Professional Documents
Culture Documents
Semestrial Report on
Semester: V
Module: ?
ECTS: 10
Verified: ?
Team number: ?
Team Members:
Cavcaliuc Nina
Fistic Cristofor
Gurduza Vasile
Popov Eliodor
Turcanu Ana
Chișinău, 2020
Table of Contents
Abstract .................................................................................................................................
1. Introduction .......................................................................................................................
2.1. The Aim of the Platform. The Necessity for Security .........................................
2
6.2.4. Front-end .............................................................................................
7. Conclusions .....................................................................................................................
References ....................................................................................................................
Appendices ......................................................................................................................
3
Abstract
This report is made for academic purposes and is intended to document the project under
which a secure software application has been developed. The project was made during the 5th
semester of Software Engineering, under the Department of Software Engineering and
Automatics at the Technical University of Moldova, and was supervised by prof. Bulai Rodica
and Ion Gandrabura, employee at “Amdaris” SRL. In this report is described an application
that was develop for solving a problem in local community and the whole process of
development of the application. A special aspect that was highlighted during the development
of the application was security and in this report, it is also described what was done to make
application to have a high level of security.
4
1. Introduction
Software security is an aspect of application development, which should not be avoided
if the intent is to keep integrity and provide functionality. Software security is a process that is
created, designed and tested during the pre-deployment phase. Security means not only
implementing the most suitable securing mechanisms, but also, creating code that is easier to
protect.
For large enterprises, a single gap in the security of an application can mean a
tremendous loss. For example, the well-known Sony Pictures was attacked with a simple SQL
injection by a hacker group, in 2011, which resulted in the exposure of personal data of over 1
million accounts, including passwords, electronic mail and home addresses, and birth dates. In
2017, HBO, a large broadcasting company was hacked, resulting in the release of a screenplay
episode of a not yet broadcasted TV series. The hacker gained access to financial documents,
as well as contact and confidential information of the actors and the film crew.
The examples above show how much of an impact has security on the integrity of
software. It is favorable to implement it from scratch at the designing stage, since it is better to
prevent malicious attacks than to treat them subsequently.
In the present report, the following two initiatives are tackled: the development of a
software application based on a problem, which has to be validated by potential users through
open survey, and eventually, the implementation of security over the created platform during
the pre-deployment phase. The application will be conceptualized and validated in the Problem
Formulation chapter. In the following chapter the planning of the research for the project will
be documented. The next chapters will deal with the exploration of the theoretical context of
the problem, data collection and analysis of data. The final chapter will describe the solutions
and approaches that were developed for this project, related to the intent of the application but
also, related to the security of it.
5
2. Problem Formulation
This chapter will describe the problem that is going to be tackled and solved by the
platform. The necessity for securing the application will be proven, along with formulating the
problem statement. Subsequently, the process of validating the problem will be described in
the last section of this chapter, in order to prove its actuality.
Imagine this scenario: You are student or a professor and you’re doing a research for
getting a degree. You are just about to discover some very important matter which your work
is related to. However, you still need to see one more specific book you know about, in order
to be sure of your discovery. This book is very rare, it does not sell in your country. You are
interested to find out who owns this book, regardless of where they live, and ask them to buy
it or borrow it, in order for you to be able to complete your thesis. How can you easily do that?
Or this: You decided to renew your personal at-home library and you own a large
amount of books that you do not need anymore. You decided to sell or donate them to anyone
interested, as quickly as possible. A Facebook group will not help you, because you’re looking
for a wider target of clients, regardless of where they live in the world. What is the perfect
solution to your problem?
There are lots of people in and outside our country who own books that they either do
not need anymore or would like to profitably share them out. The intended web application
aims to solve the problem mentioned above. It would give any regular user the possibility of
putting their books up for sale, rent or give them away for free. Also, the same user would be
6
able to order any book found on the website and directly contact the owner for details and
specifications. Chatting with clients and owners would also be possible on the platform
directly. Means of payment would not be provided by the platform, since it is not intended to
be an online shop, but much rather an online community useful to find the product you need
from other members. The mailing of the products and money transfer are done through
particular ways which both parties (the client and the owner) agree on (which may differ from
case to case), and the risks these involve are assumed by every user. Moreover, it aims to be
straight-forward and easy to use, quick and efficient, and secure.
Security is an essential part of this application, since it would not be ready for
deployment without it. Securing the application is beneficial, or even essential for application
administrators as well as for the users. Not only is it implemented in order to prevent malicious
attacks that could destroy or malfunction, but also, in order to protect users’ personal data. In
order to keep integrity and provide functionality, the step of securing the application should
not be skipped, or the loss might be irreversible. The platform needs to be protected from
outside attacks, such as injecting foreign data into the database, or gaining unauthorized access
to prohibited data. For example, if a registered user sends the URL of the website to another
person, that person should not be able to view the page in the same way a registered user would,
until he registers himself, too. This is a measure that needs to be taken in order to protect the
platform and the personal data on it. Thus, the necessity for security is exists and is rising, in a
time where it has to keep up with the latest types of software invasions. Later in this report, the
top invasions related to the platform will be discussed and analyzed.
