Module 5
Authorization
Module Objectives
Authentication and Authorization

Authentication is the process of verifying a user's identity with an application by using some sort of credentials. Authentication is always performed before authorization.

Authorization is the process of giving specific rights to authenticated users to perform specific tasks. For example, an Administrator is an authorized person who has the privileges and rights to add or delete any user account.

[Figure: a user first passes Authentication ("Who are you?" - "He is John") and then Authorization ("What rights do you have?") before being served home.aspx or admin.aspx]
Common Attacks due to Improper User Authentication and Authorization

- Phishing websites
- Sniffing
.NET Authentication and Authorization

[Figure: authentication and authorization options at each tier of a .NET application]

IIS
  Authentication: Anonymous, Basic, Digest, Integrated Windows, Certificate

IIS/ASP.NET Web Application
  Authentication: Windows, Forms, Passport, None (Custom)
  Authorization: URL Authorization, File Authorization, .NET Roles (Web, NTFS, and Principal Permissions)

IIS/ASP.NET Web Services and Remoting

Enterprise Services
  Authentication: RPC (Integrity, Privacy)
  Authorization: ES (COM+) Roles, NTFS Permissions

Database Server
  Authentication: Windows, SQL
  Authorization: Login Permissions, Roles

Code Access Security (CAS) security level

ASP.NET Authentication

ASP.NET Authentication security architecture:
- All requests go through the IIS layer before they are passed to the ASP.NET layer
- The IIS layer can decide to deny access without passing the request to the ASP.NET layer
ASP.NET authentication modes:
- Forms Authentication
- Passport Authentication
- None Authentication
- Windows Authentication
- Federated Authentication

[Figure: Web.config with the <authentication mode="..."> element]

Reference: https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-overview.html
Forms Authentication

Forms authentication collects the user credentials, such as username and password, directly from the user and implements customized logic for authenticating them.

Though the forms authentication mode does not use IIS authentication, it is still important to set the IIS authentication setting so that the ASP.NET application can run. For example, the IIS Anonymous Access setting is enabled when all incoming requests are supposed to be allowed to reach the forms authentication of the ASP.NET application.

[Figure: forms authentication flow]
1. Client request
2. If the IIS authentication settings are set properly, the request is passed to ASP.NET
3. The logon form collects the user credentials
4. The credentials are authenticated
5. Authenticated? No: access denied. Yes: the authentication cookie is attached and access to the protected resources is allowed
Forms Authentication (Cont'd)

It involves 4 steps:

[Figure: Login.aspx submits the credentials, which are authenticated against Web.config or the user database]
Passport Authentication

Passport authentication is appropriate when:
1. Username and password are not configured for database or login access
2. Users are to be provided with personalized content
3. The site is used in conjunction with other sites that use Passport authentication

(Microsoft has since retired the Passport service; the mode remains in the enumeration for historical completeness.)
Custom Authentication

[Figure: Web.config and custom authentication code]

Types in the System.Security.Authentication namespace:
- AuthenticationException
- InvalidCredentialException
- Enumerations
Windows Authentication

[Figure: Web.config with <authentication mode="Windows"> and Home.aspx]

Basic authentication
- The username and password are supplied as credentials to prove identity
- The browser (client) sends the Windows credentials to the web server in an unencrypted format, so it must only be used over an SSL/TLS connection

Digest authentication
- It is more secure than basic authentication

Integrated Windows authentication
- Uses the Kerberos or NTLM challenge/response protocols to authenticate the user (based on the client and server configuration)

Windows Authentication (Cont'd)

Certificate authentication
- The client certificate is sent from the client to the web server, which extracts the user's identity from the certificate
Determining an Authentication Method

Enterprise Services Authentication

- It is performed with remote procedure calls (RPC) that use the Security Support Provider Interface (SSPI) API of the operating system
- Kerberos or NTLM authentication is used to authenticate clients of the Enterprise Services applications
- A serviced component included in a library application runs inside the client process, so the client's identity is used
- A serviced component included in a server application runs in a separate process on the server with its own identity

[Figure: client process hosting a library application; server application running in its own process]
Enterprise Services Authentication (Cont'd)

Authentication for the serviced component is performed on the Remote Procedure Calls (RPC) at one of the following levels:

Default           Uses the default authentication level for the serviced component
None              No authentication is performed
Connect           Authenticates only when the connection is established
Call              Authenticates at the start of each RPC
Packet            Authenticates and verifies that all call data is received
Packet Integrity  Authenticates and ensures that the packet data is not modified during transmission
Packet Privacy    Authenticates and encrypts the packet, including the data and the sender's identity

SQL Server Authentication

The user is authenticated to SQL Server either with Windows authentication (NTLM or Kerberos) or through its built-in authentication scheme, known as SQL authentication.
Different Levels of Authorization

ASP.NET Authorization
- URL Authorization
- File Authorization
- Code-based Authorization
- .NET Roles
URL Authorization

The <authorization> element in Web.config grants or denies access to users, optionally per HTTP verb such as GET or POST. The default value "*" denotes all verbs.

[Figure: Web.config with <allow> and <deny> elements]
File Authorization

File authorization checks the NTFS access control list (ACL) permissions of the requested file.
- When the user requests a particular file to read, the user account is checked against the read permissions on that file
- The ASP.NET engine by default runs under the ASP.NET user account, because impersonation is "false" in the Web.config file; with impersonation disabled the ACL is checked against that account, not the end user
What is Impersonation?

ASP.NET impersonates the user by using the attached security token and verifies the rights of that user for accessing resources as specified in the <authorization> element of the Web.config file.

Impersonation Options
- Impersonation is disabled (the default: <identity impersonate="false"/>)
- Impersonation is enabled (<identity impersonate="true"/>): the request runs with the authenticated user's token
- Specific identity: ASP.NET can impersonate a fixed account (<identity impersonate="true" userName="..." password="..."/>) regardless of the authenticated user

[Figure: Home.aspx and Web.config examples for each option]
Delegation

Code-based Authorization
- Explicit Authorization
- Declarative Authorization
- Imperative Authorization
Authorization using ASP.NET Roles
- ASP.NET roles are also used to control access to the resources of the application
- These roles are used to manage access rules for groups of users

[Figure: Web.config with role-based authorization rules]
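The code-based authorization variants listed above (declarative versus imperative) and the Roles API, as an added example that is not from the slides. It is a Web Forms code-behind and assumes the markup declares the controls named here (pnlUserAdmin, btnDeleteUser, txtUserName, ddlRole, lblStatus), that <roleManager enabled="true"/> and <authentication mode="Forms"/> are configured, and an "Admin" role; those names are illustrative.

```csharp
// Added example (not from the slides): declarative vs. imperative code-based
// authorization in a Web Forms code-behind, alongside the ASP.NET Roles API.
// URL authorization for the same folder would live in Web.config:
//   <location path="Admin"><system.web><authorization>
//     <allow roles="Admin"/><deny users="*"/>
//   </authorization></system.web></location>
using System;
using System.Security;
using System.Security.Permissions;
using System.Web.Security;
using System.Web.UI;

public partial class Admin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Imperative check: decide at runtime and degrade gracefully
        // (hide the panel instead of throwing).
        bool isAdmin = Roles.IsUserInRole(User.Identity.Name, "Admin");
        pnlUserAdmin.Visible = isAdmin;
    }

    // Declarative check: the runtime demands the role before the method body runs.
    // Works because ASP.NET sets Thread.CurrentPrincipal to the request principal.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    protected void btnDeleteUser_Click(object sender, EventArgs e)
    {
        Membership.DeleteUser(txtUserName.Text.Trim());
        lblStatus.Text = "User deleted.";
    }

    // Imperative equivalent of the attribute above, for role names only known
    // at runtime. Throws SecurityException when the principal lacks the role.
    private static void DemandRole(string role)
    {
        new PrincipalPermission(null, role).Demand();
    }

    protected void btnAddToRole_Click(object sender, EventArgs e)
    {
        try
        {
            DemandRole("Admin");
            Roles.AddUserToRole(txtUserName.Text.Trim(), ddlRole.SelectedValue);
            lblStatus.Text = "Role assigned.";
        }
        catch (SecurityException)
        {
            // Do not reveal which role was missing; the client only needs a generic answer.
            lblStatus.Text = "You are not authorized to perform this action.";
        }
    }
}
```

The declarative form is easiest to audit (the requirement is visible on the method), while the imperative form is the only option when the required role is computed. Both rely on the <roleManager> provider populating the principal's roles; a hidden panel is a usability measure, not a security boundary, so the button handlers re-check regardless of what the page displayed.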
Enterprise Services Authorization
1. When the user tries to call a method on the serviced component, the authentication process takes place
2. Once the user is authenticated, the Enterprise Services interception layer accesses the COM+ catalog to decide the role membership of the client

SQL Server Authorization
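The Enterprise Services authentication levels and COM+ role checks from the slides above, as an added example that is not from the slides. It assumes the assembly is strong-named and registered with regsvcs.exe; the application name, the "Manager" and "Clerk" roles and the salary value are constructed for the example.

```csharp
// Added example (not from the slides): a COM+ serviced component that sets the
// RPC authentication level to Packet Privacy and enforces COM+ roles.
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

// Application-level settings written to the COM+ catalog on registration:
// access checks at component level, authentication plus encryption of every
// packet (Packet Privacy), and a server that learns the caller's identity
// without being allowed to act as the caller (Identify).
[assembly: ApplicationName("PayrollServices")]                  // assumed name
[assembly: ApplicationActivation(ActivationOption.Server)]     // separate dllhost.exe process
[assembly: ApplicationAccessControl(
    true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    ImpersonationLevel = ImpersonationLevelOption.Identify)]

namespace PayrollServices
{
    // Roles created in the COM+ catalog for this application. Users are
    // assigned to them by the administrator, not in code.
    [SecurityRole("Manager")]
    [SecurityRole("Clerk", SetEveryoneAccess = false)]
    [ComponentAccessControl(true)]
    [ComVisible(true)]
    public class PayrollComponent : ServicedComponent
    {
        // Any caller in a role assigned to this component may read.
        public decimal GetSalary(int employeeId)
        {
            EnsureSecurityEnabled();
            return 50000m; // constructed value
        }

        // Only callers in the Manager role may change salaries. The role
        // membership is decided by the interception layer against the COM+
        // catalog at call time; the check here is the per-method refinement.
        public void SetSalary(int employeeId, decimal salary)
        {
            EnsureSecurityEnabled();
            if (!ContextUtil.IsCallerInRole("Manager"))
            {
                string caller = SecurityCallContext.CurrentCall.DirectCaller.AccountName;
                throw new UnauthorizedAccessException(caller + " is not in the Manager role");
            }
            // ... persist the change
        }

        // If the administrator turns security off in the catalog (equivalent to
        // AuthenticationOption.None), IsCallerInRole would return true for
        // everyone, so refuse to run rather than silently grant access.
        private static void EnsureSecurityEnabled()
        {
            if (!ContextUtil.IsSecurityEnabled)
                throw new InvalidOperationException("COM+ role-based security is not enabled");
        }
    }
}
```

The `IsSecurityEnabled` guard is the practical caveat: when role-based security is disabled in the catalog, `IsCallerInRole` always succeeds, so a component that relies on roles alone fails open.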
ASP.NET Core Authentication
- Token Authentication
- Two-factor Authentication
- AspNetCore.Identity
ASP.NET Core Authentication (Templates)

[Figure: Visual Studio "Change Authentication" dialog. Options: No Authentication; Individual User Accounts; Work or School Accounts (for applications that authenticate users with Active Directory, Microsoft Azure Active Directory, or Office 365: Cloud - Single Organization, with Directory Access Permissions); Windows Authentication. Social authentication providers: Google, Twitter, Microsoft Account. "Learn more about third-party open source authentication options."]

Implementing Identity on ASP.NET Core (Templates)
Microsoft.Owin.Security packages (ASP.NET MVC 5 / OWIN):
- Microsoft.Owin.Security
- Microsoft.Owin.Security.OAuth
- Microsoft.Owin.Security.Facebook
- Microsoft.Owin.Security.Google
- Microsoft.Owin.Security.Twitter

[Code fragment, only partially recoverable: OpenID Connect configuration that reads the Azure AD settings (AzureAd:AadInstance, AzureAd:Tenant, AzureAd:PostLogoutRedirectUri) from Configuration, with ResponseType = OpenIdConnectResponseType.IdToken]
Open Source Authentication Providers

- ASOS (AspNet.Security.OpenIdConnect.Server): low-level, protocol-first OpenID Connect server framework for ASP.NET Core and OWIN/Katana
- IdentityServer4: OpenID Connect and OAuth 2.0 framework for ASP.NET Core, officially certified by the OpenID Foundation and under the governance of the .NET Foundation
- OpenIddict: easy-to-use OpenID Connect server for ASP.NET Core
- PwdLess

ASP.NET Core Identity packages

Microsoft.AspNetCore.Identity needs to be included in the project to use the ASP.NET Core Identity system.

Microsoft.AspNetCore.Identity.EntityFrameworkCore   Implement Identity with Entity Framework Core
Microsoft.EntityFrameworkCore.SqlServer              Implement Identity against relational databases, e.g., SQL Server
Microsoft.EntityFrameworkCore.InMemory               In-memory database provider (for testing)
Microsoft.AspNetCore.Authentication.Cookies          Implement cookie-based authentication
ASP.NET Core Token-based Authentication

[Figure: token-based authentication exchange between the browser at https://app.yourwebsite.com and the API server at https://api.yourwebsite.com]

Browser -> Server:  POST /authenticate  (username=...&password=...)
Server -> Browser:  HTTP 200 OK  {token: "...JWT..."}
Browser -> Server:  GET /api/userdetails  Authorization: Bearer ...JWT...
Server -> Browser:  HTTP 200 OK  {name: "userdetails"}

A JSON Web Token (JWT) consists of three base64url-encoded parts separated by dots: header.payload.signature. The token on the slide has the header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, which decodes to {"alg":"HS256","typ":"JWT"}; its payload carries the sub, jti, nameidentifier, exp, iss and aud claims (issuer and audience http://yourdomain.com); the signature is the HMAC-SHA256 over the first two parts. Because the server verifies the signature on every request, the payload cannot be altered by the client without invalidating the token.
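The issue and verify sides of the exchange above, as an added example that is not from the slides. It uses the System.IdentityModel.Tokens.Jwt package (Microsoft.IdentityModel.Tokens 6.x or later for `ValidAlgorithms`); the issuer and audience http://yourdomain.com come from the slide's token, while the signing key, the user name and user id are constructed for the example.

```csharp
// Added example (not from the slides): minting the JWT returned from
// POST /authenticate and validating it on GET /api/userdetails.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtIssuer
{
    const string Issuer = "http://yourdomain.com";    // from the slide's iss claim
    const string Audience = "http://yourdomain.com";  // from the slide's aud claim

    // HS256 needs a key of at least 256 bits. Constructed for the example; in
    // production load it from configuration or a key vault, never from source.
    static readonly SymmetricSecurityKey SigningKey = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef0123456789"));

    // Server side of POST /authenticate, called only after the password check passed.
    public static string Issue(string userId, string userName)
    {
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, userName),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique per token, enables revocation lists
            new Claim(ClaimTypes.NameIdentifier, userId),
        };
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: claims,
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(15), // short lifetime limits replay of a stolen token
            signingCredentials: new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Server side of "Authorization: Bearer <token>". Returns null when the
    // signature, issuer, audience or lifetime check fails, which is also what
    // happens when any character of the header or payload has been altered.
    public static ClaimsPrincipal Validate(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = SigningKey,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30), // library default is 5 minutes
            // Only accept the algorithm we issue with; rejects "none" and
            // algorithm-confusion attempts.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        };
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
        }
        catch (SecurityTokenException)
        {
            return null;
        }
    }
}
// In an ASP.NET Core API the same TokenValidationParameters are handed to
// services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
//         .AddJwtBearer(o => o.TokenValidationParameters = parameters);
```

Everything the server trusts comes from the signature check: the claims are readable by anyone holding the token (base64url is not encryption), so secrets never belong in the payload, and the token's own `exp` is the only thing bounding a stolen bearer token, which is why the lifetime above is short.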
IdentityServer4 Features
- Single sign-on
- Customizable
Implement ASP.NET Identity with IdentityServer

Step 1: Open Visual Studio. Select File -> New -> Project -> .NET Core -> ASP.NET Core Web Application and click OK

Steps 2 to 6: [Figures: NuGet Package Manager, installing IdentityServer4.AspNetIdentity ("ASP.NET Core Identity integration for IdentityServer4"), Microsoft.AspNetCore.Identity and IdentityServer4]

Step 7: Configure IdentityServer using ConfigureServices and Configure in the Startup.cs file

Step 8: Create the database
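Step 7 written out, as an added example that is not from the slides or from the IdentityServer4 project: a Startup.cs that plugs ASP.NET Core Identity into IdentityServer4 via the IdentityServer4.AspNetIdentity package installed above. The ApplicationUser and ApplicationDbContext types, the "DefaultConnection" connection string, and the client, API and redirect URIs are assumptions for the example.

```csharp
// Added example (not from the slides): IdentityServer4 + ASP.NET Core Identity wiring.
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        services.AddMvc();

        services.AddIdentityServer()
            // Development-only key material. In production use AddSigningCredential
            // with an X509Certificate2 so tokens survive restarts and the key is protected.
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(IdentityResources)
            .AddInMemoryApiResources(ApiResources)
            .AddInMemoryClients(Clients)
            // IdentityServer4.AspNetIdentity: the Identity user store backs login,
            // profile claims and the "is this user still active" check on each token.
            .AddAspNetIdentity<ApplicationUser>();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();
        app.UseIdentityServer(); // registers the OIDC endpoints and calls UseAuthentication
        app.UseMvcWithDefaultRoute();
    }

    static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
    };

    static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("payroll-api", "Payroll API"), // assumed API name
    };

    static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "payroll-web",                          // assumed client
            ClientName = "Payroll Web Client",
            // Authorization code with PKCE for a browser-facing client; no implicit flow,
            // so no tokens travel in the URL fragment.
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
            AllowedScopes = { "openid", "profile", "payroll-api" },
        },
    };
}
```

Step 8 (creating the database) is then `dotnet ef migrations add InitialIdentity` followed by `dotnet ef database update` against ApplicationDbContext; the in-memory client and resource lists are fine for a lab but belong in the IdentityServer4.EntityFramework configuration store once there is more than one client.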
Configure Windows Authentication

[Figure: IIS Manager, Authentication feature for the WindowsAuthSample site]
Configure Windows Authentication (Cont'd)

Enable Windows authentication with Http.sys or WebListener
- Windows authentication is not supported in Kestrel
- For self-hosted scenarios on Windows, use Http.sys
- Configure the app's web host to use Http.sys with Windows authentication

Windows Authentication
- The [Authorize] and [AllowAnonymous] attributes used in the app behave according to the configured anonymous access settings

Windows Authentication (Cont'd)
- Using Microsoft.AspNetCore.Server.IISIntegration: under IIS, pass IISDefaults.AuthenticationScheme to AddAuthentication in the ConfigureServices method
- Using Microsoft.AspNetCore.Server.HttpSys: under Http.sys, pass HttpSysDefaults.AuthenticationScheme to AddAuthentication in the ConfigureServices method

[Figure: Startup.cs for each hosting model]

Impersonation
1. ASP.NET Core does not support the impersonation feature of ASP.NET
2. All requests are executed with the application identity, using the app pool or process identity
3. Use WindowsIdentity.RunImpersonated to explicitly execute a request on behalf of a user
4. Execute a single action in that context and then close the context
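Self-hosting on Http.sys with Windows authentication and running one file read under the caller's token with WindowsIdentity.RunImpersonated, as an added example that is not from the slides. It requires Windows and the Microsoft.AspNetCore.Server.HttpSys package; the controller, the file-share path and the route are assumptions. One caveat the slides predate: later ASP.NET Core releases ship a Negotiate handler (Microsoft.AspNetCore.Authentication.Negotiate) that lets Kestrel do Windows authentication too.

```csharp
// Added example (not from the slides): Http.sys Windows authentication plus
// per-request impersonation in ASP.NET Core.
using System;
using System.IO;
using System.Security.Principal;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.HttpSys;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static void Main(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            // Http.sys performs the Kerberos/NTLM handshake in kernel mode.
            .UseHttpSys(options =>
            {
                options.Authentication.Schemes =
                    AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM;
                // false: every request must carry a Windows identity.
                // true: anonymous requests reach the app and [Authorize] decides per action.
                options.Authentication.AllowAnonymous = false;
            })
            .Build()
            .Run();
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Under IIS this would be IISDefaults.AuthenticationScheme instead.
        services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

[Authorize]
public class ReportsController : Controller
{
    // The request itself runs as the process identity. To have the file
    // server apply the CALLER's NTFS permissions, impersonate for just the read.
    [HttpGet("/reports/{name}")]
    public IActionResult Get(string name)
    {
        var windowsIdentity = User.Identity as WindowsIdentity;
        if (windowsIdentity == null) return Forbid();

        // Only a bare file name is accepted: an impersonated read must not become path traversal.
        if (name != Path.GetFileName(name)) return BadRequest();
        string path = Path.Combine(@"\\fileserver\reports", name); // assumed share

        try
        {
            // RunImpersonated scopes the caller's token to the delegate and
            // reverts afterwards, even when the delegate throws.
            string content = WindowsIdentity.RunImpersonated(windowsIdentity.AccessToken,
                () => System.IO.File.ReadAllText(path));
            return Content(content, "text/plain");
        }
        catch (UnauthorizedAccessException)
        {
            // The caller's own Windows account lacks read permission on the file.
            return Forbid();
        }
    }
}
```

Keeping impersonation inside a single delegate is the point of `RunImpersonated`: nothing else in the request pipeline (logging, database calls, other middleware) runs as the end user, which is the failure mode the old ASP.NET `<identity impersonate="true"/>` setting made easy.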
Impersonation (Cont'd)

[Figure: AccountController.cs using WindowsIdentity.RunImpersonated]

ASP.NET Core Authorization

[Figure: request pipeline]
1. A request is made to the /recipe/index URL
2. The request passes through the static files middleware and then the authentication middleware
3. The authorize filter runs before the action. If authorization is successful, the action method executes and generates a response as normal. If authorization fails, the authorize filter returns an error to the user and the action is not executed
ASP.NET Core Authorization (Cont'd)

ASP.NET Core Role-based Authorization

[Figure: EmployeeController.cs and AccountController.cs]
ASP.NET Core Role Authorization Policy

Claim-based Authorization

[Figure: Startup.cs]

Claim-based Authorization (Cont'd)
Custom Policy-based Authorization
- Custom authorization policies fulfill more complex authorization requirements which are beyond the role- or claims-based approach
- A custom policy contains one or more requirements; every requirement must be satisfied for the policy to pass
- Each requirement can have one or more handlers
- A requirement with several handlers is satisfied as soon as any one of its handlers succeeds

[Figure: Policy -> Requirements -> Handlers. Examples: AllowInSwimmingPoolRequirement with MembershipHandler and ValidTimingHandler; MinimumAgeRequirement with DateOfBirthHandler]

Custom Policy-based Authorization (Cont'd)

[Figure: Startup.cs registering the policy, and the requirement and handler classes]
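Role-, claim- and custom policy-based authorization in one registration, as an added example that is not from the slides. It uses the requirement and handler names from the diagram above (MinimumAgeRequirement, DateOfBirthHandler, AllowInSwimmingPoolRequirement, MembershipHandler, ValidTimingHandler); the policy names, the "HR" role, the EmployeeNumber and PoolMembership claims and the public pool hours are constructed.

```csharp
// Added example (not from the slides): policies, requirements and handlers.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AuthorizationPolicies
{
    // Called from Startup.ConfigureServices.
    public static void Register(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Role-based, as a named policy (equivalent to [Authorize(Roles = "HR")]).
            options.AddPolicy("HROnly", policy => policy.RequireRole("HR"));

            // Claim-based: the user must carry an EmployeeNumber claim with any value.
            options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber"));

            // Custom: one policy, two requirements. BOTH must be satisfied.
            options.AddPolicy("SwimmingPool", policy =>
            {
                policy.Requirements.Add(new MinimumAgeRequirement(18));
                policy.Requirements.Add(new AllowInSwimmingPoolRequirement());
            });
        });

        // Handlers come from DI; stateless handlers can be singletons.
        services.AddSingleton<IAuthorizationHandler, DateOfBirthHandler>();
        services.AddSingleton<IAuthorizationHandler, MembershipHandler>();
        services.AddSingleton<IAuthorizationHandler, ValidTimingHandler>();
    }
}

public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
}

public class AllowInSwimmingPoolRequirement : IAuthorizationRequirement { }

// One requirement, one handler: succeed only if a DateOfBirth claim proves the age.
public class DateOfBirthHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        var dob = context.User.FindFirst(ClaimTypes.DateOfBirth);
        if (dob != null && DateTime.TryParse(dob.Value, out var birthDate))
        {
            var today = DateTime.Today;
            int age = today.Year - birthDate.Year;
            if (birthDate > today.AddYears(-age)) age--; // birthday not yet reached this year
            if (age >= requirement.MinimumAge) context.Succeed(requirement);
        }
        // Not calling Succeed leaves the requirement unmet. Do not call Fail here:
        // Fail is final and would stop any other handler from satisfying it.
        return Task.CompletedTask;
    }
}

// One requirement, two handlers: an active member OR anyone during public hours.
// The requirement is met when ANY of its handlers calls Succeed.
public class MembershipHandler : AuthorizationHandler<AllowInSwimmingPoolRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AllowInSwimmingPoolRequirement requirement)
    {
        if (context.User.HasClaim("PoolMembership", "active")) context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public class ValidTimingHandler : AuthorizationHandler<AllowInSwimmingPoolRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AllowInSwimmingPoolRequirement requirement)
    {
        int hour = DateTime.Now.Hour;
        if (hour >= 9 && hour < 17) context.Succeed(requirement); // assumed public hours 09:00-17:00
        return Task.CompletedTask;
    }
}

public class PoolController : Controller
{
    [Authorize(Policy = "SwimmingPool")]
    public IActionResult Enter() => Content("Welcome to the pool");
}
```

The two composition rules are easy to get backwards: requirements inside a policy are ANDed, handlers for one requirement are ORed. A handler that calls `context.Fail()` vetoes the whole evaluation regardless of what other handlers do, so reserve it for hard denials such as a revoked account.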
Resource-based Authorization

[Figure: EmployeeController.cs injecting IAuthorizationService and calling AuthorizeAsync with the loaded employee]

View-based Authorization
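Resource-based authorization, where the decision depends on the record being acted on and not just on the user, as an added example that is not from the slides. The Employee type, IEmployeeRepository, the "HR" role and the operation names are constructed for the example; OperationAuthorizationRequirement and IAuthorizationService are the framework's own types.

```csharp
// Added example (not from the slides): authorizing against a loaded resource.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

public class Employee
{
    public int Id { get; set; }
    public string ManagerUserId { get; set; } // NameIdentifier of the manager
    public decimal Salary { get; set; }
}

public interface IEmployeeRepository
{
    Employee Find(int id);
    void Save(Employee employee);
}

// Named operations; the built-in OperationAuthorizationRequirement carries the name.
public static class EmployeeOperations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
    public static readonly OperationAuthorizationRequirement Edit =
        new OperationAuthorizationRequirement { Name = "Edit" };
}

// The second type parameter is the resource handed to AuthorizeAsync.
// Register with: services.AddSingleton<IAuthorizationHandler, EmployeeAuthorizationHandler>();
public class EmployeeAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Employee>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Employee resource)
    {
        string userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);

        // HR may read and edit anyone; a manager only their own direct reports.
        if (context.User.IsInRole("HR") || resource.ManagerUserId == userId)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

[Authorize]
public class EmployeeController : Controller
{
    private readonly IAuthorizationService _authorizationService;
    private readonly IEmployeeRepository _employees;

    public EmployeeController(IAuthorizationService authorizationService, IEmployeeRepository employees)
    {
        _authorizationService = authorizationService;
        _employees = employees;
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Edit(int id, decimal salary)
    {
        Employee employee = _employees.Find(id);
        if (employee == null) return NotFound();

        // Checked AFTER loading, because the handler needs the resource.
        var result = await _authorizationService.AuthorizeAsync(User, employee, EmployeeOperations.Edit);
        if (!result.Succeeded)
            return User.Identity.IsAuthenticated ? (IActionResult)Forbid() : Challenge();

        employee.Salary = salary;
        _employees.Save(employee);
        return RedirectToAction(nameof(Details), new { id });
    }

    public async Task<IActionResult> Details(int id)
    {
        Employee employee = _employees.Find(id);
        if (employee == null) return NotFound();
        var result = await _authorizationService.AuthorizeAsync(User, employee, EmployeeOperations.Read);
        return result.Succeeded ? View(employee) : (IActionResult)Forbid();
    }
}
```

View-based authorization uses the same service from Razor (`@inject IAuthorizationService AuthorizationService`, then `@if ((await AuthorizationService.AuthorizeAsync(User, Model, EmployeeOperations.Edit)).Succeeded)` around the Edit button), but hiding the button only tidies the UI; the controller check above is what actually enforces the rule.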
Authentication and Authorization (MVC)

[Figure: HTTP request with user credentials -> Controller with Authorize filter -> ASP.NET Users/Roles database -> Response (View). Visual Studio "Change Authentication" dialog, Individual User Accounts selected: "For applications that store user profiles in a SQL Server database. Users can register, or sign in using their existing account for Facebook, Twitter, Google, Microsoft, or another provider." Other options: No Authentication, Work And School Accounts, Windows Authentication]
MVC Authentication Filter (Cont'd)

[Figure: CustomAuthentication.cs implementing an MVC authentication filter]

Single Sign-On
- Single sign-on: log in only once and access multiple applications (WebApp1, WebApp2, WebApp3, ...)
- Single sign-on can be implemented by sharing forms authentication cookies across web applications. To use a common authentication ticket:
  - Use the machine-level Web.config file and manually generate the validationKey and decryptionKey values in the <machineKey> element
  - Share the generated validationKey and decryptionKey across the web applications so that each can decrypt and validate the others' tickets

OpenID
- The user logs in using the username and password of the OpenID provider
- The user permits the website to use his identity

Action Filters

[Figure: HomeController.cs with action filters on the Employee actions]
Authentication and Authorization Defensive Techniques: Web Forms

[Figure: Web.config]
Use Strong Hashing Algorithms to Validate Data
- MD5 is a weak hashing algorithm that produces a small hash value
- SHA1 is stronger than MD5 and produces a larger hash value, but it is itself deprecated; set validation="HMACSHA256" (or HMACSHA512) on the <machineKey> element

[Figure: Web.config <machineKey validation="..."> setting]

Use Strong Encryption Algorithms to Protect Authentication Data
- DES is a weak encryption algorithm with a small key
- AES is a strong encryption algorithm with a large key; set decryption="AES" on the <machineKey> element

[Figure: Web.config <machineKey decryption="..."> setting]
Secure Forms Authentication Cookies using SSL
- Set requireSSL="true" on the <forms> element so the authentication cookie is flagged Secure and is only sent over HTTPS

[Figure: Web.config <forms requireSSL="true"> setting]
Prevent Session Hijacking using Cookieless Authentication

[Figure: Web.config <forms cookieless="..."> setting]

Caveat: with cookieless authentication the ticket is carried in the URL, where it appears in browser history, proxy and server logs and Referer headers. cookieless="UseCookies" together with requireSSL="true" is the safer default.

Avoid Forms Authentication Cookie Persistence using the DisplayRememberMe Property

[Figure: Login control with DisplayRememberMe="false"]
Avoid Forms Authentication Cookie Persistence while using the RedirectFromLoginPage Method
- Vulnerable code: the second parameter (createPersistentCookie) is true, so the ticket survives the browser session
- Secure code: pass false so the cookie is a session cookie

Avoid Forms Authentication Cookie Persistence while using the SetAuthCookie Method
- Vulnerable code / Secure code: the same rule applies to the createPersistentCookie parameter of SetAuthCookie

Avoid Forms Authentication Cookie Persistence while using the GetRedirectUrl Method
- The second parameter of the GetRedirectUrl method should not be set to true, to avoid persisting cookies

Avoid Forms Authentication Cookie Persistence while using the FormsAuthenticationTicket Constructor (Cont'd)
- Secure code: Login_Click validates the user with Membership.ValidateUser(txtUsername.Text, ...) and creates the ticket with isPersistent set to false
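The four persistence slides above and the earlier forms-authentication flow, as one added example that is not from the slides: a Login.aspx code-behind with the vulnerable handler (persistent cookie, relative redirect via Server.Transfer) next to the secure one (non-persistent ticket, HttpOnly/Secure cookie, Response.Redirect to an absolute path). The control names (txtUsername, txtPassword, lblError) and the /Secure/ folder are assumptions.

```csharp
// Added example (not from the slides): Login.aspx.cs, vulnerable vs. secure.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // VULNERABLE (the pattern the slides warn about): createPersistentCookie is
    // true, so the ticket is written as a persistent cookie that outlives the
    // browser session, and Server.Transfer runs the target page inside the
    // current request, so URL authorization for the target never executes.
    protected void Login_Click_Vulnerable(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(txtUsername.Text, txtPassword.Text))
        {
            FormsAuthentication.SetAuthCookie(txtUsername.Text, true);
            Server.Transfer("Secure/Home.aspx");
        }
    }

    // SECURE
    protected void Login_Click(object sender, EventArgs e)
    {
        string userName = txtUsername.Text.Trim();
        if (!Membership.ValidateUser(userName, txtPassword.Text))
        {
            lblError.Text = "Invalid username or password."; // same text for unknown user and wrong password
            return;
        }

        // Simplest secure form: FormsAuthentication.RedirectFromLoginPage(userName, false);
        // Explicit form, when the ticket must carry userData (here the user's roles):
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(20),
            isPersistent: false,                                   // session cookie only
            userData: string.Join(",", Roles.GetRolesForUser(userName)),
            cookiePath: FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // mirrors <forms requireSSL="true">
            Path = ticket.CookiePath,
            // No Expires value: a non-persistent cookie is dropped when the browser closes.
        };
        Response.Cookies.Add(cookie);

        // GetRedirectUrl with createPersistentCookie=false returns the ReturnUrl
        // (restricted to this application) or the default page.
        string target = FormsAuthentication.GetRedirectUrl(userName, false);
        if (string.IsNullOrEmpty(target) || !target.StartsWith("/"))
            target = "/Secure/Home.aspx";            // absolute path, never a relative one

        // A real redirect: the browser issues a new request for the secure page,
        // which passes through IIS and URL authorization again.
        Response.Redirect(target, false);
    }
}
```

The two handlers differ in exactly the places the slides flag: the boolean persistence argument and the transfer-versus-redirect choice. The cookie flags are the practitioner's addition: `HttpOnly` keeps the ticket away from script, and tying `Secure` to `RequireSSL` means the configuration and the code cannot disagree.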
Secure Passwords with minRequiredPasswordLength
- The default value (7 for SqlMembershipProvider) does not ensure a secure password
- It should be set to a proper value to ensure the security of passwords

[Figure: Web.config membership provider settings]
Secure Passwords with minRequiredNonalphanumericCharacters
- Weak settings allow weak passwords that can be easily broken
- It is recommended to require strong passwords that include non-alphanumeric characters by setting the minRequiredNonalphanumericCharacters property to a proper value

[Figure: Web.config membership provider settings]

Secure Passwords with passwordStrengthRegularExpression

[Figure: Web.config membership provider with a password regular expression]

Reference: https://www.ocpsoft.org/tutorials/regular-expressions/password-regular-expression/
Restrict Number of Failed Logon Attempts
- This locks out the account once the number of failed logon attempts exceeds the threshold
- It is set using the maxInvalidPasswordAttempts and passwordAttemptWindow properties of the membership provider (in the Web.config file)
- A large value gives the attacker more chances to try attacks
- The value should be as small as possible to minimize the attacker's attempts

[Figure: Web.config membership provider settings]

Use Absolute Paths when Redirecting to Secure Pages
- Whenever the code redirects to a secure page from a page in the public area, such as the Login page of the application, it should use the absolute path of the secure page rather than a relative path
- A relative path may give direct access to the restricted area of the application

[Figure: Secure code]
Secure Applications from Authorization Bypass Attacks
- Server.Transfer should not be used to send the user to a secure page: it executes the target page within the current request, so URL authorization is never evaluated for the new URL
- Response.Redirect should be used instead: the browser issues a new request for the secure page, which passes through authentication and authorization again
Create Separate Folder for Secure Pages in Application

[Figure: vulnerable vs. secure Web.config: the secure folder gets its own <authorization> rules through a <location> element]

[Figure: Register.aspx form (Confirm Password, Email, Security Question, Security Answer), vulnerable vs. secure code]
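The Web.config settings from the Web Forms defensive slides above (machineKey algorithms and shared keys for single sign-on, forms requireSSL and cookieless, membership password and lockout settings, and a <location> element for the secure folder) checked by a small console program, as an added example that is not from the slides. The element and attribute names are the real ASP.NET ones; the thresholds and the sample Web.config embedded below are constructed for the example and represent the "vulnerable" configuration.

```csharp
// Added example (not from the slides): lint a Web Forms Web.config for the
// weak settings discussed in this section.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class WebConfigLint
{
    public static List<string> Check(XDocument config, string secureFolder)
    {
        var findings = new List<string>();
        XElement systemWeb = config.Root?.Element("system.web");
        if (systemWeb == null) return new List<string> { "no <system.web> element" };

        // <machineKey>: algorithms that sign/encrypt the forms ticket. For SSO the same
        // explicit keys must be configured in every application.
        XElement mk = systemWeb.Element("machineKey");
        string validation = (string)mk?.Attribute("validation") ?? "HMACSHA256";
        string decryption = (string)mk?.Attribute("decryption") ?? "Auto";
        if (validation == "MD5" || validation == "SHA1")
            findings.Add($"machineKey validation={validation} is weak; use HMACSHA256 or stronger");
        if (decryption == "DES" || decryption == "3DES")
            findings.Add($"machineKey decryption={decryption} is weak; use AES");
        if (((string)mk?.Attribute("validationKey") ?? "").Contains("AutoGenerate"))
            findings.Add("machineKey validationKey is AutoGenerate; SSO across apps needs explicit shared keys");

        // <authentication mode="Forms"><forms .../>
        XElement forms = systemWeb.Element("authentication")?.Element("forms");
        if (forms != null)
        {
            if (!AttrBool(forms, "requireSSL", false))
                findings.Add("forms requireSSL is false; the ticket can travel over plain HTTP");
            string cookieless = (string)forms.Attribute("cookieless") ?? "UseDeviceProfile";
            if (cookieless != "UseCookies")
                findings.Add($"forms cookieless={cookieless}; the ticket may be placed in the URL");
        }

        // Membership provider password and lockout policy.
        IEnumerable<XElement> providers =
            systemWeb.Element("membership")?.Element("providers")?.Elements("add") ?? Enumerable.Empty<XElement>();
        foreach (XElement p in providers)
        {
            string name = (string)p.Attribute("name");
            if (AttrInt(p, "minRequiredPasswordLength", 7) < 8)
                findings.Add($"{name}: minRequiredPasswordLength below 8");
            if (AttrInt(p, "minRequiredNonalphanumericCharacters", 1) < 1)
                findings.Add($"{name}: minRequiredNonalphanumericCharacters is 0");
            if (AttrInt(p, "maxInvalidPasswordAttempts", 5) > 5)
                findings.Add($"{name}: maxInvalidPasswordAttempts above 5 gives attackers more guesses");
            if (AttrInt(p, "passwordAttemptWindow", 10) < 10)
                findings.Add($"{name}: passwordAttemptWindow below 10 minutes resets the counter too quickly");
            if ((string)p.Attribute("passwordFormat") == "Clear")
                findings.Add($"{name}: passwordFormat=Clear stores plaintext passwords");
        }

        // The secure folder must carry its own <location> that denies anonymous users.
        bool secured = config.Root.Elements("location")
            .Where(l => string.Equals((string)l.Attribute("path"), secureFolder, StringComparison.OrdinalIgnoreCase))
            .SelectMany(l => l.Descendants("deny"))
            .Any(d => (string)d.Attribute("users") == "?" || (string)d.Attribute("users") == "*");
        if (!secured)
            findings.Add($"no <location path=\"{secureFolder}\"> denying anonymous users");

        return findings;
    }

    static bool AttrBool(XElement e, string name, bool dflt) =>
        bool.TryParse((string)e.Attribute(name), out var v) ? v : dflt;
    static int AttrInt(XElement e, string name, int dflt) =>
        int.TryParse((string)e.Attribute(name), out var v) ? v : dflt;

    // Constructed sample: every weak setting from the slides in one file.
    const string SampleConfig = @"<configuration>
  <system.web>
    <machineKey validation='SHA1' decryption='DES'
                validationKey='AutoGenerate,IsolateApps' decryptionKey='AutoGenerate,IsolateApps'/>
    <authentication mode='Forms'>
      <forms loginUrl='Login.aspx' requireSSL='false' cookieless='UseUri'/>
    </authentication>
    <membership defaultProvider='SqlProvider'>
      <providers>
        <add name='SqlProvider' type='System.Web.Security.SqlMembershipProvider'
             minRequiredPasswordLength='4' minRequiredNonalphanumericCharacters='0'
             maxInvalidPasswordAttempts='100' passwordAttemptWindow='1' passwordFormat='Clear'/>
      </providers>
    </membership>
  </system.web>
</configuration>";

    public static void Main()
    {
        foreach (string finding in Check(XDocument.Parse(SampleConfig), "Secure"))
            Console.WriteLine("WARN: " + finding);
    }
}
```

Run against the embedded sample it reports nine findings, one per weak setting; point `Check` at a real file with `XDocument.Load(path)` to use it as a pre-deployment gate. The defaults assumed when an attribute is absent (validation HMACSHA256, minRequiredPasswordLength 7, maxInvalidPasswordAttempts 5, passwordAttemptWindow 10) are the SqlMembershipProvider and .NET 4 machineKey defaults.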
Configure Identity Services: Password Policy

Property                Default
RequireDigit            true
RequiredLength          6
RequireNonAlphanumeric  true
RequireUppercase        true
RequireLowercase        true
RequiredUniqueChars     1

Configure Identity Services: Password Policy (Cont'd)

[Figure: Startup.cs setting options.Password in ConfigureServices]
Configure Identity User Validation Settings

[Figure: Startup.cs setting options.User (AllowedUserNameCharacters, RequireUniqueEmail)]

Configure Application's Cookie Settings

CookieAuthenticationOptions:
- SlidingExpiration: the cookie is reissued with a fresh expiration when a request arrives after the cookie has passed half of its expiration time
- ReturnUrlParameter: the name of the query-string parameter the middleware appends when it alters a 401 status code into a 302 redirect to the login path

Configure Identity Services: Cookie Settings

[Figure: Startup.cs calling ConfigureApplicationCookie]
Enforce SSL
- Redirect HTTP requests to HTTPS and send the HTTP Strict Transport Security (HSTS) header so browsers refuse plain HTTP for the site
- HSTS only takes effect after the browser has seen the header once; to protect the very first request, submit the domain to the browsers' HSTS preload list
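The Identity password policy, user validation, application cookie settings and SSL enforcement slides above, as one added example that is not from the slides: a Startup.cs for ASP.NET Core 2.1 or later. ApplicationDbContext, the login paths and the chosen limits are assumptions for the example; the option names are the framework's.

```csharp
// Added example (not from the slides): hardened Identity and cookie configuration.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationDbContext : IdentityDbContext
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<IdentityUser, IdentityRole>(options =>
        {
            // Password policy: tighter than the defaults listed in the table above
            // (RequiredLength 6, RequiredUniqueChars 1).
            options.Password.RequiredLength = 12;
            options.Password.RequireDigit = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequiredUniqueChars = 4;

            // User validation: restrict the user-name alphabet and forbid duplicate e-mails.
            options.User.AllowedUserNameCharacters =
                "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@";
            options.User.RequireUniqueEmail = true;
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

        // CookieAuthenticationOptions for the Identity application cookie.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;                           // not readable from JavaScript
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // HTTPS only
            options.Cookie.SameSite = SameSiteMode.Strict;            // not sent on cross-site requests
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            // Reissue the cookie when a request arrives after half of ExpireTimeSpan has elapsed.
            options.SlidingExpiration = true;
            options.LoginPath = "/Account/Login";                     // assumed paths
            options.AccessDeniedPath = "/Account/AccessDenied";
            // Query-string parameter appended when a 401 is turned into a 302 to LoginPath.
            options.ReturnUrlParameter = "returnUrl";
        });

        // Enforce SSL: HSTS header plus HTTP -> HTTPS redirection.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
            options.Preload = true; // both are required before submitting the domain to the preload list
        });
        services.AddHttpsRedirection(options => options.HttpsPort = 443);

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (!env.IsDevelopment())
            app.UseHsts(); // never send HSTS from localhost; the browser would pin it for a year
        app.UseHttpsRedirection();
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}
```

`SlidingExpiration` with a 30-minute window means an active user is never logged out while an idle session dies after 30 minutes; combine it with `Cookie.SecurePolicy = Always` and `requireSSL`-style transport enforcement, otherwise a reissued cookie can leak on the one request that went over HTTP.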
Authentication and Authorization Defensive Techniques: MVC

Implement AllowXRequestsEveryXSecondsAttribute to Throttle Requests
- Implementing AllowXRequestsEveryXSecondsAttribute restricts the user from using an action after the action has been repeated more than a specified number of times within a specified time window
MVC Page Access Control: Custom Security Filter
- Add the filter to an individual action
- Implement the filter globally

[Figure: Security.cs implementing the custom filter, and its registration]
Page Access Control: Third-party Libraries

Implement Control-level Protection
- Implementing control-level protection in the views enables a user to display a ...

Implement Control-level Protection (Cont'd)
- Implementing control-level protection with security filters decides whether a controller action should display its result, based on the user's access, in the IResultFilter OnResultExecuting method
Implement Account Lockout
- await UserManager.AccessFailedAsync(user.Id);

Implement Account Lockout (Cont'd)

[Figure: vulnerable vs. secure code in AccountController.cs and Global.asax.cs]
Implement AllowAnonymous Action Filter

Note:
- Do not implement security using route constraints
- Security decisions should be made at the controller level

Implement AllowAnonymous Action Filter (Cont'd)

[Figure: the Register() action decorated with [AllowAnonymous]]
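The MVC defences from the slides above combined in one ASP.NET MVC 5 AccountController, as an added example that is not from the slides: a global AuthorizeAttribute with [AllowAnonymous] only on Register and Login, an AllowXRequestsEveryXSecondsAttribute throttle on Login, and account lockout driven by UserManager.AccessFailedAsync. ApplicationUserManager and ApplicationSignInManager are the Identity 2.x template types, System.Runtime.Caching must be referenced, and the view models and limits are constructed for the example.

```csharp
// Added example (not from the slides): global Authorize filter, AllowAnonymous,
// request throttling and account lockout in ASP.NET MVC 5 with Identity 2.x.
using System;
using System.Runtime.Caching;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// FilterConfig.cs: every action requires authentication unless it opts out
// with [AllowAnonymous]. Route constraints are not involved in the decision.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

// Allows at most Requests calls per client IP to the decorated action within Seconds.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class AllowXRequestsEveryXSecondsAttribute : ActionFilterAttribute
{
    public int Requests { get; set; } = 5;
    public int Seconds { get; set; } = 60;

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string key = "throttle:" + filterContext.ActionDescriptor.ActionName + ":" + request.UserHostAddress;

        // Fixed window: the counter expires Seconds after the first hit. AddOrGetExisting
        // returns null when our fresh counter was stored, otherwise the existing one.
        var fresh = new HitCounter();
        var counter = (HitCounter)MemoryCache.Default.AddOrGetExisting(
            key, fresh, DateTimeOffset.UtcNow.AddSeconds(Seconds)) ?? fresh;

        if (counter.Increment() > Requests)
            filterContext.Result = new HttpStatusCodeResult(429, "Too many requests");
    }

    private class HitCounter
    {
        private int _hits;
        public int Increment() => Interlocked.Increment(ref _hits);
    }
}

public class LoginViewModel { public string UserName { get; set; } public string Password { get; set; } }

public class AccountController : Controller
{
    // Lockout thresholds live in ApplicationUserManager.Create in the template:
    //   manager.UserLockoutEnabledByDefault = true;
    //   manager.MaxFailedAccessAttemptsBeforeLockout = 5;
    //   manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
    private ApplicationSignInManager SignInManager =>
        HttpContext.GetOwinContext().Get<ApplicationSignInManager>();

    [AllowAnonymous]
    public ActionResult Register() => View();

    [AllowAnonymous]
    public ActionResult Login(string returnUrl) => View();

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    [AllowXRequestsEveryXSeconds(Requests = 5, Seconds = 60)]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await UserManager.FindByNameAsync(model.UserName);
        // One message for unknown user, wrong password and locked account: no user enumeration.
        if (user == null || await UserManager.IsLockedOutAsync(user.Id))
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        if (!await UserManager.CheckPasswordAsync(user, model.Password))
        {
            // Records the failure; the store locks the account once the threshold is reached.
            await UserManager.AccessFailedAsync(user.Id);
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        await UserManager.ResetAccessFailedCountAsync(user.Id);
        await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

The throttle and the lockout address different attackers: the per-IP window slows a single source down, while lockout caps guesses against one account from any number of sources. Both return the same generic error as a wrong password so the responses do not reveal which defence fired.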
Module Summary C A