pTools White Papers: An analysis of the security features of ASP.NET by Peter Breen

ABSTRACT

Web applications are employed for a wide range of every-day tasks. A growing number of these Web applications offer functionalities that carry huge potential security risks. In response to this, bodies such as the OWASP have been established to raise awareness and provide recommendations for improving Web application security. According to the OWASP, the most threatening kinds of attacks on a Web application’s environment result from vulnerabilities in the application itself.

This paper analyses ASP.NET to determine its effectiveness in preventing today’s top ten most critical Web application vulnerabilities, as described by the OWASP. These vulnerabilities include cross-site scripting, injection flaws, broken authentication and session management, insecure cryptographic storage and cross-site request forgery. All ten vulnerabilities are covered in detail.

The security features ASP.NET offers are first detailed and are then manifested in a test Web application. This application is then analysed for its effectiveness in precluding each Web application vulnerability type. Guidelines and recommendations published by the OWASP are used as the basis of this analysis. For each vulnerability type, areas of the test application that may be vulnerable to the threat are identified, protection mechanisms are described, tests are carried out and observations are made.

To further analyse ASP.NET, its security features are compared to the relevant features of a similar technology, namely Java EE.

Resulting from this analysis, conclusions are drawn quantifying the ability of ASP.NET to aid in the prevention of Web application vulnerabilities. To support this quantification, a set of metrics is defined to rate the framework’s effectiveness in protecting against a particular vulnerability. Ratings are then determined using these metrics for each OWASP vulnerability type, and these ratings are used to draw the conclusions of the analysis.
