Friday, 25 November 2016

Securely Hardening your ASP.Net MVC Application

Security misconfiguration, or going live with default settings, exposes any application to a whole range of vulnerabilities, and ASP.Net MVC applications are no exception.

The following are steps you can take to harden an MVC application.

Securing cookies using the HttpOnly attribute

Cookies set by the server can, by default, be read by JavaScript running in the page. Malicious script (injected, for instance, through a cross-site scripting flaw) can use that access to send your cookies to a different domain. Most cookies never need to be accessed from the client side, so it is better to mark them with the HttpOnly attribute, which tells the browser to withhold them from script.

This is how you set it in Web.config:

<system.web>
  <!-- httpOnlyCookies: the browser withholds cookies from script.
       requireSSL: cookies are only sent over HTTPS.
       lockItem: child web.config files cannot override this element.
       (An xdt:Transform="Replace" attribute belongs only in a Web.Release.config
        transform file; in the base Web.config the undeclared xdt prefix fails to parse.) -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>

It is better to enforce this in the back-end code as well, as follows:

Response.Cookies.Add(new HttpCookie("ApplicationCookie")
{
    Value = "SomeValuerelatedToClient",
    HttpOnly = true   // not readable from JavaScript (document.cookie)
});

If we also set Secure = true, the browser will still receive and store the cookie when it is set over a secure connection, but it will only send the cookie back to the server when the connection is HTTPS; it is never transmitted over plain HTTP.
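As an added example (not code from the original post), the following Global.asax hook applies HttpOnly and Secure to every cookie the application emits, so a cookie created somewhere in the code base without the flags still leaves the server hardened, together with a helper for creating a cookie that carries both flags from the start. It assumes the site is served over HTTPS and runs under the IIS integrated pipeline; the names CookieHardening, Apply and CreateHardenedCookie are illustrative.

```csharp
using System;
using System.Web;

// Added example, not from the original post. Assumes the site is served over HTTPS
// and runs under the IIS integrated pipeline. Names are illustrative.
public class MvcApplication : HttpApplication
{
    // Fires just before the response headers are written, while Response.Cookies
    // can still be changed (the same hook the post uses for banner removal).
    protected void Application_PreSendRequestHeaders()
    {
        HttpContext context = HttpContext.Current;
        if (context == null) return;              // no request context (e.g. at shutdown)
        CookieHardening.Apply(context.Response.Cookies);
    }
}

public static class CookieHardening
{
    // Forces both flags on every outgoing cookie and returns how many cookies
    // were missing at least one of them (useful for logging during rollout).
    public static int Apply(HttpCookieCollection cookies)
    {
        int fixedUp = 0;
        foreach (string name in cookies.AllKeys)
        {
            HttpCookie cookie = cookies[name];
            if (cookie == null) continue;
            if (!cookie.HttpOnly || !cookie.Secure) fixedUp++;
            cookie.HttpOnly = true;   // withheld from script (document.cookie)
            cookie.Secure = true;     // sent back to the server over HTTPS only
        }
        return fixedUp;
    }

    // Creates an application cookie that is hardened from the start, with a short
    // lifetime so that a stolen copy is only useful for a limited time.
    public static HttpCookie CreateHardenedCookie(string name, string value, int lifetimeMinutes = 30)
    {
        return new HttpCookie(name, value)
        {
            HttpOnly = true,
            Secure = true,
            Expires = DateTime.UtcNow.AddMinutes(lifetimeMinutes)
        };
    }
}
```

Use CreateHardenedCookie wherever a cookie is issued (for example Response.Cookies.Add(CookieHardening.CreateHardenedCookie("ApplicationCookie", value));) and keep the Global.asax hook as the safety net for any cookie that bypasses it.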

Implementing HSTS 

Even after deploying SSL/TLS there are risks such as sslstrip, where a man-in-the-middle downgrades the connection and strips out the TLS. HTTP Strict Transport Security (HSTS) closes that gap: once a browser has seen the header, it refuses to talk to the site over anything but HTTPS.

In the Web.config

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=16070400; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
</system.webServer> 
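The Web.config entry above sends the header on every response, including ones served over plain HTTP, where browsers ignore it. As an added example that is not part of the original post, here is an HTTP module that does the two things HSTS needs in practice: it redirects plain-HTTP requests to HTTPS so the browser gets to see the header at all, and it sends Strict-Transport-Security only on HTTPS responses. It assumes the IIS integrated pipeline and that HTTPS is served on the default port; the class name HstsModule and the policy values are illustrative, and you would use either this module or the customHeaders entry, not both.

```csharp
using System;
using System.Web;

// Added example, not from the original post. Assumes the IIS integrated pipeline and
// HTTPS on the default port; names and policy values are illustrative.
public class HstsModule : IHttpModule
{
    // One year, which is the minimum browser preload lists expect.
    public const int MaxAgeSeconds = 31536000;
    public const bool IncludeSubDomains = true;

    public void Init(HttpApplication app)
    {
        // Step 1: bounce every plain-HTTP request to its HTTPS equivalent.
        app.BeginRequest += (sender, e) =>
        {
            HttpContext context = app.Context;
            string location;
            if (TryGetHttpsRedirect(context.Request, out location))
            {
                context.Response.StatusCode = 301;
                context.Response.RedirectLocation = location;
                app.CompleteRequest();   // skip the rest of the pipeline
            }
        };

        // Step 2: send the HSTS header, but only on HTTPS responses (RFC 6797 tells
        // browsers to ignore it over HTTP, so sending it there is pointless).
        app.PreSendRequestHeaders += (sender, e) =>
        {
            HttpContext context = app.Context;
            if (context.Request.IsSecureConnection)
            {
                context.Response.Headers["Strict-Transport-Security"] =
                    BuildHeaderValue(MaxAgeSeconds, IncludeSubDomains);
            }
        };
    }

    // Returns true and the HTTPS URL when the request arrived over plain HTTP.
    public static bool TryGetHttpsRedirect(HttpRequest request, out string location)
    {
        location = null;
        if (request.IsSecureConnection) return false;
        // Port = -1 drops any explicit port, so http://host:8080/x becomes https://host/x.
        var builder = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        location = builder.Uri.AbsoluteUri;
        return true;
    }

    public static string BuildHeaderValue(int maxAgeSeconds, bool includeSubDomains)
    {
        string value = "max-age=" + maxAgeSeconds;
        if (includeSubDomains) value += "; includeSubDomains";
        return value;
    }

    public void Dispose() { }
}
```

Register the module under system.webServer/modules in Web.config (an add element with name="HstsModule" and type="HstsModule"). Start with a small max-age while you confirm that every subdomain really serves HTTPS, because once includeSubDomains has been cached by browsers any HTTP-only subdomain becomes unreachable for them until the policy expires.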

Removing Banners

Banner grabbing is one of the best-known reconnaissance techniques used by attackers. By default, ASP.Net MVC applications expose details such as the .Net framework version and the MVC version in response headers. This information always gives an attacker an advantage.

We can use the following code snippet to remove these banners (Response.Headers can only be modified under the IIS integrated pipeline):

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");                // IIS version
    Response.Headers.Remove("X-AspNet-Version");      // .Net framework version
    Response.Headers.Remove("X-AspNetMvc-Version");   // MVC version
}

The X-Powered-By header is added by IIS itself, outside the ASP.Net pipeline, so to remove it we need to delete it in the ‘HTTP Response Headers’ feature in IIS Manager.
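Rather than only stripping the banners after they have been generated, two of them can be switched off at the source. The following Global.asax is an added example, not the post's code: it disables the MVC version header through the framework's own MvcHandler.DisableMvcResponseHeader setting, notes the httpRuntime setting that disables the .Net version header, and keeps the per-response removal for the Server header. It assumes the IIS integrated pipeline; the BannerHeaders and RemoveBanners names are illustrative.

```csharp
using System.Collections.Specialized;
using System.Web;
using System.Web.Mvc;

// Added example, not from the original post. Assumes the IIS integrated pipeline
// (accessing Response.Headers throws under the classic pipeline). Names are illustrative.
public class MvcApplication : HttpApplication
{
    // Headers stripped from every response. X-Powered-By is not listed because IIS
    // adds it outside the ASP.Net pipeline; remove it in IIS Manager as described above.
    public static readonly string[] BannerHeaders =
    {
        "Server",
        "X-AspNet-Version",     // also disabled at the source via httpRuntime (see below)
        "X-AspNetMvc-Version"   // also disabled at the source via MvcHandler (see below)
    };

    protected void Application_Start()
    {
        // Stops System.Web.Mvc from emitting X-AspNetMvc-Version in the first place.
        MvcHandler.DisableMvcResponseHeader = true;

        // X-AspNet-Version is switched off in Web.config rather than in code:
        //   <system.web><httpRuntime enableVersionHeader="false" /></system.web>
    }

    // Runs just before the headers are flushed, the last point at which they can be edited.
    protected void Application_PreSendRequestHeaders()
    {
        HttpContext context = HttpContext.Current;
        if (context == null) return;
        RemoveBanners(context.Response.Headers);
    }

    // Separate method so the list is easy to extend; Remove is a no-op for absent headers.
    public static void RemoveBanners(NameValueCollection headers)
    {
        foreach (string name in BannerHeaders)
        {
            headers.Remove(name);
        }
    }
}
```

Verify the result from outside the application (for example with curl -I against the deployed site) rather than trusting the code, since IIS and any reverse proxy in front of it can add headers of their own after ASP.Net has finished.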

Implement Content Security Policy headers

A Content-Security-Policy (CSP) tightens security in the user's browser. It defines which sources the page is allowed to load scripts, stylesheets, images and other content from, and where forms may be submitted, so that an injected payload from anywhere else is rejected by the browser. The policy is delivered as a response header.

The following is a sample of how this can be implemented. Note that it is only a sample implementation and there is a lot of room for improvement.

public class ContentSecurityPolicyFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.HttpContext.Response;
        // Only load scripts, styles, images etc. from this site's own origin.
        const string value = "default-src 'self'";

        // Legacy vendor-prefixed headers for older WebKit and Firefox/IE builds;
        // "options eval-script" is the old X-Content-Security-Policy syntax.
        response.AddHeader("X-WebKit-CSP", value);
        response.AddHeader("X-Content-Security-Policy", value + "; options eval-script");
        // The standard header understood by current browsers.
        response.AddHeader("Content-Security-Policy", value);
        base.OnActionExecuting(filterContext);
    }
}
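A policy of default-src 'self' blocks every inline script, which breaks most real MVC views. The usual way out is a per-request nonce: the filter generates a random value, puts it in the policy, and the view stamps the same value on the script tags it trusts. The filter below is an added example rather than the post's code; it also adds the directives a practitioner would normally want (object-src, frame-ancestors, base-uri, form-action) and can be rolled out in report-only mode first. The names CspAttribute, NonceItemKey, ReportOnly and ReportUri are illustrative.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Added example, not from the original post. Names are illustrative.
public class CspAttribute : ActionFilterAttribute
{
    // HttpContext.Items key under which the view finds this request's nonce.
    public const string NonceItemKey = "csp-nonce";

    // With ReportOnly = true violations are reported (to ReportUri) but not blocked,
    // which lets you tune the policy against real traffic before enforcing it.
    public bool ReportOnly { get; set; }
    public string ReportUri { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;
        string nonce = CreateNonce();
        http.Items[NonceItemKey] = nonce;

        string headerName = ReportOnly
            ? "Content-Security-Policy-Report-Only"
            : "Content-Security-Policy";
        http.Response.AddHeader(headerName, BuildPolicy(nonce, ReportUri));
        base.OnActionExecuting(filterContext);
    }

    // 128 bits from the OS CSPRNG, base64 encoded, fresh for every response so a
    // nonce observed in one page cannot be reused against another.
    public static string CreateNonce()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    public static string BuildPolicy(string nonce, string reportUri)
    {
        string policy =
            "default-src 'self'; " +
            "script-src 'self' 'nonce-" + nonce + "'; " +  // inline script must carry the nonce
            "style-src 'self'; " +
            "img-src 'self' data:; " +
            "object-src 'none'; " +                        // no plugins (Flash, Java)
            "frame-ancestors 'none'; " +                   // nobody may frame us (clickjacking)
            "base-uri 'self'; " +                          // no <base> hijacking of relative URLs
            "form-action 'self'";                          // forms may only post to this origin
        if (!string.IsNullOrEmpty(reportUri))
        {
            policy += "; report-uri " + reportUri;
        }
        return policy;
    }
}
```

Register it globally in FilterConfig with filters.Add(new CspAttribute { ReportOnly = true, ReportUri = "/csp-report" }); while tuning, then drop ReportOnly. In a Razor view, a trusted inline block becomes <script nonce="@ViewContext.HttpContext.Items[CspAttribute.NonceItemKey]">…</script>; anything injected without the nonce is refused by the browser.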

Do not use @Html.Raw content in the Razor View

All the @Html helpers and @ expressions in Razor automatically HTML-encode the content they output, so HTML and JavaScript in user-supplied data is rendered as text rather than executed. @Html.Raw does not encode, so any untrusted value passed to it goes straight into the page markup.
