.NET from the Hacker's Perspective

.NET from the Hacker's Perspective Drew Miller [email protected]

Transcript of .NET from the Hacker's Perspective

Page 1: .NET from the Hacker's Perspective

.NET from the Hacker's Perspective

Drew Miller

[email protected]

Page 2: .NET from the Hacker's Perspective

.NET from the Hacker's Perspective

• What Hackers Dislike

• Risk

• What Hackers Like

• Summary

Page 3: .NET from the Hacker's Perspective

What Hackers Dislike

• .NET Buffer Overflows

• Role Security

• CAS Code Access Security

• Cryptography

• Summary

Page 4: .NET from the Hacker's Perspective

.NET Buffer Overflows

• Managed Code

• Legacy Code

• The Developer Mind Set

Page 5: .NET from the Hacker's Perspective

.NET Buffer Overflows: Managed Code

• Self-resizing variables

• .NET Framework keeps variable-sized variables from being copied into fixed-sized variables

Page 6: .NET from the Hacker's Perspective

.NET Buffer Overflows: Legacy Code

• It is still very common to use previously coded modules and routines

• Why reinvent the wheel?

    • Security?

Page 7: .NET from the Hacker's Perspective

.NET Buffer Overflows: The Developer's Mind Set

• No buffer overflows in .NET? I no longer need to bounds check my variable-length variables.

• Less could mean more

Page 8: .NET from the Hacker's Perspective

What Hackers Dislike

• Buffer Overflows

• Role Security

• CAS Code Access Security

• Cryptography

• Summary

Page 9: .NET from the Hacker's Perspective

Role Security

• Don't call me... I'll call you

• Framework for defining class and function level call security

Page 10: .NET from the Hacker's Perspective

What Hackers Dislike

• Buffer Overflows

• Role Security

• CAS Code Access Security

• Cryptography

• Summary

Page 11: .NET from the Hacker's Perspective

CAS Code Access Security

• Mobile Code

• Default user permission settings for the Internet Zone make a hard case for ignoring use in the public market

• Signing Assemblies (GAC)

• Key Management (Source Safe)

Page 12: .NET from the Hacker's Perspective

What Hackers Dislike

• Buffer Overflows

• Role Security

• CAS Code Access Security

• Cryptography

• Summary

Page 13: .NET from the Hacker's Perspective

Cryptography

• Encrypt vs. Encode vs. Hashing

• Minimal Coding Requirements

• Fast

• Easy Key Management

• XML

Page 14: .NET from the Hacker's Perspective

What Hackers Dislike

• Buffer Overflows

• Role Security

• CAS Code Access Security

• Cryptography

• Summary

Page 15: .NET from the Hacker's Perspective

What Hackers Dislike: Summary

• Buffer Overflow Protection

    • Always bounds check

• Role Based Security In Code

    • Validate who is allowed to call functions

• Newer Code Difficult To Trojan

    • Avoid Trojans like "FunLove"

• Everything Encrypted

    • Avoid information leakage

Page 16: .NET from the Hacker's Perspective

.NET from the Hacker's Perspective

• What Hackers Dislike

• Risk

• What Hackers Like

• Summary

Page 17: .NET from the Hacker's Perspective

Risk

• Everyone has a deadline

• Everyone has a performance requirement

• NEW -> Everyone has a security requirement

• Dollar -> Security -> Risk

Page 18: .NET from the Hacker's Perspective

.NET from the Hacker's Perspective

• What Hackers Dislike

• Risk

• What Hackers Like

• Summary

Page 19: .NET from the Hacker's Perspective

What Hackers Like

• Information Leakage

    • View state

    • XML

    • SQL errors

    • Web errors

    • Cookies

    • URLs

• Does easy to develop mean easy to exploit?

• Cross Site Scripting

• Replay/Hijacking

• Injection XML/SQL

Page 20: .NET from the Hacker's Perspective

Information Leakage: View State

• View State

    • Base64 encoded

• Dynamic properties of server-side controls

• Map to exposures and vulnerabilities

Page 21: .NET from the Hacker's Perspective

Information Leakage: XML

• The world of plaintext

• Sniffed traffic can lead to information leakage

• Encrypting XML can be cumbersome and degrades performance

• Signing XML is also difficult and degrades performance

Page 22: .NET from the Hacker's Perspective

Information Leakage: SQL errors

• Not once, not twice, but N times

• The exploitation road map to accessing your data...

• The small to medium company go-to-guy

Page 23: .NET from the Hacker's Perspective

Information Leakage: Web errors

• Programmers are logical

• Hackers are logical

• Login example

    • Password Invalid

• User Invalid

• User or Password Invalid

• Enumeration functions

Page 24: .NET from the Hacker's Perspective

Information Leakage: Cookies

• Stored on client

• Modifiable

• Extends to any client-side persisted state information

• Serialization

• Client to server program configuration files (non-HTTP)
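
The "Encrypt vs. Encode vs. Hashing" distinction from the Cryptography slide, applied to the client-held state described on the View State and Cookies slides. This is an added example, not code from the original slides; the state string and the "payload.tag" token layout are hypothetical and are not ASP.NET's own view state format.

```csharp
// Added example (not from the slides). The state string and the
// "payload.tag" token layout are hypothetical, chosen for illustration.
using System;
using System.Security.Cryptography;
using System.Text;

static class ClientStateDemo
{
    // Encoding: reversible by anyone, no key involved.
    static string Encode(string s) { return Convert.ToBase64String(Encoding.UTF8.GetBytes(s)); }

    // Keyed hash (HMAC) computed with a key that never leaves the server.
    static byte[] Mac(byte[] data, byte[] key)
    {
        using (var h = new HMACSHA256(key)) { return h.ComputeHash(data); }
    }

    static string Protect(string state, byte[] key)
    {
        byte[] raw = Encoding.UTF8.GetBytes(state);
        return Convert.ToBase64String(raw) + "." + Convert.ToBase64String(Mac(raw, key));
    }

    // Returns false for malformed tokens and for any payload the server did not issue.
    static bool TryVerify(string token, byte[] key, out string state)
    {
        state = null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] raw, tag;
        try { raw = Convert.FromBase64String(parts[0]); tag = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        byte[] expected = Mac(raw, key);
        int diff = expected.Length ^ tag.Length;   // constant-time comparison
        for (int i = 0; i < expected.Length && i < tag.Length; i++) diff |= expected[i] ^ tag[i];
        if (diff != 0) return false;
        state = Encoding.UTF8.GetString(raw);
        return true;
    }

    static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(key); }
        string issued = Protect("user=alice;role=user", key);   // constructed sample state
        string readable = Encoding.UTF8.GetString(Convert.FromBase64String(issued.Split('.')[0]));
        string altered = Encode("user=alice;role=admin") + "." + issued.Split('.')[1];
        string s;
        Console.WriteLine("client can read:  " + readable);
        Console.WriteLine("issued verifies:  " + TryVerify(issued, key, out s));
        Console.WriteLine("altered verifies: " + TryVerify(altered, key, out s));
    }
}
```

The keyed hash makes the server reject state it did not issue, but the payload is still only encoded and remains readable on the client; anything that must stay secret needs encryption as well, or should stay on the server.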

Page 25: .NET from the Hacker's Perspective

Information Leakage: URLs

• URLs tell a story

    • System Administrator/Deployment Know-How

• Incrementing variables

• Arguments to functions

Page 26: .NET from the Hacker's Perspective

What Hackers Like

• Information Leakage

    • View state

    • XML

    • SQL errors

    • Web errors

    • Cookies

    • URLs

• Does easy to develop mean easy to exploit?

• Cross Site Scripting

• Replay/Hijacking

• Injection XML/SQL

Page 27: .NET from the Hacker's Perspective

Information Leakage: Easy Development leads to Easy Exploits

• If I do not incorporate security knowledge and processing during development and deployment of all resources, regardless of whether the access to that resource is anonymous or authenticated, is exploitation possible? YES.

Page 28: .NET from the Hacker's Perspective

What Hackers Like

• Information Leakage

    • View state

    • XML

    • SQL errors

    • Web errors

    • Cookies

    • URLs

• Does easy to develop mean easy to exploit?

• Cross Site Scripting

• Replay/Hijacking

• Injection XML/SQL

Page 29: .NET from the Hacker's Perspective

Cross Site Scripting

• HTML inputs for everyone

• How do I validate?

• Just don't do it if you can avoid it... good design makes for good security

Page 30: .NET from the Hacker's Perspective

What Hackers Like

• Information Leakage

    • View state

    • XML

    • SQL errors

    • Web errors

    • Cookies

    • URLs

• Does easy to develop mean easy to exploit?

• Cross Site Scripting

• Replay/Hijacking

• Injection XML/SQL

Page 31: .NET from the Hacker's Perspective

Replay / Hijacking

• Session Hijacking

    • HTTP Session IDs

• .NET Forms Authentication

• Got SSL?

    • Hey! Cross Site Scripting to the rescue...

• Validation = (Authentication -> Session) * Each Request

Page 32: .NET from the Hacker's Perspective

What Hackers Like

• Information Leakage

    • View state

    • XML

    • SQL errors

    • Web errors

    • Cookies

    • URLs

• Does easy to develop mean easy to exploit?

• Replay/Hijacking

• Injection XML/SQL

Page 33: .NET from the Hacker's Perspective

Injection XML/SQL

• SOAP

• Dynamic SQL

• .NET SqlParameter
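
Dynamic SQL beside the SqlParameter form named on this slide, as an added example that is not code from the original slides. The `Users` table, its columns, the 64-character limit and the sample inputs are assumptions; no database connection is opened, the commands are only built and printed.

```csharp
// Added example (not from the slides). Table, column names and the
// 64-character limit are hypothetical; sample inputs are constructed.
using System;
using System.Data;
using System.Data.SqlClient; // .NET Framework; on modern .NET use the Microsoft.Data.SqlClient package

static class InjectionDemo
{
    const int MaxNameLength = 64;

    // Dynamic SQL: caller-supplied text becomes part of the statement itself,
    // so a single quote in the input changes how the statement parses.
    static SqlCommand BuildDynamic(string userName)
    {
        return new SqlCommand("SELECT Id FROM Users WHERE Name = '" + userName + "'");
    }

    // SqlParameter: the statement text is fixed and the value travels
    // separately as typed, length-bounded data.
    static SqlCommand BuildParameterized(string userName)
    {
        // Bounds check the input before it goes anywhere near the database.
        if (userName == null || userName.Length == 0 || userName.Length > MaxNameLength)
            throw new ArgumentException("name must be 1 to 64 characters", "userName");

        var cmd = new SqlCommand("SELECT Id FROM Users WHERE Name = @name");
        cmd.Parameters.Add(new SqlParameter("@name", SqlDbType.NVarChar, MaxNameLength) { Value = userName });
        return cmd;
    }

    static void Main()
    {
        // An ordinary name and a legitimate name that contains a quote character.
        foreach (string input in new[] { "alice", "O'Brien" })
        {
            Console.WriteLine("dynamic:       " + BuildDynamic(input).CommandText);
            SqlCommand safe = BuildParameterized(input);
            Console.WriteLine("parameterized: " + safe.CommandText +
                              "  [@name = " + safe.Parameters["@name"].Value + "]");
        }
    }
}
```

The dynamic statement text differs for each input and is malformed for the second one, while the parameterized statement text is identical for both and only the bound value changes.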

Page 34: .NET from the Hacker's Perspective

.NET from the Hacker's Perspective

• What Hackers Dislike

• Risk

• What Hackers Like

• Summary

Page 35: .NET from the Hacker's Perspective

Summary

• Parameter validation still key to a majority of vulnerabilities

• Why authenticate when you can hijack?

• Sign code, encrypt data, or else...

• Server side security much better... communication security still difficult to secure with ease, but definitely possible

Page 36: .NET from the Hacker's Perspective

.NET from the Hacker's Perspective

Drew Miller

[email protected]