
  • Improving Web Application Security Threats and Countermeasures

    Forewords by Mark Curphey, Joel Scambray, and Erik Olson

  • Improving Web Application Security

    Threats and Countermeasures

    patterns & practices

    J.D. Meier, Microsoft Corporation

    Alex Mackman, Content Master

    Srinath Vasireddy, Microsoft Corporation

    Michael Dunner, Microsoft Corporation

    Ray Escamilla, Microsoft Corporation

    Anandha Murukan, Satyam Computer Services

  • Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BizTalk, IntelliSense, MSDN, Visual Basic, Visual C#, Visual C++, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    © 2003 Microsoft Corporation. All rights reserved.

    Version 1.0

    6/30/2003

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

  • Contents

    Forewords ..... xliii
        Foreword by Mark Curphey ..... xliii
        Foreword by Joel Scambray ..... xlv
        Foreword by Erik Olson ..... xlvi

    Introduction ..... xlix
        Why We Wrote This Guide ..... xlix
        What Is a Hack-Resilient Application? ..... l
        Scope of This Guide ..... li
            Securing the Network, Host, and Application ..... li
            Technologies in Scope ..... lii
        Who Should Read This Guide ..... lii
        How to Use This Guide ..... liii
            Applying the Guidance to Your Role ..... liii
            Applying the Guidance to Your Product Life Cycle ..... liv
            Microsoft Solutions Framework ..... lv
        Organization of This Guide ..... lv
            Solutions at a Glance ..... lv
            Fast Track ..... lv
            Parts ..... lvi
            Checklists ..... lvii
            “How To” Articles ..... lviii
        Approach Used in This Guide ..... lviii
            Secure Your Network, Host, and Application ..... lviii
            Focus on Threats ..... lix
            Follow a Principle-Based Approach ..... lx
        Positioning of This Guide ..... lx
            Volume I, Building Secure ASP.NET Applications ..... lx
            Volume II, Improving Web Application Security ..... lxi
        Feedback and Support ..... lxii
            Feedback on the Guide ..... lxii
            Technical Support ..... lxii
            Community and Newsgroup Support ..... lxii
        The Team Who Brought You This Guide ..... lxiii
            Contributors and Reviewers ..... lxiii
        Tell Us About Your Success ..... lxiv
        Summary ..... lxiv


    Solutions at a Glance ..... lxv
        Architecture and Design Solutions ..... lxv
        Development Solutions ..... lxvi
        Administration Solutions ..... lxx

    Fast Track — How To Implement the Guidance ..... lxxv
        Goal and Scope ..... lxxv
        The Holistic Approach ..... lxxvi
        Securing Your Network ..... lxxvii
        Securing Your Host ..... lxxvii
        Securing Your Application ..... lxxviii
        Identify Threats ..... lxxix
        Applying the Guidance to Your Product Life Cycle ..... lxxxi
        Implementing the Guidance ..... lxxxii
        Who Does What? ..... lxxxiii
            RACI Chart ..... lxxxiii
        Summary ..... lxxxiv

    Part I Introduction to Threats and Countermeasures ..... 1

    Chapter 1 Web Application Security Fundamentals ..... 3
        We Are Secure — We Have a Firewall ..... 3
        What Do We Mean By Security? ..... 4
            The Foundations of Security ..... 4
        Threats, Vulnerabilities, and Attacks Defined ..... 5
        How Do You Build a Secure Web Application? ..... 5
        Secure Your Network, Host, and Application ..... 6
        Securing Your Network ..... 7
            Network Component Categories ..... 7
        Securing Your Host ..... 7
            Host Configuration Categories ..... 8
        Securing Your Application ..... 9
            Application Vulnerability Categories ..... 9
        Security Principles ..... 11
        Summary ..... 12
        Additional Resources ..... 12

    Chapter 2 Threats and Countermeasures ..... 13
        In This Chapter ..... 13
        Overview ..... 13


