Secure Dot Net Programming


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Add description of advantages gained – centralizing validation. Drag example of a few properties from cs file with validation applied.
  • Add description of advantages gained – centralizing validation. Drag example of a few properties from cs file with validation applied.
  • Add description of advantages gained – centralizing validation. Drag example of a few properties from cs file with validation applied.
  • Add description of advantages gained – centralizing validation. Drag example of a few properties from cs file with validation applied.
  • Store Files in a Binary Blob in a SQL Database?
  • Store Files in a Binary Blob in a SQL Database?
  • Can be attacked using null byte injection to access any file on web server file system
    Can change cart ID to whatever parameter they want to access other data
    Australian Taxation Office site – user changed ABN, company tax id, to farm details about 17,000 companies to e-mail/spam them.
  • From MSDN
  • From MSDN
  • Replace with Recruitment Role Provider
  • Secure Dot Net Programming

    1. 1. Adam Getchell ( Scott Kirkland ( Alan Lai ( College of Agricultural & Environmental Sciences Dean’s Office IT Security Symposium June 20-22, 2007
    2. 2. Introductions  Not experts, just offering experience gained from .NET programs we’ve done  Goal is practical advice, based on principles and “code smells1”, rather than exact code one is supposed to apply to every programs (though reusable code is good)  This (mostly) works for us – it may not work for you. Use what works for your team, but remember: Good Software = Secure Software
    3. 3. OWASP Top 10 20072 1. Cross Site Scripting (XSS) 2. SQL Injection 3. Malicious File Execution (via Remote File Inclusion) 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access
    4. 4. XSS  Cross site scripting is the most prevalent/pernicious web application security issue. XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content.  XSS types: 1. Reflected – displaying user supplied (hostile) data directly 2. Stored – storing user supplied (hostile) data and displaying (e.g. CMS, blogs, forums) 3. DOM Injection – Manipulating JavaScript directly on the page, including using XmlHttpRequest (basis of AJAX) to get around same source origination policies to forward users to hostile sites, etc.
    5. 5. SQL Injection Attacks  SQL Injection Attacks: Easy, Common, Dangerous.  Definition: Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands via supplying specially crafted data.
    6. 6. SQL Injection Attacks Vulnerability: String query = "SELECT user_id FROM user_data WHERE user_name = '" + txtUserName.Text + "'";
    7. 7. SQL Injection Attacks Protection:  Use Input Validation – Check for length, type, sytax, etc.  Use Stored Procedures or at least strongly typed parameterized queries.  Don’t show detailed error messages.
    8. 8. SQL Injection Attacks Parameterized Queries: SqlCommand command = new SqlCommand(); command.CommandText = "SELECT user_id FROM user_data WHERE user_name = @user_name"; command.Parameters.AddWithValue("@user_name", txtUserName.Text);
    9. 9. Input Validation  .NET makes it easy to validate input controls using the <asp:xxxValidator> controls.  ASP.NET Validators (except for the customValidator) validate controls once using client side JavaScript and again on the server side (protecting you from clients who turn off JavaScript).
    10. 10. .NET Validation Tips  An Empty Control will pass every validation test except for the RequiredFieldValidator  Ex: If you want to make sure a string is not empty and matches a regular expression (like an Email address), you must use both a RequiredFieldValidator and a RegularExpressionValidator.  The CompareValidator can do much more than comparing two controls.  Leave the ControlToValidate propery blank, use the Type, Operator and ValueToCompare properties.  Operators: dataTypeCheck, Equal, NotEqual, GreaterThan, GreaterThanEqual, LessThan, LessThanEqual  Types: Currency, Date, Double, Integer, String
    11. 11. .NET CompareValidator Examples  The value entered should convert to an integer greater than one <asp:CompareValidator ID="val" runat="server" Type="integer" ValueToCompare="1" Operator="greaterThan“ />
    12. 12. .NET CompareValidator Examples  The value entered should convert to a DateTime <asp:CompareValidator ID="val" runat="server" Type="date" Operator="dataTypeCheck" />
    13. 13. Parsing Objects int age = 0; if (int.TryParse(textBoxAge.Text, out age)) { // Success in parsing string to int } else // Was not able to parse string { // Handle error }
    14. 14. Microsoft Enterprise Library [9]  What is it?  Reusable source-code components implementing best practices and providing proven solutions to common problems. Can be integrated into applications and extended/customized  Caching Application Block  Cryptography Application Block  Data Access Application Block  Exception Handling Application Block  Logging Application Block  Policy Injection Application Block  Security Application Block  Validation Application Block
    15. 15. Validation Application Block  Ex: Nullable Phone Number [IgnoreNulls()] [RegexValidator(@"(((d{3}) ?)|(d{3}- ))?d{3}-d{4}", MessageTemplate="Phone number must be properly formatted")] public virtual string HRPhone { get { return _HRPhone; } set { _HRPhone = value; } }
    16. 16. Validation Application Block  Ex: Non-Null Email Address between 7 and 150 chars. [NotNullValidator()] [StringLengthValidator(7, RangeBoundaryType.Inclusive, 150, RangeBoundaryType.Inclusive, MessageTemplate = "Email address must be from 7 to 150 characters")] [RegexValidator(@"w+([-+.']w+)*@w+([-.]w+)*.w+([- .]w+)*", MessageTemplate = "Email must be properly formatted")] public virtual string HREmail { get { return _HREmail; } set { _HREmail = value; } }
    17. 17. Validation Application Block  Ex: Non-Null String between 1 and 100 chars. [NotNullValidator()] [StringLengthValidator(1, 100)] public virtual string PositionTitle { get { return _PositionTitle; } set { _PositionTitle = value;} }
    18. 18. Validation Application Block Ex: Nullable DateTime between now and next month. [IgnoreNulls()] [DateTimeRangeValidator(DateTime.Now, DateTime.Now.AddMonths(1))] public virtual DateTime? DatePosted { get { return _DatePosted; } set { _DatePosted = value; } }
    19. 19. Validation Application Block public static class ValidateBO<T> { public static bool isValid(T obj) { return Validation.Validate<T>(obj).IsValid; } public static ValidationResults GetValidationResults(T obj) { return Validation.Validate<T>(obj); } public static string GetValidationResultsAsString(T obj) { StringBuilder ErrorString = new StringBuilder(); foreach (ValidationResult r in GetValidationResults(obj)) { ErrorString.AppendLine(string.Format("{0}, {1}", r.Key, r.Message)); } return ErrorString.ToString(); } }
    20. 20. Validation Application Block if (ValidateBO<File>.isValid(jobDescription)) { newPosition.DescriptionFile = jobDescription; } else { Trace.Warn(ValidateBO<File>.GetValidationResultsAsSt ring(jobDescription)); //Throw error }
    21. 21. File Upload/Download -- No direct file access  Don’t allow direct URL access to stored (user supplied) files.  Potential Issues:  Remote Code Execution  Unauthorized File Access
    22. 22. File Upload/Download -- No direct file access  Protection  Obscure Filenames: Store files as a hash or partial reference  Use a proxy class to retrieve files on behalf of a user  Check user permissions on retrieval  Return the file as a binary stream (application/octet-stream)
    23. 23. File Upload/Download -- No direct file access File fileToDownload = GetFile(); System.IO.FileInfo file = new System.IO.FileInfo(FilePath + fileToDownload.HashedFileName); if (file.Exists) { Response.Clear(); //Control the name that they see Response.ContentType = "application/octet-stream"; Response.AddHeader("Content-Disposition", "attachment;filename=" + HttpUtility.UrlEncode(fileToDownload.FileName)); Response.AddHeader("Content-Length", file.Length.ToString()); //Response.TransmitFile(path + FileID.ToString()); Response.TransmitFile(file.FullName); Response.End(); }
    24. 24. Insecure Direct Object Reference  “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key as a URL or form parameter”  Without access control checks such as authorization and parameter checking, very easy to abuse/manipulate systems.  Ex: (can you spot the flaws) <select name="language"><option value="fr">Français</option></select> … require_once ($_REQUEST['language’]."lang.php"); And, assuming no SQL injection is possible, what is wrong with the following? int cartID = Integer.parseInt( request.getParameter( "cartID" ) ); String query = "SELECT * FROM table WHERE cartID=" + cartID;
    25. 25. Direct Object Reference countermeasures  Avoid use of object references whenever possible, such as primary keys or filenames  Validate any private object references extensively (e.g. RegEx’s)  Verify authorization to all referenced objects  It’s the web – Assume a user will access any published URL, don’t assume they’ll follow links to get there  But see more on CSRF!
