Improving Web Application Security: Threats and Countermeasures

Partial trust Web applications are applications that do not have full trust and have a restricted set of code access permissions determined by code access security policy. As a result, partial-trust applications are limited in their ability to access secured resources and perform other privileged operations. Certain permissions are denied to partial-trust applications, so resources requiring those permissions cannot be directly accessed. Other permissions are granted in a restricted way, so resources that require those permissions might be accessible, but in a limited way. For example, a restricted FileIOPermission might specify that the application can access the file system, but only in directories beneath the application's virtual directory root.

Why Partial Trust?

By configuring a Web application or Web service for partial trust, you can restrict the application's ability to access crucial system resources or resources that belong to other Web applications. By granting only the permissions that the application requires and no more, you can build least privileged Web applications and limit damage potential should the Web application be compromised by a code injection attack.

Problems You Might Encounter

If you take an existing Web application and reconfigure it to run at a partial-trust level, you are likely to run into the following issues, unless the application is extremely limited in the resources it accesses :

• Your application is unable to call strong named assemblies that are not annotated with AllowPartiallyTrustedCallersAttribute (APTCA). Without APTCA, strong named assemblies issue a demand for full trust, which will fail when the demand reaches your partial-trust Web application. Many system assemblies only support full-trust callers . The following list shows which .NET Framework assemblies support partial-trust callers and can be called directly by partial-trust Web applications without necessitating sandboxed wrapper assemblies.

  Note	Sandboxing is discussed in detail later in this chapter.

  The following system assemblies have APTCA applied, which means that they can be called by partial-trust Web applications or any partially trusted code:

  • System.Windows.Forms.dll

  • System.Drawing.dll

  • System.dll

  • Mscorlib.dll

  • IEExecRemote.dll

  • Accessibility.dll

  • Microsoft.VisualBasic.dll

  • System.XML.dll

  • System.Web.dll

  • System.Web.Services.dll

  • System.Data.dll

  If your partial-trust application fails because it calls a strong named assembly that is not marked with APTCA, a generic SecurityException is generated. In this circumstance, the exception contains no additional information to indicate that the call failed because of a failed demand for full trust.

• Permission demands might start to fail. The configured trust level might not grant the necessary permission for your application to access a specific resource type. The following are some common scenarios where this could prove problematic :

  • Your application uses the event log or registry. Partial trust Web applications do not have the necessary permissions to access these system resources. If your code does so, a SecurityException will be generated.

  • Your application uses the ADO.NET OLE DB data provider to access a data source. The OLE DB data provider requires full-trust callers.

  • Your application calls a Web service. Partial-trust Web applications have a restricted WebPermission , which affects the ability of the application to call Web services located on remote sites.