ISA Web Application Security


8/14/2019 ISA Web Application Security

INTERACTIVE SAUDI ARABIA LTD.

ISA Web Application Security
Security Guidelines and Checklist

Ahmed Abdulhamid
3/10/2009

2008, Interactive Saudi Arabia Limited. All rights reserved. This document or any part thereof may not, without the written consent of Interactive Saudi Arabia Limited (ISA), be copied, reprinted, or reproduced in any material form, including but not limited to photocopying, transcribing, transmitting, or storing it in any medium or translating it into any language, in any form or by any means, be it electronic, mechanical, xerographic, optical, magnetic or otherwise. The information contained in this document is proprietary and confidential; all copyrights, trademarks, trade names, patents and other intellectual property rights in the documentation are the exclusive property of ISA unless otherwise specified. The information (including but not limited to data, drawings, specification and documentation) shall not at any time be disclosed directly or indirectly to any third party without the prior written consent of ISA. The information contained herein is believed to be accurate and reliable. ISA accepts no responsibility for its use by any means or in any way whatsoever. The information contained herein is subject to change without notice.


    Prepared by: Ahmed Abdulhamid Page 2

Table of Contents

Security Guidelines ........................ 3
  Input/Data Validation .................... 3
  Authentication ........................... 3
  Authorization ............................ 3
  Code access security ..................... 4
  Data Access .............................. 4
  Exception Management ..................... 4
  Impersonation/Delegation ................. 4
  Parameter Manipulation ................... 5
  Sensitive Data ........................... 5
  Session Management ....................... 5
Security Checklist ......................... 6
  Authentication ........................... 6
  Authorization ............................ 6
  Client Side Attack ....................... 7
  Command Execution ........................ 7
  Error Handling ........................... 7
  Logical Attacks .......................... 8


    Security Guidelines

    Input/Data Validation

- Do not rely on ASP.NET request validation
- Validate input for length, range, format, and type
- Validate input from all sources, such as the QueryString, cookies, and HTML controls
- Do not rely on client-side validation
- Avoid user-supplied file name and path input
- Do not echo untrusted input
- If you need to write out untrusted data, encode the output
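As an added example (not from the ISA document) of the validation and encoding rules above, the following ASP.NET Web Forms helper checks a query-string value for length, format, type and range, and HTML-encodes the raw value if it has to be echoed back; the class and method names, the order-id pattern and the limits are constructed for this illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Server-side validation of one request value. ASP.NET request validation
// (ValidateRequest) stays on, but nothing here relies on it.
public static class OrderLookup
{
    // Constructed whitelist: an order id is 1 to 8 digits (\z so a trailing newline cannot slip past $).
    private static readonly Regex OrderIdPattern = new Regex(@"^\d{1,8}\z", RegexOptions.Compiled);
    private const int MaxLength = 8;
    private const int MinOrderId = 1;
    private const int MaxOrderId = 99999999;

    // Returns the parsed id, or null when the raw value fails any check.
    public static int? ValidateOrderId(string raw)
    {
        if (string.IsNullOrEmpty(raw) || raw.Length > MaxLength)   // length
            return null;
        if (!OrderIdPattern.IsMatch(raw))                            // format (whitelist)
            return null;
        int id;
        if (!int.TryParse(raw, out id))                              // type
            return null;
        if (id < MinOrderId || id > MaxOrderId)                      // range
            return null;
        return id;
    }

    // The untrusted value is never written out as-is; if it must be shown,
    // HttpUtility.HtmlEncode renders "<script>" as "&lt;script&gt;" for the HTML context.
    public static string BuildMessage(string raw)
    {
        int? id = ValidateOrderId(raw);
        if (id.HasValue)
            return "Order " + id.Value + " found.";
        return "Invalid order id: " + HttpUtility.HtmlEncode(raw ?? string.Empty);
    }

    // Call site in a page. Cookies and form fields get the same treatment as the
    // query string, and the checks run regardless of any client-side validation.
    public static string HandleRequest(HttpRequest request)
    {
        return BuildMessage(request.QueryString["id"]);
    }
}
```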

    Authentication

    Forms Authentication

- Use membership providers instead of custom authentication
- Use SSL to protect credentials and authentication cookies
- If you cannot use SSL, consider reducing session lifetime
- Validate user login information
- Do not store passwords directly in the user store
- Enforce strong passwords
- Protect access to your credential store
- Do not persist authentication cookies
- Restrict authentication tickets to HTTPS connections
- Consider partitioning your site into restricted areas and public areas
- Use unique cookie names and paths

    Windows Authentication

- Choose Windows authentication when you can
- Enforce strong password policies

    Authorization

- Use URL authorization for page and directory access control
- Configure ACLs on your Web site files
- Use ASP.NET role manager for roles authorization
- If your role lookup is expensive, consider role caching
- Protect your authorization cookie

Reference: http://msdn.microsoft.com/en-us/library/ms998258.aspx#pagguidelines0001_restrictauthenticationticketstohttpsconn

    Code Access Security

- Consider code access security for partial trust applications
- Choose a trust level that does not exceed your application's requirements
- Create a custom trust policy if your application needs additional permissions
- Use Medium trust in shared hosting environments

    Data Access

- Encrypt your connection strings
- Use least-privileged accounts for database access
- Use Windows authentication where possible
- If you use Windows authentication, use a trusted service account
- If you cannot use a domain account, consider mirrored accounts
- When using SQL authentication, use strong passwords
- When using SQL authentication, protect credentials over the network
- When using SQL authentication, protect credentials in configuration files
- Validate untrusted input passed to your data access methods
- When constructing SQL queries, use type safe SQL parameters
- Avoid dynamic queries that accept user input
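An added example (not code from the ISA document) showing the last two Data Access points side by side: the dynamic query the guideline says to avoid, and the same lookup with a type-safe SqlParameter. The connection-string name "AppDb", the Users table and the class are constructed; the connection string is read from web.config as the first point recommends.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Read from web.config. The <connectionStrings> section can be encrypted in place
    // with "aspnet_regiis -pe connectionStrings" so the file holds no clear-text credentials.
    // With Integrated Security the database login is the app-pool identity, which should be
    // granted only the rights the application actually needs.
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; }
    }

    // The pattern the guideline says to avoid: user input concatenated into the statement.
    // A single quote in userName closes the literal and the remainder is parsed as SQL.
    public static int CountUsersUnsafe(string userName)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Type-safe parameter: the value travels as data with a declared type and length,
    // so it cannot alter the structure of the statement.
    public static int CountUsersSafe(string userName)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @UserName";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            SqlParameter p = cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256);
            p.Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```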

    Exception Management

- Use structured exception handling
- Do not reveal exception details to the client
- Use a global error handler to catch unhandled exceptions
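An added example (not from the ISA document) of the global error handler the section calls for: a Global.asax code-behind that logs the full exception on the server and sends the client only a generic page. The event-source name and the two page names are constructed.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Global.asax code-behind: the one place unhandled exceptions end up.
// Pair it with <customErrors mode="On" defaultRedirect="~/Error.aspx" /> in web.config so
// the ASP.NET error page (stack trace, source lines) never reaches a client.
public class Global : HttpApplication
{
    // Constructed name; register it once with EventLog.CreateEventSource before first use.
    private const string EventSource = "IsaWebApp";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;

        // Page errors arrive wrapped in HttpUnhandledException; log the real cause.
        HttpException httpEx = ex as HttpException;
        int statusCode = httpEx != null ? httpEx.GetHttpCode() : 500;
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // Full detail goes to the server-side log only.
        EventLog.WriteEntry(EventSource, ex.ToString(), EventLogEntryType.Error);

        // Mark the exception handled and discard any partially rendered output.
        Server.ClearError();
        Response.Clear();

        // The client sees a generic page; nothing from the exception is copied into the response.
        Response.Redirect(statusCode == 404 ? "~/NotFound.aspx" : "~/Error.aspx", false);
    }
}
```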

    Impersonation/Delegation

- Know your tradeoffs with impersonation
- Avoid calling LogonUser
- Avoid programmatic impersonation where possible
- If you need to impersonate, consider threading issues
- If you need to impersonate, clean up appropriately
- Avoid losing impersonation tokens


    Security Checklist

    Authentication

1. Brute Force
A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit card number or cryptographic key.

2. Insufficient Authentication
Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.

3. Weak Password Recovery Validation
Weak Password Recovery Validation is when a web site permits an attacker to illegally obtain, change or recover another user's password.

    Authorization

4. Credential/Session Prediction
Credential/Session Prediction is a method of hijacking or impersonating a web site user.

5. Insufficient Authorization
Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions.

6. Insufficient Session Expiration
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.


7. Session Fixation
Session Fixation is an attack technique that forces a user's session ID to an explicit value.

    Client-side Attacks

8. Content Spoofing
Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.

9. Cross-site Scripting
Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.

    Command Execution

10. Buffer Overflow
Buffer Overflow exploits are attacks that alter the flow of an application by overwriting parts of memory.

11. Format String Attack
Format String Attacks alter the flow of an application by using string formatting library features to access other memory space.

12. SSI Injection
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.

    Error Handling

13. Directory Indexing
Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file is not present.

14. Information Leakage
Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.

15. Path Traversal
The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.

16. Predictable Resource Location
Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality.
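An added example (not from the ISA document) for the Path Traversal item above and for the guideline "Avoid user-supplied file name and path input": a check that accepts only a bare file name, canonicalises the resulting path and confirms it still lies inside the one directory the application serves from. The root path, class and method names are constructed, and it assumes ASP.NET on Windows.

```csharp
using System;
using System.IO;

public static class SafeFileAccess
{
    // Constructed root: the only directory the application may serve files from.
    // Path.GetFullPath keeps the trailing separator, which the containment check relies on.
    private static readonly string DownloadRoot =
        Path.GetFullPath(@"C:\inetpub\app\downloads\");

    // Returns the canonical path of the requested file, or null if the request names
    // anything other than an existing file directly inside DownloadRoot.
    public static string ResolveDownloadPath(string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName))
            return null;

        // Accept only a bare file name: no drive letters, separators or invalid characters.
        if (requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return null;
        if (requestedName != Path.GetFileName(requestedName))
            return null;

        // Canonicalise and re-check containment. ".." passes the checks above as a
        // "file name" but resolves to the parent directory and fails here; the trailing
        // separator on DownloadRoot means the prefix only matches inside the directory.
        string full = Path.GetFullPath(Path.Combine(DownloadRoot, requestedName));
        if (!full.StartsWith(DownloadRoot, StringComparison.OrdinalIgnoreCase))
            return null;

        // Existence is checked last, so a request cannot learn whether a file
        // outside the root exists.
        return File.Exists(full) ? full : null;
    }
}
```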

    Logical Attacks

17. Abuse of Functionality
Abuse of Functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvent access control mechanisms.

18. Denial of Service
Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity.

19. Insufficient Anti-automation
Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.

20. Insufficient Process Validation
Insufficient Process Validation is when a web site permits an attacker to bypass or circumvent the intended flow control of an application.