1 / 67

.NET Security

.NET Security. By R.S. Security . What is Security ? Security in general means freedom from risk and Danger. So What does Security in Software field means?

anevay
Download Presentation

.NET Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. .NET Security By R.S

  2. Security What is Security ? Security in general means freedom from risk and Danger. So What does Security in Software field means? Software security is the effort to create a secure computing platform, designed so that agents (users or programs) can only perform actions that have been allowed . Simply put, protecting hardware and software from being misused or corrupted . As a software engineer/programmer what should I know about software security ? Risks

  3. Risks ? When Software Security is breached, what risks do I have and what is the importance of identifying these risks? Risks may vary depending on • Whether I am user working on my personal computer/laptop or I am a company employee working on my company computer. • What permissions do I have on the machine that I am working on (Admin, power user, normal user, domain user etc) • In case 1, I am risking my home computer’s integrity , my personal information, etc • Case 2, as a company Employee , I am risking everything , including my Job …… Importance : Prevent loss and misery of any kind.

  4. Software Security Breach and Nightmares in an organization • Irrespective of what an organization’s business is, security breach could potentially cause a lot of loss to the organization starting from customers to $$$. • Think about somebody hacking into an online bank where you have saved all your money and getting hold of your account. • Now the bank has to go through a lot trying to comfort its other customers who wants to end their business with them , bare the $$ loss , fire people that didn’t do their job right in providing security ,fix loop holes in the system to make it more secured etc ….

  5. What to Do ? • Alright, Software security breach doesn’t sounds good. So we decided to enforce security . • The Question is WHERE and HOW ? • Security is not a single entity , rather is a connection of several entities , like a Chain. • Remember , The strength of a Chain depends on its weakest link…. • Simple Example : A house with multiple doors. • Securing all the doors and windows is not sufficient .

  6. How much should I secure? • Securing every inch of your house of course provides closer to 100% security. • It also increases the cost of living, maintenance , stress etc. Answer is : Think if its really worth providing so much of security . Don’t have to spend $50 a month to protect your 3 month old tooth brush.

  7. Where to Start ? • Most likely from the weakest link…… • Securing an organization involves securing its networks, different applications that it uses/creates , securing the servers , databases , securing the development machines etc including securing the premise of the organization itself . • Identify and make a list of areas that easily opens the door for a malicious user . • Prioritize the list • Delegate the tasks to the individual groups responsible • Team Work ?

  8. Where do we come into play ? • Where does the software programmers role begins ? • What do we have to offer to our organization? • What are our tools ?

  9. Contd. • Our role as software engineers begins from understanding the organizations operations. • Once we know that , we have a solid ground to stand on to make suggestions on what the company needs to do to ensure security. • The suggestions could be modifying an existing application’s modules to increase security or redesigning the entire application to cope up with the current security trends. • Don’t be afraid to express yourself, you are only trying to help the company. • Always have proofs to support your claims . In other words , Don’t try to redesign the application to ensure your job security instead of the company security. • Be a Good team player. Understand your team mates and their approaches. This has a lot to do with being more efficient programmers and building trust among the team members. • If you don’t trust your team , how can you expect the company to trust you and how can you expect the end users to trust the application created by your team ????

  10. Teams Role • A software team should identify existing problems and loop holes within an existing system. • Recommend solutions for those problems. • Should undertake software projects approved by the organization • Should have a solid strategy for developing and implementing the project. • Must have knowledge of the developing trends of the platform they use. • Must have knowledge of the current security threats. • Must have the knowledge about available tools ,no matter ,whether the tool is a software/Graphics design tool to aid them in implementing their project or a security tool that will help them to secure their project. • The team must have a solid understanding of the environment where the application will be deployed. Last but not least , a software team must know what they are trying to accomplish through their project.

  11. Preparing Yourself • Learn about different kinds of threats , old or new . • Find out how those threats are put to sleep. • Learn about the software updates, what’s new in it , how it solves an existing problem/vulnerability. • Understand your platform , its pros and cons , its vulnerability in particular if any. Example : Do you know of any disadvantages of programming in C++ or C#?? C++ - Pointers C# - Ability to regenerate the entire source code from the exe file using reflection.

