Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Presentation transcript:


Top 5 Web App Security Bugs: relative percentage of the top 5 web application security vulnerabilities found by the Microsoft ACE Team since 1st Jan 08 (chart shown on slide).

Agenda
Cross-Site Scripting
Clear Text Secrets
Authorization Issues: disabling controls in the web site to enforce authorization; Direct Object Reference; missing authorization controls in web services
SQL Injection
Verbose Error Messages

Cross-Site Scripting: user-controlled input is rendered back to the browser without sufficient input validation or output encoding. This leads to execution of script controlled by the attacker in the context of the victim.

Cross-Site Scripting: normal execution

Cross-Site Scripting: what the attacker does

Cross-Site Scripting, common buggy code: some ASP.NET controls encode their output and some do not (code shown on slides).

Cross-Site Scripting: user input going into an attribute context; user input going into a JavaScript context (code shown on slide).

Cross-Site Scripting countermeasures: validate all input and encode all output; perform context-specific encoding; use the AntiXss library.
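The following is an added example, not code from the deck, showing why "context-specific encoding" matters. NaiveHtmlEncode is a constructed encoder that handles only the four characters < > & " (the classic HTML-encode set); the other three are allow-list encoders written in the style of the AntiXss library, whose AntiXss.HtmlEncode, HtmlAttributeEncode and JavaScriptEncode are what production code should call instead of these helpers. The two inputs are constructed to match the attribute and JavaScript contexts the slides single out.

```csharp
using System;
using System.Text;

// Added example, not code from the deck. NaiveHtmlEncode is a constructed
// encoder limited to < > & " ; HtmlEncode, HtmlAttributeEncode and
// JavaScriptEncode are simplified allow-list encoders in the style of the
// AntiXss library, which should be used in production instead of these.
static class Encoders
{
    public static string NaiveHtmlEncode(string s)
    {
        return s.Replace("&", "&amp;").Replace("<", "&lt;")
                .Replace(">", "&gt;").Replace("\"", "&quot;");
    }

    static bool IsAlnum(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    // HTML body context (<p>...</p>): letters, digits and spaces pass through,
    // everything else becomes a numeric character reference.
    public static string HtmlEncode(string s)
    {
        var sb = new StringBuilder(s.Length * 2);
        foreach (char c in s)
        {
            if (IsAlnum(c) || c == ' ') sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // Attribute context (<input value=...>): as above, but the space is encoded
    // too, so the value stays inside the attribute even when it is unquoted.
    public static string HtmlAttributeEncode(string s)
    {
        var sb = new StringBuilder(s.Length * 2);
        foreach (char c in s)
        {
            if (IsAlnum(c)) sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // JavaScript string context (var x = '...';): HTML entities mean nothing to
    // the script parser, so use \xHH / \uHHHH escapes instead.
    public static string JavaScriptEncode(string s)
    {
        var sb = new StringBuilder(s.Length * 2);
        foreach (char c in s)
        {
            if (IsAlnum(c)) sb.Append(c);
            else if (c < 0x80) sb.Append("\\x").Append(((int)c).ToString("x2"));
            else sb.Append("\\u").Append(((int)c).ToString("x4"));
        }
        return sb.ToString();
    }
}

class Program
{
    static void Main()
    {
        // Constructed inputs for the two contexts the deck singles out.
        string attrInput = "' onmouseover='alert(1)";      // lands in a single-quoted attribute
        string jsInput = "'; alert(document.cookie); //";  // lands in a JavaScript string literal

        // Attribute context: the naive encoder never touches the single quote, so
        // the value closes the attribute and adds an event handler. The allow-list
        // encoder turns the quote into &#39; and the browser renders it as text.
        Console.WriteLine("<input value='" + Encoders.NaiveHtmlEncode(attrInput) + "'>");
        Console.WriteLine("<input value='" + Encoders.HtmlAttributeEncode(attrInput) + "'>");

        // JavaScript context: the naive encoder again leaves the quote alone and
        // the string literal is terminated early; the JavaScript encoder emits
        // \x27 and friends, which the script parser reads as ordinary characters.
        Console.WriteLine("var name = '" + Encoders.NaiveHtmlEncode(jsInput) + "';");
        Console.WriteLine("var name = '" + Encoders.JavaScriptEncode(jsInput) + "';");

        // Body context: HtmlEncode is the right call for plain <p>...</p> output.
        Console.WriteLine("<p>" + Encoders.HtmlEncode("<script>alert(1)</script>") + "</p>");
    }
}
```

Running it prints each context twice, once with the wrong encoder and once with the right one; the point to take from the output is that one encoder does not fit every context, which is why the deck says to pick the encoding by where the value lands rather than HTML-encoding everything.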

Clear Text Secrets: the application may need to store credentials to connect to SQL Server, an SMTP server, etc.; it may need to store symmetric keys used to encrypt application data; and it may store user passwords or other secret information in the database.

Clear Text Secrets: common bugs (code shown on slides).

Clear Text Secrets countermeasures: do not store secrets (passwords/keys) in code; use the aspnet_regiis tool to encrypt configuration settings; for application-specific data, consider using SQL Server 2005/2008 native encryption.
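As an added example (not code from the deck), this console program encrypts the connectionStrings section of a web application's web.config from code, which is what running aspnet_regiis -pe "connectionStrings" -app "/MyApp" does from the command line. The virtual path "/MyApp" and the connection string name "MainDb" are assumptions; the program must run on the web server under an account allowed to write that web.config.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not code from the deck. Replaces the anti-pattern of a password
// literal in source or a plain <add connectionString="...;Password=..."/> entry
// with a protected (encrypted) configuration section. "/MyApp" and "MainDb" are
// assumed names.
class ConfigProtector
{
    // Providers shipped with ASP.NET: DPAPI ties the key to the machine (the
    // simplest choice for a single server); RSA uses an exportable key container
    // that can be shared across a web farm.
    const string DpapiProvider = "DataProtectionConfigurationProvider";
    const string RsaProvider = "RsaProtectedConfigurationProvider";

    static void Main(string[] args)
    {
        string appPath = args.Length > 0 ? args[0] : "/MyApp";
        string provider = (args.Length > 1 && args[1] == "rsa") ? RsaProvider : DpapiProvider;

        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings already encrypted with "
                + section.SectionInformation.ProtectionProvider.Name);
        }
        else
        {
            section.SectionInformation.ProtectSection(provider);
            config.Save();   // web.config now holds <EncryptedData> instead of the plain strings
            Console.WriteLine("connectionStrings encrypted with " + provider);
        }

        // Reading the value back needs no code change: the configuration system
        // decrypts transparently for the identity that opened the file (at run
        // time, the application pool identity).
        ConnectionStringSettings cs = config.ConnectionStrings.ConnectionStrings["MainDb"];
        Console.WriteLine(cs == null
            ? "MainDb is not defined"
            : "MainDb resolves to a usable connection string (not printed)");
    }
}
```

Whichever route is used, the tool or this code, the application reads the connection string through ConfigurationManager or WebConfigurationManager exactly as before, so encrypting the section is a deployment change rather than a code change.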

Authorization Issues, disabling controls in the web site to enforce authorization: normal execution

Authorization Issues, disabling controls in the web site to enforce authorization: what the attacker does

Authorization Issues: disabling HTML text boxes and buttons is only a visual indication, not a security control. Explicit authorization checks need to be performed on the server side.

Authorization Issues: common buggy code (code shown on slide).

Authorization Issues, Direct Object Reference: normal execution

Authorization Issues, Direct Object Reference: what the attacker does

Authorization Issues, Direct Object Reference: a unique identifier is used to retrieve and update data for an object. This identifier is an incrementing integer (or otherwise easily obtained). No explicit authorization check is performed to ensure the current user has access to the object.

Authorization Issues: missing authorization in web services in multi-tier applications. Diagram on slide: Web Server (Website) -> Web Server (Web service) -> SQL Server (Database).

Authorization Issues countermeasures: perform server-side authorization; use a platform-provided authorization mechanism (URL Authorization; declarative and imperative checks); implement authorization controls in middle tiers.
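The following added example (not code from the deck) ties the three authorization slides together: a middle-tier order service that checks ownership on every direct object reference and uses both a declarative and an imperative role check, so nothing depends on which controls the web site enabled. The in-memory order store, the user names and the role name "Manager" are all constructed for illustration; the principal is set on the thread so the program runs stand-alone on the .NET Framework, where in ASP.NET the same checks would read the request's user.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not code from the deck. OrderStore stands in for the database
// and OrderService for the web-service tier. All names and data are constructed.
class Order { public int Id; public string OwnerUserName; public string Status; }

static class OrderStore
{
    // Sequential IDs: the "incrementing integer" the deck describes.
    static readonly Dictionary<int, Order> Orders = new Dictionary<int, Order>
    {
        { 1001, new Order { Id = 1001, OwnerUserName = "alice", Status = "Open" } },
        { 1002, new Order { Id = 1002, OwnerUserName = "bob",   Status = "Open" } },
    };

    public static Order Find(int id)
    {
        Order o;
        return Orders.TryGetValue(id, out o) ? o : null;
    }
}

class OrderService
{
    // Direct object reference: the ID is user-controlled, so the lookup is
    // followed by an ownership check against the authenticated identity,
    // never against a hidden field or a disabled control in the page.
    public Order GetOrder(int id)
    {
        Order order = OrderStore.Find(id);
        if (order == null || !IsOwnerOrManager(order))
            throw new SecurityException("Not authorised for order " + id); // same answer for "missing" and "not yours"
        return order;
    }

    // Declarative check: the caller must hold the Manager role regardless of
    // what the web site's UI showed. PrincipalPermission reads
    // Thread.CurrentPrincipal, which ASP.NET sets to the request's user.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public void CancelOrder(int id)
    {
        Order order = GetOrder(id);
        order.Status = "Cancelled";
    }

    // Imperative check: owner or Manager.
    static bool IsOwnerOrManager(Order order)
    {
        IPrincipal user = Thread.CurrentPrincipal;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return user.IsInRole("Manager")
            || string.Equals(user.Identity.Name, order.OwnerUserName, StringComparison.OrdinalIgnoreCase);
    }
}

class Program
{
    static void RunAs(string name, string[] roles, Action action)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
        try { action(); Console.WriteLine(name + ": allowed"); }
        catch (SecurityException e) { Console.WriteLine(name + ": denied (" + e.Message + ")"); }
    }

    static void Main()
    {
        var svc = new OrderService();
        RunAs("alice", new string[0], () => svc.GetOrder(1001));            // own order: allowed
        RunAs("alice", new string[0], () => svc.GetOrder(1002));            // bob's order: denied
        RunAs("alice", new string[0], () => svc.CancelOrder(1001));         // no Manager role: denied
        RunAs("carol", new[] { "Manager" }, () => svc.CancelOrder(1002));   // Manager: allowed
    }
}
```

Because the check lives in the service tier, it holds whether the call arrives from the web site, from a script replaying a request with a re-enabled button, or from a client that guessed the next order number.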

SQL Injection: user input is used without sufficient validation to build and execute a dynamic SQL statement, so the user can manipulate the SQL statement that gets executed.

SQL Injection: normal execution

SQL Injection: what the attacker does

SQL Injection: common buggy code (code shown on slides).

SQL Injection countermeasures: validate all input; use parameterized SQL statements (in stored procedures as well, using sp_executesql); configure SQL Server with least privilege for defense in depth.
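As an added example (not code from the deck), here is the concatenated query beside its parameterized replacement, plus the stored-procedure case the countermeasure slide mentions: a procedure that genuinely needs dynamic SQL (a caller-chosen sort column, which goes beyond the deck's own example) and uses sp_executesql so the value still travels as a parameter. The connection string, table and column names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the deck. Connection string, table and columns
// are assumed; the malicious input is constructed.
class CustomerLookup
{
    const string ConnStr = "Server=.;Database=Shop;Integrated Security=true"; // assumed

    // BUGGY: the value is spliced into the statement text, so a quote in the
    // input changes the statement's structure.
    public static string BuildVulnerableQuery(string lastName)
    {
        return "SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = '" + lastName + "'";
    }

    // FIXED: the value is sent as a typed parameter. Whatever it contains, it is
    // compared as data and cannot alter the statement.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string lastName)
    {
        var cmd = new SqlCommand(
            "SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @LastName", conn);
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
        return cmd;
    }

    // Stored procedures that build dynamic SQL with EXEC(@sql) and concatenation
    // have exactly the same bug. sp_executesql keeps the value parameterized;
    // identifiers (which cannot be parameters) are validated against an
    // allow-list and quoted. T-SQL kept here as a constant for reference.
    public const string SafeProcedure = @"
CREATE PROCEDURE dbo.FindCustomers
    @LastName NVARCHAR(50),
    @OrderBy  SYSNAME
AS
BEGIN
    IF @OrderBy NOT IN (N'LastName', N'CustomerId') SET @OrderBy = N'LastName';
    DECLARE @sql NVARCHAR(500);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @ln ORDER BY '
             + QUOTENAME(@OrderBy);
    EXEC sp_executesql @sql, N'@ln NVARCHAR(50)', @ln = @LastName;
END";

    static void Main()
    {
        string input = "' OR 1=1 --"; // constructed malicious input

        // The concatenated form: the input has become part of the WHERE clause.
        Console.WriteLine(BuildVulnerableQuery(input));

        // The parameterized form: statement text is fixed, the input is a value.
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = BuildParameterizedCommand(conn, input))
        {
            Console.WriteLine(cmd.CommandText
                + "   [@LastName = " + cmd.Parameters["@LastName"].Value + "]");
            // Against a real server:
            // conn.Open();
            // using (SqlDataReader r = cmd.ExecuteReader()) { while (r.Read()) { ... } }
        }
    }
}
```

The least-privilege point on the slide applies on top of this: the login the web application connects with should have rights only to the procedures and tables it needs, so that a query the parameterization missed still cannot reach anything else.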

Verbose Error Messages: detailed error messages reveal the inner workings of an application and make an attacker's job easier.

Verbose Error Messages, common buggy code (code shown on slide).

Verbose Error Messages, common buggy code: missing exception handling in ASMX web services.

Verbose Error Messages: leads to… (shown on slide)

Verbose Error Messages: common bad configuration (shown on slide).

Verbose Error Messages: leads to… (shown on slide)
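An added example (not code from the deck) for the ASMX case: the same web method without and with exception handling. The unhandled version lets the exception surface as a SOAP fault carrying the exception type, message and stack trace; the handled version logs the full detail on the server and returns only a generic message with a correlation reference. The service namespace, method names and the simulated failure message are constructed. For ASP.NET pages the matching setting is the customErrors element in web.config, where mode="Off" sends full error pages to remote clients and mode="RemoteOnly" or "On" with a defaultRedirect does not.

```csharp
using System;
using System.Diagnostics;
using System.Web.Services;
using System.Web.Services.Protocols;

// Added example, not code from the deck. Namespace, method names and the
// simulated backend failure are all constructed for illustration.
[WebService(Namespace = "http://example.invalid/orders")]
public class OrderStatusService : WebService
{
    // BUGGY: nothing catches the exception, so the SOAP fault returned to the
    // caller carries the exception type, its message (connection details,
    // table names, file paths...) and the stack trace.
    [WebMethod]
    public string GetOrderStatusUnsafe(int orderId)
    {
        return LoadStatus(orderId);
    }

    // FIXED: full detail goes to the server-side log under a reference id; the
    // caller receives only a generic fault that quotes the reference so the
    // two can be matched up by support staff.
    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        try
        {
            return LoadStatus(orderId);
        }
        catch (Exception ex)
        {
            string reference = Guid.NewGuid().ToString("N");
            Trace.TraceError("[{0}] GetOrderStatus({1}) failed: {2}", reference, orderId, ex);
            throw new SoapException(
                "The request could not be processed. Reference: " + reference,
                SoapException.ServerFaultCode);
        }
    }

    // Placeholder for the real data access. Throws to simulate a backend failure
    // with the kind of message that should never reach a client.
    static string LoadStatus(int orderId)
    {
        throw new InvalidOperationException(
            "Constructed failure: cannot open database 'Shop' for login 'shop_web' (order " + orderId + ")");
    }
}
```

The reference id is what makes the generic message workable in practice: operations can find the full exception in the trace output from the value the caller reports, without any of that detail having left the server.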

References
AntiXss Library 53ff-4f82-bfaf-e c25&displaylang=en
ASP.NET IIS Registration Tool (Aspnet_regiis)
ASP.NET Authorization
Using sp_executesql

Feedback / QnA: your feedback is important! Please take a few moments to fill out our online feedback form. Use the Question Manager on LiveMeeting to ask your questions now!

Contact Blog Address

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.