Hack proofing your microsoft asp net web forms and mvc applications
Hack Proofing Your Microsoft ASP.NET Web Forms and MVC Applications - PowerPoint PPT Presentation


Presentation Transcript

DEV333

Hack Proofing Your Microsoft ASP.NET Web Forms and MVC Applications

Adam Tuliper

Software Architect - Cegedim

www.secure-coding.com


The Skinny

  • Describe each main attack

  • Demo how the attack works

  • Fix our poor vulnerable application!

  • Why Script Kiddies, Why?

Click to Hack



Select * from pwned

Agenda: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Parameter Tampering, Information Leakage, Encryption

The fastest way into your systems


SQL Injection - What is it?

Dangerous?

Network enumeration

Account creating/cracking

Database Copying over port 80

Data Tampering

Code Download

Backdoors

  • Control code injected into the data channel

  • Values are altered to create SQL commands where only data is expected

  • Expected input: a plain value

  • Unexpected input: a stray ' that changes the meaning of the statement


How Is It Exploited?

  • URI tampering

  • Parameter Tampering

  • Cookie Tampering

    Set-Cookie: DefaultSearchLanguage=EN-US' union x,x,x--; path=/;


How Do You Prevent It?

  • ALL calls are parameterized

  • No dynamic strings

  • Escape/Whitelist input.

  • Audit table permissions!

  • Use Entity Framework!!

  • DEMO - Permissions checker code


But I Need My Dynamic SQL!

  • Usually not – dynamic where clauses with static SQL:

    WHERE CustomerId = Coalesce(@customerId, CustomerId)

  • Dynamic Order By using RANK

  • Regex/whitelist everything possible + parameterized queries

  • Avoid EXEC in favour of sp_executesql, because EXEC has no parameter support.
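As an added example (not code from the talk), the string-built query beside a static-SQL version that uses the COALESCE pattern above and a whitelisted ORDER BY; the Customers table and its columns are assumed:

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Assumed schema: Customers(CustomerId INT, Name NVARCHAR, City NVARCHAR).
public static class CustomerQueries
{
    // VULNERABLE: the caller's text becomes part of the command text, so a quote
    // in "city" changes the structure of the statement, not just the value compared.
    public static string BuildUnsafeSql(string city)
    {
        return "SELECT CustomerId, Name FROM Customers WHERE City = '" + city + "'";
    }

    // Columns the caller may sort by; anything else is rejected before it reaches SQL.
    private static readonly HashSet<string> SortableColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CustomerId", "Name", "City" };

    // SAFE: static SQL with optional filters via COALESCE and a whitelisted column name.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, int? customerId, string city, string orderBy)
    {
        if (!SortableColumns.Contains(orderBy))
            throw new ArgumentException("Unsupported sort column", "orderBy");

        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.Text;
        // The column name is concatenated only after the whitelist check; values never are.
        cmd.CommandText =
            "SELECT CustomerId, Name, City FROM Customers " +
            "WHERE CustomerId = COALESCE(@customerId, CustomerId) " +
            "  AND City = COALESCE(@city, City) " +
            "ORDER BY " + orderBy;
        // A null filter becomes DBNull, so COALESCE falls back to the column itself (no filter).
        cmd.Parameters.Add("@customerId", SqlDbType.Int).Value = (object)customerId ?? DBNull.Value;
        cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = (object)city ?? DBNull.Value;
        return cmd;
    }
}
```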


SQL Injection Misconceptions

  • I am safe if always using stored procs: FALSE

  • If I replace only -- and ' I'm safe: FALSE

  • If I have an error page I’m safe: FALSE

  • Proper permissions will always protect me: FALSE

  • Parameterized queries will protect me: Potentially

  • Together these help make the app safER



When CSS isn’t cool


XSS – What is it?

Candidate Names Included:

Unauthorized Site Scripting

Unofficial Site Scripting

URL Parameter Script Insertion

Cross Site Scripting

Synthesized Scripting

Fraudulent Scripting

  • Script injected into:

    • Page

    • Database

    • Cookies

  • Two types – reflected and persistent

  • Access DOM, steal cookies, send form data, and more

Diagram: script injected into web page, user visits page, evil script runs in the user's browser


How Is XSS Exploited?

  • Page processes malicious data as script

  • URIs, Form Fields, Cookies, and Databases all sources of data

  • Tricky to catch all combinations:

    <DIV STYLE="width: expression(alert('XSS'));">

    "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i".

    UTF-7 encoding (IE6 only)

    +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

    Without <script> tags

    <body onload=alert('test1')>


How Do You Prevent XSS?

  • HtmlEncode or AttributeEncode all output:

    Razor @, <%: %>, HtmlEncode(), HtmlAttributeEncode(). Warning: <%# (data binding) does not encode

    No dynamic attributes - <div onclick={dynamic text} >

  • Avoid ValidateRequest=false

  • WYSIWYG Editing or HTML-

    • Encode output before POST (Telerik, etc support this)

    • MVC3 - [AllowHtml] on Model Property – No [ValidateInput(false)]

  • ASP.NET 4 <httpRuntime encoderType="..."> - use the AntiXss encoder


Preventing XSS - Additional

  • Should you store data encoded?

    Not encoded, but sanitized.

    Encoding & storing can lead to double encoding:

    < becomes &lt; becomes &amp;lt; becomes &amp;amp;lt;

  • AntiXss Sanitizer’s GetSafeHtml/GetSafeHtmlFragment

  • Test controls - inject script, special characters.

  • Audit all locations where data is dynamically displayed, e.g. <%, <%#

  • Goodbye IE6 – Prevent yee I shall!
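An added example (not from the talk) covering both slides above: encode once, at output, with the encoder for the HTML context in use, and see why a value that was already encoded when stored ends up double-encoded on the page:

```csharp
using System;
using System.Web;

public static class XssEncodingDemo
{
    // Correct: the raw value is stored as-is and encoded once, as it is written into element content.
    public static string RenderComment(string storedRawText)
    {
        return "<p>" + HttpUtility.HtmlEncode(storedRawText) + "</p>";
    }

    // Attribute context has its own rules (a quote alone ends the attribute), so use the attribute encoder.
    public static string RenderTitleAttribute(string storedRawText)
    {
        return "<div title=\"" + HttpUtility.HtmlAttributeEncode(storedRawText) + "\">";
    }

    // The pitfall: the value was encoded before it was saved, and the view encodes it again.
    // A stored "&lt;" comes out as "&amp;lt;", so the user sees the literal text "&lt;" on the page.
    public static string RenderDoubleEncoded(string storedEncodedText)
    {
        return "<p>" + HttpUtility.HtmlEncode(storedEncodedText) + "</p>";
    }

    public static void Main()
    {
        // Constructed sample input: the <script> element is neutralised into &lt;script&gt; text.
        string raw = "<script>alert(1)</script>";
        Console.WriteLine(RenderComment(raw));
        Console.WriteLine(RenderTitleAttribute("\" onmouseover=\"x"));

        // Simulate the "encode then store" mistake from the slide.
        string savedEncoded = HttpUtility.HtmlEncode("<");
        Console.WriteLine(RenderDoubleEncoded(savedEncoded));
    }
}
```

Rule of thumb from the two slides: sanitize (strip what is not allowed) before storing, encode when rendering.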



Forgery makes developers unhappy : (


CSRF – What Is It?

  • Attacker uses the fact the victim is authenticated to a website

  • Attacker crafts a request the user executes

  • Can be very simple - image tag in an email, script on a blog

  • Identifying the attacker can be difficult


CSRF – How Is It Exploited?

  • Requests are generally repeatable

  • Image - can be embedded in an email:

    <img src="http://host/CreateUser?JaneDoe">

  • Attacked via XSS:

    <script src="http://host/CreateUser?JaneDoe">

    <iframe src="http://host/CreateUser?JaneDoe">

  • Invisible actions via the 'Image' object:

    var foo = new Image(); foo.src = "http://host/CreateUser?JaneDoe";


CSRF – How Do You Prevent It? 1/2

  • All ‘actions’ through POST only

  • GET requests only return data

  • Use Hidden Form Token

  • Token required on POST


CSRF – How Do You Prevent It 2/2

MVC

  • [HttpPost]

  • Html.AntiForgeryToken() & [ValidateAntiForgeryToken]

Web Forms

  • ViewStateUserKey = SessionId

  • Do not turn off: EnableViewStateMac=true
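The two mitigations on this slide as an added example (not the talk's code; the controller, action and page names are hypothetical):

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// MVC: the state-changing action accepts POST only, and the POST must carry the
// anti-forgery token that the view emits with @Html.AntiForgeryToken() inside
// its form, e.g.  @using (Html.BeginForm()) { @Html.AntiForgeryToken() ... }
public class UserAccountController : Controller
{
    [HttpGet]
    public ActionResult Create()
    {
        return View(); // GET only renders the form and changes nothing.
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(string userName)
    {
        // Runs only when the hidden form token and the cookie token match;
        // otherwise MVC throws HttpAntiForgeryException before this method.
        // ... create the user here ...
        return RedirectToAction("Index");
    }
}

// Web Forms: tie ViewState to the current session so a ViewState prepared for one
// session cannot be replayed in another. ViewStateUserKey must be set in Page_Init,
// before ViewState is loaded. EnableViewStateMac stays at its default of true.
public partial class CreateUserPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        if (Session != null)
            ViewStateUserKey = Session.SessionID;
    }
}
```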


Hi, I’m The One-Click Attack

Web Forms Assumptions:

  • Button commands are only processed on post events? FALSE

  • ViewState only processed if posted? FALSE

  • Page.IsPostBack means there has definitely been a POST? FALSE

  • Demo



Taking advantage of page trust



Preventing Tampering

  • Validate data on server

  • Hash key field for comparison

    • secure-coding.com’s [ValidateAntiModelInjectionFor()]

  • Web Forms – Built in protection!

    • EnableEventValidation protects hidden textboxes

    • Protection often disabled because of validation issues

  • Web Farm Considerations
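One way to implement the "hash key field for comparison" bullet, as an added example that is not the secure-coding.com attribute itself: the record id travels as "id:mac", the MAC is computed with a server-side key, and the POST handler rejects any field whose MAC no longer matches. The key is assumed to come from protected configuration and, on a web farm, to be the same on every node.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class TamperProofId
{
    // Emit the value for a hidden field or route: "<id>:<base64 HMAC of id>".
    public static string Protect(int id, byte[] serverKey)
    {
        return id + ":" + Mac(id.ToString(), serverKey);
    }

    // Return the validated id, or null when the field was edited or is malformed.
    public static int? Unprotect(string field, byte[] serverKey)
    {
        if (string.IsNullOrEmpty(field)) return null;
        string[] parts = field.Split(':');
        int id;
        if (parts.Length != 2 || !int.TryParse(parts[0], out id)) return null;

        string expected = Mac(parts[0], serverKey);
        bool ok = FixedTimeEquals(Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(parts[1]));
        return ok ? id : (int?)null;
    }

    private static string Mac(string value, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(value)));
    }

    // Constant-time comparison so response timing does not reveal how much of the MAC matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Server-side validation of the posted data is still required; the MAC only proves the id is the one the server handed out, not that the user may act on it.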



Taking advantage of page trust


Encryption

Encrypt sensitive config settings

Hash or Encrypt ALL Passwords

Encrypt all sensitive private information

Additional Code Demos for download

aspnet_regiis.exe -pe "connectionStrings" -app "/security"

Encrypt AFTER deployment to avoid machine key issues


Protecting Credentials

  • ALL pages use SSL

  • Intranet applications too!

  • Credentials / token usually sent on every request

  • httpOnly cookies prevent client script access – use always

  • Forms authentication requireSSL

  • No session info in the URI

  • Session Hijacking only takes one cookie value



Captain – She’s sprung a leak!!!!!


Information Leakage

Simplest Implementation in web.config

  1. Implement <customErrors>

  2. Test various types of errors (404, 500, etc.)

  3. Ensure ALL tracing is disabled

    • Disable all page-level tracing

    • Search for tracing in web.config

    • Try accessing trace.axd
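A web.config fragment, added here as an example (not from the talk), that applies the Protecting Credentials settings and the Information Leakage steps above; the login and error page paths are assumed:

```xml
<configuration>
  <system.web>
    <!-- Protecting credentials: cookies unreadable by client script and sent only over HTTPS -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" cookieless="UseCookies" />
    </authentication>
    <!-- No session identifier in the URI -->
    <sessionState cookieless="UseCookies" />

    <!-- Information leakage: generic error pages instead of stack traces -->
    <customErrors mode="On" defaultRedirect="~/Error/Generic">
      <error statusCode="404" redirect="~/Error/NotFound" />
      <error statusCode="500" redirect="~/Error/Generic" />
    </customErrors>
    <!-- No debug builds in production; tracing and trace.axd switched off -->
    <compilation debug="false" />
    <trace enabled="false" pageOutput="false" localOnly="true" />
  </system.web>
</configuration>
```

After deploying, request a missing page, force a server error, and request /trace.axd to confirm that none of them reveal internals.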


Tools / Resources

All links at: http://bit.ly/mlml1B

Pluralsight On-Demand Training Library – Free Trial!!

OWASP: The Open Web Application Security Project

Security Tools

Microsoft Anti-Cross Site Scripting Library V4.0 (4.1 in beta!)

Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - 32 bit




Related Content

  • SIM404 Hey, You! Get Off My Network!

  • SIM302 Lessons from Hackwarts Vol 1: Defense against the Dark Arts 2011

  • COS374-INT Security Considerations with the Cloud

  • DEV356 Integrating Security Roles into Microsoft Silverlight Applications


Thanks!!

  • Please fill out evaluations on the way out

  • adam.tuliper@gmail.com

  • CompleteDevelopment.blogspot.com

  • Twitter: @AdamTuliper

  • Free Trial http://www.pluralsight-training.net/microsoft/

  • Visit me afterwards in the dev learning center – web stand


Web Track Resources

  • http://www.asp.net/

  • http://www.silverlight.net/

  • http://www.microsoft.com/web/gallery/

  • http://www.iis.net/

  • http://weblogs.asp.net/Scottgu/

  • http://www.hanselman.com/blog/


Resources

  • Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

  • Sessions On-Demand & Community

  • Microsoft Certification & Training Resources

www.microsoft.com/teched

www.microsoft.com/learning

  • Resources for IT Professionals

  • Resources for Developers

  • http://microsoft.com/technet

  • http://microsoft.com/msdn



Complete an evaluation on CommNet and enter to win!