Security.NET Chapter 1

How Do Attacks Occur?

Stages of attack, with an example of an attacker action at each stage:
1. Footprint: runs a port scan on the firewall
2. Penetration: exploits an unpatched Web server
3. Elevation of privilege: creates an account with administrator rights
4. Exploit: uploads unlicensed software to the Web server
5. Cover-up: erases the audit trail of the exploit

Vulnerabilities and Examples

Weak passwords
- Employees use blank or default passwords
Unpatched software
- Patches are not applied
- Security hotfixes are not applied
Misconfigured software
- Services have more privileges than required
- Services run as the Local System account
Social engineering
- A help desk administrator resets a password without verifying the identity of the caller
Weak security on Internet connections
- Unused services and ports are not secured
- Firewalls are used improperly
Unencrypted data transfer
- Authentication packets are sent in clear text
- Important data is sent over the Internet in clear text
Buffer overrun
- A trusted process ends up running untrusted code

STRIDE Model

- Spoofing identity
- Tampering
- Repudiation (called "repudiability" in these slides)
- Information disclosure
- Denial of service
- Elevation of privilege

Spoofing Identity

An attacker impersonates a valid system user or resource to gain access to the system.
Example:
- Spoofing a server's identity to gain access to passwords and other system data

Tampering with Data (Integrity)

Malicious modification of system or user data, with or without detection. Data tampering can occur on:
- Database objects, through SQL injection attacks
- Application objects, such as application configuration information and HTML files
- Communications and interactions
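The database case above, as an added example that is not part of the slides: the first method pastes user input into the SQL text, so a quote character in the input ends the string literal and the rest is parsed as SQL; the second keeps the SQL fixed and sends the input as a typed parameter. The Users table and Name column are assumptions, and the command is only built, not executed, so the code runs without a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class SqlInjectionDemo
{
    // Vulnerable: the input becomes part of the SQL text. With the input
    // ' OR '1'='1 the WHERE clause turns into  Name = '' OR '1'='1'  and
    // every row is returned.
    public static string BuildVulnerableQuery(string userName)
    {
        return "SELECT * FROM Users WHERE Name = '" + userName + "'";
    }

    // Safe: the SQL text never changes; the value travels as a parameter and
    // the database treats it as data, quotes and all. Length and type are
    // fixed here as well, which is the "define valid input" half of the fix.
    public static SqlCommand BuildSafeCommand(string userName)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    static void Main()
    {
        string attack = "' OR '1'='1";   // constructed malicious input

        Console.WriteLine(BuildVulnerableQuery(attack));

        SqlCommand safe = BuildSafeCommand(attack);
        Console.WriteLine(safe.CommandText);                // SQL text is unchanged
        Console.WriteLine(safe.Parameters["@name"].Value);  // the input is still a plain value
    }
}
```

Parameterizing is the only fix that holds up; stripping quotes from the input does not, because numeric columns, LIKE patterns and stored procedures each have their own ways of being broken out of.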

Repudiability

Users can deny performing an action without administrators having any way to prove otherwise:
- A service that is attacked through an anonymous request
- A system where audit logging is not enabled
- An attacker who tampers with or deletes logged data
- An attacker who spoofs another user to exploit the system
Enable audit logging, and protect the logs from modification, to counter repudiation threats.

Information Disclosure

Private or business-critical information is compromised by exposing it to individuals who are not supposed to see it:
- Encryption keys
- Business plans
- Credit card information

Denial of Service

Denying service to valid users:
- Overloading a server with spurious requests
- Causing a process to consume CPU, memory, and bandwidth
- Using viruses and worms that consume hard disk space on a Web server

Elevation of Privilege

An unprivileged user gains privileged access, and with it enough access to compromise or destroy the entire system:
- Can go undetected
- Can become part of the trusted system
Example:
- A buffer overrun attack that causes injected code to run at an elevated privilege, giving the malicious code access to unauthorized parts of the system

Enabling Logging

Maintain a log of the activities performed on the system by users and Web applications:
- Windows logs
- IIS logs
- SQL Server logs
- Custom logs

User Input

- URLs: request individual resources of a Web application
- GET data: parameters and values that a client passes to a Web application in the query string of a GET request
- POST data: parameters and values that a client passes to a Web application in the body of a POST request
- Cookies: store data on the client computer
- HTTP headers: numerous request header values that describe the client environment to the server

Why Validate User Input?

User input can be used to attack a Web application to:
- Reveal implementation details
- Create malicious data
- Execute malicious script
- Access restricted resources
To avoid a user input attack:
- Do not accept user input without validating it
- Define what valid input is, and write code that accepts only data within that definition

Types of User Input Validation

Client-side validation
- Executes validation code, in a script, within the user's browser
- Minimizes server round-trips for data validation
- Is a convenience only: the client controls the browser and can skip or alter the script, so it never replaces the server-side check
Server-side validation
- Executes data validation code on the server
- Validation errors need to be sent back to the client, resulting in more server round-trips
ASP.NET validation controls
- Support both client-side and server-side validation
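Server-side validation of the input sources listed above, as an added example rather than code from the slides. Each value is checked against an explicit definition (pattern, type, range) and the request is rejected as a whole if anything fails; nothing is "cleaned up" and passed on. The field names (user, sku, qty) and their rules are assumptions, and the dictionaries stand in for Request.Form or Request.QueryString.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class InputValidation
{
    // Patterns are anchored with ^ and \z so the whole value must match, not just a
    // substring. In .NET, $ also matches before a trailing newline, so \z is the
    // strict end-of-input anchor to use for validation.
    static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9_]{3,20}\z");
    static readonly Regex SkuPattern      = new Regex(@"^[A-Z]{2}-\d{4}\z");

    public sealed class OrderRequest
    {
        public string UserName;
        public string Sku;
        public int Quantity;
    }

    // Returns the typed, validated request, or null with the reasons in 'errors'.
    public static OrderRequest Validate(IDictionary<string, string> fields, List<string> errors)
    {
        string user = Get(fields, "user");
        string sku  = Get(fields, "sku");
        string qty  = Get(fields, "qty");

        if (!UserNamePattern.IsMatch(user))
            errors.Add("user: 3 to 20 letters, digits or underscores");
        if (!SkuPattern.IsMatch(sku))
            errors.Add("sku: expected the form AB-1234");

        // Type and range: parse to the real type first, then check the bounds.
        int quantity;
        if (!int.TryParse(qty, out quantity) || quantity < 1 || quantity > 100)
            errors.Add("qty: integer between 1 and 100");

        if (errors.Count > 0) return null;
        return new OrderRequest { UserName = user, Sku = sku, Quantity = quantity };
    }

    // A missing field is treated like an empty one, which every rule above rejects.
    static string Get(IDictionary<string, string> fields, string name)
    {
        string value;
        return fields.TryGetValue(name, out value) ? value : "";
    }

    static void Main()
    {
        // Constructed inputs: one well-formed request and one carrying typical attack strings.
        var good = new Dictionary<string, string> { { "user", "alice_1" },  { "sku", "AB-1234" },             { "qty", "3" } };
        var bad  = new Dictionary<string, string> { { "user", "<script>" }, { "sku", "AB-1234; DROP TABLE" }, { "qty", "-5" } };

        foreach (var fields in new[] { good, bad })
        {
            var errors = new List<string>();
            OrderRequest request = Validate(fields, errors);
            Console.WriteLine(request != null ? "accepted" : "rejected: " + string.Join("; ", errors));
        }
    }
}
```

Because the checks are allow-lists (what a value must look like) rather than deny-lists (which characters to strip), they do not need updating each time a new bypass for a filter is found.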

URL Format Attacks

- ::$DATA format: appending the NTFS alternate data stream name to a URL returned the script source instead of the HTML response
- Dotless IP addresses: a dotless (single number) address was previously treated as part of the intranet zone
- Parent paths: ".." segments can access files outside a virtual directory
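A check for the parent-path and ::$DATA cases above, as an added example and not code from the slides: the user-supplied relative path is resolved under a fixed root directory, and anything that lands outside that root, names a stream, or is already absolute is refused. The root directory under the temp folder and the sample inputs are constructed for the demonstration.

```csharp
using System;
using System.IO;

static class SafePath
{
    // Resolves 'userPath' under 'root'. Returns false instead of a path whenever the
    // result would not be a plain file inside the root.
    public static bool TryResolve(string root, string userPath, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(userPath)) return false;

        // A colon has no place in a relative path: it introduces a drive letter or an
        // NTFS alternate data stream such as default.asp::$DATA.
        if (userPath.IndexOf(':') >= 0) return false;

        // IIS accepts both separators; normalise so that "..\" is seen on every platform.
        string relative = userPath.Replace('\\', '/');
        if (Path.IsPathRooted(relative)) return false;   // "/etc/passwd", "//server/share"

        try
        {
            // Root with exactly one trailing separator, so "wwwroot2" cannot pass as "wwwroot".
            string rootFull = Path.GetFullPath(root).TrimEnd('\\', '/') + Path.DirectorySeparatorChar;

            // GetFullPath collapses "." and "..", so the result shows where the path really lands.
            string candidate = Path.GetFullPath(Path.Combine(rootFull, relative));

            if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
                return false;   // escaped the root, e.g. "../web.config"

            fullPath = candidate;
            return true;
        }
        catch (ArgumentException)    { return false; }   // characters invalid in a path
        catch (PathTooLongException) { return false; }
    }

    static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "wwwroot");   // assumed virtual directory
        string[] inputs =
        {
            "images/logo.gif",             // allowed
            "../web.config",               // parent path, escapes the root
            "..\\..\\windows\\win.ini",    // same, with backslashes
            "images/../../secret.txt",     // ".." hidden after a valid segment
            "default.asp::$DATA",          // alternate data stream
            "/etc/passwd"                  // absolute path
        };

        foreach (string input in inputs)
        {
            string resolved;
            bool ok = TryResolve(root, input, out resolved);
            Console.WriteLine((ok ? "allow  " : "reject ") + input + (ok ? "  ->  " + resolved : ""));
        }
    }
}
```

Comparing the fully resolved path against the root is what makes this robust: rejecting the literal string ".." misses encoded forms and "..." variants, whereas Path.GetFullPath sees the path the way the file system will.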

HTTP Cookie Attacks

- Two types of cookies: persistent and session
- Persistent cookies can be edited with Notepad.exe (C:\Documents and Settings\username\Cookies)
- All cookies can be edited in client-side script (document.cookie in JavaScript)
- Do not store sensitive data in a cookie; store a lookup key instead
- Encrypt cookie data if necessary

HTTP Header Attacks

- Do not trust the header values sent by the client; header values can be set maliciously
- Do not base important decisions on header values (example: invoicing based on the Referer header value)

Form Data Attacks

Form values
- GET method includes the field values in the URL
- POST method includes the field values in the body of the request
Form fields
- All form fields and field names are visible in the page source
- Hidden fields are not secure: the client can change them like any other field
Validate field values and field names
Validate field value type and length
Use forms for the minimum required data
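Cookies and hidden fields both travel through the client, so the two slides above amount to the same rule: keep only a lookup key there, and if a value must round-trip, make an edit detectable. The following is an added example, not code from the slides, that signs a value with HMAC-SHA256 before it is sent and checks the signature when it comes back. The key is a constructed constant; in a deployment it comes from configuration, never from source. Signing detects tampering but does not hide the value; where the slides say "encrypt if necessary", encrypt as well (ASP.NET 4.5 offers MachineKey.Protect, which does both).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignedValue
{
    // Constructed demo key. Real key: random, at least 32 bytes, stored outside the code.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-a-random-256-bit-key");

    // Produces "value.signature", signature = Base64(HMAC-SHA256(key, value)).
    // Base64 never contains '.', so the last '.' always separates the two parts.
    public static string Sign(string value)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            string mac = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(value)));
            return value + "." + mac;
        }
    }

    // Returns true, and the original value, only if the signature still matches.
    public static bool TryVerify(string signed, out string value)
    {
        value = null;
        if (string.IsNullOrEmpty(signed)) return false;

        int dot = signed.LastIndexOf('.');
        if (dot < 0) return false;

        string payload = signed.Substring(0, dot);
        string expected = Sign(payload);   // recompute what a genuine token would look like

        // Constant-time comparison, so the check does not leak how much of the MAC was right.
        if (!FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(signed)))
            return false;

        value = payload;
        return true;
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed value: the kind of thing that ends up in a cookie or a hidden field.
        string cookie = Sign("role=user;cart=42");

        // The edit the slides describe: done in Notepad or through document.cookie.
        string tampered = cookie.Replace("role=user", "role=admin");

        string v;
        Console.WriteLine(TryVerify(cookie, out v)   ? "valid: " + v : "rejected");
        Console.WriteLine(TryVerify(tampered, out v) ? "valid: " + v : "rejected");
    }
}
```

The same token format works for a hidden price or quantity field; the server recomputes the MAC on postback and ignores any field whose signature no longer matches.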

Script Command Injection Attacks

Cross-site scripting (XSS):
- Used against a trusted Web application
- The attacker embeds script in text controls; when the application echoes that text to other users, the script runs in their browsers with the application's trust

Example (ASP)

ASP file: a page that writes the submitted text back into its response. Enter

    <script>alert('hello');</script>

and the script runs in the browser when the response is rendered.

ASP.NET

- The same input produces an error message: ASP.NET request validation rejects input that looks like HTML markup
- But if you write plain text such as alert('hello'); (no tags), request validation lets it through
- To bypass the check: disable request validation for the page
- Or in web.config: disable it for the whole application

Trusted code

    var fso = new ActiveXObject('Scripting.FileSystemObject');
    var e = fso.GetFile('d:\\a.txt');
    e.Delete();

If the site is added to the browser's Trusted sites zone, this script is allowed to run and deletes the file.

Prevent XSS

- Validate user input
- Encode output: Server.HtmlEncode(str)
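The ASP/ASP.NET example above with its fix, as an added example that is not code from the slides. WebUtility.HtmlEncode (System.Net) does the same job as Server.HtmlEncode inside an ASP.NET page, so this runs as a console program. The "bypass" the slides mention is, in ASP.NET Web Forms, turning request validation off (the ValidateRequest page attribute, or validateRequest on the pages element in web.config); request validation is a coarse filter, and encoding at the point of output is what actually closes the hole. The comment text and the attribute payload are constructed.

```csharp
using System;
using System.Net;

static class XssDemo
{
    // Vulnerable: the submitted text is written straight into the HTML body, so a
    // <script> element in it is parsed as markup by the browser.
    public static string RenderVulnerable(string comment)
    {
        return "<p>You entered: " + comment + "</p>";
    }

    // Hardened: every character HTML treats as markup (<, >, &, ", ') is encoded,
    // so the browser shows the text instead of executing it.
    public static string RenderEncoded(string comment)
    {
        return "<p>You entered: " + WebUtility.HtmlEncode(comment) + "</p>";
    }

    // Encoding is context-specific. Inside an attribute the value must be quoted as
    // well as encoded, otherwise a space is enough to start a new attribute. Inside a
    // <script> block HTML encoding does not help at all, because the JavaScript parser,
    // not the HTML parser, reads that text; use a JavaScript string encoder there.
    public static string RenderAttribute(string value)
    {
        return "<input type=\"text\" value=\"" + WebUtility.HtmlEncode(value) + "\">";
    }

    static void Main()
    {
        string payload = "<script>alert('hello');</script>";   // the slide's input
        string attr    = "\" onfocus=\"alert(1)";             // tries to break out of the attribute

        Console.WriteLine(RenderVulnerable(payload));   // the script element reaches the browser intact
        Console.WriteLine(RenderEncoded(payload));      // rendered as literal text
        Console.WriteLine(RenderAttribute(attr));       // the quote is encoded, so the value stays inside the attribute
    }
}
```

Validation (previous slide) and output encoding are complementary: validation rejects input that is not what the field expects, encoding makes whatever is accepted harmless wherever it is later displayed.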

ASP.NET Validation Controls

Five Web server controls used for validating user input:
- RequiredFieldValidator
- RegularExpressionValidator
- CompareValidator
- CustomValidator
- RangeValidator
Check Page.IsValid in the server-side code before acting on the input; the client-side half of these controls can be bypassed, and only the server-side pass is authoritative.

Regular Expressions

    using System;
    using System.Text.RegularExpressions;

    // Strip every non-word character (\W matches anything outside [A-Za-z0-9_])
    string test = "Words only &%";
    Regex nonWord = new Regex("\\W+");
    string replaced = nonWord.Replace(test, "");

    // Find every run of four digits and report the index at which each match starts
    string test1 = "Looking for 1256 in here";
    Regex fourDigits = new Regex("\\d{4}");
    MatchCollection matches = fourDigits.Matches(test1);
    foreach (Match match in matches)
        Console.WriteLine(match.Index);

"\\d{4}" is unanchored, so it also matches inside "123456". When you validate a whole field with your own Regex, anchor the pattern with ^ and $ (or \z) so that only a complete match is accepted.

Providing Feedback to Users

During normal conditions:
- Verification messages
- Success messages
- Explanatory messages
During error conditions:
- Keep detailed error information hidden: error codes, error messages, system information, call stacks
- Return a general error message and log the error details
- Never return the data that generated the error

Obscuring Error Details from Users

In the Web.config file:
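The error-handling rules from the two slides above in code, as an added example that is not from the slides: the user receives a generic message and a short reference id, while the exception type, message, stack trace and the input that triggered it go only to the log, which also serves the "custom logs" item under Enabling Logging. The in-memory list stands in for the Windows event log or a log file, and the failing input is constructed. In ASP.NET this handler would be called from Application_Error in Global.asax; the web.config element the slide refers to is customErrors (mode="On" or "RemoteOnly" with a defaultRedirect page), which stops the default detailed error page from being sent to remote clients.

```csharp
using System;
using System.Collections.Generic;

static class SafeErrors
{
    // Stand-in for the server-side log. Never sent to the client.
    public static readonly List<string> Log = new List<string>();

    public sealed class UserError
    {
        public string Message;
        public string CorrelationId;
    }

    public static UserError Handle(Exception ex, string offendingInput)
    {
        // Short id that links the user's report to the log entry without revealing anything.
        string id = Guid.NewGuid().ToString("N").Substring(0, 8);

        // Full detail is logged server-side only. Mask fields such as passwords or card
        // numbers before logging them; the log is sensitive too.
        Log.Add(string.Format("[{0}] {1}: {2} | input={3}\n{4}",
                              id, ex.GetType().FullName, ex.Message, offendingInput, ex.StackTrace));

        // The client gets no exception text, no system information and no echo of its input.
        return new UserError
        {
            Message = "The request could not be processed. Quote reference " + id + " when contacting support.",
            CorrelationId = id
        };
    }

    static void Main()
    {
        string input = "1e99";   // constructed: a value the integer parser rejects
        try
        {
            int.Parse(input);
        }
        catch (FormatException ex)
        {
            UserError forUser = Handle(ex, input);
            Console.WriteLine("to user: " + forUser.Message);
            Console.WriteLine("to log : " + Log[0]);
        }
    }
}
```

Keep the generic page itself static: an error page that throws while rendering falls back to the framework's own detailed error output, which is exactly what the setting was meant to hide.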