Transcript slides - WordPress.com

Securing MVC.NET Web
Applications
Andrew Wilson
오 안녕하세요!!!!
•
•
•
•
•
Senior Software Consultant
Obsessed security guy
OWASP co-lead
Long walks on the beach desert
Drinking IPA in the rain
Overview
• Microsoft SDL
• Introduction to OWASP
– OWASP Projects
– Top 10 Security problems
• Microsoft Framework Security Components
• Summary
• Further Reading
Brief Rant
•
•
•
•
•
Lists are generic, your problems aren’t
Narrows the field of vision
Simple face on a complex problem
Top 10 gets you started in the right direction
Secure development processes gets you the
rest the way
Brief Review of SDL
•
•
•
•
•
Defined security process from MS
History lesson of what worked and didn’t
Low cost of entry (free)
You need a Secure Development Lifecycle
It might be too big for your needs
Tools
• WebScarab is free, and hence awesome
• Burp Suite is free, and also awesome
• Burp Suite Pro is not free, but it’s the most
awesomest of them all.
Introduction to OWASP
• Focused on improving security of applications
• OWASP Projects Include:
– Developer & Tester Guides
– SAMM (Software Assurance Maturity Model)
• OWASP Tools
– WebScarab, Live CD, WebGoat, ESAPI
OWASP Top 10
Injection Attacks
Injection means…
• Tricking an application into including unintended commands in the data sent to
an interpreter
Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL injection is still quite common
• Many applications still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid
Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access
ATTACK


Billing
Directories

Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
3. Application forwards attack to
the database in a SQL query
App Server
Web Server
Firewall
Hardened OS
Firewall
DB Table

"SELECT * FROM
Account Summary
Account:
accounts WHERE
SKU:
acct=‘’
OR 1=1-Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
’"
1. Application presents a form to
the attacker
2. Attacker sends an attack in the
form data
Custom Code
Network Layer
Human Resrcs