        How to Use This Chapter ..... 14
        Anatomy of an Attack ..... 14
            Survey and Assess ..... 15
            Exploit and Penetrate ..... 15
            Escalate Privileges ..... 15
            Maintain Access ..... 16
            Deny Service ..... 16
        Understanding Threat Categories ..... 16
            STRIDE ..... 16
            STRIDE Threats and Countermeasures ..... 17
        Network Threats and Countermeasures ..... 18
            Information Gathering ..... 18
            Sniffing ..... 19
            Spoofing ..... 19
            Session Hijacking ..... 19
            Denial of Service ..... 20
        Host Threats and Countermeasures ..... 20
            Viruses, Trojan Horses, and Worms ..... 21
            Footprinting ..... 21
            Password Cracking ..... 22
            Denial of Service ..... 22
            Arbitrary Code Execution ..... 23
            Unauthorized Access ..... 23
        Application Threats and Countermeasures ..... 23
        Input Validation ..... 24
            Buffer Overflows ..... 25
            Cross-Site Scripting ..... 26
            SQL Injection ..... 27
            Canonicalization ..... 28
        Authentication ..... 29
            Network Eavesdropping ..... 29
            Brute Force Attacks ..... 30
            Dictionary Attacks ..... 30
            Cookie Replay Attacks ..... 31
            Credential Theft ..... 31
        Authorization ..... 31
            Elevation of Privilege ..... 32
            Disclosure of Confidential Data ..... 32
            Data Tampering ..... 32
            Luring Attacks ..... 33
        Configuration Management ..... 33
            Unauthorized Access to Administration Interfaces ..... 33
            Unauthorized Access to Configuration Stores ..... 34
            Retrieval of Plaintext Configuration Secrets ..... 34
            Lack of Individual Accountability ..... 34
            Over-privileged Application and Service Accounts ..... 34


        Sensitive Data ..... 35
            Access to Sensitive Data in Storage ..... 35
            Network Eavesdropping ..... 35
            Data Tampering ..... 35
        Session Management ..... 36
            Session Hijacking ..... 36
            Session Replay ..... 36
            Man in the Middle Attacks ..... 37
        Cryptography ..... 37
            Poor Key Generation or Key Management ..... 38
            Weak or Custom Encryption ..... 38
            Checksum Spoofing ..... 38
        Parameter Manipulation ..... 39
            Query String Manipulation ..... 39
            Form Field Manipulation ..... 40
            Cookie Manipulation ..... 40
            HTTP Header Manipulation ..... 40
        Exception Management ..... 40
            Attacker Reveals Implementation Details ..... 41
            Denial of Service ..... 41
        Auditing and Logging ..... 41
            User Denies Performing an Operation ..... 42
            Attackers Exploit an Application Without Leaving a Trace ..... 42
            Attackers Cover Their Tracks ..... 42
        Summary ..... 42
        Additional Resources ..... 43

    Chapter 3 Threat Modeling ..... 45
        In This Chapter ..... 45
        Overview ..... 45
        Before You Begin ..... 45
        How to Use This Chapter ..... 46
        Threat Modeling Principles ..... 47
            The Process ..... 47
            The Output ..... 48
        Step 1. Identify Assets ..... 49
        Step 2. Create an Architecture Overview ..... 49
            Identify What the Application Does ..... 50
            Create an Architecture Diagram ..... 50
            Identify the Technologies ..... 51


        Step 3. Decompose the Application ..... 52
            Identify Trust Boundaries ..... 53
            Identify Data Flow ..... 53
            Identify Entry Points ..... 54
            Identify Privileged Code ..... 54
            Document the Security Profile ..... 55
        Step 4. Identify the Threats ..... 56
            Identify Network Threats ..... 57
            Identify Host Threats ..... 58
            Identify Application Threats ..... 58
            Using Attack Trees and Attack Patterns ..... 59
        Step 5. Document the Threats ..... 62
        Step 6. Rate the Threats ..... 62
            Risk = Probability * Damage Potential ..... 63
            High, Medium, and Low Ratings ..... 63
            DREAD ..... 63
        What Comes After Threat Modeling? ..... 65
            Generating a Work Item Report ..... 66
        Summary ..... 66
        Additional Resources ..... 66

    Part II Designing Secure Web Applications ..... 67

    Chapter 4 Design Guidelines for Secure Web Applications ..... 69
        In This Chapter ..... 69
        Overview ..... 69
        How to Use This Chapter ..... 70
        Architecture and Design Issues for Web Applications ..... 70
        Deployment Considerations ..... 72
            Security Policies and Procedures ..... 73
            Network Infrastructure Components ..... 73
            Deployment Topologies ..... 73
            Intranet, Extranet, and Internet ..... 74
        Input Validation ..... 74
            Assume All Input Is Malicious ..... 75
            Centralize Your Approach ..... 75
            Do Not Rely on Client-Side Validation ..... 76
            Be Careful with Canonicalization Issues ..... 76
            Constrain, Reject, and Sanitize Your Input ..... 77
            In Practice ..... 79


