1. Adam Getchell (acgetchell@ucdavis.edu)
Scott Kirkland (srkirkland@ucdavis.edu)
Alan Lai (anlai@ucdavis.edu)
College of Agricultural & Environmental Sciences
Dean’s Office
IT Security Symposium
June 20-22, 2007
2. Introductions
Not experts, just offering experience gained from .NET
programs we’ve done
Goal is practical advice, based on principles and “code
smells1”, rather than exact code one is supposed to
apply to every programs (though reusable code is
good)
This (mostly) works for us – it may not work for you.
Use what works for your team, but remember:
Good Software = Secure Software
3. OWASP Top 10 20072
1. Cross Site Scripting (XSS)
2. SQL Injection
3. Malicious File Execution (via Remote File Inclusion)
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
4. XSS
Cross site scripting is the most prevalent/pernicious web
application security issue. XSS flaws occur whenever an
application takes data that originated from a user and
sends it to a web browser without first validating or
encoding that content.
XSS types:
1. Reflected – displaying user supplied (hostile) data directly
2. Stored – storing user supplied (hostile) data and displaying
(e.g. CMS, blogs, forums)
3. DOM Injection – Manipulating JavaScript directly on the
page, including using XmlHttpRequest (basis of AJAX) to
get around same source origination policies to forward
users to hostile sites, etc.
5. SQL Injection Attacks
SQL Injection Attacks: Easy, Common, Dangerous.
Definition: Injection occurs when user-supplied data
is sent to an interpreter as part of a command or query.
Attackers trick the interpreter into executing
unintended commands via supplying specially crafted
data.
7. SQL Injection Attacks
Protection:
Use Input Validation – Check for length, type, sytax,
etc.
Use Stored Procedures or at least strongly typed
parameterized queries.
Don’t show detailed error messages.
8. SQL Injection Attacks
Parameterized Queries:
SqlCommand command = new SqlCommand();
command.CommandText = "SELECT user_id FROM
user_data WHERE user_name = @user_name";
command.Parameters.AddWithValue("@user_name",
txtUserName.Text);
9. Input Validation
.NET makes it easy to validate input controls using the
<asp:xxxValidator> controls.
ASP.NET Validators (except for the customValidator)
validate controls once using client side JavaScript and
again on the server side (protecting you from clients
who turn off JavaScript).
10. .NET Validation Tips
An Empty Control will pass every validation test except for
the RequiredFieldValidator
Ex: If you want to make sure a string is not empty and
matches a regular expression (like an Email address),
you must use both a RequiredFieldValidator and a
RegularExpressionValidator.
The CompareValidator can do much more than comparing
two controls.
Leave the ControlToValidate propery blank, use the
Type, Operator and ValueToCompare properties.
Operators: dataTypeCheck, Equal, NotEqual,
GreaterThan, GreaterThanEqual, LessThan,
LessThanEqual
Types: Currency, Date, Double, Integer, String
11. .NET CompareValidator Examples
The value entered should convert to an integer greater
than one
<asp:CompareValidator ID="val"
runat="server" Type="integer"
ValueToCompare="1"
Operator="greaterThan“ />
12. .NET CompareValidator Examples
The value entered should convert to a DateTime
<asp:CompareValidator ID="val"
runat="server" Type="date"
Operator="dataTypeCheck" />
13. Parsing Objects
int age = 0;
if (int.TryParse(textBoxAge.Text, out age))
{
// Success in parsing string to int
}
else // Was not able to parse string
{
// Handle error
}
14. Microsoft Enterprise Library [9]
What is it?
Reusable source-code components implementing best practices and
providing proven solutions to common problems. Can be integrated
into applications and extended/customized
Caching Application Block
Cryptography Application Block
Data Access Application Block
Exception Handling Application Block
Logging Application Block
Policy Injection Application Block
Security Application Block
Validation Application Block
15. Validation Application Block
Ex: Nullable Phone Number
[IgnoreNulls()]
[RegexValidator(@"(((d{3}) ?)|(d{3}-
))?d{3}-d{4}",
MessageTemplate="Phone number must be properly
formatted")]
public virtual string HRPhone
{
get { return _HRPhone; }
set { _HRPhone = value; }
}
16. Validation Application Block
Ex: Non-Null Email Address between 7 and 150 chars.
[NotNullValidator()]
[StringLengthValidator(7, RangeBoundaryType.Inclusive,
150, RangeBoundaryType.Inclusive,
MessageTemplate = "Email address must be from 7 to 150
characters")]
[RegexValidator(@"w+([-+.']w+)*@w+([-.]w+)*.w+([-
.]w+)*",
MessageTemplate = "Email must be properly formatted")]
public virtual string HREmail
{
get { return _HREmail; }
set { _HREmail = value; }
}
17. Validation Application Block
Ex: Non-Null String between 1 and 100 chars.
