The form authentication ticket is used to tell the ASP.NET application who you are. Thus, the ticket is the building block of Forms Authentication’s security. The ticket is encrypted and signed using the “machineKey” configuration element of the server’s Machine.config file. ASP.NET 2.0 uses the decryptionKey and the new decryption attribute of the machineKey element to encrypt forms authentication tickets.

Objective

The decryption attribute lets you specify the encryption algorithm to use. ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable. Tampering with the ticket value is determined by a failure to decrypt the ticket on the server. As a result, the user will be redirected to the logon page.
Learn about Network Enumeration

Scenario

To be a secure programmer, you must know how to protect your code and make it secure against vulnerabilities. To provide security to form your authentication ticket you must know the authentication and authorization processes.

.NET Authentication and Authorization

Secure Programming Exercises / .NET Authentication and Authorization contains the following Exercises:

  • Securing Forms Authentication Tickets
  • Securing Hash Generation
  • Securing Encryption Using AES
  • Securing Forms Authentication Cookies using SSL
  • Securing Form Authentication Credentials
  • Preventing Session Hijacking Using Cookieless Authentication
  • Securing the Authentication Token Using Sliding Expiration
  • Avoiding Forms Authentication Cookies from Persisting Using the DisplayRememberMe Property
  • Avoiding Forms Authentication Cookies from Persisting Using RedirectFromLoginPage Method
  • Avoiding Forms Authentication Cookies from Persisting Using the SetAuthCookie Method
  • Avoiding Forms Authentication Cookies from Persisting Using the GetRedirectUrl Method
  • Avoiding Forms Authentication Cookies Persistience Using the FormsAuthenticationTicket Constructor
  • Securing Passwords with minRequiredPasswordLength
  • Securing Passwords with minRequiredNonalphanumericCharacters
  • Securing Passwords with passwordStrengthRegularExpression
  • Restricting Number of Failed Logon Attempts
  • Securing the Application by Using Absolute URLs for Navigation
  • Securing Applications from Authorization Bypass Attacks
  • Creating Separate Folders for Secure Pages in the Application
  • Validating Passwords on the CreateUserWizard Control Using Regular Expressions

The Virtual Private Cloud for this Lab set utilizes:


Secure Programming Exercises are available as part of the following subscription:

CEHproductimage
Each subscription provides 6 months access to 68 Different Exercises. Each exercise contains a Scenario, Objectives, and individual step by step tasks to guide the user through all steps necessary to complete the exercise. The Secure Programming Exercises are designed to give the user an ultimate hands-on experience. Each exercise category above has it’s own Virtual Private Cloud that comes preconfigured with Vulnerable websites, Victim Machines, and the environment is LOADED with tools. Included in your network share are all the supporting tools required to practice in the Cyber Range / Lab environment.

Lab exercises are included for:

  • Input Validation and Output Encoding
  • .NET Authentication and Authorization
  • Secure Session and State Management
  • .NET Cryptography
  • .NET Error Handling, Auditing, and Logging
  • .NET Secure File Handling
  • .NET Configuration Management and Secure Code Review
Price: $199
Add to Cart
View Cart