Security Considerations in ASP.NET Web Forms
- 8 minutes to read
This document describes how to avoid possible security risks when you deploy an ASP.NET Web Forms application that contains the Web Dashboard.
Data Connection Security
The Web Dashboard needs data connection parameters to get data from certain data sources or to display existing dashboards (for instance, created in the WinForms Designer or in code):
- Users can create data sources based on predefined data connections in the UI, or you can add predefined data sources in code. For example, DashboardSqlDataSource and DashboardOlapDataSource can require a user name and password.
- The Web Dashboard control automatically checks whether dashboards contain data connection parameters. If so, the dashboard will not be loaded and an error message will be displayed. In this case, remove all connection parameters from the dashboard definition and keep only a connection name.
To avoid data leaks, use one of the following techniques to pass connection parameters safely:
Create a data connection provider. For this, implement the IDataSourceWizardConnectionStringsProvider interface and pass the created provider to the ASPxDashboard.SetConnectionStringsProvider / DashboardConfigurator.SetConnectionStringsProvider method. See the following topic for details: Register Default Data Connections.
Add a connection string to the connectionStrings section in the Web.config file. Note that the Web Dashboard control does not expose connection strings from Web.config by default. Pass the ConfigFileConnectionStringsProvider instance as the ASPxDashboard.SetConnectionStringsProvider / DashboardConfigurator.SetConnectionStringsProvider method’s parameter to allow creating new data sources based on connection strings from the Web.config file.
A code snippet for ASP.NET Web Forms (if you use the
ASPxDashboardControl‘s API):using DevExpress.DataAccess.Web; // ... ASPxDashboard1.SetConnectionStringsProvider(new ConfigFileConnectionStringsProvider());A code snippet for ASP.NET Web Forms (if you use the
DashboardConfigurator‘s API):If the predefined data source is added in code, handle the ASPxDashboard.ConfigureDataConnection / DashboardConfigurator.ConfigureDataConnection event to specify connection parameters at runtime.
Note
If necessary, you can disable the connection parameter validation using the DashboardConfigurator.PassCredentials property. This property is introduced to prevent passing confidential information to the client side. If this property is enabled, the dashboard will be displayed regardless of whether it contains user credentials. However, we do not recommend you to use this approach in production for security reasons.
KB Article - How to protect parameters used to establish a connection to data
Database Security
Enable Custom SQL
The Data Source Wizard allows users to construct SQL queries only in the built-in Query Builder by default. Queries constructed in the Query Builder are guaranteed to be safe because they can contain only a SELECT statement.
Users cannot edit SQL queries in the Query Builder (the default setting). Refer to the following article for information on how to enable users to edit SQL Queries in the UI: Custom SQL Queries. Custom SQL queries are validated before their execution. Please make sure to apply a secure SQL validation that prevents harmful request execution.
We recommend that you utilize the access control functionality of your database management system to achieve the highest level of database security.
Restrict Access to Unauthorized Assemblies
You cannot load custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) (the default setting).
To permit a user to load a specific assembly, handle the DashboardConfigurator.CustomAssemblyLoading event. An unauthorized attempt to load a custom assembly will result in a CustomAssemblyLoadingProhibitedException.
Restrict Access to External Data Resources
The Dashboard Control gets data from resources stored on the disk or on the Internet. We recommend that you specify access settings for data resources (Excel, Extract, and JSON data sources).
Use the AccessSettings class to explicitly allow the path to the data file. To accomplish this, configure rules in the DataResources property to restrict file system access to the specified folders. You can call the SetRules(IAccessRule[]) method when the application starts to specify rules before a dashboard control sets its rules. The SetRules(IAccessRule[]) method can be called only once at the application startup. Otherwise, the method will raise an exception. Alternatively, you can use the TrySetRules(IAccessRule[]) method, which does not raise an exception.
Data Source Access Rights
These examples show how to configure the Dashboard control so that it loads data in a multi-user environment. You can identify a user in the current session and select which underlying data source is available for this user.
Working Mode Access Rights
The Web Dashboard can act as a designer or viewer. The following modes are available:
- Designer
- The Web Dashboard works as a designer and allows users to create, edit, and save dashboards. In this mode, the control loads the extensions required to design dashboards. Users can access the Data Source Wizard , preview underlying data, and modify dashboards from storage. The requests from the dashboard backend server can be sent to third-party resources. A user can also switch the control to
Viewermode. This is the default mode. - Viewer
- The Web Dashboard works as a viewer and displays dashboards to users. In this mode, the control also loads the extensions required to design dashboards. A user can switch the control to
Designermode. - ViewerOnly
- The Web Dashboard does not load the extensions required to design dashboards. Users cannot switch to
DesignerorViewermodes on the client. This mode affects only the Web Dashboard’s UI and does not affect server settings.
