C# Security Testing and Debugging
![Page 1: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/1.jpg)
Security Testing/Debugging
From Rich Helton’s October 2010 C# Web Security
![Page 2: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/2.jpg)
Security Testing
-FxCop
-CAT.NET
-NUnit
-HtmlUnit
-Selenium
![Page 3: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/3.jpg)
White Box Testing
White-box testing is testing the system from an internal perspective, with knowledge of its source code.
When that examination is done by a tool without running the program it is known as static analysis. These tools can find issues in the source code (or the compiled assemblies) before
the code is actually executed. A list of tools can be found at
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
![Page 4: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/4.jpg)
CAT.NET (Microsoft's Code Analysis Tool .NET, a plugin that can be added from the Windows SDK)
CAT.NET can be used with Visual Studio to analyze the current solution. Here is a Visual Studio 2008 popup after selecting Tools->CAT.NET Analysis Tool from the menu:
![Page 5: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/5.jpg)
CAT.NET (after pushing the Excel report button)
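The kind of finding CAT.NET's data-flow rules report, shown here as an added example that is not from the original slides and not CAT.NET's own code. A value from Request.QueryString is a tainted source; the two sinks that matter most in a web application are the HTML response and the SQL command text. Each flow is shown in the form the analyzer flags and the form that passes. The page name, the Books table and the connection string are assumptions made for the illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Hypothetical search page. CAT.NET treats Request.* as tainted and
// Response.Write / SqlCommand text as sinks for XSS and SQL injection.
public class SearchPage : Page
{
    // Assumption: in a real application this comes from configuration.
    private const string ConnectionString =
        "Server=(local);Database=Books;Integrated Security=true";

    // FLAGGED (cross-site scripting): tainted data reaches the HTML response unencoded.
    public static string RenderHeadingUnsafe(string term)
    {
        return "<h1>Results for " + term + "</h1>";
    }

    // CLEAN: the value is encoded for the HTML context it is written into.
    public static string RenderHeadingSafe(string term)
    {
        return "<h1>Results for " + HttpUtility.HtmlEncode(term) + "</h1>";
    }

    // FLAGGED (SQL injection): tainted data is concatenated into the command text.
    public static SqlCommand BuildQueryUnsafe(SqlConnection conn, string term)
    {
        return new SqlCommand(
            "SELECT Title FROM Books WHERE Title LIKE '%" + term + "%'", conn);
    }

    // CLEAN: the value travels as a typed parameter and is never parsed as SQL.
    public static SqlCommand BuildQuerySafe(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand(
            "SELECT Title FROM Books WHERE Title LIKE @pattern", conn);
        // LIKE wildcards (% and _) inside the term are still interpreted by SQL Server;
        // escape them if the user should not control partial matching.
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
        return cmd;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string term = Request.QueryString["q"] ?? "";   // tainted source

        Response.Write(RenderHeadingSafe(term));

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = BuildQuerySafe(conn, term))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                // Data read back from the database is untrusted for HTML output too.
                while (reader.Read())
                    Response.Write("<li>" + HttpUtility.HtmlEncode(reader.GetString(0)) + "</li>");
            }
        }
    }
}
```

Running CAT.NET over an assembly containing the two Unsafe methods produces one XSS and one SQL injection finding with the source and sink lines; the Safe methods produce none because the encoding and parameter calls are recognized as sanitizers.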
![Page 6: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/6.jpg)
FxCop
CAT.NET rules can be run in FxCop instead of Visual Studio.
FxCop examines compiled assemblies (IL and metadata), not the source, so it can also be run against third-party or already deployed binaries. It can be downloaded as part of the Windows SDK.
![Page 7: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/7.jpg)
NUnit
NUnit is a unit-testing framework for .NET; see www.nunit.org
Unlike the static analysis tools above, NUnit tests actually execute the code, so they can verify runtime behaviour such as input validation, output encoding and error handling, and they can be run automatically on every build.
![Page 8: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/8.jpg)
NUnit
![Page 9: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/9.jpg)
Headless Browser
Headless browser automation replicates a real-world browser without a display, so the test can be automated and run unattended. It provides low-level control over the HTML and HTTP. Reference:
http://blog.stevensanderson.com/2010/03/30/using-htmlunit-on-net-for-headless-browser-automation/
![Page 10: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/10.jpg)
HtmlUnit steps
Download HtmlUnit: http://sourceforge.net/projects/htmlunit/
Download IKVM, which compiles the Java jars into a .NET assembly: http://sourceforge.net/projects/ikvm/files/
Create the HtmlUnit DLL: in the directory holding the HtmlUnit jars, run "ikvmc -out:htmlunit-2.7.dll *.jar"
Include the htmlunit, IKVM.OpenJDK and nunit DLLs in the project's referenced assemblies.
Reference:
http://blog.stevensanderson.com/2010/03/30/using-htmlunit-on-net-for-headless-browser-automation/
![Page 11: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/11.jpg)
What about the HTML?
HttpUnit is good for driving HTTP requests and responses, but what if I want to parse the HTML returned by the web server and examine it before doing any work?
HtmlUnit's "getPage()" routine returns the parsed page, so the test can walk through the HREFs, images and other
pieces of the HTML before acting on any item.
Selenium IDE is another open source approach: an integrated development environment that runs as a plugin on top of the Firefox browser. It records browser actions that can be played
back, executing button pushes and other actions inside the browser. Assertions can be made on the HTML pages themselves to check
specific information. The recorded test can be exported as JUnit Java code to execute in Java.
![Page 12: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/12.jpg)
HtmlUnit on C#
![Page 13: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/13.jpg)
HtmlUnit on C# (NUnit test, Under Construction page)
![Page 14: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/14.jpg)
HtmlUnit on C# (NUnit test, Page not found)
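An NUnit fixture that drives the IKVM-compiled HtmlUnit against a site's error pages, serving both the NUnit slide and the HtmlUnit steps above. This is an added example, not code from the original slides or from Steven Sanderson's post. It assumes htmlunit-2.7.dll was produced with ikvmc as described, that the IKVM.OpenJDK assemblies and nunit.framework.dll are referenced, and that the application under test listens at the hypothetical BaseUrl. Java method names keep their lowercase form because IKVM preserves them.

```csharp
using System;
using NUnit.Framework;
using com.gargoylesoftware.htmlunit;

[TestFixture]
public class ErrorPageLeakTests
{
    // Hypothetical address of the site under test.
    private const string BaseUrl = "http://localhost:8080";

    // Fragments of the default ASP.NET and SQL Server error output that should never
    // reach a browser once custom error pages are in place.
    private static readonly string[] LeakMarkers =
    {
        "Server Error in '", "Stack Trace:", "Exception Details:", "at System.",
        "Unclosed quotation mark", "Incorrect syntax near", "SqlException"
    };

    private WebClient client;

    [SetUp]
    public void CreateClient()
    {
        client = new WebClient(BrowserVersion.FIREFOX_3);
        // Do not throw on 4xx/5xx: the test wants to inspect the body that was served.
        client.setThrowExceptionOnFailingStatusCode(false);
        client.setJavaScriptEnabled(false);
    }

    [TearDown]
    public void CloseClient()
    {
        client.closeAllWindows();
    }

    // Returns the first leak marker present in the response body, or null if it is clean.
    public static string FindLeak(string body)
    {
        foreach (string marker in LeakMarkers)
        {
            if (body.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0)
                return marker;
        }
        return null;
    }

    // getPage() follows redirects, so a customErrors redirect lands on the generic page.
    private string Fetch(string path, out int status)
    {
        Page page = client.getPage(BaseUrl + path);
        WebResponse response = page.getWebResponse();
        status = response.getStatusCode();
        return response.getContentAsString();
    }

    [Test]
    public void MissingPageReturnsNotFoundWithoutDetails()
    {
        int status;
        string body = Fetch("/no-such-page.aspx", out status);
        Assert.AreEqual(404, status);
        Assert.IsNull(FindLeak(body), "default error page leaked internals");
    }

    [Test]
    public void MalformedQueryDoesNotExposeDatabaseErrors()
    {
        int status;
        // A lone quote is the classic probe; the site must answer with its generic page.
        string body = Fetch("/Search.aspx?q=%27", out status);
        Assert.IsNull(FindLeak(body), "error details leaked for a malformed query");
    }
}
```

The marker list is deliberately crude; the point is that the check runs on every build, so a developer who switches customErrors off while debugging and forgets to turn it back on is caught before the change ships.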
![Page 15: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/15.jpg)
Selenium IDE
Selenium IDE is another Open Source concept that is a Integrated Development Environment running on top of the FireFox browser as a plugin.
Supports load testing. This allows a recording of the browser actions that can be
played back execute buttons being pushed and actions inside the browser.
Assertions can be executed on the HTML pages itself for checking specific information.
The test itself can be exported into Java, .NET, Perl, Ruby, etc, and then code to execute the tests in that language.
![Page 16: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/16.jpg)
Selenium IDE Test
![Page 17: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/17.jpg)
Does the framework matter?
JWebUnit wraps both HtmlUnit and Selenium so that tests can be written once against a unified API
and executed with either framework. http://jwebunit.sourceforge.net/
![Page 18: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/18.jpg)
Security Debugging
-Logging
-Exceptions
-Log4Net
-NLog
-Error Pages
![Page 19: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/19.jpg)
Has my system been compromised?
Logging and error handling are among the most important concepts in security.
When an incident happens, the first questions are always "How did they get in?" and "What data was compromised?"
The least favorite answer is usually "No one knows." With thorough logging of authentication and authorization decisions, access to sensitive
information, and any anomalous interaction with the system, a proper investigation and recovery of the system is usually possible.
The logs should be stored on a different system in case the web system is ever compromised, one where the web system sends them but never asks for them back, so an attacker who owns the web server cannot alter or delete the evidence.
Logging is a fundamental API that comes with both Java and .NET; in .NET the System.Diagnostics namespace provides EventLog and Trace.
![Page 20: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/20.jpg)
Logging the C# way....

```csharp
using System;
using System.Diagnostics;

class EventLogExample
{
    static void Main(string[] args)
    {
        string sSource = "my warning message";   // event source name shown in the Event Viewer
        string sLog = "Application";             // log the source is registered in
        string sEvent = "Sample Event";          // text of the entry

        // Registering a source writes to the registry and needs administrative rights,
        // so do this at install time rather than from the running web application.
        if (!EventLog.SourceExists(sSource))
            EventLog.CreateEventSource(sSource, sLog);

        EventLog.WriteEntry(sSource, sEvent);                // default type is Information
        EventLog.WriteEntry(sSource, sEvent,
            EventLogEntryType.Warning, 234);                 // explicit type and event ID
    }
}
```
![Page 21: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/21.jpg)
The C# Logger output….
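The Windows event log above stays on the web server. The slide's advice to send logs to a system the web server "never asks for them back" from is shown here as an added example, not code from the original slides: audit events are formatted as RFC 5424 syslog messages and sent over UDP to a collector host, with control characters neutralized so a user-supplied value cannot forge extra lines. The collector host name, port and application name are assumptions.

```csharp
using System;
using System.Globalization;
using System.Net.Sockets;
using System.Text;

// Ships audit events to a collector on a separate host. The web server only sends;
// it holds no credentials that could read or delete what it sent.
public static class SecurityAuditLog
{
    private const string CollectorHost = "logs.internal.example";  // hypothetical
    private const int CollectorPort = 514;
    private const string AppName = "WebApp";
    private const int Facility = 13;          // "log audit" facility in RFC 5424

    public const int Warning = 4;
    public const int Notice = 5;

    // Replace CR, LF and other control characters so a login name or URL supplied by
    // the client cannot inject a second, forged entry into the audit trail.
    public static string Neutralize(string value)
    {
        if (string.IsNullOrEmpty(value)) return "-";
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
            sb.Append(char.IsControl(c) ? '_' : c);
        return sb.ToString();
    }

    // RFC 5424 layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    public static string Format(int severity, string msgId, string user, string detail)
    {
        int priority = Facility * 8 + severity;
        string timestamp = DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'",
                                                    CultureInfo.InvariantCulture);
        return string.Format(CultureInfo.InvariantCulture,
            "<{0}>1 {1} {2} {3} - {4} - user={5} {6}",
            priority, timestamp, Environment.MachineName, AppName,
            Neutralize(msgId), Neutralize(user), Neutralize(detail));
    }

    public static void Send(int severity, string msgId, string user, string detail)
    {
        byte[] payload = Encoding.UTF8.GetBytes(Format(severity, msgId, user, detail));
        using (var udp = new UdpClient())
        {
            udp.Send(payload, payload.Length, CollectorHost, CollectorPort);
        }
    }
}

class AuditDemo
{
    static void Main()
    {
        // Constructed inputs. The second user name carries an injected CR/LF and a fake
        // syslog header; after Neutralize() it stays inside the one AUTHN-FAIL entry.
        SecurityAuditLog.Send(SecurityAuditLog.Notice, "AUTHN-OK", "alice", "ip=10.0.0.5");
        SecurityAuditLog.Send(SecurityAuditLog.Warning, "AUTHN-FAIL",
            "bob\r\n<109>1 forged AUTHN-OK user=bob", "ip=10.0.0.9 reason=bad-password");
        Console.WriteLine(SecurityAuditLog.Format(SecurityAuditLog.Warning, "AUTHZ-DENY",
            "mallory", "path=/admin/users.aspx"));
    }
}
```

UDP syslog is unauthenticated and can be lost or spoofed on the wire; in production the same message layout goes over TLS (RFC 5425) or through a local forwarding agent. The design point stands either way: the web application's identity can only append to the remote store.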
![Page 22: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/22.jpg)
Exception Handling
Exception handling has helped debugging immensely. It allows a programmer to code for anomalies and handle bizarre behavior deliberately instead of letting it propagate.
There are three components to handling an exception: the "try", "catch" and "finally" blocks.
The "try" block encloses the normal code that may throw an exception, the "catch" block catches the exception and handles it, and the "finally" block performs the cleanup afterwards, whether or not an exception occurred.
The "catch" block can log the anomaly, stop the program, or process it in a hundred different ways; for security-relevant code it should log the details and fail closed rather than continue in an unknown state.
You can write your own custom exception classes to trace specific pieces of code.
![Page 23: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/23.jpg)
C# Exception Handling code....

```csharp
using System;
using System.IO;

class TestException
{
    static void Main(string[] args)
    {
        StreamReader myReader = null;
        try
        {
            // constructor will throw FileNotFoundException
            myReader = new StreamReader("IamNotHere.txt");
        }
        catch (FileNotFoundException e)
        {
            // FileNotFoundException derives from IOException, so it must be caught first
            Console.WriteLine("FileNotFoundException was {0}", e.Message);
        }
        catch (IOException e)
        {
            Console.WriteLine("IOException was {0}", e.Message);
        }
        finally
        {
            // runs whether or not an exception was thrown
            if (myReader != null)
            {
                try
                {
                    myReader.Close();
                }
                catch (IOException e)
                {
                    Console.WriteLine("IOException was {0}", e.Message);
                }
            }
        }
    }
}
```

Output-> FileNotFoundException was Could not find file 'C:\IamNotHere.txt'.
Note that e.Message carries the full file path: log it, but never send it to the end user.
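A custom exception class used the way the slide suggests, together with the fail-closed handling that security code needs. This is an added example, not code from the original slides. The ACL file format ("user:resource" per line) and the class names are constructed for the illustration; the full cause goes to the trace log while the caller only ever gets a yes/no answer.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;

// Custom exception so failures inside the authorization code can be traced
// separately from every other IOException in the application.
public class AclLoadException : Exception
{
    public string AclPath { get; private set; }

    public AclLoadException(string aclPath, Exception inner)
        : base("The access control list could not be loaded", inner)
    {
        AclPath = aclPath;
    }
}

public class FileAclAuthorizer
{
    private readonly string aclPath;

    public FileAclAuthorizer(string aclPath)
    {
        this.aclPath = aclPath;
    }

    // Constructed ACL format: one "user:resource" entry per line; blank lines and
    // lines starting with '#' are ignored.
    private HashSet<string> LoadAcl()
    {
        var allowed = new HashSet<string>(StringComparer.Ordinal);
        StreamReader reader = null;
        try
        {
            reader = new StreamReader(aclPath);
            string line;
            while ((line = reader.ReadLine()) != null)
            {
                line = line.Trim();
                if (line.Length == 0 || line.StartsWith("#")) continue;
                allowed.Add(line);
            }
        }
        catch (IOException e)                    // includes FileNotFoundException
        {
            throw new AclLoadException(aclPath, e);
        }
        catch (UnauthorizedAccessException e)
        {
            throw new AclLoadException(aclPath, e);
        }
        finally
        {
            if (reader != null) reader.Close();
        }
        return allowed;
    }

    // Fail closed: if the ACL cannot be read for any reason the answer is "no",
    // the full cause goes to the log, and the caller learns nothing else.
    public bool IsAuthorized(string user, string resource)
    {
        try
        {
            return LoadAcl().Contains(user + ":" + resource);
        }
        catch (AclLoadException e)
        {
            Trace.TraceError("access denied, ACL unavailable at {0}: {1}",
                             e.AclPath, e.InnerException);
            return false;
        }
    }
}

class AuthorizerDemo
{
    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "demo-acl.txt");
        File.WriteAllText(path, "# constructed sample ACL\nalice:/reports\nbob:/reports\n");

        var auth = new FileAclAuthorizer(path);
        Console.WriteLine(auth.IsAuthorized("alice", "/reports"));   // entry present
        Console.WriteLine(auth.IsAuthorized("alice", "/admin"));     // no entry

        File.Delete(path);
        Console.WriteLine(auth.IsAuthorized("alice", "/reports"));   // ACL gone: denied, cause logged
    }
}
```

The alternative, returning true or rethrowing a raw IOException up to the page, either grants access on an infrastructure failure or hands the file path to whoever renders the error.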
![Page 24: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/24.jpg)
Log4net
The previous logging and exception handling examples have many hard-coded pieces (log name, source, destination). Log4net offers more de-coupling as a separate, highly configurable framework:
http://logging.apache.org/log4net/ The built-in .NET System.Diagnostics tracing can also
change its destination through trace listeners configured in app.config, but log4net offers more advanced features through its Appender classes configured in XML.
Log4net is configured in XML, either in a <log4net> section of app.config/web.config or in a separate configuration file read by XmlConfigurator.
Log4net supports appenders that write the logs to databases, e-mail, files, the Windows event log, etc. http://logging.apache.org/log4net/release/config-examples.html
![Page 25: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/25.jpg)
Log4Net ASP.NET code
![Page 26: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/26.jpg)
Log4net Console output
![Page 27: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/27.jpg)
Adding an Appender #1
Let's read the XML appender configuration from app.config. Change the BasicConfigurator to XmlConfigurator:
![Page 28: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/28.jpg)
Adding an Appender #2
Add app.config for "c:\Log\log.txt":
![Page 29: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/29.jpg)
Adding an Appender Running
Reading "c:\Log\log.txt":
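The appender configuration from the last three slides in one runnable form, as an added example that is not the slides' own code. The <log4net> element is kept in a string and handed to XmlConfigurator.Configure(XmlElement) so the example runs stand-alone; the same element placed in app.config (with the log4net configSections entry) is what the parameterless XmlConfigurator.Configure() reads. It assumes log4net.dll is referenced and that c:\Log exists, as on the slide.

```csharp
using System;
using System.Xml;
using log4net;
using log4net.Config;

public static class Log4NetSetup
{
    // Equivalent of the <log4net> section the slide adds to app.config.
    // MinimalLock releases the file between writes so a log shipper or rotation
    // job on the same host does not fight the application for it.
    private const string ConfigXml = @"
<log4net>
  <appender name='FileAppender' type='log4net.Appender.FileAppender'>
    <file value='c:\Log\log.txt' />
    <appendToFile value='true' />
    <lockingModel type='log4net.Appender.FileAppender+MinimalLock' />
    <layout type='log4net.Layout.PatternLayout'>
      <conversionPattern value='%date [%thread] %-5level %logger - %message%newline' />
    </layout>
  </appender>
  <root>
    <level value='INFO' />
    <appender-ref ref='FileAppender' />
  </root>
</log4net>";

    public static void Configure()
    {
        var doc = new XmlDocument();
        doc.LoadXml(ConfigXml);
        XmlConfigurator.Configure(doc.DocumentElement);
    }
}

class Program
{
    // One logger per class: %logger in the pattern then names the class that logged.
    private static readonly ILog log = LogManager.GetLogger(typeof(Program));

    static void Main()
    {
        Log4NetSetup.Configure();
        log.Info("application started");
        // Constructed event; values taken from a request should be neutralized
        // (no CR/LF) before they are put into the message.
        log.Warn("login failed for user 'bob' from 10.0.0.5");
        log.Debug("not written: DEBUG is below the root level of INFO");
    }
}
```

Because the level and destination live in configuration, raising the root level to WARN on a busy production server or swapping the FileAppender for an EventLogAppender or a remote appender needs no code change and no redeployment.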
![Page 30: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/30.jpg)
NLog
Nlog is similar to Log4Net. The difference is that Log4Net is a .Net version of Log4J and is a framework. NLog is a plugin to Visual Studio with templates.
http://nlog-project.org/
![Page 31: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/31.jpg)
NLog
Adding the log configuration with the Visual Studio 2010 plugin:
![Page 32: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/32.jpg)
NLog
When debugging from VS2010 with the ASP.NET Development Server, the working directory, and hence the default logging directory, is C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0 .
This NLog.config will append the logger output to a file named after the class name, e.g. WebApplication1._Default.txt:
![Page 33: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/33.jpg)
NLog code
From the WebApplication1 class, Default.aspx.cs code:
![Page 34: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/34.jpg)
NLog log file
Printing the WebApplication1._Default.txt:
![Page 35: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/35.jpg)
Error Pages
Default error pages may display unintended information. For instance, some error pages display database details inside an exception message.
An error page giving details, like a database or table name, may give an attacker more than enough information to launch an attack at the website.
To correct bad error handling in pages, ASP.NET (through customErrors in web.config), Tomcat, Struts and other web engines allow a default configuration that serves one specific error page for any unhandled exception. Many web application firewalls (WAFs) take the same approach and return a generic error page, for instance a 500 "Internal Server Error", when they block an attack.
![Page 36: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/36.jpg)
Hackme Books (bad error handling)
![Page 37: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/37.jpg)
Send something more generic (based on business input)
![Page 38: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/38.jpg)
Web Error pages....
Many web sites use the default error pages that show the user exceptions, even exceptions from the database. Database exceptions tend to display table names and the invalid SQL statement, which can be used for further probing.
To send all errors to a custom error page, add to the web.config file of the ASP.NET application:
<customErrors mode="On"
defaultRedirect="errors/ErrorPage.aspx"></customErrors>
mode="On" serves the custom page to everyone. The default, "RemoteOnly", still shows full details to a browser on the server itself, and "Off" shows them to everyone and must never be left in a production web.config.
![Page 39: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/39.jpg)
Custom Errors in ASP.NET
A good resource on the issue is http://www.codeproject.com/KB/aspnet/customerrorsinaspnet.aspx
The idea is to redirect every error to a generic error page, configured in web.config, that contains nothing an attacker can use, while the real exception is recorded where developers can see it.
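The server-side half of that idea, as an added example that is not from the original slides or the CodeProject article: an Application_Error handler in Global.asax.cs that logs the real exception with an incident reference, clears it, and sends the browser to the generic page carrying only that reference. The page paths match the web.config on the previous slide with a 404 entry added; the incident-id format and the user field are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Global.asax.cs. Pairs with web.config (the slide's entry, plus a 404 page):
//   <customErrors mode="On" defaultRedirect="~/errors/ErrorPage.aspx">
//     <error statusCode="404" redirect="~/errors/NotFound.aspx" />
//   </customErrors>
// customErrors stays as the safety net for anything this handler itself cannot reach.
public class Global : HttpApplication
{
    // Keep user-controlled values (URL, user name) on one log line each.
    private static string Clean(string value)
    {
        if (string.IsNullOrEmpty(value)) return "-";
        return value.Replace("\r", "").Replace("\n", "");
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null) return;

        // ASP.NET wraps page exceptions in HttpException; unwrap so the log shows the cause.
        var httpError = error as HttpException;
        Exception cause = (httpError != null && httpError.InnerException != null)
            ? httpError.InnerException : error;
        int status = httpError != null ? httpError.GetHttpCode() : 500;

        // Short random reference the user can quote to support; it reveals nothing.
        string incidentId = Guid.NewGuid().ToString("N").Substring(0, 12);
        string user = (Context.User != null && Context.User.Identity.IsAuthenticated)
            ? Context.User.Identity.Name : "anonymous";

        // Everything a developer needs (type, message, stack trace, any SQL text in the
        // message) goes to the trace log only, never into the response.
        Trace.TraceError("incident={0} status={1} url={2} user={3} exception={4}",
            incidentId, status, Clean(Request.RawUrl), Clean(user), cause);

        // Once the error is cleared, <customErrors> will not fire, so redirect here.
        Server.ClearError();
        if (status == 404)
            Response.Redirect("~/errors/NotFound.aspx", false);
        else
            Response.Redirect("~/errors/ErrorPage.aspx?ref=" + incidentId, false);
        CompleteRequest();
    }
}
```

ErrorPage.aspx should HTML-encode the ref value before printing it, since it arrives in the query string like any other input. On IIS 7 and later, customErrors only covers requests that reach the ASP.NET pipeline; errors for static files and other handlers are configured separately under system.webServer/httpErrors and need the same generic treatment.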
![Page 40: C# Security Testing and Debugging](https://reader035.vdocument.in/reader035/viewer/2022062418/5554afceb4c90502618b5541/html5/thumbnails/40.jpg)
Send something more generic (based on business input)