CS296N Web Development 2: ASP.NET

Web Security

Topics by week
1. Intro to course and Identity
2. Authentication and Authorization
3. Claims and Third Party Authentication
4. Web Security
5. Midterm, Bootstrap and Front-End Libraries
6. Load Testing and Performance
7. Creating a Web Service
8. Consuming a Web Service, Async / Await
9. Docker Containers
10. Microservices

Contents


Introduction

  • Quiz?

Review


Testing with ZAP

OWASP Zed Attack Proxy Project

1) Start your web app project in Visual Studio
2) In your browser, log in to your web app as a member (not an admin).
3) Run a passive scan in ZAP.

Result of passive scan of BookInfo2

High priority Path Traversal (2)
High priority Remote OS Command Injection
High priority SQL Injection

Medium priority X-Frame-Options Header Not Set (5)
Medium priority Application Error Disclosure (5)
Medium priority Cookie No HttpOnly Flag (6)

Low priority Web Browser XSS Protection Not Enabled (7)
Low priority X-Content-Type-Options Header Missing (9)

Result of Active Scan

Medium priority X-Frame-Options Header Not Set (17)
Low priority Web Browser XSS Protection Not Enabled (18)

Low priority X-Content-Type-Options Header Missing (20)

Discussion of Alerts

X-Frame-Options Header Not Set

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. (Clickjacking - Wikipedia)

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site: if you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the page in the browsers that support it.

Set X-Frame-Options in ASP.NET Core

Combating ClickJacking With X-Frame-Options
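The following Program.cs is an added example, not code from the course or from the BookInfo2 project, showing how an ASP.NET Core app can address several of the ZAP alerts above in one place: X-Frame-Options and X-Content-Type-Options are added to every response by a small inline middleware, cookies are forced to HttpOnly (and Secure) through the cookie policy, and detailed error pages are confined to the Development environment so stack traces are not disclosed in production. The "/Error" page name and the Razor Pages setup are assumptions for the sake of the example.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting model) - added example, assumes a Razor Pages app.
using Microsoft.AspNetCore.CookiePolicy;   // HttpOnlyPolicy
using Microsoft.AspNetCore.Http;           // CookieSecurePolicy

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();

// "Cookie No HttpOnly Flag": make every cookie the app issues HttpOnly and HTTPS-only.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
});

var app = builder.Build();

// "Application Error Disclosure": detailed exception pages only in Development;
// everywhere else route unhandled errors to a generic error page (assumed to exist at /Error).
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

// "X-Frame-Options Header Not Set" and "X-Content-Type-Options Header Missing":
// register the headers in OnStarting so they are attached to every response,
// including static files and error pages, just before the headers are flushed.
app.Use(async (context, next) =>
{
    context.Response.OnStarting(() =>
    {
        var headers = context.Response.Headers;
        // DENY: this site never expects its pages to be framed.
        // Use "SAMEORIGIN" instead if your own pages frame each other.
        headers["X-Frame-Options"] = "DENY";
        // Stop browsers from MIME-sniffing a response away from its declared Content-Type.
        headers["X-Content-Type-Options"] = "nosniff";
        return Task.CompletedTask;
    });
    await next();
});

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();   // must run before anything that writes cookies (authentication, session)
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();

app.Run();
```

After the change, re-run the ZAP passive scan against the logged-in app and confirm the three alerts no longer appear. Two caveats worth knowing: the "Web Browser XSS Protection Not Enabled" alert refers to the X-XSS-Protection header, which current browsers have removed support for, so the real control for that class of issue is a Content-Security-Policy rather than that header; and ALLOW-FROM is likewise not honoured by modern browsers, where the CSP frame-ancestors directive is the supported way to permit framing by specific sites.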

Resources

Tutorials

OWASP ZAP


Conclusion

  • Review lab due dates on Moodle
  • Next time we will...