Phosphor Short guide to hardening Websites and Services

Prepared for the Phosphor team by Mathew Peachey


Read the OWASP Top 10 - This is an industry-recognised standard that outlines the 10 most common web vulnerabilities and suggests best practices to avoid them. Pay attention to the code for each item (A1 - A10), as some security scanner reports reference them.

Basic Authorization and Authentication

If you're logged into the site as a specific user, you should not be able to edit the URL and view someone else's data. For example, if I'm logged in as User ID 123 and my profile page is at http://testsite.local/users/123, editing the URL to http://testsite.local/users/124 should not show me anyone else's data.

Similarly, if we're hosting sensitive documents (PDFs, etc.) on the site, I should not be able to navigate directly to the document URL and download it unless I am logged in as a user who has permission to view it. Sensitive document downloads should be wrapped in an MVC controller action that checks for authorization.

CSRF Protections

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Cross-Site Request Forgery is when an attacker manipulates a user into accessing a URL hosted on another site, which then triggers a request to the target site on that user's behalf.

The fix is simple: anywhere you have a form (either an explicit <form> tag or Html.BeginForm), ensure that you have @Html.AntiForgeryToken() somewhere inside it. This generates a unique random token that the server verifies it issued before accepting the form data.
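As an added example (not Phosphor project code) covering both the document-download authorization check above and the server side of the CSRF protection: a controller whose Download action only serves a document to its owner, and whose POST action carries [ValidateAntiForgeryToken], which is what makes MVC actually verify the token that @Html.AntiForgeryToken() emits in the view. The SensitiveDocument model, IDocumentRepository and its constructor injection are assumptions for illustration.

```csharp
using System.Web.Mvc;

// Hypothetical model and repository; the real project will have its own.
public class SensitiveDocument
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string FileName { get; set; }
    public byte[] Contents { get; set; }
}

public interface IDocumentRepository
{
    SensitiveDocument Find(int id);
}

[Authorize] // unauthenticated requests never reach any action on this controller
public class DocumentsController : Controller
{
    private readonly IDocumentRepository _documents;

    // Assumes the repository is supplied by the project's DI container.
    public DocumentsController(IDocumentRepository documents)
    {
        _documents = documents;
    }

    // GET /Documents/Download/123
    // The file is served only if the logged-in user owns it.
    public ActionResult Download(int id)
    {
        var doc = _documents.Find(id);
        // Treat "exists but not yours" the same as "does not exist", so a user
        // who edits the id in the URL learns nothing about other users' files.
        if (doc == null || doc.OwnerUserName != User.Identity.Name)
        {
            return HttpNotFound();
        }
        return File(doc.Contents, "application/pdf", doc.FileName);
    }

    // POST /Documents/Rename/123 from a form containing @Html.AntiForgeryToken().
    // The view only emits the token; this attribute is what makes the server
    // reject the request when the token is missing or was not issued by us.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Rename(int id, string newName)
    {
        var doc = _documents.Find(id);
        if (doc == null || doc.OwnerUserName != User.Identity.Name)
        {
            return HttpNotFound();
        }
        doc.FileName = newName;
        return RedirectToAction("Download", new { id });
    }
}
```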

SQL Injection

https://www.owasp.org/index.php/SQL_Injection

We're generally resistant to this kind of attack, since Entity Framework is pretty good at protecting against it. A quick and dirty test is to go through the test site putting single quotes into search and form fields and seeing what happens. If something breaks, that probably indicates a vulnerability somewhere. OWASP has a far better outline of the problem and its fixes at the link above.

Defaults for project setup:

If using HTTPS, then use secure cookies

<system.web>
    <httpCookies requireSSL="true" />
</system.web>

Disable autocomplete on "sensitive" fields

I believe this to be largely rubbish, since modern browsers ignore it, but if a client raises the issue we need to fix it. Resolve by adding the autocomplete="off" attribute to username and password fields in the HTML. My default stance is to leave this one as is and fix it if someone complains.

@Html.TextBoxFor(m => m.Username, new { autocomplete="off" })
@Html.PasswordFor(m => m.Password, new { autocomplete="off" })

Disable embedding

Add the following to the Global.asax

protected void Application_BeginRequest(object sender, EventArgs e) {
    // Tells browsers to refuse to render this site inside a frame on any other origin (clickjacking protection)
    HttpContext.Current.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
}

Remove info headers

Add the following to the Global.asax:

protected void Application_PreSendRequestHeaders() {
    Response.Headers.Remove("Server");
}

Update the web.config with the following setting if not already present:

<system.web>
    <!-- enableVersionHeader="false" suppresses the X-AspNet-Version header -->
    <httpRuntime targetFramework="4.5.2" enableVersionHeader="false" />
</system.web>
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
</system.webServer>