Extra protection for ASPX pages

[Legato]

When hackers infiltrate a web server they will ussually try to add XSS
script code to the admin ASPX pages to try to take over the administrator's
machine. I was thinking: why doesn't Microsoft add a hash of the ASPX code
to the assembly of the web application to prevent tampering with the ASPX
page?

Legato

 

[Patrice]

Hello,

By default there is an exception if a user entered tags in a form field. See
:
http://msdn.microsoft.com/en-us/library/ms998274.aspx

Not sure what is the exact scenario you are talking about but the problem is
not with changing the assembly but in having a page displaying non validated
data (that happens to be a script). The page itself is not changed.

 

[Legato]

Hello,

By default there is an exception if a user entered tags in a form field.
See :
http://msdn.microsoft.com/en-us/library/ms998274.aspx

Not sure what is the exact scenario you are talking about but the problem
is not with changing the assembly but in having a page displaying non
validated data (that happens to be a script). The page itself is not
changed.

If the hackers altered the ASPX code this would be detected by the
web-assembly since the hashes wouldn't match. Off course you'd lose a
valueable feature .e.g being able to quickly edit the ASPX in case there's a
bug in them, so this security feature should be optional.

Legato

 

[Patrice]

Ok the XSS attack fooled me as I don't see why an attacker would bother with
an XSS attack if he is already able to alter files stored on your server...

Form a more general point of view, some company are AFAIK doing a copy and
periodically overwrite their production site in case someone would deface
the site.

Another option would be to sign your assemblies :
http://msdn.microsoft.com/en-us/library/ms228209.aspx

 

[Legato]

Ok the XSS attack fooled me as I don't see why an attacker would bother
with an XSS attack if he is already able to alter files stored on your
server...

I didn't mention it because I thought it was obvious: the web servers are
ussually located at a hosting provider and not inside the company they're
trying to attack. However, there's a good chance that the admin pages will
be accessed by an administrator located *inside* the company network!

Form a more general point of view, some company are AFAIK doing a copy and
periodically overwrite their production site in case someone would deface
the site.

Another option would be to sign your assemblies :
http://msdn.microsoft.com/en-us/library/ms228209.aspx

Signing would indeed protect the assemblies but not the ASPX pages. That's
why I suggested adding a hash of the corresponding web pages to the
assembly.

All is just my $0.02 and maybe someone at Microsoft will pick up my idea or
debunk it.

 

[Patrice]

Signing would indeed protect the assemblies but not the ASPX pages. That's

why I suggested adding a hash of the corresponding web pages to the
assembly.

Never tried but ultimately an ASPX page generates source code and gets
compiled into an assembly. So IMO it should work if you accept to have a
precompiled site.

Try http://connect.microsoft.com/. It's likely the best place to make
suggestion about the product...