If the Veracode State of Software Security reports are to be believed, 77% of web applications have at least one security vulnerability. Internet-exposed web applications are one of the leading causes of data breaches in this world of space-age technology, which makes web application security a matter of urgency.
The application layer continues to be an easy target for attackers seeking access to restricted information (which every application holds, to some extent).
A compromised web application has far-reaching consequences for the breached organization's finances as well as its reputation.
For as long as we are connected through the internet, no matter how skilled the web security experts in your organization are, everyone has to stay vigilant and protect themselves against the web application threats looming in the cybersphere.
It is essential to understand that when designing a web application, such as one built on ASP.NET Core, security must not be treated as an afterthought.
But to stay watchful, we have to remain informed about what we are up against.
Ranked by how easy they are to exploit, how easily an attack can be detected, and the severity of the damage an attack can cause, the vulnerabilities you need to brace yourself against are:
- CROSS SITE SCRIPTING:
The attacker injects script into content that the web application sends to other users, with the aim of manipulating the application on the client side. Once the malicious script runs in a victim's browser it can steal session cookies (and with them the session), redirect users to malicious sites, or perform actions on the victim's behalf. The usual entry points are input fields and URL parameters whose values are echoed back into a page without output encoding; in ASP.NET Core, Razor encodes output by default, so the risk typically reappears through Html.Raw or HTML built by hand in code. A successful attack puts the company's reputation at stake, with users' sensitive information exposed at any time.
- SQL INJECTION:
SQL, one of the most commonly used languages, has also become an essential tool for attackers trying to reach the application's database. While the server legitimately uses SQL to store and manage vital data, attackers use SQL injection for their malicious intent of stealing, modifying or deleting that data. Any input field or URL parameter whose value ends up in a database query is a candidate for injection. The root cause is building queries by concatenating unsanitized input instead of passing values as parameters; a server that gets this wrong hands the attacker its confidential information and, often, control over the database as well.
- SECURITY MISCONFIGURATION:
Security misconfiguration gives the attacker easy, unauthorized access to sensitive information through URLs, form fields and input fields. An application server, web server or database server that is not securely configured (default accounts left in place, verbose error pages, unnecessary features enabled) becomes the path of least resistance to application and database information. That information can then be used to set further attacks in motion.
- INADEQUATE TRANSPORT LAYER PROTECTION:
Carelessness on the part of developers in choosing and implementing weak algorithms, not using TLS (still commonly called SSL), or deploying invalid certificates that clients are taught to accept, exposes the communication between the client and the server. Insufficient transport layer protection lets an attacker on the network read or alter the data sent over it, for example authentication credentials or credit card details.
- CROSS SITE REQUEST FORGERY:
A forged request, launched from another site, makes the logged-in user's browser perform an action on the vulnerable application that the user never intended. The attacker sends the victim a link, or a page containing a hidden form, which submits the forged HTTP request to the application; because the browser attaches the session cookie automatically, the application cannot tell the forged request from a legitimate one. Typical targets are user profile pages, account settings and business transaction pages, and the outcome is a change made or a transaction performed in the victim's name rather than data read directly, since the attacker does not see the response.
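The XSS, SQL injection, CSRF, security misconfiguration and transport points above, shown as the vulnerable form beside the hardened form in an ASP.NET Core controller and Startup class. This is an added example, not code from the original article; the Customer entity, AppDbContext, the LocalDB connection string and the route names are assumptions made for illustration.

```csharp
using System;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Assumed entity and DbContext for the SQL examples (not from the article).
public class Customer
{
    public int Id { get; set; }
    public string Email { get; set; }
    public string DisplayName { get; set; }
}
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Customer> Customers { get; set; }
}

[Route("customers")]
public class CustomerController : Controller
{
    private readonly AppDbContext _db;
    public CustomerController(AppDbContext db) => _db = db;

    // XSS, VULNERABLE: untrusted input pasted into HTML; ?name=<script>...</script> runs in the victim's browser.
    [HttpGet("greet-unsafe")]
    public IActionResult GreetUnsafe(string name) => Content($"<h1>Hello {name}</h1>", "text/html");

    // XSS, HARDENED: encode on output. Razor does this for @Model.Name automatically; the hole reappears
    // only with Html.Raw or hand-built HTML like the line above.
    [HttpGet("greet")]
    public IActionResult Greet(string name) =>
        Content($"<h1>Hello {HtmlEncoder.Default.Encode(name ?? "")}</h1>", "text/html");

    // SQL injection, VULNERABLE: the string is interpolated BEFORE FromSqlRaw sees it, so
    // email = "' OR 1=1 --" returns every row. FromSqlRaw is only safe with {0}-style placeholders.
    [HttpGet("find-unsafe")]
    public async Task<IActionResult> FindUnsafe(string email) =>
        Json(await _db.Customers.FromSqlRaw($"SELECT * FROM Customers WHERE Email = '{email}'").ToListAsync());

    // SQL injection, HARDENED: FromSqlInterpolated receives a FormattableString and turns every {value}
    // into a DbParameter. A LINQ Where(c => c.Email == email) avoids hand-written SQL altogether.
    [HttpGet("find")]
    public async Task<IActionResult> Find(string email) =>
        Json(await _db.Customers.FromSqlInterpolated($"SELECT * FROM Customers WHERE Email = {email}").ToListAsync());

    // CSRF, VULNERABLE: a state change that any cross-site <form method="post"> can trigger, because the
    // browser attaches the victim's session cookie to the forged request automatically.
    [HttpPost("rename-unsafe")]
    public Task<IActionResult> RenameUnsafe(int id, string displayName) => ApplyRenameAsync(id, displayName);

    // CSRF, HARDENED: the post must also carry the antiforgery token that Razor's <form asp-action="...">
    // emits; a foreign origin can neither read nor forge it.
    [HttpPost("rename"), ValidateAntiForgeryToken]
    public Task<IActionResult> Rename(int id, string displayName) => ApplyRenameAsync(id, displayName);

    private async Task<IActionResult> ApplyRenameAsync(int id, string displayName)
    {
        var customer = await _db.Customers.FindAsync(id);
        if (customer == null) return NotFound();
        customer.DisplayName = displayName;
        await _db.SaveChangesAsync();
        return Ok();
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<AppDbContext>(o =>
            o.UseSqlServer("Server=(localdb)\\mssqllocaldb;Database=Demo;Trusted_Connection=True"));
        // Defence in depth for CSRF: validate the antiforgery token on every POST/PUT/PATCH/DELETE action,
        // so an action that forgot [ValidateAntiForgeryToken] (RenameUnsafe above) is covered anyway.
        services.AddControllersWithViews(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
        services.AddHsts(o => o.MaxAge = TimeSpan.FromDays(365));
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Security misconfiguration: stack traces and connection strings in error pages only in Development.
        if (env.IsDevelopment()) app.UseDeveloperExceptionPage();
        else { app.UseExceptionHandler("/error"); app.UseHsts(); }
        // Transport protection: plain-HTTP requests are redirected to HTTPS, and HSTS keeps browsers there.
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseEndpoints(e => e.MapControllers());
    }
}
```

The two "unsafe" actions are kept only to show the pattern to look for in review: a string that reaches HTML or SQL without encoding or parameterization, and a state-changing POST with no antiforgery check. With the global AutoValidateAntiforgeryTokenAttribute filter in place, a missing per-action attribute no longer leaves a gap, which is the configuration a practitioner would ship.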
Having discussed the significance of web application security and the risks associated with it, let us delve into how we can implement it.
While there are several ways to implement web application security, we will be focusing on an ASP.NET Core Identity web application.
Why?
Because ASP.NET Core ships with a Data Protection stack, an API for encrypting and protecting data with cryptography. ASP.NET Core Identity is the membership system for ASP.NET Core apps: it adds registration and login functionality to an existing app, so users can create an account whose login information is stored by Identity.
Implementing security with ASP.NET Core entails the following aspects:
- AUTHENTICATION
- AUTHORIZATION
- CONFIDENTIALITY
- INTEGRITY
Authorization defines roles for specific jobs and assigns them to users; confidentiality and integrity are ensured by encrypting the channel and by digital signatures (or message authentication codes) respectively; authentication is what establishes that a user really is who they claim to be.
Classic ASP.NET (on the .NET Framework) allowed for four types of authentication:
- Windows authentication
- Passport authentication
- Custom authentication
- Forms authentication
But with advancing cybercrime these techniques proved insufficient for securing web applications (Passport has long been retired, and Forms authentication with the old Membership provider is hard to extend), which is when Microsoft introduced ASP.NET Identity as a replacement membership and authentication system, carried forward as ASP.NET Core Identity.
Why implement security with ASP.NET Core Identity?
- It supports external login providers, such as Facebook, Google, Microsoft and Twitter, for authenticating users.
- It allows custom password hashing: implement the IPasswordHasher<TUser> interface and register it, and the UserManager APIs use it whenever a password is stored or verified.
- It keeps the storage of identity information (users, roles, claims, external logins) separate from the code that implements security, so the store can be swapped without touching the application.
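The IPasswordHasher<TUser> extension point from the second bullet, as an added example that is not code from the article. The built-in PasswordHasher already uses PBKDF2-HMAC-SHA256 with a per-user random salt and is tunable through PasswordHasherOptions, so a custom hasher is only warranted when you must stay compatible with an existing hash format or want a different algorithm; the Pbkdf2PasswordHasher class, its storage format and its iteration count are assumptions here, and the code targets .NET 6 or later for Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Assumed user type; the hasher does not read any of its fields.
public class MyIdentityUser : IdentityUser { }

// Stored format (assumed, not Identity's own): "pbkdf2$<iterations>$<base64 salt>$<base64 hash>".
public sealed class Pbkdf2PasswordHasher : IPasswordHasher<MyIdentityUser>
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    // OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256; tune to your hardware.
    private const int Iterations = 600_000;

    public string HashPassword(MyIdentityUser user, string password)
    {
        if (password == null) throw new ArgumentNullException(nameof(password));
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);           // fresh salt per password
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"pbkdf2${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    public PasswordVerificationResult VerifyHashedPassword(MyIdentityUser user, string hashedPassword, string providedPassword)
    {
        if (hashedPassword == null || providedPassword == null) return PasswordVerificationResult.Failed;
        string[] parts = hashedPassword.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2" || !int.TryParse(parts[1], out int iterations) || iterations <= 0)
            return PasswordVerificationResult.Failed;       // unknown format: fail closed, never compare as plaintext
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[2]); expected = Convert.FromBase64String(parts[3]); }
        catch (FormatException) { return PasswordVerificationResult.Failed; }
        if (salt.Length == 0 || expected.Length == 0) return PasswordVerificationResult.Failed;

        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(providedPassword, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison: an early-exit == would leak how many leading bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(actual, expected)) return PasswordVerificationResult.Failed;

        // A hash made with fewer iterations still logs the user in, and UserManager re-hashes and stores it.
        return iterations < Iterations ? PasswordVerificationResult.SuccessRehashNeeded : PasswordVerificationResult.Success;
    }
}

public static class PasswordHasherRegistration
{
    // Identity registers its default PasswordHasher<TUser> with TryAdd, so this registration takes effect
    // whether it is called before or after AddIdentity().
    public static IServiceCollection AddPbkdf2PasswordHasher(this IServiceCollection services) =>
        services.AddScoped<IPasswordHasher<MyIdentityUser>, Pbkdf2PasswordHasher>();
}
```

Returning SuccessRehashNeeded rather than Success for older hashes is what lets you raise the iteration count later without a forced password reset: UserManager.CheckPasswordAsync sees that result, calls HashPassword again with the current parameters and persists the new value on the next successful login.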
Let’s break down implementing role-based security and user authentication through ASP.NET Core identity.
- Create a new ASP.NET Core project using the Empty project template:
With the latest version of Visual Studio, create an ASP.NET Core web application and select the Empty project template.
- Add the required NuGet packages:
NuGet packages are needed for ASP.NET Core Identity, ASP.NET Core MVC and Entity Framework Core (including the SQL Server provider and the EF Core tools). The Empty template does not reference them, so add them to the dependencies and tools sections of project.json (the early ASP.NET Core tooling; with current SDKs the same references go into the .csproj as PackageReference items).
- Create the Identity DbContext, user and role classes:
The Identity DbContext is how the application talks to the local SQL Server database, and it needs to know the user and role types it is dealing with. Additional properties such as full name and birth date can be added to the MyIdentityUser class. Once the user and role classes are ready, create the class derived from IdentityDbContext.
- Configure application startup:
Modify the ConfigureServices() and Configure() methods in Startup.cs. Startup loads appsettings.json, which holds the connection string for the database in which user accounts and other details are stored. ConfigureServices() calls AddDbContext() to add MyIdentityDbContext to the services collection and AddIdentity() to register Identity itself; Configure() calls UseIdentity() to add ASP.NET Core Identity to the request pipeline (in ASP.NET Core 2.0 and later this call is UseAuthentication(), followed by UseAuthorization() from 3.0 on).
- Create the RegisterViewModel and LoginViewModel classes:
These two view models hold the data entered by the user during registration and login and are used by the AccountController to perform registration, login and logout.
- Create AccountController:
Using the functionality of ASP.NET Core Identity, AccountController is responsible for creating user accounts and signing users in and out of the application. It has five actions: two Register() actions and two Login() actions (for each, a GET that shows the form and a POST that processes it) and one Logout() action.
- Create the Register and Login views:
These Razor views render the forms bound to the two view models.
- Create HomeController:
HomeController contains one secured action that builds a welcome message from the current user's name and role.
- Create the Index view:
The Index view displays the message and the role information supplied by HomeController.
- Create the database tables using the .NET EF Core migrations commands:
Open a command prompt in the project root folder and run the EF Core migration commands (dotnet ef migrations add, then dotnet ef database update) to create the database tables in which ASP.NET Core Identity stores user accounts and related information.
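The procedure above carried through in code, as an added example that is not the article's own source: user, role and DbContext classes, the two view models, Startup, AccountController and the secured HomeController action. The Razor views and appsettings.json are not shown; the "DefaultConnection" key, the role name "User" (assumed to be seeded already, for example with RoleManager at startup), the implicit usings of the Web SDK (System.Threading.Tasks, Microsoft.AspNetCore.Builder, Microsoft.Extensions.Configuration and DependencyInjection) and the ASP.NET Core 3.0-style pipeline are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Step 3: user, role and DbContext. FullName is one of the extra columns the article mentions.
public class MyIdentityUser : IdentityUser { public string FullName { get; set; } }
public class MyIdentityRole : IdentityRole { }
public class MyIdentityDbContext : IdentityDbContext<MyIdentityUser, MyIdentityRole, string>
{
    public MyIdentityDbContext(DbContextOptions<MyIdentityDbContext> options) : base(options) { }
}

// Step 5: view models. The attributes drive server-side validation; client-side checks can be bypassed.
public class RegisterViewModel
{
    [Required, EmailAddress] public string Email { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    [Required] public string FullName { get; set; }
}
public class LoginViewModel
{
    [Required, EmailAddress] public string Email { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
}

// Step 4: startup. "DefaultConnection" is an assumed key in appsettings.json.
public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<MyIdentityDbContext>(o =>
            o.UseSqlServer(_config.GetConnectionString("DefaultConnection")));
        // RequiredLength raises the weak default of 6; the lockout threshold slows online password guessing.
        services.AddIdentity<MyIdentityUser, MyIdentityRole>(o =>
            { o.Password.RequiredLength = 12; o.Lockout.MaxFailedAccessAttempts = 5; })
            .AddEntityFrameworkStores<MyIdentityDbContext>()
            .AddDefaultTokenProviders();
        services.AddControllersWithViews();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();   // the article's UseIdentity(), renamed in ASP.NET Core 2.0
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}

// Step 6: AccountController. Identity salts and hashes the password; the clear text is never stored.
public class AccountController : Controller
{
    private readonly UserManager<MyIdentityUser> _users;
    private readonly SignInManager<MyIdentityUser> _signIn;
    public AccountController(UserManager<MyIdentityUser> users, SignInManager<MyIdentityUser> signIn)
    { _users = users; _signIn = signIn; }

    [HttpGet] public IActionResult Register() => View();
    [HttpPost, ValidateAntiForgeryToken]   // the token check is the CSRF defence for every form post
    public async Task<IActionResult> Register(RegisterViewModel m)
    {
        if (!ModelState.IsValid) return View(m);
        var user = new MyIdentityUser { UserName = m.Email, Email = m.Email, FullName = m.FullName };
        var result = await _users.CreateAsync(user, m.Password);
        if (!result.Succeeded)
        {
            foreach (var e in result.Errors) ModelState.AddModelError("", e.Description);
            return View(m);
        }
        await _users.AddToRoleAsync(user, "User");   // least-privileged role; assumed to be seeded already
        await _signIn.SignInAsync(user, isPersistent: false);
        return RedirectToAction("Index", "Home");
    }

    [HttpGet] public IActionResult Login() => View();
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel m)
    {
        if (!ModelState.IsValid) return View(m);
        var result = await _signIn.PasswordSignInAsync(m.Email, m.Password, isPersistent: false, lockoutOnFailure: true);
        if (result.Succeeded) return RedirectToAction("Index", "Home");
        ModelState.AddModelError("", "Invalid login attempt.");   // one message for unknown user, bad password and lockout
        return View(m);
    }

    [HttpPost, ValidateAntiForgeryToken]   // POST, so a crafted link cannot log the victim out
    public async Task<IActionResult> Logout() { await _signIn.SignOutAsync(); return RedirectToAction("Login"); }
}

// Step 8: the secured action. Anonymous requests go to /Account/Login, Identity's default LoginPath.
public class HomeController : Controller
{
    [Authorize(Roles = "User,Administrator")]
    public IActionResult Index()
    {
        ViewBag.Message = $"Welcome, {User.Identity.Name}!";
        ViewBag.RoleMessage = User.IsInRole("Administrator") ? "Signed in as administrator." : "Signed in as user.";
        return View();
    }
}
```

For step 10, with the Microsoft.EntityFrameworkCore.Design package referenced and the dotnet-ef tool installed, `dotnet ef migrations add InitialIdentity` followed by `dotnet ef database update`, run from the project folder, creates the AspNetUsers, AspNetRoles and related tables (including the FullName column) that this context maps. Two checks worth making before shipping: the Login action returns the same error text for every failure so the login form cannot be used to enumerate accounts, and Logout is a POST guarded by the antiforgery token so it cannot be triggered by a link in an e-mail.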
Web application security should not be taken lightly. Minor negligence on the part of a developer, designer or system administrator can give cybercriminals easy access to all your sensitive information, weakening your organization's financial standing and reputation in the market. This is why implementing security through a current and coherent solution such as ASP.NET Core Identity is critical for any business, big or small.