Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015

Date post: 29-Jul-2015
Transcript

Devouring Security

Marudhamaran Gunasekaran@gmaran23

Beefing up Security in ASP.NET

Dot Net Bangalore 3rd meet up May 16 2015 @ Prowareness, Bangalore

Watch the screen recording of this presentation here at https://vimeo.com/gmaran23/beefingupsecurityinaspdotnet

Next 30 minutes

• Addressing the low-hanging fruits
• See the vulnerabilities in action
• Leveraging ASP.NET mitigations

Configuring Custom Errors Right

<system.web>
  <customErrors mode="On" defaultRedirect="Error.aspx" redirectMode="ResponseRewrite"/>
</system.web>

mode="RemoteOnly" is the default
redirectMode="ResponseRedirect" is the default

DOS attack and safe/vulnerable .Net versions

.Net framework 2.0.50727.5477 or higher

.Net framework 4.0.30319.34011 or higher

.Net framework 2.0.50727.5420 or lower

.Net framework 4.0.30319.1 or lower

.Net framework 2.0 - Revision 5420 to 5476 -- Safe/Vulnerable?

.Net framework 4.0 - Revision 1 to 34010 -- Safe/Vulnerable?

Information Disclosure problems

Remove the Server and X-AspNetMvc-Version Header

protected void Application_BeginRequest(object sender, EventArgs e)
{
    var application = sender as HttpApplication;
    if (application != null && application.Context != null)
    {
        // Response.Headers is only writable under the IIS 7+ integrated pipeline
        application.Context.Response.Headers.Remove("Server");
    }
}

protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;   // suppresses X-AspNetMvc-Version
}

Remove ASP.NET Version and X-Powered-By Header

<httpRuntime enableVersionHeader="false"/>

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

ASP.NET Tracing Vulnerabilities

Secure <trace> configurations

<trace enabled="true" localOnly="false"/>   (vulnerable: trace output is exposed to remote clients)

<trace enabled="false" localOnly="true"/>   (default)

<deployment retail="true" />

<configuration>
  <system.web>
    <deployment retail="true"/>
  </system.web>
</configuration>

Set at %windir%\Microsoft.Net\Framework64\v4.0.30319\Config\machine.config

• Disables debugging
• Switches on custom errors
• Disables tracing

Vulnerable session is in the URL

Secure <sessionState> configurations

<sessionState cookieless="UseUri"/>   (vulnerable: the session ID travels in the URL)

<sessionState cookieless="UseCookies"/>   (default)

Secure <sessionState> configurations

Default cookie name obfuscation (replaces the default ASP.NET_SessionId name):

<sessionState cookieName="_umt_"/>

Secure <httpCookies> configurations

<httpCookies httpOnlyCookies ="true" requireSSL="true"/>

httpOnlyCookies – makes the cookie unavailable to client-side scripts

requireSSL – sends the cookie only over HTTPS connections

Cross Site Scripting (XSS) Risks

• Spread drive-by download malware
• Steal credentials
• Hijack someone's session
• Privilege escalation
• Client-side DOS

http://www.technewsworld.com/story/68946.html

Make sure request validation is enabled

Caution!

• The following code does not trigger request validation, or delays it

Context specific output encoding

ASP.Net code behind:

lblName.Text = "Hello, " + HttpUtility.HtmlEncode(txtValue.Text);

lblName.Text = "Hello, " + AntiXss.HtmlEncode(txtValue.Text);

ASPX view engine :

<%: data %>

Razor view engine:

@data
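The slide shows only the HTML-body encoder. The following is an added example, not code from the deck, that pushes one constructed untrusted string through the encoder matching each output context (HTML body, quoted attribute, JavaScript string literal, URL parameter) plus the AntiXSS allow-list encoder, so the difference between the contexts is visible:

```csharp
using System;
using System.Web;                   // HttpUtility
using System.Web.Security.AntiXss;  // AntiXssEncoder, ships with .NET 4.5+

// Added example: the same untrusted string encoded for each output context.
public static class ContextEncoding
{
    // HTML body context, e.g. <span>...</span> or lblName.Text
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // Quoted HTML attribute context, e.g. <input value="...">.
    // HtmlAttributeEncode only escapes < & " ' so the attribute MUST be quoted.
    public static string ForHtmlAttribute(string untrusted)
    {
        return "<input value=\"" + HttpUtility.HtmlAttributeEncode(untrusted) + "\">";
    }

    // JavaScript string-literal context inside a <script> block.
    // HtmlEncode is the wrong tool here; JavaScriptStringEncode escapes quotes,
    // backslashes and < > & as \uXXXX so "</script>" cannot close the block.
    public static string ForJavaScriptString(string untrusted)
    {
        return "var name = '" + HttpUtility.JavaScriptStringEncode(untrusted) + "';";
    }

    // URL query-string context, e.g. /search?q=...
    public static string ForUrlParameter(string untrusted)
    {
        return "/search?q=" + HttpUtility.UrlEncode(untrusted);
    }

    // AntiXSS allow-list encoder: anything outside its safe list is encoded,
    // which is stricter than HttpUtility's deny-list approach.
    public static string ForHtmlBodyStrict(string untrusted)
    {
        return AntiXssEncoder.HtmlEncode(untrusted, useNamedEntities: false);
    }

    public static void Main()
    {
        const string payload = "\"><script>alert(1)</script>";   // constructed sample
        Console.WriteLine(ForHtmlBody(payload));
        Console.WriteLine(ForHtmlAttribute(payload));
        Console.WriteLine(ForJavaScriptString(payload));
        Console.WriteLine(ForUrlParameter(payload));
        Console.WriteLine(ForHtmlBodyStrict(payload));
    }
}
```

Whichever encoder is used, it must be chosen by where the value lands in the page, not by where it came from.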

Auth(en) & Auth(or) with <location>

<location path="Administration.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Authorization in ASP.NET MVC

[Authorize(Roles = "Administrators")]
public ActionResult Index()
{
}

Sample Login Page in ASP.NET MVC

[HttpPost]
[RequireHttps]
[AllowAnonymous]
[ValidateInput(true)]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)

“We discovered CSRF vulnerabilities in ING’s site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user’s account to the attacker’s account,” the research paper noted, adding that SSL did nothing to prevent the attack. “Since ING did not explicitly protect against CSRF attacks, transferring funds from a user’s accounts was as simple as mimicking the steps a user would take when transferring funds.”

http://www.thetechherald.com/articles/CSRF-bug-on-INGDirect-com-could-have-allowed-fraudulent-transfers

http://www.cs.utexas.edu/~shmat/courses/cs378_spring09/zeller.pdf

Cross-Site Request Forgeries: Exploitation and Prevention by William Zeller and Edward W. Felten

Sample: CSRF protection in TFS web interface

CSRF Mitigation in ASP.Net MVC

Login.cshtml

LoginController.cs

CSRF Mitigation in ASP.Net MVC

• Adds an HTML hidden field named __RequestVerificationToken
• Adds a cookie named __RequestVerificationToken
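The Login.cshtml and LoginController.cs slides were screenshots. As an added example (not the deck's own code), here is the pair that produces the hidden field and cookie described above: the view emits both with Html.AntiForgeryToken(), and the POST action checks them with [ValidateAntiForgeryToken]. AccountController, LoginModel and the use of Membership.ValidateUser are assumptions for the demo.

```csharp
// Login.cshtml (Razor view), shown as a comment so the example is one file:
//
//   @model LoginModel
//   @using (Html.BeginForm("Login", "Account", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()   // hidden __RequestVerificationToken field + cookie
//       @Html.TextBoxFor(m => m.UserName)
//       @Html.PasswordFor(m => m.Password)
//       <input type="submit" value="Log in" />
//   }

using System.Web.Mvc;
using System.Web.Security;

public class LoginModel                     // assumed model for the demo
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [RequireHttps]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]   // hidden field must match the cookie, else HttpAntiForgeryException
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        if (!Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);

        // Only honour returnUrl when it is local; otherwise the login becomes an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```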

CSRF Mitigation in ASP.Net WebForms

• Available at Site.Master.cs
• The __AntiXsrfToken gets sent in the __VIEWSTATE and in the cookie for any WebForm that uses the Site.Master master page

Clickjacking

Strict-Transport-Security

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support

Adding necessary response headers

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

View State Security

<pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always" />

1. https://renouncedthoughts.wordpress.com/2014/01/14/devouring-security-sql-injection-exploitation-and-prevention-part-1/

2. https://renouncedthoughts.wordpress.com/2014/02/07/devouring-security-sql-injection-exploitation-and-prevention-part-2/

3. https://renouncedthoughts.wordpress.com/2014/05/09/sql-injection-testing-for-qa-testers/

4. https://renouncedthoughts.wordpress.com/2014/05/09/devouring-security-xml-attack-surface-and-defenses/

5. https://renouncedthoughts.wordpress.com/2014/09/26/devouring-security-cross-site-scripting-xss/

6. https://renouncedthoughts.wordpress.com/2015/05/20/practical-security-testing-for-developers-using-owasp-zap-at-dot-net-bangalore-3rd-meet-up-on-feb-21-2015/
