Application Security Testing: An Integral Part of DevOps
During development, ASP.NET developers rarely think about the web server: Visual Studio ships a built-in development server that hosts the application while it is being written.
In production, however, the application has to be hosted on a real web server before end users can reach it, and for ASP.NET the natural choice is Microsoft's own web server, Internet Information Services, better known as IIS.
According to the monthly Netcraft web server survey (Netcraft is an Internet research company), IIS holds second place. You can view the August 2010 survey results here. The top five list at the time of writing is shown below.
A brief look at IIS history shows the timeline of its versions and the Windows release each shipped with. Visit http://www.microsoftbob.com for the complete history.
- 1995 - IIS 1.0 (free add-on for Windows NT 3.51)
- 1996 - IIS 2.0 (Windows NT 4.0)
- 1996 - IIS 3.0 (Windows NT 4.0 Service Pack 2; introduced Active Server Pages)
- 1997 - IIS 4.0 (Windows NT 4.0 Option Pack)
- 2000 - IIS 5.0 (Windows 2000)
- 2001 - IIS 5.1 (Windows XP Professional)
- 2003 - IIS 6.0 (Windows Server 2003)
- 2008 - IIS 7.0 (Windows Server 2008; shipped earlier with Windows Vista)
- 2009 - IIS 7.5 (Windows 7 and Windows Server 2008 R2)
IIS 7 introduces a modular architecture, a much improved management user interface, tighter ASP.NET integration and an integrated request-processing pipeline. The server is split into functional modules, each of which can be installed, configured and managed on its own.
This modular design makes installation and upgrades simpler, and it has a security benefit as well: a server carries only the modules it actually needs, so components that are not installed (FTP, CGI, directory browsing, and so on) present no attack surface. The IIS 7 section under Windows Features shows the breakdown.
As the feature list shows, the FTP server, web management tools, health and diagnostics, and performance features are separate, individually manageable components.
The performance and the health and diagnostics sections in particular are rich and powerful.
Now let us look at the features of IIS 7 that could be handy to the ASP.NET developer community:
Creating New Websites
IIS 7 on Windows Vista or Windows 7 allows you to create multiple websites. Earlier client versions (IIS 5.1 on Windows XP) allowed only one site; multiple sites required a server edition of Windows. Testing several websites on different port numbers on a developer machine is therefore easy now.
Request Processing Pipeline
The new version of IIS no longer relies on two separate pipelines, one for IIS and one for ASP.NET, to process a request. Integrated mode provides a single request-processing pipeline in which native IIS modules and managed ASP.NET modules run side by side. A Classic mode that keeps the old two-pipeline behaviour is still available per application pool for compatibility with older applications.
Configure ASP.NET Properties
Various ASP.NET settings such as authentication, authorization and roles can be configured through the ASP.NET section in the workspace pane (middle section) of IIS Manager.
XML Driven IIS Metabase
IIS 7 is driven by an XML-based configuration store, which replaces the binary metabase used by earlier versions. With the old metabase, an edit that corrupted the file could leave you reinstalling IIS altogether.
Because the configuration is plain XML, it can be backed up and restored (with appcmd add backup and appcmd restore backup, or simply by copying the file), or copied from another valid IIS 7 server. Restoring a backup brings back the websites and virtual directories that existed at the time of the backup.
The file is called applicationHost.config and lives in X:\Windows\System32\inetsrv\config, where X is the system drive. Open it and you will be struck by its simplicity: websites, virtual directories, bindings, application pools, caching and default documents are all editable XML. Bear in mind that the file also holds sensitive data such as application pool identities and virtual directory credentials, so keep its access restricted to administrators and never copy it into a location readable by ordinary users.
So how does this help an ASP.NET developer?
It does so by following the same model as the web configuration file (web.config), which lets the ASP.NET developer override the defaults at each level of the hierarchy. Yes, you guessed it: we are talking about appSettings.
You can define website-level app settings that apply to all applications under the site, and still override them in individual child applications.
Create an application setting for the default web site.
Right-click in the workspace area, choose "Add" from the context menu, and give the setting a name and value. It appears as below:
Now select any application under this website and open its Application Settings: the inherited entries are listed there. You can override them in the child application, and when you do, IIS writes the overriding entries into that application's web configuration file.
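The same inheritance written out as configuration, as an added example that is not part of the original article. It shows a site-level web.config, the child application's web.config that overrides one inherited key, and how to stop a section from flowing down into child applications at all. The site path, the application name ChildApp, the key names and the connection string are all constructed for illustration.

```xml
<!-- Added example, not from the original article.
     File 1: site-level web.config, e.g. C:\inetpub\wwwroot\web.config
     (hypothetical path and key names). -->
<configuration>
  <appSettings>
    <add key="ApiBaseUrl" value="https://api.example.internal/" />
    <add key="LogLevel"   value="Warning" />
  </appSettings>

  <!-- Anything defined here inherits into every child application.
       Settings that must NOT flow down (here a constructed connection string)
       go inside a location element with inheritInChildApplications="false". -->
  <location path="." inheritInChildApplications="false">
    <connectionStrings>
      <add name="Billing"
           connectionString="Server=sql01;Database=Billing;Integrated Security=SSPI" />
    </connectionStrings>
  </location>
</configuration>

<!-- File 2: child application web.config, e.g. C:\inetpub\wwwroot\ChildApp\web.config.
     This is what IIS Manager writes when you override an inherited setting. -->
<configuration>
  <appSettings>
    <!-- Override the inherited value. remove + add is the unambiguous form;
         a bare add with the same key also replaces the inherited value. -->
    <remove key="LogLevel" />
    <add key="LogLevel" value="Debug" />

    <!-- A key that exists only in the child application. -->
    <add key="FeatureFlagNewCheckout" value="false" />
  </appSettings>
</configuration>
```

The effective appSettings seen by ChildApp are ApiBaseUrl (inherited), LogLevel=Debug (overridden) and FeatureFlagNewCheckout (its own), while the Billing connection string is invisible to it. Keep secrets at the narrowest scope that needs them: every child application, possibly running under a different application pool identity and written by a different team, sees every value that inherits from the site.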
Compression of Dynamically Generated Content
ASP.NET developers have traditionally resorted to external libraries to compress dynamically generated ASP.NET content. With IIS 7 it is a few clicks away: click the Compression button under the IIS section in the workspace pane.
Enable dynamic content compression and static content compression to reduce the bandwidth needed to deliver responses and improve the perceived performance of your website. Dynamic compression costs CPU on every request, so keep an eye on CPU usage on busy servers.
IIS 7.0 Output Cache
The output cache in IIS 7 can cache dynamic content from an ASP.NET application and is a strong alternative to the ASP.NET output cache, because it sits in the web server itself (and optionally in the HTTP.sys kernel-mode cache) in front of the managed pipeline. It also exposes programmatic access. You can read more about this in TechNet Magazine; the link to the write-up is provided at the end of this article.
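The compression and output-cache settings from the two sections above as configuration, added here as an example that is not part of the original article. The MIME types, the 30-second duration and the .aspx profile are assumptions for a typical site; the httpCompression section can only be defined in applicationHost.config, so it is shown separately from the per-site web.config.

```xml
<!-- Added example, not from the original article.
     Fragment 1: applicationHost.config (server-wide). httpCompression cannot be
     set in a site web.config, so the type lists live here. -->
<system.webServer>
  <httpCompression>
    <dynamicTypes>
      <add mimeType="text/*"           enabled="true" />
      <add mimeType="application/json" enabled="true" />
      <add mimeType="*/*"              enabled="false" />
    </dynamicTypes>
    <staticTypes>
      <add mimeType="text/*"                 enabled="true" />
      <add mimeType="application/javascript" enabled="true" />
      <add mimeType="*/*"                    enabled="false" />
    </staticTypes>
  </httpCompression>
</system.webServer>

<!-- Fragment 2: the site's web.config. This is what the Compression and
     Output Caching buttons in IIS Manager write. -->
<configuration>
  <system.webServer>
    <!-- Turn compression on for this site (static and dynamic). -->
    <urlCompression doStaticCompression="true" doDynamicCompression="true" />

    <!-- IIS output cache: keep rendered .aspx output for 30 seconds in the
         user-mode cache, one entry per distinct query string, so ?id=1 and
         ?id=2 never share a cached page. kernelCachePolicy="DontCache"
         keeps these responses out of the HTTP.sys kernel cache, which cannot
         vary by header or cookie and would hand one user's page to everyone. -->
    <caching enabled="true" enableKernelCache="true">
      <profiles>
        <add extension=".aspx"
             policy="CacheForTimePeriod"
             kernelCachePolicy="DontCache"
             duration="00:00:30"
             varyByQueryString="*" />
      </profiles>
    </caching>
  </system.webServer>
</configuration>
```

Two caveats before copying this to a production site: do not put pages that render per-user data behind a CacheForTimePeriod profile unless they vary by everything that identifies the user, and be aware that compressing a dynamic response which contains a secret (for example an anti-forgery token) alongside attacker-influenced input lets the compressed length leak information about that secret over TLS, so consider leaving such pages uncompressed.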
ASP.NET Features For All Content
ASP.NET functionality such as authentication and authorization now applies to static files too; that is, all ASP.NET features can be applied to all kinds of content. This removes the hassle of maintaining separate mechanisms to protect different kinds of files. It is only available in Integrated pipeline mode, and only when the managed module in question is registered to run for all requests rather than just for requests handled by managed handlers (the default registration of the ASP.NET modules carries a managedHandler precondition). As stated earlier, you can now cache the output of classic ASP pages in the same way as ASP.NET pages, and the same holds for authorization, roles and the other ASP.NET features.
IIS Modules To Intercept and Modify the Request-Processing Pipeline
It is now possible to write IIS 7 Modules that can intercept and modify the request processing pipeline stages. You can now choose to do the following:
- Intercept Requests - URL Rewriting
- Modify Requests - Modifying Request header
- Filter Response
An IIS 7 module plays the role that ISAPI filters played in earlier versions. A managed module implements the System.Web.IHttpModule interface (native modules use the C++ module API instead) and is registered in the modules section of the configuration, which lets you extend the web server with your own modules.
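The registration side of the two previous sections (applying ASP.NET authentication and authorization to static files, and plugging a custom IHttpModule into the pipeline) as one web.config, added here as an example that is not part of the original article. The module Demo.HeaderModule in assembly Demo is hypothetical and assumed to be an already compiled IHttpModule; the login page and the requireSSL setting are assumptions.

```xml
<!-- Added example, not from the original article. Application web.config for an
     application running in an Integrated-mode application pool. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Hypothetical login page; requireSSL keeps the auth cookie off plain HTTP. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
    <authorization>
      <!-- Deny anonymous users. With the module changes below this applies to
           /reports/q3.pdf and /docs/plan.docx, not only to .aspx pages. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <system.webServer>
    <modules>
      <!-- In applicationHost.config these modules are registered with
           preCondition="managedHandler", so by default they run only for
           requests that reach a managed handler (.aspx, .ashx, ...) and a
           static file is served without any authentication or authorization.
           Re-registering them here without the precondition makes them run
           for every request in this application. Do the same for RoleManager
           if roles are used in the authorization rules. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />

      <!-- A custom managed module (hypothetical Demo.HeaderModule implementing
           System.Web.IHttpModule, compiled into Demo.dll in the bin folder).
           Registered without a precondition, so it also sees static content. -->
      <add name="HeaderModule" type="Demo.HeaderModule, Demo" />
    </modules>
  </system.webServer>
</configuration>
```

The heavier alternative is a single attribute, modules runAllManagedModulesForAllRequests="true", which drops the managedHandler precondition for every managed module at once; it is simpler but adds managed overhead to each image and script request, so re-registering only the modules you need is the usual choice. Either way, verify the result with an anonymous request for a static file and confirm it is redirected to the login page rather than served.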
Secure Applications With IIS 7 Security Features
IIS 7 provides several security features that make your application less exposed to malicious requests. One example is the Allow double escaping option of request filtering. It is a Boolean property that controls whether IIS accepts a request URL that still contains percent-encoded characters after it has been decoded once (for example %252e, which decodes to %2e and then to "."). Its default value is false, and with the default in place such requests are rejected with HTTP 404.11 (URL Double Escaped) before any handler sees them.
To override this behaviour (only if you genuinely need it, because double encoding is a classic way of smuggling path traversal sequences and other filtered characters past checks), set the attribute on the requestFiltering element under the security node:
<system.webServer> <security> <requestFiltering allowDoubleEscaping="true" /> </security> </system.webServer>
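For contrast with the override above, here is the hardened form of the same requestFiltering section together with the other IIS 7 request-filtering controls, added as an example that is not part of the original article. The limits, the verb list and the extra blocked extensions are assumptions for a typical ASP.NET site; the default applicationHost.config already blocks .config, .cs and similar source extensions and hides bin, App_Code and App_Data, so those are not repeated.

```xml
<!-- Added example, not from the original article. Site or application web.config. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowDoubleEscaping="false" is the default and the safe value. IIS decodes
           the URL once; with double escaping allowed, /%252e%252e/%252e%252e/web.config
           arrives as /%2e%2e/%2e%2e/web.config, and any filter or handler that decodes
           a second time sees /../../web.config. With the default, IIS answers 404.11
           before a handler runs. allowHighBitCharacters="false" likewise rejects
           non-ASCII bytes in the URL (assumption: this site serves ASCII paths only). -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">

        <!-- Size limits (bytes for content length, characters for URL and query). -->
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" />

        <!-- Only the verbs the application uses; everything else gets 404.6.
             This also blocks TRACE and, note, OPTIONS. -->
        <verbs allowUnlisted="false">
          <add verb="GET"  allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>

        <!-- Backup copies left behind in the web root should never be served. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak"  allowed="false" />
          <add fileExtension=".old"  allowed="false" />
          <add fileExtension=".orig" allowed="false" />
        </fileExtensions>

        <!-- A folder holding files that must never be requested directly
             (hypothetical name). Requests for it get 404.8. -->
        <hiddenSegments>
          <add segment="Private" />
        </hiddenSegments>

        <!-- Reject traversal sequences in the (once-decoded) URL with 404.5. -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Request filtering runs before any handler, including your own code, so it is the cheapest place to stop malformed requests; the price is that an over-tight list breaks legitimate traffic. If the site uses WebDAV, CORS preflight requests or non-ASCII URLs, add OPTIONS to the verb list or drop allowHighBitCharacters="false" accordingly, and check the failed-request tracing logs for 404.x substatus codes after deploying a new rule set.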
ASP.NET Debugger Extension for IIS 7
An MSDN member has written a useful debugger extension for IIS 7 that provides advanced debugging features for worker processes running managed code.
An excerpt from his blog:
"It basically does three things
- Find Debug Modules
This feature will help you scan your website content to spot modules that have been built in debug mode.
- Callstack Viewer
This feature will dump out the callstacks of all the threads in the process running managed code. It is basically a snapshot of all the managed threads in the worker process. This is helpful when you are troubleshooting worker process hangs / performance issues.
- Trace Process for Debug Events
This feature will help in tracing useful events in the worker process. For example it can display callstacks whenever an exception occurs in the process."
These features help .NET developers understand Microsoft's new web server in depth and make their work more efficient.
You can find out more about this extension from the link provided at the end of this article.