Improving Web Application Security: Threats and Countermeasures

Introduction

Table 1: Primary Technologies Addressed by This Guide

Table 2: Newsgroups

Fast Track How To Implement the Guidance

Table 1: Network Security Elements

Table 2: Application Vulnerability Categories

Table 3: SecurityChecklist

Table 4: RACIChart

Chapter 1: Web Application Security Fundamentals

Table 1.1: Network Component Categories

Table 1.2: Rationale for Host Configuration Categories

Table 1.3: Application Vulnerability Categories

Table 1.4: Summary of Core Security Principles

Chapter 2: Threats and Countermeasures

Table 2.1: STRIDE Threats and Countermeasures

Table 2.2: Threats by Application Vulnerability Category

Chapter 3: Threat Modeling

Table 3.1: Implementation Technologies

Table 3.2: Creating a Security Profile

Table 3.3: Code Injection Attack Pattern

Table 3.4: Threat 1

Table 3.5: Threat 2

Table 3.6: Thread Rating Table

Table 3.7: DREAD rating

Table 3.8: Threat 1

Chapter 4: Design Guidelines for Secure Web Applications

Table 4.1: Web Application Vulnerabilities and Potential Problem Due to Bad Design

Table 4.2: Design Guidelines for Your Application

Chapter 5: Architecture and Design Review for Security

Table 5.1: Common Input Validation Vulnerabilities

Table 5.2: Common Authentication Vulnerabilities

Table 5.3: Common Authorization Vulnerabilities

Table 5.4: Common Configuration Management Vulnerabilities

Table 5.5: Common Vulnerabilities with Handling Sensitive Data

Table 5.6: Common Session Management Vulnerabilities

Table 5.7: Common Cryptography Vulnerabilities

Table 5.8: Common Parameter Manipulation Vulnerabilities

Table 5.9: Common Exception Management Vulnerabilities

Table 5.10: Common Auditing and Logging Vulnerabilities

Chapter 6: .NET Security Overview

Table 6.1: Principal and Identity Objects Per Authentication Type

Table 6.2: Permission Types Within the System.Security.Permissions Namespace

Chapter 7: Building Secure Assemblies

Table 7.1: A Comparison of Strong Names and Authenticode Signatures

Chapter 8: Code Access Security in Practice

Table 8.1: Secure Resources and Associated Permissions

Table 8.2: Privileged Operations and Associated Permissions

Chapter 9: Using Code Access Security with ASP.NET

Table 9.1: Restrictions Imposed by the ASP.NET Trust Levels

Table 9.2: ASP.NET Code Access Security Policy Substitution Parameters

Table 9.3: Default ASP.NET Policy Permissions and Trust Levels

Chapter 10: Building Secure ASP.NET Pages and Controls

Table 10.1: Options for Constraining and Sanitizing Data

Table 10.2: Useful Regular Expression Fields

Chapter 11: Building Secure Serviced Components

Table 11.1: Impersonation Levels

Chapter 12: Building Secure Web Services

Table 12.1: XSD Schema Element Examples

Chapter 14: Building Secure Data Access

Table 14.1: Code Access Security Permissions Required by ADO.NET Data Providers

Chapter 15: Securing Your Network

Table 15.1: Commonly Used ICMP Messages

Table 15.2: Source Addresses That Should be Filtered

Table 15.3: Snapshot of a Secure Network

Chapter 16: Securing Your Web Server

Table 16.1: IIS Installation Defaults

Table 16.2: NET Framework Installation Defaults

Table 16.3: Password Policy Default and Recommended Settings

Table 16.4: Snapshot of a Secure Web Server

Table 16.5: Security Notification Services

Table 16.6: Industry Security Notification Services

Chapter 17: Securing Your Application Server

Table 17.1: Enterprise Services Components

Table 17.2: NET Framework Enterprise Services Tools and Configuration Settings

Table 17.3: Enterprise Services Application Authentication Levels

Chapter 18: Securing Your Database Server

Table 18.1: SQL Server Installation Defaults

Table 18.2: Items Not to Install During Custom Installation

Table 18.3: Password Policy Default and Recommended Settings

Table 18.4: NTFS Permissions for SQL Server Service Account

Table 18.5: Snapshot of a Secure Database Server

Table 18.6: Security Notification Services

Table 18.7: Industry Security Notification Services

Chapter 19: Securing Your ASP.NET Application and Web Services

Table 19.1: Configuration File Locations

Table 19.2: Applying Configuration Settings

Table 19.3: Required NTFS Permissions for ASP.NET Process Accounts

Table 19.4: Snapshot of a Secure ASP.NET Application Configuration

Chapter 20: Hosting Multiple Web Applications

Table 20.1: Application Isolation Features for Windows 2000 and Windows Server 2003

Table 20.2: Components of the Windows 2000 ASP.NET Architecture

Table 20.3: Components of the Windows Server 2003 ASP.NET Architecture

Chapter 21: Code Review

Table 21.1: Possible Sources of Input

Table 21.2: Character Representation

Table 21.3: Dangerous Permissions

Chapter 22: Deployment Review

Table 22.1: Source Addresses that Should Be Filtered

How To: Harden the TCP/IP Stack

Table 1: Recommended Values

Table 2: Recommended Values

Table 3: Recommended Values

Table 4: Recommended Values

Table 5: Recommended Values

How To: Secure Your Developer Workstation

Table 6: Configuration: Categories