Developing Secure Web Applications
Delivery Guide
Course Number: 2300A
Part Number: X08-91681
Released: 06/2002
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail,
JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and
Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Introduction
Course Materials
Prerequisites
Course Outline
Setup
Lab Scenario
Microsoft Official Curriculum
Microsoft Certified Professional Program
Facilities
Module 1: Introduction to Web Security
Overview
Lesson: Why Build Secure Web Applications?
Lesson: Using the STRIDE Model to Determine Threats
Lesson: Implementing Security: An Overview
Review
Module 2: Planning for Web Application Security
Overview
Lesson: A Design Process for Building Secure Web Applications
Review
Module 3: Validating User Input
Overview
Lesson: User Input
Lesson: Types of User Input Attacks
Lesson: Performing Validation
Lesson: Revealing As Little Information As Possible to Users
Review
Lab 3: Verifying User Input
Module 4: Internet Information Services Authentication
Overview
Lesson: Introduction to Web Client Authentication
Lesson: Configuring Access Permissions for a Web Server
Lesson: Selecting a Secure Client Authentication Method
Lesson: Running Services As an Authenticated User
Review
Lab 4: Authentication and Access Control
Module 5: Securing Web Pages
Overview
Lesson: ASP Forms-Based Authentication
Lesson: .NET Code Access and Role-Based Security
Lesson: Overview of ASP.NET Authentication Methods
Lesson: Working with Windows-Based Authentication in ASP.NET
Lesson: Working with ASP.NET Forms-Based Authentication
Review
Lab 5: Securing Web Pages
Module 6: Securing File System Data
Overview
Lesson: Overview of Securing Files
Lesson: Windows Access Control
Lesson: Creating ACLs Programmatically
Lesson: Protecting ASP.NET Web Application Files
Review
Lab 6: Securing Files with ACLs
Module 7: Securing Microsoft SQL Server
Overview
Lesson: SQL Server Connections and Security
Lesson: SQL Server Role-Based Security
Lesson: Securing SQL Server Communication
Lesson: Preventing SQL Injection Attacks
Review
Lab 7: Securing Microsoft SQL Server Data
Module 8: Protecting Communication Privacy and Data Integrity
Overview
Lesson: Introduction to Cryptography
Lesson: Working with Digital Certificates
Lab 8.1: Obtaining a Server Certificate
Lesson: Using the Secure Sockets Layer/Transport Layer Security Protocols
Lesson: Using Internet Protocol Security
Review
Lab 8.2: Protecting Communication Privacy and Data Integrity
Course Evaluation
Module 9: Encrypting, Hashing, and Signing Data
Overview
Lesson: Encryption and Digital Signing Libraries
Lesson: Using CAPICOM
Lesson: Using the System.Security.Cryptography Namespace to Hash Data
Lab 9: Hashing Data
Lesson: Using the System.Security.Cryptography Namespace to Encrypt and Sign Data
Review
Module 10: Testing Web Applications for Security
Overview
Lesson: Testing Security in a Web Application
Lesson: Creating a Security Test Plan
Lesson: Performing Security Testing
Review
Lab 10: Test Cases for Security Testing
Course Evaluation
Appendix: Isolated Storage
About This Course
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.
Description
This course teaches developers the knowledge and skills that are required to
build Web applications by using secure coding techniques and the security
mechanisms that are provided in Microsoft® Windows® 2000, Internet
Information Services (IIS), and Microsoft SQL Server™ 2000. Students will
learn how to identify Web application security vulnerabilities and choose the
appropriate security methods to protect against these vulnerabilities. Students
will also get hands-on experience in creating secure Web applications by using
Active Server Pages (ASP) and Microsoft ASP.NET.
Audience
This course is intended for individuals who are responsible for the design and
development of Web applications. These individuals typically have three to five
years of experience in developing or designing distributed Web applications.
Actual job roles and titles will vary throughout the technology industry, and
may include, but may not be limited to, Web developers and solutions
architects.