Web Services
Databases
HTTP
SQL
response
query

HTTP
request
APPLICATION
Legacy Systems
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
Administration
Transactions
Accounts
Finance
Application Layer
Injection Attacks Illustrated
4. Database runs query containing
attack and sends encrypted results
back to application
5. Application decrypts data as
normal and sends results to the
user
Pop Quiz!
• Q: Is .NET a compiled language or is it an
interpreted one?
• A: Yes!
Injection Defense
• This is the single hardest problem in web
security. Data.
• Common Approaches include:
– White Listing
– Black Listing
– Encoding
• Once you identify something is wrong… What
do you do next?
Injection Vectors
• Html input data
• Javascript itself
• Reflection attacks are injection based
(because they attack the reflection /
interrupter)
• XML attacks against web services
• JIT attacks (what the world?)
• LDAP & SQL
MS-AntiXSS
Encoding Method
Should Be Used If …
Example/Pattern
HtmlEncode
Untrusted input is used in HTML output
except when assigning to an HTML
attribute.
<a
href="http://www.contoso.com">Click
Here [Untrusted input]</a>
HtmlAttributeEncode
Untrusted input is used as an HTML
attribute
<hr noshade size=[Untrusted input]>
Untrusted input is used within a JavaScript
context
<script type="text/javascript"> …
[Untrusted input]
…
</script>
Untrusted input is used in a URL (such as a
value in a querystring)
<a
href="http://search.msn.com/results.
aspx?q=[Untrusted-input]">Click
Here!</a>
VisualBasicScriptEncode
Untrusted input is used within a Visual
Basic Script context
<script type="text/vbscript"
language="vbscript"> …
[Untrusted input]
…
</script>
XmlEncode
Untrusted input is used in XML output,
except when assigning to an XML attribute
<xml_tag>[Untrusted
input]</xml_tag>
XmlAttributeEncode
Untrusted input is used as an XML
attribute
<xml_tag attribute=[Untrusted
input]>Some Text</xml_tag>
JavaScriptEncode
UrlEncode
XSS Attacks
Occurs any time…
• Raw data from attacker is sent to an innocent user’s browser
Raw data…
• Stored in database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into rich JavaScript client
Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)
Typical Impact
• Steal user’s session, steal sensitive data, rewrite web page, redirect user to
phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all
user’s behavior on vulnerable site and force user to other sites
Victim views page – sees attacker profile
Custom Code
Script runs inside victim’s
browser with full access to
the DOM and cookies
3
Script silently sends attacker Victim’s session cookie
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
2
Administration
Transactions
Attacker enters a
malicious script into a web
page that stores the data
on the server
Application with
stored XSS
vulnerability
Accounts
Finance
1
XSS
Illustrated
Attacker sets the trap – update my profile
Defense
•
•
•
•
Encoding your variables
Built in XSS defensive bits in MVC.net
Anti-XSS library
What are the attack vectors?
–
–
–
–
–
–
Cookies
Url
Querystring
Post Variables
HTTP Request Headers
JSON / XML payloads
Broken Auth & Session Management
HTTP is a “stateless” protocol
• Means credentials have to go with every request
• Should use SSL for everything requiring authentication
Session management flaws
• SESSION ID used to track state since HTTP doesn’t
• and it is just as good as credentials to an attacker
• SESSION ID is typically exposed on the network, in browser, in logs, …
Beware the side-doors
• Change my password, remember my password, forgot my password, secret
question, logout, email address, etc…
Typical Impact
• User accounts compromised or user sessions hijacked
www.boi.com?JSESSIONID=9FA1DB9EA...
Site uses URL rewriting
(i.e., put session in URL)
3
2
Custom Code
User clicks on a link to http://www.hacker.com in
a forum
Hacker checks referer logs on www.hacker.com
and finds user’s JSESSIONID
Hacker uses JSESSIONID and
takes over victim’s account
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
User sends credentials
Accounts
Finance
1
Administration
Transactions
Broken Auth Illustrated
4
Defense (Bad news)
• ASP.NET has no built in countermeasures
• RegenerateExpiredSessionId doesn’t work the
way you’d expect
• MS has no plans to fix this (yet)
Defense
• Set your web.config to not allow sessions to
be stored for cookieless browsers.
• Set your sessions data ONLY in secure pages
• Password reset is mostly a logical bug
• Be wary of relationships that can be faked
• Regenerate Login once logged in
• Don’t leak the sessionId (if possible)
Insecure Direct Object Reference
How do you protect access to your data?
• This is part of enforcing proper “Authorization”, along with
A7 – Failure to Restrict URL Access
A common mistake …
•
•
•
•
•
Only listing the ‘authorized’ objects for the current user, or
Hiding the object references in hidden fields
… and then not enforcing these restrictions on the server side
This is called presentation layer access control, and doesn’t work
Attacker simply tampers with parameter value
Typical Impact
• Users are able to access unauthorized files or data
Direct Object Reference Illustrated
https://www.onlinebank.com/user?acct=6065
• Attacker notices his acct
parameter is 6065
?acct=6065
• He modifies it to a nearby
number
?acct=6066
• Attacker views the victim’s
account information
Defense
•
•
•
•
•
Rutroh! This is how MVC is structured!
Don’t bind to ID’s that can be enumerated?
Accept it as loss?
Rewrite the URIs! (IIS)
Secure the URIs!
CSRF Attacks
Cross Site Request Forgery
• An attack where the victim’s browser is tricked into issuing a command to a
vulnerable web application
• Vulnerability is caused by browsers automatically including user authentication
data (session ID, IP address, Windows domain credentials, …) with each request
Imagine…
• What if a hacker could steer your mouse and get you to click on links in your
online banking application?
• What could they make you do?
Typical Impact
• Initiate transactions (transfer funds, logout user, close account)
• Access sensitive data
• Change account details
CSRF Illustrated
While logged into vulnerable site,
victim views attacker site
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
2
Administration
Transactions
Hidden <img> tag
contains attack against
vulnerable site
Application with CSRF
vulnerability
Accounts
Finance
1
Attacker sets the trap on some website on the internet
(or simply via an e-mail)
Custom Code
3
<img> tag loaded by
browser – sends GET
request (including
credentials) to vulnerable
site
Vulnerable site sees
legitimate request from
victim and performs the
action requested
Defense
•
•
•
•
•
Protect valuable actions with CAPTCHA
Validation of Headers (Weak-Sauce)
Expire session, offer logout options
New JSON exposure
Protect the website with CSRF Tokens
– Built into MVC.NET
– Implementation is more difficult than it seems
