Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • ASP.NET Core 5 Secure Coding Cookbook
  • Toc
  • feedback
ASP.NET Core 5 Secure Coding Cookbook

ASP.NET Core 5 Secure Coding Cookbook

By : Roman Canlas
5 (6)
close
ASP.NET Core 5 Secure Coding Cookbook

ASP.NET Core 5 Secure Coding Cookbook

5 (6)
By: Roman Canlas

Overview of this book

ASP.NET Core developers are often presented with security test results showing the vulnerabilities found in their web apps. While the report may provide some high-level fix suggestions, it does not specify the exact steps that you need to take to resolve or fix weaknesses discovered by these tests. In ASP.NET Secure Coding Cookbook, you’ll start by learning the fundamental concepts of secure coding and then gradually progress to identifying common web app vulnerabilities in code. As you progress, you’ll cover recipes for fixing security misconfigurations in ASP.NET Core web apps. The book further demonstrates how you can resolve different types of Cross-Site Scripting. A dedicated section also takes you through fixing miscellaneous vulnerabilities that are no longer in the OWASP Top 10 list. This book features a recipe-style format, with each recipe containing sample unsecure code that presents the problem and corresponding solutions to eliminate the security bug. You’ll be able to follow along with each step of the exercise and use the accompanying sample ASP.NET Core solution to practice writing secure code. By the end of this book, you’ll be able to identify unsecure code causing different security flaws in ASP.NET Core web apps and you’ll have gained hands-on experience in removing vulnerabilities and security defects from your code.
Table of Contents (15 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Sections
Get in touch
Share Your Thoughts
1
Chapter 1: Secure Coding Fundamentals
Chapter 1: Secure Coding Fundamentals
Technical requirements
Input validation
Enabling whitelist validation using validation attributes
Whitelist validation using the FluentValidation library
Syntactic and semantic validation
Input sanitization
Input sanitization using the HTMLSanitizer library
Output encoding
Output encoding using HtmlEncoder
Output encoding using UrlEncoder
Output encoding using JavascriptEncoder
Protecting sensitive data using the Data Protection API
Free Chapter
2
Chapter 2: Injection Flaws
chevron up
Chapter 2: Injection Flaws
Technical requirements
What is SQL injection?
Fixing SQL injection with Entity Framework
Fixing SQL injection in ADO.NET
Fixing NoSQL injection
Fixing command injection
Fixing LDAP injection
Fixing XPath injection
3
Chapter 3: Broken Authentication
Chapter 3: Broken Authentication
Technical requirements
Fixing the incorrect restrictions of excessive authentication attempts
Fixing insufficiently protected credentials
Fixing user enumeration
Fixing weak password requirements
Fixing insufficient session expiration
4
Chapter 4: Sensitive Data Exposure
Chapter 4: Sensitive Data Exposure
Technical requirements
Fixing insufficient protection of data in transit
Fix missing HSTS headers
Fixing weak protocols
Fixing hardcoded cryptographic keys
Disabling caching for critical web pages
5
Chapter 5: XML External Entities
Chapter 5: XML External Entities
Technical requirements
Enabling XML validation
Fixing XXE injection with XmlDocument
Fixing XXE injection with XmlTextReader
Fixing XXE injection with LINQ to XML
6
Chapter 6: Broken Access Control
Chapter 6: Broken Access Control
Technical requirements
Fixing IDOR
Fixing improper authorization
Fixing missing access control
Fixing open redirect vulnerabilities
7
Chapter 7: Security Misconfiguration
Chapter 7: Security Misconfiguration
Technical requirements
Disabling debugging features in non-development environments
Fixing disabled security features
Disabling unnecessary features
Fixing information exposure through an error message
Fixing information exposure through insecure cookies
8
Chapter 8: Cross-Site Scripting
Chapter 8: Cross-Site Scripting
Technical requirements
Fixing reflected XSS
Fixing stored/persistent XSS
Fixing DOM XSS
9
Chapter 9: Insecure Deserialization
Chapter 9: Insecure Deserialization
Technical requirements
Fixing unsafe deserialization
Fixing the use of insecure deserializers
Fixing untrusted data deserialization
10
Chapter 10: Using Components with Known Vulnerabilities
Chapter 10: Using Components with Known Vulnerabilities
Technical requirements
Fixing the use of a vulnerable third-party JavaScript library
Fixing the use of a vulnerable NuGet package
Fixing the use of a library hosted from an untrusted source
11
Chapter 11: Insufficient Logging and Monitoring
Chapter 11: Insufficient Logging and Monitoring
Technical requirements
Fixing insufficient logging of exceptions
Fixing insufficient logging of DB transactions
Fixing excessive information logging
Fixing a lack of security monitoring
12
Chapter 12: Miscellaneous Vulnerabilities
Chapter 12: Miscellaneous Vulnerabilities
Technical requirements
Fixing the disabled anti-Cross-Site Request Forgery protection
Preventing Server-Side Request Forgery
Preventing log injection
Preventing HTTP response splitting
Preventing clickjacking
Fixing insufficient randomness
13
Chapter 13: Best Practices
Chapter 13: Best Practices
Technical requirements
Proper exception handling
Using security-related cookie attributes
Using a Content Security Policy
Fixing leftover debug code
Why subscribe?
14
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Fixing SQL injection with Entity Framework

Entity Framework Core (EF Core) is a popular Object-Relational Mapping (ORM) framework of choice for ASP.NET Core developers. This framework is cross-platform, and its ease of use allows developers to instantly model and query data into objects. Nevertheless, ORM frameworks such as EF Core can still be misused.