        Authentication ..... 80
            Separate Public and Restricted Areas ..... 81
            Use Account Lockout Policies for End-User Accounts ..... 81
            Support Password Expiration Periods ..... 81
            Be Able to Disable Accounts ..... 82
            Do Not Store Passwords in User Stores ..... 82
            Require Strong Passwords ..... 82
            Do Not Send Passwords Over the Wire in Plaintext ..... 82
            Protect Authentication Cookies ..... 82
        Authorization ..... 83
            Use Multiple Gatekeepers ..... 83
            Restrict User Access to System Level Resources ..... 83
            Consider Authorization Granularity ..... 83
        Configuration Management ..... 86
            Secure Your Administration Interfaces ..... 86
            Secure Your Configuration Stores ..... 86
            Separate Administration Privileges ..... 87
            Use Least Privileged Process and Service Accounts ..... 87
        Sensitive Data ..... 87
            Secrets ..... 87
            Sensitive Per User Data ..... 89
        Session Management ..... 90
            Use SSL to Protect Session Authentication Cookies ..... 90
            Encrypt the Contents of the Authentication Cookies ..... 90
            Limit Session Lifetime ..... 91
            Protect Session State from Unauthorized Access ..... 91
        Cryptography ..... 91
            Do Not Develop Your Own Cryptography ..... 92
            Keep Unencrypted Data Close to the Algorithm ..... 92
            Use the Correct Algorithm and Correct Key Size ..... 92
            Secure Your Encryption Keys ..... 92
        Parameter Manipulation ..... 93
            Encrypt Sensitive Cookie State ..... 93
            Make Sure that Users Do Not Bypass Your Checks ..... 93
            Validate All Values Sent from the Client ..... 94
            Do Not Trust HTTP Header Information ..... 94
        Exception Management ..... 94
            Do Not Leak Information to the Client ..... 94
            Log Detailed Error Messages ..... 95
            Catch Exceptions ..... 95
        Auditing and Logging ..... 95
            Audit and Log Access Across Application Tiers ..... 95
            Consider Identity Flow ..... 96
            Log Key Events ..... 96
            Secure Log Files ..... 96
            Back Up and Analyze Log Files Regularly ..... 96


    Design Guidelines Summary ..... 97
    Summary ..... 98
    Additional Resources ..... 98

    Chapter 5 Architecture and Design Review for Security 99

    In This Chapter ..... 99
    Overview ..... 99
    How to Use This Chapter ..... 100
    Architecture and Design Review Process ..... 100
    Deployment and Infrastructure Considerations ..... 101
        Does the Network Provide Secure Communication? ..... 102
        Does Your Deployment Topology Include an Internal Firewall? ..... 102
        Does Your Deployment Topology Include a Remote Application Server? ..... 102
        What Restrictions Does Infrastructure Security Impose? ..... 103
        Have You Considered Web Farm Issues? ..... 104
        What Trust Levels Does the Target Environment Support? ..... 104
    Input Validation ..... 105
        How Do You Validate Input? ..... 106
        What Do You Do with the Input? ..... 107
    Authentication ..... 107
        Do You Separate Public and Restricted Access? ..... 108
        Have You Identified Service Account Requirements? ..... 108
        How Do You Authenticate the Caller? ..... 109
        How Do You Authenticate with the Database? ..... 109
        Do You Enforce Strong Account Management Practices? ..... 111
    Authorization ..... 111
        How Do You Authorize End Users? ..... 112
        How Do You Authorize the Application in the Database? ..... 113
        How Do You Restrict Access to System-Level Resources? ..... 113
    Configuration Management ..... 114
        Do You Support Remote Administration? ..... 114
        Do You Secure Configuration Stores? ..... 115
        Do You Separate Administrator Privileges? ..... 115
    Sensitive Data ..... 115
        Do You Store Secrets? ..... 116
        How Do You Store Sensitive Data? ..... 117
        Do You Pass Sensitive Data Over the Network? ..... 117
        Do You Log Sensitive Data? ..... 117
    Session Management ..... 117
        How Are Session Identifiers Exchanged? ..... 118
        Do You Restrict Session Lifetime? ..... 118
        How Is the Session State Store Secured? ..... 118