    26. 26. Code Access Security  Identify Permissions your application requires using Permission Calculator (Permcalc.exe)  Choose an appropriate trust level with required permissions, or better yet, create a custom trust level with only the permissions needed by the application  Configure the ASP.NET application to use
    27. 27. Code Access Security  Declarative Code Security Checks  Check by Role, User or Authenticated  In the System.Security.Permissions namespace.  Throws a System.Security.SecurityException. [PrincipalPermission( SecurityAction.Demand, Role="Admin")] private void secureOperation() { }
    28. 28. Custom Permissions  Copy the Medium trust policy file, web_MediumTrust.conf, located in %windir%Microsoft.NETFramework{version}CONFIG to a file located in your application directory  Add RegistryPermission to <SecurityClass> in Web_CustomTrust.config: <SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.Regis tryPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    29. 29. Custom Permissions  Add new <trustLevel> element to the <securityPolicy> section of the Web.config file to define new level called “Custom” associated with custom policy file <location allowOverride="true"> <system.web> <securityPolicy> <trustLevel name="Full" policyFile="internal" /> <trustLevel name="High" policyFile="web_hightrust.config" /> <trustLevel name="Medium" policyFile="web_mediumtrust.config" /> <trustLevel name="Low" policyFile="web_lowtrust.config" /> <trustLevel name="Minimal" policyFile="web_minimaltrust.config" /> <trustLevel name="Custom" policyFile="web_CustomTrust.config" /> </securityPolicy> <trust level="Full" originUrl="" /> </system.web> </location>
    30. 30. Custom Permissions  Add RegistryPermission to <SecurityClass> in Web_CustomTrust.config: <SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.R egistryPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    31. 31. Custom Permissions  Refer to web_CustomTrust.config in your application’s web.config: ... <location allowOverride="true"> <system.web> <securityPolicy> <trustLevel name="Custom" policyFile="web_CustomTrust.config" /> </securityPolicy> <trust level="Custom" originUrl="" /> </system.web> </location> ...
    32. 32. Code Signing  Sign common necessary files with private key to emplace in the Global Assembly Cache
    33. 33. Example of Signing Enterprise Library  Signing Enterprise Library 3.0 is easier than ever!  Strong-Naming Guidance Package (included in download)  Generates Key Pair files  Places keys into each project (each application block has its own project )  All you have to do is build
    34. 34. CSRF  Cross site request forger forces a logged-on browser to send a request to a vulnerable web app, which performs chosen actions on behalf of the victim.  Example: <img src="">  Changed to: <img src=" rm.frmAcct& toAcct=4345754&toSWIFTid=434343&amt=3434.43">  Note the use of Direct Object access, but done in the context of the user!  (Hence my own preference to not use URL-based object references)
    35. 35. Information Leakage and Improper Error Handling  In a production environment, always set customErrors to “On” or “RemoteOnly” in the web.config file.  You can set a generic error page to be displayed when an uncaught error is raised, and specific error pages when certain status codes appear (403/404/etc).
