improving web application security · improving web application security threats and...
TRANSCRIPT
-
Improving Web Application Security Threats and Countermeasures
Forewords by Mark Curphey, Joel Scambray, and Erik Olson
-
Improving Web Application Security
Threats and Countermeasures
patterns & practices
J.D. Meier, Microsoft Corporation
Alex Mackman, Content Master
Srinath Vasireddy, Microsoft Corporation
Michael Dunner, Microsoft Corporation
Ray Escamilla, Microsoft Corporation
Anandha Murukan, Satyam Computer Services
-
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BizTalk, IntelliSense, MSDN, Visual Basic, Visual C#, Visual C++, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
© 2003 Microsoft Corporation. All rights reserved.
Version 1.0
6/30/2003
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
-
Contents
Forewords xliii Foreword by Mark Curphey .....................................................................................xliii Foreword by Joel Scambray .....................................................................................xlv Foreword by Erik Olson .......................................................................................... xlvi
Introduction xlix Why We Wrote This Guide .......................................................................................... xlix What Is a Hack-Resilient Application? .............................................................................l Scope of This Guide ..................................................................................................... li
Securing the Network, Host, and Application .............................................................. li Technologies in Scope............................................................................................. lii
Who Should Read This Guide ....................................................................................... lii How to Use This Guide ............................................................................................... liii
Applying the Guidance to Your Role ......................................................................... liii Applying the Guidance to Your Product Life Cycle ...................................................... liv Microsoft Solutions Framework ................................................................................ lv
Organization of This Guide ........................................................................................... lv Solutions at a Glance.............................................................................................. lv Fast Track............................................................................................................... lv Parts..................................................................................................................... lvi Checklists .............................................................................................................lvii “How To” Articles.................................................................................................. lviii
Approach Used in This Guide ..................................................................................... lviii Secure Your Network, Host, and Application ............................................................ lviii Focus on Threats ................................................................................................... lix Follow a Principle-Based Approach............................................................................ lx
Positioning of This Guide ............................................................................................. lx Volume I, Building Secure ASP.NET Applications ........................................................ lx Volume II, Improving Web Application Security .......................................................... lxi
Feedback and Support ...............................................................................................lxii Feedback on the Guide...........................................................................................lxii Technical Support ..................................................................................................lxii Community and Newsgroup Support ........................................................................lxii
The Team Who Brought You This Guide ....................................................................... lxiii Contributors and Reviewers ................................................................................... lxiii
Tell Us About Your Success........................................................................................ lxiv Summary ................................................................................................................. lxiv
-
vi Improving Web Application Security: Threats and Countermeasures
Solutions at a Glance lxv Architecture and Design Solutions...............................................................................lxv Development Solutions ............................................................................................. lxvi Administration Solutions.............................................................................................lxx
Fast Track — How To Implement the Guidance lxxv Goal and Scope ....................................................................................................... lxxv The Holistic Approach...............................................................................................lxxvi Securing Your Network.............................................................................................lxxvii Securing Your Host..................................................................................................lxxvii Securing Your Application ....................................................................................... lxxviii Identify Threats........................................................................................................lxxix Applying the Guidance to Your Product Life Cycle ........................................................lxxxi Implementing the Guidance .....................................................................................lxxxii Who Does What? ................................................................................................... lxxxiii
RACI Chart ........................................................................................................ lxxxiii Summary .............................................................................................................. lxxxiv
Part I Introduction to Threats and Countermeasures 1
Chapter 1 Web Application Security Fundamentals 3
We Are Secure — We Have a Firewall ............................................................................ 3 What Do We Mean By Security? ................................................................................... 4
The Foundations of Security..................................................................................... 4 Threats, Vulnerabilities, and Attacks Defined................................................................. 5 How Do You Build a Secure Web Application?................................................................ 5 Secure Your Network, Host, and Application .................................................................. 6 Securing Your Network................................................................................................. 7
Network Component Categories ............................................................................... 7 Securing Your Host...................................................................................................... 7
Host Configuration Categories.................................................................................. 8 Securing Your Application ............................................................................................ 9
Application Vulnerability Categories .......................................................................... 9 Security Principles..................................................................................................... 11 Summary ................................................................................................................. 12 Additional Resources ................................................................................................ 12
Chapter 2 Threats and Countermeasures 13
In This Chapter ......................................................................................................... 13 Overview .................................................................................................................. 13
-
Contents vii
How to Use This Chapter ........................................................................................... 14 Anatomy of an Attack ................................................................................................ 14
Survey and Assess ............................................................................................... 15 Exploit and Penetrate ............................................................................................ 15 Escalate Privileges................................................................................................ 15 Maintain Access ................................................................................................... 16 Deny Service ........................................................................................................ 16
Understanding Threat Categories ............................................................................... 16 STRIDE ................................................................................................................ 16 STRIDE Threats and Countermeasures ................................................................... 17
Network Threats and Countermeasures ...................................................................... 18 Information Gathering............................................................................................ 18 Sniffing ................................................................................................................ 19 Spoofing .............................................................................................................. 19 Session Hijacking ................................................................................................. 19 Denial of Service .................................................................................................. 20
