Securing Microsoft .Net Hosted Services
INFORMATION SECURITY PRACTICUM
CAPSTONE PROJECT
LEWIS UNIVERSITY
BRETT NEMEC
Introduction
Myself
◦ Education
◦ Professional experience
Project
◦ .Net Hosted Services
◦ WCF
◦ Web API
◦ Data Services
◦ OWASP
◦ Top Ten
◦ How it applies to hosted services
Windows Communication Foundation
Part of the .Net framework
◦ System.ServiceModel namespace
◦ Introduced in version 3.0
The Service Model
◦ Service oriented
◦ Interoperable
◦ Automatic configuration
◦ Follows security standards
◦ Supports multiple transports and encodings
◦ Extensible
Security
◦ SOAP
◦ Message integrity
◦ Authentication on service and client
◦ Integration with existing technology
WCF architecture diagram (labels only):
Host: WAS, ASP.NET, Windows Service
Service Model: Services, Endpoints, Contracts, Operations
Messaging: HTTP, TCP, Queues; Transport Security, Message Security; XML or Binary Serialization
MVC Web API
Formerly part of WCF
ASP.NET MVC 4
◦ Model-View-Controller pattern
◦ RESTful architecture
◦ CRUD
Security
◦ Integration with existing technology
◦ Authentication
◦ Attributes
◦ HttpGet
◦ HttpPost
◦ Authorize
Using the Authorize attribute
Data Services
Model driven architecture
◦ Object Relational Mapping
◦ Entity Framework
OData
◦ Open Data Protocol
Data owner has more control over data
Cloud
◦ Introduces added risk due to foreign environments
◦ Data owner can have less control
OWASP
Stands for Open Web Application Security Project
Not for profit organization
Dedicated to web security
◦ Helps raise awareness of trends in security threats
Support for most popular web technologies
◦ Java
◦ C/C++
◦ .Net
◦ PHP
Top ten security risks of 2013
OWASP Top Ten Security Risks of 2013 RC
A1 – Injection
A2 – Broken authentication and session management
A3 – Cross-site scripting (XSS)
A4 – Insecure direct object references
A5 – Security misconfigurations
A6 – Sensitive data exposure
A7 – Missing functional level access control
A8 – Cross-site request forgery (CSRF)
A9 – Using known vulnerable components
A10 – Unvalidated redirects and forwards
A1 - Injection
SQL Injection
◦ Example
◦ WCF method: GetPersonByName(string name), where name = "' or '1' = '1"
◦ Executes SQL
◦ var query = "select * from Person where name = '" + name + "'";
◦ Resolves to "select * from Person where name = '' or '1' = '1'"
◦ One of the most prominent classes of input validation errors
◦ Don't use command interpreters
◦ Use a parameterized interface
◦ var query = "select * from Person where name = @name";
◦ Entity Framework v5
◦ ORM
◦ SQL is generated behind the scenes
◦ Model driven
◦ LINQ to SQL
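The slide's two queries side by side as an added example (not code from the presentation), written as a WCF service; the IPersonService contract, the Person table and the connection string are assumed for illustration.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.ServiceModel;

[ServiceContract]
public interface IPersonService
{
    [OperationContract]
    List<string> GetPersonByName(string name);
}

public class PersonService : IPersonService
{
    // Assumed connection string for illustration only.
    private const string ConnectionString =
        "Server=(local);Database=People;Integrated Security=true";

    // The slide's vulnerable form: the caller's text becomes part of the SQL, so the
    // input ' or '1'='1 turns the WHERE clause into a condition that is always true.
    public List<string> GetPersonByNameUnsafe(string name)
    {
        var query = "select * from Person where name = '" + name + "'";
        return Run(query, null);
    }

    // The slide's parameterized form: the SQL text is fixed and the value is bound as a
    // typed parameter, so quotes in the input are data, never syntax.
    public List<string> GetPersonByName(string name)
    {
        var query = "select * from Person where name = @name";
        var p = new SqlParameter("@name", SqlDbType.NVarChar, 100) { Value = name };
        return Run(query, p);
    }

    private static List<string> Run(string sql, SqlParameter parameter)
    {
        var names = new List<string>();
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            if (parameter != null) command.Parameters.Add(parameter);
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read()) names.Add(reader["name"].ToString());
            }
        }
        return names;
    }
}
```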
A2 – Broken authentication and session management
WCF is stateless by default
◦ Stateful session can be enabled in configuration
Message Authentication
◦ Certificate authentication over transport security
◦ Satisfies Level 1 requirements of the OWASP Application Security Verification Standard (ASVS)
◦ Section V2, all pages and resources must be authenticated except those that are public
◦ Certificate authentication pre-authenticates the client
◦ Authorize attribute is used for business authentication, while the client is authenticated to the service
A3 – Cross-site scripting (XSS)
WCF is not directly vulnerable to XSS
◦ Messages are XML based, not URLs
Implement custom input/output parameter inspectors
◦ IParameterInspector interface
A4 – Insecure direct object references
Authorize attribute
◦ Using role-based authentication
◦ When a message is sent to an endpoint, the service calls the custom role provider for the requested operation
◦ Example:
[Authorize(Roles = "Administrators")]
public void GetAllUsers() { /* only reached by members of the Administrators role */ }
A5 – Security misconfigurations
Don’t expose metadata
◦ Can be turned on for debugging in configuration
◦ App.config or web.config, using the system.serviceModel element
◦ Must be disabled for production
◦ Custom web page
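An added example (not the presentation's code) that applies the production settings in code on a self-hosted ServiceHost and fails startup if they are missing; the comments name the matching system.serviceModel elements.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Description;

public static class ProductionHardening
{
    // Turns off what the system.serviceModel behaviors would otherwise publish to
    // anonymous callers: WSDL/MEX metadata, the HTML help page and exception details.
    public static void Apply(ServiceHost host)
    {
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata != null)
        {
            // Config equivalent: <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
            metadata.HttpGetEnabled = false;
            metadata.HttpsGetEnabled = false;
        }

        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug != null)
        {
            // Config equivalent: <serviceDebug httpHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
            debug.HttpHelpPageEnabled = false;
            debug.HttpsHelpPageEnabled = false;
            debug.IncludeExceptionDetailInFaults = false;
        }

        // A leftover "mex" endpoint would still answer metadata requests; remove it.
        var mex = new List<ServiceEndpoint>();
        foreach (var endpoint in host.Description.Endpoints)
            if (endpoint.Contract.ContractType == typeof(IMetadataExchange)) mex.Add(endpoint);
        foreach (var endpoint in mex) host.Description.Endpoints.Remove(endpoint);
    }

    // Startup guard: call before host.Open() so a debug setting cannot reach production unnoticed.
    public static void AssertHardened(ServiceHost host)
    {
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata != null && (metadata.HttpGetEnabled || metadata.HttpsGetEnabled))
            throw new InvalidOperationException("Metadata publishing is enabled in production.");
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug != null && debug.IncludeExceptionDetailInFaults)
            throw new InvalidOperationException("Exception details would be returned to callers.");
    }
}
```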
A6 – Sensitive data exposure
Store sensitive data in its encrypted form
Passwords
◦ Don’t actually store the password, store a hash
◦ Random salt (256 bytes)
◦ RSA Pseudo random number generator
◦ SHA-256(Salt + Password) = Salted Password Hash
◦ Every time user changes the password, a new salt is used
◦ Database table has two columns, allows for one way validation
◦ PasswordSalt, non-sensitive
◦ PasswordHash
◦ Timeout after specified number of failed attempts
◦ Stops brute force attacks
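A working form of the scheme on this slide, added here (not the presentation's code): RNGCryptoServiceProvider is assumed to be what the slide's "RSA pseudo random number generator" refers to, and the PasswordSalt and PasswordHash columns map to the two out parameters.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordStore
{
    private const int SaltSize = 256; // bytes, as on the slide

    // Assumed: the slide's "RSA pseudo random number generator" means the .NET
    // cryptographic RNG, RNGCryptoServiceProvider.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return salt;
    }

    // SHA-256(Salt + Password): salt bytes first, then the UTF-8 bytes of the password.
    public static byte[] Hash(byte[] salt, string password)
    {
        var pwd = Encoding.UTF8.GetBytes(password);
        var input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var sha = SHA256.Create()) return sha.ComputeHash(input);
    }

    // On every password change a fresh salt is drawn; only these two values are stored,
    // in the PasswordSalt and PasswordHash columns.
    public static void SetPassword(string password, out byte[] passwordSalt, out byte[] passwordHash)
    {
        passwordSalt = NewSalt();
        passwordHash = Hash(passwordSalt, password);
    }

    // One-way validation: recompute and compare in fixed time, so a mismatch does not
    // leak through timing how many leading bytes matched.
    public static bool Verify(string attempt, byte[] passwordSalt, byte[] passwordHash)
    {
        var candidate = Hash(passwordSalt, attempt);
        if (candidate.Length != passwordHash.Length) return false;
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ passwordHash[i];
        return diff == 0;
    }
}
```

One SHA-256 round is cheap to compute offline, so for new systems a deliberately slow, iterated function such as PBKDF2 (Rfc2898DeriveBytes in .NET) should replace the plain hash, keeping the same salt-per-change and two-column layout. The failed-attempt lockout from the slide is a separate counter on the login path and is not shown here.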
A7 – Missing functional level access control
Related to A4, Insecure Direct Object References
WCF by default is stateless
◦ If using default, sessions are not of concern
◦ If using sessions, control with OperationContract
◦ IsInitiating property
◦ IsTerminating property
Windows Identity Foundation
◦ Supports federated claims based security
◦ Authorized claim sets
◦ Used similarly to role-based authorization
A8 – Cross-site request forgery (CSRF)
WCF is message based, so CSRF is not as much of a risk
It is possible to implement controls for this risk
Windows Identity Foundation
◦ If implemented, service is already using a Security Token Service (STS)
◦ STS processes user validation request
◦ Provides a claim-set for the user
◦ When the user sends a message request to the service, the claim-set is provided as a token, which the STS evaluates
A9 – Using known vulnerable components
Don't use components that are untested or whose source is unknown
Most controls and tools are already part of the .Net framework
◦ Entity Framework v5
◦ Tight integration with existing Microsoft .Net technologies
◦ Beta versions are not a good idea
OWASP ESAPI for .Net
◦ Website states it’s not suitable for production use
◦ Good reason not to use it
A10 – Unvalidated redirects and forwards
Redirects and forwards should be avoided
WCF is not at risk the way web applications are
◦ Sometimes parameters can contain the target page
◦ IParameterInspector custom inspector
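One inspector serving both the XSS slide (A3) and this one: an added example, not the presentation's code, that implements IParameterInspector to reject markup in string parameters and to check that any URL-valued parameter stays on an allow-listed host. The host list and the [SafeInput] attribute are assumptions for illustration.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public sealed class SafeInputInspector : IParameterInspector
{
    // Hosts that a URL-valued parameter may point at (assumed allow-list for this example).
    private static readonly string[] AllowedHosts = { "services.example.com" };
    public object BeforeCall(string operationName, object[] inputs)
    {
        for (int i = 0; i < inputs.Length; i++)
        {
            var text = inputs[i] as string;
            if (text == null) continue;
            // A3: a string parameter carrying markup is rejected before the operation runs.
            if (text.IndexOf('<') >= 0 || text.IndexOf('>') >= 0)
                throw new FaultException(operationName + ": parameter " + i + " contains markup.");
            // A10: an absolute http(s) URL in a parameter must target a known host.
            Uri target;
            if (Uri.TryCreate(text, UriKind.Absolute, out target)
                && (target.Scheme == Uri.UriSchemeHttp || target.Scheme == Uri.UriSchemeHttps)
                && Array.IndexOf(AllowedHosts, target.Host) < 0)
                throw new FaultException(operationName + ": parameter " + i + " points off-site.");
        }
        return null; // no correlation state needed by AfterCall
    }

    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState)
    {
        // Output side: a string return value carrying markup is blocked the same way.
        var text = returnValue as string;
        if (text != null && (text.IndexOf('<') >= 0 || text.IndexOf('>') >= 0))
            throw new FaultException(operationName + ": return value contains markup.");
    }
}

// Marks an operation with [SafeInput] to attach the inspector to its dispatch pipeline.
[AttributeUsage(AttributeTargets.Method)]
public sealed class SafeInputAttribute : Attribute, IOperationBehavior
{
    public void AddBindingParameters(OperationDescription op, BindingParameterCollection p) { }
    public void ApplyClientBehavior(OperationDescription op, ClientOperation client) { }
    public void ApplyDispatchBehavior(OperationDescription op, DispatchOperation dispatch)
    {
        dispatch.ParameterInspectors.Add(new SafeInputInspector());
    }
    public void Validate(OperationDescription op) { }
}
```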
Review
Windows Communication Foundation
ASP.NET MVC Web API
OWASP
Top Ten project