Web Platform Security

Vimal Rajyaguru

Security Engineer

Microsoft ACE Security Team

Need for Security

• Web applications are most vulnerable to attacks.

• Popular web development platforms are ASP.NET, LAMP and J2EE.

• All these platforms offer certain security features to mitigate common security vulnerabilities.

• However, it is up to the developers to use these features effectively and develop secure applications.

Agenda

• ASP.NET Security

• IIS Security

• Summary

Common attacks

• Code injection

• Session hijacking

• Identity spoofing

• Parameter manipulation

• Network eavesdropping

ASP.NET Security

Why ASP.NET?

• ASP.NET as a web platform has security built in as a mechanism for many of the common requirements.

• The built-in architecture and APIs help in developing secure web applications quickly.

ASP.NET Security

• Secured by Design

– Form Validation

– View State Tampering

– Input Validation

• Secured by Default

– Web Configuration

– Authentication / Authorization Techniques

– Membership Provider

• Secured by Deployment

– Precompiled Deployment in ASP.NET 2.0

– PE Verification

Protection against XSS

• ValidateRequest: checks the request for potentially dangerous content such as JavaScript, HTML etc.

• Enabled by default.

• Can be toggled at application level in web.config:

<pages validateRequest="true" />

• Can also be toggled at page level:

<%@ Page Language="C#" ValidateRequest="true" %>

* Use output encoding to effectively defend against cross-site scripting attacks. Use the Microsoft Anti-XSS library (http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en) to encode output.

Protection against XSS contd…

• Encode all user-controllable output using the Microsoft Anti-XSS Library's appropriate encoding methods.

– The Anti-XSS Library can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en

• Use XSSDetect, a freely available tool from MSDN, to analyze .NET code for XSS vulnerabilities.

– XSSDetect can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=19A9E348-BDB9-45B3-A1B7-44CCDCB7CFBE&displaylang=en
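The two XSS slides above say "encode all user-controllable output"; the following is an added example (not code from the deck or from the Anti-XSS library) showing what that looks like in C#. It uses System.Net.WebUtility, available in .NET Framework 4.0+ and .NET Core, in place of the Anti-XSS library the slides point to; the encoding principle is identical. The RenderUnsafe/RenderSafe functions and the sample inputs are constructed for the example.

```csharp
using System;
using System.Net;

// Added example: the same user-controlled values rendered into HTML twice,
// once unencoded and once encoded for the context each value lands in.
public static class OutputEncodingDemo
{
    // Vulnerable: user input is concatenated straight into markup.
    public static string RenderUnsafe(string userName, string profileUrl)
    {
        return "<p>Hello " + userName + "</p>" +
               "<a href=\"" + profileUrl + "\">profile</a>";
    }

    // Hardened: each value is encoded for the context it is placed in.
    // Text node -> HtmlEncode. Quoted attribute -> HtmlEncode as well, but a URL
    // attribute additionally needs a scheme check, because HTML encoding does not
    // neutralise a javascript: URL; it only stops the value breaking out of the attribute.
    public static string RenderSafe(string userName, string profileUrl)
    {
        string safeName = WebUtility.HtmlEncode(userName);
        string safeUrl = IsHttpUrl(profileUrl) ? WebUtility.HtmlEncode(profileUrl) : "#";
        return "<p>Hello " + safeName + "</p>" +
               "<a href=\"" + safeUrl + "\">profile</a>";
    }

    // Accept only absolute http(s) URLs for use in an href.
    public static bool IsHttpUrl(string url)
    {
        Uri parsed;
        return Uri.TryCreate(url, UriKind.Absolute, out parsed)
            && (parsed.Scheme == Uri.UriSchemeHttp || parsed.Scheme == Uri.UriSchemeHttps);
    }

    public static void Main()
    {
        // Constructed sample input: a script tag in the name, a javascript: scheme in the URL.
        string name = "<script>alert(1)</script>";
        string url = "javascript:alert(1)";
        Console.WriteLine("Unencoded: " + RenderUnsafe(name, url));
        Console.WriteLine("Encoded:   " + RenderSafe(name, url));
        Console.WriteLine("Encoded:   " + RenderSafe("O'Brien & Sons", "https://example.test/u/1"));
    }
}
```

ValidateRequest rejects the first input before the page runs, but it is a blocklist over request content and says nothing about data that arrives from a database or a web service; context-specific output encoding at the point of rendering is the control that holds regardless of where the value came from.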

Protection against XSRF/One-Click attack

• A one-click attack relies on the ability of an attacker to create a prefilled form which a user submits unknowingly.

• Page.ViewStateUserKey ensures that the ViewState cannot be calculated by an attacker, which prevents the attacker from preparing a prefilled form.

override protected void OnInit(EventArgs e)
{
    // ...
    Page.ViewStateUserKey = Session.SessionID;
    // ...
}

ViewState Protection

• ViewState is tamper-proof by default. This is controlled by the setting

<pages enableViewStateMac="true" />

• An HMAC is calculated and appended to the ViewState to ensure integrity. The key and algorithm used are defined in the element

<machineKey validationKey="AutoGenerate,IsolateApps" validation="SHA1" />

• ViewState can also be encrypted to ensure confidentiality.

<pages viewStateEncryptionMode="Always" />
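The ViewStateUserKey slide and the ViewState MAC slide above describe two layers of one mechanism: an HMAC over the serialized state, with a per-user value mixed in so that a blob prepared for one user does not validate for another. The following is an added example that models that mechanism as a stand-alone C# console program; it is not the deck's code and not ASP.NET's internal ViewState format. The validation key, the session identifiers and the state bytes are all constructed for the example, and HMAC-SHA1 is used to match the validation="SHA1" setting shown above.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: Protect() appends an HMAC to a state blob; Unprotect() returns the
// state only if the blob is unmodified AND was produced for the same user key.
public static class ViewStateMacDemo
{
    // Constructed server secret standing in for machineKey validationKey.
    // A real deployment generates this once and shares it across the web farm.
    private static readonly byte[] ValidationKey =
        Encoding.ASCII.GetBytes("constructed-validation-key-not-for-production");

    private const int MacLength = 20; // HMAC-SHA1 output size in bytes

    // base64( state || HMAC(len(state) || state || userKey) )
    public static string Protect(byte[] state, string userKey)
    {
        byte[] mac = ComputeMac(state, userKey);
        byte[] blob = new byte[state.Length + mac.Length];
        Buffer.BlockCopy(state, 0, blob, 0, state.Length);
        Buffer.BlockCopy(mac, 0, blob, state.Length, mac.Length);
        return Convert.ToBase64String(blob);
    }

    // Returns the state when the MAC validates for this user key, otherwise null.
    public static byte[] Unprotect(string encoded, string userKey)
    {
        byte[] blob;
        try { blob = Convert.FromBase64String(encoded); }
        catch (FormatException) { return null; }
        if (blob.Length < MacLength) return null;

        byte[] state = new byte[blob.Length - MacLength];
        byte[] mac = new byte[MacLength];
        Buffer.BlockCopy(blob, 0, state, 0, state.Length);
        Buffer.BlockCopy(blob, state.Length, mac, 0, MacLength);

        byte[] expected = ComputeMac(state, userKey);
        return ConstantTimeEquals(mac, expected) ? state : null;
    }

    private static byte[] ComputeMac(byte[] state, string userKey)
    {
        byte[] keyBytes = Encoding.UTF8.GetBytes(userKey ?? string.Empty);
        // Length-prefix the state so different (state, userKey) splits cannot collide.
        byte[] prefix = BitConverter.GetBytes(state.Length);
        byte[] input = new byte[prefix.Length + state.Length + keyBytes.Length];
        Buffer.BlockCopy(prefix, 0, input, 0, prefix.Length);
        Buffer.BlockCopy(state, 0, input, prefix.Length, state.Length);
        Buffer.BlockCopy(keyBytes, 0, input, prefix.Length + state.Length, keyBytes.Length);
        using (var hmac = new HMACSHA1(ValidationKey))
        {
            return hmac.ComputeHash(input);
        }
    }

    // Compare every byte so timing does not reveal where two MACs first differ.
    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] state = Encoding.UTF8.GetBytes("Quantity=1;Price=100"); // constructed
        string sessionA = "session-A"; // stands in for Session.SessionID
        string blob = Protect(state, sessionA);

        Console.WriteLine("same user, intact:        " + (Unprotect(blob, sessionA) != null));
        Console.WriteLine("other user, intact:       " + (Unprotect(blob, "session-B") != null));

        byte[] tampered = Convert.FromBase64String(blob);
        tampered[0] ^= 0x01; // flip one bit of the payload
        Console.WriteLine("same user, tampered:      " +
            (Unprotect(Convert.ToBase64String(tampered), sessionA) != null));
    }
}
```

Two practitioner checks follow from this model. First, the MAC covers integrity only; the state itself is still readable by whoever holds the blob, which is why the slide offers viewStateEncryptionMode="Always" as a separate setting. Second, AutoGenerate keys differ per machine, so a farm that does not share an explicit validationKey will reject ViewState posted back to a different node.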

Protecting Forms Authentication cookie

• The authentication cookie can be protected.

<forms loginUrl="Login.aspx"
       protection="All"
       timeout="20"
       slidingExpiration="false"
       requireSSL="true" />

* Authentication cookies are HttpOnly by default in ASP.NET 2.0.

Event Validation in ASP.Net 2.0

• Event Validation verifies that arguments to postback or callback events originate from the server control that originally rendered them.

• Can be toggled at page level by

<%@ Page EnableEventValidation="true" %>

• Also at application level by

<pages enableEventValidation="true" />

ASP.NET Validation Controls

• The framework provides a variety of controls for common validation tasks:

– Required Field Validator

– Compare Validator

– Range Validator

– Regular Expression Validator

– Custom Validator

• Validates on both client and server side. However, the Page.IsValid property needs to be checked to ensure that server validation has succeeded.
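The last bullet above is the one that gets missed in practice: client-side validation runs in the browser and can be skipped by posting the form directly, so the server must consult Page.IsValid before acting on the input. The following is an added example, not from the deck, of a Web Forms code-behind that does this together with a CustomValidator's server-side rule. It assumes a hypothetical page whose markup (not shown) declares a TextBox QuantityBox, a CustomValidator QuantityValidator wired to QuantityValidator_ServerValidate, a Button SubmitButton and a Label ResultLabel; it needs ASP.NET Web Forms and is not a console program.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: server-side validation rule plus the Page.IsValid gate.
// QuantityBox, QuantityValidator, SubmitButton and ResultLabel are hypothetical
// controls declared in the page markup / designer file.
public partial class OrderPage : Page
{
    // Server-side rule for the CustomValidator (its OnServerValidate handler).
    // This runs regardless of whether the browser executed any client script.
    protected void QuantityValidator_ServerValidate(object source, ServerValidateEventArgs args)
    {
        int quantity;
        args.IsValid = int.TryParse(args.Value, out quantity)
                       && quantity >= 1
                       && quantity <= 100;
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // A button with CausesValidation=true already triggers validation before
        // this handler, but calling Page.Validate() explicitly keeps the gate
        // correct if validation groups or CausesValidation=false are introduced later.
        Page.Validate();
        if (!Page.IsValid)
        {
            // The validators render their ErrorMessage; the input is not used.
            return;
        }

        // Safe to parse: the validator above guaranteed an integer in range.
        int quantity = int.Parse(QuantityBox.Text);
        ProcessOrder(quantity);
    }

    private void ProcessOrder(int quantity)
    {
        // Placeholder for the real business logic in this example.
        ResultLabel.Text = "Ordered " + quantity + " item(s).";
    }
}
```

The same pattern applies to every validator on the page: the declarative controls set IsValid, and the code-behind treats a false IsValid as "the request did not pass validation", never as a cosmetic detail for the browser.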

Authentication & Authorization

• Authentication – Who did the request come from?

– Windows

– Passport

– Forms

• Authorization – What is the caller allowed to do?

– File authorization

– URL authorization

• Impersonation – Use process identity or caller identity?

Configuring Authentication

Web.config:

<configuration>
  <system.web>
    <!-- mode="Windows|Passport|Forms|None" -->
    <authentication mode="Windows" />
  </system.web>
</configuration>

ASP.NET Authorization

• File authorization

– Typically combined with Windows authentication

– Uses NTFS permissions to control access to resources based on the caller's Windows identity

• URL authorization

– Typically combined with forms authentication

– Controls access to resources based on the caller's Windows, Passport, or forms identity

– Applied in Web.config

Role and Membership providers

• Provide features to implement authentication and authorization quickly and securely.

• ASP.NET comes with SqlMembershipProvider and ActiveDirectoryMembershipProvider.

• Provide many security features such as password length and complexity rules, storing hashed or encrypted passwords, configuring account lockouts, password retrieval etc.

Protected Configuration Provider

• The Protected Configuration Provider helps improve the security of an application by letting you encrypt sensitive information that is stored in a web.config file.

• Sections that contain sensitive information:

– <appSettings>

– <connectionStrings>

– <identity>

– <sessionState>
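The slide above names the sections worth protecting but not how the encryption is applied. The following is an added example, not the deck's code, that encrypts the <connectionStrings> section of a web application's web.config through the configuration API using the built-in DPAPI provider (DataProtectionConfigurationProvider). It requires System.Web.Configuration and write access to the config file; the application path "/MyApp" is a hypothetical value.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypt a web.config section in place, then read it back through
// the normal API, which decrypts transparently at runtime.
public static class ProtectedConfigDemo
{
    // DPAPI provider: keys are bound to the machine (or the user account, depending
    // on its useMachineProtection setting). For a web farm the RSA provider
    // (RsaProtectedConfigurationProvider) with an exported key container is the usual choice.
    private const string ProviderName = "DataProtectionConfigurationProvider";

    // Encrypt the named section; no-op if it is already protected.
    public static void ProtectSection(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
        {
            throw new ArgumentException("Section not found: " + sectionName);
        }
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(ProviderName);
            // ForceSave writes the section even though its in-memory values are unchanged.
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    public static bool IsProtected(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        return section != null && section.SectionInformation.IsProtected;
    }

    // Reading code does not change: the runtime decrypts the section on access.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    public static void Main()
    {
        const string app = "/MyApp"; // hypothetical virtual path
        ProtectSection(app, "connectionStrings");
        Console.WriteLine("connectionStrings protected: " + IsProtected(app, "connectionStrings"));
    }
}
```

The same result is available without code via the aspnet_regiis.exe tool that ships with the framework (the -pe switch encrypts a section, -pd decrypts it); either way, the plaintext only ever exists in memory of the worker process, and the on-disk file no longer carries credentials that a file-read bug or a stray backup would expose.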

IIS Security

IIS Security Architecture

• Authentication – Who did the request come from?

– Anonymous

– Basic

– Digest

– Integrated Windows

– X.509 Certificates

– Passport (IIS 6)

– Forms (IIS 7)

• Authorization – What is the caller allowed to do?

– Windows Access Control Lists

– Authorization rules (IIS 7)

• IP Restrictions – Are calls from this IP address allowed?

• SSL/TLS – Should traffic be encrypted?

• Protection and Pooling – Where should the code execute?

• Auditing / Request Tracing

Application pools in IIS

• Application pools separate applications by process boundaries to prevent an application from affecting another application on the server.

• Each application pool can be configured to run under a separate service account.

* Application pools are available only in IIS 6 and IIS 7.

Worker Process Identity

• On IIS 5, ASP.NET runs as ASPNET by default.

– Weak local account with limited privileges

– Created at install time

– Password autogenerated

• On IIS 6 & IIS 7, ASP.NET runs as Network Service (machine$) by default.

– Weak account with limited privileges

– Has network credentials

– Built into Windows Server 2003

IIS 7 Security Enhancements

• Integrated Request Pipeline

– Authentication and Authorization modules are available to all types of content such as ASP, static files etc.

– Can use features like .NET Role or Membership providers for any content.

– Can configure Authorization rules for all types of content in IIS.

Request filtering

• A tool like URLScan which can be used to filter requests based on rules such as URL patterns, content lengths, encodings, verbs etc.

• Hidden Namespaces/Segments: used to prevent IIS from serving certain sections of a URL, e.g. web.config, bin, App_Code, App_Data etc.

This can be used to protect sections of a website which should not be accessible to the user.

Web Development Best Practices

• Don't trust user input.

• Encode all user-controllable outputs before displaying.

• Use parameterized SQL statements and stored procedures.

• Employ the Principle of Least Privilege.

• Reduce attack surface by locking down the web server and application.

• Use structured exception handling.
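The "parameterized SQL statements and stored procedures" bullet above is the one that maps most directly to code, so here is an added example (not from the deck) of the same lookup written three ways in C#: string concatenation, a parameterized command, and a stored-procedure call. It uses System.Data.SqlClient; the connection string, the Users table and the dbo.GetUserByName procedure are hypothetical, and only BuildUnsafeQuery and Main run without a SQL Server.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example: the same lookup with and without parameters.
public static class UserLookup
{
    // Vulnerable: the user-supplied name becomes part of the SQL text, so a quote
    // character in the input changes the structure of the statement.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Id, Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // Hardened: the SQL text is fixed; the value travels as a typed parameter and
    // can never be interpreted as part of the statement.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string userName)
    {
        var command = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE UserName = @userName", connection);
        command.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
        return command;
    }

    // Stored procedure variant: same parameter discipline, CommandType set explicitly
    // so the name is not treated as SQL text to be parsed.
    public static SqlCommand BuildProcCommand(SqlConnection connection, string userName)
    {
        var command = new SqlCommand("dbo.GetUserByName", connection);
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
        return command;
    }

    // Runs the parameterized query and collects the Email column.
    public static List<string> FindEmails(string connectionString, string userName)
    {
        var emails = new List<string>();
        using (var connection = new SqlConnection(connectionString))
        using (SqlCommand command = BuildSafeCommand(connection, userName))
        {
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                int emailOrdinal = reader.GetOrdinal("Email");
                while (reader.Read())
                {
                    emails.Add(reader.GetString(emailOrdinal));
                }
            }
        }
        return emails;
    }

    public static void Main()
    {
        // Constructed input containing a single quote: compare what reaches the parser.
        string input = "o'brien";
        Console.WriteLine("Concatenated text: " + BuildUnsafeQuery(input));
        Console.WriteLine("Parameterized text: SELECT Id, Email FROM Users WHERE UserName = @userName");
        Console.WriteLine("Parameter value:    " + input);
    }
}
```

The sized NVarChar parameter also fixes the column type and length on the client, which avoids implicit conversions on the server and gives the query plan cache a stable shape; both are side benefits of the same habit that closes the injection path.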

Summary

• ASP.NET provides a large number of security features to enable developers to write secure code.

– Familiarize yourself with the security features offered by the framework.

– Use these features wisely according to your needs.

• Use IIS security features to lock down your web applications against intrusion.

– Use appropriate authentication methods.

– Isolate applications to minimize damage due to a rogue or compromised application.

Resources

• Security Developer Center: http://msdn.microsoft.com/security

• Threats & Countermeasures: http://msdn2.microsoft.com/en-us/library/ms994921.aspx

• Building Secure ASP.NET Applications http://msdn2.microsoft.com/en-us/library/Aa302415.aspx

• http://www.iis.net

• http://blogs.msdn.com/ace_team/

Application Security Consulting Services

• Services offered by Microsoft ACE Services:

– Application Security Code Reviews

– Threat Modeling/Design Reviews

– Training:

  • Secure Application Development

  • Threat Modeling

– Assistance with developing and deploying SDL-IT within your environment

• Contact

– vimalr@microsoft.com

– SDL-IT@microsoft.com

Questions?

• Email: vimalr@microsoft.com

• Blog: http://blogs.msdn.com/ace_team