Preventing Page Review after Logout with Forms Authentication

My latest ASP Alliance article has been published today:

Preventing Page Review after Logout with Forms Authentication

The inclusion of Forms Authentication in the .NET Framework has been a significant benefit to developers securing web-based applications. While pages can be secured server-side, local caching by browsers and proxy servers may allow a user to review information even after they have logged out. In some cases, this may present a risk to the user’s confidential information. This article discusses three HTTP headers that can be used to prevent local caching of web pages, adding some protection to the user’s data.

Read more:

Cross Site Scripting (XSS) Attacks, SQL Injection and ASP.NET

“The biggest challenge to developing secure applications is that most programmers don’t know they’re writing insecure applications. Let’s look at a simple example, a forum-type application. However, any application that displays data entered by a user is a potential target.“ –Brad McCabe, XSS Happens

For an introduction to securing ASP.NET sites, check out Dino Esposito’s article “Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks“.

Dino summarizes the most common types of Web attacks and describes how Web developers can use built-in features of ASP.NET to increase security.

Perhaps one of the most dangerous and overlooked attacks is the SQL Injection attack.  It’s very easy to overlook how an attacker can exploit seemingly harmless SQL code, especially if a developer’s experience and understanding of SQL is less than expert.  There are a number of articles available, including:

Stop SQL Injection Attacks Before They Stop You (MSDN Magazine, Sep 2004)
This article discusses:

  • How SQL injection attacks work
  • Testing for vulnerabilities
  • Validating user input
  • Using .NET features to prevent attacks
  • Importance of handling exceptions

Preventing SQL Injection Attacks

Keep your code secure against intruders. In this article we provide examples of SQL injection attacks and how you can write code to prevent them. Stop people from getting information from your database.

Are you still vulnerable to a SQL Injection attack?

SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems!
Despite being remarkably simple to protect against, there are an astonishing number of production systems connected to the Internet “fixed” the problem by hiding error data from the users but were left vulnerable to this type of attack!

Advanced SQL Injection In SQL Server Applications

This document discusses in detail the common ‘SQL injection’ technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be ‘injected’ into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack. The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications.

(more) Advanced SQL Injection

This paper addresses the subject of SQL Injection in a Microsoft SQL Server/IIS/Active Server Pages environment, but most of the techniques discussed have equivalents in other database environments. It should be viewed as a “follow up”, or perhaps an appendix, to the previous paper, “Advanced SQL Injection”.

The paper covers in more detail some of the points described in its predecessor, providing examples to clarify areas where the previous paper was perhaps unclear. An effective method for privilege escalation is described that makes use of the openrowset function to scan a network. A novel method for extracting information in the absence of ‘helpful’ error messages is described; the use of time delays as a transmission channel. Finally, a number of miscellaneous observations and useful hints are provided, collated from responses to the original paper, and various conversations around the subject of SQL injection in a SQL Server environment.  

One method to prevent SQL injection attacks is to use parameterized SQL queries.  This technique can be used for Access as well as SQL Server, and any other DB system that supports parameterized queries.  The example below demonstrates .NET with SQL Server, but the underlying examples should be easily adapatbale to whatever system you’re using.

Using parameterized SQL queries

Save yourself from SQL injection attacks and other nasty problems by passing along data in parameters.

The Curse and Blessing of Dynamic SQL

In this article I will discuss the of use dynamic SQL in stored procedures in MS SQL Server, and I will show that this is a powerful feature that you should use with care. I first discuss why we use stored procedures at all, before I explain the feature as such. I then look at the conflicts between the virtues of stored procedures and the effects of dynamic SQL. I also point to the common security issue known as SQL injection. I then move on to suggest some good coding practices. I conclude by reviewing a number of cases where dynamic SQL often is suggested as a solution, both where dynamic SQL is the way to go, and where it is a poor choice. For the latter cases, I suggest alternative strategies.

Dynamic Search Conditions in T-SQL

This article details the ways to use dynamic SQL in a stored procedure for searching Sql Server databases.  Written by a Microsoft MVP, there are a few topics that will be over the head of beginnning SQL programmers, but this is still an important read.  This is a follow-up to “The Curse and Blessing of Dynamic SQL“.

It is important to have a full understanding of all the risks that your web application faces.  For this, Microsoft has released a guide for developers and administrators.  You can purchase the guide from Amazon by clicking the links below, or click this link to download for free from Microsoft.

cover Improving Web Application Security: Threats And Countermeasures
This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.
cover Web Applications (Hacking Exposed)
This work covers all major Web applications platforms and focuses on vulnerabilities across different programming languages, including PHP, ASP, Perl, JavaScript and Java. It includes examples of security attacks and countermeasures in Web application software.
cover Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition (Hacking Exposed)
This text unveils the methods hackers use to break into systems, networks, and software, and suggest steps administrators can take to secure their computers at the different layers. The fourth edition covers the latest hacking methods and adds a chapter on 802.11 wireless networks. The DVD-ROM contains a video presentation with PowerPoint slides.

