
As per the increasing security threats, my site needs extreme care in terms of security in all aspects. I know ASP.NET has some built-in security measures (anti-forgery token, cross-site scripting, authentication, roles), but that is just not enough.

I need a tool to test all possible security threats (brute-force attacks, .... IP location, browser info ...) and a framework (open source is better) that handles all these concerns and lets you build upon it.

EDIT: So to narrow it a bit, my primary concern is protecting the "login" page from all possible threats.

Help is highly appreciated!

P.S. If you cannot answer, please skip the question and spare the comments and negative votes. Thanks.

Jalal El-Shaer
  • You'll need to be quite specific about exactly what you're after - the realm of security is huge and there are many tools (most of them non-.NET) that can be used to test for certain types of exploits. – Russ Cam Feb 21 '11 at 08:57
  • @Russ Great, why don't you start sharing those tools...!? – Jalal El-Shaer Feb 21 '11 at 09:05
  • @jalchr - depending on what it is you want to defend against, some tools may include jBroFuzz and Spike for fuzzing, Metasploit for penetration testing, CAT.NET for analysing code for possible vulnerabilities, Anti-XSS / Web Protection Library for a white-list approach against XSS vulnerabilities. The list is almost endless. If you could better explain what particular vulnerabilities you are concerned about, we might be able to recommend some specific tools. – Russ Cam Feb 21 '11 at 09:57
  • @jalchr - have a look through the tools listed at OWASP. Here are the .NET ones - http://www.owasp.org/index.php/Category:OWASP_.NET_Project – Russ Cam Feb 21 '11 at 10:00
  • I just can't believe that the ASP.NET community does have an open source project fighting these daily attacks/concerns!!! – Jalal El-Shaer Feb 21 '11 at 13:50
  • @Jalchr every attack is not the same. There are different projects fighting different attacks. There is no automatic solution for everything that fits everything. – Aristos Feb 21 '11 at 15:56
  • What on the login page are you looking to protect against? XSR attacks? – Russ Cam Feb 21 '11 at 17:51

3 Answers

In terms of security it sounds like you're building a pretty serious system.

When I build apps I first analyze the usage. If I know the end client and they operate behind a firewall, I first restrict access to the site by IP address.

Always use SSL certificates for sensitive parts of your site.

If the site is public facing, use Microsoft Forms authentication, but split the security elements out into a separate DB so no accidental amendments to the schema can affect security.

Make sure that any client-side validation is also repeated on the server side. Client-side validation is there to save round trips, but someone can spoof your site.

Make sure you set a limit on the number of times a password can be tried before it locks out.

Enforce a strong password policy through the .NET membership provider.

Make sure you encrypt any important variables passed to JavaScript.

Don't do any of this stuff:

    // SQL injection: the text box value becomes part of the query text
    string sql = "select * from Test where userid = '" + textbox1.Text + "'";

The best starting point for testing your whole server for security vulnerabilities is below:

http://www.microsoft.com/en-us/download/confirmation.aspx?id=573

Regards

Steve

histeve
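The pattern the answer warns against, shown beside its parameterized form and a server-side repeat of the input rule, as an added example that is not code from histeve's answer. The Users table and its UserId/PasswordHash columns, and the user-ID validation rule, are assumptions for illustration; the connection string is left to the caller.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not code from the original answer.
// Assumes a hypothetical Users table with columns UserId and PasswordHash.
public static class LoginQueries
{
    // What the answer says not to do: the text box value is spliced into the
    // SQL text, so a value such as  x' OR '1'='1  rewrites the WHERE clause.
    public static string BuildUnsafeSql(string userId)
    {
        return "select * from Test where userid = '" + userId + "'";
    }

    // Parameterized form: the value travels as typed data bound to @userId and
    // is never parsed as SQL, so quotes in the input cannot change the query.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string userId)
    {
        var cmd = new SqlCommand(
            "select UserId, PasswordHash from Users where UserId = @userId", conn);
        cmd.Parameters.Add("@userId", SqlDbType.NVarChar, 256).Value = userId;
        return cmd;
    }

    // Server-side repeat of whatever the page validates client-side (the answer's
    // point: client checks only save round trips). The exact rule is an assumed
    // policy: 3 to 64 characters from a small allow-list.
    private static readonly Regex UserIdRule =
        new Regex(@"^[A-Za-z0-9._@-]{3,64}$", RegexOptions.Compiled);

    public static bool IsValidUserId(string userId)
    {
        return userId != null && UserIdRule.IsMatch(userId);
    }
}
```

Check IsValidUserId before touching the database, and run BuildSafeCommand inside using blocks on an open SqlConnection so the command and its reader are disposed even when ExecuteReader throws. The parameter is what makes the difference: the same input that breaks BuildUnsafeSql is matched literally by the parameterized query.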

I think that a general defence approach is what you must think of. By that I mean that you must "seal your server" and not only the web pages. On the server side you first need to change the default ports, use a firewall to block port scanning, and monitor critical ports so nothing gets out/in that shouldn't.

Now from the web/page side, I know at least one tool from Google that can help you with some attacks.

http://google-gruyere.appspot.com/

A second article, about SQL injection:

http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks

Among products, I know Imperva, which is closer to what you are searching for:

http://www.imperva.com/products/wsc_threatradar.html

I am sure that there are more...

Also take some time and read:

Can some hacker steal the cookie from a user and login with that name on a web site?

How serious is this new ASP.NET security vulnerability and how can I workaround it?

Aristos

Use the built-in ASP.NET membership system. It was designed by security professionals and is thoroughly tested and robust. If you use it properly, you have very little to worry about. It has a lot of built-in features, such as logging failed login attempts, which would probably benefit you.

Tom Gullen
  • Thanks but that's not enough. Logging a failed login means nothing to hackers. – Jalal El-Shaer Feb 21 '11 at 13:49
  • @jal, you might need to be more specific then about exactly what attacks you want to protect against. The question of how to protect your login page the best way possible, the answer is to use the membership system because it is designed excellently and securely. This covers the majority of security concerns I can think of. – Tom Gullen Feb 21 '11 at 13:51
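One way to get the lockout limit, strong password policy and separate security database from histeve's answer through the built-in membership provider Tom recommends, as an added web.config fragment that is not part of either answer. The connection string, login URL, attempt thresholds and password regular expression are illustrative values chosen here, not values from the page.

```xml
<configuration>
  <connectionStrings>
    <!-- Membership data in its own database, so schema changes to the
         application DB cannot touch the security tables. Name and
         connection string are assumed. -->
    <add name="SecurityDb"
         connectionString="Data Source=.;Initial Catalog=SiteSecurity;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL keeps the Forms ticket off plain HTTP; a fixed (non-sliding)
           20-minute timeout bounds how long a stolen ticket stays valid.
           The login URL is assumed. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" slidingExpiration="false"
             timeout="20" cookieless="UseCookies" />
    </authentication>
    <!-- Session and auth cookies are not readable from script and not sent over HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SecurityDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="15"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{12,}$" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With these settings the provider records each failed attempt and locks the account after five failures within fifteen minutes (Membership.ValidateUser then returns false and MembershipUser.IsLockedOut is true until an administrator calls UnlockUser), so a brute-force run against the login page stalls without any extra code. Return the same generic error for a wrong password and a locked account; telling the client which one it hit leaks the account's existence.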