    36. 36. Information Leakage and Improper Error Handling  Using Global.asax to handle and log uncaught exceptions globally void Application_Error(object sender, EventArgs e) { Exception baseException = Server.GetLastError().GetBaseException(); //Handle Error: Log and Redirect to Error Page }
    37. 37. Information Leakage and Improper Error Handling  Overriding System.UI.Web.Page to handle and log uncaught exceptions globally public class ApplicationPage : System.Web.UI.Page { public ApplicationPage() { } protected override void OnError(EventArgs e) { Exception baseException = Server.GetLastError().GetBaseException(); //Handle Error: Log and Redirect to Error Page base.OnError(e); } }
    38. 38. Error Handling / Logging  Logging of errors  Writing errors to database  Emailing errors  Writing to the event log  When reporting errors be sure to get any inner exceptions, not just the outer most exception
    39. 39. Error Handling / Logging ErrorReporting eReport = new ErrorReporting("ApplicationName", "EventLogName"); try { // Execute Database call } catch (SqlException sqlEx) { eReport.ReportError(sqlEx, System.Reflection.MethodBase.GetCurrentMethod()); }
    40. 40. GridView DataKeys  Use DataKeys to store primary key fields without displaying them to the user.  Note: The DataKeyNames property must be set for the automatic updating and deleting features of the GridView control to work.
    41. 41. GridView DataKeys <asp:GridView ID="CustomersGridView" DataSourceID="CustomersSqlDataSource" DataKeyNames="CustomerID" runat="server"> <Columns> <asp:BoundField DataField="CustomerName" HeaderText="Name" /> </Columns> </asp:GridView> //Access the datakey in your codefile gViewData.DataKeys[rowIndex].Value;
    42. 42. Broken Authentication/Session Management  Account credentials and session tokens are not often properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users identities.
    43. 43. Role Provider  The fundamental job of a role provider is to interface with data sources containing role data mapping users to roles, and to provide methods for creating roles, deleting roles, adding users to roles, and so on.  Given a user name, the role manager relies on the role provider to determine whether what role or roles the user belongs to.
    44. 44. Role Provider public abstract class RoleProvider : ProviderBase { // Abstract properties public abstract string ApplicationName { get; set; } // Abstract methods public abstract bool IsUserInRole(string username, string roleName); public abstract string[] GetRolesForUser(string username); public abstract void CreateRole(string roleName); public abstract bool DeleteRole(string roleName, bool throwOnPopulatedRole); public abstract bool RoleExists(string roleName); public abstract void AddUsersToRoles(string[] usernames, string[] roleNames); public abstract void RemoveUsersFromRoles(string[] usernames, string[] roleNames); public abstract string[] GetUsersInRole(string roleName); public abstract string[] GetAllRoles(); public abstract string[] FindUsersInRole(string roleName, string usernameToMatch); }
    45. 45. Role Provider <authentication mode="Forms"> <forms name="FormsAuthDB.AspxAuth" loginUrl="~/login.aspx" defaultUrl="~/Default.aspx" protection="All" timeout="120" path="/"> </forms> </authentication> <roleManager enabled="true" defaultProvider="CAESDORoleProvider" cacheRolesInCookie="true"> <providers> <add name="CAESDORoleProvider" type="CAESDO.Recruitment.Providers.CAESDORoleProvider" applicationName="Recruitment" description="CAESDO Authorization Test Program" connectionString="CATBERT"/> </providers> </roleManager>
    46. 46. Role Provider <location path="members"> <system.web> <authorization> <allow roles="member, manager" /> <deny users="*" /> </authorization> </system.web> </location> <system.web> <authorization> <deny users="?" /> </authorization> </system.web>
    47. 47. Role Provider: Code Demo  Login.aspx.cs
    48. 48. Encrypting the Web.config  Why use the Web.Config?  Centrally store sensitive information (passwords, connection strings, etc.)  Why encrypt?  Sensitive information in plain text is no good Password
    49. 49. Encrypting the Web.Config  Methods  Programmatic Encryption  Requires manual encryption and decryption in code  Changes to legacy programs required  Encrypting using Machine Keys (RSA Keys)  Performs on the fly decryption  No changes to code necessary
    50. 50. Encrypting the Web.Config Changes to make to the web.config : <configProtectedData> <providers> <add keyContainerName="CustomKeys" useMachineContainer="true" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" name="CustomProvider" type="System.Configuration.RsaProtectedConfigurationPr ovider, System.Configuration, Version=, Cultural=neutral, PublicKeyToken=b03f5f7f11d50a3a"/> </providers> </configProtectedData>
    51. 51. Encrypting the Web.Config  How? (Using machine key method)  Use tool called aspnet_regiis.exe 1. Add necessary lines to the web.config 2. Import / create machine key 3. Encrypt desired section (appSettings or connectionStrings)
    52. 52. Insecure Communications  Use SSL  Purchase Certs at IT Secuity site:   Or you can use selfcert.exe or OpenSSH to create your own certificates  No excuse!