    xii Improving Web Application Security: Threats and Countermeasures

    Cryptography ..... 119
        Why Do You Use Particular Algorithms? ..... 119
        How Do You Secure Encryption Keys? ..... 120
    Parameter Manipulation ..... 120
        Do You Validate All Input Parameters? ..... 121
        Do You Pass Sensitive Data in Parameters? ..... 121
        Do You Use HTTP Header Data for Security? ..... 121
    Exception Management ..... 122
        Do You Use Structured Exception Handling? ..... 122
        Do You Reveal Too Much Information to the Client? ..... 122
    Auditing and Logging ..... 123
        Have You Identified Key Activities to Audit? ..... 123
        Have You Considered How to Flow Original Caller Identity? ..... 124
        Have You Considered Secure Log File Management Policies? ..... 124
    Summary ..... 124
    Additional Resources ..... 125

    Part III Building Secure Web Applications 127

    Chapter 6 .NET Security Overview 129

    In This Chapter ..... 129
    Overview ..... 129
    How to Use This Chapter ..... 130
    Managed Code Benefits ..... 130
    User vs. Code Security ..... 131
        Role-Based Security ..... 131
        Code Access Security ..... 132
    .NET Framework Role-Based Security ..... 133
        Principals and Identities ..... 134
        PrincipalPermission Objects ..... 134
        Role-Based Security Checks ..... 137
        URL Authorization ..... 138
    .NET Framework Security Namespaces ..... 139
        System.Security ..... 140
        System.Web.Security ..... 141
        System.Security.Cryptography ..... 141
        System.Security.Principal ..... 141
        System.Security.Policy ..... 142
        System.Security.Permissions ..... 142
    Summary ..... 144
    Additional Resources ..... 144


    Chapter 7 Building Secure Assemblies 145

    In This Chapter ..... 145
    Overview ..... 145
    How to Use This Chapter ..... 146
    Threats and Countermeasures ..... 146
        Unauthorized Access or Privilege Elevation, or both ..... 147
        Code Injection ..... 147
        Information Disclosure ..... 148
        Tampering ..... 149
    Privileged Code ..... 149
        Privileged Resources ..... 150
        Privileged Operations ..... 150
    Assembly Design Considerations ..... 150
        Identify Privileged Code ..... 150
        Identify the Trust Level of Your Target Environment ..... 151
        Sandbox Highly Privileged Code ..... 152
        Design Your Public Interface ..... 153
    Class Design Considerations ..... 153
        Restrict Class and Member Visibility ..... 153
        Seal Non-Base Classes ..... 153
        Restrict Which Users Can Call Your Code ..... 154
        Expose Fields Using Properties ..... 154
    Strong Names ..... 155
        Security Benefits of Strong Names ..... 156
        Using Strong Names ..... 156
        Delay Signing ..... 157
        ASP.NET and Strong Names ..... 158
        Authenticode vs. Strong Names ..... 159
    Authorization ..... 160
    Exception Management ..... 161
        Use Structured Exception Handling ..... 161
        Do Not Log Sensitive Data ..... 162
        Do Not Reveal Sensitive System or Application Information ..... 162
        Consider Exception Filter Issues ..... 162
        Consider an Exception Management Framework ..... 163
    File I/O ..... 164
        Avoid Untrusted Input for File Names ..... 164
        Do Not Trust Environment Variables ..... 164
        Validate Input File Names ..... 164
        Constrain File I/O Within Your Application’s Context ..... 165
    Event Log ..... 165


    Registry ..... 166
        HKEY_LOCAL_MACHINE ..... 166
        HKEY_CURRENT_USER ..... 166
        Reading from the Registry ..... 167
    Data Access ..... 167
    Unmanaged Code ..... 168
        Validate Input and Output String Parameters ..... 168
        Validate Array Bounds ..... 169
        Check File Path Lengths ..... 169
        Compile Unmanaged Code With the /GS Switch ..... 169
        Inspect Unmanaged Code for Dangerous APIs ..... 169
    Delegates ..... 169
        Do Not Accept Delegates from Untrusted Sources ..... 169
    Serialization ..... 170
        Do Not Serialize Sensitive Data ..... 170
        Validate Serialized Data Streams ..... 170
        Partial Trust Considerations ..... 171
    Threading ..... 171
        Do Not Cache the Results of Security Checks ..... 171
        Consider Impersonation Tokens ..... 172
        Synchronize Static Class Constructors ..... 172
        Synchronize Dispose Methods ..... 172
    Reflection ..... 172
    Obfuscation ..... 173
    Cryptography ..... 174
        Use Platform-provided Cryptographic Services ..... 174
        Key Generation ..... 174
        Key Storage ..... 176
        Key Exchange ..... 178
        Key Maintenance ..... 178
    Summary ..... 179
    Additional Resources ..... 179