Today, the acts of lending and getting pre-owned books are done sporadically, through
social media website groups and acquaintances. There isn’t a unified platform where people
from anywhere in the world, who have such interest in giving and getting books could connect
7
with each other. Selling, borrowing or giving books away would serve as a benefit to the
owners, as well as other book readers, who would have the possibility to get rare copies of their
books of interest and also, get them for less money or, sometimes, even for free.
This is the problem statement that was deductively derived from analyzing the field of
interest. In order for it to be the base of the application, the next step is to prove its actuality.
This validation is described in the next section.
For the validation of the problem, a survey was done where a hundred people have been
asked if this is the case for them too, mainly: “Do you own books that you would like to sell,
donate or give away and/or have you ever needed a book that you could not find in local book
shops?”. According to the acquired data, 83% of interviewees said that they do have books at
home that they wouldn’t mind giving away and/or they did experience needing a book and not
being able to find it in local book shops. Respectively, 17% of the people who were questioned
answered “No”. Moreover, many of the ones who answered affirmatively agreed that they do
not know how to reach a wide target of clients when in need to sell a book, since the only way
that came in mind was Facebook groups and other social media promotion.
This social study helped to prove the actuality of the problem. The solution for it is the
base for the intended application, an online library system which allows users to get in contact
in order to exchange reading material.
8
3. Research Planning
This chapter wi’ll document planning from what resources the data is received and what
method of analysis will be used to obtain more information needed to make our application
better for users’ experience and for applying a high level of security.
First, what existing solution are out there, that have the serve the same purpose, that of
managing books? The most known are dedicated groups on Facebook in which people sell or
try to find a book. The method that is going to be used in order to analyze this group will be
users activity in group, how often posts are published in this group and how fast people find
what they need. Other methods of analyses will be to obtain access to documents that describe
how many people didn’t find a book that they needed and how many of them agree with prices
from library and how many of the will like to buy a book from other people. This type if
information can be taken from libraries because they make this type of analysis of market.
her data that needs to be collect is about the vulnerabilities of a web application and we
need this data to know what is needed to be improved for making a high level of security in
our application. For obtaining this information, an analysis of the top vulnerabilities of web
application is going to be made. Other method of obtaining information of such sorts is to
secure is to analysis information about frameworks that used and technologies to know what
vulnerabilities they have. Also, an analysis of data about the types of attacks that are made on
web application, needs to be done, in order to have information what needs to be secure and
what is the priority for solving each vulnerabilities. Finally, the analysis of different models of
9
developing and maintain a secure web application has to be done. For this it is needed to read
some models that were written by different specialists and to find out what is better for our
application and for our software environment. This way applying this model on our web
application will get the application a high level of security.
10
4. Theoretical Problem Context
Applications are the primary tools that allow people to communicate, access, process
and transform information. Although it is not a standalone security requirement, its increasing
risk to cause denial of service attacks makes it a highly important one.
Web application security refers to the protection of both browser endpoints, and the
APIs they connect to, against attack from Magecart/form jacking-style attacks, malicious
browser extensions, banking trojans, Malvertisements, and other cyber security threats. When
addressed properly - including JavaScript protection, threat detection and limiting API
connections to known good sites, along with defensive measures that can shut down web app
functionality in the event of an attack - effective web application security enables customers to
detect and protect against active threats, protecting businesses and consumers from data
breaches and financial losses.
Application security risks are pervasive and can pose a direct threat to business
availability. Although it is not a standalone security requirement, its increasing risk to cause
denial of service attacks makes it a highly important one. Applications are the primary tools
that allow people to communicate, access, process and transform information. How can
businesses reduce security risks around these applications? There are three front-line
approaches: Better training, more rigorous testing, and more stringent policies and procedures.
While these techniques can offer a first layer of protection, time-to-market pressures
often interfere with such approaches being followed. Too often the “It won’t happen to me”
mentality remains in place until a breach occurs that exposes known vulnerabilities.
11
A threat - is an agent that may want to or certainly can result in harm to the target
organization. Threats include organized crime, spyware, malware, adware companies, and
disgruntled internal employees who start attacking their employer. A threat is something that
may or may not happen, but if happens it has the potential to cause serious damage.