Is Dynamic SQL in Your Stored Procedures Vulnerable to SQL Injection?

We all should be familiar with the fact that concatenating user input directly into SQL statements is an open invitation to an SQL Injection attack.  Code such as
MySql = “Select * from Orders where Customer ID='” & txtCustomerId & “‘”
should be avoided.  If you need some more background information on SQL Injection attacks, I am building a reference at
.  This reference will be updated as time goes on–there are a few good references now, and I’ll post update notices to the security section of this blog.

The recommended practice for avoiding SQL Injection attacks is to use parameterized queries or stored procedures (sprocs), where user input is passed as parameters.  Since information in parameters is not treated as executable code, any SQL code conatined in the user input is rendered harmless.  Or is it?  This depends on what you do with that input inside of your sproc.

One of the common functions on a web site is querying a data store.  In advanced searches (those with more than a single input), it would be infeasible to create and mainatin an sproc for every combination of search critera.  Instead, one practice is to create an sproc that dynamically creates the SELECT statement based on the parameters passed to it.  Typically, there is an input parameter for each input on the search form, which is rendered optional by adding “=NULL” after the parameter declaration (e.g., @orderId int=NULL).  Then, the sproc uses a series of statements such as

 select @sql = @sql + ‘ AND order_id=’ + @orderId
to generate the complete SQL statement.  At the end of the sproc, the EXECUTE statement is used to query the database using the dynamically generated SQL statement.

I remember what a revolutionary concept dynamic SQL in an sproc was for me when I was learning to write SQL.  It opened up a whole new way of writing SQL code and handling advanced searches on my websites.  But did you catch the security problem in the previous SQL statement?  I didn’t at first, and in fact, I’ve been making this same security mistake for some time now.  It wasn’t until I finally listened to Kim Tripp on DotNetRocks that I realized the problem (download the show from, and fortunately I only have a few sprocs to rewrite and fix this problem.

Look carefully at the statement again.  It looks like the parameter is being used in the SQL statement, but in reality, the parameter’s value is being concatenated to the SQL statement.  The technique demonstrated above is no better than the technque we dismissed in the first paragraph.

After listening to Kim’s show, I did some digging around, and found an excellent reference on how to handle dynamic SQL in search queries at  In this article, Microsoft Sql Server MVP Erland Sommarskog details ways to use dynamic and static SQL to perform searches that have a number of possible combinations of inputs.

As Erland shows us, the correct way to use dynamic SQL in the situation I presented above is to concatenate another parameter into the SQL statement, as so:

 select @sql = @sql + ‘ AND

We then create a parameter list of these second parameters, as so:

SELECT @paramList = ‘@xorderId’

To finally execute the query, we execute a system sproc named sp_executesql.  As Erland states:

sp_executesql is a system procedure with a very special parameter list. The first parameter is a parameterized SQL statement. The second parameter is a parameter-list declaration, very similar to the parameter list to a stored procedure. And the remaining parameters are simply the parameters in that parameter-list parameter.

Our final statement would end up looking like:

EXECUTE sp_executesql @sql, @paramList, @orderId

And with this technique, our query is safe from malicious user input.  This whole process is outlined in detail in Erland’s article.

Since writing sprocs as outlined in Erland’s article can be tedious, I created a CodeSmith template that will do the work for you.  You only need to input the table you wish to query, and CodeSmith will generate a complete sproc for you.  You can then edit the sproc down, since it will include every column in the table.  You can find the template at

<update 2005-07-06: fixed DNR show link>

Free Certificates for Encrypting E-mail

Microsoft MVP Susan “The SBS Diva” Bradley gives a short overview about sending encrypted e-mails.  In her post, she says you have to purchase a digital certificate.  From some certificate authorities, you may have to do so, but Thawte offers free certificates for e-mail through their Web of Trust program.  When your certificate is issued, the name on the certificate is “Thawte Freemail Member”.  In order to have your name appear on the certificate, you need to get yourself notarized.  Basically, you meet up with a Thawte notary (I am one), who looks at two forms of identification and assigns you points.  You need 50 points to be notarized (I can assign up to 35, the maximum allowed), and then your certificates will contain your name.  There’s more information at the WOT site at

My DPAPI Example

In a recent posting to the aspnet-security group at ASP Advice, Julie Lerman asked:

Since the site is hosted on someone else’s server, I don’t believe that I can use DPAPI to encrypt the connection strings

Actually, you can, and I use DPAPI on a number of sites in shared hosting environments.  I typically use the machine store as the data protection store, rather than the user store, but that’s a personal habit when looking at the shared hosting environment.

