Securing MVC.NET Web Applications Andrew Wilson 오 안녕하세요!!!! • • • • • Senior Software Consultant Obsessed security guy OWASP co-lead Long walks on the beach desert Drinking IPA in the rain Overview • Microsoft SDL • Introduction to OWASP – OWASP Projects – Top 10 Security problems • Microsoft Framework Security Components • Summary • Further Reading Brief Rant • • • • • Lists are generic, your problems aren’t Narrows the field of vision Simple face on a complex problem Top 10 gets you started in the right direction Secure development processes gets you the rest the way Brief Review of SDL • • • • • Defined security process from MS History lesson of what worked and didn’t Low cost of entry (free) You need a Secure Development Lifecycle It might be too big for your needs Tools • WebScarab is free, and hence awesome • Burp Suite is free, and also awesome • Burp Suite Pro is not free, but it’s the most awesomest of them all. Introduction to OWASP • Focused on improving security of applications • OWASP Projects Include: – Developer & Tester Guides – SAMM (Software Assurance Maturity Model) • OWASP Tools – WebScarab, Live CD, WebGoat, ESAPI OWASP Top 10 Injection Attacks Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… SQL injection is still quite common • Many applications still susceptible (really don’t know why) • Even though it’s usually very simple to avoid Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access ATTACK Billing Directories Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 3. Application forwards attack to the database in a SQL query App Server Web Server Firewall Hardened OS Firewall DB Table "SELECT * FROM Account Summary Account: accounts WHERE SKU: acct=‘’ OR 1=1-Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 ’" 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data Custom Code Network Layer Human Resrcs Web Services Databases HTTP SQL response query HTTP request APPLICATION Legacy Systems Communication Knowledge Mgmt E-Commerce Bus. Functions Administration Transactions Accounts Finance Application Layer Injection Attacks Illustrated 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user Pop Quiz! • Q: Is .NET a compiled language or is it an interpreted one? • A: Yes! Injection Defense • This is the single hardest problem in web security. Data. • Common Approaches include: – White Listing – Black Listing – Encoding • Once you identify something is wrong… What do you do next? Injection Vectors • Html input data • Javascript itself • Reflection attacks are injection based (because they attack the reflection / interrupter) • XML attacks against web services • JIT attacks (what the world?) • LDAP & SQL MS-AntiXSS Encoding Method Should Be Used If … Example/Pattern HtmlEncode Untrusted input is used in HTML output except when assigning to an HTML attribute. <a href="http://www.contoso.com">Click Here [Untrusted input]</a> HtmlAttributeEncode Untrusted input is used as an HTML attribute <hr noshade size=[Untrusted input]> Untrusted input is used within a JavaScript context <script type="text/javascript"> … [Untrusted input] … </script> Untrusted input is used in a URL (such as a value in a querystring) <a href="http://search.msn.com/results. aspx?q=[Untrusted-input]">Click Here!</a> VisualBasicScriptEncode Untrusted input is used within a Visual Basic Script context <script type="text/vbscript" language="vbscript"> … [Untrusted input] … </script> XmlEncode Untrusted input is used in XML output, except when assigning to an XML attribute <xml_tag>[Untrusted input]</xml_tag> XmlAttributeEncode Untrusted input is used as an XML attribute <xml_tag attribute=[Untrusted input]>Some Text</xml_tag> JavaScriptEncode UrlEncode XSS Attacks Occurs any time… • Raw data from attacker is sent to an innocent user’s browser Raw data… • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client Virtually every web application has this problem • Try this in your browser – javascript:alert(document.cookie) Typical Impact • Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites Victim views page – sees attacker profile Custom Code Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie Communication Knowledge Mgmt E-Commerce Bus. Functions 2 Administration Transactions Attacker enters a malicious script into a web page that stores the data on the server Application with stored XSS vulnerability Accounts Finance 1 XSS Illustrated Attacker sets the trap – update my profile Defense • • • • Encoding your variables Built in XSS defensive bits in MVC.net Anti-XSS library What are the attack vectors? – – – – – – Cookies Url