Risk - is defined as the potential for loss or damage when a threat exploits a
vulnerability. Risk is where threat and vulnerability overlap. That is, we get a risk when our
systems have a vulnerability that a given threat can attack. Computer security risks can be
created by malware that can infect your computer and put system and organization in a huge
damage. Risk can also be defined as follows:
12
The STRIDE model was developed by Microsoft in order to help security engineers
understand and classify all possible threats on a server. The name of this model is an acronym
for the six main types of threats: [1]
1. Spoofing
2. Tampering
3. Repudiation
4. Information disclosure
5. Denial of service
6. Escalation of privileges
Spoofing
Most security systems rely on the identification and authentication of users. Spoofing
attacks consist in using another user credentials without their knowledge. Typical spoofing
threats target weak authentication mechanisms, for instance those using simple passwords, like
a simple 4 digits number, or those using personal information that can be easily found, like date
or place of birth.
Tampering
Only authorized users should be able to modify a system or the data it uses. If an attacker
is able to tamper with it, it can have some consequences on the usage of the system itself, for
instance if the attacker can add or remove some functional elements, or on the purpose of the
system, for instance if important data is destroyed or modified.
Repudiation
13
Attackers often want to hide their malicious activity, to avoid being detected and
blocked. They might therefore try to repudiate actions they have performed, for instance by
erasing them from the logs, or by spoofing the credentials of another user.
Information disclosure
Many systems contain confidential information, and attackers often aim at getting hold
of it. There are numerous examples of data breaches in the recent years.
Denial of service
Escalation of privilege
Once a user is identified on a system, they usually have some sort of privileges, i.e.,
they are authorized to perform some actions, but not necessarily all of them. An attacker might
therefore try to acquire additional privileges, for instance by spoofing a user with higher
privileges, or by tampering the system to change their own privileges.
STRIDE is a model of threats, used to help reason and find threats to a system. It is
used in conjunction with a model of the target system that can be constructed in parallel. This
includes a full breakdown of processes, data stores, data flows and trust boundaries. Today it
is often used by security experts to help answer the question "what can go wrong in this system
we're working on?"
14
Each threat is a violation of a desirable property for a system:
Security has become a very important aspect of software development lately, but not
everyone is aware of ways to write secure code. You may think, "my team of developers is
very experienced/skilled/efficient, they can write 100% secure code," but if you follow the
news you are aware that even bigshot websites are regularly brought down or have their user
data compromised. Your website should be well-prepared to avoid such attacks by following
these guidelines by OWASP.
The OWASP Top 10 is a standard awareness document for developers and web application
security. It represents a broad consensus about the most critical security risks to web
15
applications. Companies should adopt this document and start the process of ensuring that their
web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective
first step towards changing the software development culture within your organization into one
that produces more secure code.
16
5. Data and Data Analysis
This chapter tracks the data analysis of the data collected from different sources to make
our application better and to understand what needs users of our application. Also, analysis of
the application environment to prepare better for users' interaction is described. Another type
of data analyzed here is the security problems that can occur in the application, which is shown
in the risk analysis to know what are the vulnerabilities in the web application and in the used
software environment.
Just like the problem being validated, the idea for this solution needs validation as well.
Thus, a different survey has been done, where 110 people have been interviewed with the
following question: “Would you use a platform to either sell, lend and donate your books, or
to find a desired reading material that may be anywhere in the world?”. This time, 76%
answered “Yes”, 22% answered “No”, while 2% held back.
Since the majority of people confirmed the necessity for such a platform, the designing
and development phases of the solutions are the next ones to be tackled.
17
5.2. Risk Analysis
This chapter describes the research that was done for finding information about the risks and
vulnerabilities of the solution, in order to be able to analyze them later in this chapter. The risk analysis
is a great way to understand the priority of each risk and the way of solving it.
This application is a web platform because it has to be used by as many users is possible.
After analyzing users from different social networks that search for books, we understand that
every day are at least ten requests of finding a book. In this group are a lot of people in the
most popular group are around 200000 of people so this prove that many people are interesting
in a selling a book or borrow or exchange. We analysis that type of book are and that type of
publisher exist for adding then in our database of application. We analysis what information
is important for user to know when he what to borrow a book or buy a book so we will do this
information to be available for books that will be in our website so if you want to sell you book
on our website you will ned to give this information to us.
Lot of ASP.NET MVC developers are great in delivery, writing high performance code
and so on. But when it comes to security there is no planning done. When we talk about web
application, security is a major concern. So we will run through 10 points which will help us
to make our MVC code secure.
18
8. Improper Authorization
9. Do not use components with Known Vulnerabilities
10. Version Discloser
1.Cross-site Scripting (XSS) - is an attack in which malicious scripts is injected via input
fields this attack is most common and allows an attacker to steal credentials and valuable data
that can lead to a big security breach.
In this attack attacker visits a website and tries to execute a malicious scripts in form
comment box. Now if website has not checked for Malicious code then the code can get
executed on the server causing damage.
Sanitizing user input: This is helpful to prevent XSS attack on site that allows HTML
markup as input. It means that encode the HTML that is stored. The Razor engine automatically
19
encode all the inputs so that the script part which adds as any field is never executed. The using
@ directive, we can apply encoding rule to the variable.