[NotNullValidator()]
[StringLengthValidator(1, 100)]
public virtual string PositionTitle
{
get { return _PositionTitle; }
set { _PositionTitle = value;}
}
18. Validation Application Block
Ex: Nullable DateTime between now and next month.
[IgnoreNulls()]
[DateTimeRangeValidator(DateTime.Now,
DateTime.Now.AddMonths(1))]
public virtual DateTime? DatePosted
{
get { return _DatePosted; }
set { _DatePosted = value; }
}
19. Validation Application Block
public static class ValidateBO<T>
{
public static bool isValid(T obj)
{
return Validation.Validate<T>(obj).IsValid;
}
public static ValidationResults GetValidationResults(T obj)
{
return Validation.Validate<T>(obj);
}
public static string GetValidationResultsAsString(T obj)
{
StringBuilder ErrorString = new StringBuilder();
foreach (ValidationResult r in GetValidationResults(obj))
{
ErrorString.AppendLine(string.Format("{0}, {1}", r.Key, r.Message));
}
return ErrorString.ToString();
}
}
21. File Upload/Download -- No direct
file access
Don’t allow direct URL access to stored (user supplied)
files.
Potential Issues:
Remote Code Execution
Unauthorized File Access
22. File Upload/Download -- No direct
file access
Protection
Obscure Filenames: Store files as a hash or partial
reference
Use a proxy class to retrieve files on behalf of a user
Check user permissions on retrieval
Return the file as a binary stream (application/octet-stream)
23. File Upload/Download -- No direct
file access
File fileToDownload = GetFile();
System.IO.FileInfo file = new System.IO.FileInfo(FilePath +
fileToDownload.HashedFileName);
if (file.Exists)
{
Response.Clear();
//Control the name that they see
Response.ContentType = "application/octet-stream";
Response.AddHeader("Content-Disposition", "attachment;filename=" +
HttpUtility.UrlEncode(fileToDownload.FileName));
Response.AddHeader("Content-Length", file.Length.ToString());
//Response.TransmitFile(path + FileID.ToString());
Response.TransmitFile(file.FullName);
Response.End();
}
24. Insecure Direct Object Reference
“A direct object reference occurs when a developer exposes a reference to an
internal implementation object, such as a file, directory, database record, or
key as a URL or form parameter”
Without access control checks such as authorization and parameter checking,
very easy to abuse/manipulate systems.
Ex: (can you spot the flaws)
<select name="language"><option
value="fr">Français</option></select> … require_once
($_REQUEST['language’]."lang.php");
And, assuming no SQL injection is possible, what is wrong with the following?
int cartID = Integer.parseInt( request.getParameter(
"cartID" ) ); String query = "SELECT * FROM table WHERE
cartID=" + cartID;
25. Direct Object Reference
countermeasures
Avoid use of object references whenever possible, such
as primary keys or filenames
Validate any private object references extensively (e.g.
RegEx’s)
Verify authorization to all referenced objects
It’s the web – Assume a user will access any published
URL, don’t assume they’ll follow links to get there
But see more on CSRF!
26. Code Access Security
Identify Permissions your application requires using
Permission Calculator (Permcalc.exe)
Choose an appropriate trust level with required
permissions, or better yet, create a custom trust level
with only the permissions needed by the application
Configure the ASP.NET application to use
27. Code Access Security
Declarative Code Security Checks
Check by Role, User or Authenticated
In the System.Security.Permissions namespace.
Throws a System.Security.SecurityException.
[PrincipalPermission(
SecurityAction.Demand,
Role="Admin")]
private void secureOperation() { }
28. Custom Permissions
Copy the Medium trust policy file, web_MediumTrust.conf,
located in
%windir%Microsoft.NETFramework{version}CONFIG to a
file located in your application directory
Add RegistryPermission to <SecurityClass> in
Web_CustomTrust.config:
<SecurityClass Name="RegistryPermission"
Description="System.Security.Permissions.Regis
tryPermission,
mscorlib, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"/>
29. Custom Permissions
Add new <trustLevel> element to the <securityPolicy> section of the Web.config file to define new
level called “Custom” associated with custom policy file
<location allowOverride="true">
<system.web>
<securityPolicy>
<trustLevel name="Full" policyFile="internal" />
<trustLevel name="High" policyFile="web_hightrust.config" />
<trustLevel name="Medium" policyFile="web_mediumtrust.config" />
<trustLevel name="Low" policyFile="web_lowtrust.config" />
<trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
<trustLevel name="Custom" policyFile="web_CustomTrust.config" />
</securityPolicy>
<trust level="Full" originUrl="" />
</system.web>
</location>
30. Custom Permissions
Add RegistryPermission to <SecurityClass> in
Web_CustomTrust.config:
<SecurityClass Name="RegistryPermission"
Description="System.Security.Permissions.R
egistryPermission,
mscorlib, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"/>
31. Custom Permissions
Refer to web_CustomTrust.config in your application’s web.config:
...
