web platform security final
-
Web Platform Security
Vimal Rajyaguru
Security Engineer
Microsoft ACE Security Team
-
Need for Security
Web applications are among the most frequently attacked systems.
Popular web development platforms include ASP.NET, LAMP and J2EE.
All these platforms offer certain security features to mitigate common security vulnerabilities.
However, it is up to the developers to use these features effectively and develop secure applications.
-
Agenda
ASP.NET Security
IIS Security
Summary
-
Common attacks
Code injection
Session hijacking
Identity spoofing
Parameter manipulation
Network eavesdropping
-
ASP.NET Security
-
Why ASP.NET?
ASP.NET as a web platform has security built in for many of the common requirements.
The built-in architecture and APIs help in developing secure web applications quickly.
-
ASP.NET Security
Secured by Design: Form Validation, View State Tampering, Input Validation
Secured by Default: Web Configuration, Authentication / Authorization Techniques, Membership Provider
Secured by Deployment: Precompiled Deployment in ASP.NET 2.0, PE Verification
-
Protection against XSS
ValidateRequest: checks the request for potentially dangerous content such as JavaScript, HTML, etc.
Enabled by default.
Can be toggled at application level in web.config.
Can also be toggled at page level.
-
Protection against XSS contd
Encode all user-controllable output using the Microsoft Anti-XSS Library's appropriate encoding methods.
The Anti-XSS Library can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en
Use XSSDetect, a freely available tool from MSDN, to analyze .NET code for XSS vulnerabilities.
XSSDetect can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=19A9E348-BDB9-45B3-A1B7-44CCDCB7CFBE&displaylang=en
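To make the encoding rule concrete, here is an added code-behind example (not from the slides) that writes the same user-supplied value raw and then encoded for each output context; it assumes the Anti-XSS Library assembly is referenced and uses hypothetical control IDs.

```csharp
// Added example, not code from the slides. Assumes the Anti-XSS Library assembly
// (Microsoft.Security.Application) is referenced; the control IDs are hypothetical.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;

public partial class Greeting : Page
{
    protected void btnGreet_Click(object sender, EventArgs e)
    {
        string name = txtName.Text;   // attacker-controllable input

        // Vulnerable: the raw value is rendered as markup in the HTML body.
        // ValidateRequest rejects many obvious payloads, but it is a filter rather
        // than an encoder, and it is often switched off on pages that accept rich text.
        // litGreeting.Text = "Hello, " + name;

        // Hardened: encode for the context the value lands in, with the library's
        // allow-list encoders (everything not known to be safe is encoded).
        litGreeting.Text = "Hello, " + AntiXss.HtmlEncode(name);                  // HTML body
        lnkProfile.NavigateUrl = "/profile.aspx?user=" + AntiXss.UrlEncode(name);  // query string

        // Framework fallback when the library is not available (escapes only < > & and quotes).
        lblFallback.Text = HttpUtility.HtmlEncode(name);
    }
}
```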
-
Protection against XSRF/One-Click attack
One-click attack relies on the ability of an attacker to create a prefilled form which a user submits unknowingly.
Page.ViewStateUserKey ensures that the ViewState cannot be calculated by an attacker, which prevents the attacker from preparing a prefilled form.
    protected override void OnInit(EventArgs e)
    {
        // Bind the ViewState MAC to this user's session before the ViewState is loaded
        Page.ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }
-
ViewState Protection
ViewState is tamper-proof by default. This is controlled by the key.
An HMAC is calculated and appended to the ViewState to ensure integrity. The key and algorithm used are defined in the element.
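The following is an added illustration serving both the one-click and the ViewState slides above; it is not the slides' code and not ASP.NET's actual ViewState serializer. It models the mechanism: an HMAC over the state under a key derived from the per-user key, so a form prepared in one session fails validation when posted from another. The server key and session ids are constructed values.

```csharp
// Added illustration (not the slides' code, not ASP.NET's real ViewState format): a MAC
// bound to a per-user key, so a form pre-built in another session fails validation.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ViewStateMacDemo
{
    const int MacLength = 20; // HMACSHA1 output size in bytes
    // Constructed stand-in for the server's validation key.
    static readonly byte[] ValidationKey = Encoding.ASCII.GetBytes("constructed-server-validation-key");

    // Render: MAC(state) under the user's key is appended to the state, then base64-encoded.
    public static string Protect(string state, string userKey)
    {
        byte[] stateBytes = Encoding.UTF8.GetBytes(state);
        byte[] payload = new byte[stateBytes.Length + MacLength];
        Buffer.BlockCopy(stateBytes, 0, payload, 0, stateBytes.Length);
        Buffer.BlockCopy(ComputeMac(stateBytes, userKey), 0, payload, stateBytes.Length, MacLength);
        return Convert.ToBase64String(payload);
    }

    // Postback: recompute with the current user's key; any mismatch rejects the state.
    public static bool TryUnprotect(string viewState, string userKey, out string state)
    {
        state = null;
        byte[] payload;
        try { payload = Convert.FromBase64String(viewState); } catch (FormatException) { return false; }
        if (payload.Length < MacLength) return false;
        int stateLength = payload.Length - MacLength;
        byte[] stateBytes = new byte[stateLength];
        Buffer.BlockCopy(payload, 0, stateBytes, 0, stateLength);
        byte[] expected = ComputeMac(stateBytes, userKey);
        int diff = 0; // constant-time comparison: do not leak which byte mismatched
        for (int i = 0; i < MacLength; i++) diff |= payload[stateLength + i] ^ expected[i];
        if (diff != 0) return false;
        state = Encoding.UTF8.GetString(stateBytes);
        return true;
    }

    // Derive a per-user MAC key from the server key, then MAC the state with it.
    static byte[] ComputeMac(byte[] stateBytes, string userKey)
    {
        byte[] userKeyBytes = Encoding.UTF8.GetBytes(userKey ?? string.Empty);
        using (var kdf = new HMACSHA1(ValidationKey))
        using (var mac = new HMACSHA1(kdf.ComputeHash(userKeyBytes)))
            return mac.ComputeHash(stateBytes);
    }
}
```

Calling Protect with an attacker's session id and TryUnprotect with the victim's session id fails the MAC check, which is the extra binding ViewStateUserKey adds on top of the integrity MAC described on the ViewState slide.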
-
Protecting Forms Authentication cookie
Authentication cookie can be protected.
-
Event Validation in ASP.Net 2.0
Event Validation verifies that arguments to postback or callback events originate from the server control that
originally rendered them.
Can be toggled at page level by
-
ASP.NET Validation Controls
Framework provides a variety of controls for common validation tasks
Required Field Validator
Compare Validator
Range Validator
Regular Expression Validator
Custom Validator
Validation runs on both the client and the server. However, the Page.IsValid property must be checked on the server to ensure that server-side validation has succeeded.
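An added code-behind example (not from the slides) showing the server half of a CustomValidator and the Page.IsValid check that must guard the action; the control IDs are hypothetical.

```csharp
// Added example, not from the slides. Hypothetical controls: txtAmount (TextBox),
// cvAmount (CustomValidator, OnServerValidate="cvAmount_ServerValidate"), btnSubmit (Button).
using System;
using System.Globalization;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Transfer : Page
{
    // Server half of the CustomValidator; the ClientValidationFunction half is optional,
    // this one is not. Pair it with a RequiredFieldValidator: by default a CustomValidator
    // is not invoked for an empty value.
    protected void cvAmount_ServerValidate(object source, ServerValidateEventArgs args)
    {
        decimal amount;
        args.IsValid = decimal.TryParse(args.Value, NumberStyles.Number,
                                        CultureInfo.InvariantCulture, out amount)
                       && amount > 0m && amount <= 10000m;
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // A direct POST skips the client-side script entirely, so only the server result
        // counts. With CausesValidation="true" the button has already run Page.Validate();
        // Page.IsValid aggregates every validator on the page.
        if (!Page.IsValid)
        {
            return;   // the validators' ErrorMessage / ValidationSummary report the problem
        }
        decimal amount = decimal.Parse(txtAmount.Text, CultureInfo.InvariantCulture);
        // ... act on the validated amount
    }
}
```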
-
Authentication & Authorization
Authentication (Who did the request come from?): Windows, Passport, Forms
Authorization (What is the caller allowed to do?): File authorization, URL authorization
Impersonation: Use process identity or caller identity?
-
Configuring Authentication
Web.config
-
ASP.NET Authorization
File authorization
Typically combined with Windows auth
Uses NTFS permissions to control access to resources based on caller's Windows identity
URL authorization
Typically combined with forms authentication
Controls access to resources based on caller's Windows, Passport, or forms identity
Applied in Web.config
-
Role and Membership providers
Provide features to implement authentication and authorization quickly and securely.
ASP.NET comes with SqlMembershipProvider and ActiveDirectoryMembershipProvider.
These provide many security features such as password length and complexity rules, storing hashed or encrypted passwords, configuring account lockouts, password retrieval, etc.
-
Protected Configuration Provider
Protected Configuration providers help improve the security of an application by letting you encrypt sensitive information stored in a web.config file.
Sections that contain sensitive information
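An added example (not from the slides) that encrypts the connectionStrings section from code using the DPAPI provider, and shows that reads need no change afterwards; it assumes it runs inside the web application with write access to web.config, and the connection string name is hypothetical.

```csharp
// Added example, not from the slides: protect the connectionStrings section from code
// using the DPAPI provider (aspnet_regiis -pe does the same from the command line).
// Assumes it runs inside the web application with write access to web.config.
using System.Configuration;
using System.Web.Configuration;

public static class ProtectedConfigDemo
{
    // Encrypts (or decrypts) the section in place and returns its protection state.
    public static bool SetProtection(bool encrypt)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (encrypt && !section.SectionInformation.IsProtected)
        {
            // DPAPI keys the encryption to this machine; use RsaProtectedConfigurationProvider
            // when the same web.config must be readable on every server of a farm.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        }
        else if (!encrypt && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
        }
        config.Save();
        return section.SectionInformation.IsProtected;
    }

    // Reads are unchanged: the runtime decrypts the section transparently on access.
    public static string ConnectionStringFor(string name)   // e.g. a hypothetical "MainDb"
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }
}
```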
-
IIS Security
-
IIS Security Architecture
Authentication (Who did the request come from?): Anonymous, Basic, Digest, Integrated Windows, X.509 Certificates, Passport (IIS 6), Forms (IIS 7)
Authorization (What is the caller allowed to do?): Windows Access Control Lists, Authorization rules (IIS 7)
IP Restrictions: Are calls from this IP address allowed?
SSL/TLS: Should traffic be encrypted?
Protection and Pooling: Where should the code execute?
Auditing / Request Tracing
-
Application pools in IIS
Application pools separate applications by process boundaries to prevent an application from affecting
another application on the server.
Each application pool can be configured to run under a separate service account.
*Application pools are available only in IIS 6 and IIS 7.
-
Worker Process Identity
On IIS 5, ASP.NET runs as ASPNET by default.
Weak local account with limited privileges
Created at install time
Password autogenerated
On IIS 6 & IIS 7, ASP.NET runs as Network Service (machine$) by default.
Weak account with limited privileges
Has network credentials
Built into Windows 2003 Server
-
IIS 7 Security Enhancements
Integrated Request Pipeline
Authentication and authorization modules are available to all types of content, such as ASP, static files, etc.
.NET Role or Membership providers can be used for any content.
Authorization rules can be configured for all types of content in IIS.
-
Request filtering
A feature like URLScan that filters requests based on rules such as URL patterns, content lengths, encodings, verbs, etc.
Hidden Namespaces/Segments: used to prevent IIS from serving certain segments of a URL, e.g. web.config, bin, App_Code, App_Data, etc.
This can be used to protect sections of a website which should not be accessible to users.
-
Web Development Best Practices
Don't trust user input.
Encode all user-controllable outputs before displaying.
Use parameterized SQL statements and stored procedures.
Employ the Principle of Least Privilege.
Reduce attack surface by locking down web server and application.
Use structured exception handling.
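For the parameterized SQL practice, here is an added example (not from the slides) with the same lookup written injectably and then with a parameter; it assumes an open SqlConnection and a hypothetical Users(Name, Email) table and stored procedure.

```csharp
// Added example, not from the slides: the same lookup written injectably and with a
// parameter. Assumes an open SqlConnection and a hypothetical Users(Name, Email) table.
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Vulnerable: the input is spliced into the SQL text, so a quote character in it
    // changes the structure of the statement rather than just the value compared.
    public static string EmailForUnsafe(SqlConnection conn, string name)
    {
        string sql = "SELECT Email FROM Users WHERE Name = '" + name + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar() as string;
        }
    }

    // Hardened: the value travels as a typed parameter and can never become SQL.
    public static string EmailFor(SqlConnection conn, string name)
    {
        const string sql = "SELECT Email FROM Users WHERE Name = @name";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            return cmd.ExecuteScalar() as string;
        }
    }

    // A stored procedure is only a defence if it does not itself build SQL from its
    // arguments (no EXEC of a concatenated string inside the procedure).
    public static string EmailForViaProc(SqlConnection conn, string name)
    {
        using (var cmd = new SqlCommand("dbo.GetEmailByName", conn))   // hypothetical procedure
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```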
-
Summary
ASP.NET provides a large number of security features to enable developers to write secure code. Familiarize yourself with the security features offered by the framework.
Use these features wisely according to your needs.
Use IIS security features to lock down your web applications against intrusion. Use appropriate authentication methods. Isolate applications to minimize damage due to a rogue or compromised application.
-
Resources
Security Developer Center: http://msdn.microsoft.com/security
Threats & Countermeasures: http://msdn2.microsoft.com/en-us/library/ms994921.aspx
Building Secure ASP.NET Applications http://msdn2.microsoft.com/en-us/library/Aa302415.aspx
http://www.iis.net
http://blogs.msdn.com/ace_team/
-
Application Security Consulting Services
Services offered by Microsoft ACE Services:
Application Security Code Reviews
Threat Modeling/Design Reviews
Training: Secure Application Development, Threat Modeling
Assistance with developing and deploying SDL-IT within your environment
Contact [email protected] [email protected]
-
Questions?
Email: [email protected]
Blog: http://blogs.msdn.com/ace_team