Tuesday, July 15, 2014

Security in ASP.NET MVC

These are the points to be considered when looking at ASP.NET MVC security:
  • Authentication
  • Authorization
  • XSS
  • CSRF (Cross Site Request Forgery)

Authentication
When you authenticate a user, you are verifying the user's identity. There are two authentication mechanisms in MVC:
  • Forms Authentication: Forms-based authentication provides an input form where users enter a username and password, together with the logic in the application needed to validate those credentials.
  1. Forms Authentication in ASP.NET relies on cookies by default. Once the user has signed in to the application, the runtime issues a cookie to the browser. The browser then sends that cookie with every subsequent request to the application.
  2. SSL is required to make Forms Authentication secure. If you are running the application over plain HTTP, anybody snooping on the network can see the user's credentials and the authentication cookie.
  3. This is usually used in Internet applications.
  • Windows Authentication: Windows Authentication is also known as integrated authentication because components built in to the Windows operating system are used to authenticate users.
  1. Once a user is logged in to a domain, Windows can automatically authenticate them to the application.
  2. Windows Authentication is commonly used in intranet apps that run inside a company's firewall, where all of the users are logged in to a Windows domain.
  3. This is usually used in intranet applications.
[Figure: Forms Authentication]

[Figure: Windows Authentication]

Authorization
Authorization lets you define which users have access to which parts of the application. In ASP.NET MVC this is done with the Authorize attribute, which can be applied at the controller level or on individual actions.



Cross Site Scripting ( XSS)
In a cross-site scripting attack, malicious markup and script are entered into web pages that are viewed by other users. If proper care is not taken to filter or encode this malicious markup, the script is stored in the system and rendered on web pages. Depending on the script injected by the hacker, the damage can range from annoying popups to stolen credentials to access to data stored in cookies.
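The difference between encoded and raw output in a Razor view, as an added example that is not from the original post; it assumes a hypothetical Comment model with string properties Author and Body that are filled from user input:

```cshtml
@* Added example, not from the original post. Assumes a hypothetical Comment
   model with string properties Author and Body that come from user input. *@
@model IEnumerable<Comment>

<h2>Comments</h2>

@foreach (var comment in Model)
{
    <div class="comment">
        @* Safe: a Razor @ expression HTML-encodes its output. A Body such as
           <script>alert(1)</script> is written as &lt;script&gt;alert(1)&lt;/script&gt;,
           so the visitor sees the text of the tag but the browser never runs it. *@
        <p>@comment.Author wrote:</p>
        <p>@comment.Body</p>

        @* Unsafe: Html.Raw writes the string with no encoding at all, which is
           exactly the stored XSS case described above. Reserve it for markup the
           server itself produced, never for stored user input.
           <p>@Html.Raw(comment.Body)</p> *@
    </div>
}

@* HTML encoding is the wrong encoder inside a script block: a single quote in
   Author would end the string literal early. Encode for the JavaScript context
   instead; Html.Raw is acceptable here only because JavaScriptStringEncode has
   already made the value safe for that context. *@
<script>
    var commentCount = @Model.Count();
    var firstAuthor = '@Html.Raw(System.Web.HttpUtility.JavaScriptStringEncode(Model.Any() ? Model.First().Author : ""))';
</script>
```

Request validation in ASP.NET MVC also rejects form input that looks like markup by default; output encoding in the view is what still protects the page once that check is relaxed with [AllowHtml] or [ValidateInput(false)].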
