Query Parameter SSL

URL contain a sensitive query parameter and stored in the browser history. Web application may be configured log the URL of all request. So, result is sensitive parameter is saved in the log.

Fix:

The solution to this problem requires two steps:

· If necessary then pass sensitive data. Once a user is authenticated with a session ID limited lifetime.

· Use non-persistent, session level cookies to hold session IDs and other private data.

The advantage of using session level cookies to carry this information:

· They are not stored in the browsers history or on the disk

· They are usually not stored in server logs

· They are not passed to embedded resources such as images or javascript libraries

. They only apply to the domain and path for which they were issued

Security terms Salt, Nonce, Rainbow

Salt

A new salt (form of encryption) is randomly generated for each password. Setting a salt and a password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database.

Nonce

Nonce is an arbitrary number used only once in a cryptographic communication. It is a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.

Rainbow

A rainbow table is a precomputed table. This table use for reversing cryptographic hash function, usually for cracking password hashes. Tables using for recover a plaintext password up to a certain length consisting of a limited set of characters. It take less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash.

Viewstate user key & Double submit cookie

CSRF Attack protection to all pages that inherit from the site.master page.

1. All web form pages data modification use the site.master page.

2. Al request data modification use Viewstste.

3. Website must be free from XSS vulnerabilities.

By using Microsoft . Net Protection Library

private const string AntiXsrfTokenKey = "__AntiXsrfToken";

private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";

private string _antiXsrfTokenValue;

protected void Page_Init(object sender, EventArgs e)

{

// The code below helps to protect against XSRF attacks

var requestCookie = Request.Cookies[AntiXsrfTokenKey];

Guid requestCookieGuidValue;

if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))

{

// Use the Anti-XSRF token from the cookie

_antiXsrfTokenValue = requestCookie.Value;

Page.ViewStateUserKey = _antiXsrfTokenValue;

}

else

{

// Generate a new Anti-XSRF token and save to the cookie

_antiXsrfTokenValue = Guid.NewGuid().ToString("N");

Page.ViewStateUserKey = _antiXsrfTokenValue;

var responseCookie = new HttpCookie(AntiXsrfTokenKey)

{

HttpOnly = true,

Value = _antiXsrfTokenValue

};

if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)

{

responseCookie.Secure = true;

}

Response.Cookies.Set(responseCookie);

}

Page.PreLoad += master_Page_PreLoad;

}

Anti-CSRF and AJAX

The Form token is make problem for AJAX request, Ajax is send the JASON data not a HTML form because of this form token not be validated in this form. So, the solution is send the token in a custom header in HTTP. Code use Razor syntax to generate the token, and add token in AJAX request. This token is generated by calling AntiForgery.GetTokens.

string cookieToken, formToken;

    Antiery.GetTokens(null, out cookieToken, out formToken);

    var responseCookie = new HttpCookie("__AJAXAntiXsrfToken")

    {

        HttpOnly = true,

        Value = cookieToken

    };

    if(FormsAuthentication.RequireSSL && HttpContext.Current.Request.IsSecureConnection)

    {

        responseCookie.Secure = true;

    }

    HttpContext.Current.Response.Cookies.Set(responseCookie);

    return formToken;

AntiForgery.Validate method validate the tokens and throws an exception if the tokens are not valid.

void ValidateRequestHeader(HttpRequestMessage request)

{

    string cookieToken = "";

    string formToken = "";

    IEnumerable<string> tokenHeaders;

    if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))

    {

        string[] tokens = tokenHeaders.First().Split(':');

        if (tokens.Length == 2)

        {

            cookieToken = tokens[0].Trim();

            formToken = tokens[1].Trim();

        }

    }

    AntiForgery.Validate(cookieToken, formToken);

}