Host Threats and Countermeasures ........................................................................... 20 Viruses, Trojan Horses, and Worms ........................................................................ 21 Footprinting .......................................................................................................... 21 Password Cracking................................................................................................ 22 Denial of Service .................................................................................................. 22 Arbitrary Code Execution........................................................................................ 23 Unauthorized Access............................................................................................. 23
Application Threats and Countermeasures .................................................................. 23 Input Validation......................................................................................................... 24
Buffer Overflows ................................................................................................... 25 Cross-Site Scripting............................................................................................... 26 SQL Injection ........................................................................................................ 27 Canonicalization ................................................................................................... 28
Authentication .......................................................................................................... 29 Network Eavesdropping ......................................................................................... 29 Brute Force Attacks............................................................................................... 30 Dictionary Attacks................................................................................................. 30 Cookie Replay Attacks........................................................................................... 31 Credential Theft .................................................................................................... 31
Authorization ............................................................................................................ 31 Elevation of Privilege ............................................................................................. 32 Disclosure of Confidential Data.............................................................................. 32 Data Tampering..................................................................................................... 32 Luring Attacks....................................................................................................... 33
Configuration Management ........................................................................................ 33 Unauthorized Access to Administration Interfaces ................................................... 33 Unauthorized Access to Configuration Stores .......................................................... 34 Retrieval of Plaintext Configuration Secrets ............................................................. 34 Lack of Individual Accountability ............................................................................. 34 Over-privileged Application and Service Accounts..................................................... 34
-
viii Improving Web Application Security: Threats and Countermeasures
Sensitive Data .......................................................................................................... 35 Access to Sensitive Data in Storage....................................................................... 35 Network Eavesdropping ......................................................................................... 35 Data Tampering..................................................................................................... 35
Session Management ............................................................................................... 36 Session Hijacking ................................................................................................. 36 Session Replay..................................................................................................... 36 Man in the Middle Attacks ..................................................................................... 37
Cryptography ............................................................................................................ 37 Poor Key Generation or Key Management................................................................ 38 Weak or Custom Encryption ................................................................................... 38 Checksum Spoofing .............................................................................................. 38
Parameter Manipulation ............................................................................................ 39 Query String Manipulation ..................................................................................... 39 Form Field Manipulation ........................................................................................ 40 Cookie Manipulation ............................................................................................. 40 HTTP Header Manipulation..................................................................................... 40
Exception Management ............................................................................................. 40 Attacker Reveals Implementation Details ................................................................ 41 Denial of Service .................................................................................................. 41
Auditing and Logging ................................................................................................. 41 User Denies Performing an Operation ..................................................................... 42 Attackers Exploit an Application Without Leaving a Trace .......................................... 42 Attackers Cover Their Tracks .................................................................................. 42
Summary ................................................................................................................. 42 Additional Resources ................................................................................................ 43
Chapter 3 Threat Modeling 45
In This Chapter ......................................................................................................... 45 Overview .................................................................................................................. 45 Before You Begin ...................................................................................................... 45 How to Use This Chapter ........................................................................................... 46 Threat Modeling Principles......................................................................................... 47
The Process ......................................................................................................... 47 The Output ........................................................................................................... 48
Step 1. Identify Assets .............................................................................................. 49 Step 2. Create an Architecture Overview ..................................................................... 49
Identify What the Application Does ......................................................................... 50 Create an Architecture Diagram.............................................................................. 50 Identify the Technologies ....................................................................................... 51
-
Contents ix
Step 3. Decompose the Application............................................................................ 52 Identify Trust Boundaries ....................................................................................... 53 Identify Data Flow ................................................................................................. 53 Identify Entry Points .............................................................................................. 54 Identify Privileged Code ......................................................................................... 54 Document the Security Profile ................................................................................ 55
Step 4. Identify the Threats ....................................................................................... 56 Identify Network Threats........................................................................................ 57 Identify Host Threats ............................................................................................. 58 Identify Application Threats.................................................................................... 58 Using Attack Trees and Attack Patterns................................................................... 59
Step 5. Document the Threats ................................................................................... 62 Step 6. Rate the Threats ........................................................................................... 62
Risk = Probability * Damage Potential .................................................................... 63 High, Medium, and Low Ratings ............................................................................. 63 DREAD................................................................................................................. 63
What Comes After Threat Modeling?........................................................................... 65 Generating a Work Item Report .............................................................................. 66
Summary ................................................................................................................. 66 Additional Resources ................................................................................................ 66
Part II Designing Secure Web Applications 67
Chapter 4 Design Guidelines for Secure Web Applications 69
In This Chapter ......................................................................................................... 69 Overview .................................................................................................................. 69 How to Use This Chapter ........................................................................................... 70 Architecture and Design Issues for Web Applications ................................................... 70 Deployment Considerations ....................................................................................... 72