: The Web Dashboard does not load the extensions required to design dashboards. Users cannot switch to Designer or Viewer modes on the client.
Warning
The working mode does not influence the server settings. Initially, the server works at the ClientTrustLevel.Full trust level. Verify the trust level and specify which actions a client can initiate on the server.
Set the Restricted mode to protect dashboards stored on a server.
A list below describes the Web Dashboard’s specifics when it operates in the Restricted mode:
Only dashboards stored in dashboard storage can be processed on the client. The designer mode does not work.
Calling the IEditableDashboardStorage.AddDashboard and IDashboardStorage.SaveDashboard methods leads to an exception.
Information about data sources contained in a dashboard xml definition is not passed to the client when you request a dashboard xml file.
The available ways depend on the server-side API you use in your ASP.NET Web Forms application.
ASPxDashboardControl API
For Web Forms in default mode (ASPxDashboard control’s API is used), set working mode to ViewerOnly. This automatically sets the control to Restricted mode.
DashboardConfigurator API
For Web Forms that used DashboardConfigurator, Viewer and ViewerOnly modes do not influence the server. The server works as ClientTrustLevel.Full.
Use one of the following ways to prevent inadvertent or unauthorized modifications to dashboards stored on the server:
- Handle the DashboardConfigurator.VerifyClientTrustLevel event and set e.ClientTrustLevel to Restricted mode.
- Derive a custom dashboard controller from RestrictedDashboardController instead of
DashboardController.
Dashboard Access Rights
The Web Dashboard allows users to open, modify, and create new dashboards. If you want to specify different access rights for different users, do one of the following:
If you use another storage type, check the access rights when you handle the following events:
If you use custom dashboard storage (IDashboardStorage or IEditableDashboardStorage), add the verification in the implemented class.
Use Http Handlers
For the ASP.NET Web Forms Dashboard control to work correctly when the UseDashboardConfigurator property is set to true, register the ASPxHttpHandlerModule in the Web.config file as a module for resource processing and as a handler for data processing.
The ASPxHttpHandlerModule is automatically registered in this file in the following cases:
When you create an application with the Web Forms Dashboard control using DevExpress project templates.
When you have the Web Dashboard in ASP.NET Web Forms markup and switch to the Design tab in Visual Studio.
You can register a new ASPxHttpHandlerModule that should process requests with the DXDD.axd path as a handler in two sections:
- system.web/httpHandlers
- system.webServer/handlers for IIS7 and newer versions in integrated mode.
<system.web>
...
<httpHandlers>
...
<add type="DevExpress.Web.ASPxHttpHandlerModule, DevExpress.Web.v18.2, Version=18.2.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="DXDD.axd" validate="false" />
</httpHandlers>
</system.web>
<system.webServer>
...
<handlers>
...
<add type="DevExpress.Web.ASPxHttpHandlerModule, DevExpress.Web.v18.2, Version=18.2.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="DXDD.axd" name="WebDashboardHandler" preCondition="integratedMode" />
</handlers>
</system.webServer>
All users (including unauthorized) can get access to a dashboard control handler by default. You can limit the access by adding authorization to a dashboard control handler and deny access for all unauthorized users.
<system.web>
...
<authorization>
<deny verbs="DXDD.axd" users="?" />
</authorization>
</system.web>
Prevent Cross-Site Request Forgery (CSRF)
Cross-site request forgery (also known as XSRF or CSRF) is a type of malicious exploit of a website where unauthorized commands are submitted from a trusted user. To prevent cross-site request forgery (CSRF) attacks on your web application, use a custom dashboard controller and apply anti-forgery request validation. See the following examples for implementation details:
Cache Security
When Web Dashboard performs data-related operations in client data processing mode, data from a data source can be cached. The Web Dashboard control uses a single cache. The use of separate DashboardConfigurator instances does not create separated caches. Create a custom parameter to specify a different cache for different user roles:
DashboardConfigurator.Default.CustomParameters += (s, e) => {
e.Parameters.Add(new Parameter("UserRole", typeof(string), System.Web.Security.Roles.GetRolesForUser()));
};
See the following topic for more information: ASP.NET Web Forms Dashboard Control - Manage an In-Memory Data Cache.