Tuesday, December 30, 2008

Create a Random Password

Sometimes a website needs to generate random passwords, for example an initial password that the user must change on first login. After some research I wrote a small helper that builds one from a cryptographic random number generator in the System.Security.Cryptography namespace. Do not use System.Random for this: it is not a cryptographic generator and its output is predictable.

using System;
using System.Security.Cryptography;

public static string CreateRandomPassword(int passwordLength)
{
    // 57 symbols; 0/O and 1/l/I are left out so the password is unambiguous when read or typed.
    const string allowedChars = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ23456789";
    int allowedCharCount = allowedChars.Length;
    // 256 is not a multiple of 57, so a plain (byte % 57) favours the first 28 characters.
    // Bytes at or above this limit are thrown away so every character is equally likely.
    int limit = 256 - (256 % allowedCharCount);   // 228
    char[] chars = new char[passwordLength];
    byte[] buffer = new byte[1];
    using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
    {
        for (int i = 0; i < passwordLength; )
        {
            rng.GetBytes(buffer);   // the original listing omitted this call, so its buffer stayed all zeros
            if (buffer[0] >= limit) continue;   // reject and draw again (no modulo bias)
            chars[i++] = allowedChars[buffer[0] % allowedCharCount];
        }
    }
    return new string(chars);
}

You can use this method as a random password generator. Each character is drawn from 57 symbols, so a 12-character password has about 70 bits of entropy, which is more than enough for a generated credential. Note that a generator is only one part of a password policy: minimum length, expiry and reuse rules are separate controls. For more detail about System.Security.Cryptography see MSDN.
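The same generator in Python, as an added example that is not the page's C# code. It shows why the rejection step matters: a function that counts how often each index comes out of a plain byte % 57 reduction, next to an unbiased version and the standard-library equivalent. The alphabet is the page's; the function names and the byte_source parameter (which defaults to the OS generator and exists so the selection logic can be fed known bytes) are assumptions of this example.

```python
import math
import os
import secrets

# Same 57-character alphabet as the C# helper on this page
# (0/O and 1/l/I left out so the password is unambiguous when read aloud).
ALLOWED_CHARS = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ23456789"


def modulo_bias(alphabet_size):
    """Count how often each index is produced when every possible byte value
    (0..255) is reduced with '% alphabet_size', the way the original C#
    loop did it. Returns (most_hits, fewest_hits); unequal numbers mean
    some characters come out more often than others."""
    hits = [0] * alphabet_size
    for b in range(256):
        hits[b % alphabet_size] += 1
    return max(hits), min(hits)


def unbiased_index(alphabet_size, byte_source=os.urandom):
    """Rejection sampling: read one random byte and discard it if it falls in
    the incomplete block at the top of the range (>= 256 - 256 % n), so every
    index 0..n-1 is produced with exactly equal probability.
    byte_source(k) must return k random bytes; os.urandom is the OS CSPRNG.
    Assumes alphabet_size <= 256 (true for any printable alphabet)."""
    limit = 256 - (256 % alphabet_size)   # 228 for a 57-character alphabet
    while True:
        b = byte_source(1)[0]
        if b < limit:
            return b % alphabet_size


def create_random_password(length, alphabet=ALLOWED_CHARS):
    """Password built from raw CSPRNG bytes with the unbiased selection above."""
    return "".join(alphabet[unbiased_index(len(alphabet))] for _ in range(length))


def create_random_password_stdlib(length, alphabet=ALLOWED_CHARS):
    """Same result using the standard library: secrets.choice already does the
    rejection sampling internally and is the idiomatic choice in Python."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALLOWED_CHARS):
    """Guessing strength of a password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print("bias with 57 symbols (most, fewest hits):", modulo_bias(57))
    print(create_random_password(12), round(entropy_bits(12), 1), "bits")
```

With a 57-symbol alphabet the biased reduction produces the first 28 characters five times out of 256 and the rest only four times; that is a small skew, but it is free to remove and it becomes large for alphabets whose size is just over a power of two.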


Sunday, December 28, 2008

What is IL (Intermediate Language)?

IL (Intermediate Language) is also known as MSIL (Microsoft Intermediate Language) or CIL
(Common Intermediate Language). All .NET source code, whatever the language, is compiled to IL,
and the IL is stored in the assembly (the .exe or .dll). It is converted to native machine code either ahead of time, when the software is installed (ngen.exe), or at run time by the Just-In-Time (JIT) compiler.
This is what makes an assembly platform independent: the compiler for each .NET language produces the same kind of IL, and the runtime on the target machine turns that IL into the machine code of whichever processor and operating system it is running on.
The main advantages of IL are:

1. Language independence: IL does not depend on the source language, so an application can be built from modules written in different .NET-compatible languages.
2. Platform independence: the same IL can be compiled to machine code for different processors or operating systems.

One security consequence: because IL keeps type and method information, an assembly can be disassembled (ildasm.exe) or decompiled back to readable source, so never embed passwords, keys or connection strings in code.

A detailed example is available here.


Friday, December 26, 2008

What is SQL Injection

Today I want to explain SQL injection. A simple definition: SQL injection is "an attack technique used to exploit web sites by altering back-end SQL statements through manipulating application input."
In other words, the attacker supplies input that the application inserts into a string, and that string is later passed to SQL Server for parsing and execution as if it were code the developer wrote.
These characters have special meaning in a SQL statement and are the usual ingredients of an injection:
1) (;) The semicolon ends one statement and starts another; this is how an attacker appends a second, arbitrary statement.
2) (--) The double hyphen marks the rest of the line as a comment, so the server ignores whatever the application appended after the injected text (typically the closing quote and the rest of the WHERE clause).
3) (/* ... */) Comment delimiters. Text between /* and */ is not evaluated by the server.
4) (') The single quote is the string delimiter. An attacker uses it to close the string the developer opened and start writing SQL.

Now, how does this happen? This is the important part.
1) Suppose your page searches for records by user name:
string userName = "shakti";
string sql = "SELECT * FROM TABLE1 WHERE NAME = '" + userName + "';";
The intent is to pull up the records for the given user name. Now watch what happens to the query as the value of userName changes.
Assume the user enters the following instead:
string userName = "shakti'; DROP TABLE TABLE1--";
The SQL now becomes:
SELECT * FROM TABLE1 WHERE NAME = 'shakti'; DROP TABLE TABLE1--';
The quote in the input closes the string, the semicolon ends the SELECT, and the comment marker hides the closing quote the application appended. The server first returns the records for shakti and then drops TABLE1. Therefore you must validate all user input and carefully review every place in your code where SQL commands are built from strings.
Preventing SQL Injection
To protect against SQL injection, user input must never be embedded directly in SQL statements. Use parameterized statements (preferred); only where that is impossible, escape or filter the input carefully, knowing that filtering is easy to get wrong.
These are the SQL security rules you must implement in your website:
  • Use stored procedures or parameterized statements. A stored procedure that builds dynamic SQL with EXEC is just as injectable as application code, so the parameters still matter inside it.
  • Never build Transact-SQL statements directly from user input.
  • Validate that input data has the expected type, length and format before it reaches the database.
  • The "sa" account and other privileged accounts that are members of the "sysadmin" or "db_owner" roles must not be used for application logins; an injected DROP TABLE only succeeds when the login has that permission.
  • Connection strings must be encrypted and stored in a secure location.
  • Keep data access in its own layer (business logic calling a data access layer), so that every query goes through one set of parameterized routines that can be reviewed.
SQL Injection Attack Example
String query = "SELECT * FROM users WHERE USERNAME = '" + name + "' AND PASSWORD = '" + password + "'";

Enter user name: 1' OR '1'='1
Enter password: 1' OR '1'='1
SELECT * FROM users WHERE USERNAME = '1' OR '1'='1' AND PASSWORD = '1' OR '1'='1'
Because '1'='1' is always true, the WHERE clause matches every row in the table, so the query returns rows and the login code treats the attacker as authenticated without ever knowing a valid password. (AND binds tighter than OR, but the trailing OR '1'='1' on its own is enough to match everything.) Interesting, isn't it?

For security, the C# code above must become a parameterized query:
using System.Data.SqlClient;

using (SqlConnection myConnection = new SqlConnection(connectionString))
using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
{
    // Values travel separately from the statement text, so a quote in the input stays data.
    myCommand.Parameters.AddWithValue("@username", user);
    myCommand.Parameters.AddWithValue("@password", pass);
    myConnection.Open();
    using (SqlDataReader myReader = myCommand.ExecuteReader())
    {
        bool loggedIn = myReader.Read();   // a row came back: the credentials matched
    }
}
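The three examples on this page (the stacked DROP TABLE, the 1' OR '1'='1 tautology, and the parameterized fix) as one runnable script against an in-memory SQLite table. This is an added example, not the page's C# code; the users table, its two rows and the payload strings are constructed for it, and the function names are this example's own. The injection mechanics are exactly those of the ADO.NET code above; SQLite is used only because it runs anywhere. One difference is marked in the code: sqlite3's execute() refuses stacked statements, so executescript() stands in for a driver that runs them, and the stacked payload re-opens a string instead of using -- so that the script ends cleanly.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's USERS table. Passwords
    are stored in clear text here only to keep the injection mechanics visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct-horse"), ("shakti", "s3cret")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Same string concatenation as the page's C# login query."""
    sql = ("SELECT username FROM users WHERE username = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterized query: the statement text is fixed and the values travel
    separately, so quotes or comment markers in the input stay plain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def search_vulnerable(conn, name):
    """The page's first example: a concatenated search query run by a driver
    that executes stacked statements. sqlite3.execute() raises on more than
    one statement, so executescript() reproduces what SQL Server would do."""
    conn.executescript("SELECT * FROM users WHERE username = '" + name + "';")


def table_exists(conn, table="users"):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row is not None


# The page's payload: closes the string and adds an always-true condition.
TAUTOLOGY = "1' OR '1'='1"
# Comment-marker variant: log in as a chosen user without any password.
COMMENT_OUT = "admin'--"
# Stacked-statement variant of the page's first example. The trailing
# "SELECT '" re-opens a string so the quote the application appends becomes
# an empty literal; the page's "--" does the same job on SQL Server.
DROP_TABLE = "shakti'; DROP TABLE users; SELECT '"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, admin'--  :", login_vulnerable(db, COMMENT_OUT, "anything"))
    print("safe, tautology       :", login_safe(db, TAUTOLOGY, TAUTOLOGY))
    print("safe, admin'--        :", login_safe(db, COMMENT_OUT, "anything"))
    search_vulnerable(db, DROP_TABLE)
    print("users table still exists:", table_exists(db))
```

The vulnerable login returns every user for the tautology and returns admin for admin'-- with any password; the parameterized version returns nothing for either, and the stacked search removes the table entirely.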
Two notes on the query above. HASHBYTES('SHA1', @password) is kept only because it was in the original: a single unsalted SHA-1 is not an acceptable way to store passwords. Hash them in application code with a salted, slow function (for example PBKDF2 through Rfc2898DeriveBytes) and compare there. Also make sure the parameter type matches the column the stored hash was computed from: HASHBYTES of an nvarchar value and of a varchar value holding the same text are different hashes. If you want to learn more about SQL injection, see MSDN.


SQL Server Security

Here is a list of SQL Server security points you must know for your project. Please read them carefully and implement them to make a secure website.
a) SQL injection
  1. Input data must be validated for correct type, length and format.
  2. Use stored procedures, or, where you run SQL commands from code, pass every value as a SqlParameter; never concatenate user input into the command text.
  3. Give each table its own stored procedures for insert, update, delete and read, so the application login can be granted EXECUTE on those procedures instead of direct access to the tables.
b) Authentication
  1. The "sa" account and other privileged accounts in the "sysadmin" or "db_owner" roles must not be used for application logins; create a low-privilege login for the application.
  2. Strong passwords are required for every SQL login.
  3. Connection strings must be encrypted and stored in a secure location.

c) Authorization
  1. Put data access in a business logic or data access layer so that every database call is made through one reviewed, least-privilege path.
  2. Wrap multi-statement operations in a transaction with commit and rollback, so a failure part-way through cannot leave the data in an inconsistent state.
d) Configuration management
  1. Use Windows authentication where possible, so that no database credentials have to be managed by the application.
e) Sensitive data
  1. Protect sensitive data such as passwords: store only salted hashes, never plain text, and encrypt other confidential columns.
f) Error handling
  1. Handle errors properly in stored procedures, and never return raw database error text to the browser; it tells an attacker your table and column names.
For more security detail see MSDN.


ASP.NET Basic Security

This is the basic security we implement in our websites. Everyone wants to know about security issues in ASP.NET web applications, so here are the basics you must know before working on any website, ordered roughly by priority.
a) Design
  1. Proper validation of numeric, alphanumeric, date/time and maximum-length input, including every search field.
  2. Absolute URLs must be used.
  3. All input parameters are validated on the server; client-side validation alone can be bypassed.
  4. Query strings that carry server secrets are hashed (or, better, carry no secrets at all).
  5. Required fields are enforced wherever the database requires a value, and null values are handled explicitly.
  6. Web controls and user controls.
b) Coding
  1. Document what goes into session and view state, so that nothing sensitive ends up there by accident.
  2. SQL parameters are used in data access code; they enforce the length and type of the data and prevent SQL injection.
  3. Passwords are not stored in the session.
  4. Strong password policies are enforced for authentication.
  5. Connection strings are encrypted (Aspnet_setreg.exe on ASP.NET 1.x; on ASP.NET 2.0 and later use aspnet_regiis -pe to encrypt the connectionStrings section of web.config).
  6. Proper error handling is in place.
  7. Use try/catch where the code can actually handle the error, not around everything; swallowing exceptions hides both bugs and attacks.
  8. View state is protected with message authentication codes (MACs): enableViewStateMac="true" is the default and must not be turned off.
c) Data store
  1. Sensitive data is never stored in cookies, hidden form fields or query strings.
  2. Session and view state values are checked for null before use rather than assumed to be present.
d) Before publishing
  1. <compilation debug="false"> in web.config on the server; debug builds leak source lines and stack traces.
  2. A default page is set in IIS.
  3. IIS web permissions are configured: the Bin directory has no Read, Write or Directory browsing permissions, Execute permissions are set to none, and authentication settings are removed so that all access is denied.
  4. File system read and write permissions are granted only to the accounts that need them.
  5. A custom error page is configured (<customErrors mode="On">), so that generic error pages with harmless messages are returned to the client.
For ASP.NET security details see MSDN.


Copyright 2009 All Rights Reserved Shakti Singh Dulawat