Secure .NET Programming Adam Getchell ([email protected]) Scott Kirkland ([email protected]) Alan Lai ([email protected]) College of Agricultural & Environmental Sciences Dean’s Office IT Security Symposium June 20-22, 2007

Introductions

- Not experts, just offering experience gained from .NET programs we've done.
- Goal is practical advice, based on principles and code smells [1], rather than exact code one is supposed to apply to every program (though reusable code is good).
- This (mostly) works for us; it may not work for you. Use what works for your team, but remember:

Good Software = Secure Software

OWASP Top 10 2007 [2]

1. Cross Site Scripting (XSS)
2. Injection Flaws (chiefly SQL injection)
3. Malicious File Execution (via Remote File Inclusion)
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

XSS

Cross-site scripting is the most prevalent and pernicious web application security issue. XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content.

XSS types:
- Reflected: displaying user-supplied (hostile) data directly, e.g. echoing a query-string parameter back into the page.
- Stored: storing user-supplied (hostile) data and displaying it later (e.g. CMS, blogs, forums).
- DOM injection: manipulating JavaScript directly on the page. Injected script runs inside the site's own origin, so it can use XmlHttpRequest (the basis of AJAX) with the victim's session, sidestepping the protection the same-origin policy would otherwise give, to forward users to hostile sites, etc.

SQL Injection Attacks

SQL injection attacks: easy, common, dangerous.
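The output-encoding fix for the XSS slide above, as an added example that is not part of the original slides. The page class, the lblGreeting label and the `name` query-string parameter are assumptions for illustration; the encoders are the standard ones in System.Web's HttpUtility.

```csharp
// Added example (not from the original slides): a reflected XSS sink in an
// ASP.NET page and its output-encoding fix. Page class, control name and the
// query-string parameter are assumptions for illustration.
using System;
using System.Web;                  // HttpUtility, in System.Web.dll
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Greeting : Page
{
    // Assumed markup on the page:  <asp:Label ID="lblGreeting" runat="server" />
    protected Label lblGreeting;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Attacker-controlled: anything the browser sent in ?name=...
        string name = Request.QueryString["name"] ?? "";

        // VULNERABLE: user data reaches the browser unencoded, so markup in it
        // becomes part of the page and any script in it runs in this site's origin.
        // lblGreeting.Text = "Hello, " + name;

        // FIXED: encode for the context the data lands in (here, HTML body text).
        lblGreeting.Text = XssEncodingDemo.RenderEncoded(name);
    }
}

// The encoding logic, isolated so it can be exercised without a web server.
public static class XssEncodingDemo
{
    // What the vulnerable page would have emitted for the label.
    public static string RenderVulnerable(string name)
    {
        return "Hello, " + name;
    }

    // HtmlEncode turns <, >, & and " into entities; the browser shows them as text.
    public static string RenderEncoded(string name)
    {
        return "Hello, " + HttpUtility.HtmlEncode(name);
    }

    // Attribute values are a different context: use the attribute encoder AND
    // keep the value inside double quotes, which is what the encoder protects.
    public static string RenderSearchBox(string previousQuery)
    {
        return "<input type=\"text\" name=\"q\" value=\""
             + HttpUtility.HtmlAttributeEncode(previousQuery) + "\" />";
    }

    public static void Main()
    {
        // Constructed hostile inputs, one per output context.
        string bodyPayload = "<script>alert(document.cookie)</script>";
        string attributePayload = "\" onfocus=\"alert(1)";

        Console.WriteLine(RenderVulnerable(bodyPayload));   // script tag survives intact
        Console.WriteLine(RenderEncoded(bodyPayload));      // angle brackets become &lt; and &gt;
        Console.WriteLine(RenderSearchBox(attributePayload)); // the closing quote is neutralised
    }
}
```

Pick the encoder by destination, not by source: HtmlEncode for element content, HtmlAttributeEncode for quoted attribute values, and a URL encoder for anything placed in a query string. ASP.NET's request validation (ValidateRequest, on by default since 2.0) rejects some obviously hostile input, but it is a blocklist on the way in and is not a substitute for encoding on the way out.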

Definition: injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands by supplying specially crafted data.

Vulnerability:

    // Vulnerable: user-controlled text is concatenated into the SQL statement, so a
    // quote character in txtUserName.Text changes the structure of the query itself.
    String query = "SELECT user_id FROM user_data WHERE user_name = '" + txtUserName.Text + "'";

Protection:

- Use input validation: check for length, type, syntax, etc.
- Use stored procedures, or at least strongly typed parameterized queries. A stored procedure only helps if its body does not build and EXEC dynamic SQL from its own arguments.
- Don't show detailed error messages; database errors belong in a server-side log, not on the page.

Parameterized Queries:

    using System.Data.SqlClient;

    SqlCommand command = new SqlCommand();
    command.CommandText = "SELECT user_id FROM user_data WHERE user_name = @user_name";
    // The user's text travels to the server as a parameter value, never as SQL text.
    command.Parameters.AddWithValue("@user_name", txtUserName.Text);

AddWithValue infers the parameter's SQL type from the .NET value; to fix the type and length explicitly (the "strongly typed" part), use the Parameters.Add overload that takes a SqlDbType and a size.

Input Validation

.NET makes it easy to validate input controls using the validator controls.
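To make the slide's advice concrete, here is an added example (not code from the original slides) that shows what attacker input does to the concatenated query, and the strongly typed parameterized and stored-procedure forms that stop it. The table, column and procedure names are assumptions, and no database is opened: SqlCommand objects can be built and inspected offline.

```csharp
// Added example (not from the original slides): attacker input against the
// concatenated query, and the parameterized / stored-procedure alternatives.
// Table, column and procedure names are assumptions; no connection is opened
// except in LookupUserId, which takes a caller-supplied connection string.
using System;
using System.Data;
using System.Data.SqlClient;

public static class SqlInjectionDemo
{
    // The vulnerable pattern from the slide, isolated so the result can be inspected.
    public static string BuildVulnerableQuery(string userName)
    {
        return "SELECT user_id FROM user_data WHERE user_name = '" + userName + "'";
    }

    // Strongly typed parameterized query: the SQL text is fixed at compile time and
    // the user's text is shipped as an nvarchar(50) value that cannot alter it.
    public static SqlCommand BuildParameterizedQuery(string userName, SqlConnection connection)
    {
        SqlCommand command = new SqlCommand(
            "SELECT user_id FROM user_data WHERE user_name = @user_name", connection);
        // Explicit type and length, instead of letting AddWithValue infer them.
        command.Parameters.Add("@user_name", SqlDbType.NVarChar, 50).Value = userName;
        return command;
    }

    // Stored-procedure call. Assumed procedure: dbo.GetUserId(@user_name nvarchar(50)).
    // This is only safer than the query above if the procedure body does not build
    // and EXEC dynamic SQL from @user_name.
    public static SqlCommand BuildStoredProcedureCall(string userName, SqlConnection connection)
    {
        SqlCommand command = new SqlCommand("dbo.GetUserId", connection);
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.Add("@user_name", SqlDbType.NVarChar, 50).Value = userName;
        return command;
    }

    // Runs the parameterized lookup for real; returns null when no row matches.
    public static int? LookupUserId(string connectionString, string userName)
    {
        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = BuildParameterizedQuery(userName, connection))
        {
            connection.Open();
            object result = command.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null;
            return Convert.ToInt32(result);
        }
    }

    public static void Main()
    {
        // Constructed attacker input: closes the string literal, appends a tautology,
        // and comments out the quote the application adds afterwards.
        string payload = "x' OR '1'='1' -- ";

        // In the concatenated form the WHERE clause now matches every row.
        Console.WriteLine(BuildVulnerableQuery(payload));

        // In the parameterized form the statement is unchanged and the payload
        // is just the value of @user_name.
        SqlCommand safe = BuildParameterizedQuery(payload, null);
        Console.WriteLine(safe.CommandText);
        Console.WriteLine(safe.Parameters["@user_name"].Value);
    }
}
```

Input validation (length, character set) still belongs in front of this, but it is defence in depth: the parameter is what makes the query's structure independent of the data.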

ASP.NET validators (except for the CustomValidator, which runs only on the server unless you also supply a ClientValidationFunction) validate controls once using client-side JavaScript and again on the server side (protecting you from clients who turn off JavaScript, or who post the form from a script). The server-side pass only protects you if your code checks Page.IsValid before acting on the input: the validators set that flag, they do not stop the postback.

.NET Validation Tips

- An empty control will pass every validation test except for the RequiredFieldValidator. Ex: if you want to make sure a string is not empty and matches a regular expression (like an email address), you must use both a RequiredFieldValidator and a RegularExpressionValidator.
- The CompareValidator can do much more than compare two controls. Leave the ControlToCompare property blank (ControlToValidate is still required) and use the Type, Operator and ValueToCompare properties.
  - Operators: DataTypeCheck, Equal, NotEqual, GreaterThan, GreaterThanEqual, LessThan, LessThanEqual
  - Types: Currency, Date, Double, Integer, String

.NET CompareValidator Examples

The value entered should convert to an integer greater than one.
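The validator tips above, including the "integer greater than one" CompareValidator, as an added example that is not part of the original slides. The validators are built in code-behind so every property is visible (the same names are the attributes you would write in .aspx markup); the page class, control IDs, the regular expression and the form fields are assumptions for illustration.

```csharp
// Added example (not from the original slides): the validators from the tips
// above built in code-behind, plus the Page.IsValid check that makes the
// server-side pass count. Page class, control IDs and the email regular
// expression are assumptions for illustration.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class SignupPage : Page
{
    // Assumed markup:
    //   <asp:TextBox ID="txtEmail" runat="server" />
    //   <asp:TextBox ID="txtQuantity" runat="server" />
    //   <asp:PlaceHolder ID="phValidators" runat="server" />
    //   <asp:Button ID="btnSubmit" runat="server" Text="Sign up" OnClick="btnSubmit_Click" />
    protected TextBox txtEmail;
    protected TextBox txtQuantity;
    protected PlaceHolder phValidators;

    protected void Page_Init(object sender, EventArgs e)
    {
        // Validators register with Page.Validators when they join the control tree.
        foreach (BaseValidator validator in BuildValidators())
            phValidators.Controls.Add(validator);
    }

    public static BaseValidator[] BuildValidators()
    {
        // An empty box passes every validator except RequiredFieldValidator, so a
        // field that must be present AND well-formed needs both of these.
        RequiredFieldValidator emailRequired = new RequiredFieldValidator();
        emailRequired.ControlToValidate = "txtEmail";
        emailRequired.ErrorMessage = "Email is required.";

        RegularExpressionValidator emailFormat = new RegularExpressionValidator();
        emailFormat.ControlToValidate = "txtEmail";
        emailFormat.ValidationExpression = @"^[^@\s]+@[^@\s]+\.[^@\s]+$";  // assumed, deliberately simple
        emailFormat.ErrorMessage = "Email address is not well-formed.";

        // Same rule for the number: the CompareValidator below says nothing about
        // an empty box, so it needs its own RequiredFieldValidator.
        RequiredFieldValidator quantityRequired = new RequiredFieldValidator();
        quantityRequired.ControlToValidate = "txtQuantity";
        quantityRequired.ErrorMessage = "Quantity is required.";

        // CompareValidator against a constant: ControlToCompare is left blank and
        // Type/Operator/ValueToCompare do the work. Because Type is Integer, a value
        // that does not convert to an integer fails as well (an implicit DataTypeCheck).
        CompareValidator quantityRange = new CompareValidator();
        quantityRange.ControlToValidate = "txtQuantity";
        quantityRange.Type = ValidationDataType.Integer;
        quantityRange.Operator = ValidationCompareOperator.GreaterThan;
        quantityRange.ValueToCompare = "1";
        quantityRange.ErrorMessage = "Quantity must be a whole number greater than 1.";

        return new BaseValidator[] { emailRequired, emailFormat, quantityRequired, quantityRange };
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // The client-side JavaScript may have been disabled or bypassed. The
        // validators have re-run on the server by the time this handler fires, but
        // all they did was set Page.IsValid; nothing here may touch the input
        // until that flag has been checked.
        if (!Page.IsValid)
            return;

        // Safe to convert: the CompareValidator already proved this is an integer > 1.
        int quantity = int.Parse(txtQuantity.Text);
        string email = txtEmail.Text;

        // Continue with email and quantity; persist them with a parameterized
        // query, as on the SQL injection slide, never by string concatenation.
    }
}
```

Adding the validators in Page_Init rather than Page_Load keeps them in the control tree before view state and postback data are processed, which is what lets them run automatically when the button (CausesValidation is true by default) posts back.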

