Building Secure Web Applications
DESCRIPTION
Building Secure Web Applications. With ASP.Net MVC. What is ASP.Net MVC? An extension to ASP.Net. Implements the MVC software pattern that divides an application's implementation into three component roles: models, views, controllers. Models.
TRANSCRIPT
Building Secure Web Applications
With ASP.Net MVC
What is ASP.Net MVC?
An extension to ASP.Net. Implements the MVC software pattern that divides an application's implementation into three component roles:
– models
– views
– controllers.
Models
"Models" in an MVC-based application are the components responsible for:
– Maintaining state.
– Often a database.
Views
"Views" in an MVC-based application are the components responsible for:
– Displaying the application's user interface.
– Typically this UI is created from the model data.
Controllers
Responsible for:
– Handling user interaction
– Manipulating the model
– Choosing a view to render to display UI.
In an MVC application the view is only about displaying information - it is the controller that handles and responds to user input and interaction.
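A minimal illustration of the three roles, added here as an example and not taken from the presentation: the Product class, ProductRepository, ProductsController and the view paths are all hypothetical, the in-memory list stands in for the database the slide mentions, and HttpNotFound() assumes ASP.Net MVC 3 or later.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Model: owns the application state. An in-memory list stands in for the
// database here; a real application would use Linq to SQL or Entity Framework.
public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
    public decimal Price { get; set; }
}

public class ProductRepository
{
    // Constructed sample data.
    private static readonly List<Product> Store = new List<Product>
    {
        new Product { Id = 1, Name = "Widget", Price = 9.99m },
        new Product { Id = 2, Name = "Gadget", Price = 24.50m },
    };

    public IEnumerable<Product> All() { return Store; }
    public Product Find(int id) { return Store.FirstOrDefault(p => p.Id == id); }
}

// Controller: handles the request, manipulates the model and chooses a view.
// It never builds HTML itself; the view receives only model data to display.
public class ProductsController : Controller
{
    private readonly ProductRepository _products = new ProductRepository();

    // GET /Products -> Views/Products/Index.aspx receives the product list as its model.
    public ActionResult Index()
    {
        return View(_products.All().ToList());
    }

    // GET /Products/Details/2 -> routing supplies id; the controller decides between
    // rendering the Details view and answering 404, based on the model's state.
    public ActionResult Details(int id)
    {
        var product = _products.Find(id);
        if (product == null)
            return HttpNotFound();
        return View(product);
    }
}
```

The view for Details is typed on Product and only reads Model.Name and Model.Price; it neither queries the repository nor decides what happens on a missing id, which is exactly the split the slides describe.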
Part 1: Form Security
Cross Site Scripting (XSS)
Injection Flaws
Cross Site Scripting (XSS)
Common flaw in web applications.
Allows attackers to execute script in the victim's browser.
Caused by improper input validation and encoding.
Cross Site Scripting Prevention
Request Validation enabled by default.
Server.HtmlEncode();
Microsoft AntiXSS Library
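The three measures on this slide in one place, as an added example that is not code from the presentation: GuestbookEntry, GuestbookController and the Safe helper are hypothetical names, the view markup is shown as a comment, and the AntiXSS calls use the Encoder class of the Microsoft AntiXSS 4.x library (assumed to be referenced).

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Security.Application; // Microsoft AntiXSS library, 4.x naming (Encoder class)

public class GuestbookEntry
{
    public string Author { get; set; }
    public string Body { get; set; }
}

public class GuestbookController : Controller
{
    // Request validation is on by default: a POST whose fields contain markup such as
    // "<script>" is rejected with HttpRequestValidationException before this action runs.
    // Treat it as a safety net against the obvious payloads, not as the encoding step.
    [HttpPost]
    public ActionResult Post(GuestbookEntry entry)
    {
        // Keep the text exactly as typed. Encoding happens once, in the view, at the
        // moment the value is written into HTML, because only the view knows the context.
        return View(entry);
    }

    // Opting out is deliberate and narrow: [ValidateInput(false)] on one action, or
    // [AllowHtml] on one model property (MVC 3+). Such input must still be encoded on output.
    [HttpPost, ValidateInput(false)]
    public ActionResult PostRichText(GuestbookEntry entry)
    {
        return View("Post", entry);
    }
}

// Encoders the view calls; the right one depends on where the value lands in the page.
public static class Safe
{
    public static string Text(string s)      { return HttpUtility.HtmlEncode(s); }             // element content; same as Server.HtmlEncode()
    public static string Attribute(string s) { return Encoder.HtmlAttributeEncode(s); }        // inside a quoted attribute value
    public static string Script(string s)    { return Encoder.JavaScriptEncode(s, false); }    // inside a JavaScript string literal (no added quotes)
    public static string Url(string s)       { return Encoder.UrlEncode(s); }                  // inside a query-string value
}

// Views/Guestbook/Post.aspx (markup, so shown as a comment):
//   <p><%= Safe.Text(Model.Body) %></p>                        explicit encode with <%= %>
//   <p><%: Model.Body %></p>                                   ASP.Net 4 <%: %> encodes automatically
//   <a title="<%= Safe.Attribute(Model.Author) %>">...</a>     attribute context
//   <script>var who = "<%= Safe.Script(Model.Author) %>";</script>
// Do not combine the two: <%: Safe.Text(Model.Body) %> encodes twice and shows &amp;lt; to the user.
```

The point the slide's three bullets share is that validation on the way in and encoding on the way out are separate controls; the encoder must match the output context, and any value that reaches a page unencoded (through <%= %>, Html.Raw or a [ValidateInput(false)] action) is where XSS reappears.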
Injection Flaws
Common in web applications.
Caused when user input is evaluated as part of a command or query.
SQL Injection most common.
If _userName = “admin” and _password = “' OR 1 = 1 --” the result would be:
SELECT * FROM tblUsers WHERE UserName = 'admin' and Password = '' OR 1 = 1 --'
Injection Prevention
MVC is built around a data Model
Object Relational Mappers (ORM)
– Linq to SQL
– ADO.Net Entity Framework
Handle CRUD commands in an Injection safe way.
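The query from the previous slide, first as the concatenation that produces it and then in the two injection-safe forms this slide points to. This is an added example, not code from the presentation: the tblUsers mapping, UsersDataContext and LoginQueries are hypothetical, and the table keeps the slide's plaintext Password column only so the comparison matches the slide.

```csharp
using System.Data;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Data.SqlClient;
using System.Linq;

// Linq to SQL mapping for the slide's table (normally designer-generated).
[Table(Name = "tblUsers")]
public class User
{
    [Column(IsPrimaryKey = true)] public int Id;
    [Column] public string UserName;
    [Column] public string Password;
}

public class UsersDataContext : DataContext
{
    public UsersDataContext(string connectionString) : base(connectionString) { }
    public Table<User> tblUsers { get { return GetTable<User>(); } }
}

public static class LoginQueries
{
    // Vulnerable: the values are spliced into the command text. With the slide's inputs
    // the password closes the string, appends an always-true condition and comments out
    // the trailing quote, giving exactly the statement the slide shows.
    public static string BuildVulnerableSql(string userName, string password)
    {
        return "SELECT * FROM tblUsers WHERE UserName = '" + userName +
               "' and Password = '" + password + "'";
    }

    // Fixed with plain ADO.Net: the command text is constant and the values travel as
    // typed parameters, so the same input is compared as a literal string, never parsed as SQL.
    public static bool UserExists(SqlConnection open, string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM tblUsers WHERE UserName = @UserName AND Password = @Password";
        using (var cmd = new SqlCommand(sql, open))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 100).Value = password;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Fixed with Linq to SQL: the expression tree is translated into a parameterized query,
    // which is what "handle CRUD commands in an injection safe way" amounts to.
    public static bool UserExists(UsersDataContext db, string userName, string password)
    {
        return db.tblUsers.Any(u => u.UserName == userName && u.Password == password);
    }

    // Caveat: an ORM only protects the queries it builds itself. Handing it concatenated
    // text, e.g. db.ExecuteQuery<User>("SELECT * FROM tblUsers WHERE UserName = '" + userName + "'"),
    // is as injectable as BuildVulnerableSql.
}
```

BuildVulnerableSql("admin", "' OR 1 = 1 --") returns the slide's statement character for character; the two UserExists overloads send "' OR 1 = 1 --" to the server as data, and the row count is zero unless a user literally has that password.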
Part 2: Application Security
Malicious File Execution
Occurs when an attacker is able to upload and execute code on a server.
The ASP.Net MVC Advantage
– Classic ASP.Net served pages from their corresponding location on the disk.
– ASP.Net MVC routes requests to the appropriate controller and view.
– Attacker doesn't know the application's directory structure.
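An upload handler that relies on the routing advantage described above, added as an example rather than taken from the presentation: UploadsController, the allow-list and the ~/App_Data/uploads folder are assumptions, and HttpStatusCodeResult and HttpNotFound() assume ASP.Net MVC 3 or later. Files are stored under App_Data, which ASP.Net never serves as a URL, and are reachable only through a controller action.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class UploadsController : Controller
{
    // Uploads live under App_Data, which ASP.Net refuses to serve directly, so a file
    // that is really an .aspx page can never be executed by requesting its path.
    private static readonly string[] AllowedExtensions = { ".png", ".jpg", ".pdf" };

    private string UploadRoot()
    {
        return Server.MapPath("~/App_Data/uploads");
    }

    [HttpPost]
    public ActionResult Save(HttpPostedFileBase file)
    {
        if (file == null || file.ContentLength == 0)
            return new HttpStatusCodeResult(400, "No file");

        // Only the extension of the client-supplied name is used, and only if it is on
        // the allow-list; the rest of the name, including any path, is discarded.
        var ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext))
            return new HttpStatusCodeResult(400, "File type not accepted");

        // Server-generated name: nothing the uploader chose reaches the filesystem.
        var storedName = Guid.NewGuid().ToString("N") + ext;
        Directory.CreateDirectory(UploadRoot());
        file.SaveAs(Path.Combine(UploadRoot(), storedName));

        // The caller learns an opaque id, not where or how the file is stored.
        return RedirectToAction("Get", new { id = storedName });
    }

    // The only way to read an upload: the request is routed to this action, which
    // decides what to return, instead of being mapped to a location on disk.
    public ActionResult Get(string id)
    {
        // Re-validate the id as a GUID plus an allowed extension; anything else is a 404.
        var ext = Path.GetExtension(id ?? "").ToLowerInvariant();
        Guid ignored;
        if (!AllowedExtensions.Contains(ext) ||
            !Guid.TryParseExact(Path.GetFileNameWithoutExtension(id), "N", out ignored))
            return HttpNotFound();

        var fullPath = Path.Combine(UploadRoot(), id);
        if (!System.IO.File.Exists(fullPath))
            return HttpNotFound();

        // Returned as a download with a fixed content type, so the browser neither
        // renders nor runs the content in the site's origin.
        return File(fullPath, "application/octet-stream", id);
    }
}
```

Two properties together remove the execution path: the stored name never derives from user input beyond a checked extension, and the stored location has no URL, so "upload code, then browse to it" has no second step.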
Insecure Direct Object Reference
Occurs when an application exposes a direct reference to a resource.
– Files
– Primary keys for database records
Attackers can edit these references to gain access to protected data.
Prevention:
– Encrypt any reference data when passing it between pages.
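A primary-key reference handled three ways, as an added example that is not code from the presentation: the unchecked action that the slide warns about, the same action with an ownership check, and the slide's suggested protected reference built with MachineKey.Protect (.NET 4.5 or later). Invoice, InvoicesController, the sample rows and the "InvoiceReference" purpose string are constructed for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class Invoice
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public decimal Total { get; set; }
}

[Authorize]
public class InvoicesController : Controller
{
    // Constructed stand-in for the database table.
    private static readonly Invoice[] Invoices =
    {
        new Invoice { Id = 1001, OwnerUserName = "alice", Total = 120m },
        new Invoice { Id = 1002, OwnerUserName = "bob",   Total = 80m },
    };

    // Vulnerable shape: the key from the URL is trusted as-is, so any logged-in user
    // who edits 1001 into 1002 reads another customer's invoice.
    public ActionResult DetailsUnchecked(int id)
    {
        var invoice = Invoices.FirstOrDefault(i => i.Id == id);
        return invoice == null ? (ActionResult)HttpNotFound() : View("Details", invoice);
    }

    // Fixed: the reference is resolved and then checked against the caller's identity.
    // A foreign id gets the same 404 as a missing one, so nothing about other rows leaks.
    public ActionResult Details(int id)
    {
        var invoice = Invoices.FirstOrDefault(i => i.Id == id);
        if (invoice == null ||
            !string.Equals(invoice.OwnerUserName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return HttpNotFound();
        return View(invoice);
    }

    // The slide's approach, protecting the reference itself: the id is encrypted and signed
    // with the site's machine key, so an edited token fails to unprotect. This hides keys
    // and their sequence; it complements the ownership check above, it does not replace it.
    private const string Purpose = "InvoiceReference";

    public static string ProtectReference(int id)
    {
        var bytes = MachineKey.Protect(BitConverter.GetBytes(id), Purpose);
        return HttpServerUtility.UrlTokenEncode(bytes);   // URL-safe base64
    }

    public static int? UnprotectReference(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        var protectedBytes = HttpServerUtility.UrlTokenDecode(token);
        if (protectedBytes == null) return null;            // not valid token encoding
        try
        {
            var raw = MachineKey.Unprotect(protectedBytes, Purpose);
            return raw == null || raw.Length != 4 ? (int?)null : BitConverter.ToInt32(raw, 0);
        }
        catch (CryptographicException) { return null; }    // tampered or forged token
    }

    public ActionResult DetailsByToken(string token)
    {
        var id = UnprotectReference(token);
        return id.HasValue ? Details(id.Value) : HttpNotFound();
    }
}
```

Links are generated with ProtectReference(invoice.Id), and DetailsByToken still ends in the ownership check, because a valid token issued to one user can still be pasted into another user's session.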
Cross Site Request Forgery (CSRF)
Tricks a logged-on victim's browser into sending a pre-authenticated request to a vulnerable web application.
Can cause a user to perform an action they did not intend to do.
Example:
CSRF Prevention
Avoid updating user data from HTTP Get requests.
ASP.Net MVC AntiForgeryToken
Attack Result
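Both prevention bullets applied to one state-changing action, shown beside the GET-reachable version they replace. This is an added example and not code from the presentation: AccountController, ChangeEmail and the in-memory Emails dictionary are hypothetical, and the form markup appears as a comment.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

[Authorize]
public class AccountController : Controller
{
    // Constructed stand-in for the user store.
    private static readonly Dictionary<string, string> Emails = new Dictionary<string, string>();

    public ActionResult Index()
    {
        return View();
    }

    // Vulnerable: a state change reachable by GET. Any page the victim visits can trigger
    // it with an image tag or link, and the browser attaches the victim's authentication
    // cookie on its own, which is the "pre-authenticated request" of the previous slide.
    public ActionResult ChangeEmailUnsafe(string email)
    {
        Emails[User.Identity.Name] = email;
        return RedirectToAction("Index");
    }

    // First bullet: the form is shown on GET; the update itself is accepted only on POST.
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // Second bullet: [ValidateAntiForgeryToken] requires the hidden field written by
    // Html.AntiForgeryToken() to match the anti-forgery cookie. A cross-site page cannot
    // read that cookie, so it cannot forge a matching field, and the request is rejected
    // before this method runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string email)
    {
        Emails[User.Identity.Name] = email;
        return RedirectToAction("Index");
    }
}

// Views/Account/ChangeEmail.aspx (markup, so shown as a comment):
//   <% using (Html.BeginForm()) { %>
//       <%= Html.AntiForgeryToken() %>
//       <input type="text" name="email" />
//       <input type="submit" value="Save" />
//   <% } %>
```

Restricting the action to POST alone is not sufficient, since a cross-site page can auto-submit a form; the token is what ties the request to a page the application itself rendered for that browser.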
Information Leakage and Improper Error Handling
Improper error handling exposes implementation detail.
Prevention:
– Disable debugging.
– Custom error pages.
– ASP.Net MVC HandleError Attribute
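The three prevention bullets together, as an added example and not the presentation's own code: ReportsController, the Monthly action and the ErrorLog helper are hypothetical, and the Web.config fragment is shown as a comment because it is XML rather than C#.

```csharp
using System;
using System.Web.Mvc;

// Web.config settings the attribute depends on (XML, shown as a comment).
// "Disable debugging" is the compilation element; "custom error pages" is customErrors.
// HandleError only acts when custom errors are enabled for the request: with mode="Off",
// or mode="RemoteOnly" on a local request, the default ASP.Net error page, stack trace
// and source lines included, still reaches the browser.
//   <system.web>
//     <compilation debug="false" />
//     <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
//   </system.web>

// Unhandled exceptions from any action here are rendered with Views/Shared/Error.aspx
// and answered with status 500. ExceptionType and View narrow a filter to one exception
// class, e.g. [HandleError(ExceptionType = typeof(System.Data.SqlClient.SqlException), View = "DatabaseError")].
[HandleError]
public class ReportsController : Controller
{
    public ActionResult Monthly(int year, int month)
    {
        if (month < 1 || month > 12)
            throw new ArgumentOutOfRangeException("month");   // user sees only the generic Error view
        return View();
    }
}

// The Error view receives a HandleErrorInfo. Keep the detail on the server: this line
// goes to the log, while the view shows a fixed message and nothing from the exception.
public static class ErrorLog
{
    public static string Line(HandleErrorInfo info)
    {
        return string.Format("{0:u} {1}.{2}: {3}",
            DateTime.UtcNow, info.ControllerName, info.ActionName, info.Exception);
    }
}
```

The Error view is where leakage usually creeps back in: a template that prints Model.Exception.Message or the stack trace to be "helpful" undoes everything the attribute and the config achieved.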
Failure to Restrict URL Access
Web application only protects URLs by not showing them to unauthorized users.
URLs can still be accessed manually.
Prevention:
– ASP.Net MVC [Authorize] Attribute
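The hidden-link pattern this slide warns about beside the [Authorize] attribute that fixes it, as an added example that is not code from the presentation: AdminController, ProfileController and the Admin and Auditor role names are hypothetical; the global filter assumes ASP.Net MVC 3 and [AllowAnonymous] assumes MVC 4.

```csharp
using System.Web.Mvc;

// Before: the link is hidden from non-admins in the view, but /Admin/Users still answers
// anyone who types the URL. This is "protecting the URL by not showing it".
//   <% if (User.IsInRole("Admin")) { %><%= Html.ActionLink("Users", "Users", "Admin") %><% } %>

// After: authorization is enforced where the request is handled, not where the link is drawn.
// Controller-level and action-level attributes both apply, so a request must satisfy each.
[Authorize]                                   // every action here requires an authenticated user
public class AdminController : Controller
{
    [Authorize(Roles = "Admin")]              // and this one requires the Admin role
    public ActionResult Users()
    {
        return View();
    }

    [Authorize(Roles = "Admin,Auditor")]      // comma-separated roles: any one of them suffices
    public ActionResult AuditLog()
    {
        return View();
    }
}

// A failed check returns 401; with <authentication mode="Forms"> ASP.Net turns that into
// a redirect to the configured loginUrl, so the user sees the login page, not the data.
[Authorize]
public class ProfileController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

// MVC 3+: make authorization the default for the whole site in Global.asax.cs,
//   GlobalFilters.Filters.Add(new AuthorizeAttribute());
// and opt public pages out explicitly with [AllowAnonymous] (MVC 4+). Forgetting an
// attribute then fails closed instead of open.
```

The view can still hide links for usability, but it is the attribute on the controller or action that decides whether a manually typed URL gets a response.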
Thank You
Kevin Watt
www.list2lend.com
Chris Brousseau
www.windows7ips.com