Sofia, Bulgaria | 9-10 October
Writing Secure Code for ASP.NET
Stephen Forte, CTO, Corzen Inc, Microsoft Regional Director NY/NJ (USA)


Speaker.Bio.ToString()
●CTO and co-Founder of Corzen, Inc
●Microsoft MVP and INETA Speaker
●International Conference Speaker for 9+ Years
●Wrote a few books on databases and development
●Co-moderator & founder of NYC.NET Developers Group
●Former CTO of Zagat Survey

Agenda
●Why Care?
●Best Practices for Writing Secure Code
●Query String and Input Validation
●SQL Injection
●Storing Secret Data
●Exception Handling
●XSS and HTML Management

What we won’t cover
●Administrative Security
●Authentication and Authorization from an Admin level
●Code Access Security from an Admin level
●Cryptology


Writing Secure Code
●Developers usually think that security is an administrative problem, not a coding problem
●While several security issues are administrative in nature, you can write secure code to protect your application
●Some simple changes to your coding style can result in massive security holes closed


Input and Query String Validation
●All user input is evil!
●Not properly validating user input can lead to:
  ●SQL Injection
  ●XSS (Cross Site Scripting)

Do Not Trust User Input
●Validate all input
●Guilty until proven innocent: assume all input is bad until you prove otherwise
●Look for valid data and reject everything else
●Don’t assume that your client validations were applied; revalidate on the server (a hacker can bypass your client scripting)
●Avoid Query Strings altogether if possible

Ways to Validate Input
●Client Side:
  ●Validation Controls
●Server Side:
  ●Regular Expressions (RegEx) are your friend
  ●Validate for TLRF:
    ●Type checks
    ●Length checks
    ●Range checks
    ●Format checks
Validator.ValidationExpression =
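An added example, not code from the presentation, of the server-side TLRF checks described above applied to an order id read from the query string; the five-digit format and the 10000-99999 range are assumed for illustration.

```csharp
// Added example: server-side Type / Length / Range / Format validation of an
// order id. Runs regardless of whether client-side validation controls fired,
// because a client can always bypass script that runs in its own browser.
using System;
using System.Text.RegularExpressions;

public static class OrderIdValidator
{
    // Format check: whitelist the shape of a valid id (assumed: exactly 5 digits).
    private static readonly Regex OrderIdFormat =
        new Regex(@"^\d{5}$", RegexOptions.Compiled);

    // Range check bounds (assumed business rule for this application).
    private const int MinOrderId = 10000;
    private const int MaxOrderId = 99999;

    // Returns true only when every check passes; anything else is rejected.
    // "Look for valid data and reject everything else" - no blacklist of bad chars.
    public static bool TryParseOrderId(string raw, out int orderId)
    {
        orderId = 0;
        if (raw == null) return false;

        // Length check first: cheap, and it bounds what the regex has to scan.
        if (raw.Length != 5) return false;

        // Format check: only the whitelisted shape gets through.
        if (!OrderIdFormat.IsMatch(raw)) return false;

        // Type check: the value must actually convert to an integer.
        if (!int.TryParse(raw, out orderId)) return false;

        // Range check: a well-formed number can still be out of bounds.
        if (orderId < MinOrderId || orderId > MaxOrderId)
        {
            orderId = 0;
            return false;
        }
        return true;
    }
}

// Usage in a page's code-behind (assumed page; "id" is the query string key):
//
//   int orderId;
//   if (!OrderIdValidator.TryParseOrderId(Request.QueryString["id"], out orderId))
//   {
//       Response.StatusCode = 400;   // reject; never echo the raw value back
//       Response.End();
//   }
//
// The matching client-side control would use the same expression, e.g.
//   idValidator.ValidationExpression = @"^\d{5}$";
// but the server check above is the one that counts.
```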

Proper Validation


What is SQL Injection?
●The process of adding SQL statements in user input
●Used by hackers to:
  ●Probe databases and call built-in stored procedures
  ●Bypass authorization (adding records into custom login tables)
  ●Execute multiple SQL statements to delete data or drop tables

Examples of SQL Injection
strSQL = "SELECT * FROM" + " Orders WHERE OrderID ='" + ID + "'";
●If the ID variable is read directly from a Windows form textbox, the user could enter any of the following:
  ●21001' or 1=1 --
  ●21001' DROP TABLE OrderDetail --
  ●21001' exec xp_cmdshell('fdisk.exe') --

Preventing SQL Injection
●All User Input is Evil!
●Validate all input twice
  ●Client side validation controls
  ●Server Side manual validation for Type, Length, Format, and Range using RegEx
●Use Stored Procedures!
●Run with least privilege
  ●Never execute as “sa”
  ●Consider two databases with 2 logins
  ●Remove access to all tables and restrict access to built-in stored procedures (reduces attack surface)
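An added example, not the presenter's demo code, showing the concatenated query from the previous slide next to a parameterised query and a stored-procedure call; the Orders columns and the dbo.GetOrder procedure are assumed.

```csharp
// Added example: three ways to look up an order. The first is the vulnerable
// pattern from the slide; the other two keep user data out of the SQL text.
using System.Data;
using System.Data.SqlClient;

public static class OrderRepository
{
    // VULNERABLE: the id value is spliced into the statement text, so a quote
    // in the input closes the literal and whatever follows runs as SQL.
    public static DataTable GetOrderUnsafe(SqlConnection conn, string id)
    {
        string strSQL = "SELECT * FROM Orders WHERE OrderID ='" + id + "'";
        using (var cmd = new SqlCommand(strSQL, conn))
            return Fill(cmd);
    }

    // SAFE: the value is sent as a typed parameter and can never change the
    // statement. Call this only after TLRF validation has produced an int.
    public static DataTable GetOrderSafe(SqlConnection conn, int id)
    {
        const string sql =
            "SELECT OrderID, CustomerID, OrderDate FROM Orders WHERE OrderID = @OrderID";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@OrderID", SqlDbType.Int).Value = id;
            return Fill(cmd);
        }
    }

    // SAFE + least privilege: with CommandType.StoredProcedure the application
    // login needs only EXECUTE on dbo.GetOrder (assumed procedure), so direct
    // SELECT/DROP on the tables can be revoked from that login entirely.
    public static DataTable GetOrderViaProc(SqlConnection conn, int id)
    {
        using (var cmd = new SqlCommand("dbo.GetOrder", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@OrderID", SqlDbType.Int).Value = id;
            return Fill(cmd);
        }
    }

    private static DataTable Fill(SqlCommand cmd)
    {
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

With GetOrderSafe or GetOrderViaProc, an input such as 21001' or 1=1 -- is rejected by the int conversion before the query runs, and even a string parameter would be compared literally rather than executed.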

SQL Injection


Storing Secret Data
●Your application should not store secret data (passwords, etc)
●If you must store secret data, do not encrypt it in the database
  ●Hackers may guess or get the key
●Store a hashed representation of the data

What is a Hash?
●A mathematical formula that converts a message of any length into a unique fixed-length string of digits (typically 160 bits) known as a "message digest" that represents the original message.
●A hash is a one-way function - that is, it is infeasible to reverse the process to determine the original message.
●A hash function will not produce the same message digest from two different inputs.
●The MD5 and SHA-1 algorithms are two of the most popular algorithms, although any cryptosystem can be used to create a hash function (as, indeed, any cryptographically secure hash can be used to create a cryptosystem).

Storing a Password Hash
●Will only store the message digest (hash) of the password in the database, not the actual password.
●When a user comes back to the site they will have to provide the password; you will then recompute the hash of that password and compare them.
●So you are only storing the verifier in the database, not the actual password.

Random Salting a Hash
●Problem: If you know the password of a user, and some other user happens to have the same hash, then you know both have the same password
  ●A hacker can exploit this with a dictionary attack
●To “salt” a hash, generate a random string and prefix it to the clear password before hashing it.
●Save both the salt and the hashed password in the Users table.
●Drastically diminishes a dictionary attack
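An added example, not from the presentation, of the create-and-verify flow from the last two slides: a random salt is generated, prefixed to the clear password, and only salt and digest are stored. It uses SHA-256 from System.Security.Cryptography in place of the MD5/SHA-1 the slide names; the storage column names are assumed.

```csharp
// Added example: salted password verifier. Only Salt and Hash are stored in
// the Users table (assumed columns); the clear password is never written.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordVerifier
{
    private const int SaltSizeBytes = 16;   // 128-bit random salt per user

    // Call at registration / password reset. Returns what goes into the table.
    public static void Create(string clearPassword, out string salt, out string hash)
    {
        byte[] saltBytes = new byte[SaltSizeBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(saltBytes);          // cryptographic RNG, not System.Random

        salt = Convert.ToBase64String(saltBytes);
        hash = ComputeHash(salt, clearPassword);
    }

    // Call at login: recompute with the stored salt and compare to the stored hash.
    public static bool Verify(string clearPassword, string storedSalt, string storedHash)
    {
        string recomputed = ComputeHash(storedSalt, clearPassword);
        return FixedTimeEquals(recomputed, storedHash);
    }

    // "prefix the salt to the clear password before hashing it"
    private static string ComputeHash(string salt, string clearPassword)
    {
        byte[] input = Encoding.UTF8.GetBytes(salt + clearPassword);
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(input));
    }

    // Compare every character so the comparison time does not leak how many
    // leading characters of the digest matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage (assumed call sites):
//   string salt, hash;
//   PasswordVerifier.Create(newPassword, out salt, out hash);   // INSERT salt, hash
//   bool ok = PasswordVerifier.Verify(typedPassword, rowSalt, rowHash);
```

Because each user gets a different salt, two users with the same password end up with different digests, which is exactly the property the slide relies on against dictionary attacks.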

Pros and Cons
●Pros:
  ●Easy to set up
  ●Protects against disgruntled corporate users
  ●If the database is cracked, the hacker will not have any passwords: the hash is useless (remember, a hash is one-way)
●Cons:
  ●Cannot send a user their password if they forget it; you will have to reset it for them

Hashed Password Values


Exception Handling
●Never ever show the default ASP.NET debug page
●Never show trace information
●Never reveal any debug information to the user

Audit Everything
●Make sure everything that happens on your site is reproducible
●Do not rely on IIS logs, audit your code
●Commercial products to do this
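An added example, not from the presentation, that covers both of the preceding slides: a Global.asax handler that records the full exception and request details in a server-side audit log and then replaces the default ASP.NET error page with a generic one. The log path and the Error.aspx page are assumed.

```csharp
// Added example: Global.asax code-behind. Detail goes to the audit log on
// the server; the user only ever sees a generic error page.
// Pair this with web.config settings that switch off the built-in pages:
//   <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
//   <trace enabled="false" />
//   <compilation debug="false" />
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    private static readonly object LogLock = new object();
    private const string AuditLogPath = @"C:\Logs\site-audit.log";   // assumed

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        HttpContext ctx = HttpContext.Current;

        string user = ctx.User != null && ctx.User.Identity.IsAuthenticated
            ? ctx.User.Identity.Name : "-";

        // Everything needed to reproduce the event, captured by our code rather
        // than left to the IIS log: time, client, request line, user, exception.
        WriteAudit(string.Format("{0:o} ip={1} {2} {3} user={4} error={5}",
            DateTime.UtcNow,
            ctx.Request.UserHostAddress,
            ctx.Request.HttpMethod,
            ctx.Request.RawUrl,
            user,
            ex.ToString()));

        // Discard the exception so ASP.NET does not render its debug page, then
        // send the generic page: no stack trace, SQL text or file paths leave the box.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Response.Redirect("~/Error.aspx", false);
    }

    private static void WriteAudit(string line)
    {
        // Keep one event per line so the log cannot be forged by a request
        // that smuggles CR/LF into the URL or a header.
        line = line.Replace("\r", " ").Replace("\n", " | ");
        lock (LogLock)
            File.AppendAllText(AuditLogPath, line + Environment.NewLine);
    }
}
```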

Proper Exception Handling


What Is Cross-Site Scripting?
●A technique that allows hackers to:
  ●Execute malicious script in a client’s Web browser
  ●Insert ,,,, and tags
  ●Steal Web session information and authentication cookies
  ●Access the client computer
Any Web page that renders HTML containing user input is vulnerable

Two Common Exploits of Cross-Site Scripting
●Attacking Web-based platforms and discussion boards
●Using HTML tags to redirect private information

Form-Based Attacks (1 of 2)
Response.Write("Welcome" & Request.QueryString("UserName"))

Form-Based Attacks (2 of 2)
idForm.cookie.value=document.cookie; idForm.submit(); > here

Defending Against Cross-Site Scripting Attacks
●Do not:
  ●Trust user input
  ●Echo Web-based user input unless you have validated it
  ●Store secret information in cookies
●Do:
  ●Use the HttpOnly cookie option
  ●Use the security attribute
  ●Take advantage of ASP.NET features

Protection
●Use HTMLEncode and URLEncode
●Use RegEx to remove any script or HTML code from user input
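An added example, not from the presentation, that rewrites the Response.Write line from the "Form-Based Attacks" slide safely and applies the HttpOnly option from the defence slide; the lblWelcome and lnkProfile controls and the cookie name are assumed.

```csharp
// Added example: the "Welcome <UserName>" page done with output encoding
// and a hardened session cookie. Web Forms code-behind (assumed page).
using System;
using System.Web;

public partial class Welcome : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string userName = Request.QueryString["UserName"] ?? string.Empty;

        // VULNERABLE (the slide's line): raw input becomes part of the HTML, so
        // markup in UserName is rendered and any script in it runs.
        //   Response.Write("Welcome " + userName);

        // SAFE: encode for the context the value lands in.
        // HTML body -> HtmlEncode turns < > & " into entities, so the browser
        // shows the text instead of parsing it as tags.
        lblWelcome.Text = "Welcome " + HttpUtility.HtmlEncode(userName);

        // URL query -> UrlEncode, so the value cannot break out of the parameter.
        lnkProfile.NavigateUrl =
            "~/Profile.aspx?user=" + HttpUtility.UrlEncode(userName);

        // Session/auth cookie: HttpOnly keeps document.cookie from reading it,
        // so a script that does get injected cannot post it elsewhere; Secure
        // keeps it off plain HTTP. Never put secret data in the cookie value.
        var session = new HttpCookie("SessionToken", Guid.NewGuid().ToString("N"));
        session.HttpOnly = true;
        session.Secure = true;
        Response.Cookies.Add(session);
    }
}
```

Request validation (the ValidateRequest page directive, on by default) is the ASP.NET feature the defence slide refers to; it rejects obviously dangerous markup early but is a backstop, not a replacement for encoding at output.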


Cross Site Scripting

Questions?

Thanks!
●Please fill out your evaluation form!
●Please put (Secure ASP.NET in the subject)