The SafeVault application is the final project for the "Security and Authentication" course. This course is one of twelve courses required for obtaining the "Microsoft Full-Stack Developer Professional Certificate".
SafeVault is a secure ASP.NET Core Razor Pages web application designed to manage sensitive data such as user credentials and financial records. The project was developed with the intention of addressing all OWASP Top 10 (2021) security risks, following industry best practices for secure coding, authentication, and authorization.
-
Input Validation:
Copilot was used to generate models and Razor Pages with strong input validation using DataAnnotations. For example, theUserandSecretmodels include[Required],[StringLength],[EmailAddress], and custom validation attributes to ensure all user input is sanitized and validated server-side. -
SQL Injection Prevention:
All database operations were implemented using Entity Framework Core with parameterized queries, as recommended by Copilot and the security instructions. No raw SQL or string concatenation is used, eliminating SQL injection risks.
-
Authentication:
Copilot assisted in configuring ASP.NET Core Identity and JWT authentication. Secure password hashing is enforced, and user secrets are used for storing sensitive keys. The authentication flow was generated to follow best practices, including secure cookie settings and token expiration. -
Role-Based Access Control (RBAC):
Copilot generated code for role assignment (Admin, User) and protected sensitive pages using[Authorize]attributes. The Admin dashboard and user-specific secrets pages are only accessible to authorized roles, ensuring proper access control.
-
Vulnerabilities Identified:
- SQL Injection: No vulnerabilities found due to strict use of EF Core parameterization.
- XSS: Potential risks in Razor views were mitigated by Copilot’s suggestions to avoid
@Html.Rawand ensure output encoding. - JWT Key Exposure: Addressed by storing keys in user secrets, not in source code.
-
Fixes Applied:
- Ensured all user input is validated and encoded.
- Verified all queries use EF Core parameterization.
- Updated configuration to use secure storage for secrets.
- Added security headers and HTTPS enforcement.
-
Copilot Assistance in Debugging:
Copilot provided code suggestions for secure error handling, logging, and guided the review of Razor views for XSS risks. It also helped resolve package version conflicts and guided the setup of user secrets.
-
Test Coverage:
Due to a known .NET 9.0 SDK issue with test framework resolution, formal NUnit/xUnit tests were not implemented. Instead, Copilot generated simple validation test classes and methods following the course reading style, usingConsole.WriteLinefor manual checks. These test methods demonstrate security validation logic and can be easily converted to formal tests once the SDK issue is resolved. -
Test Results and Analysis:
Manual and course-style security tests were created for input validation, SQL injection, authentication, authorization, and advanced security scenarios. While most core security logic tests passed, several advanced tests failed due to architectural limitations or out-of-scope features:- XSS Advanced Vectors: Tests for rich content XSS (e.g., event handlers, SVG, data URIs) failed because SafeVault does not support rich HTML or file uploads. Razor encoding provides basic XSS protection, but advanced sanitization (HtmlSanitizer) is not implemented since it is not required for current features.
- Path Traversal & XXE: Tests for file path traversal and XML external entity injection failed, but these features are not present in SafeVault. No file upload/download or XML processing is implemented, so these risks are not applicable.
- Stacked SQL Injection: One test for stacked queries failed, but this is mitigated by SQLite's architecture and EF Core parameterization. No vulnerability exists in the current setup, but caution is advised if migrating to another database.
- Encoding Attacks: Tests for UTF-7 and double URL encoding bypasses failed, but these are low risk with modern browsers and current application logic. No manual decoding is performed.
- Email Validation Edge Cases: Some tests failed due to
[EmailAddress]allowing technically valid but suspicious formats. Output encoding prevents exploitation, but stricter regex validation could be added if needed.
-
Risk Assessment:
All failed tests are either not applicable to the current application scope or are mitigated by SafeVault's architecture and encoding practices. No critical vulnerabilities were found. Recommendations for future enhancements include adding HTML sanitization and stricter validation if rich content or file features are introduced. -
Note:
All test classes are included in theTestsfolder within the main project. They compile successfully and demonstrate the security logic, but cannot be executed as automated tests until the .NET SDK issue is resolved. Advanced security tests are documented for future reference and risk management.
