Presentation is loading. Please wait.

Presentation is loading. Please wait.

Изграждане на сигурни уеб приложения - заплахи и методи на защита

Published byMarvin Lucas Modified over 6 years ago

Similar presentations

Presentation on theme: "Изграждане на сигурни уеб приложения - заплахи и методи на защита"— Presentation transcript:

1 Изграждане на сигурни уеб приложения - заплахи и методи на защита
11/15/2018 1:01 AM Изграждане на сигурни уеб приложения - заплахи и методи на защита Иво Моравски MCT, MCSD.NET CTEC-BG © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 Session Agenda - Threats
11/15/2018 1:01 AM Session Agenda - Threats Types of threats Threats against the application SQL injection Cross-site scripting Input tampering Session hijacking More Threat modeling © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

3 Session Agenda - Countermeasures
11/15/2018 1:01 AM Session Agenda - Countermeasures Holistic approach to security Writing secure code Validating input Accessing databases securely Using forms authentication securely Storing secrets securely Securing session state Handling errors properly © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

4 Types of Threats Spoofed packets, etc.
11/15/2018 1:01 AM Types of Threats Network Host Application Threats against the network Spoofed packets, etc. Threats against the host Buffer overflows, illicit paths, etc. Threats against the application SQL injection, XSS, input tampering, etc. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

5 Threats Against the Network
11/15/2018 1:01 AM Threats Against the Network Threat Examples Information gathering Port scanning Using trace routing to detect network topologies Using broadcast requests to enumerate subnet hosts Eavesdropping Using packet sniffers to steal passwords Denial of service (DoS) SYN floods ICMP echo request floods Malformed packets Spoofing Packets with spoofed source addresses © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

6 Threats Against the Host
11/15/2018 1:01 AM Threats Against the Host Threat Examples Arbitrary code execution Buffer overflows in ISAPI DLLs (e.g., MS01-033) Directory traversal attacks (MS00-078) File disclosure Malformed HTR requests (MS01-031) Virtualized UNC share vulnerability (MS00-019) Denial of service (DoS) Malformed SMTP requests (MS02-012) Malformed WebDAV requests (MS01-016) Malformed URLs (MS01-012) Brute-force file uploads Unauthorized access Resources with insufficiently restrictive ACLs Spoofing with stolen login credentials Exploitation of open ports and protocols Using NetBIOS and SMB to enumerate hosts Connecting remotely to SQL Server © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

7 Threats Against the Application
11/15/2018 1:01 AM Threats Against the Application Threat Examples SQL injection Including a DROP TABLE command in text typed into an input field Cross-site scripting Using malicious client-side script to steal cookies Hidden-field tampering Maliciously changing the value of a hidden field Eavesdropping Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections Session hijacking Using a stolen session ID cookie to access someone else's session state Identity spoofing Using a stolen forms authentication cookie to pose as another user Information disclosure Allowing client to see a stack trace when an unhandled exception occurs © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

8 11/15/2018 1:01 AM SQL Injection © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

9 Cross-Site Scripting 11/15/2018 1:01 AM
© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

10 Session Hijacking Web applications use sessions to store state
11/15/2018 1:01 AM Session Hijacking Web applications use sessions to store state Sessions are private to individual users Sessions can be compromised Threat Risk Factor Theft and replay of session ID cookies High* Links to sites that use cookieless session state Medium* Predictable session IDs Low* Remote connection to state server service Medium Remote connection to state server database Eavesdropping on state server connection * Shorter session time-outs mitigate the risk by reducing the attack window © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

11 Identity Spoofing Security depends on authentication
11/15/2018 1:01 AM Identity Spoofing Security depends on authentication If authentication can be compromised, security goes out the window Authentication can be compromised Threat Risk Factor Theft of Windows authentication credentials High Theft of forms authentication credentials Theft and replay of authentication cookies Medium* Dictionary attacks and password guessing * Depends on the time-out values assigned to authentication cookies © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

12 Information Disclosure
11/15/2018 1:01 AM Information Disclosure Which is the better error message? © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

13 11/15/2018 1:01 AM Threat Modeling Structured approach to identifying, quantifying, and addressing threats Essential part of development process Just like specing and designing Just like coding and testing © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

14 The Threat Modeling Process
11/15/2018 1:01 AM The Threat Modeling Process 1 Identify assets 2 Document architecture 3 Decompose application 4 Identify threats 5 Document threats 6 Rate threats © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

15 Example – Identifying Assets
Web Server Database Server Firewall IIS ASP.NET Login Bob Alice Main Bill State Asset #4 Asset #5 Asset #6 © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

16 Example – Decomposing App
Forms Authentication URL Authorization Web Server Database Server Trust Firewall Bob IIS ASP.NET Login Alice Main Bill State DPAPI Windows Authentication © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

17 Identifying Threats: STRIDE model
Spoofing S Can an attacker gain access using a false identity? Tampering T Can an attacker modify data as it flows through the application? Repudiation R If an attacker denies an exploit, can you prove him or her wrong? Information disclosure I Can an attacker gain access to private or potentially injurious data? Denial of service D Can an attacker crash or reduce the availiability of the system? Elevation of privilege E Can an attacker assume the identity of a privileged user?

