Secure Web Pages In Web.config



26 Jan 2011, CPOL
Ways in which you can prevent someone from decrypting ViewState data

Introduction

The ASP.NET ViewState is a client side state management mechanism. The ViewState is stored in a hidden field with an ID __VIEWSTATE. Typically, stored ViewState information looks like:

Now let us look at the value. It looks like an encrypted string, but it is nothing more than a Base64 encoded string, not an encrypted one, so it can be easily decoded.

The main reasons for using Base64 encoding are as follows:

  1. Base64 makes a string suitable for HTTP transfers
  2. It makes it a little harder to read

But people often get confused that this is an encrypted string.

Let us try to decode the string using ViewState Decoder (a nice tool created by Fritz Onion).

After decoding the string, we can see the exact data that is stored inside the ViewState.

You can write a few lines of code to decode the text and you will get the actual View State information.

So here is how the ViewState works:

By default, ViewState is serialized into a Base-64 encoded string. On postback, the ViewState information is loaded and reapplied to the persisted state of the control in the control hierarchy.
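As an added example that is not part of the original article, the following Python decoder does for a constructed sample what the ViewState Decoder tool mentioned above does: it Base64-decodes the field and walks the ObjectStateFormatter (LOS) token stream. The token ids are those of System.Web's ObjectStateFormatter; the sample value, its contents and the function names are constructed here, and the reader covers only the token types the sample uses.

```python
import base64
# Token ids of System.Web.UI.ObjectStateFormatter, the "LOS" format behind __VIEWSTATE.
T_INT32, T_STRING, T_PAIR, T_ARRAYLIST = 2, 5, 15, 22
T_SIMPLE = {100: None, 101: "", 102: 0, 103: True, 104: False}  # Null, EmptyString, ZeroInt32, True, False
LOS_HEADER = b"\xff\x01"  # format marker + version 1

class LosReader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, len(LOS_HEADER)  # start right after the header

    def byte(self) -> int:
        self.pos += 1
        return self.data[self.pos - 1]

    def int7(self) -> int:
        # BinaryWriter.Write7BitEncodedInt: 7 data bits per byte, high bit set means "more follows"
        b, value, shift = 0x80, 0, 0
        while b & 0x80:
            b = self.byte()
            value |= (b & 0x7F) << shift
            shift += 7
        return value

    def value(self):
        t = self.byte()
        if t in T_SIMPLE:
            return T_SIMPLE[t]
        if t == T_INT32:
            return self.int7()
        if t == T_STRING:  # BinaryWriter.Write(string): 7-bit length prefix, then UTF-8 bytes
            n = self.int7()
            self.pos += n
            return self.data[self.pos - n:self.pos].decode("utf-8")
        if t == T_PAIR:
            return (self.value(), self.value())
        if t == T_ARRAYLIST:
            return [self.value() for _ in range(self.int7())]
        raise ValueError(f"unsupported LOS token 0x{t:02x} at offset {self.pos - 1}")

def is_plain_los(field: str) -> bool:
    # True when the value is an unencrypted LOS stream, i.e. readable by anyone who Base64-decodes it.
    return base64.b64decode(field).startswith(LOS_HEADER)

def decode_viewstate(field: str):
    if not is_plain_los(field):
        raise ValueError("not a plaintext LOS stream: encrypted, or a different format")
    return LosReader(base64.b64decode(field)).value()

# Constructed sample: Pair(Int32 12345, ArrayList["Hello", 42, True]); 12345 is 7-bit encoded as b9 60.
SAMPLE_B64 = base64.b64encode(LOS_HEADER + b"\x0f\x02\xb9\x60\x16\x03\x05\x05Hello\x02\x2a\x67").decode()
```

`is_plain_los` is the quick check for a captured __VIEWSTATE value: if the ff 01 header is there, the content is readable without any key.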

Solution

There are two different ways in which you can prevent someone from decrypting ViewState data.

When we use EnableViewStateMac='True', ASP.NET internally computes a hash code when the ViewState is saved. This hash code is a cryptographically strong checksum; it is appended to the ViewState content and stored in the hidden field. During postback, ASP.NET verifies the checksum again, and if there is a mismatch, the postback is rejected.

  1. You can make sure that the ViewState information is tamper-proof by using 'hash codes'. You can do this by adding EnableViewStateMAC=true in your page directive. MAC stands for 'Message Authentication Code'.
  2. The second option is to set ViewStateEncryptionMode='Always' with your page directives. This will encrypt the ViewState data. You can do this like:

ViewStateEncryptionMode has three different options that can be set:

  • Always: Encrypt the ViewState always.
  • Auto: Encrypt if a control requests encryption. For this to happen, the control must call the Page.RegisterRequiresViewStateEncryption() method.
  • Never: Never encrypt the ViewState.

If you set ViewStateEncryptionMode='Always' and try to decode ViewState data, you will get information as shown below:

We can also enable these settings for EnableViewStateMAC and ViewStateEncryptionMode in web.config:

Note: Try to avoid ViewState encryption if it is not necessary as it can cause performance issues.
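To make the difference between the two options concrete, here is an added Python model (not ASP.NET's own code or wire format) of what EnableViewStateMAC does: the serialized state is kept as-is and a keyed hash is appended, so the MAC proves integrity on postback but the payload stays readable; only ViewStateEncryptionMode hides the content. The key, state bytes and function names are constructed here; ASP.NET derives its key from the machineKey validationKey and its exact layout differs.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the validationKey from <machineKey>; ASP.NET reads it from web.config.
VALIDATION_KEY = bytes.fromhex("0123456789abcdef" * 8)
TAG_LEN = hashlib.sha256().digest_size

def protect(state: bytes, key: bytes = VALIDATION_KEY) -> str:
    """Model of EnableViewStateMAC: append a keyed checksum, then Base64 the whole field."""
    tag = hmac.new(key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode()

def verify(field: str, key: bytes = VALIDATION_KEY) -> bytes:
    """Model of the postback check: recompute the MAC; any mismatch rejects the postback."""
    raw = base64.b64decode(field)
    if len(raw) < TAG_LEN:
        raise ValueError("Validation of viewstate MAC failed: field too short")
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("Validation of viewstate MAC failed")
    return state

def readable_state(field: str) -> bytes:
    """What anyone holding the field can see: with a MAC alone, the state bytes are not hidden."""
    return base64.b64decode(field)[:-TAG_LEN]

def tamper_is_rejected(field: str, key: bytes = VALIDATION_KEY) -> bool:
    """Flip one bit of the stored state and confirm the postback check rejects it."""
    raw = bytearray(base64.b64decode(field))
    raw[0] ^= 0x01
    try:
        verify(base64.b64encode(bytes(raw)).decode(), key)
        return False
    except ValueError:
        return True

# Constructed state bytes standing in for a serialized page state.
STATE = b"\xff\x01\x0f\x05\x05Hello\x02\x2a"
FIELD = protect(STATE)
```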

If you are a beginner to ViewState, please read my article on ViewState – Beginner’s Guide to View State.

15 Jul 2014, CPOL

Introduction

This tip explains how to encrypt the connection string in Web.Config to improve security and keep the database connection details protected. There is a lot of other sensitive information that can be encrypted, but in this tip I'll talk specifically about encrypting the ConnectionString in the Web.Config file.

Why Is It Important?

Encrypting sensitive sections of the Web.Config is important because they are just that: sensitive. Think about a production Web.Config file. It may contain all the information required to run your web application. There are often passwords for SQL database connections, SMTP servers, API keys, or other critical information. In addition, Web.Config files are usually treated as just another source code file, which means any developer on the team, or more accurately anyone with access to the source code, can see what information is stored in the Web.Config file.

Encrypting the Connection String

In our example, we will encrypt ConnectionString in our Web.Config file.

Before Encrypting Web.Config

If you look at the Config file below, it is easily readable. This is not secure if anyone has access to your Web.Config file.

Encrypting Web.Config

  1. Open Command Prompt with Administrator privileges
  2. At the Command Prompt, enter:
  3. In case your Web.Config is located in the 'D:\Articles\EncryptWebConfig' directory, enter the following to encrypt the ConnectionString:

    Use the Aspnet_regiis.exe tool with the -pef option and specify the application path as shown above.

    Note: The parameter 'connectionStrings' is case sensitive.

After Encrypting Web.Config

After encrypting your ConnectionStrings section, your ConnectionStrings will not be in a readable format.
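The before/after states described above can be checked automatically. The following Python script is an added example (not part of the original tip): it parses web.config files, treats a connectionStrings section as protected only when it carries the configProtectionProvider attribute and an xmlenc EncryptedData child (the shape aspnet_regiis -pef produces), and flags any readable entry that still carries an inline password. The two config fragments, the regex and the function name are constructed here; the ciphertext is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

ENCRYPTED_DATA = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"
SECRET_IN_CS = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)  # inline credential markers

def audit_connection_strings(config_xml: str) -> list:
    """One finding per connectionStrings section or entry: encrypted, plaintext credentials, or plaintext."""
    findings = []
    for section in ET.fromstring(config_xml).iter("connectionStrings"):
        provider = section.get("configProtectionProvider")
        if provider and section.find(ENCRYPTED_DATA) is not None:
            findings.append(f"encrypted by {provider}")
            continue
        for entry in section.findall("add"):
            kind = "plaintext credentials" if SECRET_IN_CS.search(entry.get("connectionString", "")) else "plaintext"
            findings.append(f"{kind} in '{entry.get('name')}'")
    return findings

# Constructed 'before' file: the readable section that aspnet_regiis -pef starts from.
PLAIN_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=App;User Id=app;Password=NotARealPassword"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

# Constructed 'after' file: the shape of an RsaProtectedConfigurationProvider section (ciphertext is a placeholder).
ENCRYPTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""
```

Run it over every web.config in a deployment tree to find sections that were never encrypted, or that were decrypted with -pdf for editing and not re-encrypted.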

Accessing Decrypted Configuration Settings

It’s very good to know that ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings. You can run your existing application by encrypting your Web.Config file and it will run perfectly without any modification to your existing code. Isn't that interesting?

Decrypting the Connection String

Is it possible to decrypt my Web.Config so that I can read it in original format?

Yes, it is possible.

Simply perform the following command to decrypt the connectionStrings element in the Web.config file.

Note: The parameter 'connectionStrings' is case sensitive.

Questions and Answers

1. You might ask: if the Web.Config file can be encrypted and decrypted using ASPNET_REGIIS, then anyone who has access to the Web.Config file can decrypt the content, right?

To answer this question, I would say no: when you encrypt your Config file, the keys are stored on your machine, so if you copy the Config file to a different system and try to decrypt it, you might get an error.

Pros

  1. Web.Config sensitive information is not in a readable condition (after encryption)
  2. You don't have to explicitly write code to decrypt the Web.Config file as ASP.NET automatically decrypts the configuration and processes your request

Cons

  1. You can't modify the encrypted content on the fly. It requires you to decrypt the content before editing.

Points of Interest

Web.Config encryption only takes a couple of moments and provides much more security than a clear-text file. It may not be enough to thwart a hacker who has full access to your entire server.

I'm encrypting all my sensitive data stored in Web.Config after learning the concept of encryption. How about you?

History

  • 07/11/2014: Created
  • 07/15/2014: Updated broken link to download source code.