1

I want to hardening my website against simple dos/xss/sqli/etc... but I don't want to delve into security programming for now so I want to use a ready made class or library something like "mod_security" in linux.

about a year ago I'd found a project like modsec for asp.net but right now in google I've searched too much but nothing interesting.

anyone knows anything about WAF in .net ?

regards.

neuro
  • 14,948
  • 3
  • 36
  • 59
Vahid Hashemi
  • 5,182
  • 10
  • 58
  • 88
  • You cannot get good security for free; you need to work for it. Use parameters and escape HTML output. – SLaks May 12 '11 at 19:40
  • 1
    Yes there is being developed here www.asp-waf.com, also does web stats, not intentionally I think but you get a database with violations and passed requests – Walter Verhoeven Jan 16 '20 at 07:23

4 Answers4

5

You're never going to find a 'one size fits all' security package. However, a step in the right direction could be to take a look at Microsoft's Anti-XSS library and Security Runtime Engine. Both projects can be found on CodePlex.

Description:

(Anti-XSS)

AntiXSS provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.

White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost AntiXSS has been written with performance in mind. Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.

(SRE)

The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors to not make it to your application. Protection is provided as standard for

  • Cross Site Scripting
  • SQL Injection

As with all web security the WPL is part of a defense in depth strategy, adding an extra layer to any validation or secure coding practices you have already adopted.

John Bledsoe
  • 17,142
  • 5
  • 42
  • 59
keyboardP
  • 68,824
  • 13
  • 156
  • 205
2

There is no WAF that will work out of the box for your specific application. You will need a lot of fine tuning to secure a web application with a WAF. In many cases it will be easier to implement the application with security in mind than making it secure with an additional layer. Using a prepared statement for a SQL statement is much easier than trying to identify and filter bad input. Usually you want to do both (defense in depth) but the use of a prepared statement is the better option if you want to rely on a single protection measure.

If you really want to try securing your application with a WAF and you are familiar with mod_security, you can use it for your ASP.NET application. You need a dedicated server that acts as a reverse proxy in front of your application. Mod_security can filter ingoing and outgoing requests there. I fetched the pros and cons from the official mod_security website concerning the reverse proxy setup for you:

Advantages

  • Single point of access – functions as a choke point so you consolidate applying security settings and makes management easier.
  • Network topology is hidden from the outside world - so it will be more difficult for attackers to enumerate your web platforms.
  • Increased performance – if SSL accelerators/caching used.
  • You can implement vulnerability filters to protect and vulnerable web server or application on the backend (IIS, Netscape, ASP, PHP, etc...).

Disadvantages

  • A potential traffic bottleneck if the reverse proxy can not handle the network load.
  • A potential point of failure - if the reverse proxy goes down it may cause a denial of service to the web applications that are behind it.
  • Requires changes to the network.
Demento
  • 4,039
  • 3
  • 26
  • 36
0

My product, ServerDefender VP will work out of the box with ASP.NET (you just need to let the software run in "Log Only" mode for a period of time to let it learn about the traffic coming to your site or app). This web application firewall that was new around the time the question was originally asked, but is fairly mature now.

In terms of security, ServerDefender VP protects again common threats like XSS, SQL inject, and others. It also helps achieve PCI compliance and features powerful logging and alerting functionality. What likely sets it apart from some other WAF options is it's usability and simple user-interface.

Bhargav Rao
  • 50,140
  • 28
  • 121
  • 140
Port80 Software
  • 1
  • 1
  • 5
    http://stackoverflow.com/help/behavior: "you *must* disclose your affiliation in your answers" – qerub Feb 10 '14 at 12:43
-1

There is no WAF that will work out of the box for your specific application

Sorry to disagree.

Incapsula Cloud based WAF will provide you with an out of the box plug-and-play solution, and it will work for every platform (including, of course, asp.net). It will require no maintenance/customization on your end (this is done on a Global-level by a dedicated security team) and the initial set-up itself will take only 5 min (done via simple DNS data change).

Having said that:

  1. This is no a part of the Free plan. So, unlike "mod_security", this will cost you a few dozen dollars a month.

  2. On the plus side, unlike "mod_security" and other OS and/or Cloud solutions, this is a PCI compliant WAF, which says something about the level of security it provides. Alto this is especially crucial if you are thinking about handling you own transactions.

  3. Again, on a plus side, this is a highly customizable solution that comes with easy-to-use GUI and API for high-end users with specific needs.

  4. As an added bonus, because this is a Cloud CDN based solution, you`ll get a significant performance boost, due to Global-Proxy and CDN Caching features.

Igal Zeifman
  • 1,146
  • 7
  • 8