18 Rating Threats Simple model Other models 1-10 Scale 1-10 Scale
11/15/2018 1:01 AM Rating Threats Simple model Other models Risk = Probability * Damage Potential 1-10 Scale 1 = Least probable 10 = Most probable 1-10 Scale 1 = Least damage 10 = Most damage © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

19 Defenses and Countermeasures
11/15/2018 1:01 AM Defenses and Countermeasures © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

20 Session Agenda - Countermeasures
11/15/2018 1:01 AM Session Agenda - Countermeasures Holistic approach to security Writing secure code Validating input Accessing databases securely Storing secrets securely Using forms authentication securely Securing session state Handling errors properly © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

21 Holistic Approach to Security
Network Host Application Port blocking Filtering Encryption Updates IIS hardening ACLs CAS Logging Least privilege Account mgmt. Validation Hashing Encryption Secrets mgmt. Cookie mgmt. Session mgmt. Error handling Defend the network Spoofed packets, etc. Defend the host Buffer overflows, illicit paths, etc. Defend the application SQL injection, XSS, input tampering, etc.

22 Defending the Network Harden firewalls Harden routers and switches
11/15/2018 1:01 AM Defending the Network Harden firewalls Stay current with patches and updates Block unused ports and protocols Use filtering to reject illicit requests Harden routers and switches Stay current with patches and updates Use ingress/egress filtering to reject spoofed packets Screen ICMP traffic from the internal network Screen directed broadcast requests from the internal network Reject trace routing requests Encrypt sensitive communications © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

23 Defending the Host Stay current with service packs and updates
11/15/2018 1:01 AM Defending the Host Stay current with service packs and updates Harden IIS with IISLockdown and URLScan Harden the Web server's TCP/IP stack Run ASP.NET using principle of least privilege ACL resources to prevent unauthorized access Disable unused shares and services Move Web root to drive other than C: © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

24 Defending the Application
11/15/2018 1:01 AM Defending the Application Never trust user input (validate!) Access databases securely Avoid vulnerabilities in forms authentication Secure ASP.NET session state Store secrets securely Anticipate errors and handle them appropriately © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

25 Validating Input Filter potentially injurious characters and strings
11/15/2018 1:01 AM Validating Input Filter potentially injurious characters and strings HTML-encode all input echoed to a Web page Avoid using file names as input if possible © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

26 Tools for Validating Input
11/15/2018 1:01 AM Tools for Validating Input Tool Description Regex Class in System.Text.RegularExpressions namespace that wraps .NET Framework's regular expression engine Validation controls Set of six controls that validate input on both client and server: RequiredFieldValidator, RegularExpression-Validator, RangeValidator, etc. HttpUtility.HtmlEncode HTML-encodes input, converting potentially dangerous characters such as "<" into harmless escape sequences Request.MapPath Resolves path names and optionally checks for path names that violate application boundaries ASP.NET 1.1 request validation Feature of ASP.NET 1.1 that automatically rejects requests containing certain characters and character sequences (e.g., "<script") © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

27 Input Validation 11/15/2018 1:01 AM
© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

28 Accessing Data Securely
11/15/2018 1:01 AM Accessing Data Securely Use stored procedures or parameterized commands in lieu of dynamic SQL commands Never use sa to access Web databases Store connection strings securely Apply administrative protections to SQL Server Optionally use SSL/TLS or IPSec to secure the connection to the database server © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

29 Dynamic SQL Commands Vulnerable to SQL injection attacks
// DANGER! User input used to generate database query string sql = String.Format ("select count (*) " + "from users where username=\'{0}\' and cast " + "(password as varbinary)=cast (\'{1}\' as " + varbinary)", username, password); SqlCommand command = new SqlCommand (sql, connection); int count = (int) command.ExecuteScalar (); © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

30 Stored Procedures Less vulnerable to SQL injection attacks
11/15/2018 1:01 AM Stored Procedures Less vulnerable to SQL injection attacks Added security via EXECUTE permission // BEST: Input passed to stored proc SqlCommand command = new SqlCommand ("proc_IsUserValid", connection); command.CommandType = CommandType.StoredProcedure; command.Parameters.Add SqlDbType.VarChar).Value = username; command.Parameters.Add SqlDbType.VarChar).Value = password; command.Parameters.Add SqlDbType.Int). Direction = ParameterDirection.ReturnValue; int count = (int) command.ExecuteScalar (); © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

31 11/15/2018 1:01 AM The sa Account For administration only; never use it to access a database programmatically Instead, use one or more accounts that have limited database permissions For queries, use SELECT-only account Better yet, use stored procs and grant account EXECUTE permission for the stored procs Reduces an attacker's ability to execute harmful commands (e.g., DROP TABLE) © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

32 Windows Authentication
11/15/2018 1:01 AM Windows Authentication Microsoft SQL Server supports two types of authentication: Authentication using SQL Server logins Authentication using Windows identities Windows authentication reduces threat surface area by eliminating user names and passwords from connection strings server=localhost;database=pubs;Trusted_Connection=yes © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