<location allowOverride="true">
<system.web>
<securityPolicy>
<trustLevel name="Custom"
policyFile="web_CustomTrust.config" />
</securityPolicy>
<trust level="Custom" originUrl="" />
</system.web>
</location>
...
32. Code Signing
Sign common necessary files with private key to
emplace in the Global Assembly Cache
33. Example of Signing Enterprise
Library
Signing Enterprise Library 3.0 is easier than ever!
Strong-Naming Guidance Package (included in
download)
Generates Key Pair files
Places keys into each project (each application block has
its own project )
All you have to do is build
34. CSRF
Cross site request forger forces a logged-on browser to send a request to a
vulnerable web app, which performs chosen actions on behalf of the victim.
Example:
<img src="http://www.example.com/logout.php">
Changed to:
<img
src="http://www.example.com/transfer.do?frmAcct=document.fo
rm.frmAcct& toAcct=4345754&toSWIFTid=434343&amt=3434.43">
Note the use of Direct Object access, but done in the context of
the user!
(Hence my own preference to not use URL-based object
references)
35. Information Leakage and Improper
Error Handling
In a production environment, always set customErrors
to “On” or “RemoteOnly” in the web.config file.
You can set a generic error page to be displayed when an
uncaught error is raised, and specific error pages when
certain status codes appear (403/404/etc).
36. Information Leakage and Improper
Error Handling
Using Global.asax to handle and log uncaught exceptions
globally
void Application_Error(object sender, EventArgs e)
{
Exception baseException =
Server.GetLastError().GetBaseException();
//Handle Error: Log and Redirect to Error Page
}
37. Information Leakage and Improper
Error Handling
Overriding System.UI.Web.Page to handle
and log uncaught exceptions globally
public class ApplicationPage : System.Web.UI.Page
{
public ApplicationPage() { }
protected override void OnError(EventArgs e)
{
Exception baseException = Server.GetLastError().GetBaseException();
//Handle Error: Log and Redirect to Error Page
base.OnError(e);
}
}
38. Error Handling / Logging
Logging of errors
Writing errors to database
Emailing errors
Writing to the event log
When reporting errors be sure to get any inner
exceptions, not just the outer most exception
40. GridView DataKeys
Use DataKeys to store primary key fields without
displaying them to the user.
Note: The DataKeyNames property must be set for the
automatic updating and deleting features of the
GridView control to work.
42. Broken Authentication/Session
Management
Account credentials and session tokens are not often
properly protected. Attackers compromise passwords,
keys, or authentication tokens to assume other users
identities.
43. Role Provider
The fundamental job of a role provider is to interface
with data sources containing role data mapping users
to roles, and to provide methods for creating roles,
deleting roles, adding users to roles, and so on.
Given a user name, the role manager relies on the role
provider to determine whether what role or roles the
user belongs to.
44. Role Provider
public abstract class RoleProvider : ProviderBase
{
// Abstract properties
public abstract string ApplicationName { get; set; }
// Abstract methods
public abstract bool IsUserInRole(string username,
string roleName);
public abstract string[] GetRolesForUser(string username);
public abstract void CreateRole(string roleName);
public abstract bool DeleteRole(string roleName,
bool throwOnPopulatedRole);
public abstract bool RoleExists(string roleName);
public abstract void AddUsersToRoles(string[] usernames,
string[] roleNames);
public abstract void RemoveUsersFromRoles(string[] usernames,
string[] roleNames);
public abstract string[] GetUsersInRole(string roleName);
public abstract string[] GetAllRoles();
public abstract string[] FindUsersInRole(string roleName,
string usernameToMatch);
}
48. Encrypting the Web.config
Why use the Web.Config?
Centrally store sensitive information (passwords,
connection strings, etc.)
Why encrypt?
Sensitive information in plain text is no good
Password
49. Encrypting the Web.Config
Methods
Programmatic Encryption
Requires manual encryption and decryption in code
Changes to legacy programs required
Encrypting using Machine Keys (RSA Keys)
Performs on the fly decryption
No changes to code necessary
50. Encrypting the Web.Config
Changes to make to the web.config :
<configProtectedData>
<providers>
<add keyContainerName="CustomKeys"
useMachineContainer="true"
description="Uses RsaCryptoServiceProvider to
encrypt and decrypt"
name="CustomProvider"
type="System.Configuration.RsaProtectedConfigurationPr
ovider, System.Configuration, Version=2.0.0.0,
Cultural=neutral,
PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</configProtectedData>
51. Encrypting the Web.Config
How? (Using machine key method)
Use tool called aspnet_regiis.exe
1. Add necessary lines to the web.config
2. Import / create machine key
3. Encrypt desired section (appSettings or
connectionStrings)
52. Insecure Communications
Use SSL
Purchase Certs at IT Secuity site:
http://security.ucdavis.edu/
Or you can use selfcert.exe or OpenSSH to create your
own certificates
No excuse!