    53. 53. Secure SQL server access  Use Windows Authentication  Mixed mode uses trivially crackable encryption  Unicode password XOR’d with byte value 0xA5! [4]  Recommend local Windows password rather than Domain account  Associate with Application Pool  Keep separate accounts for separate App Pools  Development vs. Production  Sensitive vs. Non-sensitive
    54. 54. Other SQL Server practices  Strong password to ‘sa’ account, even when not in mixed mode  Prevent brute force attacks  Yes, SQL Server 2005 has an ‘sa’ account  Use Firewall to only allow certain servers to talk to particular ports  Don’t give generic access to 1433 and 1434  Lots of attacks that do not require authentication  Check for backdoors  Audit startup procedures (sp_MSRepl_startup)  Audit commonly run procedures (sp_help, sp_password)  Administrator Xstatus (2218 allows Admin login with no password)  Use SQL Server 2005 if possible  Reduced attack surface  Table and column encryption [6]
    55. 55. But … All that can change next year. So what principles stay in common? Software Engineering - A systematic approach to the analysis, design, implementation and maintenance of software3  Software Development Life Cycle  Security is a process  Maintainable, auditable, provably correct code  Architecture  Separation of concerns into functional, independent, minimally coupled layers  Service Oriented Architecture  Infrastructure  Separation of concerns into functional, independent, minimally coupled tiers  Deployment, maintenance, upgrade, and retirement handled separately from programming/development
    56. 56. Software Engineering  Team Foundation Server with Visual Studio Team System  Source control and code check-in policies  Require compilation(!)  Require passing FxCop  Require evaluation  Bug and project tracking  Automated (nightly) builds with MSBuild  Test-driven development  Unit testing  Database testing  Setup & deployment projects  Use Design Patterns  Singletons  Factories  Inversion of Control/Dependency Injection  Consider using frameworks  Microsoft Enterprise Library  NHibernate (Object-relational mapping) [7]  Castle (Object interceptors) [8]
    57. 57. References 1. “A Taxonomy for Bad Code Smells.” 2. The Open Web Application Security Project.<>. 3. "software engineering." The Free On-line Dictionary of Computing. Denis Howe. 13 Jun. 2007. < engineering>. 4. “Threat Profiling Microsoft SQL Server (A Guide to Security Auditing)”, David Litchfield, 20 July 2002. 5. “Security in SQL Server 2005 as seen by a programmer”, Software Developer’s Journal, 21 March 2006. 6. “How To: Use Code Access Security in ASP.NET 2.0”, Microsoft Patterns & Practices Developer Center, August 2005. us/library/ms998326.aspx 7. “NHibernate for .NET”, Sergey Koshcheyev, Ayende Rahien, and others. 8. “Castle Project”, Castle Project. 9. “Enterprise Library”, Microsoft Patterns & Practices Developer Center, May 2007.
    58. 58. Adam Getchell ( Scott Kirkland ( Alan Lai ( College of Agricultural & Environmental Sciences Dean’s Office IT Security Symposium June 20-22, 2007