Encoding the URL: Many applications use Query String to transfer the data from one page
to another page. The XSS attack can be possible on query string data due to it is not encoded.
Using UrlEncode and UrlDecode method of Microsoft.AspNetCore.WebUtilities class, we can
encode and decode the URL with ASp.net code 2.0 and above version.
Input Validation: Some time HTML character does make sense for user input. we can put
the validation (client and server-side both) that prevent the malicious data that harming a
website.
2.Cross-Site Request Forgery (CSRF) - it also is known as Session riding and pronounced
as XSRF. In this method of attack, attacker copies forge as a trusted source and send the data
to the site. The site processes this information believe that this is coming from a trusted source.
This kind of attack can be destroying both client relation and business. The example of CSRF
is unauthorized fund transfers, data theft etc.
Mostly this is done through creating a forged site and it internally hits the genuine site and
by using already established user session, an attacker is done some malicious activity. For
example, a user is transferring fund from one account to another account and trusted connection
established between the user and bank site. At the same time user click on malicious like from
junked email (that sent by the attacker). Because of the secure session is established between
user and bank site, the attacker uses this connection and does some malicious activity such as
fund transfer. However, it is vulnerability at the server (web application) side, not an end-user
side.
20
A CSRF vulnerability allows an attacker to force a validated and logged in user to
perform actions without their consent or unknowingly.
Example:
Using tag helper "asp-anti forgery", we can enable/disable anti-forgery for the page.
If this tag helper value is set to "true", it means that it enables the anti-forgery for this page.
And using ValidateAntiForgeryToken attribute, we can check whether the token is valid or not
21
at server side (controller / action method). It also can be ignored by using
“IgnoreAntiforgeryToken” attribute.
3.SQL Injection - this attack is one of the most dangerous attacks it is ranked 1 in top 10
Vulnerabilities by OWASP2013 [Open Web Application Security Project]. SQL injection
attack can give valuable data to the attacker that can lead to a big security breach and can also
take full access to the database server.
In SQL Injection attacker always try to enter malicious SQL statement which will get
executed in the database and return unwanted data to the attacker.
22
Use Parameterized Query or stored procedure using the parameterized query or stored
procedure, we can prevent SQL injection. It is better to use a stored procedure instead of an
inline query. If you want to use inline query, we must use a parameterized query to prevent our
application from SQL Injection.
Use any O/RM (Object-relational mapping) such as Entity Framework O/RM maps
SQL object such as a table, view to our domain object such as class. Most of the ORM is to
generate a parameterized query internally to fetch the record from the database.
4.Do the Proper Error Handling - sometimes, we are not doing proper error handling.
So, some of the sensitive information is exposed in term of error such as database object name
(table, stored procedure etc.), file location, etc. This kind of information can be used by
attacker/hacker to do an attack on the web site.
In this kind of attack the attacker intercepts form data which is submitted by end User and
changes values and sends the modified data to the server. So for such kind of scenarios
developers do put proper validations in place but when these validations display error lot of
information of the server is revealed.
23
Fig. 5.2.1.5. Error Handling
It can be prevented by using creating a custom error page that will display when an error
occurred, or we can write the code to do custom error handling. In the first solution, we need
to create a page that has a generic message and it needs to be configured Configure method of
startup class.
24
Alternatively, we can write some custom code to do exception handling such as try-catch
block, exception handler or exception filter.
5.Enforce SSL and use HSTS - SSL enables us to establish an encrypted connection
between a web server and a browser. It ensures that all the data transmitted between the web
server (application) and browser are encrypted and not change during the transition. To secure
our application, we can use HTTPS (HyperText Transfer Protocol Secure) protocol. There are
many advantages using HTTPS such trust, verified data, Integrity of Data, etc.
ASP.net Core 2.1 and later version enable us to create an application that configured over
HTTPS. We can also configure HTTPS with ASP.net Core before the .NET core framework
1.1 but it was some difficult to configure. There is an option available to configure our web
application over HTTPS when we are creating a web application with Visual Studio. In the
template of a web application, HTTPS is enabling for the application.
25
Fig. 5.2.1.7. Configure HTTPS with ASP.net Core
It is a web security policy that protects our web application from downgrade protocol
attacks and cookie hijacking. It forces webserver to communicate over an HTTPS connection.
It always rejects insecure connections. The Asp.net core templet by default adds HSTS
middleware. It is not recommended to use in the development environment as a browser is
cache the HSTS header.
There are a couple of options available that can be overridden to configure HSTS.
Following are the options:
6.XXE (XML External Entities) attack - XXE (XML External Entity) attack is possible
on the application that parses XML input. The possible reason for this attack is XML input
contains the reference of the external entity which weakly configured in the XML parser. It
may happen due to the disclosure of confidential data, SSRF (server-side request forgery), port
scanning by the hacker where the application (XML parser) hosted, denial of service (Dos),
etc. Hacker / Attacker can use XML to cause a Denial of Service attack by injecting entities
within entities. This type of attack refers to “Billion Laughs Attack”. As a result, the system
required more resource to complete the task and due to high utilization server may crash.
