Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Devouring Security
Marudhamaran Gunasekaran@gmaran23
Beefing up Security in ASP.NET
Dot Net Bangalore 3rd meet up May 16 2015 @ Prowareness, Bangalore
Watch the screen recording of this presentation here at https://vimeo.com/gmaran23/beefingupsecurityinaspdotnet
Next 30 minutes
• Addressing the low-hanging fruits
• See the vulnerabilities in action
• Leveraging ASP.NET mitigations
https://blog.malwarebytes.org/intelligence/2013/03/obfuscation-malwares-best-friend/
Configuring Custom Errors Right
<system.web>
  <customErrors mode="On" defaultRedirect="Error.aspx" redirectMode="ResponseRewrite"/>
</system.web>
mode="RemoteOnly" is the default
redirectMode="ResponseRedirect" is the default
DOS attack and safe/vulnerable .Net versions
.Net framework 2.0.50727.5477 or higher
.Net framework 4.0.30319.34011 or higher
.Net framework 2.0.50727.5420 or lower
.Net framework 4.0.30319.1 or lower
.Net framework 2.0 - Revision 5420 to 5476 -- Safe/Vulnerable?
.Net framework 4.0 - Revision 1 to 34010 -- Safe/Vulnerable?
Information Disclosure problems
Remove the Server and X-AspNetMvc-Version Header
// Global.asax: strip the Server header from every response
protected void Application_BeginRequest(object sender, EventArgs e)
{
    var application = sender as HttpApplication;
    if (application != null && application.Context != null)
    {
        application.Context.Response.Headers.Remove("Server");
    }
}

// Global.asax: stop MVC from emitting the X-AspNetMvc-Version header
protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}
Remove ASP.NET Version and X-Powered-By Header
<httpRuntime enableVersionHeader="false"/>
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
Secure <trace> configurations
<trace enabled="true" localOnly="false"/> (insecure: trace output is exposed to remote clients)
<trace enabled="false" localOnly="true"/> (default)
<deployment retail="true" />
<configuration>
  <system.web>
    <deployment retail="true"/>
  </system.web>
</configuration>
At %windir%\Microsoft.Net\Framework64\v4.0.30319\Config\machine.config
- Disables debugging
- Switches on Custom errors
- Disables tracing
Secure <sessionState> configurations
<sessionState cookieless="UseUri"/> (session ID is carried in the URL)
<sessionState cookieless="UseCookies"/> (default)
Secure <sessionState> configurations
Default cookie name obfuscation
<sessionState cookieName="_umt_"/>
Secure <httpCookies> configurations
<httpCookies httpOnlyCookies ="true" requireSSL="true"/>
httpOnlyCookies: makes the cookie unavailable to client-side scripts
requireSSL: sends the cookie only over HTTPS connections
Cross Site Scripting (XSS) Risks
• Spread drive-by download malware
• Steal credentials
• Hijack someone's session
• Privilege escalation
• Client-side DoS
http://www.technewsworld.com/story/68946.html
Make sure request validation is enabled
Request Validation in ASP.NET 4 - Breaking changes http://www.asp.net/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147
Request Validation in ASP.NET - https://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx
Context specific output encoding
ASP.Net code behind:
lblName.Text = "Hello, " + HttpUtility.HtmlEncode(txtValue.Text);
lblName.Text = "Hello," + AntiXss.HtmlEncode(txtValue.Text);
ASPX view engine :
<%: data %>
Razor view engine:
@data
Auth(en) & Auth(or) with <location>
<location path="Administration.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Sample Login Page in ASP.NET MVC
[HttpPost]
[RequireHttps]
[AllowAnonymous]
[ValidateInput(true)]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
"We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account," the research paper noted, adding that SSL did nothing to prevent the attack. "Since ING did not explicitly protect against CSRF attacks, transferring funds from a user's accounts was as simple as mimicking the steps a user would take when transferring funds."
http://www.thetechherald.com/articles/CSRF-bug-on-INGDirect-com-could-have-allowed-fraudulent-transfers
http://www.cs.utexas.edu/~shmat/courses/cs378_spring09/zeller.pdf
Cross-Site Request Forgeries: Exploitation and Prevention by William Zeller and Edward W. Felten
CSRF Mitigation in ASP.Net MVC
• Adds an HTML hidden field named __RequestVerificationToken
• Adds a cookie named __RequestVerificationToken
CSRF Mitigation in ASP.Net WebForms
• Available in Site.Master.cs
• The __AntiXsrfToken is sent in the __VIEWSTATE and in a cookie for any WebForm that uses the Site.Master master page
X-XSS-Protection
• http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
• X-XSS-Protection: 1
X-FRAME-OPTIONS
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Browser_Support
Strict-Transport-Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support
Adding necessary response headers
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
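An added example, not from the talk: a small audit that checks a captured HTTP response against the checklist these slides build up, i.e. the disclosure headers to remove (Server, X-AspNet-Version, X-AspNetMvc-Version, X-Powered-By), the headers to add (X-Frame-Options, X-XSS-Protection, Strict-Transport-Security) and the HttpOnly/Secure flags that <httpCookies> should put on every cookie. The sample response is constructed.

```python
# Added example, not from the talk: audit a captured HTTP response against the
# header and cookie checklist in these slides. The sample response is constructed.
import re

# Headers the slides say to remove (information disclosure)
DISCLOSURE_HEADERS = ("server", "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")

# Headers the slides say to add, each with the check applied to its value
REQUIRED_HEADERS = {
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "strict-transport-security": lambda v: re.search(r"max-age=\d+", v, re.I) is not None,
}

def parse_response(raw):
    # Split a raw HTTP/1.x response into its status line and {lower-cased name: [values]}
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def audit(raw):
    """Return a list of findings; an empty list means the response passes the checklist."""
    _, headers = parse_response(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"remove {name}: {headers[name][0]}")
    for name, ok in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif not ok(headers[name][0]):
            findings.append(f"weak {name}: {headers[name][0]}")
    # <httpCookies httpOnlyCookies="true" requireSSL="true"/> should put both flags on every cookie
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0]
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cname} lacks {flag}")
    return findings

# Constructed sample: a typical unhardened ASP.NET response
SAMPLE = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nX-AspNet-Version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.2\r\nX-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "X-Frame-Options: ALLOWALL\r\nContent-Type: text/html\r\n\r\n"
)
```

Running audit(SAMPLE) lists eight findings; after applying the Global.asax and web.config changes from these slides the same check returns an empty list.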
View State Security
<pages enableEventValidation="true" enableViewStateMac="true" viewStateEncryptionMode="Always" />
https://twitter.com/gmaran23
SQLi, XML, XSS, OWASP ZAP
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://vimeo.com/gmaran23 Developer focused talks
1. https://renouncedthoughts.wordpress.com/2014/01/14/devouring-security-sql-injection-exploitation-and-prevention-part-1/
2. https://renouncedthoughts.wordpress.com/2014/02/07/devouring-security-sql-injection-exploitation-and-prevention-part-2/
3. https://renouncedthoughts.wordpress.com/2014/05/09/sql-injection-testing-for-qa-testers/
4. https://renouncedthoughts.wordpress.com/2014/05/09/devouring-security-xml-attack-surface-and-defenses/
5. https://renouncedthoughts.wordpress.com/2014/09/26/devouring-security-cross-site-scripting-xss/
6. https://renouncedthoughts.wordpress.com/2015/05/20/practical-security-testing-for-developers-using-owasp-zap-at-dot-net-bangalore-3rd-meet-up-on-feb-21-2015/