What is "Form Caching Vulnerability"?
A form caching vulnerability exists when a page containing sensitive form fields (passwords, card numbers, personal data) is served without cache headers that forbid storing it. The browser keeps a copy of the page, and with form autocompletion the entered values as well, so another user of the same client, or anyone who can read the browser's cache, can retrieve them later.
CWE-525: Information Exposure Through Browser Caching (the entry has since been retitled "Use of Web Browser Cache Containing Sensitive Information")
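The usual ASP.NET Web Forms mitigation is to send no-store cache headers for the page and to switch off form-field autocompletion. The following base page is an added example written for this article, not code from the original post; the class name SensitiveFormPage is an assumption, and the code assumes the page has a server-side form.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: base class for pages that collect sensitive data.
// It sends cache headers that stop the browser (and any proxy) from keeping
// a copy of the response, and turns off autocompletion so entered values are
// not offered to the next user of the same client.
public class SensitiveFormPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Emits "Cache-Control: no-cache, no-store", "Pragma: no-cache" and an
        // Expires date in the past. no-store is the directive that matters for
        // CWE-525: no-cache alone still lets the response be stored and revalidated.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        if (Form != null)
        {
            // Belt and braces: disable autocomplete on the form and on every
            // TextBox so values are not kept in the browser's form history.
            Form.Attributes["autocomplete"] = "off";
            DisableAutoComplete(Form);
        }
    }

    // Walks the control tree and sets autocomplete="off" on each TextBox.
    private static void DisableAutoComplete(Control parent)
    {
        foreach (Control child in parent.Controls)
        {
            var textBox = child as TextBox;
            if (textBox != null)
                textBox.Attributes["autocomplete"] = "off";

            if (child.HasControls())
                DisableAutoComplete(child);
        }
    }
}
```

A page opts in by deriving from SensitiveFormPage instead of Page. Verify the fix by checking the response headers in the browser's developer tools or with `curl -I`: the page must carry `Cache-Control: no-cache, no-store`. Two caveats: `autocomplete="off"` is only a hint, and current browsers ignore it for login fields, so the headers are the real control; and `Response.Cache` only covers this page's response, so JSON returned by AJAX calls for the same form needs the same headers set separately.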
This is the first of my series on securing ASP.NET web sites. As I work through various vulnerabilities, I’ll document instructions for fellow web developers in hopes that we can help build more secure web applications. The Cookie Vulnerability falls under the common vulnerability name of "Broken Authentication and Session Management."
What is "Broken Authentication and Session Management"?
This cookie vulnerability falls under OWASP Top 10 2010 A3. You can read more at Top 10 2010-A3-Broken Authentication and Session Management. This category covers application functions related to authentication and session management that are not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
The setup: Microsoft ASP.NET and AJAX Control Toolkit components
I needed to add extra options to a DropDownList web control driven by the Ajax Control Toolkit CascadingDropDown ASP.NET AJAX extender. The CascadingDropDown automatically populates the list with a set of options returned by a web service. The AJAX call also passes in the selected value of the parent list, so that the lists cascade (each list shows only the items related to the parent selection).
An example would be two drop down lists: Automobile Make and Automobile Model. If the user selects "Ford" from the Automobile Make drop down list, then only Ford models are listed in the Automobile Model drop down list. If the user changes the Automobile Make to "Honda", then the items in Automobile Model change to show only Honda models.
I needed a way to append an "All" option to the drop down list, but I didn't want to include "All" as a valid option in my web service. I wanted to append it on one specific form rather than make it part of the data feed.
To start, you need a working set of CascadingDropDown web controls. I'm not going to explain that setup here; you need to have it working before you can add additional elements.
Encrypting the sensitive data in your ASP.NET web.config file is a simple process that can be done two ways. The first is to run aspnet_regiis.exe from a command prompt to encrypt/decrypt the XML sections. The second is to encrypt/decrypt programmatically from within your web site.
Things you need to know before starting:
- Which system account does your ASP.NET web site run as?
This is usually "NT AUTHORITY\NETWORK SERVICE" (IIS 6) or "ASPNET" (IIS 5) unless specifically configured otherwise; on IIS 7.5 and later the default is the application pool identity, "IIS AppPool\<poolName>". That account needs read access to the RSA key container that the encrypted sections are protected with, which you grant with `aspnet_regiis -pa "NetFrameworkConfigurationKey" "<account>"`.
- The directory where aspnet_regiis.exe is located. The default installation path is %WINDIR%\Microsoft.NET\Framework\<versionNumber>\aspnet_regiis.exe (Framework64 on a 64-bit server for a 64-bit application pool). The last folder is the version of the Framework you are using, for example v2.0.50727 or v4.0.30319. The v3.0 and v3.5 folders do not contain aspnet_regiis.exe; .NET 3.x sites use the v2.0.50727 copy.
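For the second, programmatic way, the following class is an added example written for this article, not the post's own code. It uses the standard System.Configuration API and the built-in RsaProtectedConfigurationProvider; the class and method names are assumptions, and the application path "/MySite" in the comments is a placeholder.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypt or decrypt one section of the running site's
// web.config in place with the RSA protected-configuration provider.
// Programmatic equivalent of the command-line approach:
//   aspnet_regiis -pe "connectionStrings" -app "/MySite"   (encrypt)
//   aspnet_regiis -pd "connectionStrings" -app "/MySite"   (decrypt)
public static class ConfigSectionProtector
{
    private const string Provider = "RsaProtectedConfigurationProvider";

    // appPath is the application's virtual path, e.g. "/" or "/MySite".
    // sectionName is the XML element to protect, e.g. "connectionStrings"
    // or "appSettings". Returns true if web.config was changed.
    public static bool Encrypt(string appPath, string sectionName)
    {
        return SetProtection(appPath, sectionName, true);
    }

    public static bool Decrypt(string appPath, string sectionName)
    {
        return SetProtection(appPath, sectionName, false);
    }

    private static bool SetProtection(string appPath, string sectionName, bool encrypt)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName, "sectionName");

        // Nothing to do if the section is already in the requested state.
        if (section.SectionInformation.IsProtected == encrypt)
            return false;

        if (encrypt)
            section.SectionInformation.ProtectSection(Provider);
        else
            section.SectionInformation.UnprotectSection();

        // ForceSave makes sure the section is written even though its
        // settings did not change, only its protection did.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

Two things to check before calling this from the site itself: the account the site runs as must have write permission on web.config and access to the RSA key container (the `-pa` step above), and saving web.config restarts the application, so run it once from an admin page or a deployment step rather than at every start. Whichever way you encrypt, ConfigurationManager.ConnectionStrings and WebConfigurationManager.AppSettings decrypt transparently at run time, so application code does not change.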
In the past, I've used various open source .NET charting libraries or Flash based libraries. I've even coded my own charting libraries for some complex data visualization requirements. Today, Scott Gu blogged about the free Microsoft Chart Controls for Microsoft .NET 3.5.
A common issue that I find myself falling into is how to sort things such as categories. I could sort them alphabetically or by child record counts, but most often my system owners (who I'm developing my web applications for) want to be able to reorder the categories to match either the process flow or priorities.
This can easily be done by adding a new field to the database record to store the sort order precedence and a new textbox on the web form to edit/add new category records. However, editing one category at a time in a web form leads to a bit of confusion since it's easy to forget whether the category should be #3 or #4. They want something more visual. And that's where the AJAX Toolkit ReorderList control comes in.
Stephen's code worked almost perfectly until I needed to use more than one "NotEqual" constraint in my route. If you attempt to use Stephen's code as such, then you'll get the error message indicated below.
My company uses an SSL proxy for accessing internal web sites from external networks (such as the Internet). The SSL proxy used is supplied by Juniper Networks and our networking guys have always made comments like "oh, another Juniper bug", etc.
- Use ASP.NET AJAX PopUpExtender control to provide a mouseover popup with additional content relevant to the GridView row.
- Use DynamicContextKey to pass in the GridView record's unique identifier.
- Use a User Control to render the HTML response, so I don't need to build the HTML code using a StringBuilder or HtmlTextWriter.
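The three points above fit together in a single page method, shown here as an added example written for this article rather than the post's own code. It assumes a DynamicPopulateExtender (or PopupControlExtender with a dynamic populate) calling a static page method, a user control at ~/Controls/RowDetails.ascx with a RecordId property, and an application-specific Authorization.CanView check; all three names are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Services;
using System.Web.UI;

// Added example: page method invoked by the extender with the hovered row's
// DynamicContextKey. It renders a user control to an HTML string, so no markup
// is built by hand with a StringBuilder or HtmlTextWriter.
public partial class Customers : Page
{
    [WebMethod]
    public static string GetRowDetails(string contextKey)
    {
        // The context key arrives straight from the client, so treat it as
        // untrusted input: it must parse as a positive record id.
        int recordId;
        if (!int.TryParse(contextKey, out recordId) || recordId <= 0)
            return "<p>Invalid record.</p>";

        // Page methods can be called by anyone who can reach the page, with
        // any id, so the current user's right to see this record is checked
        // here, not only in the GridView that listed it.
        // (Authorization.CanView is an assumed application-specific check.)
        if (!Authorization.CanView(HttpContext.Current.User, recordId))
            return "<p>Not available.</p>";

        return RenderUserControl("~/Controls/RowDetails.ascx", recordId);
    }

    // Hosts the control in a throw-away Page so it runs through the normal
    // control life cycle, then captures the rendered HTML with Server.Execute.
    private static string RenderUserControl(string virtualPath, int recordId)
    {
        var host = new Page();
        var control = (RowDetails)host.LoadControl(virtualPath);
        control.RecordId = recordId;   // assumed property on the user control
        host.Controls.Add(control);

        using (var writer = new StringWriter())
        {
            HttpContext.Current.Server.Execute(host, writer, false);
            return writer.ToString();
        }
    }
}
```

Page methods need EnablePageMethods="true" on the ScriptManager. The extender inserts the returned string into the page as HTML, so everything the user control emits from record data must be HTML-encoded (Server.HtmlEncode or `<%: %>` in .NET 4); otherwise a record containing markup becomes a stored cross-site scripting payload delivered on mouseover.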
My initial code was something similar to the below code:
If you add a new ASP.NET web site as a virtual directory/application under an existing ASP.NET web site, you'll probably run into problems with web.config inheritance.
Even if the sub-webapp is physically separate, just being in a virtual directory located within another webapp will result in many of the settings being inherited and messing up your sub-webapp.
The method to resolve these issues can be found over at Rick Strahl's blog entry titled "IIS/ASP.NET Settings and Virtual Directory Inheritance".
The key is wrapping the sections of your top-level web application's web.config file in a `<location path="." inheritInChildApplications="false">` element, so that those sections apply to the parent site only and are not merged into the child application's configuration.
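A minimal parent web.config laid out this way, as an added example for this article (not from Rick Strahl's post or the original); the section contents, module and connection string are placeholders:

```xml
<?xml version="1.0"?>
<configuration>
  <!-- <configSections> cannot be placed inside <location>; it stays at the top. -->

  <!-- Everything inside this element applies to the parent site only and is
       not merged into the web.config of child applications. -->
  <location path="." inheritInChildApplications="false">
    <connectionStrings>
      <add name="MainDb"
           connectionString="Server=.;Database=Main;Integrated Security=true"
           providerName="System.Data.SqlClient" />
    </connectionStrings>
    <system.web>
      <compilation debug="false" targetFramework="4.0" />
      <httpModules>
        <add name="ParentOnlyModule" type="ParentSite.ParentOnlyModule, ParentSite" />
      </httpModules>
    </system.web>
  </location>

  <!-- Anything left outside the <location> element is still inherited
       by child applications. -->
</configuration>
```

The quick test is to browse the child application after the change: errors such as a duplicate connection string name or a "could not load type" for a parent-only module disappear, because the child no longer sees those sections. Keep settings you actually want shared (for example a site-wide `<customErrors mode="On">`) outside the `<location>` element.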