Security Policies and Procedures............................................................................ 73 Network Infrastructure Components ....................................................................... 73 Deployment Topologies.......................................................................................... 73 Intranet, Extranet, and Internet............................................................................... 74
Input Validation......................................................................................................... 74 Assume All Input Is Malicious ................................................................................ 75 Centralize Your Approach ....................................................................................... 75 Do Not Rely on Client-Side Validation...................................................................... 76 Be Careful with Canonicalization Issues.................................................................. 76 Constrain, Reject, and Sanitize Your Input ............................................................... 77 In Practice ............................................................................................................ 79
-
x Improving Web Application Security: Threats and Countermeasures
Authentication .......................................................................................................... 80 Separate Public and Restricted Areas..................................................................... 81 Use Account Lockout Policies for End-User Accounts ............................................... 81 Support Password Expiration Periods...................................................................... 81 Be Able to Disable Accounts .................................................................................. 82 Do Not Store Passwords in User Stores.................................................................. 82 Require Strong Passwords..................................................................................... 82 Do Not Send Passwords Over the Wire in Plaintext .................................................. 82 Protect Authentication Cookies .............................................................................. 82
Authorization ............................................................................................................ 83 Use Multiple Gatekeepers ..................................................................................... 83 Restrict User Access to System Level Resources .................................................... 83 Consider Authorization Granularity .......................................................................... 83
Configuration Management ........................................................................................ 86 Secure Your Administration Interfaces .................................................................... 86 Secure Your Configuration Stores ........................................................................... 86 Separate Administration Privileges ......................................................................... 87 Use Least Privileged Process and Service Accounts................................................. 87
Sensitive Data .......................................................................................................... 87 Secrets ................................................................................................................ 87 Sensitive Per User Data......................................................................................... 89
Session Management ............................................................................................... 90 Use SSL to Protect Session Authentication Cookies ................................................ 90 Encrypt the Contents of the Authentication Cookies................................................. 90 Limit Session Lifetime........................................................................................... 91 Protect Session State from Unauthorized Access .................................................... 91
Cryptography ............................................................................................................ 91 Do Not Develop Your Own Cryptography .................................................................. 92 Keep Unencrypted Data Close to the Algorithm ....................................................... 92 Use the Correct Algorithm and Correct Key Size....................................................... 92 Secure Your Encryption Keys.................................................................................. 92
Parameter Manipulation ............................................................................................ 93 Encrypt Sensitive Cookie State .............................................................................. 93 Make Sure that Users Do Not Bypass Your Checks.................................................. 93 Validate All Values Sent from the Client .................................................................. 94 Do Not Trust HTTP Header Information.................................................................... 94
Exception Management ............................................................................................. 94 Do Not Leak Information to the Client..................................................................... 94 Log Detailed Error Messages ................................................................................. 95 Catch Exceptions .................................................................................................. 95
Auditing and Logging ................................................................................................. 95 Audit and Log Access Across Application Tiers ........................................................ 95 Consider Identity Flow ........................................................................................... 96 Log Key Events ..................................................................................................... 96 Secure Log Files ................................................................................................... 96 Back Up and Analyze Log Files Regularly................................................................. 96
-
Contents xi
Design Guidelines Summary ...................................................................................... 97 Summary ................................................................................................................. 98 Additional Resources ................................................................................................ 98
Chapter 5 Architecture and Design Review for Security 99
In This Chapter ......................................................................................................... 99 Overview .................................................................................................................. 99 How to Use This Chapter ......................................................................................... 100 Architecture and Design Review Process................................................................... 100 Deployment and Infrastructure Considerations .......................................................... 101
Does the Network Provide Secure Communication? ............................................... 102 Does Your Deployment Topology Include an Internal Firewall? ................................. 102 Does Your Deployment Topology Include a Remote Application Server? ................... 102 What Restrictions Does Infrastructure Security Impose? ........................................ 103 Have You Considered Web Farm Issues?............................................................... 104 What Trust Levels Does the Target Environment Support? ...................................... 104
Input Validation....................................................................................................... 105 How Do You Validate Input? ................................................................................. 106 What Do You Do with the Input? ........................................................................... 107
Authentication ........................................................................................................ 107 Do You Separate Public and Restricted Access?.................................................... 108 Have You Identified Service Account Requirements? .............................................. 108 How Do You Authenticate the Caller?.................................................................... 109 How Do You Authenticate with the Database? ....................................................... 109 Do You Enforce Strong Account Management Practices? ........................................ 111
Authorization .......................................................................................................... 111 How Do You Authorize End Users?........................................................................ 112 How Do You Authorize the Application in the Database?......................................... 113 How Do You Restrict Access to System-Level Resources? ...................................... 113
Configuration Management ...................................................................................... 114 Do You Support Remote Administration? .............................................................. 114 Do You Secure Configuration Stores? ................................................................... 115 Do You Separate Administrator Privileges?............................................................ 115
Sensitive Data ........................................................................................................ 115 Do You Store Secrets? ........................................................................................ 116 How Do You Store Sensitive Data? ....................................................................... 117 Do You Pass Sensitive Data Over the Network? ..................................................... 117 Do You Log Sensitive Data?................................................................................. 117
