Visual Input Security 1.0
Protect Your ASP.NET Web Sites
By Don Kiely
Security is difficult. And Web security including that for ASP.NET applications is amongst the most difficult kinds of security to get right, because, by its very nature, applications are permanently connected to the Internet. Peter Blum has risen to the challenge and released Visual Input Security 1.0 (VISE). This collection of powerful tools, validators, and support engines makes it possible for mere mortals to develop highly secure Web sites.
VISE is designed to protect your site from the various kinds of input attacks currently in vogue (including SQL injection, cross-site scripting, and tampering), as well as to help divert repeated attacks. As described in the documentation, it is built on a best practice, multi-part strategy that is designed to:
- block exceptions and diagnostic errors from getting into the hands of hackers (which they could exploit);
- log those exceptions for your own use;
- detect and block hacking attempts on every input of every page in your Web application; and
- log the hacking attempts to keep you informed.
VISE is a comprehensive product consisting of several kinds of components: a security analysis report to provide you with feedback about the security of each page, page and field validator controls that provide a variety of protection services, logging to help you monitor a site, and detection engines for SQL and script injection attacks. What is most impressive is that it demonstrates defense in depth, with a variety of tools and approaches that can add significant resilience to a site.
VISE is built on top of the company's Professional Validation and More (VAM) product, a collection of 22 validators that go well beyond those in ASP.NET. In this article I'll focus on VISE, but keep in mind that VAM provides much of the necessary infrastructure to drive the VISE security features. Also keep in mind that because VAM is priced on a per-server basis (US$100 per server for the full Level 2 package, or US$500 for a site license), your cost will be more than the VISE package alone. However, the total cost is eminently reasonable for all the features you get.
Protecting a Page
We Web developers might wish for a product that we can install and forget about while enjoying rock-solid security. But such a dream is a fantasy until the Web itself becomes more secure. Even with VISE, it takes some hard work to secure input pages. But at least with VISE, the tools and components eliminate some of the guesswork and provide a solid infrastructure for security.
For each input page in your application, you'll need to perform several steps using both ASP.NET and VISE tools. Start by converting any existing ASP.NET validation controls to VAM controls. You'll need to do a complete conversion because VAM provides an entire framework for validation that is quite different from that in ASP.NET (VAM provides a tool to automate the process, Convert Page to VAM.exe). It's a little tedious to convert each page one at a time with the tool, but it's much faster than doing it by hand. It does tasks such as adding VAM @Register tags to a page and converting IsValid and Validate method calls to VAM's versions.
The next step is to turn off ASP.NET 1.1's validateRequest protections. From now on you'll be relying on VAM's much more robust version to protect your pages.
Next, add VISE's PageSecurityValidator server control to the page. This control provides most of the page-wide security protections, as well as lets you turn on and off specific kinds of protections, such as different types of scripting attack protection. You'll also use the features of this control to produce security analysis reports.
Next, run the page. The Security Analysis Report generates a report for the page automatically. Check the report. Now go back and take care of any security holes the report reveals, including adding more validation controls from both VAM and VISE to tighten security on the page.
For example, you might use the FieldSecurityValidator control on text boxes that accept data that is stored as text. Its SQLDetectionLevel property gives you control over how strict its parsing is for SQL injection. Its HTMLTagMode and HTMLTags properties give you control over the HTML tags permitted. It also has SQLCommunicationMode and ScriptCommunicationMode properties that let you control whether an attack is logged and how an error is shown. When it detects an attack you can have it log everything without reporting errors to the user. You can also have it respond to severe errors by redirecting to another page. These responses are designed to let legitimate users have a pleasant experience at your site while frustrating hackers attempting to hack the site.
You can also eliminate what VISE calls safe controls from the overhead of protection. A safe control, such as a button or checkbox, never returns unsafe data to the server. You specify safe controls by calling the PageSecurityValidator's ThisControlIsSafe method.
Whew! That's already a lot of work, but the controls and tools in VAM and VISE have done most of the hard stuff. But now you need to keep pushing on, adding protections such as specifying character encoding for the page, checking for and protecting any querystring or cookie names not caught by the Security Analysis Report, making sure that querystring parameters don't contain sensitive information, and so on. And you can use VISE's Slow Down Manager to slow down page responses to a hacker when it detects an attack.
You can carefully hand craft Web pages all day with security firmly in mind, but it is all too easy to let little holes slip in, such as forgetting to add validation to a single control. Such a slip is all that is needed to give an attacker the opening to take control of your site. With that in mind, one of the best features of VISE is the Security Analysis Report (see Figure 1). For any page you choose to report on, it provides a complete analysis of the routes for visual input attacks, including visible and hidden form fields, cookies, and querystrings.
Figure 1: The Security Analysis Report can provide an analysis of any Web page in your application. It examines each input control to make sure that they are protected against attacks via visible and hidden form fields, querystrings, and cookies.
Setting up a page to produce an analysis report requires a bit of painstaking instrumenting, most of which is handled by the steps required to protect a page (as previously discussed). However, VISE doesn't generate a report automatically for every page in your site. Because most sites have input on only a handful of pages, and none on the vast majority, analyzing every page would be a waste of processing cycles.
You can t have security without logging and auditing, so VISE provides the LogAndRespond engine. The engine supports logging problems and attacks to the Windows event log, a text file, e-mail, or to custom logs using your own code. It can also respond to attacks by automatically redirecting to another page or throwing an exception. Because many attacks require persistent manual or automated probing of a page, these responses can make it so hard to hack your site that hackers will look elsewhere before discovering an overlooked hole.
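The following is an added illustration, not VISE or VAM code: every type, member and enum value in it is hypothetical, and the sample inputs are constructed. It sketches the field-level pattern described above for FieldSecurityValidator and the LogAndRespond engine in plain C#: a check with a configurable SQL-detection strictness, an HTML tag allowlist, a set of safe controls that are skipped, and a communication mode that decides whether a finding is only logged or also surfaced to the user.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Hypothetical names constructed for this example; they are not VISE's API.
public enum SqlDetectionLevel { Low, Medium, High }
public enum CommunicationMode { LogOnly, LogAndShowError, LogAndRedirect }

public sealed class FieldCheckResult
{
    public string ControlId;
    public bool SqlSuspect;
    public List<string> DisallowedTags = new List<string>();
    public bool IsClean { get { return !SqlSuspect && DisallowedTags.Count == 0; } }
}

public sealed class FieldSecurityCheck
{
    public SqlDetectionLevel SqlLevel = SqlDetectionLevel.Medium;
    public CommunicationMode Mode = CommunicationMode.LogOnly;
    public string RedirectUrl = "/blocked.aspx";           // constructed sample path
    public HashSet<string> AllowedHtmlTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "b", "i", "p" };

    readonly HashSet<string> safeControls = new HashSet<string>();
    readonly List<string> log = new List<string>();     // stand-in for event log / file / e-mail sinks

    // Counterpart of the "safe control" idea: buttons and checkboxes never carry free text,
    // so they are excluded from the check and its overhead.
    public void MarkControlSafe(string controlId) { safeControls.Add(controlId); }

    // Detection tiers; each level applies the patterns of the levels below it plus its own.
    // Higher levels catch more but also flag more ordinary text (e.g. a "--" in a sentence).
    static readonly Regex[] Tiers =
    {
        new Regex(@"\b(union\s+select|drop\s+table|insert\s+into)\b", RegexOptions.IgnoreCase), // Low
        new Regex(@"'\s*or\s+\S+\s*=\s*\S+", RegexOptions.IgnoreCase),                        // Medium: quote + tautology
        new Regex(@"(--|/\*)"),                                                                  // High: SQL comment tokens
    };
    static readonly Regex TagPattern = new Regex(@"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)");

    public FieldCheckResult Check(string controlId, string value)
    {
        var result = new FieldCheckResult { ControlId = controlId };
        if (safeControls.Contains(controlId) || string.IsNullOrEmpty(value)) return result;

        int tiersToApply = (int)SqlLevel + 1;            // Low=1, Medium=2, High=3
        for (int i = 0; i < tiersToApply; i++)
            if (Tiers[i].IsMatch(value)) { result.SqlSuspect = true; break; }

        // Allowlist: any tag name not explicitly permitted is reported.
        foreach (Match m in TagPattern.Matches(value))
        {
            string tag = m.Groups[1].Value;
            if (!AllowedHtmlTags.Contains(tag)) result.DisallowedTags.Add(tag);
        }

        if (!result.IsClean) Respond(result, value);
        return result;
    }

    // Communication mode: always log, then decide what (if anything) the user sees.
    void Respond(FieldCheckResult r, string value)
    {
        log.Add(string.Format("{0:u} control={1} sql={2} tags=[{3}] len={4}",
            DateTime.UtcNow, r.ControlId, r.SqlSuspect, string.Join(",", r.DisallowedTags), value.Length));
        switch (Mode)
        {
            case CommunicationMode.LogOnly: break;      // silent: the sender learns nothing from the response
            case CommunicationMode.LogAndShowError: Console.WriteLine("Input rejected for " + r.ControlId); break;
            case CommunicationMode.LogAndRedirect: Console.WriteLine("Redirect -> " + RedirectUrl); break;
        }
    }

    public IReadOnlyList<string> Log { get { return log; } }
}

public static class Demo
{
    public static void Main()
    {
        var check = new FieldSecurityCheck { SqlLevel = SqlDetectionLevel.Medium, Mode = CommunicationMode.LogOnly };
        check.MarkControlSafe("btnSubmit");

        // Constructed sample inputs.
        Console.WriteLine(check.Check("txtComment", "Nice <b>article</b>, thanks.").IsClean); // allowed tag only
        Console.WriteLine(check.Check("txtComment", "<script>alert(1)</script>").IsClean);     // tag not on the allowlist
        Console.WriteLine(check.Check("txtName", "x' OR 1=1").IsClean);                        // tautology caught at Medium
        Console.WriteLine(check.Check("txtName", "see README -- part two").IsClean);           // "--" only flagged at High
        Console.WriteLine(check.Check("btnSubmit", "' OR 1=1").IsClean);                       // safe control, skipped
        Console.WriteLine("log entries: " + check.Log.Count);
    }
}
```

Pattern matching of this kind is a second line of defense behind parameterized queries and output encoding; the tiers exist because stricter patterns (such as flagging `--`) raise false positives on ordinary text, which is the trade-off a property like SQLDetectionLevel lets you choose. The log records the control name and the payload length rather than the raw value, so the log itself does not become a channel for injected markup when viewed in a browser-based log viewer.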
VAM enhances the visual development environment in various ways, and includes an assortment of tools to make it easier. One is the ASP.NET Design Mode Extender, a VS.NET add-in that provides easy access to the web.config file and file paths to your Web applications. It automatically configures an application at design time to use the enhanced design features, and provides a tool to automatically configure the application (see Figure 2).
Figure 2: The ASP.NET Design Mode Extender utility automatically appears and sets up required paths for you when you create a new ASP.NET project.
The VISE Package
Installing VISE is a moderately daunting mix of automated setups and manual actions, and the complexity is far more than doubled if you don t already have the VAM product installed. The steps are laid out in painstaking detail in PDF installation guides (with more than 30 pages for each product), including use with VS.NET and DotNet Matrix, various development scenarios, and troubleshooting. And, of course, you need to perform most of the steps on both development and production machines, as well as some of the steps for each new ASP.NET application.
Pay close attention to these documents and follow them carefully; otherwise, you'll not be happy with the results. For example, I had a hard time getting the licenses installed correctly. The instructions are clear and complete, but I simply glossed over the steps too quickly and then just couldn't see my multiple errors. The licensing scheme is not onerous, but it requires careful attention to configure.
Although I suppose more of the installation process could be automated, VISE and VAM poke into so many corners of VS.NET and ASP.NET that it would be hard to simplify the process. Besides, it proved to be a great way to familiarize myself with the many components of the products as I explored the copious documentation. However, closer integration with the templates for a new ASP.NET application would be a big timesaver.
Like any good, contemporary .NET product, VISE relies heavily on .config files to control its many options. As you can see in Figure 3, the files are heavily commented with many standard options.
Figure 3: The VISE .config files have most security features enabled, with many more already set up for use. Simply uncomment an option and you're done!
The package seems to have all the flexibility you need for use on a hosted server when you don t have admin access to all of the IIS configuration options. But you ll want to take a careful look and make sure that it will work in your environment, particularly because there is so much work in setting up VAM and VISE on a server.
The documentation in VAM and VISE is so detailed and complete, it's almost scary. There's no way I'm going to ever show any of my clients the docs because that will raise the bar way too high for my own documentation. The author makes effective use of the features of the Adobe Acrobat PDF format, and includes plenty of samples, step-by-step descriptions, and some good explanations of security concepts.
It hasn't been since Dan Appleman released his first Desaware products that I remember a development tool vendor being so concerned that his customers both buy into and understand the issues in using a product. Peter Blum is quite careful to make sure that users understand exactly what his product can and cannot do to protect Web sites, and he offers plenty of educational information along the way. Security is difficult, and to tell the truth, VISE really only makes it more difficult. But VISE also dramatically increases the chances that your site will be well protected against known threats and will slow down hackers using new attacks.
Attention to Detail
One of the most impressive things about VISE is the attention to detail provided by the author. You have the maximum flexibility to adapt the product to various environments, such as the option to install the DLLs to the GAC or an application's \bin folder to accommodate deployment to hosted servers. The documentation is full of samples about how to do things in your application, and many options are included but commented out so you don't have to write the code. There are even detailed instructions about using the products in partial trust environments. And everything has the AllowPartiallyTrustedCallers attribute. Kudos to the author for enabling partially trusted development!
Dropping VISE into an ASP.NET application is not going to automatically make it secure against attacks. That's an impossible dream at this point in the Web's development. But VISE provides strong tools and feedback that make robust security possible and financially feasible for real-world applications. I highly recommend VISE for all Web developers who are serious about building secure sites.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected].
Web Site: http://www.peterblum.com
Price: US$250 (requires the company's Professional Validation and More product at an additional cost)