Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Mar 3, 2013

Some important ASP.NET 4.5 security improvements

The .NET 4.5 framework was released a couple of months ago and it included several improvements in the security area. To benefit from these improvements you need to make a few changes to your application's configuration file. The documentation is a bit scattered over MSDN and MSFT blogs, so I figured I'd collect the changes here for easy reference.

The ASP.NET team published a nice article on What's New in ASP.NET 4.5 and Visual Studio 2012. There you'll learn that:
  • There are changes to ASP.NET request validation: it now supports deferred (lazy) validation, as well as the option to read request data unvalidated.
  • The AntiXSS library is included in the framework.
However, there's no mention of two other important changes:
To take advantage of these new bits you'll have to do a bit of configuration, we'll get into that right away.

Switching to 4.5
While retargeting a couple of MVC applications to the new framework version, I learned that it's not enough to install the 4.5 framework and change the "Target framework" accordingly. You'll find that a comment appears in the web.config file:

<!--
    For a description of web.config changes for .NET 4.5 see http://go.microsoft.com/fwlink/?LinkId=235367.

    The following attributes can be set on the <httpRuntime> tag.

      <system.Web>

        <httpRuntime targetFramework="4.5" />

      </system.Web>
  -->
It's important that you set the targetFramework in your configuration file, otherwise your application will run in "4.0" mode. Levi Broderick explains the effect of setting this attribute in: All about <httpRuntime targetFramework>.

Enabling AntiXss
You'd want to set the AntiXss library as the default encoder — that can easily be done in the httpRuntime configuration element:
<httpRuntime targetFramework="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Note that there can be side effects to this, as AntiXSS takes a whitelist approach to encoding. That means characters that weren't encoded before may now be encoded by AntiXSS.

Request validation
Lazy validation was introduced in ASP.NET 4.5. I just did some testing on it, and it seems that lazy validation is enabled regardless of how you set the "requestValidationMode" once you've installed the 4.5 framework. However, if you need access to any request parameters unvalidated, you'll need to set the validation mode to "4.5", as such:

<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />

This will give you access to the unvalidated collections of parameters, e.g.:
Request.Unvalidated.QueryString["lastName"];

This is a much better approach than disabling request validation altogether. But use it with care; as always, you should thoroughly validate the input.
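As an added example (not code from the original post), here is an ASP.NET MVC 4 controller action that reads a single form field through Request.Unvalidated and still treats it as untrusted, while the rest of the request stays under lazy validation. It assumes the web.config settings shown above (targetFramework="4.5", requestValidationMode="4.5" and encoderType pointing at AntiXssEncoder); the controller, field names and length limit are hypothetical.

```csharp
// Added example, not from the original post. Assumes web.config contains
// <httpRuntime targetFramework="4.5" requestValidationMode="4.5"
//   encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, ..." />
using System.Web.Mvc;
using System.Web.Security.AntiXss;

public class CommentsController : Controller
{
    private const int MaxBodyLength = 4000; // hypothetical application limit

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create()
    {
        // Lazy validation: nothing is checked until a value is actually read.
        // Reading "subject" through the normal collection still throws
        // HttpRequestValidationException if it contains something like "<script>".
        string subject = Request.Form["subject"];

        // Opt out for this one field only, instead of [ValidateInput(false)] on the
        // whole action or requestValidationMode="2.0" for the whole site.
        // A body such as "use x<y, not x>y" is legitimate here but would fail validation.
        string body = Request.Unvalidated.Form["body"] ?? string.Empty;

        if (body.Length > MaxBodyLength)
        {
            ModelState.AddModelError("body", "Comment is too long.");
            return View();
        }

        // The value is still attacker-controlled: encode it on output and never hand
        // it to Html.Raw. AntiXssEncoder works from a short safe list (letters, digits
        // and a few punctuation marks); everything else becomes an entity, so
        // "x<y, not x>y" renders as "x&lt;y, not x&gt;y". With encoderType set in
        // web.config, Razor's @ and Html.Encode go through the same encoder.
        ViewBag.Subject = subject;
        ViewBag.EncodedBody = AntiXssEncoder.HtmlEncode(body);
        return View();
    }
}
```

Keeping the opt-out to one named field means a request-validation exception on any other parameter still surfaces as usual, which is the main reason this is preferable to turning validation off for the action or the site.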

Cryptographic improvements
You read Cryptographic Improvements in ASP.NET 4.5 right? If not, do it now. Seriously!

WIF 4.5
WIF is now part of the framework — that meant some breaking changes. It shouldn't take too much time to upgrade though, particularly if you're only concerned with RPs (relying parties). There's a great article on MSDN with Guidelines for Migrating an Application Built Using WIF 3.5 to WIF 4.5.

There are two apparent changes I'd like to point out. First, you no longer need to set the "requestValidationMode" to "2.0" to cope with the request validation exceptions on the SignInResponseMessages posted from an STS. WIF 4.5 plays nicely with the 4.5 request validation. Second, WIF now includes a MachineKeySessionSecurityTokenHandler which encrypts and MACs WIF cookies based on the machine key. You'll find everything you need to set it up in: WIF and Web Farms.
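As an added example (not code from the original post or from the linked MSDN article, which shows the equivalent web.config change), here is how the MachineKeySessionSecurityTokenHandler can be registered from Global.asax.cs using WIF 4.5's FederationConfigurationCreated event. The application class name is the usual MVC template one and is an assumption.

```csharp
// Added example, not from the original post. Registers the machine-key based
// session token handler from code; the linked "WIF and Web Farms" article shows
// the <securityTokenHandlers> web.config alternative.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Tokens;

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // Raised once, when WIF builds its configuration from <system.identityModel>.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        var handlers = e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;

        // The default SessionSecurityTokenHandler protects the session cookie with
        // DPAPI, which is per machine, so a cookie issued by one farm node cannot be
        // read on another. MachineKeySessionSecurityTokenHandler encrypts and MACs
        // the cookie with the <machineKey> instead, which every node in the farm
        // shares (so the farm must use an explicit, identical <machineKey>).
        handlers.AddOrReplace(new MachineKeySessionSecurityTokenHandler());
    }
}
```

AddOrReplace swaps out the default handler for the same token type, so no separate remove step is needed in code, unlike the configuration-file variant.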

And that's it. ASP.NET 4.5 includes several nifty security features, put them to use ASAP!


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