    Chapter 8 Code Access Security in Practice 181

    In This Chapter ..... 181
    Overview ..... 181
    How to Use This Chapter ..... 182
    Code Access Security Explained ..... 182
        Code ..... 183
        Evidence ..... 183
        Permissions ..... 184
        Assert, Deny, and PermitOnly Methods ..... 185
        Policy ..... 185
        Code Groups ..... 186


        How Does It Work? ..... 186
        How Is Policy Evaluated? ..... 187
    APTCA ..... 191
        Avoid Using APTCA ..... 191
        Diagnosing APTCA Issues ..... 192
    Privileged Code ..... 193
        Privileged Resources ..... 193
        Privileged Operations ..... 194
    Requesting Permissions ..... 194
        RequestMinimum ..... 195
        RequestOptional ..... 195
        RequestRefused ..... 195
        Implications of Using RequestOptional or RequestRefuse ..... 196
    Authorizing Code ..... 196
        Restrict Which Code Can Call Your Code ..... 197
        Restrict Inheritance ..... 198
        Consider Protecting Cached Data ..... 199
        Protect Custom Resources with Custom Permissions ..... 199
    Link Demands ..... 199
        Luring Attacks ..... 200
        Performance and Link Demands ..... 201
        Calling Methods with Link Demands ..... 201
        Mixing Class and Method Level Link Demands ..... 201
        Interfaces and Link Demands ..... 202
        Structures and Link Demands ..... 202
        Virtual Methods and Link Demands ..... 203
    Assert and RevertAssert ..... 203
        Use the Demand / Assert Pattern ..... 204
        Reduce the Assert Duration ..... 204
    Constraining Code ..... 204
        Using Policy Permission Grants ..... 205
        Using Stack Walk Modifiers ..... 205
    File I/O ..... 205
        Constraining File I/O within your Application’s Context ..... 205
        Requesting FileIOPermission ..... 207
    Event Log ..... 207
        Constraining Event Logging Code ..... 208
        Requesting EventLogPermission ..... 208
    Registry ..... 208
        Constraining Registry Access ..... 209
        Requesting RegistryPermission ..... 209
    Data Access ..... 209
    Directory Services ..... 210
        Constraining Directory Service Access ..... 210
        Requesting DirectoryServicesPermission ..... 211


    Environment Variables ..... 211
        Constraining Environment Variable Access ..... 211
        Requesting EnvironmentPermission ..... 211
    Web Services ..... 212
        Constraining Web Service Connections ..... 212
    Sockets and DNS ..... 213
        Constraining Socket Access ..... 213
        Requesting SocketPermission and DnsPermission ..... 214
    Unmanaged Code ..... 214
        Use Naming Conventions to Indicate Risk ..... 214
        Request the Unmanaged Code Permission ..... 215
        Sandbox Unmanaged API Calls ..... 215
        Use SuppressUnmanagedCodeSecurity with Caution ..... 216
    Delegates ..... 217
    Serialization ..... 218
        Restricting Serialization ..... 218
    Summary ..... 219
    Additional Resources ..... 219

    Chapter 9 Using Code Access Security with ASP.NET 221

    In This Chapter ..... 221
    Overview ..... 221
    How to Use This Chapter ..... 223
    Resource Access ..... 223
    Full Trust and Partial Trust ..... 224
    Configuring Code Access Security in ASP.NET ..... 225
        Configuring Trust Levels ..... 225
        Locking the Trust Level ..... 226
    ASP.NET Policy Files ..... 227
    ASP.NET Policy ..... 227
        Inside an ASP.NET Policy File ..... 228
        Permission State and Unrestricted Permissions ..... 229
        The ASP.NET Named Permission Set ..... 229
        Substitution Parameters ..... 230
    Developing Partial Trust Web Applications ..... 231
        Why Partial Trust? ..... 231
        Problems You Might Encounter ..... 231
    Trust Levels ..... 232
    Approaches for Partial Trust Web Applications ..... 234
    Customize Policy ..... 235
    Sandbox Privileged Code ..... 236
        A Sandboxing Pattern ..... 236