Session Management ............................................................................................. 117 How Are Session Identifiers Exchanged?............................................................... 118 Do You Restrict Session Lifetime?........................................................................ 118 How Is the Session State Store Secured?............................................................. 118
-
xii Improving Web Application Security: Threats and Countermeasures
Cryptography .......................................................................................................... 119 Why Do You Use Particular Algorithms?................................................................. 119 How Do You Secure Encryption Keys?................................................................... 120
Parameter Manipulation .......................................................................................... 120 Do You Validate All Input Parameters? .................................................................. 121 Do You Pass Sensitive Data in Parameters?.......................................................... 121 Do You Use HTTP Header Data for Security? ......................................................... 121
Exception Management ........................................................................................... 122 Do You Use Structured Exception Handling?.......................................................... 122 Do You Reveal Too Much Information to the Client? ............................................... 122
Auditing and Logging ............................................................................................... 123 Have You Identified Key Activities to Audit? ........................................................... 123 Have You Considered How to Flow Original Caller Identity? ..................................... 124 Have You Considered Secure Log File Management Policies? ................................. 124
Summary ............................................................................................................... 124 Additional Resources .............................................................................................. 125
Part III Building Secure Web Applications 127
Chapter 6 .NET Security Overview 129
In This Chapter ....................................................................................................... 129 Overview ................................................................................................................ 129 How to Use This Chapter ......................................................................................... 130 Managed Code Benefits .......................................................................................... 130 User vs. Code Security ............................................................................................ 131
Role-Based Security ............................................................................................ 131 Code Access Security.......................................................................................... 132
.NET Framework Role-Based Security........................................................................ 133 Principals and Identities ...................................................................................... 134 PrincipalPermission Objects................................................................................. 134 Role-Based Security Checks................................................................................. 137 URL Authorization ............................................................................................... 138
.NET Framework Security Namespaces ..................................................................... 139 System.Security.................................................................................................. 140 System.Web.Security........................................................................................... 141 System.Security.Cryptography .............................................................................. 141 System.Security.Principal..................................................................................... 141 System.Security.Policy ......................................................................................... 142 System.Security.Permissions ............................................................................... 142
Summary ............................................................................................................... 144 Additional Resources .............................................................................................. 144
-
Contents xiii
Chapter 7 Building Secure Assemblies 145
In This Chapter ....................................................................................................... 145 Overview ................................................................................................................ 145 How to Use This Chapter ......................................................................................... 146 Threats and Countermeasures ................................................................................. 146
Unauthorized Access or Privilege Elevation, or both................................................ 147 Code Injection .................................................................................................... 147 Information Disclosure ........................................................................................ 148 Tampering .......................................................................................................... 149
Privileged Code....................................................................................................... 149 Privileged Resources ........................................................................................... 150 Privileged Operations .......................................................................................... 150
Assembly Design Considerations ............................................................................. 150 Identify Privileged Code ....................................................................................... 150 Identify the Trust Level of Your Target Environment................................................. 151 Sandbox Highly Privileged Code............................................................................ 152 Design Your Public Interface................................................................................. 153
Class Design Considerations ................................................................................... 153 Restrict Class and Member Visibility..................................................................... 153 Seal Non-Base Classes ....................................................................................... 153 Restrict Which Users Can Call Your Code.............................................................. 154 Expose Fields Using Properties ............................................................................ 154
Strong Names ........................................................................................................ 155 Security Benefits of Strong Names ....................................................................... 156 Using Strong Names ........................................................................................... 156 Delay Signing...................................................................................................... 157 ASP.NET and Strong Names................................................................................. 158 Authenticode vs. Strong Names ........................................................................... 159
Authorization .......................................................................................................... 160 Exception Management ........................................................................................... 161
Use Structured Exception Handling....................................................................... 161 Do Not Log Sensitive Data................................................................................... 162 Do Not Reveal Sensitive System or Application Information .................................... 162 Consider Exception Filter Issues .......................................................................... 162 Consider an Exception Management Framework .................................................... 163
File I/O .................................................................................................................. 164 Avoid Untrusted Input for File Names.................................................................... 164 Do Not Trust Environment Variables...................................................................... 164 Validate Input File Names.................................................................................... 164 Constrain File I/O Within Your Application’s Context............................................... 165
Event Log ............................................................................................................... 165
-
xiv Improving Web Application Security: Threats and Countermeasures
Registry ................................................................................................................. 166 HKEY_LOCAL_MACHINE....................................................................................... 166 HKEY_CURRENT_USER........................................................................................ 166 Reading from the Registry ................................................................................... 167
Data Access ........................................................................................................... 167 Unmanaged Code ................................................................................................... 168
Validate Input and Output String Parameters ......................................................... 168 Validate Array Bounds ......................................................................................... 169 Check File Path Lengths ...................................................................................... 169 Compile Unmanaged Code With the /GS Switch .................................................... 169 Inspect Unmanaged Code for Dangerous APIs....................................................... 169
Delegates............................................................................................................... 169 Do Not Accept Delegates from Untrusted Sources................................................. 169
