Embed Size (px)
Citation preview
An Introduction to Application Security In ASP.NET Environments
Houston .NET User Group
February 23rd, 2006
1
Overview
• Background• What is Application Security and Why Is It Important?• Examples• ASP.NET Specific Examples• What is New in .NET 2.0?• Resources and Conclusions
2
Background
• Denim Group– Texas-based consultancy– Microsoft Gold Certified Partner– Custom software development– Systems integration– Application security
• Management Team Experience– Large-scale software development– Air Force information warfare– Client service for DoD, Big 4, Fortune 500
• Myself: Dan Cornell– Microsoft Certified Solution Developer– Java 2 Certified Programmer
3
What is Application Security and Why is it Important?• Application Security Defined• Fit with General Information Security Landscape• Why Does Application Security Matter
4
Application Security Defined
• Ensuring that custom application code performs as expected under the entire range of possible inputs
• Goals:– Confidentiality– Integrity– Availability
• Relationship to Software Quality Assurance– Really a sub-area of SQA– SQA typically verifies that software does what it is supposed to do– Application security is concerned that software does not do what it should
not do
5
Software Implementation – Perfect World
Intended Functionality
Actual Functionality
6
Software Implementation – Real WorldIntended Functionality
Actual Functionality
BugsBuilt
Features
UnintendedAnd UndocumentedFunctionality
7
Information Security
• Software Development: “Build” Culture– Features, functions and timelines
• Information Security: “Measure” Culture– Audit, assess and maintain
• Application security applies information security principles to custom software development efforts
• Many traditional information security practitioners are ill-equipped to mitigate application security issues
8
Why Does This Matter?
• Business-critical web applications are Internet-facing– An increasing number of assets are exposed
• Most applications have serious flaws– Foundstone (McAfee) and @Stake (Symantec) studies
• The regulator environment has changed– Sarbanes Oxley– GLB– California SB-1386
9
OWASP Top 10 Critical Web Application Security Vulnerabilities• Unvalidated Input• Broken Access Control• Broken Authentication and Authorization• Cross Site Scripting (XSS)• Buffer Overflows• Injection Flaws• Improper Error Handling• Insecure Storage• Denial of Service• Insecure Configuration Managementhttp://www.owasp.org/documentation/topten.html
10
Examples
• Hidden parameter tampering• Cookie manipulation• SQL injection
11
Hidden Parameter Tampering
• Price information is stored in hidden HTML form field • Assumption: hidden field won’t be edited• Attacker edits price parameter• Attacker submits altered web page with new “price”• Application trusts the price parameter from the user• Still widespread in many web stores
12
The Attack
13
The Result
14
Cookie Manipulation
• Browser cookie is used to store user identity information• Assumption: cookies are set by server side code, handled by
the browser automatically and not manipulated by users• Attacker alters cookie• Application trusts the browser cookie and allows attacker to
assume identity of another user
15
The Attack
16
The Attack
17
The Result
18
SQL Injection
• SQL statements are created from a combination of static text and user inputs
• Assumption: users will enter well-formed inputs• Attacker crafts a custom input to hijack control of the SQL
interpreter and execute arbitrary code• Very common flaw with tremendous security implications
19
The Attack
string username = Request[“username”];string password = Request[“password”];string sql = “SELECT * FROM User WHERE username =
‘” + username + “’ AND password = ‘” + password + “’”;
SqlCommand cmd = new SqlCommand(sql);IDataReader reader = cmd.ExecuteReader();
20
The Attack
• Specially crafted input contains SQL control characters
21
The Attack
• Malicious user sends in a username parameter of:Dcornell’; DROP DATABASE Ecommerce; --
SQL Executed is:SELECT * FROM User WHERE username = ‘Dcornell’;
DROP DATABASE Ecommerce; -- AND password = ‘whocares’
• Attacker can execute arbitrary database queries with the same permissions as the application
– View sensitive data– Modify data– Destroy data
22
ASP.NET Specific Examples
• Access Control– Authentication– Authorization
• Input Validation– ASP.NET validation– SQL injection– Cross Site Scripting (XSS)– Buffer Overflows
23
Access Control
• Authentication– HTTP Basic– Windows– Forms
• Available in ASP.NET 1.1• Much improved in ASP.NET 2.0 – lots of ready-made controls• See: http://www.sitepoint.com/article/asp-net-2-security
• Authorization– Control access to pages:
• NTFS: FileAuthorizationModule• web.config: UrlAuthorizationModule• See: http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/cpguide/html/cpconaspnetauthorization.asp– Imperative security: Page.User.IsInRole(“roleName”)
24
Input Validation
• ASP.NET Validation• SQL Injection• Cross Site Scripting (XSS)• Buffer Overflows
25
ASP.NET Validation
• Perform both client-side and server-side validation• RequiredFieldValidator requires that a field be present
– Other validators will pass through blank inputs, so often you must use two validators
• Other examples of Validators include:– CompareValidator– RangeValidator– RegularExpressionValidator– CustomValidator
• Validators display error messages in-place• ValidationSummary object used to display a summary of all
errors from validators on a page
26
SQL Injection
• As seen before, this is the result of creating SQL queries by combining static text and unfiltered user inputs
• To prevent attacks, use proper escaping for potentially hostile inputs:
– Stored procedures (CommandType.StoredProcedure)– Parameterized queries– Be sure to actually escape malicious data
27
Cross Site Scripting (XSS)
• ASP.NET framework provides pretty good protection against some XSS attacks
– This is an example of blacklisting inputs rather than whitelisting inputs
• Underlying problem is a failure to properly escape special HTML characters
• Most ASP.NET controls provide this– Literals do not– Use a Label instead when possible– Or use HttpServerUtility.HtmlEncode method
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemWebHttpServerUtilityClassHtmlEncodeTopic1.asp
28
Buffer Overflows
• Managed code should typically be fine– This can give a false sense of security
• Legacy COM components– Can still contain buffer overflows– “Seamless” .NET/COM integration makes these sneaky– Wrap potentially dangerous calls
29
What is New in .NET 2.0?
• Reference connection strings contained in machine.config• Encrypt sections of .config files with machine key• Easier access to DPAPI functions from .NET• Forms Authentication improvements (mentioned earlier)• SecureString class• More…
30
Resources
• OWASP www.owasp.org– Top 10– Guide– WebGoat training tool– WebScarab penetration testing tool (proxy)– Discussion lists
• MSDN msdn.microsoft.com/security