Solution - If you are using "XmlTextReader" class to parse the XML, it has property
"DtdProcessing" that must be set to Prohibit or Ignore. If we have set DtdProcessing property
26
of XmlTextReader to "Prohibit", the system will throw the exception as DTD (Document Type
Definition) is identified and if we have set DtdProcessing property of XmlTextReader to
"Ignore", the system will ignore DTD specifications and continue to process the document.
After successful login in the web application, some cookies are set to the browser to
identify the user that is logged-in. These cookies are always sent to the web server with every
request. On logout, we generally remove the session but forget to remove cookies. These
cookies may be used by a hacker to do an attack on the web server. Default cookie name for
the .net core web application is “.AspNetCore.Session” and this default cookie does not specify
the domain. Using session option, we can override the cookie setting.
The solution is very simple: remove the cookies are successful logout, use secure HTTP
to secure cookies and session.
27
server and client are encrypted. There are some cookie options need to set to secure cookies
and session.
• HttpOnly: It indicates whether client-side code able to access the application cookies
or not. If it is set to Http Only Policy. Always, the client-side script is not able to access
the application cookies.
• Secure: It indicates whether cookies are transmitted using SSL (over HTTPS) only. If
it is set to true (internally), the cookies are only transmitted over SSL connection. It can
set to true by using Cookie Secure Policy. Always and Cookie Secure Policy. Same as
Request option.
• SameSite: It is the same site mode for cookies.
Using “Authorize” attribute we can turn on the authorization for any controller or
individual action method. Sometimes, due to the laziness of developers, they miss to put
authorize check of controller or action and, they bypass the authorization in the same case. It
causes the security hole in the web application. Sometimes, developers also miss putting proper
authorization for the controller or action method. For example, some of the pages can be
accessed by the unauthorized role user due to improper role-based authorization.
The solution is very straight forward, make sure authorization works as expected before
web application moves to the production environment. ASP.net core has a very rich model for
28
authorization such as Policy-based authorization, claim-based authorization, etc., we can use
these models in the complex scenario to authorization.
For the JavaScript library, there is full prove documentation that lists down all the
vulnerabilities. There is some public site, they log the vulnerabilities for the popular JavaScript
framework or plugin. For example, jQuery’s vulnerabilities are list down on the CVE website.
Solution
• Do not download any plugin or library from an untrusted source. Use trusted source
such as npm. It may reduce the chance of including a malicious or modified component.
• Do not use any untrusted library in the application.
• Always use an updated version of the library (it may fix some critical security defect in
the latest version).
• Always remove unused plugin, files, component from the application.
• Monitor the library's Vulnerabilities from the source such as NVD and CVE.
• Here, I have talked about JavaScript library, but there are many security vulnerability
incidents are a log for the server-side framework.
29
10. Version Discloser - The request and response object contains may information such
as to request method, remote address, server X-Powered-By, etc. Some of them are very
sensitive such as X-Powered-By, Server etc. They must not disclose to the end-user because
the attacker may use this information to do attack. It may possible that some framework version
may encounter security Vulnerabilities and using these Vulnerabilities, an attacker may break
our system.
As seen in above snap, we can get information such as a server, X-Powered-By and X-
source files. The Server property indicates which server is used to host application, the X-
Powered-By indicate the information about the framework and X-Source Files is only available
in debugging modules in IIS / IIS express.
Solution
Removing headers that contain sensitive information. We can remove server header by
setting up AddServerHeader to false where we configure the server. In following an example,
I have to remove server header from Kestrel server.
30
We can remove X-Powered-By header either by using web.config or from IIS setting.
31
5.2.2. Approach for Solving Vulnerabilities
Taking into account this classification, and also, trying to analyze the risks mainly on
the used technology, ASP.NET MVC, the set of the most critical vulnerabilities have been
deducted. After analyzing each solution, a custom approach had to be built in order to
personalize the solutions and make them fit the platform best.
Vulnerabilitatea Solutia
Cross-Site Scripting(XSS) Input Validation, URL Encryption
Cross-Site Request Forgery(CSRF) Using helper-label “asp-anti forgery”
SQL Injection Using Object-Relational-Mapping, such as
Entity Framework.
Improper Error Handling Creating a special error log page.
Insecure connection between web server Enforce SSL and use HSTS
and browser
XXE attack Using the property “Dtd Processing” within
the parsing class of an XML. Setting it to
‘Prohibit’ or ‘Ignore’.
32
Using Components with Known Not using libraries from untrusted resources.
Vulnerabilities Updating the library versions. Removing
components, files and unused plugins.
Version Discloser Removing headers which contain sensible
information. Encryption of personal data in
the database.