    Deciding Which Approach to Take ..... 238
        Customizing Policy ..... 238
        Sandboxing ..... 238
    Medium Trust ..... 239
        Reduced Attack Surface ..... 239
        Application Isolation ..... 239
    Medium Trust Restrictions ..... 240
        OLE DB ..... 240
        Event Log ..... 244
        Web Services ..... 248
        Registry ..... 250
    Summary ..... 252
    Additional Resources ..... 252

    Chapter 10 Building Secure ASP.NET Pages and Controls 253

    In This Chapter ..... 253
    Overview ..... 253
    How to Use This Chapter ..... 254
    Threats and Countermeasures ..... 254
        Code Injection ..... 255
        Session Hijacking ..... 256
        Identity Spoofing ..... 257
        Parameter Manipulation ..... 258
        Network Eavesdropping ..... 259
        Information Disclosure ..... 259
    Design Considerations ..... 260
        Use Server-Side Input Validation ..... 260
        Partition Your Web Site ..... 261
        Consider the Identity That Is Used for Resource Access ..... 262
        Protect Credentials and Authentication Tickets ..... 262
        Fail Securely ..... 262
        Consider Authorization Granularity ..... 263
        Place Web Controls and User Controls in Separate Assemblies ..... 263
        Place Resource Access Code in a Separate Assembly ..... 263
    Input Validation ..... 263
        Constrain, Then Sanitize ..... 264
        Regular Expressions ..... 264
        String Fields ..... 265
        Date Fields ..... 267
        Numeric Fields ..... 267
        Sanitizing Input ..... 269
        Validating HTML Controls ..... 269
        Validating Input Used for Data Access ..... 270
        Validating Input Used For File I/O ..... 270
        Common Regular Expressions ..... 271


    Cross-Site Scripting ................................................................................................ 272
        Validate Input ..................................................................................................... 273
        Encode Output ................................................................................................... 273
        Defense in Depth Countermeasures .................................................................... 274
    Authentication ........................................................................................................ 277
        Forms Authentication .......................................................................................... 277
        Partition Your Web Site ....................................................................................... 278
        Secure Restricted Pages with SSL ....................................................................... 279
        Use URL Authorization ........................................................................................ 279
        Secure the Authentication Cookie ........................................................................ 280
        Use Absolute URLs for Navigation ....................................................................... 282
        Use Secure Credential Management .................................................................... 283
    Authorization ......................................................................................................... 284
        Use URL Authorization for Page and Directory Access Control ............................... 284
        Use File Authorization with Windows Authentication .............................................. 284
        Use Principal Demands on Classes and Methods ................................................. 284
        Use Explicit Role Checks for Fine-Grained Authorization ........................................ 285
    Impersonation ........................................................................................................ 286
        Using Programmatic Impersonation ..................................................................... 286
    Sensitive Data ....................................................................................................... 288
        Do Not Pass Sensitive Data from Page to Page .................................................... 288
        Avoid Plaintext Passwords in Configuration Files .................................................. 288
        Use DPAPI to Avoid Key Management .................................................................. 288
        Do Not Cache Sensitive Data .............................................................................. 288
    Session Management ............................................................................................. 289
        Require Authentication for Sensitive Pages .......................................................... 289
        Do Not Rely on Client-Side State Management Options ......................................... 289
        Do Not Mix Session Tokens and Authentication Tokens ......................................... 290
        Use SSL Effectively ............................................................................................ 290
        Secure the Session Data .................................................................................... 290
    Parameter Manipulation ......................................................................................... 291
        Protect View State with MACs ............................................................................. 291
        Use Page.ViewStateUserKey to Counter One-Click Attacks .................................... 292
        Maintain Sensitive Data on the Server ................................................................. 292
        Validate Input Parameters ................................................................................... 293
    Exception Management .......................................................................................... 293
        Return Generic Error Pages to the Client .............................................................. 293
        Implement Page-Level or Application-Level Error Handlers ..................................... 294
    Auditing and Logging .............................................................................................. 295
        EventLogPermission ........................................................................................... 296
    Summary ............................................................................................................... 296
    Additional Resources ............................................................................................. 297