  12. .NET and Security • There are many technologies used to build .NET applications. To build effective application-level authentication and authorization strategies, you need to understand how to fine-tune the various security features within each product and technology area, and how to make them work together to provide an effective, defense-in-depth security strategy. • Know the available .NET tools first then learn what those tools can do for you .

  13. Contd.. • What are the typical deployment patterns adopted by .NET Web applications? • What security features are provided by the various technologies that I use to build .NET Web applications? • What gatekeepers should I be aware of and how do I use them to provide a defense-in-depth security strategy?

  14. The Design Phase • Though the requirement phase comes first, the actual role of the software programmers begins (except in special conditions) from the design phase. • With the requirements at hand , the design phase can begin . • This is when you can design your project flow, identify different objects required , their importance, functionalities , properties etc • This is also where you can identify different areas where your projects needs to be secured, possible loop holes etc… • But this is just the beginning …….

  15. Contd.. • Once after identifying required objects and areas that needs to be secured , you are ready to prepare a game plan that would help you secure your project. • What is the game plan ? • Do some research and find out if there are any current security threats that your application may fall a victim for. • Find out if there are any available solutions, updates for your hosting platform that would help you take care of the threat from the operating system level. • Make sure to have all the latest updates on your development machines. • Next , Analyze the Security tools that .NET offers.

  16. Contd.. • After analyzing the available tools carefully and in depth, pick the ones that you think will help you improve the security of your application. • Since you already know where to secure your application, this shouldn’t be a tough task. • Please keep in mind that you don’t want to do too much of anything. Just what is required to ensure security .

  17. 3 Most Important areas to Secure • As a software engineers , we should worry about the following three areas . • The Code which includes your code/class design , design documents , source control etc • The Databases used by the code (application) • The communication layer in a distributed application environment (Why ??)

  18. Creating Secured Code • Assume the architectural design is completed and presented to the programmers. This means you already know where to secure and what to secure. • Concentrate on creating secured code based on the design using the tools provided by .NET.

  19. Restrict Class and Member visibility • Restrict access to the members and methods of a class( or object). • Private, protected , internal etc • Sealed classes are safer • Seal virtual methods in derived classes which also improves performance through in lining.

  20. Sealed class Example • A Sealed Class .. public sealed class FileModifierClass { public FileModifierClass() { } } This class cannot be inherited…

  21. Sealed Method example • Only methods in derived classes can be sealed. public class ParentFileModifierClass { public FileModifierClass() { } public virtual void Modify() { } } public sealed class FileModifierClass { public FileModifierClass() { } sealed override public void Modify() { } } Classes inheriting FileModifierClass will not be able to override the Modify method.

  22. Use properties to expose fields • Using properties facilitates validating a value to be set to a field . • Permission can also be demanded for these fields. • Use Read/Write and read-Only properties to access fields. • Private fields are enforced during compile time. Code running in fully trusted environment can bypass this property using reflection and unmanaged pointers.

  23. Do Not Trust user inputs • Do not trust user input . Never!!!!! • Validate for type , length format and range • Use Regular Expressions to validate user inputs • Avoid un trusted input for file names and file paths. • If you accept file names, validate them. • Use absolute file paths where you can. • Consider constraining file I/O within your application's context.

  24. Contd…. • Use GetfullPath on a windows application. • GetFullPath performs the following checks: • It checks that the file name does not contain any invalid characters, as defined by Path.InvalidPathChars. • It checks that the file name represents a file and not another device type, such as a physical drive, a named pipe, a mail slot, or a DOS device such as LPT1, COM1, AUX, and other devices. • It checks that the combined path and file name is not too long. • It removes redundant characters such as trailing dots. • It rejects file names that use the //?/ format. • Use Request.MapPath on a server. • Note :The MapPath property potentially contains sensitive information about the hosting environment. The return value should not be displayed to users.

  25. Contd.. • Validate Input from All Sources Like QueryString, Cookies, and HTML Controls • These validation can help prevent injection attacks. • Prefer server side validation to client side validation. If required, combine the client side validation with the server side validation. • Prevent using user input for file names and path inputs.

