12 Securing web applications with ASP.NET Core Identity
This chapter covers
- How to use ASP.NET Core Identity for authentication and authorization
- How to use scaffolding to tweak the ASP.NET Core Identity UI
- How to configure password options such as minimum length and number of special characters
- How to restrict access to pages to certain users or roles
- How to implement two-factor authentication (2FA)
- How to allow users to log into an application with a third-party account
At the end of 2011, Microsoft released the MS11-100 security advisory (which basically means: number 100 in 2011, which is quite a lot actually). The title of the document, available at https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-100, sounds pretty dramatic: “Vulnerabilities in .NET Framework Could Allow Elevation of Privilege”. And indeed, dramatic it was. In early October of that year, security researchers found a security vulnerability in the built-in ASP.NET user management features. Basically, it was possible to log into an application as an arbitrary user.
The write-up by the security researchers (https://sec-consult.com/vulnerability-lab/advisory/microsoft-aspnet-forms-authentication-bypass-1/) is an interesting read. According to their description of events, six weeks after reporting the vulnerability they asked Microsoft for a status update; according to the case manager, a fix was expected for February or March, that is, four to six months after the issue was reported.