Serialization ........................................................................................................... 170 Do Not Serialize Sensitive Data............................................................................ 170 Validate Serialized Data Streams ......................................................................... 170 Partial Trust Considerations ................................................................................. 171
Threading ............................................................................................................... 171 Do Not Cache the Results of Security Checks ....................................................... 171 Consider Impersonation Tokens ........................................................................... 172 Synchronize Static Class Constructors.................................................................. 172 Synchronize Dispose Methods ............................................................................. 172
Reflection............................................................................................................... 172 Obfuscation............................................................................................................ 173 Cryptography .......................................................................................................... 174
Use Platform-provided Cryptographic Services ....................................................... 174 Key Generation ................................................................................................... 174 Key Storage........................................................................................................ 176 Key Exchange ..................................................................................................... 178 Key Maintenance ................................................................................................ 178
Summary ............................................................................................................... 179 Additional Resources .............................................................................................. 179
Chapter 8 Code Access Security in Practice 181
In This Chapter ....................................................................................................... 181 Overview ................................................................................................................ 181 How to Use This Chapter ......................................................................................... 182 Code Access Security Explained............................................................................... 182
Code.................................................................................................................. 183 Evidence ............................................................................................................ 183 Permissions ....................................................................................................... 184 Assert, Deny, and PermitOnly Methods.................................................................. 185 Policy ................................................................................................................. 185 Code Groups ...................................................................................................... 186
-
Contents xv
Code Access Security Explained (continued) How Does It Work?.............................................................................................. 186 How Is Policy Evaluated? ..................................................................................... 187
APTCA.................................................................................................................... 191 Avoid Using APTCA .............................................................................................. 191 Diagnosing APTCA Issues .................................................................................... 192
Privileged Code....................................................................................................... 193 Privileged Resources ........................................................................................... 193 Privileged Operations .......................................................................................... 194
Requesting Permissions .......................................................................................... 194 RequestMinimum................................................................................................ 195 RequestOptional ................................................................................................. 195 RequestRefused ................................................................................................. 195 Implications of Using RequestOptional or RequestRefuse ...................................... 196
Authorizing Code..................................................................................................... 196 Restrict Which Code Can Call Your Code ............................................................... 197 Restrict Inheritance............................................................................................. 198 Consider Protecting Cached Data ......................................................................... 199 Protect Custom Resources with Custom Permissions ............................................ 199
Link Demands ........................................................................................................ 199 Luring Attacks..................................................................................................... 200 Performance and Link Demands........................................................................... 201 Calling Methods with Link Demands ..................................................................... 201 Mixing Class and Method Level Link Demands ...................................................... 201 Interfaces and Link Demands .............................................................................. 202 Structures and Link Demands.............................................................................. 202 Virtual Methods and Link Demands...................................................................... 203
Assert and RevertAssert.......................................................................................... 203 Use the Demand / Assert Pattern ........................................................................ 204 Reduce the Assert Duration................................................................................. 204
Constraining Code................................................................................................... 204 Using Policy Permission Grants ............................................................................ 205 Using Stack Walk Modifiers ................................................................................. 205
File I/O .................................................................................................................. 205 Constraining File I/O within your Application’s Context ........................................... 205 Requesting FileIOPermission................................................................................ 207
Event Log ............................................................................................................... 207 Constraining Event Logging Code ......................................................................... 208 Requesting EventLogPermission........................................................................... 208
Registry ................................................................................................................. 208 Constraining Registry Access............................................................................... 209 Requesting RegistryPermission ............................................................................ 209
Data Access ........................................................................................................... 209 Directory Services................................................................................................... 210
Constraining Directory Service Access.................................................................. 210 Requesting DirectoryServicesPermission .............................................................. 211
-
xvi Improving Web Application Security: Threats and Countermeasures
Environment Variables ............................................................................................. 211 Constraining Environment Variable Access ............................................................ 211 Requesting EnvironmentPermission...................................................................... 211
Web Services ......................................................................................................... 212 Constraining Web Service Connections ................................................................. 212
Sockets and DNS.................................................................................................... 213 Constraining Socket Access................................................................................. 213 Requesting SocketPermission and DnsPermission................................................. 214
Unmanaged Code ................................................................................................... 214 Use Naming Conventions to Indicate Risk ............................................................. 214 Request the Unmanaged Code Permission............................................................ 215 Sandbox Unmanaged API Calls............................................................................. 215 Use SuppressUnmanagedCodeSecurity with Caution ............................................. 216
Delegates............................................................................................................... 217 Serialization ........................................................................................................... 218
Restricting Serialization ....................................................................................... 218 Summary ............................................................................................................... 219 Additional Resources .............................................................................................. 219
Chapter 9 Using Code Access Security with ASP.NET 221