33 Whom Do You Authenticate?
11/15/2018 1:01 AM Whom Do You Authenticate? Identity Pros Cons Worker process Connection pooling No one-hop issues ASPNET account lacks network credentials All callers share one set of database permissions Impersonated identity Company policies sometimes require user-level auditing of database accesses Increased granularity of database permissions Foils connection pooling Raises one-hop issues Added administration Grants database access to more principals COM+ identity Decreased performance Increased complexity © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

34 Storing Secrets - Connection Strings
11/15/2018 1:01 AM Storing Secrets - Connection Strings Storing plaintext database connection strings in Web.config is risky Vulnerable to file disclosure attacks Storing encrypted database connection strings increases security Encrypting connection strings is easy System.Security.Cryptography classes Key management is not Where do you store the decryption key? See “How to Create a DPAPI Library” for instructions on creating your own library © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

35 Data Protection API (DPAPI)
11/15/2018 1:01 AM Data Protection API (DPAPI) Present in Windows 2000 and higher Provides strong encryption, automatic key generation, and secure key storage Triple-DES encryption PKCS #5 key generation Two “stores”: User store – Per-user keys based on profiles Machine store – Per-machine keys with optional entropy values © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

36 Securing Connection Strings
11/15/2018 1:01 AM Securing Connection Strings Description Security Store encrypted connection strings in Web.config Store key in ACLed registry entry Good Let DPAPI perform key management Better Store encrypted connection strings in ACLed registry key Use entropy values to harden DPAPI encryption Store entropy values in ACLed registry key Best © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

37 Forms Authentication Protect login credentials with SSL/TLS
11/15/2018 1:01 AM Forms Authentication Protect login credentials with SSL/TLS Don't store passwords; store password hashes Limit authentication cookie lifetimes to minimize windows for replay attacks Assume authentication cookies are spoofed or stolen when performing sensitive operations Don't rely on forms authentication to protect resources not owned by ASP.NET © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

38 Protecting Login Credentials
11/15/2018 1:01 AM Protecting Login Credentials Place login forms in directories protected by SSL/TLS to guard against eavesdropping <authentication mode="Forms"> <forms loginUrl=" /> </authentication> Encrypted connection © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

39 Storing Login Passwords
11/15/2018 1:01 AM Storing Login Passwords Don't store passwords in login databases Store password hashes for added security Salt hashes to impede dictionary attacks Format Comments Plaintext passwords Exposes entire application if database is compromised Encrypted passwords Better than plaintext, but still vulnerable if decryption key is compromised 1-way password hashes Better than encrypted passwords, but still vulnerable to dictionary attacks Salted password hashes Less vulnerable to dictionary attacks © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

40 Authentication Cookies
11/15/2018 1:01 AM Authentication Cookies Forms authentication cookies are encrypted and validated by default Prevents reading and alteration Doesn’t prevent theft and replay Preventative measures are required to defend against unauthorized access Defense Comments Restrict cookies to SSL Prevents cookie theft (strongest defense) Limit cookie lifetime Mitigates replay attacks by limiting attack window Disable sliding renewal © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

41 11/15/2018 1:01 AM ASP.NET View State Great alternative to hidden fields when round-tripping data to the client Validated by default Encrypted if desired © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

42 Securing Session State
11/15/2018 1:01 AM Securing Session State Limit session time-outs as much as possible Avoid using cookieless session state if possible Close port in firewall if using state service Disable ASP.NET state service if you're not using it Close ports 1433 and 1434 if using SQL Server Encrypt connection string if using SQL Server © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

43 Session State, Cont. Don’t store potentially injurious data (such as
11/15/2018 1:01 AM Session State, Cont. Don’t store potentially injurious data (such as credit card numbers) in session state Optionally use SSL/TLS to protect session ID cookies Optionally use SSL/TLS or IPSec to secure the connection to the database server © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

44 Error Handling Anticipate errors and handle them sensibly
11/15/2018 1:01 AM Error Handling Anticipate errors and handle them sensibly Use <customErrors> to display custom error pages Don't reveal too much information in error pages Beware mode="off" and debug="true" Log unhandled exceptions Be aggressive about logging failures © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

45 © 2003-2004 Microsoft Corporation. All rights reserved.
11/15/2018 1:01 AM © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Download ppt "Изграждане на сигурни уеб приложения - заплахи и методи на защита"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Steven Borg & Richard Hundhausen Accentient, Inc

Steven Borg & Richard Hundhausen Accentient, Inc
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Understand Database Security Concepts

Understand Database Security Concepts
Security Threat Modeling

Security Threat Modeling
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET Security Part 1 Dave Glover

ASP.NET Security Part 1 Dave Glover
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Threat Modeling for Secure Web Application Development Rafal Lukawiecki Strategic Consultant Project Botticelli Ltd.

Threat Modeling for Secure Web Application Development Rafal Lukawiecki Strategic Consultant Project Botticelli Ltd.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.

Similar presentations

Ads by Google