1. Varun Sharma Security Engineer | ACE Team | Microsoft Information Security varun.sharma@microsoft.com

2. Top 5 Web App Security bugs Relative percentage of the Top 5 Web Application Security vulnerabilities found by Microsoft ACE Team since 1 st Jan 08

3. Agenda Cross-Site Scripting Clear Text Secrets Authorization Issues Disabling Controls in the Web site to enforce authorization Direct Object Reference Missing Authorization controls in web services SQL Injection Verbose Error messages

4. Cross-Site Scripting User controlled input is rendered back to browser without sufficient input validation or output encoding Leads to execution of script (controlled by the attacker) under the context of the victim

5. Cross-Site Scripting Normal execution

6. Cross-Site Scripting What attacker does

7. Cross-Site Scripting Common Buggy Code Some ASP.NET Controls encode and some do not

8. Cross-Site Scripting Common Buggy Code Some ASP.NET Controls encode and some do not

9. Cross-Site Scripting User input going in attribute context User input going in JavaScript context

10. Cross-Site Scripting Countermeasures Validate all input and encode all output Perform context specific encoding Use the AntiXss Library

11. Clear Text Secrets The application may need to store credentials to connect to SQL Server, SMTP Server etc May need to store symmetric keys to perform encryption of application data May be storing user passwords or other secret information in the database

12. Clear Text Secrets Common bugs

13. Clear Text Secrets Common bugs

14. Clear Text Secrets Countermeasures Do not store secrets (passwords/ keys) in code Use the aspnet_regiis tool to encrypt configuration settings For application specific data, consider using SQL Server 2005/ 2008 Native Encryption

15. Authorization Issues Disabling Controls in the Web site to enforce authorization (Normal execution)

16. Authorization Issues Disabling Controls in the Web site to enforce authorization (What attacker does)

17. Authorization Issues Disabling HTML text boxes, buttons in only a visual indication, not a security control Need to perform explicit authorization checks on the server side

18. Authorization Issues Common Buggy Code

19. Authorization Issues Direct Object Reference (Normal execution)

20. Authorization Issues Direct Object Reference (What attacker does)

21. Authorization Issues Direct Object Reference Unique identifier is used to retrieve and update data for an object. This unique identifier is an incrementing integer (or easily available). No explicit authorization check is performed to ensure current user has access to the object.

22. Authorization Issues Missing authorization in web services in multi- tier applications Web Server SQL Server Web Server (Website) (Web service)(Database)

23. Authorization Issues Countermeasures:- Perform server side authorization Use a platform provided authorization mechanism URL Authorization Declarative and Imperative checks Implement authorization controls in middle tiers

24. SQL Injection User input without sufficient validation is used to create and execute a dynamic SQL statement User can manipulate the SQL statement that gets executed

25. SQL Injection Normal execution

26. SQL Injection What attacker does

27. SQL Injection Common buggy code

28. SQL Injection Common buggy code

29. SQL Injection Countermeasures:- Validate all input Use parameterized SQL statements (in stored procedures as well, using sp_executesql) Configure SQL server with least privilege for defense in depth

30. Verbose Error messages Detailed error messages reveal inner workings of an application and make an attackers job easier

31. Verbose Error messages Common Buggy Code:-

32. Verbose Error messages Common Buggy Code:- Missing exception handling in ASMX web services

33. Verbose Error messages Leads to…

34. Verbose Error messages Common Bad Configuration:-

35. Verbose Error messages Leads to…

36. References AntiXss Library http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819- 53ff-4f82-bfaf-e11625130c25&displaylang=en ASP.NET IIS Registration Tool (Aspnet_regiis) http://msdn.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx ASP.NET Authorization http://msdn.microsoft.com/en-us/library/wce3kxhd(VS.80).aspx Using sp_executesql http://msdn.microsoft.com/en-us/library/ms175170.aspx

37. Feedback / QnA Your Feedback is Important! Please take a few moments to fill out our online feedback form Use the Question Manager on LiveMeeting to ask your questions now!

38. Contact Blog http://blogs.msdn.com/varun_sharma Email Address varun.sharma@microsoft.com

39. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.