An Introduction to Application Security In ASP.NET Environments. Houston.NET User Group. February 23 rd, 2006

Transcription

1 An Introduction to Application Security In ASP.NET Environments Houston.NET User Group February 23 rd, 2006

2 Overview Background What is Application Security and Why Is It Important? Examples ASP.NET Specific Examples What is New in.net 2.0? Resources and Conclusions 1

3 Background Denim Group Texas-based consultancy Microsoft Gold Certified Partner Custom software development Systems integration Application security Management Team Experience Large-scale software development Air Force information warfare Client service for DoD, Big 4, Fortune 500 Myself: Dan Cornell Microsoft Certified Solution Developer Java 2 Certified Programmer 2

4 What is Application Security and Why is it Important? Application Security Defined Fit with General Information Security Landscape Why Does Application Security Matter 3

5 Application Security Defined Ensuring that custom application code performs as expected under the entire range of possible inputs Goals: Confidentiality Integrity Availability Relationship to Software Quality Assurance Really a sub-area of SQA SQA typically verifies that software does what it is supposed to do Application security is concerned that software does not do what it should not do 4

6 Software Implementation Perfect World Actual Functionality Intended Functionality 5

7 Software Implementation Real World Actual Functionality Intended Functionality Built Features Bugs Unintended And Undocumented Functionality 6

8 Information Security Software Development: Build Culture Features, functions and timelines Information Security: Measure Culture Audit, assess and maintain Application security applies information security principles to custom software development efforts Many traditional information security practitioners are illequipped to mitigate application security issues 7

9 Why Does This Matter? Business-critical web applications are Internet-facing An increasing number of assets are exposed Most applications have serious flaws Foundstone (McAfee) (Symantec) studies The regulator environment has changed Sarbanes Oxley GLB California SB

10 OWASP Top 10 Critical Web Application Security Vulnerabilities Unvalidated Input Broken Access Control Broken Authentication and Authorization Cross Site Scripting (XSS) Buffer Overflows Injection Flaws Improper Error Handling Insecure Storage Denial of Service Insecure Configuration Management 9

11 Examples Hidden parameter tampering Cookie manipulation SQL injection 10

12 Hidden Parameter Tampering Price information is stored in hidden HTML form field Assumption: hidden field won t be edited Attacker edits price parameter Attacker submits altered web page with new price Application trusts the price parameter from the user Still widespread in many web stores 11

13 The Attack 12

14 The Result 13

15 Cookie Manipulation Browser cookie is used to store user identity information Assumption: cookies are set by server side code, handled by the browser automatically and not manipulated by users Attacker alters cookie Application trusts the browser cookie and allows attacker to assume identity of another user 14

16 The Attack 15

17 The Attack 16

18 The Result 17

19 SQL Injection SQL statements are created from a combination of static text and user inputs Assumption: users will enter well-formed inputs Attacker crafts a custom input to hijack control of the SQL interpreter and execute arbitrary code Very common flaw with tremendous security implications 18

20 The Attack string username = Request[ username ]; string password = Request[ password ]; string sql = SELECT * FROM User WHERE username = + username + AND password = + password + ; SqlCommand cmd = new SqlCommand(sql); IDataReader reader = cmd.executereader(); 19

21 The Attack Specially crafted input contains SQL control characters 20

22 The Attack Malicious user sends in a username parameter of: Dcornell ; DROP DATABASE Ecommerce; -- SQL Executed is: SELECT * FROM User WHERE username = Dcornell ; DROP DATABASE Ecommerce; -- AND password = whocares Attacker can execute arbitrary database queries with the same permissions as the application View sensitive data Modify data Destroy data 21

23 ASP.NET Specific Examples Access Control Authentication Authorization Input Validation ASP.NET validation SQL injection Cross Site Scripting (XSS) Buffer Overflows 22

24 Access Control Authentication HTTP Basic Windows Forms Available in ASP.NET 1.1 Much improved in ASP.NET 2.0 lots of ready-made controls See: Authorization Control access to pages: NTFS: FileAuthorizationModule web.config: UrlAuthorizationModule See: Imperative security: Page.User.IsInRole( rolename ) 23

25 Input Validation ASP.NET Validation SQL Injection Cross Site Scripting (XSS) Buffer Overflows 24

26 ASP.NET Validation Perform both client-side and server-side validation RequiredFieldValidator requires that a field be present Other validators will pass through blank inputs, so often you must use two validators Other examples of Validators include: CompareValidator RangeValidator RegularExpressionValidator CustomValidator Validators display error messages in-place ValidationSummary object used to display a summary of all errors from validators on a page 25

27 SQL Injection As seen before, this is the result of creating SQL queries by combining static text and unfiltered user inputs To prevent attacks, use proper escaping for potentially hostile inputs: Stored procedures (CommandType.StoredProcedure) Parameterized queries Be sure to actually escape malicious data 26

28 Cross Site Scripting (XSS) ASP.NET framework provides pretty good protection against some XSS attacks This is an example of blacklisting inputs rather than whitelisting inputs Underlying problem is a failure to properly escape special HTML characters Most ASP.NET controls provide this Literals do not Use a Label instead when possible Or use HttpServerUtility.HtmlEncode method 27

29 Buffer Overflows Managed code should typically be fine This can give a false sense of security Legacy COM components Can still contain buffer overflows Seamless.NET/COM integration makes these sneaky Wrap potentially dangerous calls 28

30 What is New in.net 2.0? Reference connection strings contained in machine.config Encrypt sections of.config files with machine key Easier access to DPAPI functions from.net Forms Authentication improvements (mentioned earlier) SecureString class More 29

31 Resources OWASP Top 10 Guide WebGoat training tool WebScarab penetration testing tool (proxy) Discussion lists MSDN msdn.microsoft.com/security 30

32 Questions Dan Cornell Denim Group, Ltd. 31