Related Documentation
- SafeVault Security Audit Report - a comprehensive analysis of SafeVault's security controls mapped to the OWASP Top 10 2021 web application security risks
- Security Features Implementation Report - a security features implementation guide
- SafeVault Final Test Results - a comprehensive summary of all security tests executed in SafeVault across three development phases
- Copilot was essential in generating secure code, implementing authentication and RBAC, identifying and fixing vulnerabilities, and creating comprehensive security tests.
- It provided step-by-step guidance, resolved technical challenges, and ensured all security best practices were followed throughout the project.
In summary:
SafeVault was developed using Copilot to ensure secure input validation, prevent SQL injection, implement robust authentication and authorization, and resolve security vulnerabilities. The application was intentionally designed to address all OWASP Top 10 (2021) security risks, providing comprehensive protection against the most critical web application threats. Copilot’s assistance was critical in generating secure code, debugging issues, and verifying security through manual test methods. All identified vulnerabilities were addressed, and the application meets the required security standards for submission.
- Input Validation:
- Strong validation using DataAnnotations and custom logic for all user input.
- SQL Injection Prevention:
- All database operations use Entity Framework Core parameterized queries; no raw SQL or string concatenation.
- Authentication & Authorization:
- ASP.NET Core Identity and JWT authentication.
- Secure password hashing and user secrets for sensitive key management.
- Role-based access control (RBAC) for user and admin features.
- Security Headers & HTTPS:
- Security headers and HTTPS enforcement for secure transport.
- Vulnerability Remediation:
- XSS risks mitigated by Razor encoding and secure output practices.
- JWT key exposure prevented by using user secrets.
- All identified vulnerabilities either remediated or documented as non-applicable to current features.
Due to a persistent .NET 9.0 SDK issue where test frameworks (NUnit/xUnit) are not resolved, formal automated tests could not be executed. Instead, SafeVault uses simple validation test classes with methods that demonstrate security logic, following the course's pragmatic approach:
- Console-Based Tests:
- Test classes use
Console.WriteLinefor manual checks (see example below). - Focus is on conceptual security testing and validation logic, not on test framework infrastructure.
- Test classes use
- Test Structure:
- All test classes are included in the
Testsfolder within the main project. - Structured for easy conversion to xUnit/NUnit when SDK issues are resolved.
- All test classes are included in the
public void TestXssInput()
{
string maliciousInput = "<script>alert('XSS');</script>";
bool isValid = IsValidXSSInput(maliciousInput);
Console.WriteLine(isValid ? "XSS Test Failed" : "XSS Test Passed");
}- .NET 9.0 SDK Test Framework Bug:
- Automated test frameworks (NUnit/xUnit) are not currently supported due to SDK compatibility issues.
- All test code compiles, but cannot be run as automated tests until the SDK is updated.
- Advanced Security Tests:
- Some advanced security scenarios (e.g., rich content XSS, file path traversal, XML external entity injection) are documented and analyzed, but are out-of-scope or not applicable to the current application architecture.
- Clone the repository.
- Ensure you have .NET 9.0 SDK installed.
- Run
dotnet buildto compile the project. - To review security logic, inspect the
Testsfolder and run test methods manually using a console program.
Models/- Data models with validationData/- Entity Framework Core context and migrationsPages/- Razor Pages for UI and logicServices/- Authentication and JWT servicesTests/- Console-based test classes for security validationDocs/- Documentation and security analysis
SafeVault was intentionally designed to address all OWASP Top 10 (2021) security risks. The application implements comprehensive controls for input validation, injection prevention, authentication, authorization, and secure configuration. All identified vulnerabilities have been remediated or documented as non-applicable to the current feature set.
This project is for educational purposes as part of the Microsoft Full-Stack Developer Professional Certificate.
For questions about this educational project, please refer to the course materials or contact the instructor at "Security and Authentication"