53. Secure SQL server access
Use Windows Authentication
Mixed mode uses trivially crackable encryption
Unicode password XOR’d with byte value 0xA5! [4]
Recommend local Windows password rather than
Domain account
Associate with Application Pool
Keep separate accounts for separate App Pools
Development vs. Production
Sensitive vs. Non-sensitive
54. Other SQL Server practices
Strong password to ‘sa’ account, even when not in mixed mode
Prevent brute force attacks
Yes, SQL Server 2005 has an ‘sa’ account
Use Firewall to only allow certain servers to talk to particular ports
Don’t give generic access to 1433 and 1434
Lots of attacks that do not require authentication
Check for backdoors
Audit startup procedures (sp_MSRepl_startup)
Audit commonly run procedures (sp_help, sp_password)
Administrator Xstatus (2218 allows Admin login with no password)
Use SQL Server 2005 if possible
Reduced attack surface
Table and column encryption [6]
55. But …
All that can change next year. So what principles stay in common?
Software Engineering - A systematic approach to the analysis, design,
implementation and maintenance of software3
Software Development Life Cycle
Security is a process
Maintainable, auditable, provably correct code
Architecture
Separation of concerns into functional, independent, minimally coupled layers
Service Oriented Architecture
Infrastructure
Separation of concerns into functional, independent, minimally coupled tiers
Deployment, maintenance, upgrade, and retirement handled separately from
programming/development
56. Software Engineering
Team Foundation Server with Visual Studio Team System
Source control and code check-in policies
Require compilation(!)
Require passing FxCop
Require evaluation
Bug and project tracking
Automated (nightly) builds with MSBuild
Test-driven development
Unit testing
Database testing
Setup & deployment projects
Use Design Patterns
Singletons
Factories
Inversion of Control/Dependency Injection
Consider using frameworks
Microsoft Enterprise Library
NHibernate (Object-relational mapping) [7]
Castle (Object interceptors) [8]
57. References
1. “A Taxonomy for Bad Code Smells.”
http://www.soberit.hut.fi/mmantyla/BadCodeSmellsTaxonomy.htm
2. The Open Web Application Security
Project.<http://www.owasp.org/index.php/Top_10_2007>.
3. "software engineering." The Free On-line Dictionary of Computing. Denis Howe. 13
Jun. 2007. <Dictionary.com http://dictionary.reference.com/browse/software
engineering>.
4. “Threat Profiling Microsoft SQL Server (A Guide to Security Auditing)”, David
Litchfield, 20 July 2002. http://www.nextgenss.com/papers/tp-SQL2000.pdf
5. “Security in SQL Server 2005 as seen by a programmer”, Software Developer’s Journal,
21 March 2006. http://www.codeproject.com/database/sqlserver_secure.asp
6. “How To: Use Code Access Security in ASP.NET 2.0”, Microsoft Patterns & Practices
Developer Center, August 2005. http://msdn2.microsoft.com/en-
us/library/ms998326.aspx
7. “NHibernate for .NET”, Sergey Koshcheyev, Ayende Rahien, and others.
http://www.hibernate.org/343.html
8. “Castle Project”, Castle Project. http://www.castleproject.org/
9. “Enterprise Library”, Microsoft Patterns & Practices Developer Center, May 2007.
http://msdn2.microsoft.com/en-us/library/aa480453.aspx
58. Adam Getchell (acgetchell@ucdavis.edu)
Scott Kirkland (srkirkland@ucdavis.edu)
Alan Lai (anlai@ucdavis.edu)
College of Agricultural & Environmental Sciences
Dean’s Office
IT Security Symposium
June 20-22, 2007
Editor's Notes
Add description of advantages gained – centralizing validation. Drag example of a few properties from cs file with validation applied.
Add description of advantages gained – centralizing validation. Drag example of a few properties from cs file with validation applied.
Add description of advantages gained – centralizing validation. Drag example of a few properties from cs file with validation applied.
Add description of advantages gained – centralizing validation. Drag example of a few properties from cs file with validation applied.
Store Files in a Binary Blob in a SQL Database?
Store Files in a Binary Blob in a SQL Database?
Can be attacked using null byte injection to access any file on web server file system
Can change cart ID to whatever parameter they want to access other data
Australian Taxation Office site – user changed ABN, company tax id, to farm details about 17,000 companies to e-mail/spam them.
From MSDN http://msdn2.microsoft.com/en-us/library/aa479032.aspx
From MSDN http://msdn2.microsoft.com/en-us/library/aa479032.aspx