Security Misconfigurations
Web applications rely on a secure foundation
• Everywhere from the OS up through the App Server
• Don’t forget all the libraries you are using!!
Is your source code a secret?
• Think of all the places your source code goes
• Security should not require secret source code
CM must extend to all parts of the application
• All credentials should change in production
Typical Impact
• Install backdoor through missing OS or server patch
• XSS flaw exploits due to missing application framework patches
• Unauthorized access to default accounts, application functionality or data, or
unused but accessible functionality due to poor server configuration
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
Administration
Transactions
Accounts
Finance
Security Misconfig Illustrated
Database
Custom Code
App Configuration
Framework
Development
App Server
QA Servers
Web Server
Insider
Hardened OS
Test Servers
Source Control
Defense
• Cassini is a LIAR, do not trust it!
• ASP.NET won’t serve particular types of files
by default:
– DON’T RENAME THEM! Web.config.bak WILL be
served!
– Don’t allow directory browsing
• Don’t let developers know secure connection
strings to production if you can avoid it.
Insecure Cryptographic Storage
Storing sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data gets stored
• Databases, files, directories, log files, backups, etc.
• Failure to properly protect this data in every location
Typical Impact
• Attackers access or modify confidential or private information
• e.g, credit cards, health care records, financial data (yours or your customers)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident, such as forensics, sending apology
letters, reissuing thousands of credit cards, providing identity theft insurance
• Business gets sued and/or fined
1
Victim enters credit card
number in form
Accounts
Finance
Administration
Transactions
Communication
Knowledge
Mgmt
E-Commerce
Bus. Functions
Insecure Cryptographic Storage
Illustrated
Custom Code
4
Log files
Malicious insider
steals 4 million credit
card numbers
Logs are accessible to all
members of IT staff for
debugging purposes
Error handler logs CC
details because merchant
gateway is unavailable
3
2
Defense
• Are you encrypting sensitive information w/
SQL Server 2008?
• Are you storing sensitive information in places
you ought not to? Logs, emails, etc..
• What are you encrypting in the database
URL Access
How do you protect access to URLs (pages)?
• This is part of enforcing proper “authorization”, along with
A4 – Insecure Direct Object References
A common mistake …
• Displaying only authorized links and menu choices
• This is called presentation layer access control, and doesn’t work
• Attacker simply forges direct access to ‘unauthorized’ pages
Typical Impact
• Attackers invoke functions and services they’re not authorized for
• Access other user’s accounts and data
• Perform privileged actions
Failure to Restrict URL Access
Illustrated
h ttp s ://w w w .o n lin e b a n k .c o m /u s er/g e tA c c o u n ts
• Attacker notices the URL
indicates his role
/user/getAccounts
• He modifies it to another
directory (role)
/admin/getAccounts, or
/manager/getAccounts
• Attacker views more
accounts than just their
own
Defense
• Use [Authorization] headers where appropriate
• Use Web.Config <sections> where appropriate
• Consider using Role filters and
[Permission.Demand] attributes over features
• Consider: Who owns this, who can maintain it,
how high up the chain can they call?
• Don’t forget all your super rad JSON stuff!
• Service calls need security love too!
Insufficient Transport Layer Protection
Transmitting sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data is sent
• On the web, to backend databases, to business partners, internal communications
• Failure to properly protect this data in every location
Typical Impact
• Attackers access or modify confidential or private information
• e.g, credit cards, health care records, financial data (yours or your customers)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident
• Business gets sued and/or fined
Insufficient Transport Layer Protection
Illustrated
Business Partners
External Victim
Custom Code
1
External attacker
steals credentials
and data off
network
External Attacker
Backend Systems
2
Employees
Internal attacker
steals credentials and
data from internal
network
Internal Attacker
Defense
• Use awesome certificates (aka, 3rd party
verified, non-expired)
• Set them UP CORRECTLY (validate)
• Insecure landing page
• Don’t use redirects, use HTTPS only
• Insecure Content Attacks
• Use Strong encryption
Unvalidated Redirects & Forwards
Web application redirects are very common
• And frequently include user supplied parameters in the destination URL
• If they aren’t validated, attacker can send victim to a site of their choice
Forwards (aka Transfer in .NET) are common too
• They internally send the request to a new page in the same application
• Sometimes parameters define the target page
• If not validated, attacker may be able to use unvalidated forward to
bypass authentication or authorization checks
Typical Impact
• Redirect victim to phishing or malware site
• Attacker’s request is forwarded past security checks, allowing
unauthorized function or data access
Unvalidated Redirect Illustrated
Attacker sends attack to victim via email or webpage
Bus. Functions
E-Commerce
Knowledge Mgmt
Communication
Transactions
Victim clicks link containing unvalidated parameter
Application redirects
victim to attacker’s site
Administration
2
3
Finance
From: Internal Revenue Service
Subject: Your Unclaimed Tax Refund
Our records show you have an
unclaimed federal tax refund. Please
click here to initiate your claim.
Accounts
1
Custom Code
Request sent to vulnerable
site, including attacker’s
destination site as parameter.
Redirect sends victim to
attacker site
http://www.irs.gov/taxrefund/claim.jsp?year=2006
& … &dest=www.evilsite.com
Evil Site
4
Evil site installs malware on
victim, or phish’s for private
information
Defense
• Don’t do that!
• If you have to, use some variable to control
location, not user supplied code
• Be wary of Response.Redirect! The action may
still performed even if the site is redirected!
Other .NET Framework Components
•
•
•
•
Monitoring / health frameworks
SecureStrings
Encryption: Built in frameworks
Data leaking:
– Viewstate encryption
– Errors and error handling
More stuff
•
•
•
•
Awareness of what is publicly indexed
Developer comments
Robots.txt
Crossdomain.xml
Summary
• Out of the box, MVC.NET is the easiest
defendable web application framework I have
ever used.
• ASP.NET comes with many built in
components that can really help you out (if
utilized)
• Bad code can be written in any language.
Don’t do that
QA?
• Twitter: awilsong
• Blog: http://pinvoke.wordpress.com
• Email: [email protected]