Top 5 Web Application Security bugs in custom code
Varun Sharma, Security Engineer | ACE Team | Microsoft Information Security ([email protected])
Top 5 Web App Security bugs
Relative percentage of the Top 5 Web Application Security vulnerabilities found by Microsoft ACE Team since 1st Jan 08
Agenda
Cross-Site Scripting
Clear Text Secrets
Authorization Issues
  Disabling Controls in the Web site to enforce authorization
  Direct Object Reference
  Missing Authorization controls in web services
SQL Injection
Verbose Error messages
Cross-Site Scripting
User-controlled input is rendered back to the browser without sufficient input validation or output encoding
Leads to execution of script (controlled by the attacker) under the context of the victim
Cross-Site Scripting
Common Buggy Code: Some ASP.NET Controls encode and some do not
Cross-Site Scripting
User input going in attribute context
User input going in JavaScript context
Cross-Site Scripting
Countermeasures
Validate all input and encode all output
Perform context specific encoding
Use the AntiXss Library
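Added example (not code from the deck) in Python rather than ASP.NET: allow-list encoders for the three contexts named above (HTML body, HTML attribute, JavaScript string) and small render helpers that show why an HTML encoder is the wrong tool once user input lands inside a script block. The encoder and render function names are my own and only model the AntiXss allow-list approach.

```python
import string

# Allow-list of characters emitted unchanged; everything else is encoded.
# Modelled on the AntiXss allow-list approach rather than a deny-list.
_SAFE = set(string.ascii_letters + string.digits + " ,.-_")


def html_encode(value: str) -> str:
    """HTML body and quoted-attribute context: &#NNN; for any non-allow-listed char."""
    return "".join(ch if ch in _SAFE else f"&#{ord(ch)};" for ch in value)


def js_string_encode(value: str) -> str:
    """JavaScript string-literal context: \\xHH for Latin-1, \\uHHHH otherwise.
    The browser never decodes &#39; inside <script>, so JS escapes are required."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch in _SAFE:
            out.append(ch)
        elif code < 0x100:
            out.append(f"\\x{code:02x}")
        else:
            out.append(f"\\u{code:04x}")
    return "".join(out)


def legacy_html_encode(value: str) -> str:
    """Classic HtmlEncode behaviour: only & < > " are touched; the single quote survives."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


def render_body(name: str) -> str:
    """HTML body context (e.g. a control that does not encode for you)."""
    return f"<p>Hello {html_encode(name)}</p>"


def render_attribute(value: str) -> str:
    """HTML attribute context: always quote the attribute, then encode the value."""
    return f'<input type="text" value="{html_encode(value)}">'


def render_script(value: str) -> str:
    """JavaScript context: the value lands inside a single-quoted JS string."""
    return f"<script>var user = '{js_string_encode(value)}';</script>"


def render_script_wrong(value: str) -> str:
    """The common bug: an HTML encoder applied to a value in JavaScript context."""
    return f"<script>var user = '{legacy_html_encode(value)}';</script>"
```

With the name O'Brien, render_script_wrong leaves a third quote inside the JS literal, while render_script keeps exactly the two delimiting quotes.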
Clear Text Secrets
The application may need to store credentials to connect to SQL Server, SMTP Server etc.
May need to store symmetric keys to perform encryption of application data
May be storing user passwords or other secret information in the database
Clear Text Secrets
Countermeasures
Do not store secrets (passwords/ keys) in code
Use the aspnet_regiis tool to encrypt configuration settings
For application specific data, consider using SQL Server 2005/ 2008 Native Encryption
Authorization Issues
Disabling Controls in the Web site to enforce authorization (Normal execution)
Authorization Issues
Disabling Controls in the Web site to enforce authorization (What attacker does)
Authorization Issues
Disabling HTML text boxes and buttons is only a visual indication, not a security control
Need to perform explicit authorization checks on the server side
Authorization Issues
Direct Object Reference (What attacker does)
Authorization Issues
Direct Object Reference
A unique identifier is used to retrieve and update data for an object. This unique identifier is an incrementing integer (or easily available). No explicit authorization check is performed to ensure the current user has access to the object.
Authorization Issues
Missing authorization in web services in multi-tier applications
[Diagram: Web Server (Website) -> Web Server (Web service) -> SQL Server (Database)]
Authorization Issues
Countermeasures
Perform server side authorization
Use a platform provided authorization mechanism
  URL Authorization
  Declarative and Imperative checks
Implement authorization controls in middle tiers
SQL Injection
User input without sufficient validation is used to create and execute a dynamic SQL statement
User can manipulate the SQL statement that gets executed
SQL Injection
Countermeasures
Validate all input
Use parameterized SQL statements (in stored procedures as well, using sp_executesql)
Configure SQL Server with least privilege for defense in depth
Verbose Error messages
Detailed error messages reveal the inner workings of an application and make an attacker's job easier
Verbose Error messages
Common Buggy Code: Missing exception handling in ASMX web services
References
AntiXss Library: http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en
ASP.NET IIS Registration Tool (Aspnet_regiis): http://msdn.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx
ASP.NET Authorization: http://msdn.microsoft.com/en-us/library/wce3kxhd(VS.80).aspx
Using sp_executesql: http://msdn.microsoft.com/en-us/library/ms175170.aspx
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.