Important: This document may not represent best practices for current development; links to downloads and other resources may no longer be valid. The current recommended version can be found here.
Overview of Web Application Security Threats
If unknown users can access your Web application, the odds are almost certain that malicious users will try to gain unauthorized access to your application. Servers that are accessible to the public on the Internet are constantly probed for vulnerabilities. Therefore, it is recommended that you take precautions and build security into all of your Web applications.
More detailed information about best practices for writing secure code and securing applications can be found in the book "Writing Secure Code" by Michael Howard and David LeBlanc, or through the guidance provided by Microsoft Patterns and Practices.
Implementing security is only part of the solution. Another important part is vigilance. Even if your system has many security safeguards, you need to watch it closely in these ways:
Monitor your system's event logs. Watch for repeated attempts to log into your system or for excessive requests being made against your Web server.
Continually keep your application server up to date with the latest security updates for Microsoft Windows and Internet Information Services (IIS), as well as any updates for Microsoft SQL Server or other data sources that your application might use.
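The monitoring advice above (watch for repeated login attempts and for excessive request volume) can be turned into a small detector. The following is an added example, not code from the original document or from IIS; it runs over a few constructed log lines in a simplified W3C-style layout (date, time, client IP, method, URI, status) and flags clients that produce many failed logins, or simply too many requests, inside a sliding time window. The field layout, the `/login.aspx` path and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real IIS output): date time client-ip method uri status.
SAMPLE_LOG = """\
2003-05-01 10:00:01 203.0.113.5 POST /login.aspx 401
2003-05-01 10:00:02 203.0.113.5 POST /login.aspx 401
2003-05-01 10:00:03 203.0.113.5 POST /login.aspx 401
2003-05-01 10:00:04 203.0.113.5 POST /login.aspx 401
2003-05-01 10:00:05 203.0.113.5 POST /login.aspx 401
2003-05-01 10:00:06 203.0.113.5 POST /login.aspx 401
2003-05-01 10:00:10 198.51.100.7 GET /default.aspx 200
2003-05-01 10:01:00 198.51.100.7 POST /login.aspx 401
2003-05-01 10:09:00 198.51.100.7 POST /login.aspx 200
2003-05-01 10:20:00 203.0.113.5 POST /login.aspx 401
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "ip": m.group(2),
        "method": m.group(3),
        "uri": m.group(4),
        "status": int(m.group(5)),
    }


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5),
                    login_uri="/login.aspx"):
    """Clients with at least `threshold` failed logins (HTTP 401) within `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["uri"] == login_uri and rec["status"] == 401:
            failures[rec["ip"]].append(rec["time"])
    return {ip: n for ip, ts in failures.items()
            if (n := max_in_window(ts, window)) >= threshold}


def find_flood(log_text, threshold=100, window=timedelta(minutes=1)):
    """Clients issuing at least `threshold` requests of any kind within `window`."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            requests[rec["ip"]].append(rec["time"])
    return {ip: n for ip, ts in requests.items()
            if (n := max_in_window(ts, window)) >= threshold}


if __name__ == "__main__":
    print("brute force:", find_bruteforce(SAMPLE_LOG))
    print("flood:", find_flood(SAMPLE_LOG, threshold=6))
```

The sliding window matters: the same client's failed login twenty minutes later is not counted towards the burst, so a threshold on raw totals per day would miss the pattern or over-count it. Real IIS logs have more fields and a header block; adjust the regular expression rather than the detection logic.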
An important part of developing a more secure application is to understand the threats to it. Microsoft has developed a way to categorize threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (STRIDE). The sections below briefly describe these threats and how they apply to Web applications.
Spoofing
To spoof is to impersonate a user or process in an unauthorized way. At its simplest, spoofing can mean typing in another user's credentials. A malicious user might also change the contents of a cookie to pretend to be a different user, or to make the cookie appear to come from a different server.
In general, you can help prevent spoofing by using stringent authentication: any time someone requests access to non-public information, verify that they are who they claim to be. You can also help defend against spoofing by keeping credential information safe. For example, do not keep a password or other sensitive information in a cookie, where a malicious user can easily read or modify it.
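One way to detect the cookie tampering described above is to attach a keyed MAC to every cookie value the server issues and reject any cookie whose MAC does not verify. This is an added example in Python, not code from the original document or from ASP.NET (which has its own mechanisms for this); the secret key and the cookie layout (`value.tag`) are assumptions for the example. Note the caveat the text already makes: a signed cookie is still readable by the client, so signing prevents modification but does not make the cookie a safe place for passwords or other secrets.

```python
import base64
import hashlib
import hmac

# Hypothetical server-side secret. A real deployment generates a random key per site
# and keeps it out of source control; this constant exists only so the example runs.
SECRET_KEY = b"example-only-key-replace-with-random-bytes"


def sign_cookie(value, key=SECRET_KEY):
    """Return `value` followed by a URL-safe base64 HMAC-SHA256 tag over it."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")
    return value + "." + tag


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the embedded value if the tag verifies, otherwise None.

    The tag alphabet (base64url without padding) contains no '.', so splitting on the
    last '.' recovers the value even when the value itself contains dots.
    """
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all: an unsigned cookie is rejected, not trusted
    expected = sign_cookie(value, key)
    # Compare the whole expected string in constant time so an attacker cannot
    # recover the tag byte by byte from timing differences.
    if hmac.compare_digest(expected.encode("ascii"), cookie.encode("utf-8")):
        return value
    return None


if __name__ == "__main__":
    issued = sign_cookie("user=alice;role=member")
    print("issued:", issued)
    print("verified:", verify_cookie(issued))
    forged = issued.replace("member", "admin")
    print("forged verifies:", verify_cookie(forged))
```

Because the value is authenticated but not encrypted, the contents should be limited to an identifier the server can look up; anything the client must not see belongs in server-side session state.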
Tampering
Tampering means changing or deleting a resource without authorization. One example is defacing a Web page, where the malicious user gets into your site and changes files. An indirect way to tamper is a script exploit (cross-site scripting): the malicious user gets script to execute in other users' browsers by disguising it as ordinary input to a page or as a link.
A primary defense against tampering is to use Windows security to lock down files, directories, and other Windows resources, and to run the application with the minimum privileges it needs. You help guard against script exploits by not trusting any information that comes from a user, or even from a database, since stored data may have been supplied by a user earlier. Whenever you output information from an untrusted source, encode it for the context in which it appears (HTML content, an attribute value, a URL) so that the browser does not interpret it as markup or script.
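The following added example (Python rather than ASP.NET, and not code from the original document) shows the script exploit beside the fix: a page that pastes untrusted text straight into its markup, and the same page with the text encoded for its output context. The payloads are constructed attacker input; the same strings could arrive from a form field or from a database row written by an earlier request, which is why the source of the data does not change the handling.

```python
import html

# Constructed attacker inputs (not from any real incident).
SCRIPT_PAYLOAD = "<script>alert('xss')</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)'   # breaks out of a quoted attribute value


def render_unsafe(display_name, search_term):
    """Vulnerable: untrusted strings are concatenated into HTML unchanged."""
    return (
        "<p>Hello, " + display_name + "</p>\n"
        '<input name="q" value="' + search_term + '">'
    )


def render_safe(display_name, search_term):
    """Hardened: each value is encoded for the context it lands in.

    html.escape replaces < > & and, with quote=True, also " and ', so text can be
    placed in element content or inside a double-quoted attribute without the
    browser seeing new tags or attributes.
    """
    return (
        "<p>Hello, " + html.escape(display_name, quote=True) + "</p>\n"
        '<input name="q" value="' + html.escape(search_term, quote=True) + '">'
    )


def payload_survives(page, payload):
    """Test helper: does the raw payload appear in the output byte for byte?

    If it does, the browser will parse it as markup; if only its encoded form is
    present, the browser renders it as literal text.
    """
    return payload in page


if __name__ == "__main__":
    print(render_unsafe(SCRIPT_PAYLOAD, ATTR_PAYLOAD))
    print(render_safe(SCRIPT_PAYLOAD, ATTR_PAYLOAD))
```

Encoding is context-specific: `html.escape` is right for element content and quoted attributes, but a value placed inside a URL or inside a script block needs URL encoding or JavaScript string encoding instead, and an unquoted attribute cannot be made safe by escaping alone.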
Repudiation
A repudiation threat involves carrying out a transaction in such a way that there is no proof after the fact of which principals took part in it. In a Web application, this can mean an attacker acting under an innocent user's credentials, so that the action is attributed to that user and cannot be traced back to the attacker. You can help guard against repudiation by using stringent authentication. In addition, use the logging features of Windows to keep an audit trail of any activity on the server.
Information Disclosure
Information disclosure simply means stealing or revealing information that is supposed to be private. A typical example is stealing passwords, but information disclosure can involve access to any file or resource on the server.
The best defense against information disclosure is to have no information to disclose. For example, if you avoid storing passwords, malicious users cannot steal them. An alternative to storing passwords is to store only a salted hash of each password, computed with a deliberately slow algorithm so that a stolen hash is not easily reversed by guessing; when a user presents credentials, hash the supplied password with the stored salt and compare the result to the stored hash. If you do store sensitive information, use Windows security to help secure it. As always, use authentication to help ensure that only authorized users can access restricted information. If you must expose sensitive information, encrypt it when stored and use Secure Sockets Layer (SSL; today, TLS) to encrypt it in transit between the browser and the server.
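The password-hashing scheme described above, as an added example in Python (not code from the original document, and not ASP.NET's own membership implementation): each password gets a random salt, the hash is computed with PBKDF2-HMAC-SHA256 so that guessing is expensive, and verification compares hashes in constant time. The record format `pbkdf2_sha256$iterations$salt$hash` and the default iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor. Tune so one verification costs a noticeable fraction of a
# second on the server; raise it over time as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh 16-byte salt per password means two users with the same password get
    different records, and a precomputed table of hashes is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored_record):
    """Recompute the hash with the stored salt and parameters; True only on a match."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored_record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

Storing the iteration count in the record lets you raise the work factor later and re-hash each user's password on their next successful login, without a flag day.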
Denial of Service
A denial of service attack is to deliberately cause an application to be less available than it should be. A typical example is to overload a Web application so that it cannot serve ordinary users. Alternatively, malicious users might try to simply crash your server.
IIS enables you to throttle applications, that is, to limit the number of requests it will serve. You might also be able to deny access to users or IP addresses known to be malicious. Keeping your applications online is also a matter of running robust code: test your application thoroughly and respond appropriately to error conditions wherever possible, so that malformed or excessive input produces an error response rather than a crash.
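To make the throttling idea concrete, here is an added example of a per-client token-bucket limiter combined with a deny list, written in Python for illustration; it is not IIS's own throttling mechanism nor code from the original document. A client may burst up to `burst` requests and is then held to `rate` requests per second; clients on the deny list are refused outright. Timestamps are passed in explicitly so the behaviour is deterministic and testable.

```python
from collections import defaultdict


class Throttle:
    """Per-client token bucket with a static deny list (assumed parameters)."""

    def __init__(self, rate=5.0, burst=10, denylist=None):
        self.rate = float(rate)            # tokens added per second
        self.burst = int(burst)            # bucket capacity, i.e. the largest burst allowed
        self.denylist = set(denylist or [])
        self.tokens = defaultdict(lambda: float(self.burst))  # every client starts with a full bucket
        self.last_seen = {}

    def allow(self, client_ip, now):
        """Return True if the request at time `now` (seconds) should be served."""
        if client_ip in self.denylist:
            return False
        elapsed = now - self.last_seen.get(client_ip, now)
        self.last_seen[client_ip] = now
        # Refill in proportion to elapsed time, never beyond the bucket's capacity.
        available = min(self.burst, self.tokens[client_ip] + elapsed * self.rate)
        if available < 1.0:
            self.tokens[client_ip] = available
            return False
        self.tokens[client_ip] = available - 1.0
        return True


def simulate(throttle, requests):
    """Replay (timestamp, client_ip) pairs; return {ip: {"served": n, "refused": m}}."""
    outcome = defaultdict(lambda: {"served": 0, "refused": 0})
    for ts, ip in requests:
        outcome[ip]["served" if throttle.allow(ip, ts) else "refused"] += 1
    return dict(outcome)


if __name__ == "__main__":
    # Constructed traffic: one client hammers the server, another browses normally,
    # a third is on the deny list.
    traffic = [(0.0, "203.0.113.5")] * 10 + [(0.0, "198.51.100.7"), (10.0, "198.51.100.7"),
                                             (20.0, "198.51.100.7"), (0.5, "203.0.113.9")]
    print(simulate(Throttle(rate=1.0, burst=3, denylist={"203.0.113.9"}), traffic))
```

Rate limiting keyed on source address is a blunt tool: clients behind one proxy share a bucket, and a distributed flood spreads across many addresses. It protects against the single abusive client the text describes, not against every denial of service.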
Elevation of Privilege
An elevation of privilege attack is to use malicious means to get more permissions than normally assigned. For example, in a successful elevation-of-privilege attack, a malicious user manages to get administrative privileges to your Web server, giving himself or herself access to any data on the server as well as control over server capabilities.
To help protect against elevation of privilege, run the application in a least-privilege context if practical. For example, it is recommended that you do not run ASP.NET applications as the SYSTEM (administrative) user.