With the every new .NET Update, Microsoft proved the fact that .NET is the most powerful, versatile & complete framework available for developing Powerful Web, Desktop, Mobile & Cloud-based Applications. Unlike Desktop or Mobile Application, Web Application runs on a publicly available address that’s one of the reasons that Security of Web Application is more important. Although Asp.Net Core is developed with the best security practices, still there are some Vulnerabilities we need to fill before & after launching our ASP.NET Application.
In this Article, we’ll see some Security Holes in an ASP.NET Web Application & their possible solutions. Let’s start by list down some of the Important points for Securing our .NET Application.
Login Page is like a door for any Application. Consider an Application like Admin Panel, If an unauthorized person gets access to your application, he can control the whole system. So, your first step always should be to make your Login secure.
Here’re some Tips to secure the entry point of your Application.
Never use Usernames Like admin & Passwords like 12345 or your name. Anyone can judge it & bots will be able to judge such types of credentials even in a shorter time than human.
Brute Force Attacks are the most common type of Attacks that use different algorithms & try different Username or Passwords combinations to guess the login credentials. Also, so many login attempts can busy your server which can cause Denial of service (DoS) & downtime for the actual users of your Application.
Brute Force Attacks takes less time to guess simple Usernames & passwords but they can also guess complex combinations by trying every possibility.
So, How to Secure our Asp.Net Application from Brute Force Attacks?
Here’re some Tips to prevent Brute Force:
UseCaptcha on your Login Page because bots cannot fill Captcha.
Block IP temporary after some failed login attempts.
Avoid using common usernames like admin or user because Brute Force Algorithms maintain a database & try common usernames & passwords first.
Make your password really difficult to guess by including Alphabets(A-Z & a-z), Digits(0-9) & Special Characters(!, @, ., #, $, %, ^, &,* and more).
How to Implement the above Suggestions?
Above Suggestions are looking really difficult to implement for beginners Asp.Net Core developers but don’t worry, there is a great Library(HackerSpray) is available which will do the Job for you to secure you from Brute Force Attacks. Just simple configuration is required.
Asp.Net Core has many built-in libraries & tools to secure your applications. Authorization is also one of the great implementations by Microsoft which provides us with a complete Login & Signup setup following the best security practices.
Never send your sensitive data like password or credit card credentials in the actual form to the server for validation. Hackers can steal your data by sniffing it before sending to the server.
Always use a Hashing algorithm like md5 or SHA256 for Password & Encryption algorithm like AES or DES on Client Side. e.g. using jQuery
On login in an Asp.Net Core application, we keep some necessary data in Sessions for keeping user login until he logs out. In some apps, we set Session timeouts & sometimes we do not set Session timeout when user tick a checkbox on the login page that he wants to keep login.
At the same time, AspNetCore.Session cookie is added to the browser for keeping record of the Logged in user.
So, when we logout, we also need to remove the Cookies created by our application in the user’s browser because a Hacker can use that info for unauthorized login. This is also called a Session Fixation attack.
Almost every web application must have a Database for storing users data, most of the times Hackers attack Server for stealing users’ data. So Let say that you have stored the credentials of your users, like Passwords & Payment methods detail in your database in clear form. So anyone who gets unauthorized access to your Database can misuse users’ data.
So, always keep your sensitive data using Hashing or Encryption in your Database.
Audit Trails or Activity Logging is really important to be aware of what’s going on your Application. If someone is getting many failed login attempts then Admin must receive an Email about these failed login attempts.
let say a User creates new user or change the Roles of an Existing user, each & every activity should be logged in your Asp.net Core Application.
Some Exceptions can disclose important information about our application or sometimes It can even show a few lines of code to the end-user. Attackers are smart guys, they can use the information provided by our exception to crack the security of our Application.
So, before deploying your application in production mode, make sure that you have set your Custom Error page for all kinds of Exceptions & have done proper Error Logging in your Application.
In XSS Attacks, Hackers submit malicious scripts via Input Fields for stealing user’s credentials & other Important Data.
Let say that we have an Add product Form in our Application. Attacker Add a new product & in the product description field, he simply inserts a JavaScript snippet. When our application will display that product on the product page with description, Hackers malicious script will also run & he’ll get data for what he planned.
I have found the below Image on Cloudflare’s article about XSS. This will help you to understand XSS easily.
So, How to Secure our Asp.Net Core Application from Cross-Site Scripting Attacks?
you can secure your web application by following these Tips:
Use Regular Expressions on both Client & Server Side & only store validated data in your Database. HTML Encoding with Razor helps such scripts to execute. XXS can also be done using URL Encoding, So validate & Encode URL parameters using UrlEncoder. Here’s a great Article by Microsoft for Securing our app from XSS.
In every HTTP response from the server that we receive in return of our request sent from a browser, there’s always the version information in which application is developed. Such information makes the Attacker’s Job easier by saving time & targeting the specific .Net Version.
So, It’s necessary to throw more hurdles for Hackers & make it more difficult for him by hiding .Net Framework Version Information.
Here’s how to Hide .Net Core Version:
Remove X-Powered-By from your Response header.
NWebsec.AspNetCore.Middleware is a great Library for Securing headers.
Set AddServerHeader = false for removing Server: Kestrel header.
You can remove X-Powered-By using this simple snippet in your
[ValidateAntiForgeryToken] Attribute in your .Net Core Web APIs & might be possible that you have seen this Code asp-antiforgery=“true” in your cshtml File as well.
First, understand the CSRF then we’ll try to understand the purpose of the above tag & attribute.
Let say you are using the e-banking facility of your bank account for sending some money to your friend & suddenly you receive a link on FaceBook from a lady with a beautiful Display Picture. When you open that link It asks you to click here to earn $1000. You just click & because you are logged in & authorized to use your e-banking, that malicious link runs the script & send money from your account to Hacker’s Account.
The Below Image will help you to understand CSRF.
How to Secure your Application from CSRF?
asp-antiforgery=“true”generates an anti-forgery token & [ValidateAntiForgeryToken] validates on the server-side that if the Token is valid or not & secure us from Cross-Site Request Forgery.
Deserialization is the reverse of Serialization, which is the process of converting an object into streams of bytes. Serialization is always done on our server end for transferring or storing objects but we deserialize the data received in our application from different sources.
So, we can receive some harmful streams.
To protect our applications from such Attackers, we need to verify our data before & after deserialization.
Always keep your Framework & Libraries used in your project Updated. Never use outdated Libraries in your Project because Hackers keeps finding the Vulnerabilities in Frameworks & Libraries.
Check for updates for the NuGet packages used in your project & keep all packages updated.
Conclusion
Nothing is 100% secure, we have to make our application secure by following the best security practices. Although .Net Core is considered to be one of the most secure Framework but still we have to keep an eye on the activities on our application & take quick action in case of any malicious activity.
Thank you for reading my Article, I hope it will help you to make your Asp.Net Core app more secure.
I’ll be happy If you would like to give your Feedback in the comment section below.
I'm passionate about learning new technologies as well as mentoring and helping others get started with their programming career. This blog is my way of giving back to the Community.