    Chapter 11 Building Secure Serviced Components 299

    In This Chapter ...................................................................................................... 299
    Overview ............................................................................................................... 299
    How to Use This Chapter ........................................................................................ 300
    Threats and Countermeasures ................................................................................ 300
        Network Eavesdropping ...................................................................................... 301
        Unauthorized Access .......................................................................................... 301
        Unconstrained Delegation ................................................................................... 301
        Disclosure of Configuration Data ......................................................................... 302
        Repudiation ....................................................................................................... 302
    Design Considerations ........................................................................................... 302
        Role-Based Authorization .................................................................................... 302
        Sensitive Data Protection ................................................................................... 302
        Audit Requirements ............................................................................................ 303
        Application Activation Type ................................................................................. 303
        Transactions ...................................................................................................... 303
        Code Access Security ......................................................................................... 303
    Authentication ........................................................................................................ 304
        Use (At Least) Call Level Authentication .............................................................. 304
    Authorization ......................................................................................................... 304
        Enable Role-Based Security ................................................................................ 304
        Enable Component Level Access Checks ............................................................. 305
        Enforce Component Level Access Checks ............................................................ 305
    Configuration Management ..................................................................................... 305
        Use Least Privileged Run-As Accounts ................................................................. 306
        Avoid Storing Secrets in Object Constructor Strings .............................................. 306
        Avoid Unconstrained Delegation .......................................................................... 306
    Sensitive Data ....................................................................................................... 307
    Auditing and Logging .............................................................................................. 308
        Audit User Transactions ...................................................................................... 308
    Building a Secure Serviced Component ................................................................... 309
        Assembly Implementation ................................................................................... 310
        Serviced Component Class Implementation ......................................................... 311
    Code Access Security Considerations ...................................................................... 313
    Deployment Considerations .................................................................................... 314
        Firewall Restrictions ........................................................................................... 314
    Summary ............................................................................................................... 316
    Additional Resources ............................................................................................. 317

    Chapter 12 Building Secure Web Services 319

    In This Chapter ...................................................................................................... 319
    Overview ............................................................................................................... 319
    How to Use This Chapter ........................................................................................ 320


    Threats and Countermeasures ................................................................................ 320
        Unauthorized Access .......................................................................................... 321
        Parameter Manipulation ..................................................................................... 322
        Network Eavesdropping ...................................................................................... 322
        Disclosure of Configuration Data ......................................................................... 323
        Message Replay ................................................................................................ 323
    Design Considerations ........................................................................................... 325
        Authentication Requirements .............................................................................. 325
        Privacy and Integrity Requirements ..................................................................... 325
        Resource Access Identities ................................................................................. 325
        Code Access Security ......................................................................................... 326
    Input Validation ...................................................................................................... 326
        Strongly Typed Parameters ................................................................................. 326
        Loosely Typed Parameters .................................................................................. 328
        XML Data .......................................................................................................... 328
        SQL Injection ..................................................................................................... 331
        Cross-Site Scripting ........................................................................................... 331
    Authentication ........................................................................................................ 332
        Platform Level Authentication .............................................................................. 332
        Message Level Authentication ............................................................................. 333
        Application Level Authentication .......................................................................... 335
    Authorization ......................................................................................................... 335
        Web Service Endpoint Authorization .................................................................... 336
        Web Method Authorization .................................................................................. 336
        Programmatic Authorization ................................................................................ 336
    Sensitive Data ....................................................................................................... 337
        XML Encryption .................................................................................................. 337
        Encrypting Parts of a Message ............................................................................ 338
    Parameter Manipulation ......................................................................................... 339
    Exception Management .......................................................................................... 339
        Using SoapExceptions ........................................................................................ 340
        Application Level Error Handling in Global.asax .................................................... 341
    Auditing and Logging .............................................................................................. 341
    Proxy Considerations .............................................................................................. 341
    Code Access Security Considerations ...................................................................... 342
    Deployment Considerations .................................................................................... 343
        Intranet Deployment ........................................................................................... 343
        Extranet Deployment .......................................................................................... 343
        Internet Deployment ........................................................................................... 344
    Summary ............................................................................................................... 345
    Additional Resources ............................................................................................. 345