In This Chapter ....................................................................................................... 221 Overview ................................................................................................................ 221 How to Use This Chapter ......................................................................................... 223 Resource Access .................................................................................................... 223 Full Trust and Partial Trust ....................................................................................... 224 Configuring Code Access Security in ASP.NET ........................................................... 225
Configuring Trust Levels....................................................................................... 225 Locking the Trust Level ........................................................................................ 226
ASP.NET Policy Files................................................................................................ 227 ASP.NET Policy ....................................................................................................... 227
Inside an ASP.NET Policy File ............................................................................... 228 Permission State and Unrestricted Permissions .................................................... 229 The ASP.NET Named Permission Set .................................................................... 229 Substitution Parameters ...................................................................................... 230
Developing Partial Trust Web Applications ................................................................. 231 Why Partial Trust? ............................................................................................... 231 Problems You Might Encounter............................................................................. 231
Trust Levels ............................................................................................................ 232 Approaches for Partial Trust Web Applications ........................................................... 234 Customize Policy..................................................................................................... 235 Sandbox Privileged Code ......................................................................................... 236
A Sandboxing Pattern .......................................................................................... 236
-
Contents xvii
Deciding Which Approach to Take ............................................................................. 238 Customizing Policy .............................................................................................. 238 Sandboxing ........................................................................................................ 238
Medium Trust ......................................................................................................... 239 Reduced Attack Surface ...................................................................................... 239 Application Isolation............................................................................................ 239
Medium Trust Restrictions ....................................................................................... 240 OLE DB .............................................................................................................. 240 Event Log ........................................................................................................... 244 Web Services ..................................................................................................... 248 Registry ............................................................................................................. 250
Summary ............................................................................................................... 252 Additional Resources .............................................................................................. 252
Chapter 10 Building Secure ASP.NET Pages and Controls 253
In This Chapter ....................................................................................................... 253 Overview ................................................................................................................ 253 How to Use This Chapter ......................................................................................... 254 Threats and Countermeasures ................................................................................. 254
Code Injection .................................................................................................... 255 Session Hijacking ............................................................................................... 256 Identity Spoofing................................................................................................. 257 Parameter Manipulation ...................................................................................... 258 Network Eavesdropping ....................................................................................... 259 Information Disclosure ........................................................................................ 259
Design Considerations ............................................................................................ 260 Use Server-Side Input Validation .......................................................................... 260 Partition Your Web Site ........................................................................................ 261 Consider the Identity That Is Used for Resource Access......................................... 262 Protect Credentials and Authentication Tickets...................................................... 262 Fail Securely ....................................................................................................... 262 Consider Authorization Granularity ........................................................................ 263 Place Web Controls and User Controls in Separate Assemblies .............................. 263 Place Resource Access Code in a Separate Assembly ........................................... 263
Input Validation....................................................................................................... 263 Constrain, Then Sanitize...................................................................................... 264 Regular Expressions............................................................................................ 264 String Fields ....................................................................................................... 265 Date Fields......................................................................................................... 267 Numeric Fields.................................................................................................... 267 Sanitizing Input................................................................................................... 269 Validating HTML Controls..................................................................................... 269 Validating Input Used for Data Access .................................................................. 270 Validating Input Used For File I/O ......................................................................... 270 Common Regular Expressions.............................................................................. 271
-
xviii Improving Web Application Security: Threats and Countermeasures
Cross-Site Scripting................................................................................................. 272 Validate Input ..................................................................................................... 273 Encode Output.................................................................................................... 273 Defense in Depth Countermeasures..................................................................... 274
Authentication ........................................................................................................ 277 Forms Authentication .......................................................................................... 277 Partition Your Web Site ........................................................................................ 278 Secure Restricted Pages with SSL........................................................................ 279 Use URL Authorization......................................................................................... 279 Secure the Authentication Cookie......................................................................... 280 Use Absolute URLs for Navigation ........................................................................ 282 Use Secure Credential Management..................................................................... 283
Authorization .......................................................................................................... 284 Use URL Authorization for Page and Directory Access Control................................. 284 Use File Authorization with Windows Authentication ............................................... 284 Use Principal Demands on Classes and Methods .................................................. 284 Use Explicit Role Checks for Fine-Grained Authorization ......................................... 285
Impersonation ........................................................................................................ 286 Using Programmatic Impersonation ...................................................................... 286
Sensitive Data ........................................................................................................ 288 Do not Pass Sensitive Data from Page to Page...................................................... 288 Avoid Plaintext Passwords in Configuration Files.................................................... 288 Use DPAPI to Avoid Key Management ................................................................... 288 Do Not Cache Sensitive Data............................................................................... 288
Session Management ............................................................................................. 289 Require Authentication for Sensitive Pages ........................................................... 289 Do Not Rely on Client-Side State Management Options .......................................... 289 Do Not Mix Session Tokens and Authentication Tokens .......................................... 290 Use SSL Effectively ............................................................................................. 290 Secure the Session Data..................................................................................... 290