In this recipe, we will execute a simple SQL injection to exploit the vulnerability, locate the security bug, and remediate the risk by rewriting a more secure version of the code.

Getting ready

Using Visual Studio Code, open the sample Online Banking app folder at \Chapter02\sql-injection\razor\ef\before\OnlineBankingApp\.

Testing a SQL injection

Here are the steps:

  1. Navigate to Terminal | New Terminal in the menu or simply press Ctrl + Shift + ' in Visual Studio Code.
  2. Type the following command in the terminal to build and run the sample app:
    dotnet run
  3. Open a browser and go to http://localhost:5000/FundTransfers.
  4. The browser will display the web page for searching fund transfers using keywords in the Filter By Notes field, as shown in the following screenshot:

    Ystem.

    Figure 2.1 – Fund Transfers page

    Figure 2.1 – Fund Transfers page

  5. In the Filter By Notes textbox, type C and then hit the Search button.
  6. The web page will now return one entry finding one match for the Contingency Fund note:
    Figure 2.2 – Fund Transfers search result

    Figure 2.2 – Fund Transfers search result

  7. Now try entering the SQL injection payload: %';create table tbl1(one varchar(10), two smallint);Select * from Customers where id like '1.
  8. Notice that no error was thrown on the web page:
    Figure 2.3 – Successful SQL injection

    Figure 2.3 – Successful SQL injection

  9. To confirm that the SQL injection payload was executed successfully, open the \Chapter02\sql-injection\razor\ef\before\OnlineBankingApp\OnlineBank.db SQLite database using the DB Browser for SQLite tool:
Figure 2.4 – OnlineBank.db in DB Browser for SQLite

Figure 2.4 – OnlineBank.db in DB Browser for SQLite

Notice the newly created tbl1 SQLite table

Now, let's see how to identify the SQL injection vulnerability in code that uses EF and mitigate the preceding issue by fixing this security flaw and applying a countermeasure.

How to do it…

Let's take a look at the steps for this recipe:

  1. Launch Visual Studio Code and open the starting exercise folder by typing the following command:
    code .
  2. Navigate to Terminal | New Terminal in the menu or simply press Ctrl + Shift + ' in Visual Studio Code.
  3. Type the following command in the terminal to build the sample app to confirm that there are no compilation errors:
    dotnet build
  4. Open the Pages/FundTransfers/Index.cshtml.cs file and locate the vulnerable part of the OnGetAsync method, where a dynamic query is composed:
    public async Task OnGetAsync()
{
    var fundtransfer = from f in _context.FundTransfer
        select f;
    if (!string.IsNullOrEmpty(SearchString))
    {
        fundtransfer = _context.FundTransfer.            FromSqlRaw("Select * from FundTransfer                 Where Note Like'%" + SearchString +                    "%'");
    }
    FundTransfer = await fundtransfer.ToListAsync();
}
  5. To remediate the SQL injection vulnerability, let's start by adding a reference to System.
  6. Next, change the preceding highlighted code into the following by using the FromSqlInterpolated method:
    fundtransfer = _context.FundTransfer.FromSqlInterpolated($"Select * from FundTransfer Where Note Like {"%" + SearchString + "%"}");
  7. The FromSqlInterpolated method will create a LINQ query from the interpolated string supplied.

The interpolated parameter, SearchString, will then be converted into a DbParameter object, making the code safe from SQL injection.

How it works…

The Entity Framework allows you to execute raw SQL queries using the FromSQLRaw method. However, this method is dangerous as you can supply the argument with concatenated strings with the user input, SearchString:

_context.FundTransfer.FromSqlRaw("Select * from FundTransfer Where Note Like'%" + SearchString + "%'");

Using the payload used in the SQL injection test, imagine replacing the SearchString value with the malicious string %';create table tbl1(one varchar(10), two smallint);Select * from Customers where id like '1.

With FromSqlRaw blindly concatenating the injected input, the SQL statement now reads as follows:

Select * from FundTransfer Where Note Like'%%';create table tbl1(one varchar(10), two smallint);Select * from Customers where id like '1 %'

This is a perfectly valid series of SQL statements, except that it has a dangerous command that creates a new table or, in other cases or DBMS, could turn into a remote code execution by spawning a shell.

This way of forming SQL statements is regarded as bad coding practice. To write better and secure code, use methods such as FromSqlInterpolated to help compose harmless SQL statements with parameterized values.

There's more…

Parameterization is a proven secure coding practice that will prevent SQL injection. Another way to rewrite the code in this recipe is to use the DbParameter classes.

Introduce an instance of SqLiteParameter (which is derived from DbParameter) into the code as follows:

var searchParameter =     new SqliteParameter("searchString", SearchString);
fundtransfer = _context.FundTransfer     .FromSqlRaw("Select * from FundTransfer         Where Note Like'%@searchString%'",searchParameter);

Whitelisting is also a useful technique as a means to filter user input. You will have already seen this approach discussed in detail in Chapter 1, Secure Coding Fundamentals. Whitelisting will cause ASP.NET Core web applications to only process data that is in an expected format, but this technique is not as effective as using prepared statements or parameterized queries.

End of Section 4
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete