SecureDefaults.AspNet

Secure configuration defaults for ASP.NET


Keywords
ASP.NET, WebForms, Secure, Defaults
Install
Install-Package SecureDefaults.AspNet -Version 1.1.0

Documentation

SecureDefaults

SecureDefaults is a NuGet package that changes asp.net projects to use a more secure default configuration.

Installing this package is the first step (of many) to passing an OWASP-based security review.

Some of the config options listed below are the same as the machine-level defaults. However, due to the way that web.config inheritance works, they may not be the default for your application when deployed. Security options important to your app should be stated explicitly in your config files.

SecureDefaults.AspNet

customErrors

<customErrors mode="RemoteOnly" defaultRedirect="~/GenericError.html" />

In release mode

<customErrors mode="On" defaultRedirect="~/GenericError.html" />

When custom errors are off, an error page containing debug information will be displayed to users. Even when they are on, the standard error page will identify the site as an asp.net one. Having the mode on together with a custom error page will also prevent attacks such as the padding oracle vulnerability.

enableVersionHeader

<httpRuntime enableVersionHeader="false" />

Removes the "X-AspNet-Version" custom response header, which exposes the site technology and version.

httpOnlyCookies

<httpCookies httpOnlyCookies="true" />

Prevents cookie access via client-side scripts and XSS flaws. If a specific cookie is needed in JavaScript, set HttpCookie.HttpOnly = false on that object.

encoderType

(Net40)

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />

(Net45)

<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

The default asp.net html encoder uses a blacklist to encode any characters that are known to cause problems. The AntiXss encoder uses a whitelist to allow a range of characters, and anything else gets encoded. It is more likely to provide protection if an XSS character combination is found in the future, and some security reviews require whitelists.

viewStateEncryption and enableViewStateMac

<pages viewStateEncryptionMode="Always" enableViewStateMac="true" />

Web forms viewstate contains control properties that by default can be viewed by users, as it is just a base64 string. Nothing private should ever be put into viewstate, but information leakage can occur because developers set control properties without considering where those values end up being stored. Encryption prevents client-side viewing. ViewStateMac should always be enabled, and as of .net 4.5.2 it can't be turned off.

Session state and Forms auth cookieless

<sessionState cookieless="UseCookies" />
<forms cookieless="UseCookies" />

Asp.net has the option of storing session tokens in the url for browsers that don't accept cookies. This configuration option makes it easy for network monitoring tools to capture the url and then hijack the session. Cookies should always be used for session and authentication tokens.

Session state and Forms auth name

<sessionState name="unique-name" />
<forms name="unique-name" />

Unique cookie names for session and auth prevent clashes with sites running under the same domain. They also provide a small benefit against automated attacks looking for the standard cookie names.

Forms protection

<forms protection="All" />

Ensures forms authentication cookies are encrypted and integrity checked.

Tracing - Release mode

<trace enabled="false" localOnly="true" />

Tracing exposes detailed internal information on requests, responses and logging via the trace.axd handler.

debug - Release mode

<compilation debug="false" />

Apart from introducing performance problems on production servers, the debug attribute can send detailed information to clients in the case of an error.

Custom headers

<customHeaders>
  <remove name="X-Powered-By" />
  <remove name="X-Frame-Options" />
  <add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>

Removes the "X-Powered-By" custom response header, which exposes the site technology and version. Adds the "X-Frame-Options" custom response header to prevent click-jacking from other domains.

No Cache module

<modules>
  <add name="SecureDefaultsNoCacheModule" type="SecureDefaults.NoCacheModule, SecureDefaults" />
</modules>

Sets the "Cache-Control", "Pragma" and "Expires" headers so that no html page is cached in the browser or on proxy servers. This prevents information leakage via shared computers or cache hits. If your site has public pages that are common for everyone, remove this entry and specifically add expire headers to secure or authenticated areas.

Header module

<modules>
  <add name="SecureDefaultsHeaderModule" type="SecureDefaults.HeaderModule, SecureDefaults" />
</modules>

Removes the "Server" custom response header, which exposes the site technology and version.
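As an added illustration of what the no-cache and header modules above do (hypothetical code, not the package's own): one IHttpModule that marks html responses uncacheable and strips the Server header.

```csharp
using System;
using System.Web;

// Hypothetical module (added illustration, not the package's own code) that
// combines the no-cache and Server-header behaviour described above.
public class SecureHeadersModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // The handler has run by now, so the content type is known.
        app.PostRequestHandlerExecute += OnPostRequestHandlerExecute;
        // Last chance to touch headers before they go on the wire.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    private static void OnPostRequestHandlerExecute(object sender, EventArgs e)
    {
        var response = ((HttpApplication)sender).Context.Response;
        // Only html pages are marked uncacheable; scripts, images and css keep caching.
        if (!IsHtml(response.ContentType)) return;

        // NoCache emits "Cache-Control: no-cache", "Pragma: no-cache" and "Expires: -1";
        // SetNoStore adds "no-store" so shared proxies and back-button caches drop it.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var response = ((HttpApplication)sender).Context.Response;
        // Headers.Remove needs the IIS 7+ integrated pipeline; it throws in classic mode.
        response.Headers.Remove("Server");
    }

    internal static bool IsHtml(string contentType)
    {
        return contentType != null &&
               contentType.StartsWith("text/html", StringComparison.OrdinalIgnoreCase);
    }
}
```

Register it in the same `<modules>` element shown above; the type name and assembly are yours, not the package's.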

robots.txt

Prevents login pages showing up in web search results. Also has the added benefit of removing 404 response errors when web crawlers request the file and it doesn't exist. Note this file will only be used if the site is at the root of the domain.

SecureDefaults.AspNet.Mvc

App_Start\SecureDefaultsMvc.cs

Removes the "X-AspNetMvc-Version" custom response header, which exposes the site technology and version.

Views cshtml modification

Adds the autocomplete="off" attribute to login and account related fields. Corrects an open redirect vulnerability in the Mvc 1 and 2 AccountController.cs templates.

SecureDefaults.AspNet.Ssl

Cookies and Forms auth requireSSL

<httpCookies requireSSL="true" />
<forms requireSSL="true" />

Prevents the browser from sending session cookies over insecure channels.

Https redirect module

<modules>
  <add name="SecureDefaultsSslOnly" type="SecureDefaultsSsl.SslOnlyModule, SecureDefaultsSsl" />
</modules>

Redirects all http requests to https. Although it is best to disable http altogether so that session cookies are not initially created in the clear, that is often an unacceptable user experience. It is important that all security cookies are recreated on login (see below).

If the whole domain that this site will be hosted on will be https only, change the type to the following. It will set the Strict-Transport-Security header.

<modules>
  <add name="SecureDefaultsSslOnly" type="SecureDefaultsSsl.DomainSslOnlyModule, SecureDefaultsSsl" />
</modules>
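As an added illustration of the redirect and domain-wide HSTS behaviour described above (hypothetical code, not the package's SslOnlyModule or DomainSslOnlyModule), with an assumed one-year max-age:

```csharp
using System;
using System.Web;

// Hypothetical module (added illustration, not the package's own code): redirect
// http to https and, on https responses, emit Strict-Transport-Security.
public class SslOnlyWithHstsModule : IHttpModule
{
    // Assumed policy value; only use a long max-age once the whole domain is https.
    private const int HstsMaxAgeSeconds = 31536000; // one year

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;

        if (!ctx.Request.IsSecureConnection)
        {
            // Permanent redirect keeps path and query; note a 301 turns a POST into a GET,
            // so forms must already be served and submitted over https.
            ctx.Response.RedirectPermanent(BuildHttpsUrl(ctx.Request.Url), true);
            return;
        }

        // Browsers ignore HSTS on plain http, so it is only set on https responses.
        // includeSubDomains matches the "whole domain is https only" case above.
        ctx.Response.AppendHeader("Strict-Transport-Security",
            "max-age=" + HstsMaxAgeSeconds + "; includeSubDomains");
    }

    internal static string BuildHttpsUrl(Uri url)
    {
        // Port -1 drops any explicit http port so the default https port is used.
        var builder = new UriBuilder(url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri.AbsoluteUri;
    }
}
```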

Security Items NOT covered by this package (not comprehensive)

  • Password complexity rules, storage (never clear text or simple hashing), renewal, force change or lockout.
  • SQL Injection
  • Web forms default code expressions. Use the new <%: code %> and <%#: code %> html encoding syntax instead of the traditional <%= code %> syntax. Watch out for double encoding if updating old code.
  • Some session management functions. Call Session.Abandon() and set new auth cookies after any privilege escalation (e.g. login).
  • Insecure direct object references. Access permissions must be rechecked on all sub pages and function level operations.
  • Third party components configuration. Review settings required to secure features coming from other companies.
  • Cross-site request forgery (CSRF). Use a CSRF token such as the MVC Html.AntiForgeryToken or the ViewStateUserKey in web forms.
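The following is an added illustration (hypothetical code, not the package's or the MVC template's own) of three items from this page in one login action: the open redirect fix from the Mvc section, the session and auth cookie rotation after login, and the anti-forgery token. It assumes a configured Membership provider and the default session cookie name.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical controller (added illustration, not the package's or the MVC template's
// code). Assumes a configured Membership provider; the security-relevant parts are the
// returnUrl check and the session/auth cookie rotation after login.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // pairs with Html.AntiForgeryToken() in the view (CSRF item)
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View();
        }

        // Privilege escalation: drop the anonymous session and expire its cookie so a
        // pre-login session id is not carried into the authenticated session.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1) // use your configured sessionState name
        });

        // Fresh forms auth cookie; no persistent cookie for account actions.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Open redirect fix: only follow returnUrl when it points into this site.
        return Redirect(IsLocalUrl(returnUrl) ? returnUrl : Url.Action("Index", "Home"));
    }

    // A site-relative path only: rejects absolute urls, protocol-relative
    // "//evil.example" and the "/\evil.example" browser quirk.
    internal static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }
}
```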