Student prerequisites
This course requires that students meet the following prerequisites:
• Familiarity with N-tier application architecture
• Experience in developing or designing Web applications
• Experience with one of the following programming languages:
  • Microsoft Visual Basic®
  • C#
  • Microsoft Visual Basic .NET
• Experience in writing server-side and client-side scripts by using one or
  both of the following technologies:
  • ASP
  • ASP.NET
• Familiarity with both of the following Microsoft products and technologies
  is recommended:
  • SQL Server 2000
  • IIS
Course objectives
After completing this course, students will be able to:
• Define the basic principles of, and motivations for, Web security.
• Perform a threat analysis on Web-accessible assets.
• Secure their Web applications by validating user input.
• Select the best IIS authentication method for a given set of requirements.
• Implement forms-based authentication in both ASP and ASP.NET Web
  applications.
• Protect file system data by using the features that are available in
  Windows 2000.
• Use the SQL Server security model and Microsoft ADO.NET to protect a
  Web application against attacks.
• Protect the portions of a Web application that require private
  communications by using Secure Sockets Layer (SSL) security.
• Use the CAPICOM cryptographic library and the
  System.Security.Cryptography namespace to encrypt, hash, and sign data.
• Employ a structured approach to testing for Web application security.
Course Timing
The following schedule is an estimate of the course timing. Your timing may
vary.
Day 1
Start   End     Module
8:30    9:00    Introduction
9:00    10:15   Module 1: Introduction to Web Security
10:15   10:30   Break
10:30   11:30   Module 2: Planning for Web Application Security
11:30   12:30   Lunch
12:30   2:00    Module 3: Validating User Input
2:00    2:15    Break
2:15    2:45    Lab 3: Verifying User Input
2:45    4:00    Module 4: Internet Information Services Authentication
4:00    4:15    Break
4:15    4:45    Lab 4: Authentication and Access Control
Day 2
Start   End     Module
8:30    8:45    Day 1 review
8:45    10:00   Module 5: Securing Web Pages
10:00   10:30   Lab 5: Securing Web Pages
10:30   10:45   Break
10:45   12:15   Module 6: Securing File System Data
12:15   1:15    Lunch
1:15    1:45    Lab 6: Securing Files with ACLs
1:45    3:00    Module 7: Securing Microsoft SQL Server
3:00    3:15    Break
3:15    3:45    Lab 7: Securing Microsoft SQL Server Data
Day 3
Start   End     Module
8:30    8:45    Day 2 review
8:45    9:45    Module 8: Protecting Communication Privacy and Data Integrity
9:45    10:00   Lab 8.1: Obtaining a Server Certificate
10:00   11:00   Module 8: Protecting Communication Privacy and Data Integrity (continued)
11:00   11:15   Lab 8.2: Protecting Communication Privacy and Data Integrity
11:15   11:30   Break
11:30   12:45   Module 9: Encrypting, Hashing, and Signing Data
12:45   1:45    Lunch
1:45    2:45    Lab 9: Hashing Data
2:45    3:00    Break
3:00    3:45    Module 10: Testing Web Applications for Security
3:45    4:15    Lab 10: Test Cases for Security Testing
Trainer Materials Compact Disc Contents
The Trainer Materials compact disc contains the following files and folders:
• Autorun.exe. When the compact disc is inserted into the compact disc drive,
  or when you double-click the Autorun.exe file, this file opens the compact
  disc and allows you to browse the Student Materials or Trainer Materials
  compact disc.
• Autorun.inf. When the compact disc is inserted into the compact disc drive,
  this file opens Autorun.exe.
• Default.htm. This file opens the Trainer Materials Web page.
• Readme.txt. This file explains how to install the software for viewing the
  Trainer Materials compact disc and its contents and how to open the Trainer
  Materials Web page.
• 2300A_MS.doc. This file is the Manual Classroom Setup Guide. It contains
  the steps for manually setting up the classroom computers.
