1 / 35

Hack Proofing Your Microsoft ASP.NET Web Forms and MVC Applications

DEV333. Hack Proofing Your Microsoft ASP.NET Web Forms and MVC Applications. Adam Tuliper Software Architect - Cegedim www.secure-coding.com. The Skinny. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why?. Click to Hack.

kamala
Download Presentation

Hack Proofing Your Microsoft ASP.NET Web Forms and MVC Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. DEV333 Hack Proofing Your Microsoft ASP.NET Web Forms and MVC Applications Adam Tuliper Software Architect - Cegedim www.secure-coding.com

  2. The Skinny • Describe each main attack • Demo how the attack works • Fix our poor vulnerable application! • Why Script Kiddies, Why? Click to Hack

  3. Select * from pwned SQL InjectionCross Site ScriptingCross Site Request ForgeryParameter Tampering Information LeakageEncryption The fastest way into your systems

  4. SQL Injection - What is it? Dangerous? Network enumeration Account creating/cracking Database Copying over port 80 Data Tampering Code Download Backdoors • Control code injected into the data channel • Values are altered to create SQL commands where only data is expected • ' • ' Unexpected Input Expected Input

  5. How Is It Exploited? • URI tampering • Parameter Tampering • Cookie Tampering Set-Cookie: DefaultSearchLanguage=EN-US' union x,x,x--; path=/;

  6. How Do You Prevent It? • ALL calls are parameterized • No dynamic strings • Escape/Whitelist input. • Audit table permissions! • Use Entity Framework!! • DEMO - Permissions checker code

  7. But I Need My Dynamic SQL! • Usually not – dynamic where clauses with static SQL: WHERE CustomerId = Coalesce(@customerId, CustomerId) • Dynamic Order By using RANK • Regex/whitelist everything possible + parameterized queries • Avoid exec instead of sp_executesql because of the lack of parameter support.

  8. SQL Injection Misconceptions • I am safe if always using stored procs: FALSE • If I replace only -- and ' you are safe: FALSE • If I have an error page I’m safe: FALSE • Proper permissions will always protect me: FALSE • Parameterized queries will protect me: Potentially • Together these help make the app safER

  9. SQL InjectionCross Site ScriptingCross Site Request ForgeryParameter Tampering Encryption / Protecting Credentials Information Leakage When CSS isn’t cool

  10. XSS – What is it? Candidate Names Included: Unauthorized Site Scripting Unofficial Site Scripting URL Parameter Script Insertion Cross Site Scripting Synthesized Scripting Fraudulent Scripting • Script injected into: • Page • Database • Cookies • Two types – reflected and persistent • Access DOM, steal cookies, send form data, and more Script Injected to Web Page User Visits Page Evil Script

  11. How Is XSS Exploited? • Page processes malicious data as script • URIs, Form Fields, Cookies, and Databases all sources of data • Tricky to catch all combinations: <DIV STYLE="width: expression(alert('XSS'));“> "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i". UTF 7 Encoding (IE6 only) +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- Without <script> tags <body onload=alert('test1')>

  12. How Do You Prevent XSS? • HtmlEncode or AttributeEncode all output: @, <%:,HtmlEncode(),HtmlAttributeEncode()Warning: <:# No dynamic attributes - <div onclick={dynamic text} > • Avoid ValidateRequest=false • WYSIWYG Editing or HTML- • Encode output before POST (Telerik, etc support this) • MVC3 - [AllowHtml] on Model Property – No [ValidateInput(false)] • ASP.Net 4 <httpRuntimeencoderType> - Use Anti-Xss

  13. Preventing XSS - Additional • Should you store data encoded? Not encoded, but sanitized. Encoding & storing can lead to double encoding: < &lt; &amp;lt; &amp;amp;let • AntiXss Sanitizer’s GetSafeHtml/GetSafeHtmlFragment • Test controls - inject script, special characters. • Audit all locationsdata is dynamically displayed ex: <%, <%# • Goodbye IE6 – Prevent yee I shall!

