookie value.
We again edit our data to undo what the malicious user did. Now we click that link again and ASP.NET MVC throws an exception saying the anti-forgery token is not supplied or is invalid.
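An added example, not the article's code, showing the Edit action before and after the two changes just described, so the difference is visible side by side. EmployeeController, EmployeeViewModel and IEmployeeRepository are assumed names; the Razor fragment in the trailing comment is the matching view.

```csharp
// Added example (not the article's code): the Edit action before and after
// CSRF protection. EmployeeController, EmployeeViewModel and the repository
// are assumed names; the view fragment in the trailing comment is Razor.
using System.Web.Mvc;

public class EmployeeViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }
    public decimal Salary { get; set; }
}

public interface IEmployeeRepository
{
    void Update(EmployeeViewModel employee);
}

[Authorize]   // authentication alone is necessary, but not sufficient against CSRF
public class EmployeeController : Controller
{
    private readonly IEmployeeRepository _repository;

    public EmployeeController(IEmployeeRepository repository)
    {
        _repository = repository;
    }

    // BEFORE: any page the victim visits can make the browser POST here, and the
    // browser attaches the forms-authentication cookie automatically, so the
    // request passes [Authorize] even though the user never filled in our form.
    [HttpPost]
    public ActionResult EditUnprotected(EmployeeViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View("Edit", model);
        }
        _repository.Update(model);
        return RedirectToAction("Index");
    }

    // AFTER: the filter reads the hidden __RequestVerificationToken form field
    // and the cookie of the same name and checks that they match. A third-party
    // page cannot read our cookie, so it cannot produce a matching field, and
    // the request fails with HttpAntiForgeryException before this body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(EmployeeViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        _repository.Update(model);
        return RedirectToAction("Index");
    }
}

// Edit.cshtml: the helper emits the hidden field and sets the matching cookie.
//
//   @using (Html.BeginForm("Edit", "Employee", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()
//       @Html.EditorForModel()
//       <input type="submit" value="Save" />
//   }
```

The EditUnprotected action is kept only to show the contrast; in a real controller every state-changing POST carries [ValidateAntiForgeryToken], and GET actions never change data, since a GET link cannot carry the hidden field at all.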