o2 platform and asp.net mvc, by michael hidalgo

The O2 Platform: Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities Michael Hidalgo [email protected] Chapter Leader OWASP Costa Rica, Contributor OWASP O2 Platform Project

Upload: dinis-cruz

Post on 27-Dec-2014


DESCRIPTION

Presentation (still in draft) to be presented at OWASP's Latam 2012 conference in Uruguay https://www.owasp.org/index.php/AppSecLatam2012

TRANSCRIPT

Page 1: O2 platform and ASP.NET MVC, by Michael Hidalgo

The O2 Platform: Exploiting and Fixing Microsoft ASP.net

MVC Vulnerabilities

Michael Hidalgo [email protected]

Chapter Leader OWASP Costa Rica, Contributor OWASP O2 Platform Project

Page 2: O2 platform and ASP.NET MVC, by Michael Hidalgo

About Me

Software Developer Engineer at Fiserv, Digital Channels - Corillian Online ASP team.
– Developing software for financial institutions (FI, CU)
– Web services, interoperability

OWASP Costa Rica Chapter Leader

Participation in the OData Protocol

OWASP Projects contributor
– OWASP O2 Platform (Dinis Cruz)
– REST Security Cheat Sheet (Jim Manico)

2

Page 3: O2 platform and ASP.NET MVC, by Michael Hidalgo

Software Developers need tools!

3

Why this presentation?

Page 4: O2 platform and ASP.NET MVC, by Michael Hidalgo

We software developers need a framework that helps us write secure applications

But also because…

4

Page 5: O2 platform and ASP.NET MVC, by Michael Hidalgo

• An overview of the O2 Platform

• An overview of Microsoft ASP.net MVC Framework

• A demo running the IE automation script against Music Store MVC Application.

Agenda

5

Page 6: O2 platform and ASP.NET MVC, by Michael Hidalgo

What is the O2 Platform?

The O2 Platform

6

Page 7: O2 platform and ASP.NET MVC, by Michael Hidalgo

The O2 Platform

The O2 platform represents a new paradigm for how to perform, document and distribute web application security reviews.

O2 is designed to automate security consultants' knowledge and workflows, and to allow non-security experts to access and consume security knowledge.

7

The O2 Platform

Page 8: O2 platform and ASP.NET MVC, by Michael Hidalgo

• The Project Manager is Dinis Cruz, a security expert based in the UK. Dinis has a strong background in application security and has performed very interesting research.

• Some features of the O2 platform:
– Scripting engine and development environment.
– Black-box/browser-automation environment.
– Source code analysis environment.
– Data consumption and API generation.

The O2 Platform

Page 9: O2 platform and ASP.NET MVC, by Michael Hidalgo

The O2 Platform: More features!

• Powerful search engine

• Graphical Engines

• Multiple APIs

• Integration with third parties

The O2 Platform

9

Page 10: O2 platform and ASP.NET MVC, by Michael Hidalgo

• A comprehensive UI!

10

The O2 Platform

Page 11: O2 platform and ASP.NET MVC, by Michael Hidalgo

• A look at the IE automation editor

11

The O2 Platform

Page 12: O2 platform and ASP.NET MVC, by Michael Hidalgo

• IE Automation syntax

    var topPanel = panel.clear().add_Panel();
    var ie = topPanel.add_IE().silent(false);
    ie.open("http://www.google.com");
    ie.field("q").Value = "OWASP Costa Rica";
    //O2File:WatiN_IE_ExtensionMethods.cs
    //O2Ref:WatiN.Core.1x.dll
    //O2Tag_DontAddExtraO2Files;

12

The O2 Platform

Page 13: O2 platform and ASP.NET MVC, by Michael Hidalgo

• O2 Platform inside Visual Studio IDE

13

The O2 Platform

Page 15: O2 platform and ASP.NET MVC, by Michael Hidalgo

• An overview of the O2 Platform

• An overview of Microsoft ASP.net MVC Framework

• A demo running the IE automation script against Music Store MVC Application.

Agenda

15

Page 16: O2 platform and ASP.NET MVC, by Michael Hidalgo

Architecture of the World Wide Web

• Addressable resources

• Standard resource formats

• Uniform interface for interacting with resource

• Stateless and Hyperlinking

MVC Architecture

16

Page 17: O2 platform and ASP.NET MVC, by Michael Hidalgo

Uniform Interface

17

GET
• Retrieves a resource
• Safe
• Cacheable

POST
• Creates a new resource
• Unsafe: the effect of this verb is not defined by HTTP

PUT
• Updates an existing resource
• Can also be used for resource creation
• Idempotent

DELETE
• Removes a resource
• Call it N times and the same thing always happens (idempotent)

Page 18: O2 platform and ASP.NET MVC, by Michael Hidalgo

Web Applications should embrace the Web!

MVC Architecture

18

Page 19: O2 platform and ASP.NET MVC, by Michael Hidalgo

• MVC is a standard design pattern that many developers are familiar with. Some types of web applications will benefit from the MVC framework.

• Some features:
– Embrace the Web: MVC is a standards-compliant architecture that embraces the Web architecture.
– Easy to implement: the industry is adopting the MVC framework because it provides an easy approach to creating applications rapidly.
– Separation of concerns: this architecture is designed to separate responsibilities within your application.
– Testability

MVC Architecture

Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview

Page 21: O2 platform and ASP.NET MVC, by Michael Hidalgo

• Models: model objects are the parts of the application that implement the logic for the application's data domain.

• Retrieve and store model state in databases.

• An example is a Product model, a Customer model or a Speaker model.

21

MVC Architecture

Page 22: O2 platform and ASP.NET MVC, by Michael Hidalgo

• Views: components that display the application's user interface (UX).

• Created from Model Data.

• An example is editing a Speaker's information, displaying text boxes for name and address.

22

MVC Architecture

Page 23: O2 platform and ASP.NET MVC, by Michael Hidalgo

• Controllers: components that handle user interactions, work with the model and select a view to render in the UI.

• Handles and responds to user input and interactions.

23

MVC Architecture

Page 24: O2 platform and ASP.NET MVC, by Michael Hidalgo

• Vulnerabilities on top of MVC Framework

• MVC applications are vulnerable to most of the attack vectors found in web applications (XSS, CSRF).

• Mass Assignments (Auto Binding): this vulnerability can be found in Spring MVC and in the Microsoft ASP.NET MVC Framework.

24

MVC Architecture

Page 25: O2 platform and ASP.NET MVC, by Michael Hidalgo

• Mass Assignments (aka Auto Binding).

• MVC frameworks rely heavily on binding query strings, route values and form values to in-code objects.

• This vulnerability is a kind of parameter tampering.

• Model Binding works by assigning HTML form fields to object properties.

25

MVC Architecture

Page 26: O2 platform and ASP.NET MVC, by Michael Hidalgo

Mass Assignments (aka Auto Binding)

• Let's take a look at the following Model object:

    public class BlogMember
    {
        public string Name { get; set; }
        public string LastName { get; set; }
        public string EmailAddress { get; set; }
        public bool IsAdmin { get; set; }
    }

26

MVC Architecture

Page 27: O2 platform and ASP.NET MVC, by Michael Hidalgo

What can happen?

Someone could send an HTTP request using Fiddler2 or cURL:

    Request URL: http://yourBlog/register
    Request Method: POST
    Status Code: 200 OK
    ......
    Name: Michael
    LastName: Hidalgo
    EmailAddress: [email protected]
    IsAdmin: true

27

MVC Architecture

Page 28: O2 platform and ASP.NET MVC, by Michael Hidalgo

• An overview of the O2 Platform

• An overview of Microsoft ASP.net MVC Framework

• A demo running the IE automation script against Music Store MVC Application.

Agenda

28

Page 29: O2 platform and ASP.NET MVC, by Michael Hidalgo

Running an O2 Demo!!!

29

MVC Architecture

Page 30: O2 platform and ASP.NET MVC, by Michael Hidalgo

How do we protect ourselves against mass assignments?

• Never trust user input!!!!

• Matching incoming parameters

• Using a ViewModel

• Protect your sensitive Model properties (e.g. SSN, IDs, account numbers)

30

MVC Architecture

Page 31: O2 platform and ASP.NET MVC, by Michael Hidalgo

How do we protect ourselves against mass assignments?

Matching incoming parameters

31

MVC Architecture

Page 32: O2 platform and ASP.NET MVC, by Michael Hidalgo

How do we protect ourselves against mass assignments?

Protecting sensitive fields (using Bind Attribute)

32

MVC Architecture

Page 33: O2 platform and ASP.NET MVC, by Michael Hidalgo

How do we protect ourselves against mass assignments?

• Protecting sensitive fields (using Bind Attribute)

• Blacklist

33

MVC Architecture
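Added example, not code from the slides or from the O2 project: the registration action behind slides 26 and 27 written in ASP.NET MVC four ways, the vulnerable default binding beside each of the three defences the deck lists (matching incoming parameters, a ViewModel, the Bind attribute as whitelist and as blacklist). AccountController, MemberStore and the action names are assumed.

```csharp
using System.Web.Mvc;

// Model from slide 26. IsAdmin must never be settable by whoever submits the form.
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}

// ViewModel (slide 30): carries only the fields the registration form may set.
public class RegisterViewModel
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
}
// Hypothetical persistence stand-in so the controller compiles on its own.
public static class MemberStore { public static void Save(BlogMember m) { /* persist */ } }

public class AccountController : Controller
{
    private ActionResult Persist(BlogMember m) { MemberStore.Save(m); return RedirectToAction("Index"); }
    // VULNERABLE (slide 27): the default binder sets every property that has a matching
    // form field, so a body containing "IsAdmin=true" registers an administrator.
    [HttpPost]
    public ActionResult RegisterUnsafe(BlogMember member) { return Persist(member); }

    // Fix 1 (slide 31), matching incoming parameters: only the named fields are bound,
    // so IsAdmin keeps its default of false; nothing in the request can reach it.
    [HttpPost]
    public ActionResult RegisterMatched(string name, string lastName, string emailAddress)
    {
        return Persist(new BlogMember { Name = name, LastName = lastName, EmailAddress = emailAddress });
    }

    // Fix 2 (slide 30), ViewModel: the binder never sees BlogMember; the controller copies
    // the vetted fields across and decides the privileged one itself.
    [HttpPost]
    public ActionResult RegisterWithViewModel(RegisterViewModel vm)
    {
        return Persist(new BlogMember { Name = vm.Name, LastName = vm.LastName, EmailAddress = vm.EmailAddress, IsAdmin = false });
    }

    // Fix 3 (slides 32 and 33), Bind attribute: Include is a whitelist, Exclude a blacklist.
    // Prefer Include: a blacklist stops covering any sensitive property added to the model later.
    [HttpPost]
    public ActionResult RegisterWhitelisted([Bind(Include = "Name,LastName,EmailAddress")] BlogMember member) { return Persist(member); }
    [HttpPost]
    public ActionResult RegisterBlacklisted([Bind(Exclude = "IsAdmin")] BlogMember member) { return Persist(member); }
}
```

Posting the slide 27 request body to RegisterUnsafe yields IsAdmin == true; posting it to any of the other four actions yields IsAdmin == false.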