  26. Injection Attacks • Injection attacks are attacks initiated by a user using malicious input which was not validated by the application in context. • These attacks can vary from injecting such malicious inputs into applications to change their behavior or into a database to corrupt or read sensitive data.

  27. Most common Injection Attacks • SQL injection. If you generate dynamic SQL queries based on user input, an attacker could inject malicious SQL commands that can be executed by the database. • Cross-site scripting. Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. This code is subsequently sent to an unsuspecting user's computer and executed on the browser. Because the browser downloads the script code from a trusted site, the browser has no way of determining whether the code is legitimate. • Unauthorized file access. If your code accepts input from a caller, a malicious user could potentially manipulate your code's file operations, such as accessing a file they should not access or exploiting your code by injecting bad data.

  28. Preventing Injection Attacks in ASP.NET • Simple Rule : Accept good input, reject bad input • If your application accepts user inputs, assume that ,every input is invalid and malicious and validate them n the server side. • Define valid input for every field. This means that, define the range, format length and type of the input. • Verify the input against the list of acceptable characters • HTML encode the html outputs before displaying

  29. Contd.. • Follow these steps to validate user input. • Constrain: Check for type, length , range and format . Use Asp.NET Validator on server controls. For other resources, use regular expressions. • Reject: Reject any data that failed validation • Sanitize: Change potentially malicious input to good input . Example : Allow few HTML tags ( <b> , <i>, etc) and eliminate other HTML tags. • How and where to enable request validation ? • In Machine.Config and Web.Config as follows • <pages validateRequest="true" ... /> • Confirm that you have not disabled request validation by overriding the default settings in your server's Machine.config file or your application's Web.config file.

  30. ASP.NET Validators • Text Fields :RegularExpressionValidator <form id="WebForm" method="post" runat="server"> <asp:TextBox id="txtName" runat="server"></asp:TextBox> <asp:RegularExpressionValidator id="nameRegex" runat="server" ControlToValidate="txtName" ValidationExpression="^[a-zA-Z'.\s]{1,40}$" ErrorMessage="Invalid name"> </asp:regularexpressionvalidator> </form> Regex Class : // Instance method: Regex reg = newRegex(@"^[a-zA-Z'.\s]{1,40}$"); Response.Write(reg.IsMatch(txtName.Text)); // Static method: if (!Regex.IsMatch(txtName.Text,@"^[a-zA-Z'.\s]{1,40}$")) { // Name does not match expression }

  31. Contd.. • Numeric Fields : Range Validator <asp:RangeValidator ID="RangeValidator1" Runat="server" ErrorMessage="Invalid range. Number must be between 0 and 255." ControlToValidate="rangeInput" MaximumValue="255" MinimumValue="0" Type="Integer" /> Test in your Code for range as follows (only in Framework 2.0) Int32 i; if (Int32.TryParse(txtInput.Text, out i) == false) { // Conversion failed } (Older versions of Framework , use Int32.TryParse or Convert.ToInt32 inside a try catch bolck. Catch any formatexception inside the catch block and throw an exception to the user.)

  32. CustomValidator <%@ Page Language="C#" %> <script runat="server"> void ValidateDateInFuture(object source, ServerValidateEventArgs args) { DateTime dt; // Check for valid date and that the date is in the future if ((DateTime.TryParse(args.Value, out dt) == false) || (dt <= DateTime.Today)) { args.IsValid = false; } } </script> <html> <body> <form id="form1" runat="server"> <div> <asp:Label ID="Label1" Runat="server" Text="Future Date:"></asp:Label> <asp:TextBox ID="futureDatetxt" Runat="server"></asp:TextBox> <asp:CustomValidator ID="CustomValidator1" Runat="server" ErrorMessage="Invalid date. Enter a date in the future." ControlToValidate="futureDatetxt" OnServerValidate="ValidateDateInFuture"> </asp:CustomValidator> <br /> <asp:Button ID="submitBtn" Runat="server" Text="Submit" /> </div> </form> </body> </html>

