Building Secure Web Applications With ASP.Net MVC


DESCRIPTION

Building Secure Web Applications. With ASP.Net MVC. What is ASP.Net MVC? An extension to ASP.Net. Implements the MVC software pattern that divides an application's implementation into three component roles: models, views, controllers. Models. - PowerPoint PPT Presentation


Page 1: Building Secure Web Applications

Building Secure Web Applications

With ASP.Net MVC

Page 2: Building Secure Web Applications

What is ASP.Net MVC?

An extension to ASP.Net.

Implements the MVC software pattern that divides an application's implementation into three component roles:
– models
– views
– controllers.

Page 3: Building Secure Web Applications

Models

"Models" in an MVC based application are the components responsible for:
– Maintaining state.
– Often a database.

Page 4: Building Secure Web Applications

Views

"Views" in an MVC based application are the components responsible for:
– Displaying the application's user interface.
– Typically this UI is created off of the model data.

Page 5: Building Secure Web Applications

Controllers

Responsible for:
– Handling user interaction
– Manipulating the model
– Choosing a view to render to display UI.

In an MVC application the view is only about displaying information - it is the controller that handles and responds to user input and interaction.

Page 6: Building Secure Web Applications

Part 1: Form Security

Cross Site Scripting (XSS)

Injection Flaws

Page 7: Building Secure Web Applications

Cross Site Scripting (XSS)

Common flaw in web applications.

Allows attackers to execute script in the victim's browser.

Caused by improper input validation and encoding.

Page 8: Building Secure Web Applications

Cross Site Scripting Prevention

Request Validation enabled by default.

Server.HtmlEncode();

Microsoft AntiXSS Library
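The three items above in one place, as an added example that is not part of the slides: Request Validation is left on, and every user-supplied string is HTML-encoded on output with Server.HtmlEncode / HttpUtility.HtmlEncode before it is placed in markup. The CommentsController, its action and the CommentHtml helper are assumptions for illustration; the AntiXSS call in the comment names the Encoder class of the AntiXSS library 4.x (earlier versions used a class named AntiXss).

```csharp
// Added example, not from the slides. Controller, action and helper names
// are hypothetical.
using System;
using System.Web;
using System.Web.Mvc;

public class CommentsController : Controller
{
    // Request Validation stays enabled (the ASP.Net MVC default): a posted
    // field containing markup such as "<script>" is rejected before this
    // action runs. Adding [ValidateInput(false)] turns that off for the
    // action, so only do it where raw markup is genuinely required, and
    // encode on output regardless.
    [HttpPost]
    public ActionResult Post(string author, string body)
    {
        // Validation alone is not sufficient: encoding at the point of
        // output is what prevents a stored value from being parsed as HTML.
        // "<script>alert(1)</script>" becomes
        // "&lt;script&gt;alert(1)&lt;/script&gt;" and renders as text.
        string safeAuthor = Server.HtmlEncode(author ?? string.Empty);
        string safeBody = Server.HtmlEncode(body ?? string.Empty);

        ViewData["CommentHtml"] = CommentHtml.Render(safeAuthor, safeBody);
        return View();
    }
}

public static class CommentHtml
{
    // Builds a fragment from strings that are ALREADY encoded. The encoded
    // input cannot close the <p> or open a <script> element, because '<',
    // '>', '&' and '"' have become &lt; &gt; &amp; and &quot;.
    public static string Render(string encodedAuthor, string encodedBody)
    {
        return "<p class=\"comment\"><b>" + encodedAuthor + "</b>: " +
               encodedBody + "</p>";
    }

    // The same encoding outside a Controller, where Server is unavailable.
    // With the Microsoft AntiXSS Library (4.x) this line would read
    // Microsoft.Security.Application.Encoder.HtmlEncode(untrusted), which
    // works from a whitelist of safe characters instead of a blacklist.
    public static string Encode(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }
}
```

In an ASPX view the pre-encoded fragment is written with `<%= ViewData["CommentHtml"] %>`; a raw value should instead go through `<%: %>` (ASP.Net 4), which encodes for you. Encode for the context the value lands in: HtmlEncode is right for element content and quoted attributes, not for a JavaScript string or a URL.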

Page 9: Building Secure Web Applications

Injection Flaws

Common in web applications.

Caused when user input is evaluated as part of a command or query.

SQL Injection most common.

If _userName = "admin" and _password = "' OR 1 = 1 --" the result would be:

SELECT * FROM tblUsers WHERE UserName = 'admin' and Password = '' OR 1 = 1 --'

Page 10: Building Secure Web Applications

Injection Prevention

MVC is built around a data Model

Object Relational Mappers (ORM)
– Linq to SQL
– ADO.Net Entity Framework

Handle CRUD commands in an Injection safe way.
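The slide before this one shows the injected query; this one names the fix. As an added example that is not part of the slides, here is the concatenated query from the slide beside two injection-safe versions of the same lookup: an ADO.Net parameterized command and a Linq to SQL query. tblUsers, UserName and Password are the slide's names; the connection string, the User entity and UsersDataContext (a generated Linq to SQL DataContext with a Users table) are assumptions.

```csharp
// Added example, not from the slides. LoginRepository, UsersDataContext and
// the User entity are hypothetical; the table and column names come from
// the slide.
using System.Data.SqlClient;
using System.Linq;

public class LoginRepository
{
    private readonly string _connectionString;

    public LoginRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the slide's query, assembled by string concatenation.
    // Input becomes part of the SQL text, so a password of "' OR 1 = 1 --"
    // yields ... Password = '' OR 1 = 1 --' and the WHERE clause is always
    // true. (It also compares plaintext passwords, as the slide's schema
    // does; a real application stores and compares a salted hash.)
    public bool LoginUnsafe(string userName, string password)
    {
        string sql = "SELECT * FROM tblUsers WHERE UserName = '" + userName +
                     "' and Password = '" + password + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                return reader.Read();
            }
        }
    }

    // SAFE: parameters. The SQL text is fixed at compile time; the values
    // travel to the server separately and are never parsed as SQL, so the
    // same password is just a string that matches no row.
    public bool LoginParameterized(string userName, string password)
    {
        const string sql =
            "SELECT 1 FROM tblUsers WHERE UserName = @user AND Password = @pass";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@user", userName);
            cmd.Parameters.AddWithValue("@pass", password);
            conn.Open();
            return cmd.ExecuteScalar() != null;
        }
    }

    // SAFE: Linq to SQL. The ORM translates the expression tree into a
    // parameterized query itself, which is why the slide recommends an ORM
    // for CRUD work: the developer never builds SQL text from input.
    public bool LoginLinq(string userName, string password)
    {
        using (var db = new UsersDataContext(_connectionString))
        {
            return db.Users.Any(u => u.UserName == userName &&
                                     u.Password == password);
        }
    }
}
```

The ORM keeps you safe only while you stay inside it: DataContext.ExecuteQuery and Entity Framework's raw-SQL methods accept a string, and a string built by concatenation there reintroduces the problem from the previous slide.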

Page 11: Building Secure Web Applications

Part 2: Application Security

Page 12: Building Secure Web Applications

Malicious File Execution

Occurs when an attacker is able to upload and execute code on a server.

The ASP.Net MVC Advantage
– Classic ASP.Net served pages from their corresponding location on the disk.
– ASP.Net MVC routes requests to the appropriate controller and view.
– Attacker doesn't know the application's directory structure.

Page 13: Building Secure Web Applications

Insecure Direct Object Reference

Occurs when an application exposes a direct reference to a resource.
– Files
– Primary keys for database records

Attackers can edit these references to gain access to protected data.

Prevention:
– Encrypt any reference data when passing it between pages.
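One way to follow the slide's advice, as an added example that is not part of the slides: the record's primary key is never sent to the browser in the clear; it is encrypted and signed with MachineKey.Protect (System.Web.Security, .NET 4.5 and later) and the controller refuses any token that has been edited. The example also adds the check a protected token does not replace: that the record belongs to the requesting user. The Invoice type, IInvoiceRepository and InvoicesController are assumptions.

```csharp
// Added example, not from the slides. Invoice, IInvoiceRepository and the
// controller are hypothetical; MachineKey and UrlTokenEncode are real
// framework APIs.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class ProtectedReference
{
    // The purpose string binds a token to one use: a token minted for an
    // invoice reference will not unprotect as, say, a file reference.
    private const string Purpose = "InvoiceReference";

    // 42 -> an opaque, encrypted and authenticated, URL-safe token.
    public static string Protect(int id)
    {
        byte[] plain = Encoding.UTF8.GetBytes(id.ToString());
        byte[] protectedBytes = MachineKey.Protect(plain, Purpose);
        return HttpServerUtility.UrlTokenEncode(protectedBytes);
    }

    // Returns null when the token is malformed or has been altered:
    // MachineKey verifies the MAC before decrypting, so a changed byte
    // raises CryptographicException instead of yielding another id.
    public static int? Unprotect(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        try
        {
            byte[] protectedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (protectedBytes == null) return null;
            byte[] plain = MachineKey.Unprotect(protectedBytes, Purpose);
            int id;
            return int.TryParse(Encoding.UTF8.GetString(plain), out id)
                ? id : (int?)null;
        }
        catch (CryptographicException) { return null; }
        catch (FormatException) { return null; }
    }
}

public class InvoicesController : Controller
{
    private readonly IInvoiceRepository _invoices;   // assumed data access

    public InvoicesController(IInvoiceRepository invoices)
    {
        _invoices = invoices;
    }

    // Links are generated as /Invoices/Show?token=<ProtectedReference.Protect(id)>,
    // never as /Invoices/Show?id=42.
    public ActionResult Show(string token)
    {
        int? id = ProtectedReference.Unprotect(token);
        if (id == null) return HttpNotFound();

        Invoice invoice = _invoices.Find(id.Value);
        // A valid token proves the server issued it, not that it was issued
        // to this user. Ownership is still checked on every request.
        if (invoice == null || invoice.OwnerUserName != User.Identity.Name)
            return HttpNotFound();

        return View(invoice);
    }
}

public interface IInvoiceRepository
{
    Invoice Find(int id);
}

public class Invoice
{
    public int Id;
    public string OwnerUserName;
}
```

MachineKey.Protect uses the machineKey configured in web.config; on a web farm every server must share the same explicit key or tokens minted by one server will fail on another.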

Page 14: Building Secure Web Applications

Cross Site Request Forgery (CSRF)

Tricks a logged-on victim's browser into sending a pre-authenticated request to a vulnerable web application.

Can cause a user to perform an action they did not intend to do.

Example:

Page 15: Building Secure Web Applications

CSRF Prevention

Avoid updating user data from HTTP Get requests.

ASP.Net MVC AntiForgeryToken
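The two rules on this slide applied to one action, as an added example that is not part of the slides: the GET only renders the form, the POST is the only request that changes state, and [ValidateAntiForgeryToken] on the POST checks the token that Html.AntiForgeryToken() placed in the form. ProfileController, its action and IProfileStore are assumptions.

```csharp
// Added example, not from the slides. Controller, action and IProfileStore
// are hypothetical; the attributes and Html.AntiForgeryToken() are ASP.Net
// MVC's own.
using System.Web.Mvc;

public class ProfileController : Controller
{
    private readonly IProfileStore _profiles;   // assumed persistence

    public ProfileController(IProfileStore profiles)
    {
        _profiles = profiles;
    }

    // GET only renders the form and changes nothing, so a forged link or
    // <img src="..."> pointing at this URL has no effect on the account.
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // The view must render Html.AntiForgeryToken() inside the form. That
    // emits a hidden __RequestVerificationToken field whose value is paired
    // with a cookie the attacker's page cannot read. ValidateAntiForgeryToken
    // throws HttpAntiForgeryException (a 500 by default) when the field is
    // missing or does not match the cookie, which is exactly the situation
    // for a form auto-submitted from another site.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        if (string.IsNullOrWhiteSpace(newEmail))
        {
            ModelState.AddModelError("newEmail", "Email is required.");
            return View();
        }

        _profiles.SetEmail(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }
}

public interface IProfileStore
{
    void SetEmail(string userName, string newEmail);
}
```

In the ASPX view the form body starts with `<%= Html.AntiForgeryToken() %>` inside `Html.BeginForm()`; in a Razor view it is `@Html.AntiForgeryToken()`. The token only helps on actions that carry the attribute, so every state-changing POST needs it, not just the one shown here.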

Page 16: Building Secure Web Applications

Attack Result

Page 17: Building Secure Web Applications

Information Leakage and Improper Error Handling

Improper error handling exposes implementation detail.

Prevention:
– Disable debugging.
– Custom error pages.
– ASP.Net MVC HandleError Attribute
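The three prevention items together, as an added example that is not part of the slides: the web.config settings that turn debugging off and custom errors on (quoted in the comment, since HandleError does nothing while customErrors is off), and HandleError attributes routing exceptions to views that show no detail. ReportsController, IReportStore and the Timeout view are assumptions.

```csharp
// Added example, not from the slides. The controller, IReportStore and the
// view names are hypothetical; HandleErrorAttribute and its properties are
// ASP.Net MVC's own.
using System;
using System.Web.Mvc;

// web.config (system.web section) that the attributes below depend on.
// Without customErrors mode="On" (or "RemoteOnly") HandleError is skipped
// and the yellow ASP.Net error page, stack trace included, is returned:
//
//   <compilation debug="false" />
//   <customErrors mode="On" defaultRedirect="~/Error" />

// HandleError picks the first attribute, in Order, whose ExceptionType
// matches the thrown exception, so the most specific one gets the lowest
// Order. The chosen view is rendered with a HandleErrorInfo model; the
// view shows a generic message and must not echo model.Exception.
[HandleError(ExceptionType = typeof(TimeoutException), View = "Timeout", Order = 1)]
[HandleError(View = "Error", Order = 2)]
public class ReportsController : Controller
{
    private readonly IReportStore _reports;   // assumed data access

    public ReportsController(IReportStore reports)
    {
        _reports = reports;
    }

    public ActionResult Run(int id)
    {
        // Any exception thrown here (a TimeoutException from a slow query,
        // a SqlException with table names in its message, ...) reaches the
        // user only as the Timeout or Error view, never as the raw message.
        var report = _reports.Load(id);
        if (report == null) return HttpNotFound();
        return View(report);
    }
}

public interface IReportStore
{
    object Load(int id);
}
```

Log the exception server-side (for instance in an Application_Error handler or a logging filter) before it is swallowed by the custom page; the slide's goal is to keep detail away from the client, not from the operators.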

Page 18: Building Secure Web Applications

Failure to Restrict URL Access

Web application only protects URLs by not showing them to unauthorized users.

URLs can still be accessed manually.

Prevention:
– ASP.Net MVC [Authorize] Attribute
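The slide's fix in code, as an added example that is not part of the slides: hiding a link in the view is a convenience for the user, while [Authorize] on the controller or action is the control that holds when the URL is typed directly. AdminController, its actions and IUserStore are assumptions.

```csharp
// Added example, not from the slides. The controller, actions and
// IUserStore are hypothetical; AuthorizeAttribute is ASP.Net MVC's own.
using System.Web.Mvc;

// Applied at class level: every action here requires an authenticated
// user. A request without one gets a 401, which Forms Authentication turns
// into a redirect to the login page, whether or not the user ever saw a
// link to /Admin.
[Authorize]
public class AdminController : Controller
{
    private readonly IUserStore _users;   // assumed data access

    public AdminController(IUserStore users)
    {
        _users = users;
    }

    public ActionResult Index()
    {
        // The view may still wrap the "Delete user" link in
        // <% if (User.IsInRole("Administrators")) { %> ... <% } %>, but that
        // only tidies the menu; the attribute on DeleteUser is the control.
        return View();
    }

    // Narrowed further: a logged-in user outside the Administrators role
    // who types /Admin/DeleteUser gets 401 as well. POST plus the
    // anti-forgery token because it changes state (see the CSRF slides).
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Administrators")]
    public ActionResult DeleteUser(string userName)
    {
        _users.Delete(userName);
        return RedirectToAction("Index");
    }
}

public interface IUserStore
{
    void Delete(string userName);
}
```

Per-action attributes are easy to forget on a new action. From ASP.Net MVC 3 the attribute can be registered as a global filter (GlobalFilters.Filters.Add(new AuthorizeAttribute())) so that everything is protected by default, and from MVC 4 individual public actions such as the login page opt out with [AllowAnonymous].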

Page 19: Building Secure Web Applications

Thank You

Kevin Watt

www.list2lend.com

Chris Brousseau

www.windows7ips.com