Security Considerations
This document describes how to avoid possible security risks when deploying a web application containing the ASPxDashboard control or a corresponding MVC extension.
This document consists of the following sections.
- Data Connection Security
- Database Security
- Web Dashboard Working Modes
- Dashboard Access Rights
- XSS Security
- Cache Security
Data Connection Security
The Web Dashboard can use different data source types to supply dashboards with data. Certain data sources (such as DashboardSqlDataSource or DashboardOlapDataSource) require establishing a data connection using specific connection parameters. You can provide end-users with the capability to create data sources based on predefined data connections, or you can add the required predefined data sources in code. Use one of the following approaches to provide connection parameters:
- Create a provider of data connections by implementing the IDataSourceWizardConnectionStringsProvider interface and pass the created provider to the DashboardConfigurator.SetConnectionStringsProvider method. See Register Default Data Connections for details.
- Add the required connection string to the connectionStrings section in the Web.config file. Note that the Web Dashboard control does not expose connection strings from Web.config by default. Pass the ConfigFileConnectionStringsProvider instance as the ASPxDashboard.SetConnectionStringsProvider / DashboardConfigurator.SetConnectionStringsProvider method’s parameter to allow creating new data sources based on connection strings from the Web.config file.
A code snippet for Web Forms Dashboard:
using DevExpress.DataAccess.Web;
// ...
// Expose only the connection strings from Web.config; the provider never sends them to the client.
ASPxDashboard1.SetConnectionStringsProvider(new ConfigFileConnectionStringsProvider());
A code snippet for MVC Dashboard:
- If the predefined data source is added in code, handle the ASPxDashboard.ConfigureDataConnection / DashboardConfigurator.ConfigureDataConnection event to provide the required connection parameters.
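The following is an added example (not code from the DevExpress documentation) that combines the first and third approaches: a connection provider that exposes only connection names to the wizard while reading server, database and credentials from server-side configuration, and a ConfigureDataConnection handler for data sources created in code. The class name ServerSideConnectionProvider, the connection name "SalesDb" and the appSettings keys are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using DevExpress.DashboardWeb;
using DevExpress.DataAccess.ConnectionParameters;
using DevExpress.DataAccess.Web;

// Hypothetical provider: the client only ever sees connection names and descriptions;
// the parameters (server, database, credentials) are resolved on the server.
public class ServerSideConnectionProvider : IDataSourceWizardConnectionStringsProvider {
    // Constructed allowlist of the connections the Data Source Wizard may offer.
    static readonly Dictionary<string, string> descriptions = new Dictionary<string, string> {
        { "SalesDb", "Sales database (read-only account)" }
    };

    public Dictionary<string, string> GetConnectionDescriptions() {
        return new Dictionary<string, string>(descriptions);
    }

    public DataConnectionParametersBase GetDataConnectionParameters(string name) {
        // Unknown names are refused; nothing is guessed from client-supplied input.
        if (!descriptions.ContainsKey(name))
            throw new InvalidOperationException("Connection '" + name + "' is not registered.");
        // Assumed layout: appSettings keys "SalesDb.Server", "SalesDb.Database", "SalesDb.User",
        // "SalesDb.Password" (a secret store would be the usual place for the password).
        return new MsSqlConnectionParameters(
            ConfigurationManager.AppSettings[name + ".Server"],
            ConfigurationManager.AppSettings[name + ".Database"],
            ConfigurationManager.AppSettings[name + ".User"],
            ConfigurationManager.AppSettings[name + ".Password"],
            MsSqlAuthorizationType.SqlServer);
    }
}

public static class ConnectionSecurityConfig {
    // Call once at application start (Global.asax Application_Start or Startup).
    public static void Register() {
        var provider = new ServerSideConnectionProvider();
        DashboardConfigurator.Default.SetConnectionStringsProvider(provider);

        // Dashboards added in code or loaded from storage carry only a connection name.
        // Supplying the parameters here keeps credentials out of the dashboard XML.
        DashboardConfigurator.Default.ConfigureDataConnection += (s, e) => {
            if (e.ConnectionName == "SalesDb")
                e.ConnectionParameters = provider.GetDataConnectionParameters(e.ConnectionName);
        };
    }
}
```

Because GetDataConnectionParameters is the single place where parameters are produced, both the wizard and code-created data sources share one allowlist, and a dashboard definition that names an unregistered connection fails on the server instead of silently falling back to embedded credentials.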
Load an Existing Dashboard
You can use the Web Dashboard to display existing dashboards (created, for instance, in the WinForms Designer or in code). The Web Dashboard control automatically checks whether such dashboards contain data connection parameters. If so, the dashboard will not be loaded and an error message will be displayed. In this case, remove all connection parameters from the dashboard definition and keep only a connection name. Then, provide connection parameters using the approaches described above.
Note
If necessary, you can disable the connection parameter validation using the DashboardConfigurator.PassCredentials property. This property exists to prevent confidential information from being passed to the client side. If it is enabled, the dashboard will be displayed regardless of whether it contains user credentials. However, we do not recommend using this approach in production for security reasons.
KB Article - How to protect parameters used to establish a connection to data
Database Security
Enable Custom SQL
By default, the Data Source Wizard allows only visual construction of SQL queries using the built-in Query Builder. Queries constructed using the Query Builder can only contain a SELECT statement and are guaranteed to be safe.
Manual editing of SQL queries is considered unsafe and is disabled by default in the Web Dashboard’s UI. You can enable SQL editing at your own risk using the approach described in the following document: Custom SQL Queries
Important
Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe, as it does not prevent execution of potentially harmful requests. Before enabling this option, please make sure to apply a secure SQL validation that prevents execution of harmful requests.
It is also recommended that you utilize the access control functionality of your database management system to achieve the highest level of database security.
Restrict Access to Unauthorized Assemblies
Loading of custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) is forbidden by default.
To permit loading a specific assembly, handle the DashboardConfigurator.CustomAssemblyLoading event. An unauthorized attempt to load a custom assembly will result in a CustomAssemblyLoadingProhibitedException.
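As an added example (not code from the DevExpress documentation), the handlers below tighten both settings discussed in this section: a ValidateCustomSqlQuery handler that rejects anything but a single, comment-free SELECT over an allowlisted set of tables, and a CustomAssemblyLoading handler that permits only a named assembly. The table and assembly names are constructed; the shape of the event arguments (e.CustomSqlQuery.Sql, e.Valid, e.AssemblyName.Name, e.Allow) is assumed from the DevExpress.DashboardWeb API, and the SQL check is a conservative heuristic rather than a parser, so it must be paired with a read-only database account as the text recommends.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using DevExpress.DashboardWeb;

public static class DatabaseHardening {
    // Constructed allowlist: the only tables custom SQL may reference.
    static readonly string[] allowedTables = { "dbo.SalesSummary", "dbo.Regions" };
    // Constructed allowlist of assemblies an Entity Framework data source may load.
    static readonly string[] allowedAssemblies = { "Contoso.Sales.Model" };

    public static void Register(DashboardConfigurator configurator) {
        configurator.ValidateCustomSqlQuery += (s, e) => {
            // Replace the default SELECT-only check with the stricter one below.
            e.Valid = IsQuerySafe(e.CustomSqlQuery.Sql);
        };
        configurator.CustomAssemblyLoading += (s, e) => {
            // Assemblies not on the allowlist keep the default (prohibited) behaviour,
            // so the control raises CustomAssemblyLoadingProhibitedException for them.
            if (allowedAssemblies.Contains(e.AssemblyName.Name, StringComparer.OrdinalIgnoreCase))
                e.Allow = true;
        };
    }

    // Heuristic check: one statement, starts with SELECT, no batches, comments,
    // SELECT INTO, procedure calls or linked-server functions, and every FROM/JOIN
    // target on the allowlist. A read-only DB account remains the real backstop.
    public static bool IsQuerySafe(string sql) {
        if (string.IsNullOrWhiteSpace(sql)) return false;
        string q = sql.Trim();
        if (q.Contains(";") || q.Contains("--") || q.Contains("/*")) return false;
        if (!Regex.IsMatch(q, @"^SELECT\b", RegexOptions.IgnoreCase)) return false;
        if (Regex.IsMatch(q, @"\b(INTO|EXEC|EXECUTE|OPENROWSET|OPENQUERY|xp_|sp_)",
                          RegexOptions.IgnoreCase)) return false;
        foreach (Match m in Regex.Matches(q, @"\b(?:FROM|JOIN)\s+([\w\.\[\]]+)",
                                          RegexOptions.IgnoreCase)) {
            string table = m.Groups[1].Value.Replace("[", "").Replace("]", "");
            if (!allowedTables.Contains(table, StringComparer.OrdinalIgnoreCase)) return false;
        }
        return true;
    }
}
```

With this in place, "SELECT Region, Total FROM dbo.SalesSummary" is accepted, while a query over a table outside the allowlist, a query containing a second statement after a semicolon, or a SELECT INTO is reported as invalid before it reaches the database.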
Web Dashboard Working Modes
The Web Dashboard can act as the Designer or Viewer and supports the following working modes:
Mode | Description |
---|---|
Designer | The Web Dashboard acts as a Dashboard Designer and allows end-users to create, edit and save dashboards. Note that in this case, you can switch to the Viewer mode on the client side. |
Viewer | The Web Dashboard acts as a Dashboard Viewer and allows you to display dashboards to end-users. Note that in this case, you can switch to the Designer mode on the client side. |
ViewerOnly | The Web Dashboard acts as a Dashboard Viewer without the capability to switch to the Designer mode on the client side. In this mode, the Web Dashboard does not load the extensions required for designing dashboards. |
Note that in the WorkingMode.Viewer mode, dashboards from a storage can be modified from the client side using an API. Moreover, a client-side API allows you to switch from the WorkingMode.Viewer to the WorkingMode.Designer mode. To protect dashboards stored on a server, do one of the following:
- For Web Forms in standard mode (DashboardConfigurator is not used), set the working mode to the WorkingMode.ViewerOnly. In this mode, the Web Dashboard works as a pure viewer application and does not allow changing dashboards stored on a server.
- For MVC, ASP.NET Core, and Web Forms applications that use DashboardConfigurator, the ViewerOnly and Viewer modes do not affect the server side, and the server works as ClientTrustLevel.Full. If the working mode is set to WorkingMode.Viewer / WorkingMode.ViewerOnly and you use the DashboardConfigurator‘s server-side API, handle the DashboardConfigurator.VerifyClientTrustLevel event to set the trust level, which determines which actions a client can initiate on the server side.
The list below describes the Web Dashboard’s specifics when it operates in the ClientTrustLevel.Restricted mode:
- Only dashboards stored in a dashboard storage can be processed on the client. The Designer mode does not work.
- Calling the IEditableDashboardStorage.AddDashboard and IDashboardStorage.SaveDashboard methods leads to an exception.
- Information about data sources contained in a dashboard XML definition is not passed to the client when you request a dashboard XML file.
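The following added example (not code from the DevExpress documentation) shows a VerifyClientTrustLevel handler that grants ClientTrustLevel.Full only to authenticated members of a designer role and restricts every other client; the role name "DashboardDesigners" is constructed for the example. The decision is made from the server-side principal, so a client that uses the client-side API to switch itself into Designer mode still cannot add or save dashboards.

```csharp
using System.Security.Principal;
using System.Web;
using DevExpress.DashboardWeb;

public static class TrustLevelPolicy {
    // Constructed role name; adapt to the membership/roles configuration in use.
    const string DesignerRole = "DashboardDesigners";

    public static void Register(DashboardConfigurator configurator) {
        configurator.VerifyClientTrustLevel += (s, e) => {
            // HttpContext.Current.User is the principal established by ASP.NET authentication.
            e.ClientTrustLevel = ResolveTrustLevel(HttpContext.Current == null ? null : HttpContext.Current.User);
        };
    }

    // Full trust is the default, so the policy only ever lowers it. Unauthenticated
    // users and users outside the designer role get Restricted: stored dashboards are
    // viewable, but AddDashboard/SaveDashboard throw and data source details stay on the server.
    public static ClientTrustLevel ResolveTrustLevel(IPrincipal user) {
        if (user != null && user.Identity.IsAuthenticated && user.IsInRole(DesignerRole))
            return ClientTrustLevel.Full;
        return ClientTrustLevel.Restricted;
    }
}
```

Call TrustLevelPolicy.Register(DashboardConfigurator.Default) at application start. Keeping the role check in ResolveTrustLevel, separate from the event wiring, lets you unit-test the policy with a constructed GenericPrincipal without spinning up an HTTP context.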
Dashboard Access Rights
The Web Dashboard allows end-users to open, modify and create new dashboards. If you want to specify different access rights for different users, do one of the following:
- If you are using a custom dashboard storage (IDashboardStorage or IEditableDashboardStorage), perform the required verification in the implemented class.
- If you are using another storage type, check the access rights when handling the following events:
See also: How to save dashboards created by end-users to a DataSet
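As an added example (not code from the DevExpress documentation) of the first option above, the custom storage below implements IEditableDashboardStorage and performs the access check inside the storage itself: any authenticated user may list and load dashboards, but only members of a designer role may save or add them. The in-memory dictionary, the role name "DashboardDesigners" and the exception messages are constructed for the example; a real storage would persist to a database or file system in the same methods.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Web;
using System.Xml.Linq;
using DevExpress.DashboardWeb;

// Constructed in-memory storage whose every method enforces per-user rights.
public class RoleCheckedDashboardStorage : IEditableDashboardStorage {
    const string DesignerRole = "DashboardDesigners";   // constructed role name
    readonly object sync = new object();
    readonly Dictionary<string, XDocument> dashboards = new Dictionary<string, XDocument>();
    readonly Dictionary<string, string> names = new Dictionary<string, string>();

    static void RequireRead() {
        var user = HttpContext.Current == null ? null : HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Sign in to access dashboards.");
    }

    static void RequireWrite() {
        RequireRead();
        if (!HttpContext.Current.User.IsInRole(DesignerRole))
            throw new SecurityException("Only members of the designer role may modify dashboards.");
    }

    public IEnumerable<DashboardInfo> GetAvailableDashboardsInfo() {
        RequireRead();
        lock (sync)
            return names.Select(p => new DashboardInfo { ID = p.Key, Name = p.Value }).ToList();
    }

    public XDocument LoadDashboard(string dashboardID) {
        RequireRead();
        lock (sync) {
            XDocument doc;
            if (!dashboards.TryGetValue(dashboardID, out doc))
                throw new ArgumentException("Unknown dashboard: " + dashboardID);
            return doc;
        }
    }

    public void SaveDashboard(string dashboardID, XDocument dashboard) {
        RequireWrite();
        lock (sync) {
            if (!dashboards.ContainsKey(dashboardID))
                throw new ArgumentException("Unknown dashboard: " + dashboardID);
            dashboards[dashboardID] = dashboard;
        }
    }

    public string AddDashboard(XDocument dashboard, string dashboardName) {
        RequireWrite();
        string id = Guid.NewGuid().ToString("N");   // server-generated id, not client-chosen
        lock (sync) {
            dashboards[id] = dashboard;
            names[id] = dashboardName;
        }
        return id;
    }
}
```

Register it with DashboardConfigurator.Default.SetDashboardStorage(new RoleCheckedDashboardStorage()). Because the check lives in the storage rather than in the UI, it applies equally to requests made through the Designer, through the client-side API, or directly against the DXDD.axd handler.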
Use Http Handlers
For the DevExpress Web Forms Dashboard control to work correctly when the UseDashboardConfigurator property is set to true, the ASPxHttpHandlerModule should be registered in the Web.config file as a module for resource processing and as a handler for data processing.
The ASPxHttpHandlerModule is automatically registered in this file in the following cases:
- When you create an application with the Web Forms Dashboard control using DevExpress project templates.
- When you have the Web Dashboard in ASP.NET Web Forms markup and switch to the Design tab in Visual Studio.
You can register a new ASPxHttpHandlerModule that should process requests with the DXDD.axd path as a handler in two sections:
- system.web/httpHandlers
- system.webServer/handlers for IIS7 and newer versions in integrated mode.
<system.web>
  ...
  <httpHandlers>
    ...
    <add type="DevExpress.Web.ASPxHttpHandlerModule, DevExpress.Web.v18.2, Version=18.2.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="DXDD.axd" validate="false" />
  </httpHandlers>
</system.web>
<system.webServer>
  ...
  <handlers>
    ...
    <add type="DevExpress.Web.ASPxHttpHandlerModule, DevExpress.Web.v18.2, Version=18.2.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="DXDD.axd" name="WebDashboardHandler" preCondition="integratedMode" />
  </handlers>
</system.webServer>
By default, all users (including anonymous, unauthenticated users) can access the dashboard control handler. You can limit access by adding an authorization rule for the handler path that denies all unauthenticated users (`users="?"` matches anonymous users).
<location path="DXDD.axd">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
XSS Security
To prevent HTML-injection, which is one of the most common types of XSS attack, make sure that the ASPxWebControl.EncodeHtml property is enabled for the ASPxDashboard control. If you are using the ASP.NET MVC Dashboard extension, check the SettingsBase.EncodeHtml flag for the DashboardExtensionSettings object.
Cache Security
When the Web Dashboard performs data-related operations in client data processing mode, data from a data source can be cached. Create a custom parameter to specify a different cache for different user roles, so that one user cannot receive data cached for a user with different rights.
DashboardConfigurator.Default.CustomParameters += (s, e) => {
    // The parameter is declared as typeof(string), so join the string[] that GetRolesForUser()
    // returns; sorting keeps the value identical for the same set of roles.
    string[] roles = System.Web.Security.Roles.GetRolesForUser();
    System.Array.Sort(roles);
    e.Parameters.Add(new Parameter("UserRole", typeof(string), string.Join(",", roles)));
};