Hosting Provided By

RE: Current Project Design, Comments?

From: Vitor Ventura <vventura(at)sia.pt>
Date: Tue Mar 18 2003 - 12:16:08 EST

I really don't know very well what is the viewstate objective, but in a security audit that i've made the web app, would crash if I send random values in the viewstate. This means that the application must be carefull with what comes on this variable.

-----Original Message-----

From: Michael Loll [mailto:mloll@pointetech.com] Sent: sexta-feira, 14 de Fevereiro de 2003 20:26 To: webappsec@securityfocus.com
Subject: Current Project Design, Comments?

I am currently on a project designing an ASP.NET-based application for a client. I would welcome any comments on my security design so far.

Communication Protection

Client Web Browser to Web Server: 128-bit SSL encryption Web Server to Database Server: IPSec (via Windows 2000 Server)

Authentication

Client to Web Server: Custom authentication against a username/password stored in Oracle DB. The database actually only stores the username, a hash of the password, and a random salt value used in the hashing process. No password is actually stored in the database.

Web Server to Database Server: A single identity is used to talk to the DB server from the Web Server. These credentials are stored on the Web Server in encrypted form and are decrypted when needed (and stored in memory). The key for decryption is the password of the web account - this is all handles via Window's data protection api.

Authorization

Client to Web Server: Subsystems of the application are protected via custom role-based security. Each user has a "role" and if that page is not viewable by that role, they are redirected to a different page.

Web Server to Database Server: The trusted identity has minimum rights to the specified tables and procedures needed to perform its duties.

Do you need help?

Pretty standard in the web world, correct? I am still trying to figure out a universal way to handle SQL injections. I garnered most of this from Microsoft's whitepaper on secure ASP.NET applications.

--

Michael Loll
Consultant / Pointe Technology Group, Inc. mloll@pointetech.com / www.pointetech.com work: 301-306-4400 x4441 / cell: 240-603-7372 / fax: 301-306-4421

This email is my opinion and not that of my employer.

Received on Tue Mar 18 12:58:24 2003

This message: [ Message body ]
Next message: alex(at)netWindows.org: "RE: Current Project Design, Comments?"
Previous message: Dave Aitel: "Re: Spike"
Maybe in reply to: Michael Loll: "Current Project Design, Comments?"
Next in thread: alex(at)netWindows.org: "RE: Current Project Design, Comments?"
Reply: alex(at)netWindows.org: "RE: Current Project Design, Comments?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT