
Slide 1: Security.NET Chapter 1

Slide 2: How Do Attacks Occur?
Stage of attack              Example of attacker action
1. Footprint                 Runs a port scan on the firewall
2. Penetration               Exploits an unpatched Web server
3. Elevation of privilege    Creates an account with administrator rights
4. Exploit                   Uploads unlicensed software to the Web server
5. Cover-up                  Erases the audit trail of the exploit

Slide 3: Vulnerabilities and Examples
Weak passwords
–Employees use blank or default passwords
Unpatched software
–Patches are not updated
–Security hotfixes are not applied
Misconfigured software
–Services have more privileges than required
–Services run as the Local System account
Social engineering
–Help desk administrator resets a password without verifying the identity of the caller
Weak security on Internet connections
–Unused services and ports are not secured
–Firewalls are used improperly
Unencrypted data transfer
–Authentication packets are sent in clear text
–Important data is sent over the Internet in clear text
Buffer overrun
–A trusted process runs untrusted code

Slide 4: STRIDE Model
Spoofing identity
Tampering
Repudiability
Information disclosure
Denial of Service
Elevation of Privilege

Slide 5: Spoofing Identity
Attacker impersonates a valid system user or resource to gain access to the system
Example:
–Spoofing a server identity to gain access to passwords and other system data

Slide 6: Tampering with Data (Integrity)
Malicious modification of system or user data, with or without detection
Data tampering can occur on:
–Database objects, through SQL injection attacks
–Application objects, such as application configuration information and HTML files
–Communications and interactions

Slide 7: Repudiability
Users can deny performing an action without administrators having any way to prove otherwise
–A service that is attacked through an anonymous request
–A system where audit logging is not enabled
–An attacker that tampers with or deletes logged data
–An attacker that spoofs another user to exploit the system
Enable logging to avoid repudiability threats

Slide 8: Information Disclosure
Compromised private or business-critical information through the exposure of that information to individuals who are not supposed to see it
–Encryption keys
–Business plans
–Credit card information

Slide 9: Denial of Service
Denying service to valid users
–Overloading a server with spurious requests
–Causing a process to consume CPU, memory, and bandwidth
–Using viruses and worms that consume hard disk space on a Web server

Slide 10: Elevation of Privilege
Unprivileged user gains privileged access, thereby gaining sufficient access to compromise or destroy the entire system
–Can be undetected
–Can become part of the trusted system
Example:
–A buffer overrun attack that causes injected code to run at an elevated privilege, giving the malicious code access to unauthorized pieces of the system

Slide 11: Enabling Logging
Maintain a log of activities that are performed on the system by the users and Web applications
–Windows logs
–IIS logs
–SQL Server logs
–Custom logs

Slide 12: User Input
URLs
–Request individual resources of a Web application
GET data
–Parameters and values that a client passes to a Web application to satisfy a GET request
POST data
–Parameters and values that a client passes to a Web application to satisfy a POST request
Cookies
–Store data on the client computer
HTTP headers
–Provide numerous HTTP request header values to describe the client environment to the server

Slide 13: Why Validate User Input?
User input can be used to attack a Web application to:
–Reveal implementation details
–Create malicious data
–Execute malicious script
–Access restricted resources
To avoid a user input attack:
–Do not accept user input without validating it
–Define valid input and write code to accept only data within the valid range

Slide 14: Types of User Input Validation
Client-side validation
–Executes validation code, in a script, within the user's browser
–Minimizes server round-trips for data validation
Server-side validation
–Executes data validation code on the server
–Validation errors need to be sent back to the client, resulting in more server round-trips
ASP.NET validation controls
–Support both client-side and server-side validation

Slide 15: URL Format Attacks
::$DATA format
–Returned the script source instead of the HTML response
Dotless IP addresses
–Previously considered part of the intranet
–http://031713501415
Parent paths
–Can access files outside a virtual directory
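The dotless address on the slide is the kind of host that a zone or allow-list check mis-classifies when it compares raw strings: the same server can be written as a dotted quad, a plain decimal, an octal number with a leading 0, or a hex number with 0x. The following is an added example, not code from the slides, that canonicalises every such numeric form to a dotted quad before any decision is made; running it shows that the slide's 031713501415 (read as octal) and its decimal and hex spellings all collapse to the same dotted quad, so a check on the canonical form treats them alike. The zone policy in isIntranetHost (RFC 1918 ranges) and the sample hosts are constructed for this example.

```javascript
// Added example (not from the slides): canonicalise the numeric host forms
// that legacy URL parsers accepted (dotless decimal, leading-0 octal,
// 0x hex, and dotted forms with fewer than four parts) before any zone or
// allow-list decision. The intranet policy below is constructed.

// Parses one numeric part. Returns null when the part is not a number
// in one of the accepted radixes.
function parseIpv4Part(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^0[0-9]+$/.test(part)) return null;   // leading zero but not octal, e.g. "08"
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return null;
}

// Returns the canonical dotted quad for a numeric IPv4 host, or null when
// the host is a name or a number out of range.
function normalizeIpv4Host(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some(n => n === null)) return null;
  // Every part but the last is one octet; the last part fills the remaining
  // octets (so "3475931917" is all four octets and "10.1" is 10.0.0.1).
  const remaining = 4 - (nums.length - 1);
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 2 ** (8 * remaining)) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 2 ** (8 * remaining) + last;
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Zone decision made on the canonical form only. RFC 1918 ranges count as
// intranet here; names are not handled by this numeric-only check.
function isIntranetHost(host) {
  const quad = normalizeIpv4Host(host);
  if (quad === null) return false;
  const [a, b] = quad.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
```

A string comparison against "192.168." would accept the dotted form and miss the decimal and hex spellings of the same address; comparing after normalizeIpv4Host removes that gap.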

Slide 16: HTTP Cookie Attacks
Two types of cookies: persistent and session
Persistent cookies can be edited with Notepad.exe
–C:\Documents and Settings\username\Cookies
All cookies can be edited in client-side script
–document.cookie in JavaScript
Do not store sensitive data in a cookie
–Instead store a lookup key
Encrypt cookie data if necessary

Slide 17: HTTP Header Attacks
Do not trust the header values sent by the client
–Header values can be set maliciously
Do not trust header values for important decisions
–Example: invoicing based on the Referer header value

Slide 18: Form Data Attacks
Form values
–GET method includes the field values in the URL
–POST method includes the field values in the body of the request
Form fields
–All form fields and field names are visible in the source code
–Hidden fields are not secure
Validate field values and field names
Validate field value type and length
Use forms for the minimum required data

Slide 19: Script Command Injection Attacks
XSS
–Used with a trusted Web application
–Embed script in text controls

Slide 20: Example (ASP)

Slide 21: ASP File
Enter alert('hello');

Slide 22: ASP.NET
Error message
But if you write: alert('hello');
To bypass check:
Or in web.config:

Slide 23: Trusted code
// Deletes d:\a.txt through the FileSystemObject; it runs only when the
// page is in the Trusted Sites zone
var fso = new ActiveXObject('Scripting.FileSystemObject');
var e = fso.GetFile('d:\\a.txt');
e.Delete();
If you add the site to Trusted Sites, it works.

Slide 24: Prevent XSS
Validate user input
Use:
–Server.HtmlEncode(str);
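Slides 21 through 24 show script entered into a text control being echoed back as markup and then give Server.HtmlEncode as the fix. The following is an added example, not code from the slides or from ASP/ASP.NET, that puts the two renderings side by side: an unencoded template that turns the user's text into markup, and the same template with an encoder that replaces the five characters able to change HTML structure. The encoder is this example's own (its output for the apostrophe is a choice made here, not a statement about any Server.HtmlEncode version), and the templates and the containsScriptTag check are constructed for the demonstration.

```javascript
// Added example (not from the slides): output encoding beside the unencoded
// rendering that slides 21 and 22 show being exploited. The encoder and
// templates are this example's own, not ASP/ASP.NET code.

// Encodes the five characters that can change HTML structure.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// What the vulnerable page effectively does: user text becomes markup.
function renderCommentUnsafe(text) {
  return `<p class="comment">${text}</p>`;
}

// Hardened form: the same template with the user text encoded first.
function renderCommentSafe(text) {
  return `<p class="comment">${htmlEncode(text)}</p>`;
}

// Attribute context: the value must sit inside a quoted attribute and the
// quotes inside it must be encoded, which htmlEncode does.
function renderLink(label, title) {
  return `<a href="/profile" title="${htmlEncode(title)}">${htmlEncode(label)}</a>`;
}

// Crude check used only to show the difference between the two renderings:
// does the output contain a script start tag the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Encoding is applied at output time, in the context where the text lands; the slide's "validate user input" is the complementary step that rejects values which should never have been accepted in the first place.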

Slide 25: ASP.NET Validation Controls
Five Web Server Controls used for validating user input
–RequiredFieldValidator
–RegularExpressionValidator
–CompareValidator
–CustomValidator
–RangeValidator

Slide 26: Regular Expressions
using System;
using System.Text.RegularExpressions;

// Remove every run of non-word characters
string test = "Words only &%";
Regex nonWord = new Regex("\\W+");
string replaced = nonWord.Replace(test, "");   // "Wordsonly"

// Report where each four-digit run starts
string test1 = "Looking for 1256 in here";
Regex fourDigits = new Regex("\\d{4}");
MatchCollection matches = fourDigits.Matches(test1);
foreach (Match match in matches)
    Console.WriteLine(match.Index);   // 12
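Slides 13, 14 and 25 ask for validation that defines what valid input looks like and accepts only that, and slide 25 names the five validator types. The following is an added example, not code from the slides or from ASP.NET, that implements server-side equivalents of those five validators as composable rules, applies them to one posted form with an allow-list schema, and also carries the two regular-expression operations from slide 26 over to JavaScript (where the global flag is needed to replace every match). The schema, field names and sample forms are constructed for this example.

```javascript
// Added example (not from the slides): server-side counterparts of the five
// ASP.NET validator controls, applied to one posted form through an
// allow-list schema, plus slide 26's regex operations in JavaScript.
// Rules, field names and sample data are constructed for this example.

// Each rule returns an error string or null. Posted values arrive as strings.
const rules = {
  required: (v) => (v === undefined || v.trim() === '' ? 'is required' : null),
  regex: (pattern) => (v) => (pattern.test(v) ? null : 'has an invalid format'),
  range: (min, max) => (v) => {
    const n = Number(v);
    return Number.isFinite(n) && n >= min && n <= max ? null : `must be between ${min} and ${max}`;
  },
  compare: (otherField) => (v, form) => (v === form[otherField] ? null : `must match ${otherField}`),
  custom: (fn, message) => (v, form) => (fn(v, form) ? null : message),
};

// Allow-list patterns: say what valid input looks like, not what to block.
const schema = {
  username: [rules.required, rules.regex(/^[A-Za-z0-9_]{3,16}$/)],
  age:      [rules.required, rules.range(18, 120)],
  password: [rules.required, rules.custom((v) => v.length >= 12, 'must be at least 12 characters')],
  confirm:  [rules.required, rules.compare('password')],
  zip:      [rules.regex(/^[0-9]{5}$/)],            // optional field
};

// Runs the schema over a form. Field names not in the schema are rejected
// (slide 18: validate field names as well as values); errors are keyed by field.
function validateForm(form, schema) {
  const errors = {};
  for (const name of Object.keys(form)) {
    if (!(name in schema)) errors[name] = [`${name} is not an accepted field`];
  }
  for (const [name, checks] of Object.entries(schema)) {
    const value = form[name];
    for (const check of checks) {
      if (value === undefined && check !== rules.required) continue; // optional and absent
      const err = check(value, form);
      if (err) {
        errors[name] = [`${name} ${err}`];
        break; // first failing rule per field, as a validator summary would show
      }
    }
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Slide 26's two operations in JavaScript.
function stripNonWord(text) {
  return text.replace(/\W+/g, '');             // global flag: replace every run
}
function fourDigitIndexes(text) {
  return [...text.matchAll(/\d{4}/g)].map(m => m.index);
}
```

Because the schema is an allow-list, a new field reaches the application only after someone writes a rule for it, which is the opposite default from accepting everything that was posted and filtering known-bad strings.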

Slide 27: Providing Feedback to Users
During normal conditions
–Verification messages
–Success messages
–Explanatory messages
During error conditions
–Keep detailed error information hidden: error codes, error messages, system information, call stacks
–Return a general error message and log the error details
–Never return the data that generated the error

Slide 28: Obscuring Error Details from Users
In Web.config file:

