RESTful API & Web Application Security Tips from Experience

Sonu Kumar
7 min read · Sep 16, 2020

Important points for Securing our .Net Core Application.

1. Make your Login more secure
2. Always submit sensitive data using Encryption
3. Don’t forget to clear Cookies when logout
4. Always use SSL
5. Never keep sensitive data in clear form in your Database
6. Audit Trails or Logging is also Important
7. Never display original Technical error to the End-User
8. Cross-Site Scripting (XSS)
9. Try to Hide your .Net Core Version
10. Cross-Site Request Forgery (CSRF)
11. LINQ can protect from SQL Injection
12. Deserialized streams can be tampered with
13. Always keep your Framework & Libraries Updated

1. Make your Login more secure :

Always use complex login credentials (user id and password). A brute-force attack guesses simple usernames and passwords in seconds, but it can also work through complex combinations by trying every possibility, and the flood of attempts alone can cause denial of service (DoS) and downtime for the real users of your application.

Tips to prevent Brute Force:

  • Use a CAPTCHA on your login page; it does not stop every bot, but it raises the cost of each automated attempt.
  • Block an IP temporarily after a number of failed login attempts, and lock the account itself after repeated failures against one user, since attackers rotate IPs.
  • Avoid common usernames such as admin or user, because brute-force tools carry lists of common usernames and passwords and try those first.
  • Make passwords hard to guess: length matters more than forced character classes, but allow and encourage letters (A-Z, a-z), digits (0-9) and special characters (!, @, ., #, $, %, ^, &, * and more).

There is a useful library, HackerSpray, that does the IP-based throttling for you; only a small amount of configuration is required.

Prefer ASP.NET Core Identity for authentication and authorization. It is one of Microsoft's better implementations and gives you a complete login and sign-up setup that already follows these practices: password hashing, account lockout and two-factor support are built in.
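As an added example (not code from the original article), here is the account-lockout and password-policy side of the advice above, expressed with ASP.NET Core Identity. It assumes ASP.NET Core 3.1 with the Identity EF Core package; ApplicationDbContext and LoginModel are hypothetical names. IP-based throttling, which HackerSpray handles, is a separate layer and not shown.

```csharp
// Added example: Identity configured so repeated failed logins lock the account,
// plus a password policy that rules out trivial passwords.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical EF Core context holding the Identity tables.
public class ApplicationDbContext : IdentityDbContext
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public static class IdentityHardening
{
    public static void AddHardenedIdentity(this IServiceCollection services)
    {
        services.AddIdentity<IdentityUser, IdentityRole>(options =>
        {
            // Lockout: after 5 failed attempts the account is locked for 15 minutes.
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
            options.Lockout.AllowedForNewUsers = true;

            // Password policy: a long minimum length does more than forced symbol classes.
            options.Password.RequiredLength = 12;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireDigit = true;
            options.Password.RequireNonAlphanumeric = false;
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();
    }
}

// Hypothetical view model for the login form.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginModel model)
    {
        // lockoutOnFailure: true is what makes failed attempts count towards lockout.
        // The default is false, which silently disables the protection configured above.
        var result = await _signInManager.PasswordSignInAsync(
            model.UserName, model.Password, isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded) return RedirectToAction("Index", "Home");
        if (result.IsLockedOut) return View("LockedOut");

        // One generic message for unknown user and wrong password alike, so the
        // response does not tell the attacker which usernames exist.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View(model);
    }
}
```

Call services.AddHardenedIdentity() from Startup.ConfigureServices. The lockout options do nothing unless the sign-in call passes lockoutOnFailure: true, which is the detail most often missed.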

2. Always submit sensitive data using Encryption :

Never send sensitive data such as passwords or credit card details to the server in clear text. An attacker on the network path can read it by sniffing the traffic before it reaches the server.

ASP.NET Core provides the Data Protection API, which encrypts and authenticates data for you. The keys are created and managed by the framework itself (stored in a key ring, rotated automatically), so application code never handles raw key material and outside interference with the keys is blocked.

For passwords, use a purpose-built password hash on the server (PBKDF2, bcrypt or Argon2; ASP.NET Core Identity's PasswordHasher uses PBKDF2), never plain MD5 or SHA-256, which are fast by design and therefore cheap to brute-force. For data that must be read back, use AES, not DES, whose 56-bit key is broken. Hashing or encrypting in jQuery on the client does not replace TLS: a script served over plain HTTP can be swapped by the attacker in transit, and a client-side hash simply becomes the new password that the attacker replays.

3. Don’t forget to clear Cookies when logout:

After login, an ASP.NET Core application keeps the user signed in with an authentication cookie (Identity's application cookie by default) and often keeps per-user data in session, tracked by the .AspNetCore.Session cookie. Some apps set a session timeout; when the user ticks "keep me logged in" on the login page, a persistent cookie with a long lifetime is issued instead. Either way, the browser now holds cookies that represent the logged-in user.

So, on logout, we must also end the server-side session and remove the cookies our application created in the user's browser. If they remain valid, anyone who captured the cookie (or sits down at the same browser) can keep using the session, which is session hijacking. The related session fixation attack, where the attacker plants a session id in the victim's browser before login, is defeated by issuing a fresh session and authentication cookie at login instead of reusing whatever was already present.

4. Always use SSL :

SSL stands for Secure Sockets Layer; what browsers use today is its successor, TLS, but the name SSL has stuck. TLS encrypts and authenticates the traffic between client and server, so credentials and cookies cannot be read or altered in transit. In Startup.cs of your ASP.NET Core application, redirect HTTP to HTTPS, enable HSTS, and set the cookie policy to Secure so cookies are never sent over plain HTTP.
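The following is an added example, not code from the original article, covering both point 3 (clearing cookies on logout) and point 4 (HTTPS and Secure cookies). It assumes ASP.NET Core 3.1 with Identity and session enabled; the cookie name .MyApp.Session is a hypothetical choice.

```csharp
// Added example: Startup wiring that forces HTTPS and HSTS, marks the session and
// authentication cookies Secure/HttpOnly/SameSite, and a logout action that ends
// the server-side session and removes the cookies rather than just redirecting.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHsts(o => { o.MaxAge = TimeSpan.FromDays(365); o.IncludeSubDomains = true; });
        services.AddHttpsRedirection(o => o.HttpsPort = 443);

        // Global cookie policy: every cookie the app issues is Secure, HttpOnly and at least SameSite=Lax.
        services.AddCookiePolicy(o =>
        {
            o.Secure = CookieSecurePolicy.Always;
            o.HttpOnly = HttpOnlyPolicy.Always;
            o.MinimumSameSitePolicy = SameSiteMode.Lax;
        });

        services.AddSession(o =>
        {
            o.Cookie.Name = ".MyApp.Session"; // hypothetical name, referenced again in Logout
            o.Cookie.HttpOnly = true;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            o.Cookie.IsEssential = true;
            o.IdleTimeout = TimeSpan.FromMinutes(20);
        });

        // Identity's authentication cookie: bounded lifetime with sliding renewal.
        services.ConfigureApplicationCookie(o =>
        {
            o.Cookie.HttpOnly = true;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            o.Cookie.SameSite = SameSiteMode.Lax;
            o.ExpireTimeSpan = TimeSpan.FromHours(8);
            o.SlidingExpiration = true;
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment()) app.UseHsts();
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseCookiePolicy();
        app.UseSession();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [HttpPost]
    [ValidateAntiForgeryToken] // logout is a POST so a third-party page cannot trigger it
    public async Task<IActionResult> Logout()
    {
        await _signInManager.SignOutAsync();       // removes the authentication cookie
        HttpContext.Session.Clear();               // drops the server-side session data
        Response.Cookies.Delete(".MyApp.Session"); // and the session cookie itself
        return RedirectToAction("Index", "Home");
    }
}
```

SignOutAsync alone leaves the session cookie in place, so the Session.Clear and Cookies.Delete calls are what make the logout complete; the Secure policy makes sure none of these cookies are ever sent over plain HTTP in the first place.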

5. Never keep sensitive data in clear form in your Database :

Almost every web application has a database holding user data, and that database is what attackers who break into a server go after. Say you have stored your users' credentials, such as passwords and payment details, in clear form. Then anyone who gets unauthorized read access to the database, whether through SQL injection, a leaked backup or a stolen connection string, can use that data directly.

So, store passwords only as salted, slow hashes that can be verified but not reversed, and encrypt other sensitive data that the application must read back later.
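This added example (not code from the original article) shows the two tools points 2 and 5 call for: a PBKDF2 password hash for credentials, and the Data Protection API for secrets that must be decrypted again. It assumes ASP.NET Core 3.1 with the Microsoft.AspNetCore.Cryptography.KeyDerivation package and services.AddDataProtection() registered. ASP.NET Core Identity's PasswordHasher<TUser> already does what PasswordStorage does here; it is written out to show what happens underneath.

```csharp
// Added example: salted PBKDF2 for passwords (verify only, never reverse), and
// Data Protection for values such as a card-on-file that must be read back.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
using Microsoft.AspNetCore.DataProtection;

public static class PasswordStorage
{
    private const int SaltSize = 16;        // 128-bit random salt per user
    private const int Iterations = 100_000; // raise as hardware gets faster
    private const int KeySize = 32;         // 256-bit derived key

    // Stored as "iterations.salt.hash" so the work factor can be raised later
    // without invalidating existing records.
    public static string Hash(string password)
    {
        var salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);

        var key = KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA256, Iterations, KeySize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('.');
        if (parts.Length != 3) return false;

        var iterations = int.Parse(parts[0]);
        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);

        var actual = KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA256, iterations, expected.Length);

        // Constant-time comparison: a plain SequenceEqual leaks timing information.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public class CardVault
{
    private readonly IDataProtector _protector;

    // IDataProtectionProvider comes from services.AddDataProtection(). The purpose
    // string isolates these ciphertexts from every other use of the same key ring.
    public CardVault(IDataProtectionProvider provider)
        => _protector = provider.CreateProtector("Payments.CardOnFile.v1");

    // What goes into the database: an opaque, authenticated ciphertext.
    public string Seal(string cardNumber) => _protector.Protect(cardNumber);

    // Unprotect throws CryptographicException if the stored value was modified.
    public string Open(string sealedValue) => _protector.Unprotect(sealedValue);
}
```

The split is the point: a password is never decrypted, only re-derived and compared, while a card number has to come back out, so it gets authenticated encryption with keys that live outside the database the ciphertext is stored in.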

6. Audit Trails or Logging is also Important :

Audit trails, or activity logging, are essential for knowing what is going on in your application. If one account or one IP produces many failed login attempts, an admin should receive an e-mail about it. When a user creates a new user or changes the roles of an existing one, that activity should be logged in your ASP.NET Core application with who did it, what changed, when, and from which address. Log these events, never the passwords or tokens involved in them.

7. Never display original Technical error to the End-User :

Some exceptions disclose important information about the application: connection strings, file paths, library versions, and sometimes even a few lines of source code shown to the end user. Attackers use exactly that information to plan the next step against the application.

So, before deploying to production, make sure a custom error page is configured for every kind of exception and status code, and that the original exception is logged with enough context (request path, a correlation id) to investigate it.
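Added example, not code from the original article: the production pipeline that never leaks exception details, and an error action that logs the real exception under a correlation id and shows the user only that id. Assumes ASP.NET Core 3.1; ErrorViewModel and the /Error route are hypothetical names.

```csharp
// Added example: developer exception page only in Development; in production,
// unhandled exceptions and error status codes re-execute to a generic /Error page.
using System.Diagnostics;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services) => services.AddControllersWithViews();

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage(); // stack traces and source snippets: Development only
        }
        else
        {
            app.UseExceptionHandler("/Error");                 // unhandled exception -> /Error
            app.UseStatusCodePagesWithReExecute("/Error/{0}"); // 404, 403, ... -> /Error/404 etc.
            app.UseHsts();
        }
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}

// Hypothetical view model: the view shows only these two values.
public class ErrorViewModel
{
    public string RequestId { get; set; }
    public int StatusCode { get; set; }
}

public class ErrorController : Controller
{
    private readonly ILogger<ErrorController> _logger;

    public ErrorController(ILogger<ErrorController> logger) => _logger = logger;

    [Route("Error")]
    [Route("Error/{statusCode:int}")]
    [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
    public IActionResult Index(int? statusCode)
    {
        var requestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier;

        // The exception is available here, but it goes to the log, not to the view.
        var feature = HttpContext.Features.Get<IExceptionHandlerPathFeature>();
        if (feature?.Error != null)
        {
            _logger.LogError(feature.Error,
                "Unhandled exception at {Path} (request {RequestId})", feature.Path, requestId);
        }

        return View(new ErrorViewModel { RequestId = requestId, StatusCode = statusCode ?? 500 });
    }
}
```

The user sees "something went wrong, quote request id X to support"; the log entry with the same id has the stack trace. Note the NoStore cache directive, so an error page is never served from a cache to another user.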

8. Cross-Site Scripting (XSS):

In XSS attacks, an attacker submits script through an input field; when the application later echoes that input into a page without encoding it, the script runs in other users' browsers and can steal their session cookies and other important data.

Say we have an Add Product form in our application. The attacker adds a new product and, in the description field, simply inserts a JavaScript snippet. When our application displays that product on the product page with its description, the attacker's script runs in every visitor's browser and collects whatever he planned to take.

You can protect your web application from XSS by following these tips:

  • Validate input on both client and server side (regular expressions, length limits, allow-lists) and store only validated data, but treat validation as a second line: the primary defence is encoding on output.
  • Razor HTML-encodes everything written with @ by default, which stops such scripts from executing; @Html.Raw bypasses that encoding, so use it only for content you generated yourself.
  • XSS can also arrive through URL parameters, so validate them and encode values placed into URLs with UrlEncoder rather than HtmlEncoder; each output context needs its own encoder.

9. Try to Hide your .Net Core Version:

By default, HTTP responses from the server carry headers that identify the platform the application runs on: Kestrel adds Server: Kestrel, and when hosting behind IIS the server adds X-Powered-By: ASP.NET. Such information makes the attacker's job easier by saving reconnaissance time and letting him target known weaknesses of that specific stack and version.

So it is worth putting one more hurdle in the attacker's path by hiding the framework and version information. It is not a substitute for patching, since fingerprinting is possible in other ways, but there is no reason to volunteer it.

Here’s how to Hide .Net Core Version:

  • Remove X-Powered-By from your response headers.
  • NWebsec.AspNetCore.Middleware is a good library for securing headers in general (removing identifying ones and adding defensive ones).
  • Set AddServerHeader = false on Kestrel to remove the Server: Kestrel header.

X-Powered-By is added by IIS itself, not by your application, so when hosting in IIS it has to be removed in web.config (under system.webServer/httpProtocol/customHeaders); middleware in the application cannot strip a header IIS appends.
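Added example, not code from the original article and not NWebsec: Program.cs turning off Kestrel's Server header, plus a hand-rolled middleware that removes any identifying headers the application pipeline sets and adds a few defensive ones. Assumes ASP.NET Core 3.1 and a Startup class of your own; the web.config fragment in the comment is the IIS-side removal for X-Powered-By.

```csharp
// Added example: remove Server/X-Powered-By style headers and add defensive ones.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web =>
            {
                web.ConfigureKestrel(k => k.AddServerHeader = false); // drops "Server: Kestrel"
                web.UseStartup<Startup>();                            // your existing Startup
            });
}

public static class HeaderHardening
{
    // Call app.UseHeaderHardening() first in Startup.Configure so it wraps everything.
    public static IApplicationBuilder UseHeaderHardening(this IApplicationBuilder app) =>
        app.Use(async (HttpContext ctx, System.Func<Task> next) =>
        {
            // OnStarting runs just before the headers are flushed, so whatever later
            // middleware adds is still visible here and can be removed.
            ctx.Response.OnStarting(() =>
            {
                ctx.Response.Headers.Remove("Server");
                ctx.Response.Headers.Remove("X-Powered-By");
                ctx.Response.Headers.Remove("X-AspNet-Version");
                ctx.Response.Headers.Remove("X-AspNetMvc-Version");

                // Defensive headers NWebsec would also set.
                ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
                ctx.Response.Headers["X-Frame-Options"] = "DENY";
                ctx.Response.Headers["Referrer-Policy"] = "no-referrer";
                return Task.CompletedTask;
            });

            await next();
        });
}

// IIS only: X-Powered-By is appended by IIS after the application has finished, so it
// must be removed in web.config rather than in middleware:
//
//   <configuration>
//     <system.webServer>
//       <httpProtocol>
//         <customHeaders>
//           <remove name="X-Powered-By" />
//         </customHeaders>
//       </httpProtocol>
//     </system.webServer>
//   </configuration>
```

After deploying, check with curl -I against the site: neither Server nor X-Powered-By should appear, and the three defensive headers should.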

10. Cross-Site Request Forgery (CSRF):

The form tag helper adds a hidden anti-forgery token to every <form method="post"> it renders (asp-antiforgery="true" forces the token for forms where the helper would otherwise leave it out), and [ValidateAntiForgeryToken] on the receiving action checks on the server that the token in the request matches the one bound to the user's anti-forgery cookie. A page on another site can make the browser send the cookie, but it cannot read the token, so a forged request fails validation and we are protected from Cross-Site Request Forgery.
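This added example (not code from the original article) applies anti-forgery validation globally rather than per action, shows the form the tag helper renders, and adds the header-based variant that JavaScript callers need. It assumes ASP.NET Core 3.1 MVC; ChangeEmailModel, the header name X-CSRF-TOKEN and the CsrfToken endpoint are hypothetical choices.

```csharp
// Added example: antiforgery applied to every unsafe HTTP method, plus a token
// endpoint for AJAX callers that send the token in a header.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AntiforgerySetup
{
    public static void AddAntiforgeryEverywhere(this IServiceCollection services)
    {
        // Validates the token on every POST, PUT, PATCH and DELETE, so forgetting
        // [ValidateAntiForgeryToken] on one action no longer opens a hole.
        services.AddControllersWithViews(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

        services.AddAntiforgery(o =>
        {
            o.HeaderName = "X-CSRF-TOKEN";                 // AJAX callers use this header
            o.Cookie.HttpOnly = true;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            o.Cookie.SameSite = SameSiteMode.Strict;
        });
    }
}

// Razor view (Views/Account/ChangeEmail.cshtml): the form tag helper emits the hidden
// __RequestVerificationToken field for this form automatically.
//
//   <form asp-action="ChangeEmail" method="post">
//       <input asp-for="Email" />
//       <button type="submit">Save</button>
//   </form>
//
// JavaScript callers first fetch /Account/CsrfToken, then send
// fetch("/Account/ChangeEmail", { method: "POST", headers: { "X-CSRF-TOKEN": token }, ... })

public class ChangeEmailModel
{
    public string Email { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // redundant with the global filter; shown for the per-action form
    public IActionResult ChangeEmail(ChangeEmailModel model)
    {
        // The e-mail update itself is outside this example's scope.
        return RedirectToAction("Index");
    }

    // Issues a request token bound to the antiforgery cookie. A third-party page can
    // make the browser send the cookie, but cannot read this response to obtain the token.
    [HttpGet]
    [IgnoreAntiforgeryToken]
    public IActionResult CsrfToken([FromServices] IAntiforgery antiforgery)
    {
        var tokens = antiforgery.GetAndStoreTokens(HttpContext);
        return Json(new { token = tokens.RequestToken });
    }
}
```

With the global filter in place, a POST that arrives without a valid token (including the forged one from another origin) is rejected with 400 before the action runs.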

11. LINQ can protect from SQL Injection:

In this technique, the attacker puts SQL syntax or special characters into an input field, and when the application pastes that input into a query as text, the structure of the whole query changes.

For example, a login query assembled by string concatenation, such as SELECT * FROM Users WHERE Name = '<input>' AND Password = '<input>', receives the username ' OR '1'='1. The quote closes the string early, the OR makes the condition true for every row, and the attacker is logged in without a password. Anything that can appear in the query text, including comment markers like --, becomes part of the attacker's toolkit.

How to secure our Asp.Net Core Application from SQL Injections?

Here’re some Tips:

  • Use Entity Framework Core: its LINQ queries are parameterized for you. Raw SQL built with string concatenation (FromSqlRaw with an interpolated string) is not, so the protection comes from LINQ, not from EF Core as such.
  • Always use parameterized queries when you write SQL by hand; the input travels as a value, never as query text.
  • Validate your inputs on the server side, as a second line of defence, not as the primary one.
  • Use stored procedures, provided they do not themselves build dynamic SQL from their parameters; a procedure that concatenates and EXECs a string is just as injectable.
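As an added example (not code from the original article), the same product search written four ways with EF Core: one injectable, three safe. ShopContext and Product are hypothetical types, and the malicious input in the comment is constructed for illustration. Assumes EF Core 3.1.

```csharp
// Added example: vulnerable raw SQL beside its parameterized forms in EF Core.
using System.Collections.Generic;
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
    public bool Published { get; set; }
}

public class ShopContext : DbContext
{
    public ShopContext(DbContextOptions<ShopContext> options) : base(options) { }
    public DbSet<Product> Products { get; set; }
}

public class ProductSearch
{
    private readonly ShopContext _db;

    public ProductSearch(ShopContext db) => _db = db;

    // VULNERABLE: the $"..." is evaluated by C# before FromSqlRaw sees it, so the
    // input is pasted into the query text. name = "x' OR 1=1 --" yields
    //   WHERE Name = 'x' OR 1=1 --' AND Published = 1
    // and the comment marker removes the Published filter: every row comes back.
    public List<Product> SearchUnsafe(string name) =>
        _db.Products
           .FromSqlRaw($"SELECT * FROM Products WHERE Name = '{name}' AND Published = 1")
           .ToList();

    // SAFE: FromSqlInterpolated receives a FormattableString and turns each hole
    // into a DbParameter; the quotes and "--" in the input are just characters in a value.
    public List<Product> SearchInterpolated(string name) =>
        _db.Products
           .FromSqlInterpolated($"SELECT * FROM Products WHERE Name = {name} AND Published = 1")
           .ToList();

    // SAFE: ordinary LINQ. EF Core generates the SQL and parameterizes the captured variable.
    public List<Product> SearchLinq(string name) =>
        _db.Products
           .Where(p => p.Name == name && p.Published)
           .ToList();

    // SAFE: raw SQL with explicit placeholders, for cases LINQ cannot express.
    // {0} is a parameter placeholder here, not string formatting.
    public List<Product> SearchRawParameterized(string name) =>
        _db.Products
           .FromSqlRaw("SELECT * FROM Products WHERE Name = {0} AND Published = 1", name)
           .ToList();
}
```

The difference between SearchUnsafe and SearchRawParameterized is one character, the $ prefix, which is why code review should flag any interpolated string passed to FromSqlRaw or ExecuteSqlRaw.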

12. Streams Deserialization can be tempered:

Deserialization is the reverse of serialization, the process of converting an object into a stream of bytes. We serialize on our own server to transfer or store objects, but we deserialize data that arrives from many sources, and such a stream can be crafted to be harmful.

The danger is greatest with serializers that let the payload choose which type to instantiate: BinaryFormatter, and Json.NET with TypeNameHandling set to anything other than None, will construct whatever type the attacker names, which is how deserialization turns into remote code execution.

To protect the application, deserialize untrusted input only into known, closed types with a serializer that ignores type names in the payload, limit the size and nesting depth it will accept, and validate the resulting object before using it.
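Added example, not code from the original article: an untrusted request body deserialized into a fixed, closed type with System.Text.Json, then validated with data annotations before the application touches it. OrderRequest and its limits are hypothetical; the two JSON inputs in Main are constructed. Assumes .NET Core 3.1. MVC's [ApiController] model binding does essentially this for you; the hand-rolled version shows the individual checks.

```csharp
// Added example: safe deserialization of untrusted JSON into a known type,
// with size, depth and content validation.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Text.Json;

// Closed contract: the payload cannot add members or pick a different type.
public class OrderRequest
{
    [Required, StringLength(64)]
    public string Sku { get; set; }

    [Range(1, 100)]
    public int Quantity { get; set; }

    [Required, RegularExpression("^[A-Z]{3}$")]
    public string Currency { get; set; }
}

public static class SafeDeserializer
{
    private static readonly JsonSerializerOptions Options = new JsonSerializerOptions
    {
        PropertyNameCaseInsensitive = true,
        MaxDepth = 16,              // refuse deeply nested payloads (default is 64)
        AllowTrailingCommas = false,
    };

    // Returns the validated object or throws. System.Text.Json never instantiates a
    // type named inside the payload, which is the property BinaryFormatter and
    // Json.NET's TypeNameHandling.All lack.
    public static OrderRequest Parse(string json)
    {
        if (json.Length > 4096) throw new ArgumentException("payload too large");

        var request = JsonSerializer.Deserialize<OrderRequest>(json, Options);
        if (request == null) throw new ArgumentException("empty payload");

        var problems = new List<ValidationResult>();
        var ok = Validator.TryValidateObject(request, new ValidationContext(request), problems, validateAllProperties: true);
        if (!ok) throw new ValidationException(string.Join("; ", problems.Select(p => p.ErrorMessage)));

        return request;
    }

    public static void Main()
    {
        // Constructed inputs: a valid order, then one whose quantity was tampered with.
        var good = Parse("{\"sku\":\"ABC-123\",\"quantity\":2,\"currency\":\"EUR\"}");
        Console.WriteLine($"accepted: {good.Sku} x{good.Quantity} {good.Currency}");

        try
        {
            Parse("{\"sku\":\"ABC-123\",\"quantity\":-5,\"currency\":\"EUR\"}");
        }
        catch (ValidationException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The three checks map to the three risks in the text: the fixed target type removes the type-confusion route, the size and depth limits stop resource-exhaustion payloads, and the annotations catch values that parse fine but are wrong for the business logic.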

13. Always keep your Framework & Libraries Updated:

Always keep the framework and the libraries used in your project updated. Never leave outdated libraries in your project, because attackers keep finding vulnerabilities in frameworks and libraries, and a published advisory is a ready-made attack plan against anyone who has not patched.

Check for updates to the NuGet packages in your project and keep them all current: dotnet list package --outdated lists what is behind, and newer SDKs add dotnet list package --vulnerable to flag packages with known advisories. Run this in CI so the check happens on every build, not only when someone remembers.

Conclusion

In this article, I have tried to make our application more secure by following these security practices.

.NET Core is considered one of the more secure frameworks, but we still have to keep an eye on the activity in our application and act quickly on any sign of malicious behaviour.

Has this article been useful to you? Please share extensively; we also welcome feedback on content you would like us to cover.


Sonu Kumar

Software Consultant interested in Microservices / Serverless computing, Middleware / SOA, Event Driven Architecture & Machine Learning.