Security.NET
Chapter 1

How Do Attacks Occur?

Stages of attack and examples of attacker actions:

1. Footprint: runs a port scan on the firewall
2. Penetration: exploits an unpatched Web server
3. Elevation of privilege: creates an account with administrator rights
4. Exploit: uploads unlicensed software to the Web server
5. Cover-up: erases the audit trail of the exploit

Vulnerability Examples

• Weak passwords
  – Employees use blank or default passwords
• Unpatched software
  – Patches are not updated
  – Security hotfixes are not applied
• Misconfigured software
  – Services have more privileges than required
  – Services run as the Local System account
• Social engineering
  – Help desk administrator resets a password without verifying the identity of the caller
• Weak security on Internet connections
  – Unused services and ports are not secured
  – Firewalls are used improperly
• Unencrypted data transfer
  – Authentication packets are sent in clear text
  – Important data is sent over the Internet in clear text
• Buffer overrun
  – A trusted process runs untrusted code

STRIDE Model

• Spoofing identity
• Tampering
• Repudiability
• Information disclosure
• Denial of Service
• Elevation of Privilege

Spoofing Identity

• Attacker impersonates a valid system user or resource to gain access to the system
• Example:
  – Spoofing a server identity to gain access to passwords and other system data

Tampering with Data (Integrity)

• Malicious modification of system or user data with or without detection
• Data tampering can occur on:
  – Database objects, through SQL injection attacks
  – Application objects, such as application configuration information and HTML files
  – Communications and interactions

Repudiability

• Users can deny performing an action without administrators having any way to prove otherwise
  – A service that is attacked through an anonymous request
  – A system where audit logging is not enabled
  – An attacker that tampers with or deletes logged data
  – An attacker that spoofs another user to exploit the system
• Enable logging to avoid repudiability threats

Information Disclosure

• Compromised private or business-critical information through the exposure of that information to individuals who are not supposed to see it
  – Encryption keys
  – Business plans
  – Credit card information

Denial of Service

• Denying service to valid users
  – Overloading a server with spurious requests
  – Causing a process to consume CPU, memory, and bandwidth
  – Using viruses and worms that consume hard disk space on a Web server

Elevation of Privilege

• Unprivileged user gains privileged access, thereby gaining sufficient access to compromise or destroy the entire system
  – Can be undetected
  – Can become part of the trusted system
• Example:
  – A buffer overrun attack that causes injected code to run at an elevated privilege, giving the malicious code access to unauthorized pieces of the system

Enabling Logging

• Maintain a log of activities that are performed on the system by the users and Web applications
  – Windows logs
  – IIS logs
  – SQL Server logs
  – Custom logs

User Input

• URLs
  – Request individual resources of a Web application
• GET data
  – Parameters and values that a client passes to a Web application to satisfy a GET request
• POST data
  – Parameters and values that a client passes to a Web application to satisfy a POST request
• Cookies
  – Store data on the client computer
• HTTP headers
  – Provide numerous HTTP request header values to describe the client environment to the server

Why Validate User Input?

• User input can be used to attack a Web application to:
  – Reveal implementation details
  – Create malicious data
  – Execute malicious script
  – Access restricted resources
• To avoid a user input attack:
  – Do not accept user input without validating it
  – Define valid input and write code to accept data within a valid range

Types of User Input Validation

• Client-side validation
  – Executes validation code, in a script, within the user's browser
  – Minimizes server round-trips for data validation
• Server-side validation
  – Executes data validation code on the server
  – Validation errors need to be sent back to the client, resulting in more server round-trips
• ASP.NET validation controls
  – Support both client-side and server-side validation

URL Format Attacks

• ::$DATA format
  – Returned the script source instead of the HTML response
• Dotless IP addresses
  – Previously considered part of the intranet
  – http://031713501415
• Parent paths
  – Can access files outside a virtual directory
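The dotless address on the slide, http://031713501415, is the octal spelling of 207.46.131.13: a browser parses the whole host as one number and still connects, so any "no dots means intranet" rule is fooled. The JavaScript below is an added example, not from the slides, showing the defensive fix: normalise every numeric host spelling (decimal, octal, hex, short forms) to a dotted quad before making a zone decision. The private-range policy in isPrivateHost is an assumption for illustration.

```javascript
// Added example (not from the original slides): canonicalise a URL host
// before trusting it. Numeric hosts may be written in decimal, octal
// (leading 0) or hex (0x), and with fewer than four parts, following the
// historical inet_aton() rules that browsers inherited.

function parseIPv4Part(part) {
  if (/^0[xX][0-9a-fA-F]+$/.test(part)) return parseInt(part.slice(2), 16);
  if (/^0[0-7]*$/.test(part)) return parseInt(part, 8);   // "0" alone is 0
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return NaN;                                              // e.g. "08", ""
}

// Returns the canonical dotted-quad string, or null when the host is not a
// purely numeric IPv4 spelling (a hostname, an IPv6 literal, or malformed).
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(Number.isNaN)) return null;
  // inet_aton semantics: the last part fills all the remaining bytes.
  const last = nums.pop();
  const remainingBytes = 4 - nums.length;
  if (nums.some(n => n > 255)) return null;
  if (last >= 2 ** (8 * remainingBytes)) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  value = value * 2 ** (8 * remainingBytes) + last;
  return [24, 16, 8, 0].map(s => Math.floor(value / 2 ** s) % 256).join('.');
}

// Zone decision made on the canonical address, never on the spelling.
// The "private" ranges here (RFC 1918 plus loopback) are an assumed policy.
function isPrivateHost(host) {
  const ip = canonicalIPv4(host);
  if (ip === null) return false;   // hostnames need their own policy
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}
```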

HTTP Cookie Attacks

• Two types of cookies: persistent and session
• Persistent cookies can be edited with Notepad.exe
  – C:\Documents and Settings\username\Cookies
• All cookies can be edited in client-side script
  – document.cookie in JavaScript
• Do not store sensitive data in a cookie
  – Instead store a lookup key
• Encrypt cookie data if necessary

HTTP Header Attacks

• Do not trust the header values sent by the client
  – Header values can be set maliciously
• Do not trust header values for important decisions
  – Example: invoicing based on the Referer header value

Form Data Attacks

• Form values
  – GET method includes the field values in the URL
  – POST method includes the field values in the body of the request
• Form fields
  – All form fields and field names are visible in source code
  – Hidden fields are not secure
• Validate field values and field names
• Validate field value type and length
• Use forms for the minimum required data

Script Command Injection Attacks

• XSS
• Used with a trusted Web application
• Embed script in text controls

Example (ASP)

    <html>
    <body>
    <form action="a.asp" method="post">
    <input name="t1">
    <input type="submit">
    </form>
    </body>
    </html>

ASP File

    <html>
    <body>
    <% response.write "you entered:" & request("t1") %>
    </body>
    </html>

• Enter <script>alert('hello');</script>

ASP.NET

• Error message: ASP.NET request validation rejects the input above
• But if you write: <%00script>alert('hello');</script>
• To bypass the check:

    <%@ Page validateRequest="false" %>

• Or in web.config:

    <system.web>
        <pages validateRequest="false" />
    </system.web>

Trusted code

    <SCRIPT>
    // Scripting.FileSystemObject is an ActiveX object; a page can create it
    // only when its site is in the Trusted Sites zone
    var fso = new ActiveXObject('Scripting.FileSystemObject');
    var e = fso.GetFile('d:\\a.txt');
    e.Delete();
    </SCRIPT>

If you add the site to Trusted Sites, it works.

Prevent XSS

• Validate user input
• Use:
  – Server.HtmlEncode(str);
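The ASP page a few slides back writes request("t1") straight into the response, which is what makes the alert fire. The JavaScript below is an added example, not from the slides, that reproduces that defect beside the Server.HtmlEncode fix: htmlEncode is an assumed stand-in for HtmlEncode with the same five replacements, and containsScriptTag is the kind of check a test or log review would use to catch reflected input that became markup.

```javascript
// Added example (not from the original slides): unencoded echo vs encoded
// echo of the form field, with a detection check over the produced HTML.

function htmlEncode(str) {
  // Encode the characters that can change HTML structure or end an
  // attribute value. '&' goes first so the other entities are not re-encoded.
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Equivalent of: response.write "you entered:" & request("t1")
function renderUnsafe(t1) {
  return '<html><body>you entered:' + t1 + '</body></html>';
}

// Equivalent of: response.write "you entered:" & Server.HtmlEncode(t1)
function renderSafe(t1) {
  return '<html><body>you entered:' + htmlEncode(t1) + '</body></html>';
}

// The template itself contains no script element, so a <script in the
// output means client input was rendered as markup.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the value the slide types into the text box.
const INPUT = "<script>alert('hello');</script>";
```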

ASP.NET Validation Controls

• Five Web Server Controls used for validating user input
  – RequiredFieldValidator
  – RegularExpressionValidator
  – CompareValidator
  – CustomValidator
  – RangeValidator

Regular Expressions

    using System;
    using System.Text.RegularExpressions;

    // Remove every run of non-word characters (\W+) from the string
    string test = "Words only &%";
    Regex expression = new Regex("\\W+");
    string replaced = expression.Replace(test, "");   // "Wordsonly"

    // Find every run of exactly four digits and print where each one starts
    string test1 = "Looking for 1256 in here";
    Regex digits = new Regex("\\d{4}");
    MatchCollection matches = digits.Matches(test1);
    foreach (Match match in matches)
        Console.WriteLine(match.Index);
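The "Why Validate User Input?" slide says to define valid input and accept only data within that definition; the regular-expression slide above shows the two primitives. The JavaScript below is an added example, not from the slides, that puts them together as server-side validation: anchored allowlist patterns plus a length limit per field, unknown fields rejected rather than passed through, and the slide's two regexes (\W+ and \d{4}) carried over. The field rules are assumptions for illustration.

```javascript
// Added example (not from the original slides): allowlist validation of a
// form submission on the server, with the slide's regexes in JavaScript.

const FIELD_RULES = {
  // Anchored patterns so the whole value must match, plus a length cap
  // checked before the regex runs (assumed rules for this example).
  username: { pattern: /^[A-Za-z0-9_]{3,20}$/, maxLength: 20 },
  year:     { pattern: /^\d{4}$/,              maxLength: 4 },
  quantity: { pattern: /^[1-9]\d{0,2}$/,       maxLength: 3 },
};

// Validate one field. Returns { ok: true, value } or { ok: false, reason }.
// The reason is for the server log; the client only needs to learn that the
// field was rejected (see "Providing Feedback to Users").
function validateField(name, raw) {
  const rule = FIELD_RULES[name];
  if (!rule) return { ok: false, reason: 'unknown field ' + name };
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  if (raw.length > rule.maxLength) return { ok: false, reason: 'too long' };
  if (!rule.pattern.test(raw)) return { ok: false, reason: 'pattern mismatch' };
  return { ok: true, value: raw };
}

// Validate a whole submission: every field must have a rule and pass it.
function validateForm(fields) {
  const errors = {};
  const values = {};
  for (const [name, raw] of Object.entries(fields)) {
    const r = validateField(name, raw);
    if (r.ok) values[name] = r.value; else errors[name] = r.reason;
  }
  return { ok: Object.keys(errors).length === 0, values, errors };
}

// The two operations from the C# slide: strip runs of non-word characters,
// and report the start index of every run of exactly four digits.
function stripNonWord(s) { return s.replace(/\W+/g, ''); }
function fourDigitIndexes(s) {
  return Array.from(s.matchAll(/\d{4}/g), m => m.index);
}
```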

Providing Feedback to Users

• During normal conditions
  – Verification messages
  – Success messages
  – Explanatory messages
• During error conditions
  – Keep detailed error information hidden: error codes, error messages, system information, call stacks
  – Return a general error message and log the error details
  – Never return the data that generated the error

Obscuring Error Details from Users

• In the Web.config file:

    <customErrors mode="On" defaultRedirect="GenericError.aspx" />