Web Site Security for ASP.NET
Don’t give security threats the green light into your organization. We are launching a blog series featuring a variety of topics relating to web site security, types of security breaches that may occur and how to mitigate those breaches. Follow Superior Consulting Services and visit our website to catch up on the latest security installment.
Website security requirements have consistently grown over the past 15 to 20 years as more hackers discover new ways to penetrate security defenses. For that reason, a nonprofit foundation, called OWASP, was established to aid in the defense of the constant barrage of penetration attempts.
What is OWASP?
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led, open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
- Tools and Resources
- Community and Networking
- Education & Training
For nearly two decades, corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work.
In essence, OWASP provides resources for web developers to aid in the defense against website hacking. The OWASP foundation provides general, and sometimes specific, information about the types of security breaches discovered and methods to employ to prevent successful attacks of these types in your environment.
OWASP Top 10
A list of the top 10 most common and most threatening security attacks is maintained by the OWASP foundation. It is updated yearly to stay current with the present World Wide Web universe. The latest list as of this writing is for the year 2021 and is as follows:
Broken Access Control A system administrator usually manages the application’s access control rules and the granting of permissions. Broken access control is a critical security vulnerability in which attackers can perform any action (access, modify, delete) outside of an application’s intended permissions.
Cryptographic Failures a cryptographic failure is a security failure that occurs when a third-party entity (apps, web pages, different websites) exposes sensitive data.
Injection HTML Injection also known as Cross Site Scripting. It is a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.
Insecure Design is a new category for 2021, with a focus on risks related to design flaws. Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design.” Insecure design is not the source for all other Top 10 risk categories. There is a difference between insecure design and insecure implementation.
Security Misconfiguration Security misconfiguration occurs when security settings are not adequately defined in the configuration process or maintained and deployed with default settings. This might impact any layer of the application stack, cloud or network.
Vulnerable and Outdated Components Vulnerable and outdated components often introduce security issues unknown to developers, making them soft targets for hackers looking to exploit a vulnerable system.
Identification and Authentication Failures Confirmation of the user’s identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application: Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
Software and Data Integrity Failures Software and data integrity failures encompass a broad category of application security threats that occur when the application’s code and infrastructure are exposed to unauthorized changes that lead to a system-wide compromise.
Security Logging and Monitoring Failures While logs are meant to offer granular details, an improper logging mechanism restricts issue resolution and mitigating security attacks. This is often because, without efficiently administered logging, it is difficult to track down and debug errors, understand user behavior, or even know if your system is functioning correctly.
Server-Side Request Forgery A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs. URLs can be manipulated, either by replacing them with new ones or by tampering with URL path traversal.
Tools to Detect Security Weakness
To know which of the myriad of security breaches to protect against, you need to know how your website is vulnerable. There are tools that are essentially free to use that will simulate an attack against your website and report any vulnerabilities that are discovered. This process is called pentesting which stands for penetration testing.
Pentesting is carried out as if the tester is a malicious external attacker. The goal is to break into the system and either steal data or carry out some sort of denial-of-service attack. Pentesting is also used to test defense mechanisms, verify response plans, and confirm security policy adherence.
One of the most useful tools for pentesting is called ZAP (Zed Attack Proxy). ZAP is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
Wireshark was one of the most popular free and open-source Windows pentesting tools in 2021.
It enables you to analyze network protocols and network traffic at a micro level. Using this pentest tool for Windows, you know what is going on in your organization’s network by capturing the network packets, decrypting them and viewing the actual content.
Nmap, which stands for Network Mapper, is another very popular Windows penetration testing tool that is used for information gathering.
Nmap can be used at the information gathering stage. It enables you to get insights into the host IP address, all hosts on the network and the services they offer, the server software and version numbers they run, among other network information that is important for penetration testing. Nmap also comes built-in with firewall evasion and spoofing features.
Software Risk Mitigation for ASP.NET
Once all the attack issues have been gathered using your tool of choice, it is time to make changes to your website to reduce its vulnerability to cyber-attacks.
Our next blog will discuss steps that can be taken to mitigate the risk of web site security penetration. The types of prevention techniques will vary depending on the type of attack that is being prevented and will consist of a mix of code, configuration, and IIS settings.
It will answer the questions:
- What are the most common security issues discovered in web sites?
- Request headers – what are they and what are their contents?
- What is Content Security Policy (CSP) and its role in web site security?
- What are some resolutions and how do you mitigation the security issues?
Get FREE OWASP Assessment