Querystring Post Variables HTTP Request Headers JSON / XML payloads Broken Auth & Session Management HTTP is a “stateless” protocol • Means credentials have to go with every request • Should use SSL for everything requiring authentication Session management flaws • SESSION ID used to track state since HTTP doesn’t • and it is just as good as credentials to an attacker • SESSION ID is typically exposed on the network, in browser, in logs, … Beware the side-doors • Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Typical Impact • User accounts compromised or user sessions hijacked www.boi.com?JSESSIONID=9FA1DB9EA... Site uses URL rewriting (i.e., put session in URL) 3 2 Custom Code User clicks on a link to http://www.hacker.com in a forum Hacker checks referer logs on www.hacker.com and finds user’s JSESSIONID Hacker uses JSESSIONID and takes over victim’s account Communication Knowledge Mgmt E-Commerce Bus. Functions User sends credentials Accounts Finance 1 Administration Transactions Broken Auth Illustrated 4 Defense (Bad news) • ASP.NET has no built in countermeasures • RegenerateExpiredSessionId doesn’t work the way you’d expect • MS has no plans to fix this (yet) Defense • Set your web.config to not allow sessions to be stored for cookieless browsers. • Set your sessions data ONLY in secure pages • Password reset is mostly a logical bug • Be wary of relationships that can be faked • Regenerate Login once logged in • Don’t leak the sessionId (if possible) Insecure Direct Object Reference How do you protect access to your data? • This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access A common mistake … • • • • • Only listing the ‘authorized’ objects for the current user, or Hiding the object references in hidden fields … and then not enforcing these restrictions on the server side This is called presentation layer access control, and doesn’t work Attacker simply tampers with parameter value Typical Impact • Users are able to access unauthorized files or data Direct Object Reference Illustrated https://www.onlinebank.com/user?acct=6065 • Attacker notices his acct parameter is 6065 ?acct=6065 • He modifies it to a nearby number ?acct=6066 • Attacker views the victim’s account information Defense • • • • • Rutroh! This is how MVC is structured! Don’t bind to ID’s that can be enumerated? Accept it as loss? Rewrite the URIs! (IIS) Secure the URIs! CSRF Attacks Cross Site Request Forgery • An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? Typical Impact • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details CSRF Illustrated While logged into vulnerable site, victim views attacker site Communication Knowledge Mgmt E-Commerce Bus. Functions 2 Administration Transactions Hidden <img> tag contains attack against vulnerable site Application with CSRF vulnerability Accounts Finance 1 Attacker sets the trap on some website on the internet (or simply via an e-mail) Custom Code 3 <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site Vulnerable site sees legitimate request from victim and performs the action requested Defense • • • • • Protect valuable actions with CAPTCHA Validation of Headers (Weak-Sauce) Expire session, offer logout options New JSON exposure Protect the website with CSRF Tokens – Built into MVC.NET – Implementation is more difficult than it seems Security Misconfigurations Web applications rely on a secure foundation • Everywhere from the OS up through the App Server • Don’t forget all the libraries you are using!! Is your source code a secret? • Think of all the places your source code goes • Security should not require secret source code CM must extend to all parts of the application • All credentials should change in production Typical Impact • Install backdoor through missing OS or server patch • XSS flaw exploits due to missing application framework patches • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration Communication Knowledge Mgmt E-Commerce Bus. Functions Administration Transactions Accounts Finance Security Misconfig Illustrated Database Custom Code App Configuration Framework Development App Server QA Servers Web Server Insider Hardened OS Test Servers Source Control Defense • Cassini is a LIAR, do not trust it! • ASP.NET won’t serve particular types of files by default: – DON’T RENAME THEM! Web.config.bak WILL be served! – Don’t allow directory browsing • Don’t let developers know secure connection strings to production if you can avoid it. Insecure Cryptographic Storage Storing sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Databases, files, directories, log