Softwarefun

Attack and defence: Securing ASP.NET applications


You can find a small introduction to these posts here. Lunch at www.devdays.nl was well taken care of: salmon sandwiches, and plenty of them.

The next session of day 1 for me was “Attack and defence: Securing ASP.NET applications” ( http://www.devdays.nl/sessies/detail.aspx?code=SEC01KB ) by Keith Brown ( http://twitter.com/keithbrown42 ).

As a preface Keith showed us his yo-yo skills, pretty impressive.

According to Keith, in security you need to find a balance. You need to start with threat modelling. You can find info from P&P at http://www.msdn.com/securityguidance.

Tips:

  1. Principle of least privilege: don’t use the Network Service account, create your own account.
  2. Do defence in depth; assume all input is evil. Do security validation on the server.
  3. Put user input into strongly typed variables quickly; don’t keep it in strings too long.
  4. Don’t use a regex without ^ and $, otherwise people can still insert stuff.
  5. Use SQL parameters; don’t concatenate input into your query.
  6. Don’t show complete error messages; put them in the log and give the user a way to correlate their error with the log.
  7. Setting a maximum length on textboxes doesn’t help. Use server-side validation.

If you use validation controls you need to program them correctly: you need to check the IsValid property on the server side.

ViewState by default gets hashed and checked for tampering. Cookies don’t get this; forms login cookies do.

printf(a,b,c,d) has a big security issue (not Console.WriteLine()): a is a control channel, the rest is a data channel. Don’t give up control of the control channel. The same goes for Process.Start(a,b) and sql.CommandText = a.

Demo on SQL injection (people have automated this):

  • in a search box start with a ‘ and see if you get an error (if it is a string; for a number you don’t need it).
  • use ‘ or 1=1 – to get all the rows
  • do ‘union select null,null,null (keep adding rows)
  • replace a null with interesting stuff: @@version, username, tables from table_schema
  • if there is a user table, select emails and passwords and put them in an Excel sheet.
  • change a price
  • exec xp_cmdshell ‘net user hacker password /add’

Keith’s anti-virus software wanted to let the entire audience know that it was out of date during the presentation.

To test for XSS protection turn off validateRequest and see if your application can handle it. Web.config demo:

  • put <h2>test</h2> in a textbox and see if the formatting is kept.
  • put forms, JavaScript and whatever you want in the textbox (example: change the logo to Google’s)
  • when an error page is shown that gets its message from the query string, you can use this to enhance a phishing attack.

To fix the problem, sandbox the output. When getting the data out of the database use HttpUtility.HtmlEncode(data). On the input side, filter the input.
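The tips list and the output-encoding fix above, applied to one search handler as an added C# example (this is not Keith’s or the blog’s code; the connection string, the Products table and its columns are assumptions):

```csharp
using System;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the session: table/column names are assumed.
public static class ProductSearch
{
    // Tip 4: anchor with ^ and $ so the whole value must match, not just a substring.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9 \-]{1,50}$");

    // Tip 3: leave the string world as early as possible.
    public static bool TryParseCategory(string raw, out int category)
    {
        return int.TryParse(raw, out category) && category > 0;
    }

    // Tip 5: parameters, never concatenation. The query text is the control
    // channel; user input travels only in the data channel (the parameters).
    public static string RenderResults(string connectionString, string rawName, string rawCategory)
    {
        if (!TryParseCategory(rawCategory, out int category) || !SafeName.IsMatch(rawName))
            return "<p>Invalid search.</p>";
        var html = new System.Text.StringBuilder();
        try
        {
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand(
                "SELECT Name, Price FROM Products WHERE Name LIKE @name AND CategoryId = @cat", conn))
            {
                cmd.Parameters.Add("@name", System.Data.SqlDbType.NVarChar, 50).Value = rawName + "%";
                cmd.Parameters.Add("@cat", System.Data.SqlDbType.Int).Value = category;
                conn.Open();
                using (var reader = cmd.ExecuteReader())
                    while (reader.Read())
                        // Sandbox the output: encode everything that came out of the database.
                        html.AppendFormat("<li>{0}: {1}</li>",
                            HttpUtility.HtmlEncode(reader.GetString(0)), reader.GetDecimal(1));
            }
        }
        catch (SqlException ex)
        {
            // Tip 6: full details go to the log; the user only gets a correlation id.
            var id = Guid.NewGuid();
            System.Diagnostics.Trace.TraceError("{0}: {1}", id, ex);
            return "<p>Search failed. Reference: " + id + "</p>";
        }
        return "<ul>" + html + "</ul>";
    }
}
```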

Get free modules and examples from Pluralsight.


May 29th, 2009 |

One Response to “Attack and defence: Securing ASP.NET applications”

  1. Blog » Blog Archive » DevDays 2009 Introduction
    May 29th, 2009 at 2:40 am

    [...] Securing ASP.NET applications [...]
