Securing .Net Hosted Services


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Securing .Net Hosted Services

  2. 2. IntroductionMyself◦ Education◦ Professional experienceProject◦ .Net Hosted Services◦ WCF◦ Web API◦ Data Services◦ OWASP◦ Top Ten◦ How it applies to hosted servicesBRETT NEMEC
  3. 3. Windows CommunicationFoundationPart of the .Net framework◦ System.ServiceModel namespace◦ Introduced in version 3.0The Service Model◦ Service oriented◦ Interoperable◦ Automatic configuration◦ Follows security standards◦ Supports multiple transports and encodings◦ ExtensibleSecurity◦ SOAP◦ Message integrity◦ Authentication on service and client◦ Integration with existing technologyBRETT NEMEC
  4. 4. BRETT NEMECHostWASASP.NETWindows ServiceService ModelServicesEndpointsContractsOperationsMessagingHTTP TCP QueuesTransportSecurityMessageSecurityXML orBinarySerialization
  5. 5. MVC Web APIFormerly part of WCFASP.NET MVC 4◦ Model-View-Controller pattern◦ RESTful architecture◦ CRUDSecurity◦ Integration with existingtechnology◦ Authentication◦ Attributes◦ HttpGet◦ HttpPost◦ AuthorizeBRETT NEMEC
  6. 6. Using the Authorize attributeBRETT NEMEC
  7. 7. Data ServicesModel driven architecture◦ Object Relational Mapping◦ Entity FrameworkOdata◦ Open Data ProtocolData owner has more control over dataCloud◦ Introduces added risk due to foreign environments◦ Data owner can have less controlBRETT NEMEC
  8. 8. OWASPStands for Open Web Application Security ProjectNot for profit organizationDedicated to web security◦ Helps raise awareness of trends in security threatsSupport for most popular web technologies◦ Java◦ C/C++◦ .Net◦ PHPTop ten security risks of 2013BRETT NEMEC
  9. 9. OWASP Top Ten SecurityRisks of 2013 RCA1 – InjectionA2 – Broken authenticationand session managementA3 – Cross-site scripting (XSS)A4 – Insecure direct objectreferencesA5 – SecuritymisconfigurationsA6 – Sensitive data exposureA7 – Missing functional levelaccess controlA8 – Cross-site request forgery(CSRF)A9 – Using known vulnerablecomponentsA10 – Unvalidated redirectsand forwardsBRETT NEMEC
  10. 10. A1 - InjectionSQL Injection◦ Example◦ WCF method: GetPersonByName(string name), where name = “‟ or „1‟ = „1”◦ Executes SQL◦ var query = “select * from Person where name = „” + p1 + “‟”;◦ Resolves to “select * from Person where name = „‟ or „1‟ = „1‟”◦ One of the the most prominent classes of input validation errors◦ Don’t use command interpreters◦ Use a parameterized interface◦ var query = “select * from Person where name = @name”;◦ Entity Framework v5◦ ORM◦ SQL is generated behind the scenes◦ Model driven◦ Linq to SQLBRETT NEMEC
  11. 11. A2 – Broken authenticationand session managementWCF is stateless by default◦ Stateful session can be enabled in configurationMessage Authentication◦ Certificate authentication over transport security◦ Satisfies Level 1 requirements of the OWASP Application Security VerificationStandard (ASVS)◦ Section V2, all pages and resources must be authenticated except those thatare public◦ Certificate authentication pre-authenticates the client◦ Authorize attribute is used for business authentication, while client isauthenticated to the serviceBRETT NEMEC
  12. 12. A3 – Cross-site scripting(XSS)WCF is not directly vulnerable to XSS◦ Messages are XML based, not URLsImplement custom input/output parameter inspectors◦ IParameterInspector interfaceBRETT NEMEC
  13. 13. A4 – Insecure direct objectreferencesAuthorize attribute◦ Using role-based authentication◦ When a message is sent to an endpoint, service calls custom role providerfor the requested operation◦ Example:[Authorize(“Administrators”)]public void GetAllUsers();BRETT NEMEC
  14. 14. A5 – SecuritymisconfigurationsDon’t expose metadata◦ Can be turned on for debugging in configuration◦ App.config or web.config, using the system.serviceModel element◦ Must be disabled for production◦ Custom web pageBRETT NEMEC
  15. 15. A6 – Sensitive dataexposureStore sensitive data in it’s encrypted formPasswords◦ Don’t actually store the password, store a hash◦ Random salt (256 bytes)◦ RSA Pseudo random number generator◦ SHA-256(Salt + Password) = Salted Password Hash◦ Every time user changes the password, a new salt is used◦ Database table has two columns, allows for one way validation◦ PasswordSalt, non-sensitive◦ PasswordHash◦ Timeout after specified number of failed attempts◦ Stops brute force attacksBRETT NEMEC
  16. 16. A7 – Missing functionallevel access controlRelated to A4, Insecure Direct Object ReferencesWCF by default is stateless◦ If using default, sessions are not of concern◦ If using sessions, control with OperationContract◦ IsInitiating property◦ IsTerminating propertyWindows Identity Foundation◦ Supports federated claims based security◦ Authorized claim sets◦ Used similarly as role-based authorizationBRETT NEMEC
  17. 17. A8 – Cross-site requestforgery (CSRF)WCF is message based, not as much of a riskIt is possible to implement controls for this riskWindows Identity Foundation◦ If implemented, service is already using a Security Token Service (STS)◦ STS processes user validation request◦ Provides a claim-set for the user◦ When the user sends a message request to the service, the claim-set isprovided as a token, STS evaluates the tokenBRETT NEMEC
  18. 18. A9 – Using knownvulnerable componentsDon’t use components that are untested or source is unknownMost controls and tools are already part of the .Net framework◦ Entity Framework v5◦ Tight integration with existing Microsoft .Net technologies◦ Beta versions are not a good ideaOWASP ESAPI for .Net◦ Website states it’s not suitable for production use◦ Good reason not to use itBRETT NEMEC
  19. 19. A10 – Unvalidated redirectsand forwardsRedirects and forwards should be avoidedWCF not at risk like web applications are◦ Sometimes parameters can contain the target page◦ IParameterInspector custom inspectorBRETT NEMEC
  20. 20. ReviewWindows Communication FoundationASP.NET MVC Web APIOWASPTop Ten projectBRETT NEMEC