  33. Html Encode void submitBtn_Click(object sender, EventArgs e) { // Encode the string input StringBuilder sb = new StringBuilder( HttpUtility.HtmlEncode(htmlInputTxt.Text)); // Selectively allow and <i> sb.Replace("&lt;b&gt;", "<b>"); sb.Replace("&lt;/b&gt;", ""); sb.Replace("&lt;i&gt;", "<i>"); sb.Replace("&lt;/i&gt;", ""); Response.Write(sb.ToString()); }

  34. Query String Validation void Page_Load(object sender, EventArgs e) { if (!System.Text.RegularExpressions.Regex.IsMatch( Request.QueryString["Name"], @"^[a-zA-Z'.\s]{1,40}$")) Response.Write("Invalid name parameter"); else Response.Write("Name is " + Request.QueryString["Name"]); }

  35. Request.MapPath • Use the Overloaded Request.MapPath method to read file paths. Try { string mappedPath = Request.MapPath( inputPath.Text, Request.ApplicationPath, false); } catch (HttpException ex) { // Cross-application mapping attempted } The false parameter will prevent the user from using file paths that contains “..” to traverse outside your app directory. For server controls, use the Control.MapPathSecure method to retrieve the physical path . Control.MapPathSecure uses code access security and throws an HttpException if the server control does not have permissions to read the resulting mapped file. NOTE : An Applications trust level can be set to medium by an administrator if he/she wants to restrict its File I/O to its own virtual directory. <trust level=“medium”/> (Web.Config or machine.Config)

  36. Validating Urls • Use Regular expressions.. ^(?:http|https|ftp)://[a-zA-Z0-9\.\-]+(?:\:\d{1,5})?(?:[A-Za-z0-9\.\;\:\@\&\=\+\$\,\?/]|%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})*$ Use HttpUtility.HtmlEncode and HttpUtility.UrlEncode( urlString ) to putput html output and URL output respectively; Note : Get yourself familiar with Regular expressions if you are planning to specialize in security oriented programming .

  37. SQL Injection • "SQL Injection" is subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises . • Is it that bad ??? • Of course . If you loose the integrity of your database, you loose everything. • If the database gets corrupted, I can guarantee that 100% of the users will be affected . This statement is not true when it comes to a corrupted client side script .

  38. SQL Injection Example • SQL injection is caused mainly by inputs that are not sanitized . Consider the following Query, “Select * from Users where Username =‘”+username.Text+”’ and Password=‘”+password.Text+”’”; What is wrong with this query and how can I inject code into this SQL statement ? Nothing wrong , untill I enter the following values for Username.Text and Password.Text, Username.Text= something’ or ‘1’=‘1’;-- Password.Text=password “Select * from Users where Username =‘”+username.Text+”’ and Password=‘”+password.Text+”’” The code generated on the fly will now look like Select * from Users where Username=‘something’ or ‘1’=‘1’;--and Password=‘password’; This condition in the statement will always result in true returning all the rows from the users table. If the inputs in the Username and password field are validated and sanitized this injection could have been prevented.

  39. Contd… • We can also inject a complete SQL statement in the fields to drop tables, insert records into the tables etc. • You can guess the table names, fields, passwords etc or any other valuable information. • Using Stored procedures necessarily don’t provide protection against SQL Injection.

  40. Data Access Tips • Do not hard code connection strings. • Consider encrypting connection strings. • Do not generate dynamic SQL queries • To help prevent SQL injection, you should validate input and use parameterized stored procedures for data access. The use of parameters (for example, SqlParameterCollection) ensures that input values are checked for type and length and values outside the range throw an exception. Parameters are also treated as safe literal values and not as executable code within the database. • Avoid stored procedures that accept a single parameter as an executable query. Instead, pass query parameters only. • Use structured exception handling to catch errors that occur during database access, and prevent them from being returned to the client. A detailed error message may reveal valuable information such as the connection string, SQL server name, or table and database naming conventions. Attackers can use this information to construct more precise attacks. • As an additional precaution, use a least privileged account to access the database, so that even if your application is compromised, the impact will be reduced.