The solutions that have been identified, for each of these vulnerabilities, have been proposed
onto implementation within the working plan.
Existing solution for this problem is groups on social networks for selling and buy
books or exchange but this solution are not good because their don’t notify user then some
book that he is interested is appearing and also this don’t give you opportunity to find fast a
post if book that you want.
After analyzing the existent solutions and their approach, the solution development of the
platform started. The platform incorporates the key features that these existent solutions have
in common: the ability to buy and sell books online, but also coming up with new additional
features. Firs of all, for understanding the way of the application’s functioning, UML Use-
Case diagrams have been developed.
33
34
6.2.1. UML Use-Case diagrams
A Guest in order to use all the functionalities available for a Registered user can choose
between two options: sign up and log in. To get the registration process achieved the Guest
will have to fill the required fields like: email and password. After becoming Registered, the
user will be able to change the major part of his profile fields and to fill the optional ones.
Soon, as clicking on the button “Log out”, the status of a Guest is achieved again.
35
36
Fig. 6.2.1.2 Stocks diagram
Both the Guest and the Registered User will be able to search for a stock (for example
by introducing item’s title or owner’s location), to access the list with searched stocks (besides
having at this step two options: content sorting and filtering) and to access each stock’s details
individually.
Adding a stock (filling some compulsory and optional fields) a Registered User can be
a Book Owner. Since a stock was posted on our platform, the main functionalities like update
and delete will be available for its owner. The list with all “Incoming orders” will be accessed,
and clicking on a specific order the Book owner will be able to message the one that ordered
his item and will have the same rights on changing stock’s status as the order’s owner.
The administrator will have the possibility to create, or delete or edit the objects of
some specific classes.
37
Fig. 6.2.2.1. Database structure
38
The database that was generated after the models were built is shown in figure 6.2.2.1.
It consists of sixteen tables, and the major part of them has at least one relationship with the
other table.
One of the most important relation for our platform is AspNetUser, which contains all
the necessary data about the user, and due to the fact that there is a lot of information to keep,
the table has nine relationships.
The first relationship is through the field Location_Id from the table Location having
the multiplicity: one-to-zero/one (i.e. a user can have only one location, and a location can be
assigned to an user or to none). Besides that, this relation has a relationship with table Country
an interesting fact, is that it has a relationship with itself, because of the field ParentLocationId
(i.e. if relation has a record with the field Name that has value “Chisinau”, then the field
ParentLocationId will have value Null, but if Name=”Bacioi” then ParentLocationId will be
equal with the Id of record whose Name=”Chisinau”). The next two relationships are with
Order table, whose fields CreatedBy_Id and ModifiedBy_Id are filled with user’s id. Both of
them have the multiplicity: zero/one-to-one (i.e. a user can have many Orders, but an Order
can be owned by one user or none). The other relationships are based on the field CreatedBy_Id
from the relationship Message and on the field Owner_Id from the relationship Stock, both of
them having the same multiplicity as the previous relationships.
The Order table has two fields (Stock_Id and OrderStatus_Id) that are foreign keys for
relations Stock and OrderStatus and the existing relationships have the same multiplicity:
zero/one-to-many (i.e. an Order can be created using only a Stock and having only a
OrderStatus, but an OrderStatus and a Stock can be assigned to many other Orders). The last
relationship of table Order is with table Message, having a multiplicity one-to-many (i.e. many
Messages based only on an Order).
The table Stock has with three distinct tables (Item, ActionType, Condition) three
relationships, of the multiplicity many-to-one (i.e. one Stock can consist only from one Item,
39
ActionType and Condition, but an Item, ActionType and Condition can be part of other
Stocks).
The aforementioned multiplicity type is also characteristic for the three relationships of
the relation Item (i.e. an Item can be characterized by only an Author, a Category and a
Publisher). The other not mentioned tables were built based on the default created models.
This database is normalize in third normal form because it doesn’t have transitive
dependency and don’t have partial dependency and all condition of first form are respected.
That means that all values in columns are in atomic form and that all values stored in the same
column are from the same domain. All columns in table have unique names and the order in
which data is stored doesn’t matter for our database. This normalization help our database to
save memory and easier to update and maintain the data in database.
Create, read, update, and delete (CRUD) are the four basic functions of persistent
storage. Alternate words are sometimes used when defining the four basic functions of CRUD,
such as retrieve instead of read, modify instead of update, or destroy instead of delete. CRUD
is also sometimes used to describe user interface conventions that facilitate viewing, searching,
and changing information. Without at least these four operations, the software cannot be
considered complete. Because these operations are so fundamental, they are often documented
and described under one comprehensive heading, such as "contact management", "content
management" or "contact maintenance"
ASP.NET MVC was designed to facilitate patterns-based development practices such
as test-driven development, separation of concerns, inversion of control, and dependency
injection. The framework encourages separating the business logic layer of a web application
from its presentation layer. By dividing the application into models (M), views (V), and
40
controllers (C), ASP.NET MVC can make it easier to manage complexity in larger
applications.
