Securing .Net Hosted Services
  • 2. Introduction
    ◦ Myself
      ◦ Education
      ◦ Professional experience
    ◦ Project
      ◦ .Net Hosted Services: WCF, Web API, Data Services
      ◦ OWASP Top Ten and how it applies to hosted services
BRETT NEMEC
  • 3. Windows Communication Foundation
    ◦ Part of the .Net framework: System.ServiceModel namespace, introduced in version 3.0
    ◦ The Service Model
      ◦ Service oriented and interoperable
      ◦ Declarative configuration (App.config / web.config)
      ◦ Follows the WS-* security standards (WS-Security, WS-Trust, WS-SecureConversation)
      ◦ Supports multiple transports and encodings
      ◦ Extensible
    ◦ Security
      ◦ SOAP message integrity and confidentiality
      ◦ Authentication on service and client
      ◦ Integration with existing technology (Windows, X.509, WIF)
  • 4. WCF architecture (layered diagram)
    ◦ Host: WAS, ASP.NET (IIS), Windows Service
    ◦ Service Model: Services, Endpoints, Contracts, Operations
    ◦ Messaging: Transport (HTTP, TCP, Queues), Transport Security, Message Security, Serialization (XML or Binary)
  • 5. MVC Web API
    ◦ Began as the WCF Web API project; ships with ASP.NET MVC 4
      ◦ Model-View-Controller pattern
      ◦ RESTful architecture: CRUD mapped to HTTP verbs
    ◦ Security
      ◦ Integration with existing technology
      ◦ Authentication
      ◦ Attributes: HttpGet, HttpPost, Authorize
  • 6. Using the Authorize attribute
  • 7. Data Services
    ◦ Model driven architecture: Object Relational Mapping, Entity Framework
    ◦ OData (Open Data Protocol)
    ◦ On-premises, the data owner keeps more control over the data
    ◦ Cloud
      ◦ Introduces added risk because the data lives in foreign environments
      ◦ The data owner can have less control
  • 8. OWASP
    ◦ Stands for Open Web Application Security Project
    ◦ Not-for-profit organization dedicated to web security; helps raise awareness of trends in security threats
    ◦ Support for the most popular web technologies: Java, C/C++, .Net, PHP
    ◦ Top Ten security risks of 2013
  • 9. OWASP Top Ten Security Risks of 2013 (RC)
    ◦ A1 – Injection
    ◦ A2 – Broken authentication and session management
    ◦ A3 – Cross-site scripting (XSS)
    ◦ A4 – Insecure direct object references
    ◦ A5 – Security misconfiguration
    ◦ A6 – Sensitive data exposure
    ◦ A7 – Missing function level access control
    ◦ A8 – Cross-site request forgery (CSRF)
    ◦ A9 – Using known vulnerable components
    ◦ A10 – Unvalidated redirects and forwards
  • 10. A1 – Injection
    ◦ SQL Injection example
      ◦ WCF operation GetPersonByName(string name), called with name = ' or '1'='1
      ◦ The service builds the SQL by concatenation: var query = "select * from Person where name = '" + name + "'";
      ◦ Resolves to select * from Person where name = '' or '1'='1, which is true for every row, so the whole table is returned
    ◦ One of the most prominent classes of input validation errors
    ◦ Don't hand user input to command interpreters; use a parameterized interface: var query = "select * from Person where name = @name";
    ◦ Entity Framework v5
      ◦ Model driven ORM; SQL is generated behind the scenes
      ◦ LINQ queries (LINQ to Entities, or the older LINQ to SQL) are translated to parameterized SQL; raw-SQL entry points still need parameters
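The GetPersonByName operation from the slide written three ways, as an added example that is not code from the slides: the concatenating version the slide attacks (kept deliberately vulnerable), the parameterized SqlCommand fix, and the Entity Framework equivalent. The connection string, the Person table and the PersonContext type are assumptions of the example.

```csharp
using System;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;
using System.ServiceModel;

public class Person
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// Assumed EF 5 context over the same Person table.
public class PersonContext : DbContext
{
    public DbSet<Person> People { get; set; }
}

[ServiceContract]
public interface IPersonService
{
    [OperationContract]
    string GetPersonByName(string name);
}

public class PersonService : IPersonService
{
    // Assumed connection string.
    private const string ConnectionString = "Server=.;Database=People;Integrated Security=true";

    // VULNERABLE (what the slide describes): with name = ' or '1'='1 the statement becomes
    //   select Name from Person where Name = '' or '1'='1
    // and the WHERE clause is true for every row.
    public string GetPersonByNameUnsafe(string name)
    {
        var query = "select Name from Person where Name = '" + name + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(query, conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    // FIXED: the value is sent as a typed parameter and never spliced into the SQL text,
    // so quotes inside it cannot change the structure of the statement.
    public string GetPersonByName(string name)
    {
        const string query = "select Name from Person where Name = @name";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(query, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    // Entity Framework: the LINQ expression is compiled to parameterized SQL, so the ORM
    // gives the same protection. The raw-SQL entry points (Database.SqlQuery,
    // Database.ExecuteSqlCommand) are only safe when they too receive parameters
    // rather than concatenated strings.
    public string GetPersonByNameEf(string name)
    {
        using (var db = new PersonContext())
        {
            return db.People
                     .Where(p => p.Name == name)
                     .Select(p => p.Name)
                     .FirstOrDefault();
        }
    }
}
```

Only GetPersonByName is exposed on the contract; GetPersonByNameUnsafe is kept in the class purely to show the pattern a code review should reject.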
  • 11. A2 – Broken authentication and session management
    ◦ WCF is stateless by default; stateful sessions can be enabled in configuration
      ◦ Session support depends on the binding: basicHttpBinding has none, wsHttpBinding and netTcpBinding can establish one
    ◦ Message authentication: certificate authentication over transport security
      ◦ Satisfies the Level 1 authentication requirements of the OWASP Application Security Verification Standard (ASVS), section V2: all pages and resources must require authentication except those that are intentionally public
      ◦ Certificate authentication pre-authenticates the client to the service
      ◦ The Authorize attribute is then used for business-level authorization of the already authenticated client
  • 12. A3 – Cross-site scripting (XSS)
    ◦ WCF is not directly vulnerable to XSS: messages are XML based, not URLs, and the service renders no HTML
    ◦ Data the service stores or returns can still be rendered by a web client, so validate inputs here and encode outputs there
    ◦ Implement custom input/output parameter inspectors with the IParameterInspector interface (System.ServiceModel.Dispatcher)
  • 13. A4 – Insecure direct object references
    ◦ Authorize attribute using role-based authorization
      ◦ When a message is sent to an endpoint, the service calls the custom role provider for the requested operation
      ◦ Example: [Authorize(Roles = "Administrators")] public IEnumerable<User> GetAllUsers();
    ◦ A role check limits who may call the operation; a direct object reference (an id in the request) also needs a per-object check that the caller may access that record
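An added example covering the Authorize attribute slide (slide 6) and the A4 slide above; it is not the listing from the original deck. A Web API (MVC 4) controller uses [Authorize] for the role check and adds the per-object ownership check that an insecure direct object reference needs. Order, OrdersController and the in-memory sample data are constructed for the example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;

public class Order
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public decimal Total { get; set; }
}

[Authorize]                                  // every action requires an authenticated caller
public class OrdersController : ApiController
{
    // Constructed sample data standing in for a repository.
    private static readonly List<Order> Orders = new List<Order>
    {
        new Order { Id = 1, OwnerUserName = "alice", Total = 120m },
        new Order { Id = 2, OwnerUserName = "bob",   Total = 75m  },
    };

    // Function-level control: only members of the Administrators role may list every order.
    // GET /api/orders
    [HttpGet]
    [Authorize(Roles = "Administrators")]
    public IEnumerable<Order> GetAll()
    {
        return Orders;
    }

    // Object-level control: a role is not enough for a direct object reference such as
    // GET /api/orders/2. The caller must own the order or be an administrator.
    [HttpGet]
    public HttpResponseMessage Get(int id)
    {
        var order = Orders.FirstOrDefault(o => o.Id == id);
        var isAdmin = User.IsInRole("Administrators");
        if (order == null || (!isAdmin && order.OwnerUserName != User.Identity.Name))
        {
            // Same response for "missing" and "not yours", so ids cannot be enumerated.
            return Request.CreateResponse(HttpStatusCode.NotFound);
        }
        return Request.CreateResponse(HttpStatusCode.OK, order);
    }
}
```

The roles come from whatever principal the host sets up (Windows groups, a custom RoleProvider, or role claims on a WIF ClaimsPrincipal), which is the role provider the slide refers to; the attribute itself only asks User.IsInRole.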
  • 14. A5 – Security misconfiguration
    ◦ Don't expose metadata (WSDL / MEX)
      ◦ Can be turned on for debugging in configuration: App.config or web.config, system.serviceModel element (serviceMetadata httpGetEnabled, serviceDebug includeExceptionDetailInFaults)
      ◦ Must be disabled for production
    ◦ Custom web page in place of the default service help and error pages
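An added example, not code from the slides, that wires up a self-hosted WCF service the way slides 11 and 14 describe: clients authenticate with an X.509 certificate over HTTPS (A2), and metadata publishing and exception detail in faults are switched off for production (A5). The IPersonService/PersonService types, the address, the choice of binding and validation mode, and the assumption that a server certificate is already bound to port 8443 (netsh http add sslcert) are all assumptions of the example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

public static class HardenedHost
{
    public static ServiceHost Create(bool production)
    {
        // Assumed service type and address.
        var host = new ServiceHost(typeof(PersonService), new Uri("https://localhost:8443/person"));

        // Slide 11: transport security (TLS) with the client's certificate as its credential.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IPersonService), binding, "");

        // The presented client certificate must chain to a trusted root, with revocation checked.
        // The dev-time shortcut X509CertificateValidationMode.None accepts any certificate,
        // including a self-signed one an attacker generates, and must never reach production.
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        // Slide 14: metadata over GET only while debugging, never in production.
        // Equivalent web.config under <system.serviceModel><behaviors><serviceBehaviors><behavior>:
        //   <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        //   <serviceDebug includeExceptionDetailInFaults="false" />
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata == null)
        {
            metadata = new ServiceMetadataBehavior();
            host.Description.Behaviors.Add(metadata);
        }
        metadata.HttpGetEnabled = !production;
        metadata.HttpsGetEnabled = !production;

        // Stack traces and exception messages in SOAP faults leak internals to the caller.
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug == null)
        {
            debug = new ServiceDebugBehavior();
            host.Description.Behaviors.Add(debug);
        }
        debug.IncludeExceptionDetailInFaults = !production;

        return host;
    }

    public static void Main()
    {
        using (var host = Create(production: true))
        {
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Passing one production flag through both behaviors keeps the debug conveniences from being forgotten individually at deployment time, which is the misconfiguration the slide warns about.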
  • 15. A6 – Sensitive data exposure
    ◦ Store sensitive data in its encrypted form
    ◦ Passwords
      ◦ Don't store the password, store a hash
      ◦ Random salt per user (the slide says 256 bytes; 16 to 32 bytes is ample) from a cryptographic random number generator (RNGCryptoServiceProvider in .Net, not System.Random)
      ◦ SHA-256(Salt + Password) = salted password hash; a deliberately slow key-derivation function such as PBKDF2 (Rfc2898DeriveBytes) resists offline cracking far better than a single SHA-256 round
      ◦ Every time the user changes the password, a new salt is generated
      ◦ Database table has two columns, which allows one-way validation: PasswordSalt (non-sensitive) and PasswordHash
      ◦ Lock out after a specified number of failed attempts; this slows online brute force attacks
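An added example, not from the slides, of the password scheme above: a salt from the cryptographic RNG, a slow key-derivation function in place of a single SHA-256 round, constant-time verification, and the failed-attempt lockout the slide calls for. The salt and hash sizes, the iteration count and the lockout policy are choices made for this example, not values the slide gives.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class PasswordStore
{
    private const int SaltBytes = 32;       // 256-bit salt, fresh for every password change
    private const int HashBytes = 32;
    private const int Iterations = 100000;  // PBKDF2 work factor; tune so Derive takes ~100 ms

    // Produces the two columns the slide describes: PasswordSalt (not secret) and PasswordHash.
    public static void Create(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())   // CSPRNG, not System.Random
            rng.GetBytes(salt);
        hash = Derive(password, salt);
    }

    public static bool Verify(string password, byte[] salt, byte[] storedHash)
    {
        return FixedTimeEquals(Derive(password, salt), storedHash);
    }

    // PBKDF2 (HMAC-SHA1 in the .NET Framework's Rfc2898DeriveBytes). The iteration count
    // is what makes an offline attack on a leaked table expensive.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte so timing does not reveal how long a matching prefix is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Lockout after repeated failures slows online guessing. A real service keeps these
// counters in the user store; this in-memory version is for illustration.
public sealed class LoginThrottle
{
    private readonly int _maxFailures;
    private readonly TimeSpan _lockout;
    private readonly Dictionary<string, Tuple<int, DateTime>> _failures =
        new Dictionary<string, Tuple<int, DateTime>>();
    private readonly object _gate = new object();

    public LoginThrottle(int maxFailures, TimeSpan lockout)
    {
        _maxFailures = maxFailures;
        _lockout = lockout;
    }

    public bool IsLockedOut(string user)
    {
        lock (_gate)
        {
            Tuple<int, DateTime> state;
            return _failures.TryGetValue(user, out state)
                && state.Item1 >= _maxFailures
                && DateTime.UtcNow - state.Item2 < _lockout;
        }
    }

    public void RecordFailure(string user)
    {
        lock (_gate)
        {
            Tuple<int, DateTime> state;
            int count = 1;
            // Continue the count only while the previous lockout window is still open.
            if (_failures.TryGetValue(user, out state) && DateTime.UtcNow - state.Item2 < _lockout)
                count = state.Item1 + 1;
            _failures[user] = Tuple.Create(count, DateTime.UtcNow);
        }
    }

    public void RecordSuccess(string user)
    {
        lock (_gate) { _failures.Remove(user); }
    }
}
```

A login path checks IsLockedOut first, calls PasswordStore.Verify, and then records the outcome; the salt column needs no protection because its only job is to make precomputed tables useless.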
  • 16. A7 – Missing function level access control
    ◦ Related to A4, Insecure Direct Object References
    ◦ WCF is stateless by default; with the default, sessions are not a concern
    ◦ If using sessions, control the order of operations with OperationContract properties
      ◦ IsInitiating: only these operations may begin a session
      ◦ IsTerminating: these operations end it
    ◦ Windows Identity Foundation
      ◦ Supports federated, claims-based security
      ◦ Authorized claim sets are used similarly to role-based authorization
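An added example, not from the slides: a sessionful WCF contract whose operation order is enforced with IsInitiating and IsTerminating, whose entry operation demands a role, and which also performs a claims check of the kind the WIF bullet describes. The contract, the Analysts role and the claim type are assumptions of the example.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Permissions;
using System.ServiceModel;
using System.Threading;

[ServiceContract(SessionMode = SessionMode.Required)]
public interface IReportService
{
    // Only Open can begin a session; a client that calls Next or Close first is rejected
    // by the WCF runtime before any service code runs.
    [OperationContract(IsInitiating = true, IsTerminating = false)]
    void Open(string reportSet);

    [OperationContract(IsInitiating = false, IsTerminating = false)]
    string Next();

    // Close ends the session; no further calls are accepted on it.
    [OperationContract(IsInitiating = false, IsTerminating = true)]
    void Close();
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
public class ReportService : IReportService
{
    // Assumed claim type naming the report sets a caller may open.
    private const string ReportSetClaim = "http://schemas.example.com/claims/reportset";
    private Queue<string> _pages;

    // Function-level control: only the Analysts role may start a report session.
    // With the default PrincipalPermissionMode the role is a Windows group; with WIF
    // configured it is satisfied by a role claim on the ClaimsPrincipal.
    [PrincipalPermission(SecurityAction.Demand, Role = "Analysts")]
    public void Open(string reportSet)
    {
        // Claims-based check: the caller must hold a claim for this particular report set,
        // which is the per-object check a role alone does not give.
        var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
        if (principal == null || !principal.HasClaim(ReportSetClaim, reportSet))
            throw new FaultException("Not authorized for the requested report set.");

        // Constructed sample pages standing in for real report data.
        _pages = new Queue<string>(new[] { reportSet + " page 1", reportSet + " page 2" });
    }

    public string Next()
    {
        // The runtime guarantees Open ran first on this session, so _pages is set.
        return _pages.Count > 0 ? _pages.Dequeue() : null;
    }

    public void Close()
    {
        _pages = null;
    }
}
```

Because the PerSession instance is created by Open and discarded at Close, the authorization decision made in Open covers every later call on that session; without the IsInitiating flags a client could skip Open and call Next on a fresh instance.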
  • 17. A8 – Cross-site request forgery (CSRF)
    ◦ WCF is message based (SOAP over POST with its own content type), so a browser form cannot forge a request; it is less of a risk than for cookie-authenticated web endpoints
    ◦ It is possible to implement controls for this risk
    ◦ Windows Identity Foundation
      ◦ If implemented, the service already relies on a Security Token Service (STS)
      ◦ The STS processes the user's authentication request and issues a token carrying a claim set for the user
      ◦ When the user sends a message to the service, the token is presented with the message and the service validates the token's signature and claims
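The control the slide says is possible, as an added example that is not from the deck, for the one hosted-service case where CSRF does apply: a Web API endpoint that authenticates with a browser cookie. A message handler requires the MVC anti-forgery token pair (cookie plus a request header set by the page's script) on every state-changing request. The header name is an assumption; AntiForgery and AntiForgeryConfig are the System.Web.Helpers types ASP.NET MVC 4 itself uses, and they need an HttpContext, so this runs under IIS/ASP.NET hosting.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers;

public class AntiForgeryHandler : DelegatingHandler
{
    private const string HeaderName = "X-RequestVerificationToken";   // assumed header name

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (IsStateChanging(request.Method))
        {
            // Cookie half of the pair, under the name MVC's anti-forgery helper uses.
            string cookieToken = null;
            var cookie = request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
            if (cookie != null)
                cookieToken = cookie[AntiForgeryConfig.CookieName].Value;

            // Request half of the pair: a custom header, which a cross-site form cannot set.
            string headerToken = null;
            IEnumerable<string> values;
            if (request.Headers.TryGetValues(HeaderName, out values))
                headerToken = values.FirstOrDefault();

            try
            {
                // Throws unless the header token was issued together with this cookie token
                // for the current user.
                AntiForgery.Validate(cookieToken, headerToken);
            }
            catch (HttpAntiForgeryException)
            {
                var denied = request.CreateResponse(
                    HttpStatusCode.Forbidden, "missing or invalid anti-forgery token");
                return Task.FromResult(denied);
            }
        }
        return base.SendAsync(request, cancellationToken);
    }

    // GET/HEAD/OPTIONS must have no side effects, so only the verbs that change state are checked.
    private static bool IsStateChanging(HttpMethod method)
    {
        return method == HttpMethod.Post
            || method == HttpMethod.Put
            || method == HttpMethod.Delete
            || method.Method == "PATCH";
    }
}
```

Register it with config.MessageHandlers.Add(new AntiForgeryHandler()) in WebApiConfig; the page obtains the token pair from AntiForgery.GetTokens (or @AntiForgery.GetHtml()) and copies the form token into the header on each XMLHttpRequest. A SOAP endpoint behind the WCF bindings on this page does not need this: a cross-origin browser request with a text/xml body and a SOAPAction header is blocked by the browser's preflight unless the service explicitly enables CORS.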
  • 18. A9 – Using known vulnerable components
    ◦ Don't use components that are untested or whose source is unknown
    ◦ Most controls and tools are already part of the .Net framework
      ◦ Entity Framework v5
      ◦ Tight integration with existing Microsoft .Net technologies
      ◦ Beta versions are not a good idea
    ◦ OWASP ESAPI for .Net
      ◦ The website states it is not suitable for production use
      ◦ A good reason not to use it
  • 19. A10 – Unvalidated redirects and forwards
    ◦ Redirects and forwards should be avoided
    ◦ WCF is not at risk the way web applications are, but sometimes parameters contain the target page
    ◦ Validate such parameters with a custom IParameterInspector against an allow-list of destinations
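The IParameterInspector that slides 12 (A3) and 19 (A10) both suggest, as one added example that is not from the deck, attached to every operation of an endpoint through an endpoint behavior. It rejects redirect targets outside an allow-list of hosts, and rejects markup in string inputs as defence in depth for XSS (the consuming web client must still encode what it renders). The allowed host and the fault texts are assumptions of the example.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public class SafeInputInspector : IParameterInspector
{
    // Assumed allow-list: only these hosts may be used as redirect or forward targets.
    private static readonly HashSet<string> AllowedRedirectHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.com" };

    // Runs before the operation; inputs are the deserialized parameters in declaration order.
    public object BeforeCall(string operationName, object[] inputs)
    {
        foreach (var input in inputs)
        {
            var text = input as string;
            if (text == null) continue;

            // A10: anything that looks like an absolute or protocol-relative URL must be
            // an HTTPS URL on the allow-list. Relative paths are not treated as redirects here.
            if (LooksLikeUrl(text) && !IsAllowedRedirect(text))
                throw new FaultException("Redirect target is not permitted.");

            // A3 (defence in depth): no markup in free-text fields that a client may render.
            if (text.IndexOf('<') >= 0 || text.IndexOf('>') >= 0)
                throw new FaultException("Markup is not permitted in this field.");
        }
        return null;   // correlation state handed to AfterCall
    }

    // Runs after the operation; outputs and the return value could be screened the same way.
    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState)
    {
    }

    private static bool LooksLikeUrl(string text)
    {
        return text.StartsWith("http://", StringComparison.OrdinalIgnoreCase)
            || text.StartsWith("https://", StringComparison.OrdinalIgnoreCase)
            || text.StartsWith("//");                      // protocol-relative, fails below
    }

    // Accepts only an absolute HTTPS URL whose host is on the allow-list.
    public static bool IsAllowedRedirect(string target)
    {
        Uri uri;
        return Uri.TryCreate(target, UriKind.Absolute, out uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && AllowedRedirectHosts.Contains(uri.Host);
    }
}

// Installs the inspector on every dispatch operation of the endpoint.
public class SafeInputBehavior : IEndpointBehavior
{
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
        foreach (var operation in endpointDispatcher.DispatchRuntime.Operations)
            operation.ParameterInspectors.Add(new SafeInputInspector());
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Attach it with host.Description.Endpoints[0].Behaviors.Add(new SafeInputBehavior()) before the host is opened. The angle-bracket rule is deliberately blunt and will reject legitimate data in some fields; scope it to the operations that feed a web UI, and keep output encoding in the client as the primary XSS control.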
  • 20. Review
    ◦ Windows Communication Foundation
    ◦ ASP.NET MVC Web API
    ◦ OWASP Top Ten project