P0wnd! (Or how to redirect your friend's website ... - DevExpress

greenpepperwhinnySecurity

Nov 3, 2013


Don’t get Stung

(An introduction to the OWASP Top Ten Project)

Barry Dorrans

Microsoft Information Security Tools

Contents

OWASP Top Ten
http://www.owasp.org
A worldwide free and open community focused on improving the security of application software

Introduction

Do not try this at home. Or at work.
These are not just ASP.NET vulnerabilities.
If you don't want to ask public questions ...
barryd@idunno.org / http://idunno.org


10 - Unvalidated Redirects and Forwards

Users don't check the address bar.
The default ASP.NET MVC account controller (pre-3.0) redirects to whatever returnUrl it is given, without checking it.
Check the ReturnUrl parameter: accept only a path on your own site, never an absolute or protocol-relative URL.
http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
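The ReturnUrl check the slide asks for, as an added example (not code from the deck or from the linked article; the helper names are assumptions). It follows the rule MVC 3's Url.IsLocalUrl() later adopted: a local URL is a single leading "/" (or "~/") and nothing else, because "//host" is a scheme-relative URL to another site and some browsers treat "/\host" the same way.

```csharp
using System;

// Added example: validate a ReturnUrl before redirecting to it.
static class ReturnUrlCheck
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // "/path" is local, but "//evil.example" is scheme-relative and
        // "/\evil.example" is normalised to that by some browsers, so the
        // character after the leading "/" must be neither "/" nor "\".
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        // "~/path" is an app-relative path that ASP.NET resolves on this site.
        if (url.Length > 1 && url[0] == '~' && url[1] == '/')
            return true;

        // Everything else (absolute URLs, javascript:, bare host names, ...) is rejected.
        return false;
    }

    // Use this in place of Response.Redirect(Request["ReturnUrl"]).
    public static string SafeRedirectTarget(string returnUrl, string fallback)
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    static void Main()
    {
        string[] samples = {                       // constructed inputs
            "/Account/Profile", "~/Home", "//attacker.example/login",
            "/\\attacker.example", "http://attacker.example/", "javascript:alert(1)", ""
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-30} -> {1}", s, SafeRedirectTarget(s, "/"));
    }
}
```

Comparing the host of an absolute URL against Request.Url.Host is the other common approach; the path-only rule above is stricter and has no host-matching corner cases (userinfo, trailing dots, IDN) to get wrong.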

9 - Insufficient Transport Layer Protection

Use SSL.
Protect communications between the web server and backend systems as well (SSL, IPsec etc.).
Replay attacks: use time-limited tokens.
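A time-limited token of the kind the slide recommends, as an added example (not code from the deck). The "subject|expiry|mac" layout, the 5-minute lifetime and the in-memory key are assumptions for the demo; in a real deployment the key comes from a key store, not from code.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: a keyed token that expires, so a captured copy is only
// replayable inside a short window. The MAC covers the expiry, so the window
// cannot be extended by editing the token.
static class TimedToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static string Issue(byte[] key, string subject, DateTime expiresUtc)
    {
        if (subject.Contains("|")) throw new ArgumentException("subject must not contain '|'");
        long exp = (long)(expiresUtc - Epoch).TotalSeconds;
        string payload = subject + "|" + exp;
        return payload + "|" + Convert.ToBase64String(Mac(key, payload));
    }

    // Returns the subject when the token is genuine and unexpired, otherwise null.
    public static string Verify(byte[] key, string token, DateTime nowUtc)
    {
        if (token == null) return null;
        string[] parts = token.Split('|');
        if (parts.Length != 3) return null;
        string payload = parts[0] + "|" + parts[1];

        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return null; }

        // MAC first, in constant time; only then trust the expiry field.
        if (!FixedTimeEquals(Mac(key, payload), presented)) return null;

        long exp;
        if (!long.TryParse(parts[1], out exp)) return null;
        long now = (long)(nowUtc - Epoch).TotalSeconds;
        return exp > now ? parts[0] : null;
    }

    static byte[] Mac(byte[] key, string payload)
    {
        using (var h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key); // constructed demo key

        DateTime issued = DateTime.UtcNow;
        string token = Issue(key, "alice", issued.AddMinutes(5));
        Console.WriteLine(token);
        Console.WriteLine("fresh:    " + (Verify(key, token, issued) ?? "rejected"));
        Console.WriteLine("replayed: " + (Verify(key, token, issued.AddMinutes(6)) ?? "rejected"));
        Console.WriteLine("tampered: " + (Verify(key, token.Replace("alice", "admin"), issued) ?? "rejected"));
    }
}
```

The expiry only bounds the replay window. If a token must be single-use within that window, the server also has to remember the tokens it has already accepted until they expire.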

8 - Failure to Restrict URI Access

Security by obscurity is useless.
Restrict via ASP.NET; no rolling your own!
In IIS7 integrated mode the ASP.NET pipeline, and so its authorization modules, runs for every request, not just for ASP.NET resources.
Use [PrincipalPermission] to protect yourself.
IIS7 adds a web.config based URL authorization list (system.webServer/security/authorization) alongside file ACLs.
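The [PrincipalPermission] demand from the slide, exercised against two constructed principals, as an added example (not code from the deck; the role name "Payroll" and the method are assumptions). This is .NET Framework behaviour: in ASP.NET the request's HttpContext.User is also the thread principal, so the demand is evaluated against the authenticated user's roles on every call, whichever URL reached the method.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: a declarative role demand guards the method itself, so a
// forgotten URL rule or a new entry point cannot bypass the check.
static class Program
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Payroll")]
    static string ExportSalaries()
    {
        return "salary export";   // only reached when the demand succeeds
    }

    static void TryAs(string name, string role)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), new[] { role });
        try
        {
            Console.WriteLine("{0} ({1}): {2}", name, role, ExportSalaries());
        }
        catch (SecurityException)
        {
            // The demand fails before the method body runs; nothing is exported.
            Console.WriteLine("{0} ({1}): access denied", name, role);
        }
    }

    static void Main()
    {
        TryAs("bob", "Users");     // denied
        TryAs("alice", "Payroll"); // allowed
    }
}
```

Declarative demands complement, rather than replace, the web.config authorization rules: the URL rules stop the request early, the demand stops the code path.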

7 - Insecure Cryptographic Storage

Symmetric: the same key encrypts and decrypts.
Asymmetric: public/private key pair.
Use safe algorithms:
  Hashing: SHA256
  Symmetric: AES
  Asymmetric: CMS/PKCS#7
Encrypt, then sign.

Insecure Cryptographic Storage

Use symmetric when
  all systems are under your control
  there is no need to identify who did the encryption
Use asymmetric when
  talking to / accepting from external systems
  you need non-repudiation on who encrypted/signed (X509)
  Asymmetric operations work on small in-memory inputs, so no large plaintexts!
Combine the two for speed and security: asymmetric to protect a symmetric key, symmetric for the data.

Insecure Cryptographic Storage

Do not reuse keys for different purposes.
Store keys outside the main database.
Use CryptGenRandom (RNGCryptoServiceProvider in .NET) for random numbers.
Use and rotate salts.
Use unique IVs.
DPAPI can provide a key store.
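Symmetric storage done the way these three slides prescribe, as an added example (not code from the deck). AES-CBC with a fresh random IV per record, a separate key for the HMAC-SHA256 tag so no key serves two purposes, and the tag computed over the ciphertext (the symmetric analogue of "encrypt, then sign") and checked before anything is decrypted. The keys are generated in memory for the demo; in production they would come from a key store such as DPAPI, away from the database that holds the records.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: encrypt-then-MAC record sealing with per-record IVs.
static class SealedStorage
{
    const int IvSize = 16, TagSize = 32;

    public static byte[] RandomBytes(int count)
    {
        var bytes = new byte[count];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes); // CryptGenRandom underneath
        return bytes;
    }

    // Record layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext)
    public static byte[] Seal(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        byte[] iv = RandomBytes(IvSize);                 // unique per record
        byte[] ivct = Concat(iv, Cipher(encKey, iv, plaintext, true));
        byte[] tag;
        using (var h = new HMACSHA256(macKey)) tag = h.ComputeHash(ivct);
        return Concat(ivct, tag);
    }

    // Returns the plaintext, or null if the record fails authentication.
    public static byte[] Open(byte[] encKey, byte[] macKey, byte[] record)
    {
        if (record == null || record.Length < IvSize + TagSize) return null;
        byte[] ivct = Slice(record, 0, record.Length - TagSize);
        byte[] tag = Slice(record, record.Length - TagSize, TagSize);
        byte[] expected;
        using (var h = new HMACSHA256(macKey)) expected = h.ComputeHash(ivct);
        if (!FixedTimeEquals(expected, tag)) return null;   // verify before decrypt
        byte[] iv = Slice(ivct, 0, IvSize);
        byte[] ct = Slice(ivct, IvSize, ivct.Length - IvSize);
        return Cipher(encKey, iv, ct, false);
    }

    static byte[] Cipher(byte[] key, byte[] iv, byte[] input, bool encrypt)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key; aes.IV = iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor())
                return t.TransformFinalBlock(input, 0, input.Length);
        }
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    static byte[] Slice(byte[] a, int offset, int count)
    {
        var r = new byte[count];
        Buffer.BlockCopy(a, offset, r, 0, count);
        return r;
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] encKey = RandomBytes(32), macKey = RandomBytes(32);   // two keys, two purposes
        byte[] secret = Encoding.UTF8.GetBytes("card=4111111111111111;exp=12/19"); // constructed sample

        byte[] r1 = Seal(encKey, macKey, secret), r2 = Seal(encKey, macKey, secret);
        Console.WriteLine("same plaintext, different records: " + (Convert.ToBase64String(r1) != Convert.ToBase64String(r2)));
        Console.WriteLine("round trip: " + Encoding.UTF8.GetString(Open(encKey, macKey, r1)));

        r1[IvSize + 3] ^= 0x01;   // flip one ciphertext bit
        Console.WriteLine("tampered record opens: " + (Open(encKey, macKey, r1) != null));
    }
}
```

Checking the tag before decrypting is what keeps padding errors from leaking anything about the plaintext; a decrypt-then-verify ordering turns the CBC padding check into an oracle.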

6 - Security Misconfiguration

PATCH, PATCH, PATCH.
IIS7 App Pool Isolation
http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/
URLScan
Security Runtime Engine (CTP)
Disable unused modules, accounts etc.


Security Misconfiguration

<httpModules>
  <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
  <add name="Session" type="System.Web.SessionState.SessionStateModule" />
  <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
  <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
  <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
  <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
  <add name="Profile" type="System.Web.Profile.ProfileModule" />
</httpModules>

Security Misconfiguration

<httpModules>
  <remove name="PassportAuthentication" />
  <remove name="Profile" />
  <remove name="AnonymousIdentification" />
</httpModules>

NB: Some modules depend on others. Forms auth needs caching. There's no easy way to tell!


5 - Cross Site Request Forgery

WebForms
  Lock ViewState using ViewStateUserKey
    Needs a way to identify the user (session ID or authenticated user name)
    Set it in Page_Init, before ViewState is loaded
  Use a CSRF token: http://anticsrf.codeplex.com
MVC
  <%= Html.AntiForgeryToken() %> in the form
  [ValidateAntiForgeryToken] on the action method
Encourage users to log out.
When is a postback not a postback? When another site submitted the form on the user's behalf.
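The WebForms half of the slide in code, as an added example (not from the deck; the page class name and the session key are assumptions). Setting ViewStateUserKey mixes a per-user value into the ViewState MAC, so ViewState captured from one session fails validation when a forged request replays it in another. It only helps while ViewState MAC is on (enableViewStateMac="true", the default).

```csharp
using System;
using System.Web.UI;

// Added example: bind this page's ViewState to the current user.
public partial class TransferFunds : Page
{
    // Init is the last point at which ViewStateUserKey may be set: ViewState is
    // loaded, and its MAC checked, between Init and Load.
    protected void Page_Init(object sender, EventArgs e)
    {
        if (User.Identity.IsAuthenticated)
        {
            ViewStateUserKey = User.Identity.Name;
        }
        else
        {
            // With cookie-based sessions ASP.NET issues a new SessionID on every
            // request until something is stored in the session, so pin it first
            // or the key would change between render and postback.
            if (Session["csrf-pin"] == null) Session["csrf-pin"] = true;
            ViewStateUserKey = Session.SessionID;
        }
    }
}
```

This protects postbacks that carry ViewState; a handler or page that accepts a plain form POST without ViewState still needs an explicit token such as the AntiCSRF module above.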

4 - Insecure Direct Object Reference

Use indirect object references.
Always check access permissions.
For MVC, don't allow model binding to your ID field:
[Bind(Exclude="id")]

3 - Broken Authentication/Sessions

Don't roll your own!
If you must validate sessions on every request, check the browser (user-agent) string, not the IP.

2 - Cross Site Scripting

XSS

<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

XSS

All input is evil.
Work from white-lists, not black-lists.
Store un-encoded data in your database; encode for the output context instead.
Use HttpOnly cookies.
AntiXSS project: http://antixss.codeplex.com
  Better HTML/URL encoding
  Adds HTML attribute, JavaScript and VBScript encoders
XSS Cheat Sheet: http://ha.ckers.org/xss.html
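The habits the slide lists, applied to the three IMG payloads above, as an added example (not code from the deck and not the AntiXSS library itself; the allowed-username pattern is an assumption). It shows why encoding alone is not enough for the payloads shown: HTML-encoding "javascript:alert('XSS')" still leaves a javascript: URL, so a URL attribute is checked by scheme, while the entity-encoded variant is defeated by encoding its ampersands so the browser never decodes it.

```csharp
using System;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// Added example: white-list validation on input, context-specific encoding on output.
static class OutputEncoding
{
    static readonly Regex UserName = new Regex(@"^[A-Za-z0-9_]{3,20}$");

    // Accept known-good input; do not try to enumerate known-bad.
    public static bool IsValidUserName(string s) { return s != null && UserName.IsMatch(s); }

    // HTML body or quoted attribute context.
    public static string ForHtml(string s) { return WebUtility.HtmlEncode(s); }

    // JavaScript string literal context: hex-escape everything outside a small
    // white-list, the approach AntiXSS takes rather than escaping a list of bad characters.
    public static string ForJsString(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
        {
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == ' ')
                sb.Append(c);
            else if (c < 256)
                sb.AppendFormat("\\x{0:X2}", (int)c);
            else
                sb.AppendFormat("\\u{0:X4}", (int)c);
        }
        return sb.ToString();
    }

    // URL attribute (href/src) context: only absolute http(s) URLs or site-local
    // paths pass; javascript:, data:, vbscript: and friends become a harmless "#".
    public static string ForUrlAttribute(string s)
    {
        Uri u;
        if (Uri.TryCreate(s, UriKind.Absolute, out u) && (u.Scheme == "http" || u.Scheme == "https"))
            return WebUtility.HtmlEncode(u.AbsoluteUri);
        if (s != null && s.StartsWith("/") && !s.StartsWith("//") && !s.StartsWith("/\\"))
            return WebUtility.HtmlEncode(s);
        return "#";
    }

    static void Main()
    {
        string[] payloads = {                                    // the slide's payloads plus one benign URL
            "javascript:alert('XSS')",
            "JaVaScRiPt:alert('XSS')",
            "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;",
            "https://example.org/avatar.png"
        };
        foreach (string p in payloads)
        {
            Console.WriteLine("html : " + ForHtml(p));
            Console.WriteLine("js   : '" + ForJsString(p) + "'");
            Console.WriteLine("src  : <img src=\"" + ForUrlAttribute(p) + "\">");
            Console.WriteLine();
        }
        Console.WriteLine("user names: bob_42=" + IsValidUserName("bob_42") + " <script>=" + IsValidUserName("<script>"));
    }
}
```

The raw value is what gets stored; each encoder runs at the point where the value is written into a page, and the encoder chosen depends on where in the page it lands.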



1 - Injection Flaws

Injection Flaws

SQL
  Use SQL parameters.
  Remove direct SQL table access.
  When building SQL strings within SPs, parameterise those too!
XPath
  Use XsltContext
  http://mvpxml.codeplex.com/


Injection Flaws

DECLARE @cmd nvarchar(max);
SET @cmd = N'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last';

-- @first and @last are the stored procedure's own parameters. They are handed
-- to sp_executesql as typed parameters, never spliced into the text of @cmd.
EXEC sp_executesql @cmd,
     N'@first nvarchar(25), @last nvarchar(25)',
     @first, @last;
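The same Customer search parameterised from ADO.NET, beside the concatenated form it replaces, as an added example (not code from the deck; the connection string and the Customer(FirstName, LastName) table are assumptions). It also covers a caveat the slide does not: parameters stop the value from changing the statement, but LIKE still interprets % and _ inside the value, so those are escaped separately.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: parameterised LIKE search against SQL Server.
static class CustomerSearch
{
    const string ConnectionString = "Server=.;Database=Shop;Integrated Security=true"; // assumption

    // VULNERABLE: the search text becomes part of the statement.
    // first = "x' OR 1=1 --" returns every row; worse inputs do worse things.
    public static string UnsafeSql(string first, string last)
    {
        return "SELECT * FROM Customer WHERE FirstName LIKE '" + first + "%' OR LastName LIKE '" + last + "%'";
    }

    // Escape LIKE wildcards so a user cannot match everything with "%". The
    // bracket is replaced first because it is the escape construct itself.
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    public static SqlCommand BuildSafeCommand(SqlConnection conn, string first, string last)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last", conn);
        // Typed, length-bounded parameters travel separately from the statement text.
        cmd.Parameters.Add("@first", SqlDbType.NVarChar, 25).Value = EscapeLike(first) + "%";
        cmd.Parameters.Add("@last", SqlDbType.NVarChar, 25).Value = EscapeLike(last) + "%";
        return cmd;
    }

    static void Main(string[] args)
    {
        string first = args.Length > 0 ? args[0] : "x' OR 1=1 --";   // attacker-style input
        Console.WriteLine("concatenated: " + UnsafeSql(first, "Smith"));

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = BuildSafeCommand(conn, first, "Smith"))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                int rows = 0;
                while (reader.Read()) rows++;
                // The injection string is just a name nobody has, so this stays small.
                Console.WriteLine("parameterised query matched {0} row(s)", rows);
            }
        }
    }
}
```

The typed parameters here line up with the nvarchar(25) declarations in the sp_executesql sample above; keeping the two in agreement avoids implicit conversions that can defeat index use.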

Changes from 2007

Dropped: Malicious File Execution; Information Leakage / Improper Error Handling
Added: Security Misconfiguration; Unvalidated Redirects and Forwards



The OWASP Top Ten

A1 - Injection
A2 - Cross Site Scripting (XSS)
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery (CSRF)
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards

Mandatory Book Pimping

Questions