With ASP.NET MVC, you work more directly with HTML and HTTP than in Web
Forms. For example, Web Forms can automatically preserve state between HTTP requests, but
you have to code that explicitly in MVC. The advantage of the MVC model is that it enables
you to take complete control over exactly what your application is doing and how it behaves
in the web environment. The disadvantage is that you have to write more code.
MVC was designed to be extensible, providing power developers the ability to
customize the framework for their application needs. In addition, the ASP.NET MVC source
code is available under an OSI license.
The MVC template creates a sample MVC 5 application that uses Bootstrap to provide
responsive design and theming features. The following illustration shows the relation in MVC.
41
ASP.NET platform is a very powerful tool with lots of ready to use features. Below is
a description of the built-in solutions used to prevent different kind of security issues in the
ReadIT application.
• SQL Injection
LINQ to SQL passes all data to the database via SQL parameters. So, although the SQL
query is composed dynamically, the values are substituted server side through parameters
safeguarding against the most common cause of SQL injection attacks.
Example:
42
var query = db.Orders.Include(m => m.Messages).Include(m => m.Stock)
x.Order.Stock.Owner.Id == currentUserId ||
x.Order.CreatedBy.Id == currentUserId))
To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called
request verification tokens.
2. The server includes two tokens in the response. One token is sent as a cookie. The other
is placed in a hidden form field. The tokens are generated randomly so that an adversary
cannot guess the values.
3. When the client submits the form, it must send both tokens back to the server. The client
sends the cookie token as a cookie, and it sends the form token inside the form data. (A
browser client automatically does this when the user submits the form.)
4. If a request does not include both tokens, the server disallows the request.
value="6fGBtLZmVBZ59oUad1Fr33BuPxANKY9q3Srr5y[...]" />
43
<input type="submit" value="Submit" />
</form>
Anti-forgery tokens work because the malicious page cannot read the user's tokens,
due to same-origin policies. Same-origin policies prevent documents hosted on two different
sites from accessing each other's content.
@using (Html.BeginForm()) {
@Html.AntiForgeryToken()
</div>
Cross Site Scripting (also referred to as XSS) is a kind of vulnerability that occurs when
some hacker injects malicious code (ideally script) inside a web page or the database. The
insertion of code takes place without the user's knowledge. XSS happens whenever a web
application allows to display user's input or input provided by any outside resources without
validating the input properly. XSS attacks enables a user to insert malicious JavaScript, HTML
and other cross-side scripting languages into a dynamic page – that is not validated.
XSS attacks are prevented by default in MVC applications. When any user inserts
malicious HTML markup and message into an MVC application, it will display an annoying
alert.
44
• Broken authentication and session management
Application functions related to authentication and session management are often not
implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or
exploit other implementation flaws to assume other users’ identities.
To avoid this, ASP.NET Identity was used. This is a system which can be used with all
ASP.NET frameworks, is knows for the ease of plugging in profile data about the user, has
persistence control, has a role provider, is claims based, supports social login providers, OWIN
integration and comes as a NuGet package.
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create
);
app.UseCookieAuthentication(new CookieAuthenticationOptions
45
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
OnValidateIdentity =
SecurityStampValidator.OnValidateIdentity<ApplicationUserManager,
ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie,
TimeSpan.FromMinutes(5));
46
// Once you check this option, your second step of verification during
the login process will be remembered on the device where you logged in from.
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRemember
BrowserCookie);
These references do not bring a direct security issue because, by itself, it reveals only
the format/pattern used for the object identifier. However, it brings, depending on the
format/pattern in place, a capacity for the attacker to mount a enumeration attack in order to
try to probe access to the associated objects.
In order to prevent it, the team has implemented Route Access Control and Data Access
Control, with the help of [Authorize] attributes inside the specific controllers.
[HttpPost]
[ValidateAntiForgeryToken]
[Authorize]
47
if (ModelState.IsValid)
...
Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the
application, frameworks, application server, web server, database server, and platform. All
these settings should be defined, implemented, and maintained as many are not shipped with
secure defaults. This includes keeping all software up to date, including all code libraries used
by the application.
48
In order to successfully exploit an application, someone needs to start building a picture
of how the thing is put together. The more pieces of information they gain, the clearer the
picture of the application structure is and the more empowered they become to start actually
doing some damage. Application errors with stack traces can display such information. That’s
why a custom error handling method was implemented in the application.
First of all, all the errors are logged in a different database created just for errors. List
of errors is also available from the web, only to the users with admin privileges. This was done
with the help of ELMAH error logging facility.
Also, custom error pages were implemented for different error types.
49
In production, debug mode should also be set to false to avoid slowness and security
issues. Maximum HTTP request size is also limited to 12 MB to avoid giving unlimited server
resources to a specific user.