• Powerpnt. This folder contains the Microsoft PowerPoint® slides that are
  used in this course.
• Pptview. This folder contains the Microsoft PowerPoint Viewer 97, which
  can be used to display the PowerPoint slides if Microsoft PowerPoint 2002
  is not available. Do not use this version in the classroom.
• Setup. This folder contains the files that install the course and related
  software to computers in a classroom setting.
• StudentCD. This folder contains the Web page that provides students with
  links to resources pertaining to this course, including additional reading,
  review and lab answers, lab files, multimedia presentations, and
  course-related Web sites.
• Tools. This folder contains files and utilities used to complete the setup of
  the instructor computer.
• Webfiles. This folder contains the files that are required to view the course
  Web page. To open the Web page, open Windows Explorer, and in the root
  directory of the compact disc, double-click Default.htm or Autorun.exe.
Student Materials Compact Disc Contents
The Student Materials compact disc contains the following files and folders:
• Autorun.exe. When the compact disc is inserted into the CD-ROM drive, or
  when you double-click the Autorun.exe file, this file opens the compact
  disc and allows you to browse the Student Materials compact disc.
• Autorun.inf. When the compact disc is inserted into the compact disc drive,
  this file opens Autorun.exe.
• Default.htm. This file opens the Student Materials Web page. It provides
  you with resources pertaining to this course, including additional reading,
  review and lab answers, lab files, multimedia presentations, and
  course-related Web sites.
• Readme.txt. This file explains how to install the software for viewing the
  Student Materials compact disc and its contents and how to open the
  Student Materials Web page.
• 2300A_MS.doc. This file is the Manual Classroom Setup Guide. It contains
  a description of classroom requirements, classroom setup instructions, and
  the classroom configuration.
• Democode. This folder contains demonstration code.
• Flash. This folder contains the installer for the Macromedia Flash 5.0
  browser plug-in.
• Fonts. This folder contains fonts that may be required to view Microsoft
  Word documents that are included with this course.
• Labfiles. This folder contains files that are used in the hands-on labs. These
  files may be used to prepare the student computers for the hands-on labs.
• Media. This folder contains files that are used in multimedia presentations
  for this course.
• Mplayer. This folder contains the setup file to install Microsoft
  Windows Media™ Player.
• Practices. This folder contains files that are used in the hands-on practices.
• Webfiles. This folder contains the files that are required to view the course
  Web page. To open the Web page, open Windows Explorer, and in the root
  directory of the compact disc, double-click Default.htm or Autorun.exe.
• Wordview. This folder contains the Microsoft Word Viewer that is used to
  view any Word document (.doc) files that are included on the compact disc.
Document Conventions
The following conventions are used in course materials to distinguish elements
of the text.
Convention      Use
Bold            Represents commands, command options, and syntax that must
                be typed exactly as shown. It also indicates commands on menus
                and buttons, dialog box titles and options, and icon and menu
                names.
Italic          In syntax statements or descriptive text, indicates argument
                names or placeholders for variable information. Italic is also
                used for introducing new terms, for book titles, and for emphasis
                in the text.
Title Capitals  Indicate domain names, user names, computer names, directory
                names, and folder and file names, except when specifically
                referring to case-sensitive names. Unless otherwise indicated,
                you can use lowercase letters when you type a directory name or
                file name in a dialog box or at a command prompt.
ALL CAPITALS    Indicate the names of keys, key sequences, and key
                combinations — for example, ALT+SPACEBAR.
monospace       Represents code samples or examples of screen text.
[]              In syntax statements, enclose optional items. For example,
                [filename] in command syntax indicates that you can choose to
                type a file name with the command. Type only the information
                within the brackets, not the brackets themselves.
{}              In syntax statements, enclose required items. Type only the
                information within the braces, not the braces themselves.
|               In syntax statements, separates an either/or choice.
!               Indicates a procedure with sequential steps.
...             In syntax statements, specifies that the preceding item may be
                repeated.
.               Represents an omitted portion of a code sample.
.
.