    Chapter 13 Building Secure Remoted Components 347

    In This Chapter ...................................................................................................... 347
    Overview ............................................................................................................... 347
    How to Use This Chapter ........................................................................................ 348
    Threats and Countermeasures ................................................................................ 349
        Unauthorized Access .......................................................................................... 349
        Network Eavesdropping ...................................................................................... 350
        Parameter Manipulation ..................................................................................... 351
        Serialization ...................................................................................................... 351
    Design Considerations ........................................................................................... 352
        Do Not Expose Remoted Objects to the Internet ................................................... 352
        Use the HttpChannel to Take Advantage of ASP.NET Security ................................ 352
        Use the TcpChannel Only in Trusted Server Scenarios ........................................... 352
    Input Validation ...................................................................................................... 354
        Serialization Attacks .......................................................................................... 354
        MarshalByRefObject Attacks ............................................................................... 354
    Authentication ........................................................................................................ 355
        ASP.NET Hosting ................................................................................................ 355
        Custom Process Hosting .................................................................................... 358
    Authorization ......................................................................................................... 359
        Use IPSec for Machine Level Access Control ........................................................ 359
        Enable File Authorization for User Access Control ................................................. 359
        Authorize Users with Principal-Based Role Checks ................................................ 360
        Consider Limiting Remote Access ....................................................................... 360
    Sensitive Data ....................................................................................................... 361
        Using IPSec ....................................................................................................... 361
        Using SSL ......................................................................................................... 361
        Using a Custom Encryption Sink ......................................................................... 361
    Denial of Service ................................................................................................... 364
    Exception Management .......................................................................................... 364
        Using a Custom Channel Sink ............................................................................. 365
    Auditing and Logging .............................................................................................. 365
        Using a Custom Channel Sink ............................................................................. 365
    Code Access Security (CAS) Considerations ............................................................. 365
    Summary ............................................................................................................... 365
    Additional Resources ............................................................................................. 366

    Chapter 14 Building Secure Data Access 367

    In This Chapter ...................................................................................................... 367
    Overview ............................................................................................................... 367
    How to Use This Chapter ........................................................................................ 368


    Threats and Countermeasures ................................................................................ 368
        SQL Injection ..................................................................................................... 369
        Disclosure of Configuration Data ......................................................................... 370
        Disclosure of Sensitive Application Data .............................................................. 370
        Disclosure of Database Schema and Connection Details ...................................... 371
        Unauthorized Access .......................................................................................... 371
        Network Eavesdropping ...................................................................................... 372
    Design Considerations ........................................................................................... 372
        Use Windows Authentication ............................................................................... 373
        Use Least Privileged Accounts ............................................................................ 373
        Use Stored Procedures ....................................................................................... 373
        Protect Sensitive Data in Storage ........................................................................ 374
        Use Separate Data Access Assemblies ............................................................... 375
    Input Validation ...................................................................................................... 376
    SQL Injection ......................................................................................................... 376
        Preventing SQL Injection ..................................................................................... 376
        Constrain Input .................................................................................................. 376
        Use Type Safe SQL Parameters ........................................................................... 377
        Using Parameter Batching .................................................................................. 378
        Using Filter Routines .......................................................................................... 378
        Using LIKE Clauses ............................................................................................ 378
    Authentication ........................................................................................................ 379
        Use Windows Authentication ............................................................................... 379
        Protect the Credentials for SQL Authentication ..................................................... 380
        Connect Using a Least Privileged Account ............................................................ 380
    Authorization ......................................................................................................... 380
        Restrict Unauthorized Callers .............................................................................. 382
        Restrict Unauthorized Code ................................................................................ 383
        Restrict the Application in the Database .............................................................. 383
    Configuration Management ..................................................................................... 384
        Use Windows Authentication ............................................................................... 384
        Secure Your Connection Strings .......................................................................... 384
        Secure UDL Files with Restricted ACLs ................................................................ 386
    Sensitive Data ....................................................................................................... 386
        Encrypt Sensitive Data if You Need to Store It ...................................................... 386
        Secure Sensitive Data Over the Network .............................................................. 387
        Store Password Hashes with Salt ........................................................................ 388
    Exception Management .......................................................................................... 389
        Trap and Log ADO.NET Exceptions ....................................................................... 389
        Ensure Database Connections Are Closed ........................................................... 391
        Use a Generic Error Page in Your ASP.NET Applications ......................................... 392
    Building a Secure Data Access Component .............................................................. 393
    Code Access Security Considerations ...................................................................... 396


    Deployment Considerations .................................................................................... 397
        Firewall Restrictions ........................................................................................... 397
        Connection String Management .......................................................................... 398
        Login Account Configuration ............................................................................... 398
        Logon Auditing ................................................................................................... 398
        Data Privacy and Integrity on the Network ............................................................ 399
    Summary ............................................................................................................... 399
    Additional Resources ............................................................................................. 399

    Part IV Securing Your Network, Host, and Application 401

    Chapter 15 Securing Your Network 403

    In This Chapter ...................................................................................................... 403
    Overview ............................................................................................................... 403
    How to Use This Chapter ..................................................