For all the cryptographic operations ReadIT is using the AES algorithm with a 256 bits
key. For the user passwords, ASP.NET Identity hashing is used, along with a Security Stamp.
50
• Enforcing SSL and HTTPS
HTTP Strict Transport Security (HSTS) is a web server directive that informs user
agents and web browsers how to handle its connection through a response header sent at the
very beginning and back to the browser. This sets the Strict-Transport-Security policy field
parameter. It forces those connections over HTTPS encryption, disregarding any script's call
to load any resource in that domain over HTTP.
51
• Version discloser
A running a web server usually shows the world what type of server it is, its version
number, and the operating system. This information is available in header fields and can be
acquired using a web browser to make a simple HTTP request to any web application. It is
often called the web server banner and is ignored by most people with the exception of
malicious ones.
Attackers can perform banner grabbing using even simple TCP tools like Telnet or
Netcat. Then they launch targeted attacks against the web server and version. In addition, if a
particular web server version is known to be vulnerable to a specific exploit, the attacker would
just need to use that exploit as part of their assault on the target web server.
This is why the team has decided to limit the information provided by the IIS.
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
MvcHandler.DisableMvcResponseHeader = true;
52
Response.Headers.Remove("Server"); //Remove Server Header
We make in our application to have two factor authorization this will give extra security.
For this you give user to choose he can obtain a random generate code on email or like an SMS
text on mobile this type of authorization makes more harder to get access to user account and
we need always to have a device or an app that we receive a new code every time so this make
a high level of security for users account.
7. Conclusions
Taking everything into account, it may be concluded that this report serves as a useful
tool for consolidating the conceptual functional and process architecture of the online book
53
management system as well as an important documentation of the securing process. Taking the
steps to develop a secure application, resulted into a platform that is ready for deployment.
First of all, the initial problem was decided upon and validated, through a social survey,
which demonstrated the fact that the need and importance of such a platform is high. After
analyzing the already existent book management service providing solutions, the core
functionalities for the project were clearly established. In order to come up with a better and
improved product, the deficiencies of such websites were identified and possible personalized
solutions were found. The focus of the report was to establish the key vulnerabilities of a
platform that uses the given technology and analyze the solutions that are linked to each and
every one. The top ten vulnerabilities of a ASP.NET MVC application have been established,
and their documented solutions have been studied. This step helped develop custom solutions
for each and every vulnerability that would satisfy and would fit the platform the best. That led
to the development phase, where these solutions were implemented and, eventually tested, to
ensure a well-working and functional product.
On the whole, the intended ReadIT web application solves a social problem while
providing a high level of security. The end product is protected against the most common
malicious attacks and it itself protects the personal data of any user. If there was one more step
left, that would be the UI design, but by far not as detrimental as implementing security over
an application.
54
References
[1]- https://docs.microsoft.com/en-us/previous-
versions/commerceserver/ee823878(v=cs.20)?redirectedfrom=MSDN
[2] - https://en.wikipedia.org/wiki/STRIDE_(security)
[3]- https://hackertarget.com/xss-tutorial/
[4]- https://www.itprotoday.com/web-development/owasp-top-10-project-security-
vulnerabilities-aspnet
[5]- https://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/
[6]- https://www.veracode.com/security/insecure-crypto
[7]- https://www.troyhunt.com/owasp-top-10-for-net-developers-part-6/
[8]- https://lockmedown.com/secure-from-insecure-direct-object-reference/
[9]- http://www.dotnet-programming.com/post/2015/04/12/How-to-Handle-Cross-Site-
Scripting-in-ASPNET-MVC-Application.aspx
[10]- Web Application Vulnerabilities: Detect, Exploit, Prevent 1st Edition by Steven
Kapinos
[11]- Pro ASP.NET Web API Security, Securing ASP.NET Web API by Lakshmiraghavan,
Badrinarayanan
55
Appendices
Appendix A
The interaction between team members over the course of developing the present project has
been efficient. Everyone participated actively in the development of the end product and had
their own input.
Decisions were taken in group, through open vote, taking into account the mentors opinion
upon the situation. The meetings took place every other day, and lasted for about 3 hours.
Outside of the meetings, work was divided and each fulfilled their task remotely. At the
meetings started with discussions upon the work done and the final adjustments could be
pushed to the master branch.
At the university, the meetings with the TUM mentor took place every week, and consisted of
discussions upon the way of improving security over the application. The mentor’s input was
studied and implemented into the project in the next meetings at the partner company.
56
Appendix B
57
08.11.2019 15:00-18:00 Amdaris 5/5 Encrypting chat
messages
13.11.2019 15:00-18:00 Amdaris 5/5 Encrypting chat
messages
15.11.2019 15:00-17:30 Amdaris 4/5 Length of the
password;
Encrypting
phone number
58