A Complete Guide to Secure your ASP.NET Web Application & API
Shehryar Khan
July 18, 2022

Table of Contents

  • Make your Login more secure
  • Always submit sensitive data using Encryption
  • Don’t forget to clear Cookies when logout
  • Always use SSL
  • Never keep sensitive data in clear form in your Database
  • Audit Trails or Logging is also Important
  • Never display original Technical error to the End User
  • Cross-Site Scripting (XSS)
  • Try to Hide your .Net Version
  • Cross-Site Request Forgery
  • LINQ can protect from SQL Injection
  • Streams Deserialization can be tampered with
  • Always keep your Framework & Libraries Updated

With every new .NET update, Microsoft proves that .NET is the most powerful, versatile and complete framework available for developing web, desktop, mobile and cloud-based applications. Unlike a desktop or mobile application, a web application runs on a publicly reachable address, which is one reason the security of a web application is more important. Although ASP.NET Core is developed with the best security practices, there are still some vulnerabilities we need to close before and after launching our ASP.NET application.

In this article, we'll look at some security holes in an ASP.NET web application and their possible solutions. Let's start by listing some of the important points for securing our .NET application.

Make your Login more secure

The login page is like the door of any application. Consider an application like an admin panel: if an unauthorized person gets access to it, they can control the whole system. So your first step should always be to make your login secure.


Here are some tips to secure the entry point of your application.

Use Complex Login Credentials

Never use usernames like admin or passwords like 12345 or your own name. Anyone can guess them, and bots will guess such credentials even faster than a human can.

Secure Your Login from Brute Force attacks

Brute force attacks are the most common type of attack: they use different algorithms to try many username and password combinations until the login credentials are guessed. A large number of login attempts can also keep your server busy, causing denial of service (DoS) and downtime for the real users of your application.

Brute force attacks take less time to guess simple usernames and passwords, but they can also guess complex combinations by trying every possibility.

So, how do we secure our ASP.NET application from brute force attacks?

Here are some tips to prevent brute force attacks:

  • Use a CAPTCHA on your login page, because bots cannot solve a CAPTCHA.
  • Temporarily block an IP address after a number of failed login attempts.
  • Avoid common usernames like admin or user, because brute force tools keep a database and try common usernames and passwords first.
  • Make your password really difficult to guess by including letters (A-Z and a-z), digits (0-9) and special characters (!, @, ., #, $, %, ^, &, * and more).

How to Implement the above Suggestions?

The above suggestions may look really difficult for beginner ASP.NET Core developers to implement, but don't worry: there is a great library, HackerSpray, that will do the job of protecting you from brute force attacks. Only a simple configuration is required.

Always use .Net Core Identity Feature

ASP.NET Core has many built-in libraries and tools to secure your applications. Identity is also one of Microsoft's great implementations: it provides us with a complete login and signup setup that follows the best security practices.
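As an added example (not the article's own code), here is how ASP.NET Core Identity enforces the lockout and password-complexity tips from the brute force section above without any extra library; AppDbContext, AccountController and the "Default" connection string name are assumptions:

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("Default")));
builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    // Lockout: block the account for a while after repeated failures, which slows brute force down.
    options.Lockout.AllowedForNewUsers = true;
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    // Password rules matching the tips above: both letter cases, digits and special characters.
    options.Password.RequiredLength = 12;
    options.Password.RequireUppercase = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireDigit = true;
    options.Password.RequireNonAlphanumeric = true;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();
builder.Services.AddControllersWithViews();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

public class AppDbContext : IdentityDbContext<IdentityUser>   // assumed EF Core context with the Identity tables
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signIn;
    public AccountController(SignInManager<IdentityUser> signIn) => _signIn = signIn;
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, bool rememberMe)
    {
        // lockoutOnFailure: true is what makes a failed attempt count towards MaxFailedAccessAttempts.
        var result = await _signIn.PasswordSignInAsync(userName, password, rememberMe, lockoutOnFailure: true);
        if (result.IsLockedOut) return View("Lockout");   // tell the user to wait, not which part was wrong
        if (!result.Succeeded) return View("Login");      // same generic message for unknown user or bad password
        return RedirectToAction("Index", "Home");
    }
}
```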

Always submit sensitive data using Encryption

Never send sensitive data like passwords or credit card details to the server in their original form for validation. Hackers can steal your data by sniffing it before it reaches the server.

Always use a hashing algorithm like MD5 or SHA256 for passwords, and an encryption algorithm like AES or DES, on the client side, e.g. using jQuery.


Don’t forget to clear Cookies when logout

On login in an ASP.NET Core application, we keep some necessary data in the session to keep the user logged in until they log out. In some apps we set a session timeout, and sometimes we set none when the user ticks a checkbox on the login page saying they want to stay logged in.

At the same time, an AspNetCore.Session cookie is added to the browser to keep track of the logged-in user.


So, when we log out, we also need to remove the cookies our application created in the user's browser, because a hacker can use that information for an unauthorized login. This is also called a session fixation attack.
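A logout action that does all of this, added here as an example rather than taken from the article; AccountController is an assumed name and the cookie name is the ASP.NET Core default:

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // Logout is a POST with an antiforgery token so that a plain link on another site
    // cannot log the user out (or, worse, swap their session for someone else's).
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        // 1. Remove the authentication cookie (.AspNetCore.Cookies by default).
        //    With Identity, _signInManager.SignOutAsync() does the same.
        await HttpContext.SignOutAsync();

        // 2. Wipe server-side session state so the old session ID is worthless.
        HttpContext.Session.Clear();

        // 3. Delete the session cookie and every other cookie the app set, so nothing
        //    usable is left in the browser after logout.
        Response.Cookies.Delete(".AspNetCore.Session");
        foreach (var name in Request.Cookies.Keys)
        {
            Response.Cookies.Delete(name);
        }

        // 4. Stop the browser from serving the logged-in pages from its cache.
        Response.Headers["Cache-Control"] = "no-cache, no-store, must-revalidate";
        Response.Headers["Pragma"] = "no-cache";

        return RedirectToAction("Login");
    }
}
```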

Always use SSL

SSL stands for Secure Sockets Layer. It encrypts the communication between the client and server side using a very strong key.

So, in the Startup.cs of your ASP.NET Core application, you can configure cookies to always use the secure policy.
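The Startup.cs settings that do this, as an added example (not the article's own code): every cookie, including the session cookie from the previous section, is marked Secure, and HTTP requests are redirected to HTTPS with HSTS enabled.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Every Set-Cookie the app emits gets Secure, HttpOnly and SameSite=Strict.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.Secure = CookieSecurePolicy.Always;      // never sent over plain HTTP
            options.HttpOnly = HttpOnlyPolicy.Always;        // not readable from JavaScript
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
        });

        // The session cookie gets the same treatment explicitly.
        services.AddSession(options =>
        {
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.HttpOnly = true;
            options.IdleTimeout = TimeSpan.FromMinutes(20);
        });

        // HSTS tells browsers to use HTTPS for this host for a year, including subdomains.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
        });

        services.AddControllersWithViews();
    }
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment())
            app.UseHsts();                 // Strict-Transport-Security header (not on localhost)
        app.UseHttpsRedirection();         // redirect http:// requests to https://
        app.UseCookiePolicy();             // applies the policy above to every cookie
        app.UseSession();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```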


Never keep sensitive data in clear form in your Database

Almost every web application has a database for storing user data, and most of the time hackers attack the server to steal users' data. Let's say you have stored your users' credentials, like passwords and payment method details, in your database in clear form. Anyone who gets unauthorized access to your database can then misuse that data.

So, always store your sensitive data in your database hashed or encrypted.
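An added example (not from the article) showing the two different treatments: passwords are hashed one-way with ASP.NET Core's PasswordHasher, while card numbers that must be read back are encrypted with the Data Protection API. AppUser, SensitiveDataService, the purpose string and the test values are constructed for this example.

```csharp
using System;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;

public class AppUser
{
    public string Email { get; set; } = "";
    public string PasswordHash { get; set; } = "";   // stored instead of the password
}

public class SensitiveDataService
{
    private readonly PasswordHasher<AppUser> _hasher = new();
    private readonly IDataProtector _cardProtector;

    public SensitiveDataService(IDataProtectionProvider provider)
    {
        // The purpose string isolates these keys: a protector created for another
        // purpose cannot unprotect card numbers.
        _cardProtector = provider.CreateProtector("Billing.CardNumber.v1");
    }

    // Passwords: one-way. PasswordHasher produces a salted, iterated PBKDF2 hash
    // with a version byte, so the algorithm can be upgraded later.
    public void SetPassword(AppUser user, string clearPassword) =>
        user.PasswordHash = _hasher.HashPassword(user, clearPassword);

    public bool CheckPassword(AppUser user, string attempt) =>
        _hasher.VerifyHashedPassword(user, user.PasswordHash, attempt)
            is PasswordVerificationResult.Success or PasswordVerificationResult.SuccessRehashNeeded;

    // Card numbers: reversible, because the app must read them back when charging.
    public string ProtectCard(string cardNumber) => _cardProtector.Protect(cardNumber);
    public string UnprotectCard(string stored) => _cardProtector.Unprotect(stored);

    public static void Main()
    {
        // Stand-alone provider for the demo; in a web app inject IDataProtectionProvider.
        var svc = new SensitiveDataService(DataProtectionProvider.Create("security-demo"));
        var user = new AppUser { Email = "alice@example.com" };
        svc.SetPassword(user, "Correct-Horse-Battery-9");
        Console.WriteLine(user.PasswordHash.StartsWith("AQAAAA"));  // True: versioned hash, not the password
        Console.WriteLine(svc.CheckPassword(user, "wrong"));         // False
        Console.WriteLine(svc.CheckPassword(user, "Correct-Horse-Battery-9")); // True
        string stored = svc.ProtectCard("4111111111111111");         // constructed test card number
        Console.WriteLine(stored == "4111111111111111");             // False: ciphertext in the database
        Console.WriteLine(svc.UnprotectCard(stored));                // 4111111111111111
    }
}
```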

Audit Trails or Logging is also Important

Audit trails or activity logging are really important for being aware of what's going on in your application. If someone is generating many failed login attempts, the admin must receive an email about them.

Let's say a user creates a new user or changes the roles of an existing user: each and every such activity should be logged in your ASP.NET Core application.


Never display original Technical error to the End User

Some exceptions can disclose important information about our application, and sometimes they can even show a few lines of code to the end user. Attackers are smart: they can use the information provided by our exceptions to break the security of our application.

So, before deploying your application in production mode, make sure that you have set a custom error page for all kinds of exceptions and have done proper error logging in your application.
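One way to set this up, added as an example and not taken from the article: the developer exception page stays on developer machines only, while production re-executes the pipeline at a generic error page that logs the full exception under a trace id and shows the user nothing else. ErrorController and the "Error" view name are assumptions.

```csharp
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();                   // stack traces only on a developer machine
}
else
{
    app.UseExceptionHandler("/Error");                 // unhandled exception -> re-execute at /Error
    app.UseStatusCodePagesWithReExecute("/Error/{0}"); // 404, 403 ... get a friendly page too
    app.UseHsts();
}
app.UseHttpsRedirection();
app.MapDefaultControllerRoute();
app.Run();

public class ErrorController : Controller
{
    private readonly ILogger<ErrorController> _logger;
    public ErrorController(ILogger<ErrorController> logger) => _logger = logger;

    [Route("/Error"), Route("/Error/{statusCode:int}")]
    [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
    public IActionResult Index(int? statusCode)
    {
        var feature = HttpContext.Features.Get<IExceptionHandlerPathFeature>();
        if (feature?.Error is { } ex)
        {
            // Full detail goes to the log, correlated by trace id, never to the browser.
            _logger.LogError(ex, "Unhandled exception at {Path} (trace {TraceId})",
                feature.Path, HttpContext.TraceIdentifier);
        }
        ViewData["StatusCode"] = statusCode ?? 500;
        ViewData["TraceId"] = HttpContext.TraceIdentifier;   // the only detail shown to the user
        return View("Error");                                  // generic "Something went wrong" view
    }
}
```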


Cross-Site Scripting (XSS)

In XSS attacks, hackers submit malicious scripts via input fields to steal users' credentials and other important data.

Let's say we have an Add Product form in our application. The attacker adds a new product and, in the product description field, simply inserts a JavaScript snippet. When our application displays that product on the product page with its description, the hacker's malicious script also runs, and he gets the data he planned for.

I found the image below in Cloudflare's article about XSS. It will help you understand XSS easily.

[Image from Cloudflare's article on XSS]

So, how do we secure our ASP.NET Core application from cross-site scripting attacks?

You can secure your web application by following these tips:

Use regular expressions on both the client and server side, and only store validated data in your database. Razor's HTML encoding prevents such scripts from executing. XSS can also be done using URL encoding, so validate and encode URL parameters using UrlEncoder. Microsoft has a great article on securing our app from XSS.
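The product-description case above, worked through as an added example (not the article's code): server-side validation with DataAnnotations, then encoding for the HTML and URL contexts with the same encoders Razor uses. Product, XssDefense and the hostile input are constructed here.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.Encodings.Web;

public class Product
{
    [Required, StringLength(50)]
    [RegularExpression(@"^[\p{L}\p{N} .,'()-]+$",     // whitelist: letters, digits, basic punctuation
        ErrorMessage = "Name contains characters that are not allowed.")]
    public string Name { get; set; } = "";

    [Required, StringLength(2000)]
    public string Description { get; set; } = "";
}

public static class XssDefense
{
    // Server-side validation: the same rules the client enforces, re-checked here
    // because a client-side check is trivially bypassed.
    public static List<ValidationResult> Validate(Product p)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(p, new ValidationContext(p), results, validateAllProperties: true);
        return results;
    }

    // HTML context: this is what Razor does for @Model.Description (but not for @Html.Raw).
    public static string ForHtml(string value) => HtmlEncoder.Default.Encode(value);

    // URL context: a value placed in a query string needs URL encoding, not HTML encoding.
    public static string SearchLink(string term) => "/products?q=" + UrlEncoder.Default.Encode(term);

    public static void Main()
    {
        var hostile = new Product          // constructed input of the kind described above
        {
            Name = "Widget <script>",       // rejected by the whitelist regex
            Description = "<img src=x onerror=\"alert(document.cookie)\">"
        };
        foreach (var r in Validate(hostile)) Console.WriteLine("rejected: " + r.ErrorMessage);

        // Even if markup reaches the database, output encoding turns it into inert text:
        Console.WriteLine(ForHtml(hostile.Description));
        // &lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;
        Console.WriteLine(SearchLink("a&b=<c>"));    // /products?q=a%26b%3D%3Cc%3E
    }
}
```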

Try to Hide your .Net Version

Every HTTP response the server returns to a request sent from a browser carries information about the version of the framework the application is developed in. Such information makes the attacker's job easier by saving time and letting him target the specific .NET version.

So, it's necessary to put more hurdles in the hacker's way and make it more difficult for him by hiding the .NET Framework version information.

Here's how to hide the .NET Core version:

  • Remove X-Powered-By from your response headers.
  • NWebsec.AspNetCore.Middleware is a great library for securing headers.
  • Set AddServerHeader = false to remove the Server: Kestrel header.

You can remove X-Powered-By using this simple snippet in your web.config:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>
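The Kestrel side of the list above, as an added example (not from the article): Program.cs with AddServerHeader switched off plus a small middleware adding common hardening headers; the NWebsec calls in the comment are the package's equivalent.

```csharp
var builder = WebApplication.CreateBuilder(args);

// Kestrel adds "Server: Kestrel" to every response unless told not to.
builder.WebHost.ConfigureKestrel(options => options.AddServerHeader = false);

var app = builder.Build();

app.Use(async (context, next) =>
{
    // OnStarting runs just before the first byte of the response is written,
    // so headers can still be added or removed after MVC has run.
    context.Response.OnStarting(() =>
    {
        var headers = context.Response.Headers;
        // X-Powered-By is appended by IIS after the app pipeline has finished, so the
        // web.config <remove> above is the fix for that header; Kestrel alone never sends it.
        headers["X-Content-Type-Options"] = "nosniff";   // no MIME sniffing of responses
        headers["X-Frame-Options"] = "DENY";             // no framing by other sites
        headers["Referrer-Policy"] = "no-referrer";      // do not leak URLs to other sites
        return Task.CompletedTask;
    });
    await next();
});

// Same headers via NWebsec.AspNetCore.Middleware instead of the manual middleware:
// app.UseXContentTypeOptions();
// app.UseXfo(options => options.Deny());
// app.UseReferrerPolicy(options => options.NoReferrer());

app.MapGet("/", () => "hello");
app.Run();
```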

Cross-Site Request Forgery

Do you know the purpose of the [ValidateAntiForgeryToken] attribute in your .NET Core web APIs? You may also have seen asp-antiforgery="true" in your cshtml files.

First, let's understand CSRF; then we'll look at the purpose of the tag and attribute above.

Let's say you are using your bank's e-banking facility to send some money to a friend, and suddenly you receive a link on Facebook from a lady with a beautiful display picture. When you open that link, it asks you to click here to earn $1000. You click, and because you are logged in and authorized to use your e-banking, that malicious link runs its script and sends money from your account to the hacker's account.

The image below will help you understand CSRF.

[Image: CSRF illustration]

How to Secure your Application from CSRF?

asp-antiforgery="true" generates an anti-forgery token, and [ValidateAntiForgeryToken] validates on the server side whether the token is valid, securing us from cross-site request forgery.
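Both cases the article mentions, Razor forms and web APIs, in one added example that is not the article's own code; BankController, the token endpoint path and the header name are assumptions:

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews(options =>
{
    // Validate the token on every unsafe method (POST, PUT, PATCH, DELETE) globally,
    // so forgetting [ValidateAntiForgeryToken] on one action is not a hole.
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});
builder.Services.AddAntiforgery(options =>
{
    options.HeaderName = "X-CSRF-TOKEN";                      // how JavaScript/API clients send it
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// API case: a logged-in single-page app calls this once; GetAndStoreTokens sets the
// cookie half and returns the request half, which the app echoes in X-CSRF-TOKEN.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    return Results.Ok(new { token = tokens.RequestToken });
}).RequireAuthorization();

app.MapDefaultControllerRoute();
app.Run();

public class BankController : Controller
{
    // Form case: the view uses <form asp-action="Transfer" asp-antiforgery="true">, which
    // renders a hidden __RequestVerificationToken input paired with the antiforgery cookie.
    [HttpPost, ValidateAntiForgeryToken]   // explicit here; the global filter already covers it
    public IActionResult Transfer(string toAccount, decimal amount)
    {
        // A form posted from another site cannot supply the matching hidden field, so the
        // request is rejected with 400 Bad Request before this method runs.
        return RedirectToAction("Index", "Home");
    }
}
```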

LINQ can protect from SQL Injection

SQL injection has been one of the most commonly used tricks to harm users' data for years.

In this technique, the attacker puts a condition or special characters into an input field, which changes the execution of the whole query.

Here's an example to help you understand what SQL injection is.

[Image: SQL injection example]

How do we secure our ASP.NET Core application from SQL injection?

Here are some tips:

  • Use Entity Framework Core.
  • Always use parameterized queries.
  • Always validate your inputs on the server side.
  • Use stored procedures.
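The vulnerable pattern next to the three parameterized forms from the list above, as an added example rather than the article's code; User, AppDbContext and the Users table are assumptions:

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.Data.SqlClient;
using Microsoft.EntityFrameworkCore;

public class User { public int Id { get; set; } public string Name { get; set; } = ""; }

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}

public static class UserQueries
{
    // VULNERABLE: the input is spliced into the SQL text, so a value containing a quote
    // can close the string literal and change the rest of the WHERE clause.
    // Note that FromSqlRaw($"... '{name}'") is exactly as bad: $ builds the string first.
    public static List<User> FindUnsafe(AppDbContext db, string name) =>
        db.Users.FromSqlRaw("SELECT * FROM Users WHERE Name = '" + name + "'").ToList();

    // SAFE 1: LINQ. EF Core translates the expression into SQL with a parameter.
    public static List<User> FindLinq(AppDbContext db, string name) =>
        db.Users.Where(u => u.Name == name).ToList();

    // SAFE 2: raw SQL with interpolation. FromSqlInterpolated receives a FormattableString
    // and turns each {name} into a DbParameter; the text of name never enters the query.
    public static List<User> FindInterpolated(AppDbContext db, string name) =>
        db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}").ToList();

    // SAFE 3: plain ADO.NET with an explicit typed parameter, the same shape used to
    // call a stored procedure (CommandType.StoredProcedure) with parameters.
    public static int CountAdo(string connectionString, string name)
    {
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add(new SqlParameter("@name", System.Data.SqlDbType.NVarChar, 100) { Value = name });
        conn.Open();
        return (int)cmd.ExecuteScalar()!;
    }
}
```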

Streams Deserialization can be tampered with

Deserialization is the reverse of serialization, which is the process of converting an object into a stream of bytes. Serialization is always done on our server side for transferring or storing objects, but we deserialize data received by our application from different sources.

So, we can receive some harmful streams.

To protect our applications from such attacks, we need to verify our data both before and after deserialization.
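An added example (not from the article) of the "before and after" checks for untrusted JSON with System.Text.Json: a size bound before parsing, strict parser options, and DataAnnotations validation of the resulting object. TransferRequest and the payloads are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Text.Json;
using System.Text.Json.Serialization;

public class TransferRequest
{
    [Required, StringLength(34, MinimumLength = 8)]
    public string ToAccount { get; set; } = "";
    [Range(0.01, 10_000)]
    public decimal Amount { get; set; }
}

public static class SafeDeserializer
{
    private static readonly JsonSerializerOptions Options = new(JsonSerializerDefaults.Web)
    {
        MaxDepth = 8,                                                   // bound nesting (default is 64)
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,   // .NET 8+: unknown fields are an error
        NumberHandling = JsonNumberHandling.Strict,                     // "amount": "50" is rejected
    };

    public static TransferRequest Parse(string json)
    {
        // Before deserializing: bound the size so a huge body cannot exhaust memory.
        if (json.Length > 4096) throw new InvalidOperationException("payload too large");

        var request = JsonSerializer.Deserialize<TransferRequest>(json, Options)
                      ?? throw new InvalidOperationException("empty payload");

        // After deserializing: a well-formed document can still carry bad values.
        var errors = new List<ValidationResult>();
        if (!Validator.TryValidateObject(request, new ValidationContext(request), errors, true))
            throw new ValidationException(string.Join("; ", errors.Select(e => e.ErrorMessage)));
        return request;
    }
    public static void Main()
    {
        // Constructed payloads. Never feed untrusted input to BinaryFormatter: it is
        // obsolete (SYSLIB0011) precisely because the stream controls which types are created.
        Console.WriteLine(Parse("{\"toAccount\":\"GB00TEST12345678\",\"amount\":50}").Amount);   // 50
        try { Parse("{\"toAccount\":\"GB00TEST12345678\",\"amount\":50,\"isAdmin\":true}"); }
        catch (JsonException e) { Console.WriteLine("rejected: " + e.Message); }               // unmapped member
        try { Parse("{\"toAccount\":\"GB00TEST12345678\",\"amount\":-5}"); }
        catch (ValidationException e) { Console.WriteLine("rejected: " + e.Message); }         // Amount out of range
    }
}
```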

Always keep your Framework & Libraries Updated

Always keep the framework and libraries used in your project updated. Never use outdated libraries in your project, because hackers keep finding vulnerabilities in frameworks and libraries.

Check for updates to the NuGet packages used in your project and keep all packages updated.

Conclusion

Nothing is 100% secure; we have to make our application secure by following the best security practices. Although .NET Core is considered one of the most secure frameworks, we still have to keep an eye on the activity in our application and take quick action in case of anything malicious.

Thank you for reading my article. I hope it will help you make your ASP.NET Core app more secure.

I'll be happy if you leave your feedback in the comment section below.
