With every new .Net Core update, Microsoft has shown that .Net Core is the most powerful, versatile & complete framework available for developing powerful Web, Desktop, Mobile & Cloud-based Applications. Unlike a Desktop or Mobile Application, a Web Application runs on a publicly reachable address, which is one reason the Security of a Web Application matters more. Although Asp.Net Core is developed with the best security practices, there are still some Vulnerabilities we need to close before & after launching our Asp.Net Core Application.
In this Article, we'll look at some Security Holes in an Asp.Net Core Web Application & their possible solutions. Let's start by listing some of the Important points for Securing our .Net Core Application.
- Make your Login more secure
- Always submit sensitive data using Encryption
- Don’t forget to clear Cookies when logout
- Always use SSL
- Never keep sensitive data in clear form in your Database
- Audit Trails or Logging is also Important
- Never display original Technical error to the End-User
- Cross-Site Scripting (XSS)
- Try to Hide your .Net Core Version
- Cross-Site Request Forgery (CSRF)
- LINQ can protect from SQL Injection
- Stream Deserialization can be tampered with
- Always keep your Framework & Libraries Updated
1. Make your Login more secure
The Login Page is like a door for any Application. Consider an Application like an Admin Panel: if an unauthorized person gets access to it, he can control the whole system. So, your first step should always be to make your Login secure.
Here are some Tips to secure the entry point of your Application.
Use Complex Login Credentials
Never use Usernames like admin & Passwords like 12345 or your name. Anyone can guess them, & bots will guess such credentials even faster than a human.
Secure Your Login from Brute Force attacks
Brute Force Attacks are the most common type of Attack; they use different algorithms & try different Username or Password combinations to guess the login credentials. Also, so many login attempts can keep your server busy, which can cause Denial of Service (DoS) & downtime for the actual users of your Application.
Brute Force Attacks take less time to guess simple Usernames & passwords, but they can also guess complex combinations by trying every possibility.
So, how do we Secure our Asp.Net Application from Brute Force Attacks?
Here are some Tips to prevent Brute Force:
- Use a Captcha on your Login Page because bots cannot fill in a Captcha.
- Block the IP temporarily after some failed login attempts.
- Avoid using common usernames like user because Brute Force Algorithms maintain a database & try common usernames & passwords first.
- Make your password really difficult to guess by including Letters (A-Z & a-z), Digits (0-9) & Special Characters (!, @, ., #, $, %, ^, &, * and more).
How to Implement the above Suggestions?
The above Suggestions may look difficult to implement for beginner Asp.Net Core developers, but don't worry: there is a great Library (HackerSpray) available which will do the job of securing you from Brute Force Attacks. Just a simple configuration is required.
Always use .Net Core Identity Feature
Asp.Net Core has many built-in libraries & tools to secure your applications. Asp.Net Core Identity is also one of the great implementations by Microsoft; it provides us with a complete Login & Signup setup following the best security practices.
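The lockout and password-complexity tips above, and the Identity feature just mentioned, can be wired up together without a third-party library. The following is an added example written for this article, not code from the original post or from HackerSpray; it assumes the ApplicationUser and ApplicationDbContext classes that the standard Identity project template generates.

```csharp
// Added example: ASP.NET Core Identity configured to lock an account after repeated
// failures and to enforce a complex password. ApplicationUser / ApplicationDbContext
// are assumed to come from the Identity project template.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class IdentitySetup
{
    // Call this from Startup.ConfigureServices.
    public static void ConfigureIdentity(IServiceCollection services)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            // Temporarily block the account after a few failed attempts (tip 2 above).
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);

            // Require letters, digits and special characters (tip 4 above).
            options.Password.RequiredLength = 12;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireDigit = true;
            options.Password.RequireNonAlphanumeric = true;
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();
    }
}

public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AccountController(SignInManager<ApplicationUser> signInManager)
    {
        _signInManager = signInManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginModel model)
    {
        // lockoutOnFailure: true makes this attempt count towards MaxFailedAccessAttempts.
        var result = await _signInManager.PasswordSignInAsync(
            model.UserName, model.Password, isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded) return RedirectToAction("Index", "Home");
        if (result.IsLockedOut) return View("Lockout");

        // One generic message for both a wrong user name and a wrong password, so the
        // form does not tell an attacker which user names exist.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View(model);
    }
}
```

Identity counts failures per account, so it covers the "block after some failed login attempts" tip at the user level; blocking by IP address, as the tip also suggests, is a separate layer that can be added in front of this (for example with HackerSpray or a reverse proxy).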
2. Always submit sensitive data using Encryption
Never send sensitive data like passwords or credit card details in clear form to the server for validation. Hackers can steal your data by sniffing it before it reaches the server.
Always use a Hashing algorithm like md5 or SHA256 for Password & Encryption algorithm like AES or DES on Client Side. e.g. using jQuery
3. Don’t forget to clear Cookies when logout
On login in an Asp.Net Core application, we keep some necessary data in the Session to keep the user logged in until he logs out. In some apps we set a Session timeout, & sometimes we do not set a Session timeout when the user ticks a checkbox on the login page saying he wants to stay logged in.
At the same time, an AspNetCore.Session cookie is added to the browser to keep a record of the logged-in user.
So, when we log out, we also need to remove the Cookies our application created in the user's browser, because a Hacker can use that info for an unauthorized login. This is also called a Session Fixation attack.
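A logout action that does all three clean-up steps (sign out of Identity, clear the server-side session, expire the browser cookies) looks like this. This is an added example, not code from the original article; it assumes the default IdentityUser type and that session support is enabled in Startup.

```csharp
// Added example: a logout action that removes both the server-side state and the
// cookies that point at it. Assumes ASP.NET Core Identity with IdentityUser and
// services.AddSession()/app.UseSession() configured in Startup.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager)
    {
        _signInManager = signInManager;
    }

    // POST only, with an anti-forgery token, so a third-party page cannot log the user out.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        // 1. Invalidate the authentication ticket; Identity expires its own cookie here.
        await _signInManager.SignOutAsync();

        // 2. Drop the server-side session data so the old session id maps to nothing.
        HttpContext.Session.Clear();

        // 3. Expire every cookie this browser holds for our site, including
        //    .AspNetCore.Session, so nothing usable is left behind on a shared machine.
        foreach (var cookieName in HttpContext.Request.Cookies.Keys)
        {
            Response.Cookies.Delete(cookieName);
        }

        return RedirectToAction("Index", "Home");
    }
}
```

Step 2 matters even though step 3 deletes the cookie: a copy of the session cookie taken earlier would otherwise still resolve to live session data until the timeout expires.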
4. Always use SSL
SSL stands for Secure Sockets Layer. It encrypts the communication between Client & Server using a very strong Key.
So, in the Startup.cs of your Asp.Net Core Application, you can set it to always use a Secure Policy for Cookies.
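The Startup.cs configuration referred to above, written out as an added example (not the article's own code): redirect plain HTTP to HTTPS, send an HSTS header so browsers stop trying HTTP at all, and mark every cookie the app issues, including the session cookie, as Secure and HttpOnly. The HTTPS port and HSTS lifetime are assumed values.

```csharp
// Added example: Startup.cs that forces HTTPS and the Secure cookie policy.
// Port 443 and the one-year HSTS max-age are assumptions for the illustration.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Plain-HTTP requests get a permanent redirect to the HTTPS port.
        services.AddHttpsRedirection(options =>
        {
            options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
            options.HttpsPort = 443;
        });

        // HSTS: browsers that have seen this header will refuse to use HTTP for the host.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
        });

        // The session cookie is sent only over HTTPS and is invisible to JavaScript.
        services.AddSession(options =>
        {
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.HttpOnly = true;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.IdleTimeout = TimeSpan.FromMinutes(20);
        });

        // Every other cookie the application writes gets the same flags.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.Secure = CookieSecurePolicy.Always;
            options.HttpOnly = HttpOnlyPolicy.Always;
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // HSTS is skipped on a dev box so a localhost HTTP site keeps working.
        if (!env.IsDevelopment())
        {
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseCookiePolicy();   // must run before anything that writes cookies
        app.UseRouting();
        app.UseSession();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

A quick check after deployment: open the site over http:// and confirm the 308 redirect, then inspect the response headers for Strict-Transport-Security and the Secure; HttpOnly attributes on Set-Cookie.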
5. Never keep sensitive data in clear form in your Database
Almost every web application has a Database for storing users' data, and most of the time Hackers attack the Server to steal that data. Let's say you have stored the credentials of your users, like Passwords & Payment method details, in your database in clear form. Then anyone who gets unauthorized access to your Database can misuse users' data.
So, always keep your sensitive data Hashed or Encrypted in your Database.
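The two cases named in sections 2 and 5, a password (which only ever needs to be checked, so it is hashed) and a payment detail (which must be read back, so it is encrypted), are shown side by side below. This is an added example, not code from the original article. Where the encryption key comes from is an assumption: it must live outside the database (configuration, an environment variable, a key vault), otherwise a database dump contains both the data and the key.

```csharp
// Added example: salted PBKDF2-SHA256 for stored passwords and AES-256-GCM for
// data that has to be decrypted again. Key storage is assumed to be external.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecretStorage
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 100_000;

    // Stored as "iterations.salt.hash" so the work factor can be raised later
    // without invalidating rows hashed under the old setting.
    public static string HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);
        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        var hash = kdf.GetBytes(HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        var parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out var iterations)) return false;
        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);
        using var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256);
        var actual = kdf.GetBytes(expected.Length);
        // Constant-time comparison: a plain == would leak how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Blob layout: nonce (12) || tag (16) || ciphertext. GCM authenticates the data,
    // so a row edited in the database fails to decrypt instead of yielding garbage.
    public static byte[] EncryptForDatabase(byte[] key, string plaintext)
    {
        var nonce = new byte[AesGcm.NonceByteSizes.MaxSize];
        RandomNumberGenerator.Fill(nonce); // a nonce must never repeat under the same key
        var data = Encoding.UTF8.GetBytes(plaintext);
        var ciphertext = new byte[data.Length];
        var tag = new byte[AesGcm.TagByteSizes.MaxSize];

        using var aes = new AesGcm(key);
        aes.Encrypt(nonce, data, ciphertext, tag);

        var blob = new byte[nonce.Length + tag.Length + ciphertext.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, nonce.Length);
        Buffer.BlockCopy(tag, 0, blob, nonce.Length, tag.Length);
        Buffer.BlockCopy(ciphertext, 0, blob, nonce.Length + tag.Length, ciphertext.Length);
        return blob;
    }

    public static string DecryptFromDatabase(byte[] key, byte[] blob)
    {
        int nonceLen = AesGcm.NonceByteSizes.MaxSize;
        int tagLen = AesGcm.TagByteSizes.MaxSize;
        var nonce = new ReadOnlySpan<byte>(blob, 0, nonceLen);
        var tag = new ReadOnlySpan<byte>(blob, nonceLen, tagLen);
        var ciphertext = new ReadOnlySpan<byte>(blob, nonceLen + tagLen, blob.Length - nonceLen - tagLen);
        var plaintext = new byte[ciphertext.Length];

        using var aes = new AesGcm(key);
        aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws CryptographicException if tampered
        return Encoding.UTF8.GetString(plaintext);
    }

    // Demo with a constructed key and constructed sample values.
    public static void Main()
    {
        var stored = HashPassword("Correct-Horse-Battery-Staple-42!");
        Console.WriteLine(VerifyPassword("Correct-Horse-Battery-Staple-42!", stored));
        Console.WriteLine(VerifyPassword("wrong-password", stored));

        var key = new byte[32]; // in a real app: loaded from configuration, never generated here
        RandomNumberGenerator.Fill(key);
        var blob = EncryptForDatabase(key, "4111 1111 1111 1111");
        Console.WriteLine(DecryptFromDatabase(key, blob));
    }
}
```

Note that this hashing happens on the server, after the password has arrived over the HTTPS connection from section 4; whatever is done in the browser, the server must still never write the received value to the database in clear form.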
6. Audit Trails or Logging is also Important
Audit Trails or Activity Logging are really important for knowing what's going on in your Application. If someone is generating many failed login attempts, then the Admin must receive an Email about these failed login attempts.
Let's say a User creates a new user or changes the Roles of an Existing user; each & every such activity should be logged in your Asp.net Core Application.
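An audit service that records both kinds of events and mails the admin once the failed-login count reaches a threshold, as an added example rather than code from the original article. It uses the IEmailSender interface that ships with the Identity UI package; the admin address, the threshold and the in-memory counter are assumptions for the illustration.

```csharp
// Added example: structured audit logging for failed logins and role changes,
// with an e-mail alert after a threshold. The in-memory counter is an assumption
// (it resets on restart and is per-instance); a shared store is needed behind a load balancer.
using System.Collections.Concurrent;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.Extensions.Logging;

public class AuditService
{
    private const int AlertThreshold = 5;
    private const string AdminEmail = "admin@example.com"; // placeholder address

    private readonly ILogger<AuditService> _logger;
    private readonly IEmailSender _email;
    private readonly ConcurrentDictionary<string, int> _failures =
        new ConcurrentDictionary<string, int>();

    public AuditService(ILogger<AuditService> logger, IEmailSender email)
    {
        _logger = logger;
        _email = email;
    }

    public async Task RecordFailedLoginAsync(string userName, string remoteIp)
    {
        var count = _failures.AddOrUpdate(userName, 1, (_, current) => current + 1);

        // Named placeholders, not string concatenation: the log store keeps User and Ip
        // as separate fields, so attacker-controlled text cannot forge a log line.
        _logger.LogWarning("Failed login for {User} from {Ip} (attempt {Count})",
            userName, remoteIp, count);

        if (count == AlertThreshold)
        {
            // The user name is user input and the message is HTML, so encode it.
            var safeUser = WebUtility.HtmlEncode(userName);
            await _email.SendEmailAsync(AdminEmail, "Repeated failed logins",
                $"<p>{count} failed login attempts for user <b>{safeUser}</b> from {remoteIp}.</p>");
        }
    }

    public void RecordSuccessfulLogin(string userName, string remoteIp)
    {
        _failures.TryRemove(userName, out _);
        _logger.LogInformation("Successful login for {User} from {Ip}", userName, remoteIp);
    }

    // Who changed what, for whom, from which role to which: enough to reconstruct
    // a privilege escalation afterwards.
    public void RecordRoleChange(string actor, string targetUser, string oldRole, string newRole)
    {
        _logger.LogInformation("User {Actor} changed role of {Target} from {OldRole} to {NewRole}",
            actor, targetUser, oldRole, newRole);
    }
}
```

Register it with services.AddSingleton<AuditService>() (a singleton, so the counter is shared) and call RecordFailedLoginAsync from the login action's failure branch.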
7. Never display original Technical error to the End User
Some Exceptions can disclose important information about our application, or sometimes they can even show a few lines of code to the end-user. Attackers are smart; they can use the information provided by our exception to crack the security of our Application.
So, before deploying your application in production, make sure that you have set a Custom Error page for all kinds of Exceptions & have done proper Error Logging in your Application.
8. Cross-Site Scripting (XSS)
In XSS Attacks, Hackers submit malicious scripts via Input Fields to steal users' credentials & other Important Data.
I have found the below Image on Cloudflare’s article about XSS. This will help you to understand XSS easily.
So, how do we Secure our Asp.Net Core Application from Cross-Site Scripting Attacks?
You can secure your web application by following these Tips:
- Use Regular Expressions on both Client & Server Side & only store validated data in your Database.
- HTML Encoding with Razor prevents such scripts from executing.
- XSS can also be delivered using URL Encoding, so validate & Encode URL parameters using UrlEncoder.
Here’s a great Article by Microsoft for Securing our app from XSS.