Security.NET
Chapter 1
How Do Attacks Occur?
Stages of attack and examples of attacker actions:
1. Footprint – Runs a port scan on the firewall
2. Penetration – Exploits an unpatched Web server
3. Elevation of privilege – Creates an account with administrator rights
4. Exploit – Uploads unlicensed software to the Web server
5. Cover-up – Erases the audit trail of the exploit
Vulnerability Examples
• Weak passwords – Employees use blank or default passwords
• Unpatched software – Patches are not updated; security hotfixes are not applied
• Misconfigured software – Services have more privileges than required; services run as the Local System account
• Social engineering – Help desk administrator resets a password without verifying the identity of the caller
• Weak security on Internet connections – Unused services and ports are not secured; firewalls are used improperly
• Unencrypted data transfer – Authentication packets are sent in clear text; important data is sent over the Internet in clear text
• Buffer overrun – A trusted process runs untrusted code
STRIDE Model
• Spoofing identity
• Tampering
• Repudiability
• Information disclosure
• Denial of Service
• Elevation of Privilege
Spoofing Identity
• Attacker impersonates a valid system user or resource to gain access to the system
• Example:
– Spoofing a server identity to gain access to passwords and other system data
Tampering with Data (Integrity)
• Malicious modification of system or user data with or without detection
• Data tampering can occur on:
– Database objects through SQL injection attacks
– Application objects, such as application configuration information and HTML files
– Communications and interactions
Repudiability
• Users can deny performing an action without administrators having any way to prove otherwise
– A service that is attacked through an anonymous request
– A system where audit logging is not enabled
– An attacker that tampers with or deletes logged data
– An attacker that spoofs another user to exploit the system
• Enable logging to avoid repudiability threats
Information Disclosure
• Compromised private or business-critical information through the exposure of that information to individuals who are not supposed to see it
– Encryption keys
– Business plans
– Credit card information
Denial of Service
• Denying service to valid users
– Overloading a server with spurious requests
– Causing a process to consume CPU, memory, and bandwidth
– Using viruses and worms that consume hard disk space on a Web server
Elevation of Privilege
• Unprivileged user gains privileged access, thereby gaining sufficient access to compromise or destroy the entire system
– Can be undetected
– Can become part of the trusted system
• Example:
– A buffer overrun attack that causes injected code to run at an elevated privilege, giving the malicious code access to unauthorized pieces of the system
Enabling Logging
• Maintain a log of activities that are performed on the system by the users and Web applications
– Windows logs
– IIS logs
– SQL Server logs
– Custom logs
User Input
• URLs
– Request individual resources of a Web application
• GET data
– Parameters and values that a client passes to a Web application to satisfy a GET request
• POST data
– Parameters and values that a client passes to a Web application to satisfy a POST request
• Cookies
– Store data on the client computer
• HTTP headers
– Provide numerous HTTP request header values to describe the client environment to the server
Why Validate User Input?
• User input can be used to attack a Web application to:
– Reveal implementation details
– Create malicious data
– Execute malicious script
– Access restricted resources
• To avoid a user input attack:
– Do not accept user input without validating
– Define valid input and write code to accept data within a valid range
Types of User Input Validation
• Client-side validation
– Executes validation code, in a script, within the user's browser
– Minimizes server round-trips for data validation
• Server-side validation
– Executes data validation code on the server
– Validation errors need to be sent back to the client, resulting in more server round-trips
• ASP.NET validation controls
– Support both client-side and server-side validation
URL Format Attacks
• ::$DATA format
– Returned the script source instead of the HTML response
• Dotless IP addresses
– Previously considered part of the intranet
– http://031713501415
• Parent paths
– Can access files outside a virtual directory
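The dotless address on the slide is an ordinary IPv4 address written as one octal number; a zone or "is this intranet?" decision made on the raw host string treats it as something else. The following is an added example (not from the slides) that canonicalizes a numeric host literal with the legacy inet_aton rules before making such a decision. The value 031713501415 is the slide's; the helper names, the private-range check and the other test inputs are this example's own.

```python
from typing import Optional
from urllib.parse import urlsplit


def _parse_part(text: str) -> int:
    """One address component: 0x.. is hex, a leading 0 is octal, anything else decimal."""
    if text.lower().startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of a numeric host literal, or None if the host is not one.

    Legacy inet_aton rules: 1 part fills 32 bits, 2 parts are a.bbb (8 + 24 bits),
    3 parts are a.b.cc (8 + 8 + 16 bits), 4 parts are a.b.c.d.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    if any(v < 0 or v >= 1 << w for v, w in zip(values, widths)):
        return None
    packed = 0
    for v, w in zip(values, widths):
        packed = (packed << w) | v
    return ".".join(str((packed >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_private_intranet(url: str) -> bool:
    """Zone decision on the canonical address, so a dotless spelling cannot slip past."""
    host = urlsplit(url).hostname or ""
    dotted = canonical_ipv4(host)
    if dotted is None:
        return False  # a hostname, not a literal: resolve and re-check before trusting it
    a, b, _, _ = (int(x) for x in dotted.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)
```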
HTTP Cookie Attacks
• Two types of cookies: persistent and session
• Persistent cookies can be edited with Notepad.exe
– C:\Documents and Settings\username\Cookies
• All cookies can be edited in client-side script
– document.cookie in JavaScript
• Do not store sensitive data in a cookie
– Instead store a lookup key
• Encrypt cookie data if necessary
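As an added example (not from the slides, and not an ASP.NET API), the two cookie designs side by side: one that carries the data itself, so editing the cookie edits the privilege, and the recommended one that carries only an unguessable lookup key into a server-side store. The in-memory store, the field names and the tamper helper are constructed for the example.

```python
import secrets
from typing import Dict, Optional


# Weak pattern: the cookie carries the data, so whoever edits the cookie edits the data.
def issue_data_cookie(user_id: str, is_admin: bool) -> str:
    return f"user={user_id};admin={int(is_admin)}"


def session_from_data_cookie(cookie_value: str) -> Dict[str, object]:
    fields = dict(part.split("=", 1) for part in cookie_value.split(";"))
    return {"user_id": fields.get("user", ""), "is_admin": fields.get("admin") == "1"}


# Recommended pattern: the cookie carries only a lookup key; the data stays on the server.
SESSIONS: Dict[str, Dict[str, object]] = {}  # constructed in-memory store keyed by cookie value


def issue_lookup_cookie(user_id: str, is_admin: bool) -> str:
    key = secrets.token_urlsafe(32)  # 256 random bits, not derived from the user data
    SESSIONS[key] = {"user_id": user_id, "is_admin": is_admin}
    return key


def session_from_lookup_cookie(cookie_value: str) -> Optional[Dict[str, object]]:
    """An edited or guessed key matches no stored session and is simply rejected."""
    data = SESSIONS.get(cookie_value)
    return dict(data) if data is not None else None


def tamper(cookie_value: str) -> str:
    """Stand-in for editing the cookie file or document.cookie: flip a readable admin
    flag if there is one, otherwise change one character of the opaque key."""
    if "admin=0" in cookie_value:
        return cookie_value.replace("admin=0", "admin=1")
    return ("A" if cookie_value[0] != "A" else "B") + cookie_value[1:]
```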
HTTP Header Attacks
• Do not trust the header values sent by the client
– Header values can be set maliciously
• Do not trust header values for important decisions
– Example: invoicing based on the Referer header value
Form Data Attacks
• Form values
– GET method includes the field values in the URL
– POST method includes the field values in the body of the request
• Form fields
– All form fields and field names are visible in source code
– Hidden fields are not secure
• Validate field values and field names
• Validate field value type and length
• Use forms for the minimum required data
Script Command Injection Attacks
• XSS
• Used with trusted Web applications
• Embed script in text controls
Example (ASP)
<html><body><form action="a.asp" method="post"><input name="t1"><input type="submit"></form></body></html>
ASP File
<html>
<body>
<% response.write "you entered:" & request("t1") %>
</body>
</html>
• Enter <script>alert('hello');</script>
ASP.NET
• Error message
• But if you write: <%00script>alert('hello');</script>
• To bypass the check:
<%@ Page validateRequest="false" %>
• Or in web.config:
<system.web>
<pages validateRequest="false" />
</system.web>
Trusted code
<SCRIPT>
var fso = new ActiveXObject('Scripting.FileSystemObject');
var e = fso.GetFile('d:\\a.txt');
e.Delete();
</SCRIPT>
If the site is added to Trusted Sites, this works.
Prevent XSS
• Validate user input
• Use:
– Server.HtmlEncode(str);
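The slides make two points that belong together: an input filter that looks for a token can be sidestepped (the <%00script> case on the ASP.NET slide), while encoding the value on output stops any input from being read as markup. The following is an added example (not from the slides) that runs the slides' own two inputs through a token-based block check and through HTML output encoding equivalent to Server.HtmlEncode; the Python html module stands in for the ASP.NET call, and the helper names are this example's own.

```python
import html

# Constructed sample inputs; the two script strings are the ones on the slides.
BENIGN = "hello"
SCRIPT_TAG = "<script>alert('hello');</script>"
NULL_BYTE_VARIANT = "<\x00script>alert('hello');</script>"  # <%00script> after URL decoding


def naive_block_check(value: str) -> bool:
    """Input filter of the block-list kind: accept unless a '<script' token is present.
    Returns True when the value is accepted."""
    return "<script" not in value.lower()


def html_encode(value: str) -> str:
    """Output encoding equivalent to Server.HtmlEncode: <, >, &, " and ' become entities."""
    return html.escape(value, quote=True)


def render_raw(value: str) -> str:
    """What the slide's response.write "you entered:" & request("t1") produces."""
    return "you entered:" + value


def render_encoded(value: str) -> str:
    """The same page with the user value encoded on output."""
    return "you entered:" + html_encode(value)


def contains_tag_delimiters(fragment: str) -> bool:
    """True if the fragment still holds a raw < or >, i.e. the browser could parse it as markup."""
    return "<" in fragment or ">" in fragment
```

The block check accepts the null-byte variant but rejects the plain tag; the encoded output carries no raw tag delimiter for either input, which is why validation and output encoding are both listed on the slide.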
ASP.NET Validation Controls
• Five Web server controls used for validating user input
– RequiredFieldValidator
– RegularExpressionValidator
– CompareValidator
– CustomValidator
– RangeValidator
Regular Expressions
using System; using System.Text.RegularExpressions;
string test = "Words only &%"; Regex nonWord = new Regex("\\W+");          // \W+ = one or more non-word characters
string replaced = nonWord.Replace(test, "");                               // "Wordsonly"
string test1 = "Looking for 1256 in here"; Regex fourDigits = new Regex("\\d{4}");  // exactly four consecutive digits
MatchCollection matches = fourDigits.Matches(test1);
foreach (Match match in matches) Console.WriteLine(match.Index);          // prints 12
Providing Feedback to Users
• During normal conditions
– Verification messages
– Success messages
– Explanatory messages
• During error conditions
– Keep detailed error information hidden: error codes, error messages, system information, call stacks
– Return a general error message and log error details
– Never return the data that generated the error
Obscuring Error Details from Users
• In Web.config file:
<customErrors mode="On" defaultRedirect="GenericError.aspx"/>
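The customErrors setting gives the user a generic page; what the "error conditions" slide asks for on top of that is a handler that logs the detail and returns only a generic message. The following is an added example (not from the slides, and not ASP.NET code) of such a boundary: the log entry carries the exception type, message, stack and the input under a reference id, and the response carries only the generic text plus that id. The in-memory log recorder and the order lookup are constructed for the example.

```python
import logging
import traceback
import uuid
from typing import List, Tuple


class _Recorder(logging.Handler):
    """Keeps formatted log lines in memory so the example can be inspected stand-alone."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
RECORDED = _Recorder()
log.addHandler(RECORDED)
GENERIC_MESSAGE = "An error occurred while processing your request. Reference: {ref}"


def handle_error(exc: BaseException, request_path: str, user_input: str) -> Tuple[int, str]:
    """Return (status, body) for the client; all detail goes to the log under a reference id."""
    ref = uuid.uuid4().hex[:12]
    log.error(
        "ref=%s path=%s input=%r exc=%s: %s\n%s",
        ref, request_path, user_input, type(exc).__name__, exc,
        "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    )
    # The response carries neither the exception text, the stack, nor the input that caused it.
    return 500, GENERIC_MESSAGE.format(ref=ref)


def lookup_order(order_id: str) -> int:
    """Constructed stand-in for data access: a non-numeric id raises as a real failure would."""
    return int(order_id)


def process_request(path: str, order_id: str) -> Tuple[int, str]:
    try:
        return 200, f"order {lookup_order(order_id)}"
    except Exception as exc:  # top-level boundary: everything is logged, nothing is echoed
        return handle_error(exc, path, order_id)
```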