1 / 46

Securing MVC.NET Web Applications

Securing MVC.NET Web Applications. Andrew Wilson. 오 안녕하세요 !!! !. Senior Software Consultant Obsessed security guy OWASP co-lead Long walks on the beach desert Drinking IPA in the rain. Overview. Microsoft SDL Introduction to OWASP OWASP Projects Top 10 Security problems

miles
Download Presentation

Securing MVC.NET Web Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing MVC.NET Web Applications Andrew Wilson

  2. 오 안녕하세요!!!! • Senior Software Consultant • Obsessed security guy • OWASP co-lead • Long walks on the beach desert • Drinking IPA in the rain

  3. Overview • Microsoft SDL • Introduction to OWASP • OWASP Projects • Top 10 Security problems • Microsoft Framework Security Components • Summary • Further Reading

  4. Brief Rant • Lists are generic, your problems aren’t • Narrows the field of vision • Simple face on a complex problem • Top 10 gets you started in the right direction • Secure development processes gets you the rest the way

  5. Brief Review of SDL • Defined security process from MS • History lesson of what worked and didn’t • Low cost of entry (free) • You need a Secure Development Lifecycle • It might be too big for your needs

  6. Tools • WebScarab is free, and hence awesome • Burp Suite is free, and also awesome • Burp Suite Pro is not free, but it’s the most awesomest of them all.

  7. Introduction to OWASP • Focused on improving security of applications • OWASP Projects Include: • Developer & Tester Guides • SAMM (Software Assurance Maturity Model) • OWASP Tools • WebScarab, Live CD, WebGoat, ESAPI

  8. OWASP Top 10

  9. Injection Attacks

  10. Account: SKU: Account: SKU: Injection Attacks Illustrated "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’" Account Summary Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 DB Table   HTTP response   SQL query HTTP request Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Databases Legacy Systems Web Services Directories Billing Human Resrcs Application Layer APPLICATIONATTACK 1. Application presents a form to the attacker Custom Code 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query App Server Web Server 4. Database runs query containing attack and sends encrypted results back to application Hardened OS Network Layer 5. Application decrypts data as normal and sends results to the user Firewall Firewall

  11. Pop Quiz! • Q: Is .NET a compiled language or is it an interpreted one? • A: Yes!

  12. Injection Defense • This is the single hardest problem in web security. Data. • Common Approaches include: • White Listing • Black Listing • Encoding • Once you identify something is wrong… What do you do next?

  13. Injection Vectors • Html input data • Javascript itself • Reflection attacks are injection based (because they attack the reflection / interrupter) • XML attacks against web services • JIT attacks (what the world?) • LDAP & SQL

  14. MS-AntiXSS

  15. XSS Attacks

  16. Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code XSS Illustrated 1 Attacker sets the trap – update my profile Application with stored XSS vulnerability Attacker enters a malicious script into a web page that stores the data on the server Victim views page – sees attacker profile 2 Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie

  17. Defense • Encoding your variables • Built in XSS defensive bits in MVC.net • Anti-XSS library • What are the attack vectors? • Cookies • Url • Querystring • Post Variables • HTTP Request Headers • JSON / XML payloads

  18. Broken Auth & Session Management

  19. Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Broken Auth Illustrated 1 User sends credentials www.boi.com?JSESSIONID=9FA1DB9EA... Site uses URL rewriting (i.e., put session in URL) 2 3 User clicks on a link to http://www.hacker.com in a forum Hacker checks referer logs on www.hacker.com and finds user’s JSESSIONID 4 Hacker uses JSESSIONID and takes over victim’s account

  20. Defense (Bad news) • ASP.NET has no built in countermeasures • RegenerateExpiredSessionId doesn’t work the way you’d expect • MS has no plans to fix this (yet)

  21. Defense • Set your web.config to not allow sessions to be stored for cookieless browsers. • Set your sessions data ONLY in secure pages • Password reset is mostly a logical bug • Be wary of relationships that can be faked • Regenerate Login once logged in • Don’t leak the sessionId (if possible)

  22. Insecure Direct Object Reference

  23. Direct Object Reference Illustrated • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information https://www.onlinebank.com/user?acct=6065

  24. Defense • Rutroh! This is how MVC is structured! • Don’t bind to ID’s that can be enumerated? • Accept it as loss? • Rewrite the URIs! (IIS) • Secure the URIs!

