WebApp Sec mailing list archives

RE: Current Project Design, Comments?

From: Vitor Ventura <vventura () sia pt>
Date: Tue, 18 Mar 2003 17:16:08 -0000

I really don't know very well what is the viewstate objective, but in a
security audit that i've made the web app, 
would crash if I send random values in the viewstate. This means that the
application must be carefull with what comes on this variable.

-----Original Message-----
From: Michael Loll [mailto:mloll () pointetech com]
Sent: sexta-feira, 14 de Fevereiro de 2003 20:26
To: webappsec () securityfocus com
Subject: Current Project Design, Comments?

I am currently on a project designing an ASP.NET-based application for a
client.  I would welcome any comments on my security design so far.

Communication Protection
------------------------
Client Web Browser to Web Server: 128-bit SSL encryption
Web Server to Database Server: IPSec (via Windows 2000 Server)

Authentication
--------------
Client to Web Server: Custom authentication against a username/password
stored in Oracle DB.  The database actually only stores the username, a hash
of the password, and a random salt value used in the hashing process.  No
password is actually stored in the database.

Web Server to Database Server: A single identity is used to talk to the DB
server from the Web Server.  These credentials are stored on the Web Server
in encrypted form and are decrypted when needed (and stored in memory).  The
key for decryption is the password of the web account - this is all handles
via Window's data protection api.

Authorization
-------------
Client to Web Server: Subsystems of the application are protected via custom
role-based security.  Each user has a "role" and if that page is not
viewable by that role, they are redirected to a different page.

Web Server to Database Server: The trusted identity has minimum rights to
the specified tables and procedures needed to perform its duties.

Pretty standard in the web world, correct?  I am still trying to figure out
a universal way to handle SQL injections.  I garnered most of this from
Microsoft's whitepaper on secure ASP.NET applications.

--
Michael Loll
Consultant / Pointe Technology Group, Inc.
mloll () pointetech com / www.pointetech.com

* This email is my opinion and not that of my employer.

Current thread:

RE: Current Project Design, Comments?, (continued)
- RE: Current Project Design, Comments? securityarchitect (Feb 14)
- RE: Current Project Design, Comments? Logan F.D. Greenlee (Feb 14)
- RE: Current Project Design, Comments? Michael Loll (Feb 14)
  - RE: Current Project Design, Comments? Tim Aranki (Feb 14)
- RE: Current Project Design, Comments? Scott (Feb 14)
- RE: Current Project Design, Comments? Gal Rozov (Feb 17)
- RE: Current Project Design, Comments? Michael Loll (Feb 17)
  - RE: Current Project Design, Comments? TUER, DON (Feb 17)
- RE: Current Project Design, Comments? Douglas Schlenker (Feb 17)
- RE: Current Project Design, Comments? Sarbjit Singh Gill (Mar 03)
- RE: Current Project Design, Comments? Vitor Ventura (Mar 18)
  - RE: Current Project Design, Comments? alex (Mar 18)