Application Security Part 1 Threat Defense In Client Server Applications With .NET



This presentation grew out of my experience with testing client-server applications (web, disconnected thin client, etc.) for security issues. The knowledge was gained through research and experience. I gave the presentation to the Cedar Rapids .NET User Group in 2006.


    1. Application Security Part 1 – Threat Defense in Client/Server Applications
       Presented by Greg Sohl © 2006, Gregory M. Sohl
    2. Application Security?
      • Not Physical Security
      • Not Network Security
      • Not Just Protocol Security (e.g. SSL / HTTPS)
      • Not CAS (Code Access Security) – at least not directly
      • Coding Practices and Techniques
    3. Who are the Attackers?
      • Disgruntled staff or developers
      • “Drive-by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack
      • Motivated criminal attackers, such as organized crime
      • Criminal attackers without motive against your organization, such as defacers
      • Script kiddies
    4. Application Security – Part 1
      • Tonight’s Focus – Protecting against common application attacks
        • Threat Modeling
        • Types of Attacks
        • Defenses against Attacks
        • Tools and Resources
    5. Threat Modeling
      • Identifying points of your application that are subject to attack
        • Create overview of the application architecture
          • Document Trust Boundaries
        • Identify the assets that need protecting
        • Document the application entry points
        • Document the application’s trust levels
        • Decompose the application with DFDs
        • Identify and Rank Threats
          • Build an attack tree for each threat
    6. Trust Boundaries
    7. Threat Modeling – Classify Threats
      • STRIDE:
        • Spoofing identity
        • Tampering with data
        • Repudiation
        • Information disclosure
        • Denial of service
        • Elevation of privilege
    8. Threat Modeling – Ranking Threats
      • DREAD – Threat ranking
        • Damage Potential
          • How great is the damage if the vulnerability is exploited?
        • Reproducibility
          • How easy is it to reproduce the attack?
        • Exploitability
          • How easy is it to launch an attack?
        • Affected Users
          • As a rough percentage, how many users are affected?
        • Discoverability
          • How easy is it to find the vulnerability?
    9. Threat Modeling Tool
    10. Common Application Attacks
      • Authentication Attacks
      • Buffer Overruns
      • Circumvention of expected logic flow
      • Cross-Site Scripting (XSS)
      • Denial of Service
      • HTML Injection
      • Input Manipulation Attacks
      • LDAP Injection
      • Message Replay
      • Repudiation
      • SQL Injection
    11. Authentication Attack
      • Types of applications vulnerable: All requiring authentication
    12. Authentication Attack
      • Brute Force & Dictionary Attacks
        • Mitigate by
          • Require strong passwords
          • Store passwords as salted, non-reversible hashes
            • Use a unique random salt per user and a slow, iterated hash (PBKDF2 is available as Rfc2898DeriveBytes in .NET 2.0); a single unsalted MD5 or SHA-1 of the password is cheap to attack with precomputed tables
          • Use the new SecureString class (introduced in .NET 2.0) to hold password values in memory
            • This shortens the time the plaintext sits in process memory; it does nothing against guessing attacks, so it complements the other items rather than replacing them
          • Account lockout with multiple failed login attempts
            • Don’t reveal that the account is locked out. This only assists the attacker by telling them they have guessed an account name correctly.
            • Lockout also lets an attacker lock legitimate users out on purpose; a temporary lockout or a growing delay between attempts limits that side effect
          • Upon a failed login, do not reveal which part of a login was incorrect, and make both failure paths take the same time so the response time does not reveal it either
          • Utilize multi-factor authentication.
          • Keep logs of login attempts, successful and failed. Monitor logs for patterns of hacking attempts.
    13. Authentication Attack
      • Session Hijacking
        • Types of applications vulnerable: Any passing a session key over a communication channel
        • Mitigate by
          • Using an encrypted communication channel (SSL / HTTPS, or an encrypted TCP channel for Remoting) so the session key cannot be read off the wire
          • Keeping the session cookie off unencrypted requests and away from script: requireSSL on <forms> and httpOnlyCookies on <httpCookies> in web.config (both available in ASP.NET 2.0)
          • Incorporating session timeouts at the lowest tolerable level
            • timeout attribute on <sessionState> in web.config
          • Issuing a fresh session identifier when the user authenticates, so a session identifier the attacker planted before login is not upgraded to an authenticated one
    14. Authentication Attack
      • Credential Theft
        • Mitigate by
          • Utilizing two-factor / multi-factor authentication
            • However, read Bruce Schneier’s caveats: a second factor raises the cost of a stolen password but does not stop a man-in-the-middle or a Trojan riding an already-authenticated session
          • Protecting the credential in transit and at rest (encrypted channel, salted hashes) as on the previous slides, so there is less to steal
    15. Authentication Attack
      • Resources
        • Strong Passwords
          • Extreme example!
        • How can I store passwords in a custom user database (Hashing and Salting)
        • Secure Password Programming with .NET
        • ASP.NET Membership API
        • Using the New Security Controls in ASP.NET 2.0
        • Wikipedia on Two-Factor Authentication
        • RSA SecurID (not a product endorsement – just an example of a two-factor authentication product)
    16. Buffer Overflow Attacks
      • Types of applications vulnerable: Unmanaged (native) code, including native code reached from managed code through P/Invoke, COM interop or unsafe blocks
      • Mitigate by
        • Use 100% Managed Code (the CLR bounds-checks arrays and strings)
        • Careful use of non-managed code when necessary: validate lengths before crossing the managed/native boundary, and remember that a native library you call is still native code
    17. Circumvention of Expected Logic Flow Attack
      • Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services
      • The attacker skips or reorders steps (for example, sends the “confirm order” request without ever passing the “payment” page) because the server assumed the client would follow the UI
      • Mitigate by
        • Careful management of session / state information: record on the server which steps have actually been completed
        • Don’t trust the client
        • Authorize every action / transaction / message individually, on the server
    18. Cross Site Scripting Attack (XSS)
      • Types of applications vulnerable: Any that renders untrusted input into HTML (ASP.NET here)
      • Mitigate by:
        • Encoding every piece of untrusted text at output time, for the context it lands in: HTML encoding for element content, attribute encoding for attribute values, URL encoding for query-string parameters. Encoding for the wrong context, or on input instead of output, leaves holes.
        • Note that HttpUtility.HtmlEncode in .NET 2.0 does not encode the apostrophe, so a value placed inside a single-quoted attribute is not protected by it.
      • Demo
      • Resources
        • Microsoft Anti-Cross Site Scripting Library V1.0
          • Allows only known “good” text and encodes all other text. This contrasts with the corresponding methods in the HttpUtility class, which rewrite a fixed list of known “bad” characters.
        • CERT Advisory
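The allow-list versus deny-list contrast and the context point above, as an added example in C#; this is neither the Anti-XSS library's code nor the presentation's. It assumes System.Web.dll (classic ASP.NET; on modern .NET substitute System.Net.WebUtility and System.Text.Encodings.Web). The sample probe string is constructed.

```csharp
// Added example for this page; not the Anti-XSS library's or the presentation's code.
using System;
using System.Text;
using System.Web;

public static class OutputEncoding
{
    // Allow-list approach: ASCII letters and digits plus a few harmless punctuation
    // characters pass through unchanged; everything else becomes a numeric entity.
    // Nothing has to be added here when a new "dangerous" character is discovered.
    public static string AllowListHtmlEncode(string input)
    {
        if (input == null) return string.Empty;
        StringBuilder sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            bool safe = (c < 128 && char.IsLetterOrDigit(c))
                        || c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
            if (safe) sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // Deny-list contrast: the framework encoder rewrites a fixed set of characters
    // and, in .NET 2.0, leaves the apostrophe alone, so its output is not safe
    // inside a single-quoted attribute.
    public static string FrameworkHtmlEncode(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }

    // The encoder is chosen by where the value lands, never by what the value is:
    // element content, a double-quoted attribute value, and a query-string parameter.
    public static string RenderProfileLink(string untrustedName)
    {
        return "<p>Hello, " + AllowListHtmlEncode(untrustedName) + "</p>"
             + "<a title=\"" + HttpUtility.HtmlAttributeEncode(untrustedName) + "\""
             + " href=\"/profile?user=" + HttpUtility.UrlEncode(untrustedName) + "\">profile</a>";
    }
}
```

Passing the constructed probe "<script>alert('x')</script>" to RenderProfileLink yields markup in which every angle bracket, parenthesis, quote and slash has become an entity in the paragraph and a percent-escape in the href, so the browser shows it as text. Encoding happens at the point of output, not when the value was received, because the same value may be rendered into several contexts.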
    19. Exception Management
      • An unhandled exception page leaks stack traces, file paths, connection strings and SQL text; that detail is the reconnaissance the other attacks on this list start from
      • Mitigate by:
        • Standardize error handling code
        • ASP.NET custom error page (<customErrors mode="On"> or mode="RemoteOnly" in web.config, so the detailed page is never shown to remote users)
        • Last-chance exception catching (Application_Error in Global.asax for ASP.NET)
        • Log detailed data needed for problem diagnosis (on the server, not in the response)
    20. HTML Injection Attack
      • Same root cause as XSS: untrusted input rendered as markup. Here the payload is HTML rather than script, typically for site defacement or to plant a convincing fake login form on your own pages.
        • Types of applications vulnerable: Any that renders untrusted input into HTML (ASP.NET here)
        • Mitigate by:
          • HTML Encoding or URL Encoding all text and parameter output, for its context – same as XSS
    21. Input Manipulation Attack & Trusting the Client’s Authorization
      • Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services
      • Items subject to Input Manipulation
        • ASP.NET ViewState
          • The ViewState MAC (enableViewStateMac, on by default) lets the server detect tampering, and viewStateEncryptionMode hides the contents; neither makes the client trustworthy, and whatever you store there is client-controlled the moment the MAC is switched off
        • POST / GET Fields including hidden fields
        • Cookies
        • HTTP headers such as Referer and User-Agent, which the client sets freely
        • ALL input!
    22. Input Manipulation Attack & Trusting the Client’s Authorization
      • Mitigate by
        • Checking Data for Validity, in this order of preference
          • Constrain: accept only what matches an allow-list of type, length, format and range
          • Reject: refuse anything known to be bad rather than trying to repair it
          • Sanitize: strip or encode as a last resort, since the definition of “bad” keeps changing
          • Centralized approach: one validation library that every entry point calls, instead of per-page checks that drift apart
        • Authorizing on the server from server-side state, never from a role, price or identifier the client sent back
    23. Trust Boundary Chokepoints
      • Use chokepoints between Trust Boundaries
      • Channel all input (and output) through the chokepoints, so validation and output encoding happen in one place and a bypass is a visible code-review finding rather than an oversight on one page
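Slides 21 to 23 together, as an added example in C# with hypothetical names; this is not the presentation's code. Every request field crosses one validation chokepoint (constrain and reject, no repair of identifiers), and the server takes the role and the price from its own state, so a rewritten hidden field, cookie or ViewState value changes nothing that matters. The catalog, the session table and the request values are constructed for the example.

```csharp
// Added example for this page; hypothetical names, not the presentation's code.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public sealed class ValidationException : Exception
{
    public ValidationException(string message) : base(message) { }
}

// The chokepoint: allow-list pattern, length and range. A malformed value is
// refused, not cleaned, so there is no "sanitize" path for identifiers.
public static class InputGate
{
    private static readonly Regex Sku = new Regex(@"^[A-Z0-9]{1,8}$");
    private static readonly Regex AccountId = new Regex(@"^[A-Za-z0-9]{1,11}$");

    public static string RequireSku(string raw)
    {
        if (raw == null || !Sku.IsMatch(raw))
            throw new ValidationException("sku is not in the expected format");
        return raw;
    }

    public static string RequireAccountId(string raw)
    {
        if (raw == null || !AccountId.IsMatch(raw))
            throw new ValidationException("account id is not in the expected format");
        return raw;
    }

    public static int RequireQuantity(string raw)
    {
        int qty;
        if (!int.TryParse(raw, out qty) || qty < 1 || qty > 100)
            throw new ValidationException("quantity must be between 1 and 100");
        return qty;
    }
}

// Everything the client sent, exactly as it arrived: all strings, all untrusted.
public sealed class OrderRequest
{
    public string Account;
    public string Sku;
    public string Quantity;
    public string UnitPrice;   // hidden form field: the client can rewrite it
    public string Role;        // cookie value: the client can rewrite it
}

public static class OrderService
{
    // Server-side truth for the things the client must not decide (constructed data).
    private static readonly Dictionary<string, decimal> Catalog =
        new Dictionary<string, decimal> { { "BOOK1", 19.99m } };
    private static readonly Dictionary<string, string> SessionRoles =
        new Dictionary<string, string> { { "sess-123", "customer" } };

    // Authorizes this one action from server-side session state, passes each field
    // through the chokepoint, and prices from the catalog. req.UnitPrice and req.Role
    // are never read; whatever the client put there is irrelevant.
    public static decimal PlaceOrder(string sessionId, OrderRequest req)
    {
        string role;
        if (sessionId == null || !SessionRoles.TryGetValue(sessionId, out role) || role != "customer")
            throw new UnauthorizedAccessException("not permitted to place orders");

        string account = InputGate.RequireAccountId(req.Account);
        string sku = InputGate.RequireSku(req.Sku);
        int qty = InputGate.RequireQuantity(req.Quantity);

        decimal unitPrice;
        if (!Catalog.TryGetValue(sku, out unitPrice))
            throw new ValidationException("unknown sku");

        decimal total = unitPrice * qty;
        Console.WriteLine("order account={0} sku={1} qty={2} total={3}", account, sku, qty, total);
        return total;
    }
}
```

With a request whose UnitPrice is "0.01" and Role is "admin", PlaceOrder("sess-123", req) still charges 19.99 per unit and still treats the caller as a customer; a request with Sku "BOOK1' OR 1=1" never reaches the catalog lookup because the chokepoint throws first. The same InputGate class is the place to add each new field's rule, which is what the centralized approach on slide 22 means in code.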
    24. LDAP Injection Attack
      • Types of applications vulnerable: All using an LDAP server for authentication and/or authorization data
      • Occurs when user input is concatenated into an LDAP search filter or distinguished name, just as SQL injection concatenates it into a query
      • Mitigate by
        • Constraining the input to an allow-list before it reaches the directory call (an account name has no business containing ( ) * \ or NUL)
        • Otherwise escaping the filter metacharacters as hex sequences as RFC 4515 specifies (* as \2a, ( as \28, ) as \29, \ as \5c, NUL as \00) and, in DN components, the RFC 4514 set ( , + " \ < > ; )
      • SPI Dynamics White Paper
    25. Message Replay
      • Types of applications vulnerable: ASP.NET, WinForms w/ an Application Server, Web Services
      • An attacker who captures a valid message, even one they cannot read, resends it to have the action performed again
      • Mitigate by
        • Uniquely identifying each message with a nonce and timestamp covered by the message signature, so a resent copy is recognisable and a modified one fails signature verification. Cache accepted message signatures for the length of the timestamp window. Check each new message against the cache and reject duplicates; reject messages outside the window outright, since the cache can no longer vouch for them.
      • Resources
        • Implementing Message Replay Detection in WSE 3.0
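The replay defence above, as an added example in C#; this is not WSE 3.0 code and not the presentation's. Each message carries a random nonce and a timestamp under an HMAC-SHA256 signature, and the receiver keeps every accepted signature for one replay window; a message seen twice, or outside the window, is refused. The shared key and the sample body are constructed for the example.

```csharp
// Added example for this page; not WSE code and not the presentation's.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class SignedMessage
{
    public string Body;
    public string Nonce;       // random per message, so identical bodies still differ
    public long Timestamp;     // seconds since 1970-01-01 UTC
    public string Signature;   // HMAC-SHA256 over Nonce|Timestamp|Body, base64
}

public sealed class ReplayGuard
{
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private readonly byte[] key;
    private readonly TimeSpan window;
    // Receiver-side cache: signature -> when it was accepted. It stays bounded because
    // anything older than the window is rejected before the cache is consulted.
    private readonly Dictionary<string, DateTime> seen = new Dictionary<string, DateTime>();

    public ReplayGuard(byte[] sharedKey, TimeSpan replayWindow)
    {
        key = sharedKey;
        window = replayWindow;
    }

    // Sender side: attach nonce, timestamp and signature.
    public SignedMessage Sign(string body, DateTime utcNow)
    {
        byte[] nonce = new byte[16];
        RandomNumberGenerator.Create().GetBytes(nonce);
        SignedMessage m = new SignedMessage();
        m.Body = body;
        m.Nonce = Convert.ToBase64String(nonce);
        m.Timestamp = (long)(utcNow - Epoch).TotalSeconds;
        m.Signature = Mac(m);
        return m;
    }

    // Receiver side: true only for an authentic, fresh, first-time message.
    public bool Accept(SignedMessage m, DateTime utcNow)
    {
        if (m == null || m.Signature == null || m.Nonce == null) return false;
        if (!FixedTimeEquals(Mac(m), m.Signature)) return false;          // forged or tampered
        DateTime sent = Epoch.AddSeconds(m.Timestamp);
        if (sent < utcNow - window || sent > utcNow + window) return false; // stale, or from the future
        Purge(utcNow);
        if (seen.ContainsKey(m.Signature)) return false;                  // replay
        seen[m.Signature] = utcNow;
        return true;
    }

    private string Mac(SignedMessage m)
    {
        // Nonce is base64 and the timestamp is numeric, so the '|' separators are unambiguous.
        byte[] data = Encoding.UTF8.GetBytes(m.Nonce + "|" + m.Timestamp + "|" + m.Body);
        using (HMACSHA256 h = new HMACSHA256(key))
        {
            return Convert.ToBase64String(h.ComputeHash(data));
        }
    }

    private void Purge(DateTime utcNow)
    {
        List<string> expired = new List<string>();
        foreach (KeyValuePair<string, DateTime> e in seen)
            if (e.Value < utcNow - window) expired.Add(e.Key);
        foreach (string s in expired) seen.Remove(s);
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With a constructed key such as Encoding.UTF8.GetBytes("demo-shared-secret") and a five-minute window, guard.Accept(m, now) returns true the first time and false when the same object is presented again; a copy with an edited Body fails the MAC check before the cache is even consulted. The window is what keeps the cache finite, which is why messages outside it must be refused rather than accepted unchecked.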
    26. Repudiation
      • Types of applications vulnerable: All
      • Mitigate by
        • Strong authentication
        • Logging transactions with user information.
        • Message digital signatures
      • Bad example – ARS to iSeries SPs
      • Resources
        • Definition:
    27. SQL Injection Attack
      • Occurs when your application uses input to construct dynamic SQL statements to access the database.
      • Types of applications vulnerable: All using SQL-based databases
    28. SQL Injection Attack
      • Mitigate by:
        • Employing the principle of least privilege for the application’s database login (not dbo or sa; grant only the procedures and tables it actually needs, so a successful injection is limited in what it can do)
        • Using stored procedures, called with parameters
            SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
            myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
            SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
            parm.Value = Login.Text;
          • A stored procedure only helps if its body does not itself build dynamic SQL from the parameter (EXEC of a concatenated string); otherwise the injection simply moves inside the procedure
    29. SQL Injection Attack
      • Using parameterized queries
          SqlDataAdapter myCommand = new SqlDataAdapter(
              "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn);
          SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
              SqlDbType.VarChar, 11);
          parm.Value = Login.Text;
      • Escape user input used in dynamic queries, as a last resort where a parameter cannot be used (a table or column name chosen from user input, which is better checked against an allow-list of names)
          private string SafeSqlLiteral(string inputSQL)
          {
              return inputSQL.Replace("'", "''");
          }
        • This protects a quoted string literal only; it does nothing for numeric contexts, for LIKE wildcards, or for input that is trimmed or truncated after escaping
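The three approaches on slides 28 and 29 side by side, as an added example in C#; this is not the presentation's code. It also goes one step beyond the slides to the LIKE-wildcard case, which neither quote-escaping nor a parameter handles by itself. The Authors table, AuthorLogin procedure and @au_id parameter follow the slides; the injection string is constructed.

```csharp
// Added example for this page; not the presentation's code.
using System.Data;
using System.Data.SqlClient;

public static class AuthorLookup
{
    // Vulnerable: the input is spliced into the statement text, so a quote in the
    // input closes the literal and the rest is parsed as SQL. With the constructed
    // input  ' OR 1=1 --  the WHERE clause becomes  au_id = '' OR 1=1 --'
    public static string VulnerableSql(string login)
    {
        return "SELECT au_lname, au_fname FROM Authors WHERE au_id = '" + login + "'";
    }

    // Escaping only: doubling quotes keeps the input inside the literal, but it
    // covers string literals only (a numeric column compared without quotes stays
    // open) and the result must not be trimmed or truncated afterwards, or the
    // doubling can be broken.
    public static string EscapedSql(string login)
    {
        string safe = login.Replace("'", "''");
        return "SELECT au_lname, au_fname FROM Authors WHERE au_id = '" + safe + "'";
    }

    // Parameterized: the value travels separately from the statement and is never
    // parsed as SQL, whatever it contains. Declaring type and size also bounds what
    // reaches the server.
    public static SqlCommand ParameterizedCommand(SqlConnection conn, string login)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn);
        cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = login;
        return cmd;
    }

    // Stored procedure: the same parameter discipline. The procedure body must not
    // rebuild dynamic SQL from @au_id with EXEC, or the injection just moves there.
    public static SqlCommand StoredProcedureCommand(SqlConnection conn, string login)
    {
        SqlCommand cmd = new SqlCommand("AuthorLogin", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = login;
        return cmd;
    }

    // Wildcards are data to LIKE, not syntax to the parser, so a parameter does not
    // neutralise them: a user-supplied "%" still matches every row. Escape them and
    // tell the server which escape character was used.
    public static SqlCommand NamePrefixSearch(SqlConnection conn, string prefix)
    {
        string pattern = prefix.Replace("\\", "\\\\")
                               .Replace("%", "\\%")
                               .Replace("_", "\\_")
                               .Replace("[", "\\[") + "%";
        SqlCommand cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM Authors WHERE au_lname LIKE @pattern ESCAPE '\\'", conn);
        cmd.Parameters.Add("@pattern", SqlDbType.VarChar, 50).Value = pattern;
        return cmd;
    }
}
```

Running VulnerableSql("' OR 1=1 --") through a query analyser shows the comment marker swallowing the closing quote; the same input given to ParameterizedCommand is simply an eleven-character value that matches no author. The SqlParameter pattern is the default; the escaping helper is what you fall back to only when the SQL text itself has to vary.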
    30. SQL Injection Attack
      • Resources
        • SPI Dynamics Whitepaper
        • Stop SQL Injection Attacks Before They Stop You
        • How To: Protect From SQL Injection in ASP.NET
        • Improving Web Application Security: Threats and Countermeasures: Chapter 14 – Building Secure Data Access
    31. Resources
      • Organizations and Web Sites
        • Open Web Application Security Project
          • Generally focused
          • .NET focused but light on content
        • SecurityFocus
        • Institute for Security and Open Methodologies
    32. Resources
      • Threat Modeling
        • MSDN Patterns and Practices – Improving Web Application Security: Threats and Countermeasures
        • MS Threat Modeling Tool
        • MS Threat Modeling Security Home
        • Microsoft Application Threat Modeling Blog
        • Larry Osterman’s Blog – Security Category
        • Threat Modeling chapter in Writing Secure Code
        • Threat Modeling chapter in The .NET Developer's Guide to Windows Security
        • OWASP Guide chapter on “THREAT RISK MODELING”
    33. Resources
      • Books and Papers
        • Writing Secure Code (Michael Howard, David LeBlanc)
        • The .NET Developer's Guide to Windows Security (Keith Brown)
        • OWASP Guide to Building Secure Web Applications and Web Services 2.0
        • OWASP Top Ten Project
    34. Resources
      • Mailing Lists
        • Penetration Testing and Web Application Security lists
    35. Resources
      • Testing Tools
        • Web and Web Services
          • Microsoft Fiddler
          • Paros Proxy
          • TamperIE
          • SPI Dynamics (commercial tools)
    36. Resources
      • Web Casts
        • Microsoft Digital Blackbelt Security Series
        • Writing Secure Code – Threat Defense
    37. Resources
      • Blogs
        • Anil John
        • J.D. Meier
          • Especially enjoyable – Security approaches that don’t work
        • .NET Security Blog
        • Michael Howard
    38. Resources
      • Practice Applications
        • OWASP
          • WebGoat
        • Maven Security
          • WebMaven
        • Foundstone
          • Hacme Bank – Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank simulates a "real-world" online banking application.
          • Hacme Books – The Hacme Books application simulates a ‘real-world’ eCommerce bookstore.
    39. Resources
      • Other Documents and Articles
        • Writing Secure Code on MSDN
        • patterns & practices Security Guidance for Applications Index
        • patterns & practices Security How Tos Index
        • Microsoft Developer Security Resource Kit
        • Secure Coding Guidelines for the .NET Framework
        • Visual Studio 2005 Security Features and Tools
        • Security Enhancements in the .NET Framework 2.0
        • Using the New Security Controls in ASP.NET 2.0
        • Security Headaches? Take ASP.NET 2.0! (Keith Brown)
        • The Trustworthy Computing Security Development Lifecycle
        • ASP.NET Security: 8 Ways to Avoid Attack
        • Web Service Security: Scenarios, Patterns, and Implementation Guidance: Home
    40. Resources
      • Code Libraries
        • Microsoft Anti-Cross Site Scripting Library V1.0
      • Training
        • Security Training Modules (beta)
    41. Principles
      • Least Privilege
      • Defense in Depth
      • Incorporate security into your entire SDLC
      • Train your developers in secure coding practices and give them patterns to follow
      • Learn to think like an attacker
        • Jack of all trades quiz