One downside to the machine store is that anyone who has access to the same server can decrypt your application settings, unless you set an entropy value.  In my sample project, I set the entropy when the DPAPI helper is instantiated.

I mentioned I had a small project I use to encrypt connection strings using Carl Franklin’s DPAPI helper.  All I do is upload two DLLs and my ASPX to the site I’m working on, enter the connection string (or whatever), click Encrypt, and copy the output to the web.config.  When I’m done, I delete the DLLs and page so no one accidentally finds them.  You can find my little project at

To use my little project:

  1. Download and unzip Carl’s DPAPI helper from
  2. Download my dpapi example from  Unzip it to c:\inetpub\wwwroot\dpapi.
  3. Create an IIS application named dpapi (address will be http://localhost/dpapi) that points to c:\inetpub\wwwroot\dpapi. 
  4. Open the solution file in VS
  5. Add a reference to the DPAPI Helper DLL, found at <install>\DPAPIHelper\bin\DPAPIHelper.dll.  Make sure to use the dpapihelper.dll!  There is also a dpaphelper.dll (missing an ‘i’ in the name), and I’m not sure what that’s for.
  6. Recompile the project.
  7. Deploy the dpapihelper.dll and dpapi.dll to the site’s BIN folder, and dpapi.aspx to the site’s root folder.
  8. Load the dpapi.aspx page, and encrypt on!

Drop me a line or leave comments with any Q’s.

<update 2005-06-16>To use the DPAPI encrypted strings in your application, you need to include two lines of code, one is the constructor that starts “DIM dp…”, and the other is the dp.decrypt method call.  In the constructor, there is a short string passed in as a function argument.  This argument(sometimes called an “initialization vector“ or “secondary entropy“ or just “key“, I’m not 100% sure of the exact correct term so anyone works for me) has to be exactly the same in your app as in the DLL used to encrypt your strings.  Otherwise, you won’t be able to properly decrypt the information in your app.  I recommend changing the entropy if you use this example, and use a different one for each site.  Remember also to leave the DPAPIHelper.dll on your site if you plan to decrypt the encrypted values.</update>

Cool Idea To Thwart Phishing Attacks

The Wall St. Journal has an article today about one step Bank of America is taking to thwart phishing attacks:

First, the bank allows customers to “register” frequently-used machines, such as a home or office PC, with its online system. When customers use one of those computers to access the site, they are shown a picture after entering a username. If the picture matches the image the user chose when setting up the account, the customer knows they are in the right place, and then enters a password to access accounts.
When customers try to access accounts from a computer that Bank of America doesn’t recognize, the image doesn’t appear. Instead, users must answer a challenge question, like “What was your high school mascot?” The bank tracks computer IP addresses and also uses cookies to identify PCs.

The on-line article has a nice graphic that shows the UI part of the process.  It looks like if you save the cookie in your computer, you’ll go straight to the photo or challenge question, after which you can enter your passcode.  Otherwise, you’ll have an additional step of entering your user ID.

CAPTCHA Images for your website

I have a love/hate relationship with those CAPTCHA tests on websites.  I understand why, and am fascinated at just how good the human mind is at pattern resolution.  Yet, they’re additional typing.  Anything to foil a spambot I guess.

I was looking into adding a test into a project of my own, and I came across these references.  Examples of the first article are shown beneath it.

15 Seconds : Fighting Spambots with .NET and AI

This article explains how intelligent applications from Carnegie Mellon University and Berkeley researchers counter auto registration spam programs and how to build your own using ASP.NET & XML Web services.


A Generic CAPTCHA Image Tester

What’s unique here is my implementation – it’s generic enough to use in a classic ASP page, or in an ASP.NET page, it does NOT require the use of Session State, and that’s what makes it more useful. The key here is that we use an aspx page to generate the image, and we simply make our image tag’s src property point to this page.

The Code Project – CAPTCHA Image – ASP.NET

This article demonstrates how to create such an image and employ it within an ASP.NET web form.

The CAPTCHA Project Website – CMU School of Computer Science

CAPTCHA.NET is the homepage of CMU’s CAPTCHA Project

Formshield is a free .NET CAPTCHA control available at

Many thanks to Kevin Gearing!  There are some samples as well–very cool.

FormShield started out as a simple project with just one aim – to prevent automated form submission using dynamically generated images.

Not exactly a new idea – dynamically generated images requiring the user to enter the text found on the image have been around for quite a while (see, preventing automated sign-ups to free e-mail services such as HotMail and Yahoo, and automated whois lookups on domain names on sites such as Network Solutions.

Whilst some code exists on Code Project (, there didn’t however seem to be a free, easy-to-use and customisable control for ASP.NET with full designer integration that could generate the relevant images. So, looking for an excuse to delve into GDI+, FormShield was born and my idea of a ‘simple’ control was dropped…