Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.

Published byAlban Hutchinson Modified over 9 years ago

Similar presentations

Presentation on theme: "©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn."— Presentation transcript:

1 ©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

2 2 ©2008 Gotham Digital Science Our Observations  The same old code-level problems –Input Validation, Parameter Manipulation, Authorization Bypass, Privilege Escalation, Reliance on Browser Security, etc, etc, etc…  Can we EVER prevent these? –Developer Training? There are always “mistakes” –Negative Security Model? Almost always can bypass –Positive Security Model? Very difficult to implement

3 3 ©2008 Gotham Digital Science What should we do?  Root Cause Analysis: –Problem: The application allowed the user to do something they shouldn't have been able to do –Solution: Only allow the user do what the application expects them to be able to do  How??? –Look at what the application presents to the user –If an option is not presented, don’t let them use it –If we don’t ask the user for it, don’t accept it!

4 4 ©2008 Gotham Digital Science Secure Parameter Filter (SPF)  What is SPF? –Embedded application “Security Filter” –Analyses incoming requests and outgoing responses –Every URL and input value requires a security token Generated on-the-fly as pages are rendered Exceptions can be defined for certain pages/inputs –Deployed at the application level No involvement from server administrator required

5 5 ©2008 Gotham Digital Science Secure Parameter Filter (SPF)  Designed to protect against: –Input Tampering & Injection Query String, Cookies, Form Inputs –URI Tampering Forced Browsing –Forgery, Hijacking / Cross-Site Attacks Session-Based Tokenization

6 6 ©2008 Gotham Digital Science How it Works  Output Filter –Analyzes HTTP output to determine what is presented –Only URLs and inputs presented to the user are permitted on subsequent requests  Append Cryptographic Token on each URL  Link HREF, Form ACTION, Script & Frame SRC  Insert unique GUID on each form and record form input profile (name, type, disabled/read-only)  Encrypt eligible embedded Form input values  ASP.NET Machine Key

7 7 ©2008 Gotham Digital Science How it Works  Input Filter –Analyzes HTTP request to ensure it is for only authorized URLs and inputs –By default, only pre-determined “entry points” are permitted without a proper request token –Inspect free-form text inputs against specified regular expressions (optional)

8 8 ©2008 Gotham Digital Science How it Works APPLICATION USERS IIS WEB/APP SERVER SPFCUSTOM CODE FRAMEWORK HANDLER INTERNAL WEB/APP SERVER PROCESSING

9 9 ©2008 Gotham Digital Science Applied Cryptography in SPF  Encrypted Inputs –16 Random Bytes Pre-Pended to Each Value  Produces Unique Cipher Text (similar to IV) –Uses ASP.NET Machine Key to Encrypt –Appends Time Stamp & SHA1 HMAC  Cipher Text  Time Stamp  Source IP Address  Source Guid (SPF Cookie)

10 10 ©2008 Gotham Digital Science Applied Cryptography in SPF  Tokenized Elements –Appends Time Stamp & SHA1 HMAC  Plain-Text (URL, Query String)  Time Stamp  Source IP Address  Source Guid (SPF Cookie)  HMAC Key derived from ASP.NET Machine Key

11 11 ©2008 Gotham Digital Science Configuration Requirements  Default Protection Settings (Required) –Protection Scope (URI, QueryString, Forms, Cookies) –Main Application Entry Point (URL)  Exceptions to Default Settings (Optional) –Global Exceptions (Form Inputs, Cookies) –URI Exceptions (URI, Query String, Form Inputs)

12 12 ©2008 Gotham Digital Science Configuration Options  Automatic Run-time Configuration Updates –Ineligible inputs are automatically granted exceptions  INPUT TYPE=TEXT, TEXAREA, etc  “Black List” Regular Expression Filter –Used to optionally block malicious input strings  Two Modes of Operation –Passive: Silent logging of all failed requests –Active: Failed requests are rejected

13 13 ©2008 Gotham Digital Science Supported Content Types  HTML Analyzer –Uses HTML Agility Pack  JavaScript Analyzer –Custom functions with arguments that include URLs and request parameters  __doPostBack(eventTarget, eventArgument) –Native properties that contain URLs  location.href, window.location, etc

14 14 ©2008 Gotham Digital Science SPF Reverse Proxy Test Cases  IIS7 Reverse Proxy allows SPF to protect any web application –Used to perform testing against several applications –Can be leveraged to determine compatibility with SPF SPF TESTER / EVALUATOR SPF REVERSE PROXY (IIS7) WEB/APP SERVER

15 15 ©2008 Gotham Digital Science Live Demonstration DEMO

16 16 ©2008 Gotham Digital Science Questions  Justin Clarke - justin @ gdssecurity. com  Andrew Carey Nairn – andrew @ gdssecurity. com  GDS Blog: –http://www.gdssecurity.com/l/b

Download ppt "©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
Global Systems Division (GSD) Information and Technology Services Web Services Gateway Implementation Michael Doney Bobby Kelley Peter Lannigan John Parker.

Global Systems Division (GSD) Information and Technology Services Web Services Gateway Implementation Michael Doney Bobby Kelley Peter Lannigan John Parker.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Similar presentations

Ads by Google