  41. SQLParameterCollection sample using System.Data; using System.Data.SqlClient; using (SqlConnection connection = new SqlConnection(connectionString)) { DataSet userDataset = new DataSet(); SqlDataAdapter myAdapter = new SqlDataAdapter( "LoginStoredProcedure", connection); myAdapter.SelectCommand.CommandType = CommandType.StoredProcedure; myAdapter.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11); myAdapter.SelectCommand.Parameters["@au_id"].Value = SSN.Text; myAdapter.Fill(userDataset); }

  42. SQlParameters with Dynamic SQL using System.Data; using System.Data.SqlClient; using (SqlConnection connection = new SqlConnection(connectionString)) { DataSet userDataset = new DataSet(); SqlDataAdapter myDataAdapter = new SqlDataAdapter( "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", connection); myDataAdapter.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11); myDataAdapter.SelectCommand.Parameters["@au_id"].Value = SSN.Text; myDataAdapter.Fill(userDataset); }

  43. Exceptions • Please keep in mind not to give any valuable information when you throw exceptions to the user . Prefer giving a generic error rather than returning the exception stack which would actually let the malicious user guess more about your database. • Example: In this specific scenario , if submitting the form with the injected code return a server error , it Indicates your query is malformed. But this gives away the truth that you are constructing your query on the fly which would encourage a malicious user to keep on trying with his attacks until he finds something useful.

  44. Authentication • Forms Authentication : Cookie based authentication system where username and password are stored in XML/Text file or in the database. • Passport authentication : Single Authentication point through Microsoft. • Windows Authentication: Authentication mode that uses local/domain windows users . Web.Config file is used to tells the web application which mode of authentication should be used.

  45. Forms Authentication • Prefer Membership providers over custom authentication. • Communication through SSL should be preferred while using Forms authentication. • Use strong passwords. • Encrypt username passwords in the user store. • Do not persist cookies

  46. Membership Providers • ActiveDirectoryMembershipProvider • SqlMembershipProvider

  47. ActiveDirectoryMembershipProvider • ActiveDirectoryMembershipProvider: Uses Microsoft Active Directory directory service to maintain user information .Used in Intranet applications. To use this provider , first, configure the forms authentication using the web.config as follows. <authentication mode="Forms"> <forms loginUrl="Login.aspx" protection="All" timeout="30" name="AppNameCookie" path="/FormsAuth" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" cookieless="UseCookies" enableCrossAppRedirects="false"/> </authentication> <authorization> <deny users="?" /> <allow users="*" /> </authorization>

  48. Contd… (Step 2) • Configure the ActiveDirectoryMembershipProvider as follows , <connectionStrings> <add name="ADConnectionString" connectionString= "LDAP://domain.testing.com/CN=Users,DC=domain,DC=testing,DC=com" /> </connectionStrings> <system.web> ... <membership defaultProvider="MembershipADProvider"> <providers> <add name="MembershipADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADConnectionString" connectionUsername="<domainName>\administrator" connectionPassword="password"/> </providers> </membership> ... </system.web> LDAP : LightWeight Directory Access protocol . LDAP Connectionstring Format : LDAP://server/userdn/ Server ; name or IP address of the server using the directory Userdn is the unique name of the active directory user store.

  49. Creating Users • Using Website administration tool (ASP.NET configuration) in visual Studio 2005 toolbar. • CreateUserWizard Control on a web page. • Membership API (to create users programmatically) . Membership.CreateUser("UserName@DomainName", "P@ssw0rd", "userName@emailAddress");

  50. Authenticating Users • Using Login Control in ASP.NET 2.0 (uses membership providers by default without writing any additional code) • Custom login page : call Membership.validateUser to authenticate users. if (Membership.ValidateUser(userName.Text, password.Text)) { if (Request.QueryString["ReturnUrl"] != null) { FormsAuthentication.RedirectFromLoginPage(userName.Text, false); );//false to prevent creating persistant cookies } else { FormsAuthentication.SetAuthCookie(userName.Text, false } } else { Response.Write("Invalid UserID and Password"); }

More Related