beefing up security in asp.net part 2 dot net bangalore 4th meet up on august 08 2015


Upload: gmaran23

Post on 19-Jan-2017


TRANSCRIPT

Devouring Security

Marudhamaran Gunasekaran @gmaran23

Beefing up Security in ASP.NET Part 2

Dot Net Bangalore 4th meet up, August 08 2015 @ Prowareness, Bangalore

Part 1: Screen recording https://vimeo.com/gmaran23/beefingupsecurityinaspdotnet / Slides http://www.slideshare.net/gmaran23/beefing-up-security-in-aspnet-dot-net-bangalore

Part 2 (this presentation): Screen recording https://vimeo.com/gmaran23/beefingupsecurityinaspdotnetpart2

Next 30 minutes

• See the vulnerabilities in action
• Leveraging ASP.NET mitigations

Allowing yourself to be DoS-ed with large HTTP requests

Controlling HTTP requests size or leaving it to default

<system.web> <httpRuntime maxRequestLength="4096"/> </system.web>

• Leave it at the default of 4 MB
• Or be wary of the consequences of adjusting the size

__VIEWSTATE insecurity

Securing the __VIEWSTATE

<pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always" />

Synchronizing decryptionKey and validationKey across servers


Leave useUnsafeHeaderParsing to default

<system.net> <settings> <httpWebRequest useUnsafeHeaderParsing="false"/> </settings> </system.net>

protection from invalid http requests

Beefing up Forms Authentication

<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120"/></authentication>

• Shorter timeout is more secure

Beefing up Forms Authentication

<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies"/></authentication>

• UseCookies, not the URI, for carrying authentication information

Beefing up Forms Authentication

<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious"/></authentication>

• Obscure the name of the auth cookie; the default is .ASPXAUTH

Beefing up Forms Authentication

<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious" requireSSL="true" /></authentication>

• Send authentication information only over SSL

Beefing up Forms Authentication

<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious" requireSSL="true" slidingExpiration="false"/></authentication>

• When timeout expires, require re-authentication

Beefing up Forms Authentication

<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious" requireSSL="true" slidingExpiration="false" protection="All" /></authentication>

• Protection by verification and encryption

Password policies within Membership

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15"> <providers> <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="DefaultConnection" applicationName="SqliModernApp" enablePasswordRetrieval="false" passwordFormat="Hashed" minRequiredPasswordLength="7" maxInvalidPasswordAttempts="5" passwordAttemptWindow="30" minRequiredNonAlphanumericCharacters="1"/> </providers> </membership>
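The settings covered so far (request size, __VIEWSTATE, useUnsafeHeaderParsing, the forms authentication attributes and the membership password policy) can be checked mechanically rather than by eye. The following is an added example, not code from the deck: a Python audit that parses a web.config with the standard library and reports every setting that is weaker than the value the slides recommend. Both sample configs are constructed for this example (the hardened one reproduces the deck's values). For attributes that are absent, the audit assumes the framework defaults: maxRequestLength 4096 KB, a 30-minute forms timeout, cookieless UseDeviceProfile, cookie name .ASPXAUTH, slidingExpiration true, protection All, and the SqlMembershipProvider defaults of passwordFormat Hashed, minimum length 7, 5 invalid attempts and 1 non-alphanumeric character.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config that weakens every setting the deck covers.
WEAK_CONFIG = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="2097151"/>
    <pages enableEventValidation="false" enableViewStateMac="false" viewStateEncryptionMode="Auto"/>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" cookieless="AutoDetect" name=".ASPXAUTH"
             requireSSL="false" slidingExpiration="true" protection="Validation"/>
    </authentication>
    <membership defaultProvider="SqlProvider"><providers>
      <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
           enablePasswordRetrieval="true" passwordFormat="Clear" minRequiredPasswordLength="4"
           maxInvalidPasswordAttempts="100" minRequiredNonAlphanumericCharacters="0"/>
    </providers></membership>
  </system.web>
  <system.net><settings><httpWebRequest useUnsafeHeaderParsing="true"/></settings></system.net>
</configuration>"""

# Constructed sample: the same sections with the values recommended in the deck.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="4096"/>
    <pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always"/>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="120" cookieless="UseCookies" name="NotVeryObvious"
             requireSSL="true" slidingExpiration="false" protection="All"/>
    </authentication>
    <membership defaultProvider="SqlProvider"><providers>
      <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
           enablePasswordRetrieval="false" passwordFormat="Hashed" minRequiredPasswordLength="7"
           maxInvalidPasswordAttempts="5" passwordAttemptWindow="30" minRequiredNonAlphanumericCharacters="1"/>
    </providers></membership>
  </system.web>
  <system.net><settings><httpWebRequest useUnsafeHeaderParsing="false"/></settings></system.net>
</configuration>"""


def _attr(root, path, name, default):
    # An absent element or attribute means the framework default applies.
    el = root.find(path)
    return default if el is None else el.get(name, default)


def audit_web_config(xml_text):
    """Return the settings weaker than the deck's recommendation (empty list = clean)."""
    root = ET.fromstring(xml_text)
    f = []
    # Request size: maxRequestLength is in KB and defaults to 4096 (4 MB).
    max_kb = int(_attr(root, "system.web/httpRuntime", "maxRequestLength", "4096"))
    if max_kb > 4096:
        f.append(f"httpRuntime maxRequestLength={max_kb} KB exceeds the 4 MB default")
    # __VIEWSTATE: MAC, encryption and event validation must all be on.
    pages = "system.web/pages"
    if _attr(root, pages, "enableViewStateMac", "true").lower() != "true":
        f.append("pages enableViewStateMac is disabled")
    if _attr(root, pages, "viewStateEncryptionMode", "Auto") != "Always":
        f.append("pages viewStateEncryptionMode is not Always")
    if _attr(root, pages, "enableEventValidation", "true").lower() != "true":
        f.append("pages enableEventValidation is disabled")
    # Outbound HttpWebRequest: unsafe header parsing should stay off (the default).
    if _attr(root, "system.net/settings/httpWebRequest",
             "useUnsafeHeaderParsing", "false").lower() == "true":
        f.append("httpWebRequest useUnsafeHeaderParsing is enabled")
    # Forms authentication ticket/cookie settings, with framework defaults.
    forms = root.find("system.web/authentication[@mode='Forms']/forms")
    if forms is not None:
        a = forms.get
        if int(a("timeout", "30")) > 120:
            f.append(f"forms timeout={a('timeout')} minutes is longer than 120")
        if a("cookieless", "UseDeviceProfile") != "UseCookies":
            f.append("forms cookieless is not UseCookies (ticket may be carried in the URL)")
        if a("name", ".ASPXAUTH") == ".ASPXAUTH":
            f.append("forms cookie name is the default .ASPXAUTH")
        if a("requireSSL", "false").lower() != "true":
            f.append("forms requireSSL is not true")
        if a("slidingExpiration", "true").lower() != "false":
            f.append("forms slidingExpiration is enabled")
        if a("protection", "All") != "All":
            f.append("forms protection is not All")
    # Membership password policy of the default provider, with provider defaults.
    ms = root.find("system.web/membership")
    prov = None if ms is None else ms.find(f"providers/add[@name='{ms.get('defaultProvider', '')}']")
    if prov is not None:
        p = prov.get
        if p("enablePasswordRetrieval", "false").lower() == "true":
            f.append("membership enablePasswordRetrieval is enabled")
        if p("passwordFormat", "Hashed") != "Hashed":
            f.append("membership passwordFormat is not Hashed")
        if int(p("minRequiredPasswordLength", "7")) < 7:
            f.append("membership minRequiredPasswordLength is below 7")
        if int(p("maxInvalidPasswordAttempts", "5")) > 5:
            f.append("membership maxInvalidPasswordAttempts is above 5")
        if int(p("minRequiredNonAlphanumericCharacters", "1")) < 1:
            f.append("membership requires no non-alphanumeric character")
    return f
```

Running `audit_web_config(WEAK_CONFIG)` yields sixteen findings, one per weakened attribute, while `audit_web_config(HARDENED_CONFIG)` yields none. Because the checks fall back to the framework defaults, a config that simply omits `<forms>` attributes is reported honestly: the default cookie name and sliding expiration are flagged, while protection="All" is accepted as the default it is.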

Protecting Sensitive Configurations

• Web.config protection – single server deployment - https://msdn.microsoft.com/en-us/library/ms998280.aspx

aspnet_regiis.exe -pef "connectionStrings" C:\WebDirRootFolder -prov "DataProtectionConfigurationProvider"

Protecting Sensitive Configurations

• Web.config protection – web farm deployment - https://msdn.microsoft.com/en-us/library/ff650304.aspx

aspnet_regiis.exe -pef "connectionStrings" C:\WebDirRootFolder

Protecting Sensitive Configurations

• RSA based web.config encryption – how to synchronize (export and import) key pairs

• https://msdn.microsoft.com/en-us/library/ff650304.aspx#paght000006_webfarmscenarios
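The two deployment cases above differ in one property: a section encrypted with DataProtectionConfigurationProvider is tied to the machine's DPAPI key, so no other farm node can read it, whereas the provider aspnet_regiis uses when -prov is omitted, RsaProtectedConfigurationProvider, works across a farm once its key container has been exported and imported on every node. The same consistency requirement applies to the machineKey element discussed earlier (validationKey and decryptionKey must be identical on every server, not AutoGenerate). The following is an added example, not the deck's code: a Python check that reads each node's web.config, confirms that connectionStrings was actually encrypted rather than left in plaintext, flags a DPAPI-protected section or an auto-generated machineKey in a multi-node farm, and reports nodes whose machineKey values disagree. The node configs, cipher blobs and key values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

AUTO = "AutoGenerate,IsolateApps"  # framework default for both machineKey attributes

# Constructed sample: node A encrypted connectionStrings with the DPAPI provider
# (machine-local key) and left machineKey at its auto-generated default.
NODE_A = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER-DPAPI-BLOB</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
  <system.web><machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/></system.web>
</configuration>"""

# Constructed sample: node B was never encrypted and still holds the plaintext string.
NODE_B = """<configuration>
  <connectionStrings>
    <add name="DefaultConnection" connectionString="Server=db;Database=app;User Id=x;Password=PLACEHOLDER"/>
  </connectionStrings>
  <system.web><machineKey validationKey="PLACEHOLDER-VALIDATION-KEY" decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                          validation="HMACSHA256" decryption="AES"/></system.web>
</configuration>"""

# Constructed sample: node C used the RSA provider and the same explicit machineKey
# as node B; this is the shape every farm member should have.
NODE_C = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-RSA-BLOB</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web><machineKey validationKey="PLACEHOLDER-VALIDATION-KEY" decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                          validation="HMACSHA256" decryption="AES"/></system.web>
</configuration>"""


def _local(tag):
    # Strip an XML namespace: "{http://...}CipherValue" -> "CipherValue".
    return tag.rsplit("}", 1)[-1]


def section_protection(xml_text, section="connectionStrings"):
    """Name of the provider protecting `section`, or None if it is stored in the clear."""
    sec = ET.fromstring(xml_text).find(section)
    if sec is None:
        return None
    prov = sec.get("configProtectionProvider")
    # The RSA provider emits namespaced xmlenc elements, the DPAPI provider bare ones;
    # either way a real encrypted section carries a CipherValue and no plaintext <add>.
    has_cipher = any(_local(el.tag) == "CipherValue" for el in sec.iter())
    has_plain = any(_local(el.tag) == "add" for el in sec)
    return prov if prov and has_cipher and not has_plain else None


def machine_key(xml_text):
    """(validationKey, decryptionKey), defaulting to AutoGenerate when not set."""
    mk = ET.fromstring(xml_text).find("system.web/machineKey")
    if mk is None:
        return (AUTO, AUTO)
    return (mk.get("validationKey", AUTO), mk.get("decryptionKey", AUTO))


def audit_farm(configs):
    """configs maps node name -> web.config text. Returns findings across the farm."""
    findings, keys = [], {}
    farm = len(configs) > 1
    for node, xml in configs.items():
        prov = section_protection(xml)
        if prov is None:
            findings.append(f"{node}: connectionStrings is stored in plaintext")
        elif farm and prov == "DataProtectionConfigurationProvider":
            findings.append(f"{node}: DPAPI-protected section cannot be decrypted by other nodes")
        vk, dk = machine_key(xml)
        if farm and ("AutoGenerate" in vk or "AutoGenerate" in dk):
            findings.append(f"{node}: machineKey is auto-generated, so viewstate and auth tickets "
                            "issued here will fail validation on other nodes")
        keys[node] = (vk, dk)
    if len(set(keys.values())) > 1:
        findings.append("machineKey differs between nodes " + ", ".join(sorted(keys)))
    return findings
```

On a single server, `audit_farm({"web01": NODE_A})` returns nothing: DPAPI protection and an auto-generated machineKey are both fine when only one machine ever reads the file. Feed the three constructed nodes in together and the same config A is reported twice, B is reported for its plaintext connection string, and the mismatch in machineKey values is reported once for the farm as a whole.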

1. https://renouncedthoughts.wordpress.com/2014/01/14/devouring-security-sql-injection-exploitation-and-prevention-part-1/

2. https://renouncedthoughts.wordpress.com/2014/02/07/devouring-security-sql-injection-exploitation-and-prevention-part-2/

3. https://renouncedthoughts.wordpress.com/2014/05/09/sql-injection-testing-for-qa-testers/

4. https://renouncedthoughts.wordpress.com/2014/05/09/devouring-security-xml-attack-surface-and-defenses/

5. https://renouncedthoughts.wordpress.com/2014/09/26/devouring-security-cross-site-scripting-xss/

6. https://renouncedthoughts.wordpress.com/2015/05/20/practical-security-testing-for-developers-using-owasp-zap-at-dot-net-bangalore-3rd-meet-up-on-feb-21-2015/