Parameter Manipulation .......................................................................................... 291 Protect View State with MACs .............................................................................. 291 Use Page.ViewStateUserKey to Counter One-Click Attacks...................................... 292 Maintain Sensitive Data on the Server.................................................................. 292 Validate Input Parameters.................................................................................... 293
Exception Management ........................................................................................... 293 Return Generic Error Pages to the Client ............................................................... 293 Implement Page-Level or Application-Level Error Handlers....................................... 294
Auditing and Logging ............................................................................................... 295 EventLogPermission ............................................................................................ 296
Summary ............................................................................................................... 296 Additional Resources .............................................................................................. 297
-
Contents xix
Chapter 11 Building Secure Serviced Components 299
In This Chapter ....................................................................................................... 299 Overview ................................................................................................................ 299 How to Use This Chapter ......................................................................................... 300 Threats and Countermeasures ................................................................................. 300
Network Eavesdropping ....................................................................................... 301 Unauthorized Access........................................................................................... 301 Unconstrained Delegation.................................................................................... 301 Disclosure of Configuration Data .......................................................................... 302 Repudiation........................................................................................................ 302
Design Considerations ............................................................................................ 302 Role-Based Authorization ..................................................................................... 302 Sensitive Data Protection .................................................................................... 302 Audit Requirements............................................................................................. 303 Application Activation Type................................................................................... 303 Transactions....................................................................................................... 303 Code Access Security.......................................................................................... 303
Authentication ........................................................................................................ 304 Use (At Least) Call Level Authentication................................................................ 304
Authorization .......................................................................................................... 304 Enable Role-Based Security ................................................................................. 304 Enable Component Level Access Checks .............................................................. 305 Enforce Component Level Access Checks ............................................................. 305
Configuration Management ...................................................................................... 305 Use Least Privileged Run-As Accounts .................................................................. 306 Avoid Storing Secrets in Object Constructor Strings ............................................... 306 Avoid Unconstrained Delegation ........................................................................... 306
Sensitive Data ........................................................................................................ 307 Auditing and Logging ............................................................................................... 308
Audit User Transactions....................................................................................... 308 Building a Secure Serviced Component .................................................................... 309
Assembly Implementation.................................................................................... 310 Serviced Component Class Implementation .......................................................... 311
Code Access Security Considerations ....................................................................... 313 Deployment Considerations ..................................................................................... 314
Firewall Restrictions ............................................................................................ 314 Summary ............................................................................................................... 316 Additional Resources .............................................................................................. 317
Chapter 12 Building Secure Web Services 319
In This Chapter ....................................................................................................... 319 Overview ................................................................................................................ 319 How to Use This Chapter ......................................................................................... 320
-
xx Improving Web Application Security: Threats and Countermeasures
Threats and Countermeasures ................................................................................. 320 Unauthorized Access........................................................................................... 321 Parameter Manipulation ...................................................................................... 322 Network Eavesdropping ....................................................................................... 322 Disclosure of Configuration Data .......................................................................... 323 Message Replay ................................................................................................. 323
Design Considerations ............................................................................................ 325 Authentication Requirements ............................................................................... 325 Privacy and Integrity Requirements ....................................................................... 325 Resource Access Identities.................................................................................. 325 Code Access Security.......................................................................................... 326
Input Validation....................................................................................................... 326 Strongly Typed Parameters................................................................................... 326 Loosely Typed Parameters ................................................................................... 328 XML Data ........................................................................................................... 328 SQL Injection ...................................................................................................... 331 Cross-Site Scripting............................................................................................. 331
Authentication ........................................................................................................ 332 Platform Level Authentication............................................................................... 332 Message Level Authentication.............................................................................. 333 Application Level Authentication ........................................................................... 335
Authorization .......................................................................................................... 335 Web Service Endpoint Authorization...................................................................... 336 Web Method Authorization ................................................................................... 336 Programmatic Authorization ................................................................................. 336
Sensitive Data ........................................................................................................ 337 XML Encryption................................................................................................... 337 Encrypting Parts of a Message............................................................................. 338
Parameter Manipulation .......................................................................................... 339 Exception Management ........................................................................................... 339
Using SoapExceptions......................................................................................... 340 Application Level Error Handling in Global.asax...................................................... 341
Auditing and Logging ............................................................................................... 341 Proxy Considerations............................................................................................... 341 Code Access Security Considerations ....................................................................... 342 Deployment Considerations ..................................................................................... 343
Intranet Deployment............................................................................................ 343 Extranet Deployment ........................................................................................... 343 Internet Deployment............................................................................................ 344
Summary ............................................................................................................... 345 Additional Resources .............................................................................................. 345
