Do the changes made in ASP .NET, from version 1.X to 2.0, improve
Written by Johan Gille
Department of Computer and Systems Sciences
Royal Institute of Technology
This thesis corresponds to 20 weeks of full-time work.
The problem, from a security perspective, with every Web application is that it is made
available to the public via the World Wide Web (WWW). The biggest challenge for a company
developing a Web platform is to make security countermeasures as easy as possible for Web
application developers to implement. This is exactly what Microsoft has tried to achieve with its
new release of Microsoft .NET (2.0).
The thesis is written to be as clear and simple as possible. The basic idea is to divide the most
common Web application vulnerabilities into categories and then tackle them systematically, one
by one. This gives a good overview of each category's main threats and of the corresponding
ASP .NET countermeasures in both version 1.X and 2.0.
To summarize the changes made from ASP .NET 1.X to ASP .NET 2.0, one can say that Microsoft
has "patched" most of the shortcomings in ASP .NET 1.X: the HttpOnly cookie attribute is now
supported, AES encryption is now available for forms authentication, and it is now possible to
encrypt parts of .config files. The biggest change, though, is the prebuilt features, such as auditing
and logging, authentication and authorization. The reason they are prebuilt is to increase
productivity, which in turn, indirectly, increases security. The idea is very good from a security
perspective if you intend to start from scratch and have no intention of implementing anything
yourself, but if you already have a database you have to rewrite some of the chosen provider's
code or create a provider of your own.
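The settings summarized above (HttpOnly cookies, AES for the forms-authentication ticket, encrypted configuration sections and the prebuilt membership and health-monitoring providers) are all switched on in web.config. The fragment below is an added illustration, not taken from the thesis or from any Microsoft sample; the application path, connection string name and database name are constructed placeholders, and the provider-specific limits (password length, lockout window) are example values chosen here, not recommendations from the thesis.

```xml
<?xml version="1.0"?>
<!-- Added example web.config for ASP.NET 2.0 (not from the thesis).
     "ExampleDb" and "/ExampleApp" are constructed placeholder names. -->
<configuration>

  <!-- Connection strings are kept in their own section so that this section
       alone can be encrypted with the Protected Configuration feature, e.g.:
         aspnet_regiis -pe "connectionStrings" -app "/ExampleApp"
       After that command the plaintext below is replaced by an
       <EncryptedData> element and decrypted transparently at runtime. -->
  <connectionStrings>
    <add name="ExampleDb"
         connectionString="Server=(local);Database=ExampleDb;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>

    <!-- New in 2.0: mark every cookie HttpOnly (not readable from script)
         and refuse to send cookies over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Forms authentication: protection="All" encrypts and signs the ticket. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20"
             cookieless="UseCookies" />
    </authentication>

    <!-- Deny anonymous users everywhere by default; open pages explicitly
         with <location> elements. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- decryption="AES" is the 2.0 addition; 1.X only offered 3DES here.
         AutoGenerate keys are fine for a single server; a web farm needs
         an explicit, shared key pair (then encrypt this section too). -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1"
                decryption="AES" />

    <!-- Prebuilt authentication: the SQL membership provider, pointed at
         the application's own database via the connection string above. -->
    <membership defaultProvider="ExampleMembership">
      <providers>
        <clear />
        <add name="ExampleMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExampleDb"
             applicationName="/ExampleApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- Prebuilt authorization: role manager backed by the same database. -->
    <roleManager enabled="true" defaultProvider="ExampleRoles">
      <providers>
        <clear />
        <add name="ExampleRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExampleDb"
             applicationName="/ExampleApp" />
      </providers>
    </roleManager>

    <!-- Prebuilt auditing and logging: health monitoring writes failed
         logins and other failure audits to the Windows event log. -->
    <healthMonitoring enabled="true">
      <rules>
        <add name="Failure Audits to Event Log"
             eventName="Failure Audits"
             provider="EventLogProvider"
             profile="Default" />
      </rules>
    </healthMonitoring>

  </system.web>
</configuration>
```

The point the thesis makes about existing databases shows up in the two `connectionStringName="ExampleDb"` lines: the SQL providers expect the aspnet_regsql schema in that database, so an application with its own user tables either adapts to that schema or replaces the provider `type` with a custom class, which is where the productivity gain is partly lost.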
The only thing that I really miss, from a security perspective, is a default implementation