Tuesday, June 8, 2021

Setting samesite:strict in pre .Net 4.7.2 versions to fix CSRF

CSRF (cross-site request forgery) is a web attack in which the attacker's site, open in the same browser as our web application, makes HTTP requests to our application that are treated as coming from the signed-in user. This happens when our authentication mechanism is based on cookies, because the browser attaches those cookies to requests made from the attacker's site as well. When the attacker's site posts a form or makes an HTTP GET call, the cookie is transmitted to our web application, which identifies the request as coming from a valid user.

How to fix it?

There are 2 ways to my understanding.

Traditional (Pre SPA - Single Page Application)

This method relies on one more security measure on top of the authentication cookie, commonly called the RequestVerificationToken. Below is how it works:

  1. When the page is served to the client, the server injects an encrypted token into a hidden field.
  2. The client fills in the form and submits it.
  3. The server validates the incoming POST request for the hidden field. If the field is missing, or cannot be decrypted with the key in hand, the request is rejected.

Now think about the attacker's site posting back: that request carries the cookie but not the hidden field, because the attacker's site cannot access the DOM of our web application.

SPA

The SPA model doesn't use page-level postbacks. Instead, it sends and receives data in AJAX requests. The web application's static assets (HTML, JS & CSS) are normally loaded when the application first loads, and may even be served from a CDN. We cannot use the RequestVerificationToken via the hidden field here, as the page is not posted back when we perform operations.

Here we have another way, which fixes the original problem directly: stop the browser from sending the auth cookie when a request is made from another web page, usually the attacker's site. To tell the browser not to share the cookie, we can use the SameSite attribute on the authentication cookie. This should be done by the server at the time of initial login, and the value should be set to SameSite=Strict.

Now we are going to see how to set the SameSite attribute to Strict in ASP.Net.

Setting Same-Site to Strict in ASP.Net

If we are using a recent version of .Net, starting from 4.7.2, it is as easy as the code snippet below.
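The post's own snippet is not reproduced here. As an added example (not the author's code), the block below shows the pre-4.7.2 approach the title refers to: `HttpCookie` has no `SameSite` property in those framework versions, so the attribute is appended to the raw `Set-Cookie` header just before the response headers are sent. The `Apply` wiring and the `Global.asax` hook are assumptions about how a typical Forms Authentication site would call it.

```csharp
using System;
using System.Linq;
using System.Web;

// Added example, not code from the original post.
public static class SameSiteStrictFixup
{
    // Pure helper over raw Set-Cookie header values: appends "; SameSite=Strict" to the
    // named cookie unless a SameSite attribute is already present. Other cookies pass through.
    public static string[] AddSameSiteStrict(string[] setCookieHeaders, string cookieName)
    {
        if (setCookieHeaders == null) return new string[0];
        string prefix = cookieName + "=";
        return setCookieHeaders
            .Select(raw =>
                raw.StartsWith(prefix, StringComparison.Ordinal)
                && raw.IndexOf("SameSite=", StringComparison.OrdinalIgnoreCase) < 0
                    ? raw + "; SameSite=Strict"
                    : raw)
            .ToArray();
    }

    // Pre-4.7.2 wiring: rewrite the headers just before they are sent. This needs the IIS
    // integrated pipeline (Response.Headers throws PlatformNotSupportedException in classic
    // mode). Hook it up in Global.asax (assumed placement):
    //
    //   protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    //   {
    //       SameSiteStrictFixup.Apply(HttpContext.Current.Response,
    //                                 System.Web.Security.FormsAuthentication.FormsCookieName);
    //   }
    public static void Apply(HttpResponse response, string cookieName)
    {
        string[] values = response.Headers.GetValues("Set-Cookie");
        if (values == null) return;
        string[] rewritten = AddSameSiteStrict(values, cookieName);
        response.Headers.Remove("Set-Cookie");
        foreach (string v in rewritten)
            response.Headers.Add("Set-Cookie", v);
    }
}
```

On 4.7.2 and later the header rewrite is unnecessary: set `cookie.SameSite = SameSiteMode.Strict` when issuing the cookie, or configure it once in web.config with `<httpCookies sameSite="Strict" />`. One operational caveat with Strict: a user who arrives at the site by following a link from elsewhere (an e-mail, another site) lands without the cookie and appears logged out, which is why many sites settle on Lax for the session cookie and reserve Strict for the most sensitive ones.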

Tuesday, May 18, 2021

PowerShell to check if private key is there in certificate

This is a small tip that can be considered a continuation of an older post about validating an X509 certificate using PowerShell. As we all know, PowerShell is the way to execute almost anything in production, where using any other software is prohibited.

The new problem encountered was that the certificate is there but has no private key. When we use that certificate to obtain an Azure AAD token, it fails. Below goes the snippet to check.
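The post's PowerShell snippet is not reproduced here. As an added C# counterpart (not the author's code), the block below does the same check from a .Net process and also covers the case that usually bites in production: `HasPrivateKey` is true, but the key container is missing or its ACL excludes the service account, so the first signing attempt fails. The thumbprint is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the post's PowerShell snippet.
public static class CertPrivateKeyCheck
{
    // Reports whether the certificate carries a private key this process can actually open.
    // cert.HasPrivateKey alone is not enough: it can be true while the key container is
    // missing or not accessible to the current account, which surfaces as a
    // CryptographicException the moment the key is used.
    public static bool HasUsablePrivateKey(X509Certificate2 cert)
    {
        if (cert == null || !cert.HasPrivateKey) return false;
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                return rsa != null; // null means the key is not RSA (e.g. ECDSA)
            }
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    // Looks up a certificate by thumbprint in the personal store of the given location.
    // validOnly is false so an expired or untrusted certificate is still found and reported.
    public static X509Certificate2 FindByThumbprint(string thumbprint, StoreLocation location)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0 ? found[0] : null;
        }
    }

    public static void Main()
    {
        // Placeholder thumbprint; replace with the real one for the AAD app certificate.
        X509Certificate2 cert = FindByThumbprint("THUMBPRINT-PLACEHOLDER", StoreLocation.LocalMachine);
        Console.WriteLine(cert == null ? "certificate not found"
            : HasUsablePrivateKey(cert) ? "private key present and accessible"
            : "private key missing or not accessible to this account");
    }
}
```

Run it under the same account the application uses (the service identity, not an administrator's shell), otherwise the ACL case is masked and the check passes where the application will later fail.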

Tuesday, May 4, 2021

Uncomment section in XML file using C#.Net

Requirement 

As part of the installation, some XML fragments (e.g. <authentication>) need to be uncommented in the web.config file based on the environment. This can be done either via PowerShell or C#.Net, as it has to be triggered from the MSI installation, never during the runtime of the application.

Alternatives

We can either do string-based detection and replacement, or use the XML parser of .Net. Since the string approach is complex, let us stick with the .Net library to do the replacement.

Solution

The code snippet below replaces the commented <authentication> tag in the XML with its uncommented version.
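The post's own snippet is not reproduced here. As an added example (not the author's code), the block below implements the approach described: find comment nodes whose body is an <authentication> element, parse that body as an XML fragment, and replace the comment node with the parsed element. The sample web.config fragment is constructed for the example, and the file path handling in `UncommentInFile` is an assumption about how the installer would call it.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example, not the post's own snippet.
public static class WebConfigUncomment
{
    // Turns every comment whose body is an <elementName ...> fragment back into live XML by
    // parsing the body as a fragment and replacing the comment node with it.
    // Returns how many comments were converted.
    public static int UncommentElement(XmlDocument doc, string elementName)
    {
        // Snapshot the candidates first: the tree is mutated while we walk it.
        var candidates = new List<XmlComment>();
        foreach (XmlComment c in doc.SelectNodes("//comment()"))
        {
            if (c.Value.Trim().StartsWith("<", StringComparison.Ordinal))
                candidates.Add(c);
        }

        int converted = 0;
        foreach (XmlComment c in candidates)
        {
            XmlDocumentFragment frag = doc.CreateDocumentFragment();
            try { frag.InnerXml = c.Value.Trim(); }
            catch (XmlException) { continue; } // comment is not well-formed XML; leave it alone

            // Only act when the parsed fragment really is the element we were asked for.
            XmlElement first = frag.FirstChild as XmlElement;
            if (first == null || first.LocalName != elementName) continue;

            c.ParentNode.ReplaceChild(frag, c);
            converted++;
        }
        return converted;
    }

    // Loads the file, uncomments, and writes it back in place. PreserveWhitespace keeps the
    // original layout so the installer's change shows up as a minimal diff.
    public static int UncommentInFile(string path, string elementName)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(path);
        int n = UncommentElement(doc, elementName);
        if (n > 0) doc.Save(path);
        return n;
    }

    // Constructed sample: the kind of web.config fragment an installer switches on.
    public const string Sample =
@"<configuration>
  <system.web>
    <!-- <authentication mode=""Windows"" /> -->
    <compilation debug=""false"" />
  </system.web>
</configuration>";

    public static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Sample);
        int n = UncommentElement(doc, "authentication");
        Console.WriteLine(n + " comment(s) converted");
        Console.WriteLine(doc.OuterXml);
    }
}
```

Parsing the comment body instead of pattern-matching on the string is what makes this safe against the usual surprises (attributes in a different order, extra whitespace, a self-closing versus an open tag): anything that does not parse to the expected element is left untouched, so a bad run fails closed rather than producing a half-edited web.config.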