-
Contents xxi
Chapter 13 Building Secure Remoted Components 347
In This Chapter ....................................................................................................... 347 Overview ................................................................................................................ 347 How to Use This Chapter ......................................................................................... 348 Threats and Countermeasures ................................................................................. 349
Unauthorized Access........................................................................................... 349 Network Eavesdropping ....................................................................................... 350 Parameter Manipulation ...................................................................................... 351 Serialization ....................................................................................................... 351
Design Considerations ............................................................................................ 352 Do Not Expose Remoted Objects to the Internet.................................................... 352 Use the HttpChannel to Take Advantage of ASP.NET Security ................................. 352 Use the TcpChannel Only in Trusted Server Scenarios............................................ 352
Input Validation....................................................................................................... 354 Serialization Attacks............................................................................................ 354 MarshalByRefObject Attacks ................................................................................ 354
Authentication ........................................................................................................ 355 ASP.NET Hosting................................................................................................. 355 Custom Process Hosting ..................................................................................... 358
Authorization .......................................................................................................... 359 Use IPSec for Machine Level Access Control ......................................................... 359 Enable File Authorization for User Access Control .................................................. 359 Authorize Users with Principal-Based Role Checks ................................................. 360 Consider Limiting Remote Access ........................................................................ 360
Sensitive Data ........................................................................................................ 361 Using IPSec........................................................................................................ 361 Using SSL .......................................................................................................... 361 Using a Custom Encryption Sink........................................................................... 361
Denial of Service .................................................................................................... 364 Exception Management ........................................................................................... 364
Using a Custom Channel Sink.............................................................................. 365 Auditing and Logging ............................................................................................... 365
Using a Custom Channel Sink.............................................................................. 365 Code Access Security (CAS) Considerations .............................................................. 365 Summary ............................................................................................................... 365 Additional Resources .............................................................................................. 366
Chapter 14 Building Secure Data Access 367
In this Chapter........................................................................................................ 367 Overview ................................................................................................................ 367 How to Use This Chapter ......................................................................................... 368
-
xxii Improving Web Application Security: Threats and Countermeasures
Threats and Countermeasures ................................................................................. 368 SQL Injection ...................................................................................................... 369 Disclosure of Configuration Data .......................................................................... 370 Disclosure of Sensitive Application Data ............................................................... 370 Disclosure of Database Schema and Connection Details ....................................... 371 Unauthorized Access........................................................................................... 371 Network Eavesdropping ....................................................................................... 372
Design Considerations ............................................................................................ 372 Use Windows Authentication................................................................................ 373 Use Least Privileged Accounts ............................................................................. 373 Use Stored Procedures........................................................................................ 373 Protect Sensitive Data in Storage......................................................................... 374 Use Separate Data Access Assemblies ................................................................ 375
Input Validation....................................................................................................... 376 SQL Injection .......................................................................................................... 376
Preventing SQL Injection...................................................................................... 376 Constrain Input ................................................................................................... 376 Use Type Safe SQL Parameters ............................................................................ 377 Using Parameter Batching.................................................................................... 378 Using Filter Routines ........................................................................................... 378 Using LIKE Clauses............................................................................................. 378
Authentication ........................................................................................................ 379 Use Windows Authentication................................................................................ 379 Protect the Credentials for SQL Authentication ...................................................... 380 Connect Using a Least Privileged Account............................................................. 380
Authorization .......................................................................................................... 380 Restrict Unauthorized Callers............................................................................... 382 Restrict Unauthorized Code ................................................................................. 383 Restrict the Application in the Database ............................................................... 383
Configuration Management ...................................................................................... 384 Use Window Authentication.................................................................................. 384 Secure Your Connection Strings ........................................................................... 384 Secure UDL Files with Restricted ACLs ................................................................. 386
Sensitive Data ........................................................................................................ 386 Encrypt Sensitive Data if You Need to Store It ....................................................... 386 Secure Sensitive Data Over the Network............................................................... 387 Store Password Hashes with Salt......................................................................... 388
Exception Management ........................................................................................... 389 Trap and Log ADO.NET Exceptions ........................................................................ 389 Ensure Database Connections Are Closed ............................................................ 391 Use a Generic Error Page in Your ASP.NET Applications.......................................... 392
Building a Secure Data Access Component............................................................... 393 Code Access Security Considerations ....................................................................... 396
-
Contents xxiii
Deployment Considerations ..................................................................................... 397 Firewall Restrictions ............................................................................................ 397 Connection String Management ........................................................................... 398 Login Account Configuration................................................................................. 398 Logon Auditing.................................................................................................... 398 Data Privacy and Integrity on the Network ............................................................. 399
Summary ............................................................................................................... 399 Additional Resources .............................................................................................. 399
Part IV Securing Your Network, Host, and Application 401
Chapter 15 Securing Your Network 403
In This Chapter ....................................................................................................... 403 Overview ................................................................................................................ 403 How to Use This Chapter ..................................................