  25. CSRF Attacks

  26. Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code CSRF Illustrated Attacker sets the trap on some website on the internet(or simply via an e-mail) 1 Application with CSRF vulnerability Hidden <img> tag contains attack against vulnerable site While logged into vulnerable site,victim views attacker site 2 3 Vulnerable site sees legitimate request from victim and performs the action requested <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site

  27. Defense • Protect valuable actions with CAPTCHA • Validation of Headers (Weak-Sauce) • Expire session, offer logout options • New JSON exposure • Protect the website with CSRF Tokens • Built into MVC.NET • Implementation is more difficult than it seems

  28. Security Misconfigurations

  29. Security Misconfig Illustrated Database Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code App Configuration Development Framework App Server QA Servers Web Server Hardened OS Insider Test Servers Source Control

  30. Defense • Cassini is a LIAR, do not trust it! • ASP.NET won’t serve particular types of files by default: • DON’T RENAME THEM! Web.config.bak WILL be served! • Don’t allow directory browsing • Don’t let developers know secure connection strings to production if you can avoid it.

  31. Insecure Cryptographic Storage

  32. Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Insecure Cryptographic Storage Illustrated Victim enters credit card number in form 1 Log files Malicious insider steals 4 million credit card numbers 4 2 Error handler logs CC details because merchant gateway is unavailable 3 Logs are accessible to all members of IT staff for debugging purposes

  33. Defense • Are you encrypting sensitive information w/ SQL Server 2008? • Are you storing sensitive information in places you ought not to? Logs, emails, etc.. • What are you encrypting in the database

  34. URL Access

  35. Failure to Restrict URL Access Illustrated • Attacker notices the URL indicates his role /user/getAccounts • He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own

  36. Defense • Use [Authorization] headers where appropriate • Use Web.Config <sections> where appropriate • Consider using Role filters and [Permission.Demand] attributes over features • Consider: Who owns this, who can maintain it, how high up the chain can they call? • Don’t forget all your super rad JSON stuff! • Service calls need security love too!

  37. Insufficient Transport Layer Protection

  38. Insufficient Transport Layer Protection Illustrated Business Partners External Victim Backend Systems Custom Code Employees 2 1 External attacker steals credentials and data off network Internal attacker steals credentials and data from internal network External Attacker Internal Attacker

  39. Defense • Use awesome certificates (aka, 3rd party verified, non-expired) • Set them UP CORRECTLY (validate) • Insecure landing page • Don’t use redirects, use HTTPS only • Insecure Content Attacks • Use Strong encryption

  40. Unvalidated Redirects & Forwards

  41. Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Unvalidated Redirect Illustrated 1 Attacker sends attack to victim via email or webpage From: Internal Revenue ServiceSubject: Your Unclaimed Tax RefundOur records show you have an unclaimed federal tax refund. Please click here to initiate your claim. 3 Application redirects victim to attacker’s site Victim clicks link containing unvalidated parameter 2 Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site Evil Site 4 Evil site installs malware on victim, or phish’s for private information http://www.irs.gov/taxrefund/claim.jsp?year=2006&… &dest=www.evilsite.com

  42. Defense • Don’t do that! • If you have to, use some variable to control location, not user supplied code • Be wary of Response.Redirect! The action maystill performed even if the site is redirected!

  43. Other .NET Framework Components • Monitoring / health frameworks • SecureStrings • Encryption: Built in frameworks • Data leaking: • Viewstate encryption • Errors and error handling

  44. More stuff • Awareness of what is publicly indexed • Developer comments • Robots.txt • Crossdomain.xml

  45. Summary • Out of the box, MVC.NET is the easiest defendable web application framework I have ever used. • ASP.NET comes with many built in components that can really help you out (if utilized) • Bad code can be written in any language. Don’t do that

  46. QA? • Twitter: awilsong • Blog: http://pinvoke.wordpress.com • Email: pinvoke@doublethunk.org

More Related