files, backups, etc. • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance • Business gets sued and/or fined 1 Victim enters credit card number in form Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Insecure Cryptographic Storage Illustrated Custom Code 4 Log files Malicious insider steals 4 million credit card numbers Logs are accessible to all members of IT staff for debugging purposes Error handler logs CC details because merchant gateway is unavailable 3 2 Defense • Are you encrypting sensitive information w/ SQL Server 2008? • Are you storing sensitive information in places you ought not to? Logs, emails, etc.. • What are you encrypting in the database URL Access How do you protect access to URLs (pages)? • This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References A common mistake … • Displaying only authorized links and menu choices • This is called presentation layer access control, and doesn’t work • Attacker simply forges direct access to ‘unauthorized’ pages Typical Impact • Attackers invoke functions and services they’re not authorized for • Access other user’s accounts and data • Perform privileged actions Failure to Restrict URL Access Illustrated h ttp s ://w w w .o n lin e b a n k .c o m /u s er/g e tA c c o u n ts • Attacker notices the URL indicates his role /user/getAccounts • He modifies it to another directory (role) /admin/getAccounts, or /manager/getAccounts • Attacker views more accounts than just their own Defense • Use [Authorization] headers where appropriate • Use Web.Config <sections> where appropriate • Consider using Role filters and [Permission.Demand] attributes over features • Consider: Who owns this, who can maintain it, how high up the chain can they call? • Don’t forget all your super rad JSON stuff! • Service calls need security love too! Insufficient Transport Layer Protection Transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data is sent • On the web, to backend databases, to business partners, internal communications • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident • Business gets sued and/or fined Insufficient Transport Layer Protection Illustrated Business Partners External Victim Custom Code 1 External attacker steals credentials and data off network External Attacker Backend Systems 2 Employees Internal attacker steals credentials and data from internal network Internal Attacker Defense • Use awesome certificates (aka, 3rd party verified, non-expired) • Set them UP CORRECTLY (validate) • Insecure landing page • Don’t use redirects, use HTTPS only • Insecure Content Attacks • Use Strong encryption Unvalidated Redirects & Forwards Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren’t validated, attacker can send victim to a site of their choice Forwards (aka Transfer in .NET) are common too • They internally send the request to a new page in the same application • Sometimes parameters define the target page • If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks Typical Impact • Redirect victim to phishing or malware site • Attacker’s request is forwarded past security checks, allowing unauthorized function or data access Unvalidated Redirect Illustrated Attacker sends attack to victim via email or webpage Bus. Functions E-Commerce Knowledge Mgmt Communication Transactions Victim clicks link containing unvalidated parameter Application redirects victim to attacker’s site Administration 2 3 Finance From: Internal Revenue Service Subject: Your Unclaimed Tax Refund Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim. Accounts 1 Custom Code Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site http://www.irs.gov/taxrefund/claim.jsp?year=2006 & … &dest=www.evilsite.com Evil Site 4 Evil site installs malware on victim, or phish’s for private information Defense • Don’t do that! • If you have to, use some variable to control location, not user supplied code • Be wary of Response.Redirect! The action may still performed even if the site is redirected! Other .NET Framework Components • • • • Monitoring / health frameworks SecureStrings Encryption: Built in frameworks Data leaking: – Viewstate encryption – Errors and error handling More stuff • • • • Awareness of what is publicly indexed Developer comments Robots.txt Crossdomain.xml Summary • Out of the box, MVC.NET is the easiest defendable web application framework I have ever used. • ASP.NET comes with many built in components that can really help you out (if utilized) • Bad code can be written in any language. Don’t do that QA? • Twitter: awilsong • Blog: http://pinvoke.wordpress.com • Email: pinvoke@doublethunk.org