Beefing up Security in ASP.NET

Devouring Security, Marudhamaran Gunasekaran (@gmaran23)

Dot Net Bangalore 3rd meet up, May 16 2015 @ Prowareness, Bangalore

Watch the screen recording of this presentation at https://vimeo.com/gmaran23/beefingupsecurityinaspdotnet

Uploaded by gmaran23 on 29-Jul-2015



Next 30 minutes

• Addressing the low-hanging fruits
• See the vulnerabilities in action
• Leveraging ASP.NET mitigations

Configuring Custom Errors Right

<system.web>
  <customErrors mode="On" defaultRedirect="Error.aspx" redirectMode="ResponseRewrite"/>
</system.web>

mode="RemoteOnly" is the default; redirectMode="ResponseRedirect" is the default.

DOS attack and safe/vulnerable .Net versions

Safe:
  .Net framework 2.0.50727.5477 or higher
  .Net framework 4.0.30319.34011 or higher

Vulnerable:
  .Net framework 2.0.50727.5420 or lower
  .Net framework 4.0.30319.1 or lower

Quiz: .Net framework 2.0, revision 5420 to 5476 -- Safe/Vulnerable?

Quiz: .Net framework 4.0, revision 1 to 34010 -- Safe/Vulnerable?
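As an added example (not part of the slides), a small console check that reads the file version of the loaded mscorlib and classifies it against the revision thresholds given above. The two "quiz" ranges are deliberately reported as undetermined rather than answered here. The framework lines outside the slide's table, and any runtime other than the .NET Framework, are out of scope for the check.

```csharp
// Added example: classify the running CLR build against the revision thresholds
// stated on the slide. Not the presenter's code.
using System;
using System.Diagnostics;

static class ClrPatchCheck
{
    public enum Status { Safe, Vulnerable, Undetermined }

    // Thresholds exactly as stated on the slide.
    const int Safe20 = 5477, Vuln20 = 5420;   // 2.0.50727.x
    const int Safe40 = 34011, Vuln40 = 1;     // 4.0.30319.x

    public static Status Classify(Version v)
    {
        if (v.Major == 2 && v.Minor == 0 && v.Build == 50727)
            return v.Revision >= Safe20 ? Status.Safe
                 : v.Revision <= Vuln20 ? Status.Vulnerable
                 : Status.Undetermined;           // the slide's quiz range
        if (v.Major == 4 && v.Minor == 0 && v.Build == 30319)
            return v.Revision >= Safe40 ? Status.Safe
                 : v.Revision <= Vuln40 ? Status.Vulnerable
                 : Status.Undetermined;           // the slide's quiz range
        return Status.Undetermined;               // not covered by the slide's table
    }

    public static Version LoadedRuntimeVersion()
    {
        // Environment.Version does not reliably carry the servicing revision on newer
        // 4.x runtimes; the file version stamped on mscorlib.dll is what the slide's
        // "2.0.50727.xxxx" / "4.0.30319.xxxxx" numbers refer to.
        var fvi = FileVersionInfo.GetVersionInfo(typeof(object).Assembly.Location);
        return new Version(fvi.FileMajorPart, fvi.FileMinorPart, fvi.FileBuildPart, fvi.FilePrivatePart);
    }

    static void Main()
    {
        var loaded = LoadedRuntimeVersion();
        Console.WriteLine("mscorlib file version: {0} -> {1}", loaded, Classify(loaded));

        // Constructed sample versions, one per branch, to show how the table is applied.
        foreach (var s in new[] { "2.0.50727.5420", "2.0.50727.5450", "2.0.50727.5477",
                                  "4.0.30319.1", "4.0.30319.20000", "4.0.30319.34011" })
        {
            Console.WriteLine("{0,-18} -> {1}", s, Classify(Version.Parse(s)));
        }
    }
}
```

Run it on each web server from the same bitness as the application pool, since 32-bit and 64-bit runtimes are serviced as separate files.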

Information Disclosure problems

Remove the Server and X-AspNetMvc-Version Header

protected void Application_BeginRequest(object sender, EventArgs e)
{
    var application = sender as HttpApplication;
    if (application != null && application.Context != null)
    {
        application.Context.Response.Headers.Remove("Server");
    }
}

protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}

Remove ASP.NET Version and X-Powered-By Header

<httpRuntime enableVersionHeader="false"/>

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
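As an added example that is not the presenter's code, here is one Global.asax.cs that gathers the header-hygiene steps from this section. It hooks PreSendRequestHeaders rather than BeginRequest for the Server header, because under the IIS integrated pipeline that header is appended after BeginRequest has already run. The class name MvcApplication is an assumption; the web.config settings quoted in the comments are the ones shown above.

```csharp
// Added example: Global.asax.cs applying the header removals discussed in this
// section. Requires the IIS integrated pipeline (Response.Headers is not available
// in classic mode).
using System;
using System.Web;
using System.Web.Mvc;

public class MvcApplication : HttpApplication   // assumed name
{
    protected void Application_Start()
    {
        // Stops ASP.NET MVC adding "X-AspNetMvc-Version" to every response.
        MvcHandler.DisableMvcResponseHeader = true;
    }

    // Global.asax auto-wires Application_<EventName> to HttpApplication events.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null || app.Context == null) return;

        var headers = app.Context.Response.Headers;

        // IIS adds "Server" late in the pipeline, so removing it here (just before the
        // headers are flushed) is more reliable than doing so in BeginRequest.
        headers.Remove("Server");

        // These two are normally switched off in web.config
        // (<httpRuntime enableVersionHeader="false"/> and <remove name="X-Powered-By"/>);
        // removing them here as well covers hosts or modules that re-add them.
        headers.Remove("X-AspNet-Version");
        headers.Remove("X-Powered-By");
    }
}
```

Keep the web.config settings in place as well: the code path only runs for requests that reach the ASP.NET pipeline, while static files served directly by IIS still get whatever IIS is configured to send.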

ASP.NET Tracing Vulnerabilities

Secure <trace> configurations

Vulnerable (trace.axd reachable from remote clients):
  <trace enabled="true" localOnly="false"/>

Secure (default):
  <trace enabled="false" localOnly="true"/>

<deployment retail="true" />

<configuration>
  <system.web>
    <deployment retail="true"/>
  </system.web>
</configuration>

Set at %windir%\Microsoft.Net\Framework64\v4.0.30319\Config\machine.config, which applies to every application on the machine:

• Disables debugging
• Switches on custom errors
• Disables tracing

Vulnerable: the session ID is carried in the URL

Secure <sessionState> configurations

Vulnerable (session ID in the URL):
  <sessionState cookieless="UseUri"/>

Secure (default):
  <sessionState cookieless="UseCookies"/>

Secure <sessionState> configurations

Default cookie name obfuscation:
  <sessionState cookieName="_umt_"/>

Secure <httpCookies> configurations

<httpCookies httpOnlyCookies="true" requireSSL="true"/>

httpOnlyCookies – makes the cookie unavailable to client-side scripts

requireSSL – sends the cookie only over HTTPS connections

Cross Site Scripting (XSS) Risks

• Spread drive-by download malware
• Steal credentials
• Hijack someone’s session
• Privilege escalations
• Client-side DOS

http://www.technewsworld.com/story/68946.html

Make sure request validation is enabled

Caution!

• The following code does not trigger request validation, or delays it

Context specific output encoding

ASP.Net code behind:

lblName.Text = "Hello, " + HttpUtility.HtmlEncode(txtValue.Text);

lblName.Text = "Hello," + AntiXss.HtmlEncode(txtValue.Text);

ASPX view engine :

<%: data %>

Razor view engine:

@data
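As an added example (not the slides' code), the same untrusted string encoded for four different output contexts. The slide's AntiXss.HtmlEncode comes from the separate AntiXSS library; this example uses the AntiXssEncoder that ships in System.Web from .NET 4.5 on, plus HttpUtility for the JavaScript context. The sample input is constructed.

```csharp
// Added example: context-specific output encoding with the encoders in System.Web.
using System;
using System.Web;
using System.Web.Security.AntiXss;

static class OutputEncodingDemo
{
    // Constructed sample input of the kind a tester would submit in a form field.
    public const string Sample = "<img src=x onerror=\"alert('x')\">";

    // Text node inside an element body.
    public static string ForHtmlBody(string s)
    {
        return AntiXssEncoder.HtmlEncode(s, false);
    }

    // Value of a quoted attribute, e.g. <input value="...">.
    public static string ForHtmlAttribute(string s)
    {
        return AntiXssEncoder.HtmlAttributeEncode(s);
    }

    // String literal inside a <script> block; addDoubleQuotes wraps the result in quotes.
    public static string ForJavaScript(string s)
    {
        return HttpUtility.JavaScriptStringEncode(s, true);
    }

    // Query-string parameter value.
    public static string ForUrlParameter(string s)
    {
        return AntiXssEncoder.UrlEncode(s);
    }

    static void Main()
    {
        // Each output is safe only in the context it was encoded for: HTML-encoding a
        // value and then placing it inside a <script> literal is still injectable.
        Console.WriteLine("HTML body:      <span>" + ForHtmlBody(Sample) + "</span>");
        Console.WriteLine("HTML attribute: <input value=\"" + ForHtmlAttribute(Sample) + "\">");
        Console.WriteLine("JavaScript:     var v = " + ForJavaScript(Sample) + ";");
        Console.WriteLine("URL parameter:  /search?q=" + ForUrlParameter(Sample));
    }
}
```

To make <%: %> and Razor's @ use the same encoder application-wide, register it in web.config with <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>.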

Auth(en) & Auth(or) with <location>

<location path="Administration.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Authorization in ASP.NET MVC

[Authorize(Roles = "Administrators")]
public ActionResult Index()
{
    return View();
}

Sample Login Page in ASP.NET MVC

[HttpPost]
[RequireHttps]
[AllowAnonymous]
[ValidateInput(true)]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
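As an added example (not the slides' controller), a controller that combines the role-based [Authorize] from the previous slide with the Login action signature above, and adds the returnUrl check a practitioner would want: the login page should only follow a returnUrl that stays on the same site. LoginModel, the controller name and the use of Membership for the credential check are assumptions.

```csharp
// Added example: authorization attributes plus a Login action that validates returnUrl.
using System.Web.Mvc;
using System.Web.Security;

public class LoginModel                      // assumed model
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

[Authorize]                                  // every action here needs a signed-in user...
public class AccountController : Controller  // assumed name
{
    [Authorize(Roles = "Administrators")]    // ...and this one an Administrators member
    public ActionResult Index()
    {
        return View();
    }

    [HttpPost]
    [RequireHttps]
    [AllowAnonymous]
    [ValidateInput(true)]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Credential check via the ASP.NET Membership provider (assumed to be configured).
        if (!ModelState.IsValid || !Membership.ValidateUser(model.UserName, model.Password))
        {
            // One generic message for both wrong user and wrong password.
            ModelState.AddModelError("", "The user name or password is incorrect.");
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(model.UserName, false);

        // Follow returnUrl only when it points back into this site; an absolute URL to
        // another host would turn the login page into a redirector for phishing links.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

[RequireHttps] on the action pairs with requireSSL="true" on the cookies: with that setting, issuing the forms-authentication cookie on a plain HTTP request fails, so the login action must only ever run over HTTPS.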

“We discovered CSRF vulnerabilities in ING’s site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user’s account to the attacker’s account,” the research paper noted, adding that SSL did nothing to prevent the attack. “Since ING did not explicitly protect against CSRF attacks, transferring funds from a user’s accounts was as simple as mimicking the steps a user would take when transferring funds.”

http://www.thetechherald.com/articles/CSRF-bug-on-INGDirect-com-could-have-allowed-fraudulent-transfers

http://www.cs.utexas.edu/~shmat/courses/cs378_spring09/zeller.pdf

Cross-Site Request Forgeries: Exploitation and Prevention by William Zeller and Edward W. Felten

Sample: CSRF protection in TFS web interface

CSRF Mitigation in ASP.Net MVC

Login.cshtml

LoginController.cs

CSRF Mitigation in ASP.Net MVC

• Adds an HTML hidden field named __RequestVerificationToken
• Adds a cookie named __RequestVerificationToken
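As an added example (not the slides' Login.cshtml or LoginController.cs, which are not captured in this transcript), here is how the hidden-field/cookie pair described above is produced and checked, both for a normal form post and for an AJAX post where there is no form field and the token travels in a request header instead. The controller, the action names and the header name X-RequestVerificationToken are assumptions; the cookie and field names are the ones the slide states.

```csharp
// Added example: MVC anti-forgery token pair for form posts and for AJAX posts.
using System.Net;
using System.Web.Helpers;
using System.Web.Mvc;

// The view (assumed, shown here as a comment) renders the pair:
//   @using (Html.BeginForm("Transfer", "Transfers")) {
//       @Html.AntiForgeryToken()   // hidden input __RequestVerificationToken
//       ...                        // and sets the __RequestVerificationToken cookie
//   }
// For AJAX, client script reads the hidden input's value and sends it in the
// X-RequestVerificationToken header (header name is this example's choice).

public class TransfersController : Controller   // assumed controller
{
    // Form post: the attribute compares the hidden field with the cookie and
    // rejects the request (HttpAntiForgeryException) when they do not match.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(decimal amount, string toAccount)
    {
        // ... perform the state change for the signed-in user ...
        return RedirectToAction("Index");
    }

    // AJAX/JSON post: no form field, so validate the pair explicitly.
    [HttpPost]
    public ActionResult TransferJson(decimal amount, string toAccount)
    {
        var cookie = Request.Cookies[AntiForgeryConfig.CookieName];   // __RequestVerificationToken
        var headerToken = Request.Headers["X-RequestVerificationToken"];
        try
        {
            AntiForgery.Validate(cookie != null ? cookie.Value : null, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest, "Anti-forgery token missing or invalid");
        }

        // ... perform the state change for the signed-in user ...
        return Json(new { ok = true });
    }
}
```

The two halves must match each other and the current user: a forged cross-site form can make the browser send the cookie, but it cannot read the page to obtain the matching field or header value, which is what breaks the ING-style attack quoted above.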

CSRF Mitigation in ASP.Net WebForms

• Available at Site.Master.cs
• The __AntiXsrfToken gets sent in the __VIEWSTATE and the cookie for any WebForm that uses the Site.Master master page

Clickjacking

Strict-Transport-Security

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support

Adding necessary response headers

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
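As an added example (not from the slides), a console check that fetches one page of your own application and reports, in one pass, both the disclosure headers the earlier "Information Disclosure" section says to remove and the protective headers this slide says to add. The target URL is a placeholder to be replaced with your own staging host; Strict-Transport-Security is only expected on HTTPS responses.

```csharp
// Added example: audit one response for the headers discussed in this talk.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;

static class ResponseHeaderAudit
{
    // Headers the talk says to remove (they disclose the server stack).
    static readonly string[] ShouldBeAbsent =
        { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

    // Headers the talk says to add.
    static readonly string[] ShouldBePresent =
        { "X-Frame-Options", "X-XSS-Protection", "Strict-Transport-Security" };

    public static List<string> Findings(IEnumerable<KeyValuePair<string, IEnumerable<string>>> headers, bool isHttps)
    {
        var present = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var h in headers)
            present[h.Key] = string.Join(", ", h.Value);

        var findings = new List<string>();
        foreach (var name in ShouldBeAbsent)
            if (present.ContainsKey(name))
                findings.Add("disclosure: " + name + ": " + present[name]);

        foreach (var name in ShouldBePresent)
        {
            // HSTS is ignored by browsers on plain HTTP, so only expect it on HTTPS.
            if (name == "Strict-Transport-Security" && !isHttps) continue;
            if (!present.ContainsKey(name))
                findings.Add("missing: " + name);
        }
        return findings;
    }

    static void Main(string[] args)
    {
        // Placeholder target; pass your own staging URL as the first argument.
        var url = new Uri(args.Length > 0 ? args[0] : "https://staging.example.invalid/");
        using (var client = new HttpClient())
        using (var response = client.GetAsync(url).Result)
        {
            // HttpClient splits headers between the response and its content object.
            var all = response.Headers.Concat(response.Content.Headers);
            var findings = Findings(all, url.Scheme == Uri.UriSchemeHttps);
            Console.WriteLine(findings.Count == 0
                ? "no findings"
                : string.Join(Environment.NewLine, findings));
        }
    }
}
```

Run it against both an ASP.NET page and a static file: the two are served by different parts of the pipeline, and a "Server" header that disappears on one can still be present on the other.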

View State Security

<pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always" />

Further reading

1. https://renouncedthoughts.wordpress.com/2014/01/14/devouring-security-sql-injection-exploitation-and-prevention-part-1/

2. https://renouncedthoughts.wordpress.com/2014/02/07/devouring-security-sql-injection-exploitation-and-prevention-part-2/

3. https://renouncedthoughts.wordpress.com/2014/05/09/sql-injection-testing-for-qa-testers/

4. https://renouncedthoughts.wordpress.com/2014/05/09/devouring-security-xml-attack-surface-and-defenses/

5. https://renouncedthoughts.wordpress.com/2014/09/26/devouring-security-cross-site-scripting-xss/

6. https://renouncedthoughts.wordpress.com/2015/05/20/practical-security-testing-for-developers-using-owasp-zap-at-dot-net-bangalore-3rd-meet-up-on-feb-21-2015/