net from the hacker's perspective

Post on 05-Jan-2017






.NET from the HackerÕsPerspective

Drew Miller

.NET from the HackerÕsPerspective

What Hackers Dislike

l .NET Buffer Overflows

l Role Security

l CAS Code Access Security

l Cryptography

l Summary

.NET Buffer Overflows

l Managed Code

l Legacy Code

l The Developer Mind Set

.NET Buffer Overflows: ManagedCode

l Self-resizing variables

l .NET Framework keeps fixed sizedvariables from being copied to byvariable sized variables

.NET Buffer Overflows: LegacyCode

l It is still very common to use previouslycoded modules and routines

l Why reinvent the wheel?l Security?

.NET Buffer Overflows: TheDeveloperÕs Mind Set

l No buffer overflows in .NET? I no longerneed to bounds check my variable lengthvariables.

l Less could mean more

Role Security

l DonÕt call meÉ IÕll call you

l Framework for defining class andfunction level call security

CAS Code Access Security

l Mobile Code

l Default user permission settings for theInternet Zone makes hard case forignoring use in public market

l Signing Assemblies (GAC)

l Key Management (Source Safe)

l Encrypt vs. Encode vs. Hashing

l Minimal Coding Requirements

l Fast

l Easy Key Management


What Hackers Dislike: Summary

l Buffer Overflow Protectionl Always bounds check

l Role Based Security In Codel Validate who is allowed to call functions

l Newer Code Difficult To Trojanl Avoid Trojans like ÒFunLoveÓ

l Everything Encryptedl Avoid information leakage

.NET from the HackerÕsPerspective

l Everyone has a deadline

l Everyone has a performancerequirement

l NEW -> Everyone has a securityrequirement

l Dollar -> Security -> Risk

.NET from the HackerÕsPerspective

What Hackers Like

l Information Leakagel View state


l SQL errors

l Web errors

l Cookies

l URLs

l Does easy todevelop mean easyto exploit?

l Cross Site Scripting

l Reaply/Hijacking

l Injection XML/SQL

Information Leakage: View State

l View Statel Base64 encoded

l Dynamic properties of server-side controls

l Map to exposures and vulnerabilities

Information Leakage: XML

l The world of plaintext

l Sniffed traffic can lead to informationleakage

l Encrypting XML can be cumbersomeand degrades performance

l Signing XML is also difficult anddegrades performance

Information Leakage: SQL errors

l Not once, not twice, but N times

l The exploitation road map to accessingyour dataÉ

l The small to medium company go-to-guy

Information Leakage: Web errors

l Programmers are logical

l Hackers are logical

l Login examplel Password Invalid

l User Invalid

l User or Password Invalid

l Enumeration functions

Information Leakage: Cookies

l Stored on client

l Modifiable

l Extents to any client side persisted stateinformation

l Serialization

l Client to server program configurationfiles (non-HTTP)

Information Leakage: URLs

l URLs tell a storyl System Administrator/Deployment Know-


l Incrementing variables

l Arguments to functions

Information Leakage: EasyDevelopment leads to Easy Exploits

l If I do not incorporate security knowledgeand processing during development anddeployment of all resources, regardlessof whether the access to that resource isanonymous or authenticated, isexploitation possible? YES.

Cross Site Scripting

l HTML inputs for everyone

l How do I validate?

l Just donÕt do it if you can avoid itÉ gooddesign makes for good security

Replay / Hijacking

l Session Hijackingl HTTP Session IDs

l .NET Forms Authentication

l Got SSL?l Hey! Cross Site Scripting to the rescueÉ

l Validation = ( Authentication -> Session )* Each Request

Injection XML/SQL


l Dynamic SQL

l .NET SqlParameter

.NET from the HackerÕsPerspective

l Parameter validation still key to amajority of vulnerabilities

l Why authenticate when you can hijack?

l Sign code, encrypt data, or elseÉ

l Server side security much betterÉcommunication security still difficult tosecure with ease, but definitely possible

.NET from the HackerÕsPerspective

Drew Miller

