Devouring Security: Marudhamaran Gunasekaran Dot Net Bangalore 3 Meet Up May 16 2015 at Prowareness, Bangalore

The document discusses securing ASP.NET applications by addressing common vulnerabilities like information disclosure, insecure session management, cross-site scripting (XSS), and lack of request validation. It provides examples of configurations and code snippets to enable features like custom errors, hiding server details, secure sessions, input encoding, authorization, anti-forgery tokens, and response headers to mitigate risks. The presentation aims to help developers "beef up" ASP.NET security by leveraging built-in protections and best practices.


Devouring Security

Beefing up Security in ASP.NET

Watch the screen recording of this presentation here:
https://vimeo.com/gmaran23/beefingupsecurityinaspdotnet

Dot Net Bangalore 3rd meet up, May 16 2015 @ Prowareness, Bangalore
Marudhamaran Gunasekaran (@gmaran23)
Next 30 minutes

• Addressing the low-hanging fruits
• See the vulnerabilities in action
• Leveraging ASP.NET mitigations

https://blog.malwarebytes.org/intelligence/2013/03/obfuscation-malwares-best-friend/
Configuring Custom Errors Right

<system.web>
  <customErrors mode="On"
                defaultRedirect="Error.aspx"
                redirectMode="ResponseRewrite"/>
</system.web>

mode="RemoteOnly" is the default: the detailed error page (stack trace, source file paths, the exception message with whatever it contains) is shown only to requests from the server itself. mode="Off" shows it to everyone; mode="On" shows the custom page to everyone, including local requests, so nothing leaks if a developer forgets to switch it back.

redirectMode="ResponseRedirect" is the default: the browser is sent a 302 to Error.aspx?aspxerrorpath=/the/failing/page, which puts the failing path in the URL and in logs, and the error page then answers with a 200. "ResponseRewrite" serves the error page at the original URL instead (a Server.Transfer, so defaultRedirect must be a physical file, not an MVC route). Check the status code the error page itself returns and set Response.StatusCode in it if a 200 is not what monitoring and scanners should see.
Information Disclosure problems

DOS attack and safe/vulnerable .Net versions

  .Net framework 2.0.50727.5420 or lower
  .Net framework 4.0.30319.1 or lower

  .Net framework 2.0 - Revision 5420 to 5476 -- Safe/Vulnerable?
  .Net framework 4.0 - Revision 1 to 34010 -- Safe/Vulnerable?

  .Net framework 2.0.50727.5477 or higher
  .Net framework 4.0.30319.34011 or higher

The exact build number matters because it tells an attacker whether a given fix is present. ASP.NET volunteers it in the X-AspNet-Version header and at the bottom of the detailed error page, which is why custom errors stay on and the version headers are removed on the following slides.
Remove the Server and X-AspNetMvc-Version Header

Global.asax.cs:

protected void Application_BeginRequest(object sender, EventArgs e)
{
    var application = sender as HttpApplication;
    if (application != null && application.Context != null)
    {
        application.Context.Response.Headers.Remove("Server");
    }
}

protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}

Response.Headers is writable only under the IIS 7+ integrated pipeline (classic mode throws PlatformNotSupportedException), and this handler runs only for requests that reach managed code: static files and IIS's own error pages still carry Server unless IIS is configured as well (runAllManagedModulesForAllRequests, or the IIS 10 removeServerHeader request-filtering setting). Verify with curl -I or ZAP against a static file and a 404, not only against a working page.
Remove ASP.NET Version and X-Powered-By Header

<system.web>
  <httpRuntime enableVersionHeader="false"/>
</system.web>

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

enableVersionHeader="false" drops the X-AspNet-Version header that ASP.NET adds. X-Powered-By is added by IIS, not by ASP.NET, which is why it is removed under <system.webServer> rather than <system.web>.
ASP.NET Tracing Vulnerabilities

Secure <trace> configurations

Vulnerable: trace.axd, with every request's form values, cookies, session contents and server variables, is readable from any host
<trace enabled="true" localOnly="false"/>

Secure (default): tracing off, and if it is ever switched on, only requests from the server itself can read it
<trace enabled="false" localOnly="true"/>
<deployment retail="true" />

<configuration>
  <system.web>
    <deployment retail="true"/>
  </system.web>
</configuration>

Set it on the production server at
%windir%\Microsoft.Net\Framework64\v4.0.30319\Config\machine.config
(and the Framework, not Framework64, path for 32-bit application pools). It is a machine-wide switch: it can only be set in machine.config and overrides whatever an application's web.config says.

- Disables debugging (compilation debug="true" is ignored)
- Switches on custom errors (customErrors mode="Off" is ignored)
- Disables tracing (trace enabled="true" is ignored)
Vulnerable: session is in the URL

Secure <sessionState> configurations

Vulnerable: the session ID travels in the URL (http://host/(S(sessionid))/page.aspx), so it lands in browser history, proxy and server logs and Referer headers, and an attacker can hand a victim a link carrying a session ID the attacker already knows (session fixation)
<sessionState cookieless="UseUri"/>

Secure (default): the session ID is only ever sent in the ASP.NET_SessionId cookie
<sessionState cookieless="UseCookies"/>

Secure <sessionState> configurations

Default cookie name obfuscation
<sessionState cookieName="_umt_"/>

Renaming ASP.NET_SessionId (the name above is the slide's example) only hides the framework from a casual look at the cookies; it adds no protection against session theft on its own.

Secure <httpCookies> configurations
<httpCookies httpOnlyCookies="true" requireSSL="true"/>

httpOnlyCookies – make the cookie unavailable to client side scripts (document.cookie), so an XSS payload cannot read it
requireSSL – send the cookie only over https connections (the Secure flag); the forms authentication cookie has its own switch, <forms requireSSL="true"/>
Cross Site Scripting (XSS) Risks
• Spread drive by download malware
• Steal credentials
• Hijack someone’s session
• Privilege escalations
• Client side DOS
http://www.technewsworld.com/story/68946.html
Make sure request validation is enabled

Request validation rejects a request whose form, query string, cookie or header values look like markup (the "potentially dangerous Request.Form value was detected" error). It is a safety net against reflected XSS, not a replacement for output encoding: it is switched off per page (ValidateRequest="false"), per action ([ValidateInput(false)]), per model property ([AllowHtml]) or per value (Request.Unvalidated), and with requestValidationMode="4.5" it is lazy, firing only when a value is actually read.

Request Validation in ASP.NET 4 - Breaking changes
http://www.asp.net/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147

Request Validation in ASP.NET
https://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx

Caution!
• The following code does not trigger request validation or delays it
Context specific output encoding

ASP.Net code behind:

  lblName.Text = "Hello, " + HttpUtility.HtmlEncode(txtValue.Text);

  lblName.Text = "Hello, " + AntiXss.HtmlEncode(txtValue.Text);

ASPX view engine:

  <%: data %>   (encodes; <%= data %> does not)

Razor view engine:

  @data         (encodes; @Html.Raw(data) and IHtmlString values do not)

HtmlEncode is the right encoder for text between tags. A value placed in an attribute, a JavaScript string, a URL parameter or a CSS value needs the encoder for that context (HtmlAttributeEncode, JavaScriptStringEncode, UrlEncode, the AntiXSS CssEncode), because the characters that break out of each context are different.
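The rule on this slide is that the encoder has to match the context the value lands in, not just "encode it". The following is an added example, not code from the slides: a console program (assumes the .NET Framework with System.Web referenced; the Untrusted string is a constructed payload) that renders the same input into HTML text, an HTML attribute, a JavaScript string and a URL parameter, with the raw concatenation the slides warn about alongside for comparison. Request validation from the previous slides does not remove the need for this, since it is off for any action marked [ValidateInput(false)], any property marked [AllowHtml], any value read through Request.Unvalidated and any page with ValidateRequest="false".

```csharp
// Added example, not the slides' code: one untrusted value, four output contexts,
// four encoders. Assumes the .NET Framework with a reference to System.Web.
using System;
using System.Web;

public static class OutputEncoding
{
    // Constructed attacker input: closes an attribute, then injects a script element.
    public const string Untrusted = "\"><script>alert('xss')</script>";

    // VULNERABLE: plain concatenation, the same as lblName.Text = "Hello, " + txtValue.Text
    public static string RenderRaw(string value)
    {
        return "<span>Hello, " + value + "</span>";
    }

    // HTML body text: HtmlEncode turns < > & " ' into entities, so the browser shows them as text.
    public static string RenderHtmlText(string value)
    {
        return "<span>Hello, " + HttpUtility.HtmlEncode(value) + "</span>";
    }

    // HTML attribute value: HtmlAttributeEncode encodes the quote that would close the attribute.
    // The attribute must also be quoted; an unquoted one can be left with a single space.
    public static string RenderHtmlAttribute(string value)
    {
        return "<input type=\"text\" value=\"" + HttpUtility.HtmlAttributeEncode(value) + "\">";
    }

    // JavaScript string literal: JavaScriptStringEncode escapes quotes and backslash and writes
    // < and > as \u003c and \u003e, so "</script>" cannot end the script block early.
    // The encoder does not add the surrounding quotes; the template supplies them.
    public static string RenderJavaScript(string value)
    {
        return "<script>var name = \"" + HttpUtility.JavaScriptStringEncode(value) + "\";</script>";
    }

    // URL query parameter: UrlEncode the parameter value only. Scheme, host and path are
    // not user data here; a user-supplied whole URL would need a scheme check instead.
    public static string RenderUrl(string value)
    {
        return "<a href=\"/search?q=" + HttpUtility.UrlEncode(value) + "\">search</a>";
    }

    public static void Main()
    {
        Console.WriteLine(RenderRaw(Untrusted));           // script runs in the browser
        Console.WriteLine(RenderHtmlText(Untrusted));      // shown as literal text
        Console.WriteLine(RenderHtmlAttribute(Untrusted)); // stays inside the value attribute
        Console.WriteLine(RenderJavaScript(Untrusted));    // stays inside the JS string
        Console.WriteLine(RenderUrl(Untrusted));           // stays inside the q parameter
    }
}
```

In .NET 4.5 the AntiXSS encoder ships in the framework as System.Web.Security.AntiXss.AntiXssEncoder and can replace the default encoder for HttpUtility, <%: %> and Razor application-wide through the encoderType attribute of <httpRuntime>, which is the simplest way to get the whitelist-style encoding of the slide's AntiXss.HtmlEncode call everywhere at once.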
Auth(en) & Auth(or) with <location>

<location path="Administration.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Rules are evaluated top down and the first match wins, and the default is to allow everyone, so the <deny users="*"/> must come after the <allow>. <location> matches a file or folder path; an MVC action is reached through a route, not a path, so it is protected with the attribute instead:

Authorization in ASP.NET MVC

[Authorize(Roles="Administrators")]
public ActionResult Index()
{}

Sample Login Page in ASP.NET MVC

[HttpPost]
[RequireHttps]
[AllowAnonymous]
[ValidateInput(true)]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)

[ValidateInput(true)] is the default and is listed for emphasis. [RequireHttps] redirects a GET to https but throws for a POST (a request body cannot be carried across a redirect), so put it on the GET action or on the controller too, so the form is never rendered over http in the first place. returnUrl comes from the query string and must pass Url.IsLocalUrl before the action redirects to it, or the login page doubles as an open redirect.
http://www.thetechherald.com/articles/CSRF-bug-on-INGDirect-com-could-have-allowed-fraudulent-transfers

"We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account," the research paper noted, adding that SSL did nothing to prevent the attack. "Since ING did not explicitly protect against CSRF attacks, transferring funds from a user's accounts was as simple as mimicking the steps a user would take when transferring funds."

Cross-Site Request Forgeries: Exploitation and Prevention
by William Zeller and Edward W. Felten

http://www.cs.utexas.edu/~shmat/courses/cs378_spring09/zeller.pdf
Sample: CSRF protection in TFS web interface

CSRF Mitigation in ASP.Net MVC

Login.cshtml: @Html.AntiForgeryToken() inside the form
LoginController.cs: [ValidateAntiForgeryToken] on the [HttpPost] action

• Adds a html hidden field named __RequestVerificationToken
• Adds a cookie named __RequestVerificationToken

The two values differ but are bound to each other; the attribute rejects the POST unless both arrive and match. A page on another origin can make the browser send the cookie, but it cannot read the hidden field out of the form, so it cannot forge the pair.

CSRF Mitigation in ASP.Net WebForms

• Available at Site.Master.cs (the Page_Init handler the Visual Studio web application template generates)
• The __AntiXsrfToken gets sent in the __VIEWSTATE and in a cookie for any WebForm that uses the Site.Master master page; the template also sets Page.ViewStateUserKey to the token, so the view state MAC ties each postback to the cookie that was issued with the form
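The login slide and the CSRF-mitigation slides describe the same controller from two sides. The following is an added example, not the slides' own LoginController.cs or Login.cshtml, that puts them together for ASP.NET MVC 5 with a deny-by-default global filter. AccountController, LoginModel, the Admin action and the use of Membership.ValidateUser are this example's assumptions; the Razor form is shown in a comment because it is the part that emits the __RequestVerificationToken hidden field.

```csharp
// Added example, not the slides' code. Assumes ASP.NET MVC 5 on the .NET Framework
// (System.Web.Mvc, System.Web.Security) and an application that registers
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) from Application_Start.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

public class FilterConfig
{
    // Deny by default: every action requires an authenticated user unless it opts out
    // with [AllowAnonymous]. A new controller that forgets [Authorize] then fails closed.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

public class LoginModel
{
    [Required] public string UserName { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
}

[RequireHttps] // on the controller: the GET is redirected to https before the form is ever rendered
public class AccountController : Controller
{
    // Login.cshtml (Razor) for the GET below; Html.AntiForgeryToken() writes the hidden
    // __RequestVerificationToken field and sets the matching cookie:
    //
    //   @model LoginModel
    //   @using (Html.BeginForm()) {
    //       @Html.AntiForgeryToken()
    //       @Html.TextBoxFor(m => m.UserName)
    //       @Html.PasswordFor(m => m.Password)
    //       <input type="submit" value="Log in" />
    //   }
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken] // hidden field and cookie must both be present and match
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        if (!Membership.ValidateUser(model.UserName, model.Password))
        {
            // Same message for unknown user and wrong password: no username enumeration.
            ModelState.AddModelError("", "The user name or password is incorrect.");
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);
        return RedirectToLocal(returnUrl);
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // logging out changes state, so it is POST-only and token-checked too
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Login");
    }

    // The MVC equivalent of the <location> rule for Administration.aspx.
    [Authorize(Roles = "Administrators")]
    public ActionResult Admin()
    {
        return View();
    }

    // returnUrl is attacker-controllable (it is in the link the victim clicked), so follow it
    // only when it is a path on this site; anything else would make login an open redirect.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

A JavaScript client posting JSON does not submit the form, so it has to send the hidden-field value itself (for instance in a header) and the action has to validate it with AntiForgery.Validate(cookieToken, formToken) instead of the attribute; the cookie part still travels automatically.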
Clickjacking

X-XSS-Protection

• http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
• X-XSS-Protection: 1

This switches on the reflected-XSS filter that IE8 introduced. "1; mode=block" (the value on the response-headers slide) makes the browser stop rendering the page instead of trying to neuter the injected script, which is the safer of the two. It is a browser-side heuristic, and Chrome and Edge have since dropped the filter, so treat it as defence in depth for users of old browsers, not as a fix for missing output encoding.
X-FRAME-OPTIONS

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Browser_Support

DENY refuses every framing; SAMEORIGIN allows frames from the same origin only. This is the clickjacking defence: a page that cannot be framed cannot have its buttons hidden under an attacker's page.

Strict-Transport-Security

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support

Once seen on an https response, the browser rewrites every later request to the host to https for max-age seconds and refuses to click through certificate errors. Browsers ignore it on http responses, so the site has to be reachable over TLS first; add includeSubDomains only when every subdomain is also served over TLS.
Adding necessary response headers

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
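The header slides (Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version to remove; X-Frame-Options, X-XSS-Protection and Strict-Transport-Security to add) and the httpCookies slide all end in the same question: did the change actually reach the response? The following is an added example, not from the slides: a small audit in C# that takes a response's headers and lists the disclosing ones still present, the hardening ones missing or weak, and every cookie set without HttpOnly or Secure. The sample header set is constructed here as a typical unhardened IIS/MVC response; given a URL on the command line it audits a live response instead (System.Net only; HeaderAudit, Audit and MaxAgeSeconds are this example's own names).

```csharp
// Added example, not the slides' code: audit one HTTP response for the headers the
// slides remove and add. Assumes only System.Net; the sample response is constructed.
using System;
using System.Collections.Generic;
using System.Net;

public static class HeaderAudit
{
    // Fingerprinting headers that should be gone after the Global.asax and web.config changes.
    static readonly string[] Disclosing =
        { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

    // Hardening headers, each with the check its value has to pass.
    static readonly Dictionary<string, Func<string, bool>> Required =
        new Dictionary<string, Func<string, bool>>(StringComparer.OrdinalIgnoreCase)
    {
        { "X-Frame-Options", v => v.Equals("DENY", StringComparison.OrdinalIgnoreCase)
                               || v.Equals("SAMEORIGIN", StringComparison.OrdinalIgnoreCase) },
        { "X-XSS-Protection", v => v.Replace(" ", "").Equals("1;mode=block", StringComparison.OrdinalIgnoreCase) },
        { "Strict-Transport-Security", v => MaxAgeSeconds(v) >= 31536000 }, // one year, as on the slide
    };

    public static List<string> Audit(WebHeaderCollection headers, bool isHttps)
    {
        var findings = new List<string>();

        foreach (var name in Disclosing)
            if (headers[name] != null)
                findings.Add("leak: " + name + ": " + headers[name]);

        foreach (var rule in Required)
        {
            var value = headers[rule.Key];
            if (value == null)
                findings.Add("missing: " + rule.Key);
            else if (!rule.Value(value))
                findings.Add("weak: " + rule.Key + ": " + value);
        }
        if (!isHttps && headers["Strict-Transport-Security"] != null)
            findings.Add("note: browsers ignore Strict-Transport-Security on an http response");

        // Every Set-Cookie needs HttpOnly (no document.cookie) and Secure (https only).
        // Attributes are compared as whole tokens so a cookie named "insecure" is not a false pass.
        foreach (var cookie in headers.GetValues("Set-Cookie") ?? new string[0])
        {
            var parts = cookie.Split(';');
            var cookieName = parts[0].Split('=')[0].Trim();
            var attrs = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            for (int i = 1; i < parts.Length; i++) attrs.Add(parts[i].Trim());
            if (!attrs.Contains("HttpOnly")) findings.Add("cookie " + cookieName + ": missing HttpOnly");
            if (!attrs.Contains("Secure")) findings.Add("cookie " + cookieName + ": missing Secure");
        }
        return findings;
    }

    // Reads max-age from "max-age=31536000; includeSubDomains"; -1 when absent or malformed.
    static long MaxAgeSeconds(string hsts)
    {
        foreach (var part in hsts.Split(';'))
        {
            var p = part.Trim();
            long seconds;
            if (p.StartsWith("max-age=", StringComparison.OrdinalIgnoreCase)
                && long.TryParse(p.Substring("max-age=".Length), out seconds))
                return seconds;
        }
        return -1;
    }

    public static void Main(string[] args)
    {
        WebHeaderCollection headers;
        bool isHttps = true;
        if (args.Length == 1)
        {
            var request = (HttpWebRequest)WebRequest.Create(args[0]);
            request.AllowAutoRedirect = false; // audit this response, not the one it redirects to
            isHttps = request.RequestUri.Scheme == Uri.UriSchemeHttps;
            try
            {
                using (var response = (HttpWebResponse)request.GetResponse()) headers = response.Headers;
            }
            catch (WebException ex)
            {
                if (ex.Response == null) throw;
                headers = ex.Response.Headers; // 4xx/5xx pages are worth auditing: they leak the most
            }
        }
        else
        {
            // Constructed sample: a default IIS + ASP.NET MVC response before any hardening.
            headers = new WebHeaderCollection
            {
                { "Server", "Microsoft-IIS/8.5" },
                { "X-Powered-By", "ASP.NET" },
                { "X-AspNet-Version", "4.0.30319" },
                { "X-AspNetMvc-Version", "5.2" },
                { "X-Frame-Options", "ALLOWALL" },
                { "Set-Cookie", "ASP.NET_SessionId=constructed0123456789; path=/" },
            };
        }

        foreach (var finding in Audit(headers, isHttps))
            Console.WriteLine(finding);
    }
}
```

Run it against a static file and an error page as well as a normal page: those responses are produced by IIS rather than by the managed pipeline, so they are where a Server header or a detailed error page survives the Global.asax change.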
View State Security

<pages enableEventValidation="true"
       enableViewStateMac="true"
       viewStateEncryptionMode="Always" />

The first two are the defaults; viewStateEncryptionMode defaults to Auto, which encrypts only when a control asks for it, so "Always" is the change here. View state is base64, not encrypted, so without encryption anything a page puts in it is readable by the user. enableViewStateMac="false" must never be set: without the MAC the server deserializes whatever __VIEWSTATE the client sends, which is a code-execution primitive, and from .NET 4.5.2 on the runtime ignores the setting and always validates. The MAC is only as secret as the <machineKey>, so keep it out of source control and unique per application.
https://twitter.com/gmaran23
https://vimeo.com/gmaran23

Developer focused talks: SQLi, XML, XSS, OWASP ZAP

https://www.owasp.org/index.php/List_of_useful_HTTP_headers
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
1. https://renouncedthoughts.wordpress.com/2014/01/14/devouring-security-sql-injection-exploitation-and-prevention-part-1/
2. https://renouncedthoughts.wordpress.com/2014/02/07/devouring-security-sql-injection-exploitation-and-prevention-part-2/
3. https://renouncedthoughts.wordpress.com/2014/05/09/sql-injection-testing-for-qa-testers/
4. https://renouncedthoughts.wordpress.com/2014/05/09/devouring-security-xml-attack-surface-and-defenses/
5. https://renouncedthoughts.wordpress.com/2014/09/26/devouring-security-cross-site-scripting-xss/
6. https://renouncedthoughts.wordpress.com/2015/05/20/practical-security-testing-for-developers-using-owasp-zap-at-dot-net-bangalore-3rd-meet-up-on-feb-21-2015/
