
Top Ten Tips For Tenacious Defense In Asp.Net

1. Top Ten Tips for Tenacious Defense in ASP.NET
   Alex Smolen, Senior Consultant
   SoCal Code Camp, 2008
2. Tip 1: Cross-Site Request Forgery
3. CSRF
   - Attacker entices victim to view an HTML page containing a malicious image tag (hosted by an "accomplice")
   - Victim unknowingly submits a request to a server of the attacker's choosing, using the victim's credentials
   - Effects can vary
     - Log the user out
     - Execute a transaction
     - Post a message
     - Modify settings on an intranet device with a web interface
4. CSRF - Examples
   - <!-- Buy shares of Microsoft in the background -->
     <img src="">
   - <!-- Open up a firewall port -->
     <img src="http://firewall/openPort?portNumber=5344">
5. CSRF - Defense
   - The root cause is "ambient authority"
     - Cookies, NTLM credentials and HTTP Auth are sent automatically by the browser
   - The site needs to provide another form of secret that the attacker can't guess
6. CSRF Defense
   - Referer
   - ViewStateUserKey
   - Secret token
   - CAPTCHA
   - Password re-authentication
7. CSRF Defense - Referer
   - Check the HTTP referer to make sure that the user just came from the right page
     - Misspelling intentional (that is how the header is spelled)
   - Referer isn't always sent
     - Privacy settings
   - Difficult to know what the referer will be
   - Can be faked with vulnerable versions of Flash
8. CSRF Defense - ViewStateUserKey
   - ViewStateUserKey is combined with ViewState
     - The ViewStateMac check will fail if ViewStateUserKey is different
   - Can be used to ensure that ViewState is unique between users
     - Set the value to the session ID
9. CSRF Defense - ViewStateUserKey
   - There are problems with this solution
     - Have blogged about this
   - What if
     - ViewStateMac isn't enabled?
     - The action isn't a postback?
     - You don't want to use ViewState at all?
10. CSRF Defense - Secret Token
   - This is a more flexible approach
   - The form (or URL, potentially) contains a secret token that is required
     - Could be the same as, or based on, the session ID
   - The page checks for this token as well as the session ID in the cookie
   - Ambient authority is superseded
11. CSRF Defense - Secret Token
   - Both CSRFGuard from OWASP and AntiCsrf from Barry Dorrans use this approach
   - Need to watch GET versus POST
     - Idempotency and verb agnosticity, oh my!
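Added example (not from the slides, and not the code of CSRFGuard or AntiCsrf): a base Page class that applies both ASP.NET-specific defenses above, ViewStateUserKey for postbacks (slide 8) and a per-session secret token in a hidden field for any other state-changing POST (slides 10 and 11). The class name, the session key and the hidden field name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Derive your pages from this instead of System.Web.UI.Page.
public class CsrfProtectedPage : Page
{
    const string TokenSessionKey = "__csrfToken";     // assumed key name
    public const string TokenFieldName = "__csrfField"; // assumed hidden field name

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Tie ViewState to this session: a ViewState blob captured in another
        // session fails the ViewStateMac check. Only helps when enableViewStateMac
        // is on and the action is a postback. Note that ASP.NET keeps the same
        // SessionID across requests only once something is stored in Session,
        // which the token getter below guarantees on the first page render.
        ViewStateUserKey = Session.SessionID;
    }

    // Token to embed in every state-changing form:
    //   <input type="hidden" name="__csrfField" value="<%= CsrfToken %>" />
    protected string CsrfToken
    {
        get
        {
            string token = Session[TokenSessionKey] as string;
            if (token == null)
            {
                byte[] raw = new byte[32];                       // 256 bits of entropy
                new RNGCryptoServiceProvider().GetBytes(raw);    // not System.Random
                token = Convert.ToBase64String(raw);
                Session[TokenSessionKey] = token;
            }
            return token;
        }
    }

    // Call from any handler that changes state (a button click, Page_Load when
    // IsPostBack, ...) before doing the work. The session cookie still has to be
    // present and valid; the token is checked in addition to it.
    protected void RequireValidCsrfToken()
    {
        if (Request.HttpMethod != "POST")
            throw new HttpException(405, "State-changing actions must use POST, not GET");

        string submitted = Request.Form[TokenFieldName];
        if (submitted == null || !FixedTimeEquals(submitted, CsrfToken))
            throw new HttpException(403, "Missing or invalid anti-CSRF token");
    }

    // Compare in constant time so the response time does not leak how many
    // leading characters of the token matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the token lives in the session rather than in ViewState, it also covers the cases slide 9 lists: pages with ViewStateMac off, non-postback POSTs and pages that do not use ViewState at all.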
12. CSRF Defense - CAPTCHA
   - A CAPTCHA theoretically requires a human to solve
     - Bleh...
   - They work, but aren't very user-friendly
   - CSRF is possible for a lot of actions
   - Maybe if it's Asirra...
13. CSRF Defense - Password Re-authentication
   - Simply require users to re-authenticate to perform an action
     - The most secure, hopefully
   - Can be done for BIG DEAL transactions, like cashing out an account or changing a password (this is usually done anyway)
   - Example: Amazon shopping cart
14. Tip 2: Session Fixation
15. Session Fixation
   - Let's say...
     - You visit a web site
     - You enter your username and password
     - You continue browsing to other pages
     - The web site continues to know who you are
   - How?
16. Session Fixation
   - Sessions!
   - An identifier is passed with each request (usually in a cookie)
   - I can steal your session if I know your session identifier
   - Session identifiers are like a temporary password
17. Session Fixation
   - Session fixation occurs when I force you to use a known session identifier
   - Shared terminal
     - At a library, hotel, etc.
     - I visit a site, note the session ID, wait for someone else to log in
   - Click a link
     - If you click on my link, I know your session ID
18. Session Fixation Defense
   - To defend against this, regenerate the session ID after login
   - You probably don't do this
     - There's no good way to regenerate the session ID in ASP.NET
   - If you use Forms authentication, you're OK... sorta
     - The FormsAuthenticationTicket is used in addition to the session cookie and can't be preset
     - However, I may be able to access your information with my FormsAuthenticationTicket and your session identifier
19. Session Fixation - Defense
   - You could do something like this:
   - Gross
   - Use an extra authentication cookie if you don't use Forms Authentication
   - Make sure all requests to a session are from the right authenticated user according to the authentication cookie
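Added example (not from the slides): the two halves of the defense described on slides 18 and 19. RegenerateSessionId is the "gross" workaround, since ASP.NET 2.0/3.5 has no Session.Regenerate; it uses the public SessionIDManager API to issue a fresh ID. BindSessionToUser implements the last bullet: every authenticated request must come from the user the session was first claimed by. The class, method and session key names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

public static class SessionGuard
{
    const string OwnerKey = "__sessionOwner";   // assumed session key

    // Call right after a successful login, then redirect. Session.Abandon()
    // discards the data stored under the old (possibly attacker-chosen) ID at the
    // end of this request; SaveSessionID writes a cookie with a new ID, so the
    // next request arrives with a fresh, empty session. Do not store anything in
    // Session during the same request: it would still go to the old session.
    public static void RegenerateSessionId(HttpContext context)
    {
        context.Session.Abandon();
        SessionIDManager manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
    }

    // Call on every request once authentication has run, e.g. from
    // Application_PostAcquireRequestState in Global.asax or a base page's OnLoad.
    // The first authenticated request claims the session; any later request that
    // presents a different authentication identity with the same session ID is
    // the "my ticket, your session" case from slide 18 and is rejected.
    public static void BindSessionToUser(HttpContext context)
    {
        if (context.Session == null || context.User == null ||
            !context.User.Identity.IsAuthenticated)
            return;

        string currentUser = context.User.Identity.Name;
        string owner = context.Session[OwnerKey] as string;

        if (owner == null)
        {
            context.Session[OwnerKey] = currentUser;
        }
        else if (!string.Equals(owner, currentUser, StringComparison.Ordinal))
        {
            context.Session.Abandon();
            HttpCookie expired = new HttpCookie("ASP.NET_SessionId", "");
            expired.Expires = DateTime.Now.AddDays(-1);      // clear the client's copy
            context.Response.Cookies.Add(expired);
            throw new HttpException(403, "Session does not belong to the authenticated user");
        }
    }
}
```

With Forms authentication the identity comes from the FormsAuthenticationTicket; if you roll your own, the extra authentication cookie from slide 19 plays the same role and must itself be unguessable and tamper-proof.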
20. Tip 3: Real-World Crypto
21. Real-World Crypto
   - cryptography : security :: concurrency : programming
     - Truly understood by few, screwed up by almost everyone
   - People like cryptography because it is a security feature
   - A lot of the time, they don't know what it does
   - Magic fairy dust
23. Real-World Crypto
   - People will use hash functions, random numbers and encryption algorithms for all sorts of reasons
   - They're building blocks, and there is a very specific purpose for each of them!
24. Real-World Crypto
   - Random data
     - Properties: difficult to guess
     - Uses: generated passwords or links, session identifiers, cryptographic keys
     - How people mess this up:
       - Use System.Random()
         - Not good enough!
       - Use a predictable seed
       - Don't use enough bits
26. Real-World Crypto
   - Hashing
     - Properties: one-way
     - Uses: verify knowledge of something (e.g. passwords), verify integrity of something
     - How people mess this up:
       - Use a hash for authentication
         - Verify this hacked file download with this hacked file hash!
       - Use a hash for something else (random data)
       - Use an insecure algorithm (not really an issue for most scenarios, but easy enough to fix)
28. Real-World Crypto
   - Symmetric cryptography
     - Properties: keeps a big secret with a smaller secret
     - Uses: keep sensitive data confidential
     - How people mess this up:
       - The key has to be a secret
       - Don't lose the key
     - Use the DPAPI!
       - Key management for free!
     - You can build your own as well, just be careful
30. Real-World Crypto
   - That's it!
   - Not really, cryptography is really complicated
   - If you're doing anything with certificates, SSL, digital signatures or WS-Security, get a book
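Added example (not from the slides): the two building blocks from slides 24 and 28 done the way the talk recommends. NewToken draws random data from RNGCryptoServiceProvider instead of System.Random, and Protect/Unprotect keep a secret confidential through DPAPI (System.Security.Cryptography.ProtectedData, in System.Security.dll), so there is no key of your own to lose. Class and method names and the extra-entropy string are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class CryptoHelpers
{
    // Unguessable token for a reset link, generated password or session id.
    // byteCount is the entropy in bytes: 16 bytes = 128 bits. Don't skimp.
    public static string NewToken(int byteCount)
    {
        byte[] raw = new byte[byteCount];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            rng.GetBytes(raw);
        return Convert.ToBase64String(raw);   // URL-encode before placing in a link
    }

    // What slide 24 warns about, kept here only for contrast: System.Random is
    // seeded from the clock and has a small, fully predictable state.
    public static string WeakTokenDoNotUse()
    {
        Random r = new Random();
        return r.Next().ToString();
    }

    // Optional extra entropy mixed into the DPAPI key; assumed app-specific value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("CodeCamp2008-demo-entropy");

    // Protect a secret (connection string, API key...) under the key DPAPI holds
    // for the current Windows account, i.e. the identity the worker process runs as.
    // CurrentUser scope: only that account can unprotect it. LocalMachine scope
    // would let any process on the box do so.
    public static string Protect(string plaintext)
    {
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), Entropy, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string protectedBase64)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(protectedBase64), Entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }
}
```

The DPAPI caveat is the flip side of "key management for free": the protected blob is bound to the machine and account that created it, so it does not survive a move to another server or a change of application pool identity without re-protecting the secret there.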
32. Tip 4: The AntiXss Library
33. The AntiXSS Library
   - XSS is an issue
     - Has been for a while
   - Really hard to stop
   - The problem is the browser
   - Also, we end up putting user-modifiable data in weird places, such as
   - ASP.NET doesn't help us too much
34. Encoding behavior of the standard controls

   Control                         Behavior
   Literal                         None by default. HTML encoded if the Mode property is set to LiteralMode.Encode
   Label                           None
   TextBox                         Single-line text box is not encoded. Multiline text box is HTML encoded
   Button                          Text is attribute encoded
   LinkButton                      None
   HyperLink                       Text is not encoded. NavigateUrl is URL path encoded, unless it is JavaScript, in which case it is attribute encoded
   DropDownList and ListBox        Option values are attribute encoded. Option display texts are HTML encoded
   CheckBox and CheckBoxList       Value is not used. Display text is not encoded
   RadioButton and RadioButtonList Value is attribute encoded. Display text is not encoded
   GridView and DetailsView        Text fields are HTML encoded if their HtmlEncode property is set to true. Null display text is never encoded

35. The Anti-XSS Library
   - Data needs to be encoded
     - Fully
     - With the right context
   - User data could be output to...
     - HTML
     - HTML attribute
     - JavaScript
     - XML
     - Etc.
36. Anti-XSS Library methods

   Method                               Description
   HtmlEncode                           More robust version of the HttpUtility.HtmlEncode method
   HtmlAttributeEncode                  Encoding for dynamically created HTML attributes (e.g. src="")
   XmlEncode / XmlAttributeEncode       Encoding for XML elements and attributes
   UrlEncode                            Encoding for dynamically constructed URLs
   JavaScriptEncode / VisualBasicEncode Encoding for dynamically generated JavaScript or VBScript
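Added example (not from the slides or the AntiXSS library itself): the same user-supplied value written into four output contexts, each with the encoder from the table above, next to the unencoded "before" version. It assumes the library's Microsoft.Security.Application.AntiXss class is referenced and that the page has a Literal control named litOutput.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXSS library

public partial class ProfilePage : Page
{
    protected Literal litOutput;   // assumed to exist in the .aspx markup

    protected void Page_Load(object sender, EventArgs e)
    {
        // Attacker-controlled input; a Label.Text or Literal.Text assignment does
        // not encode it (see the control table above).
        string name = Request.QueryString["name"] ?? "";

        // BEFORE: data lands in the HTML body unencoded. Reflected XSS.
        // litOutput.Text = "<p>Hello, " + name + "</p>";

        // AFTER: one encoder per destination context.
        string html = "";

        // 1. HTML element content
        html += "<p>Hello, " + AntiXss.HtmlEncode(name) + "</p>";

        // 2. HTML attribute value (quoted)
        html += "<input type=\"text\" name=\"name\" value=\""
              + AntiXss.HtmlAttributeEncode(name) + "\" />";

        // 3. URL query-string component
        html += "<a href=\"/search.aspx?q=" + AntiXss.UrlEncode(name) + "\">Search again</a>";

        // 4. JavaScript string literal. AntiXss.JavaScriptEncode emits the
        //    surrounding quotes itself, so none are added here.
        html += "<script type=\"text/javascript\">var who = "
              + AntiXss.JavaScriptEncode(name) + ";</script>";

        litOutput.Text = html;
    }
}
```

Picking the encoder by where the data ends up is the "with the right context" bullet: HTML-encoding a value that is then placed inside a script block, or URL-encoding one placed in an attribute, leaves the other context's metacharacters live.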
37. Tip 5: Stop Injection!
38. Stop Injection!
   - Injection occurs when:
     - We treat data as code?
     - We fail to properly validate input?
     - We fail to properly encode output?
     - Like, all the time?
   - Yes
39. Stop Injection!
   - How do we stop
     - SQL injection
     - Command injection
     - Path manipulation
     - XML injection
     - LDAP injection
     - Who-knows-what-else
41. Stop Injection!
   - Two things we can do:
   - Validate
     - Make sure all request data looks the way it's supposed to
     - Uh, that's all data (cookies, headers, hidden fields)
   - Encode
     - Make sure all data is properly encoded for its destination
     - SqlCommand with SqlParameters does this for SQL
     - Otherwise, you are on your own
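Added example (not from the slides): both halves of slide 41 applied to SQL. The commented-out FindOrderUnsafe shows the data-as-code mistake; FindOrder validates the request value against a whitelist pattern and then hands it to SQL Server through a typed SqlParameter, so it travels as a value rather than as query text. The table, column names and the regex are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class OrderLookup
{
    // BEFORE (kept only as a comment): the request value becomes part of the SQL
    // text, so anything that is not a plain number changes the query itself.
    //
    //   string sql = "SELECT * FROM Orders WHERE OrderId = " + orderIdText;
    //   return Fill(new SqlCommand(sql, conn));

    // Step 1, validate: an order id is one to nine digits, nothing else.
    static readonly Regex OrderIdPattern = new Regex(@"^\d{1,9}$", RegexOptions.Compiled);

    public static DataTable FindOrder(SqlConnection conn, string orderIdText)
    {
        if (orderIdText == null || !OrderIdPattern.IsMatch(orderIdText))
            throw new ArgumentException("Order id must be 1-9 digits");
        int orderId = int.Parse(orderIdText);

        // Step 2, encode for the destination: SqlParameter carries the value
        // separately from the statement, so the SQL text is fixed at compile time.
        SqlCommand cmd = new SqlCommand(
            "SELECT OrderId, CustomerId, Total FROM Orders WHERE OrderId = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = orderId;
        return Fill(cmd);
    }

    // Free text works the same way; the parameter also carries the LIKE pattern.
    // Caveat: '%' and '_' in the input are still LIKE wildcards (a search-scope
    // issue, not an injection), so escape them if exact matching matters.
    public static DataTable FindCustomersByName(SqlConnection conn, string namePart)
    {
        if (namePart == null || namePart.Length > 50)
            throw new ArgumentException("Name fragment must be 1-50 characters");
        string escaped = namePart.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");

        SqlCommand cmd = new SqlCommand(
            "SELECT CustomerId, Name FROM Customers WHERE Name LIKE @pattern", conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 52).Value = "%" + escaped + "%";
        return Fill(cmd);
    }

    static DataTable Fill(SqlCommand cmd)
    {
        DataTable table = new DataTable();
        using (cmd)
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            adapter.Fill(table);
        return table;
    }
}
```

The same two steps apply to the other injection targets on slide 39; the difference is that for SQL the framework supplies the encoding step (parameters), while for shell commands, file paths, XML and LDAP you have to choose or write the encoder yourself.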
43. Tip 6: Authorization Woes
44. Authorization Woes
   - Who is allowed to do what?
   - Well, we don't know...
   - Draw an authorization matrix!
   - Think about horizontal and vertical privilege escalation!
   - I'm serious!
45. Authorization Woes

   Role            Orders                      Products                    /admin   ...
   Customers       View                        View                        No       ...
   Managers        View, Modify                View, Modify, Add           No       ...
   Administrators  View, Modify, Add, Delete   View, Modify, Add, Delete   Yes      ...
   ...             ...                         ...                         ...      ...

46. Authorization Woes
   - Role-based access control works well here
   - Group users by role
   - Some users will need additional privileges
     - Can use a finer-grained model
   - Some authorization concerns rely on state
     - "After 5 PM, traders cannot place orders greater than the sum of the previous week's total, minus exemptions..."
     - This becomes business logic
47. Authorization Woes
   - User logs in, clicks on the "My Account" URL
   - What if I got my neighbor's statement by mistake?
   - I shouldn't be seeing their statement
   - Horizontal privilege escalation
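Added example (not from the slides): the "My Account" statement page from slide 47 with the missing check added. CanView encodes one row of the matrix on slide 45 for viewing a statement: a customer may see only a statement they own (the horizontal check), while the Managers and Administrators roles may see any (the vertical part, via IPrincipal.IsInRole). The Statement class, the in-memory lookup standing in for the database, and the page name are assumptions; the role names are the ones in the matrix.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Assumed record shape: a statement knows which user it belongs to.
public class Statement
{
    public int Id;
    public string OwnerUserName;
    public string Body;
}

public static class StatementAuthorization
{
    public static bool CanView(IPrincipal user, Statement statement)
    {
        if (user == null || !user.Identity.IsAuthenticated || statement == null)
            return false;

        // Horizontal: same role as the owner is not enough, it must BE the owner.
        bool isOwner = string.Equals(statement.OwnerUserName, user.Identity.Name,
                                     StringComparison.OrdinalIgnoreCase);
        // Vertical: staff roles from the matrix may view any customer's statement.
        bool isStaff = user.IsInRole("Managers") || user.IsInRole("Administrators");
        return isOwner || isStaff;
    }
}

public partial class StatementPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int id;
        if (!int.TryParse(Request.QueryString["id"], out id))
            throw new HttpException(400, "Statement id must be a number");

        Statement statement = LoadStatement(id);

        // Answer "not found" for both a missing statement and someone else's, so
        // a customer cannot tell which ids exist by walking the id space.
        if (!StatementAuthorization.CanView(User, statement))
            throw new HttpException(404, "Statement not found");

        Response.Write("<pre>" + Server.HtmlEncode(statement.Body) + "</pre>");
    }

    // Constructed sample data standing in for a database query.
    static readonly Dictionary<int, Statement> SampleStatements = BuildSamples();

    static Dictionary<int, Statement> BuildSamples()
    {
        Dictionary<int, Statement> d = new Dictionary<int, Statement>();
        Statement a = new Statement(); a.Id = 1001; a.OwnerUserName = "alice"; a.Body = "Alice's statement";
        Statement b = new Statement(); b.Id = 1002; b.OwnerUserName = "bob";   b.Body = "Bob's statement";
        d[a.Id] = a; d[b.Id] = b;
        return d;
    }

    static Statement LoadStatement(int id)
    {
        Statement s;
        return SampleStatements.TryGetValue(id, out s) ? s : null;
    }
}
```

The /admin column of the matrix is the one case the framework can enforce declaratively, with a `<location path="admin">` block in web.config that allows the Administrators role and denies everyone else; the per-record ownership check has no such shortcut and has to live in code like the above.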
48. Tip 7: Mind Your Cookies!
49. Mind Your Cookies
   - Don't use cookies!
     - Let ASP.NET do the session stuff for you
     - What else could you possibly need to use cookies for?
   - OK, OK, so maybe you can use them sometimes
   - Don't base security decisions on the data!
50. Mind Your Cookies
   - There are two attributes that can be added to the Set-Cookie response header
   - Secure
     - Do not transmit this cookie over non-SSL connections
   - HttpOnly
     - Do not allow JavaScript to access this cookie
51. Mind Your Cookies
   - Domain
     - Think about which sub-domains need access
   - Path
     - You can limit which parts of your application cookies are sent to
   - Expiration
     - Don't go crazy
52. Mind Your Cookies
   - URL rewriting
   - Pass the session ID as a URL argument
     ...?sessionid=123123123
   - Bad idea
   - Ends up in history, bookmarks, links sent to friends
   - Originally for users with cookies disabled
   - Probably a small enough minority to ignore
53. Session State in ASP.NET
   - <httpCookies httpOnlyCookies="true">
     - Mark all container-issued cookies as HttpOnly
   - <sessionState cookieless="UseCookies">
     - Prevent URL rewriting
   - <forms requireSSL="true">
     - Marks the Forms Authentication cookie as Secure
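Added example (not from the slides): for the cookies you do end up issuing yourself, a helper that sets every attribute from slides 50 and 51, and an audit check that lists outgoing cookies missing Secure or HttpOnly, to be run from Global.asax. Class, method and cookie names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public static class CookiePolicy
{
    // Issue a cookie the way the slides describe. Domain is deliberately left
    // unset: the cookie then goes only to the issuing host. Set it only when
    // other sub-domains genuinely need the cookie.
    public static HttpCookie Issue(string name, string value, string path, TimeSpan lifetime)
    {
        HttpCookie cookie = new HttpCookie(name, value);
        cookie.Secure = true;                       // never over plain HTTP
        cookie.HttpOnly = true;                     // not readable from script
        cookie.Path = path;                         // e.g. "/account", not "/"
        cookie.Expires = DateTime.Now.Add(lifetime); // "don't go crazy"
        return cookie;
    }

    // Returns the names of outgoing cookies that lack one of the two flags.
    // Wire it up in Global.asax:
    //   void Application_PreSendRequestHeaders(object s, EventArgs e) {
    //       foreach (string c in CookiePolicy.FindWeakCookies(Response.Cookies))
    //           Context.Trace.Warn("cookies", c);
    //   }
    public static List<string> FindWeakCookies(HttpCookieCollection cookies)
    {
        List<string> weak = new List<string>();
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie c = cookies[i];
            if (c.Secure && c.HttpOnly) continue;
            weak.Add(c.Name
                + (c.Secure ? "" : " [missing Secure]")
                + (c.HttpOnly ? "" : " [missing HttpOnly]"));
        }
        return weak;
    }
}
```

The session cookie itself is not created by your code, so the audit will flag ASP.NET_SessionId until web.config handles it: `httpOnlyCookies="true"` covers HttpOnly, and the `requireSSL="true"` attribute on the same `<httpCookies>` element marks framework-issued cookies Secure.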
54. Tip 8: Password Potpourri
55. Password Potpourri
   - Make your passwords strong
     - Eight characters, one letter, one number, one symbol
     - Actually this could be totally inappropriate, it depends on your security requirements
   - Hash and salt stored passwords
     - Salting prevents rainbow table attacks if the password table is compromised
56. Password Potpourri
   - Think about your password reset scheme
     - Could send a link to the reset page in an email, but what if the email is hacked?
     - Could ask a secret question and answer, but what if their answer is really easy ("Your dog's name is... Fido")
     - Use both
   - Lock out brute-forcers
     - Just for a little bit
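Added example (not from the slides): the two mechanics from slides 55 and 56, storage of a salted password hash and a temporary lockout after repeated failures. The hashing uses Rfc2898DeriveBytes (PBKDF2), which is the slide's "hash and salt" with an iteration count added so that each guess against a stolen table costs more; the iteration count, salt size, stored-string format and lockout thresholds are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class PasswordStore
{
    const int SaltSize = 16;        // 128-bit salt, unique per password
    const int HashSize = 32;
    const int Iterations = 10000;   // assumed; raise as hardware gets faster

    // Returns "base64(salt):base64(hash)"; the salt is not secret, only unique.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        byte[] hash = Derive(password, salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Derive(password, salt);
        return FixedTimeEquals(expected, actual);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashSize);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// "Lock out brute-forcers, just for a little bit": five failures lock the
// account for 15 minutes. In-process state, so it is per server; a web farm
// would keep the counters in the database.
public static class LoginThrottle
{
    const int MaxFailures = 5;
    static readonly TimeSpan LockFor = TimeSpan.FromMinutes(15);

    class Entry { public int Failures; public DateTime LockedUntil; }
    static readonly Dictionary<string, Entry> Entries =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    static readonly object Sync = new object();

    public static bool IsLockedOut(string user)
    {
        lock (Sync)
        {
            Entry e;
            return Entries.TryGetValue(user, out e) && e.LockedUntil > DateTime.UtcNow;
        }
    }

    public static void RecordFailure(string user)
    {
        lock (Sync)
        {
            Entry e;
            if (!Entries.TryGetValue(user, out e)) { e = new Entry(); Entries[user] = e; }
            if (++e.Failures >= MaxFailures)
            {
                e.LockedUntil = DateTime.UtcNow + LockFor;
                e.Failures = 0;
            }
        }
    }

    public static void RecordSuccess(string user)
    {
        lock (Sync) Entries.Remove(user);
    }
}
```

The login handler checks IsLockedOut before calling Verify, and calls RecordFailure or RecordSuccess on the outcome. If you use the built-in SqlMembershipProvider instead, it already stores salted hashes and implements the lockout through its maxInvalidPasswordAttempts and passwordAttemptWindow settings.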
57. Tip 9: Users, users, users
58. Users, users, users
   - They (some of them) are dumb!
   - Don't trust them...
     - to recognize your sites by the right domain and SSL certificate
     - to not have malware installed
   - Assume the worst can happen
59. Tip 10: Full Trust Exercise
60. Full Trust Exercise
   - Full trust is the ASP.NET trust level that allows code to do anything it wants
   - Sound dangerous? It is!
   - It's also the default, and the way a LOT of ASP.NET sites run
   - Consider placing your application in Medium trust
   - It could prevent the attacks you don't know about!