  14. SQL InjectionCross Site ScriptingCross Site Request ForgeryParameter Tampering Encryption / Protecting Credentials Information Leakage Forgery makes developers unhappy : (

  15. CSRF – What Is It? • Attacker uses the fact the victim is authenticated to a website • Attacker crafts a request the user executes • Can be very simple - image tag in an email, script on a blog • Identifying the attacker can be difficult

  16. CSRF – How Is It Exploited? • Requests are generally repeatable • Image - can be embedded in an email  <imgsrc="http://host/CreateUser?JaneDoe"> • Attacked via XSS   <script src="http://host/CreateUser?JaneDoe"> <iframesrc="http://host/CreateUser?JaneDoe"> • Invisible actions via the 'Image' Objectvarfoo = new Image(); foo.src = "http://host/CreateUser?JaneDoe";

  17. CSRF – How Do You Prevent It? 1/2 • All ‘actions’ through POST only • GET requests only return data • Use Hidden Form Token • Token required on POST

  18. CSRF – How Do You Prevent It 2/2 MVC • [HttpPost] • Html.AntiForgeryToken() & [ValidateAntiForgeryToken] Web Forms • ViewStateUserKey = SessionId • Do not turn off: EnableViewStateMac=true

  19. Hi, I’m The One-Click Attack Web Forms Assumptions: • Button commands are only processed on post events? FALSE • ViewState only processed if posted? FALSE • Page.IsPostBack means there definitely been a post? FALSE • Demo

  20. SQL InjectionCross Site ScriptingCross Site Request ForgeryParameter Tampering Encryption / Protecting Credentials Information Leakage Taking advantage of page trust

  21. Tampering Gone WILD! (What Is It?) UserId=1 UserId=59

  22. Preventing Tampering • Validate data on server • Hash key field for comparison • secure-coding.com’s [ValidateAntiModelInjectionFor()] • Web Forms – Built in protection! • EnableEventValidationprotects Hidden textbox • Protection often disabled because of validation issues • Web Farm Considerations

  23. SQL InjectionCross Site ScriptingCross Site Request ForgeryParameter TamperingEncryption / Protecting Credentials Information Leakage Taking advantage of page trust

  24. Encryption Encrypt sensitive config settings Hash or Encrypt ALL Passwords Encrypt all sensitive private information Additional Code Demos for download aspnet_regiis.exe -pe "connectionStrings" -app "/security“ Encrypt AFTER deployment to avoid machine key issues

  25. Protecting Credentials • ALL pages use SSL • Intranet applications too! • Credentials / token usually sent on every request • httpOnly cookies prevent client script access – use always • Forms authentication requireSSL • No session info in the URI • Session Hijacking only takes one cookie value

  26. SQL InjectionCross Site ScriptingCross Site Request ForgeryParameter TamperingEncryption / Protecting CredentialsInformation Leakage Captain – She’s sprung a leak!!!!!

  27. Information Leakage Simplest Implementation in web.config • 1. Implement <customErrors> • 2. Test various types of errors (404, 500, etc) • 3. Ensure ALL tracing is disabled • Disable all page level tracing • Search for tracing in web.config • Try accessing trace.axd

  28. All links at: http://bit.ly/mlml1B PluralSiteOnDemand Training Library – Free Trial!! OWASP: The Open Web Application Security Project Security Tools Microsoft Anti-Cross Site Scripting Library V4.0 (4.1 in beta!) Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - 32 bit Tools / Resources

  29. Required Slide Speakers, please list the Breakout Sessions, Interactive Discussions, Labs, Demo Stations and Certification Exam that relate to your session. Also indicate when they can find you staffing in the TLC. Related Content • SIM404 Hey, You! Get Off My Network! • SIM302 Lessons from HackwartsVol 1: Defense against the Dark Arts 2011 • COS374-INT Security Considerations with the Cloud • DEV356 Integrating Security Roles into Microsoft Silverlight Applications

  30. Thanks!! • Please fill out evaluations on the way out • adam.tuliper@gmail.com • CompleteDevelopment.blogspot.com • Twitter: @AdamTuliper • Free Trial http://www.pluralsight-training.net/microsoft/ • Visit me afterwards in the dev learning center – web stand

  31. Web Track Resources • http://www.asp.net/ • http://www.silverlight.net/ • http://www.microsoft.com/web/gallery/ • http://www.iis.net/ • http://weblogs.asp.net/Scottgu/ • http://www.hanselman.com/blog/

  32. Resources • Connect. Share. Discuss. http://northamerica.msteched.com Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet • http://microsoft.com/msdn

  33. Complete an evaluation on CommNet and enter to win!

More Related