Secure Programming in C#
Siddharth Bezalwar
Agenda
Common mistakes (insecure coding practices).
Illustrations based on the OWASP Top 10 web vulnerabilities.
Secure coding practices.
Secure Coding?
Developing practice to guard against the accidental introduction of vulnerabilities.
Quick Look
C#: a simple, modern, general-purpose, object-oriented programming language.
Developed by Microsoft within its .NET initiative, led by Anders Hejlsberg.
Very much based on the C and C++ programming languages.
Vulnerabilities
OWASP Top 10 2013 Vulnerabilities
A1 - Injection (SQL Injection)
A2 - Broken Authentication and Session Mgt. (Password Storage)
A3 - Cross-site Scripting
A5 - Security Misconfiguration
A8 - CSRF
A1 - Injection (SQL Injection)
SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Vulnerable Code
Normal input:
SELECT * FROM ProductDB where id='1' AND name='XYZ' and cost='123';
Malicious input (' or '1'='1 appended to each field):
SELECT * FROM ProductDB where id='1' or '1'='1' AND name='XYZ' or '1'='1' AND cost='123' or '1'='1';
Incorrect Mitigation
Client side validations.
Blacklisting of SQL keywords
Checking number of rows returned.
Secure Code
Parameterized SQL query and how it works:
Parameters, i.e. user inputs, are never inserted directly into the statement text.
A system stored procedure called sp_executesql is called with the given SQL statement and its parameters.
Parameters are treated as data instead of being parsed as part of the SQL statement string.
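The string-concatenated query from the slides beside its parameterized replacement, as an added example (not the deck's own code). It assumes a SQL Server table ProductDB(id, name, cost) and a connection string supplied by the caller.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the slides. Table ProductDB(id, name, cost) is assumed.
public static class ProductLookup
{
    // Vulnerable: user input becomes part of the statement text, so the payload
    // ' or '1'='1 shown above is parsed as SQL grammar rather than as a value.
    public static string BuildUnsafeQuery(string id, string name, string cost)
    {
        return "SELECT * FROM ProductDB WHERE id='" + id + "' AND name='" + name
             + "' AND cost='" + cost + "';";
    }

    // Secure: the statement text is fixed; values travel as typed parameters.
    // SqlClient sends this to SQL Server through sp_executesql, so each parameter
    // is bound as data and is never re-parsed as SQL. The int/decimal types also
    // reject the quote-bearing payload before it reaches the database.
    public static DataTable FindProduct(string connectionString, int id, string name, decimal cost)
    {
        const string sql =
            "SELECT * FROM ProductDB WHERE id = @id AND name = @name AND cost = @cost;";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@cost", SqlDbType.Decimal).Value = cost;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

Running SQL Profiler against FindProduct shows the sp_executesql call with @id, @name and @cost passed separately from the statement text, which is the behaviour the bullets above describe.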
A2 - Broken Authentication and Session Management
Attackers exploit leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users. Developers frequently build custom authentication and session management schemes, but building these correctly is hard.
Secure Implementation
Do not store passwords in plain text.
Don't attempt to implement your own hashing scheme; use strong, valid, time-proven and tested cryptographic algorithms such as those in ASP.NET Identity (be aware of its low iteration count of 1000).
For scenarios where your own implementation is required, use a unique salt with a high level of entropy for each password hash. Hash with a valid password-hashing algorithm such as PBKDF2 or bcrypt with a high number of hashing rounds.
https://cmatskas.com/-net-password-hashing-using-pbkdf2/
Password Storage:
Wacky Hash Functions
md5(sha1(password))
md5(md5(salt) + md5(password))
sha1(sha1(password))
sha1(str_rot13(password + salt))
md5(sha1(md5(md5(password) + sha1(password)) + md5(password)))
A3 - Cross-site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Vuln. Code (Reflected)
Sanitization (encoding) of user input is missing.
The user's input is included in the web page and treated as code by the victim's browser.
User input: alert(Hacked)
Secure Implementation
On the .aspx file, ValidateRequest="true" rejects the input because it includes potentially dangerous HTML characters.
Encode HTML output: Server.HtmlEncode (HttpServerUtility)
HttpUtility.HtmlEncode
Encode URL output: Server.UrlEncode (HttpServerUtility)
HttpUtility.UrlEncode
Secure Implementation contd.
To safely allow restricted HTML input: disable ASP.NET request validation by adding the ValidateRequest="false" attribute to the @ Page directive.
Encode the string input with the HtmlEncode method.
Use a StringBuilder and call its Replace method to selectively remove the encoding on the HTML elements that you want to permit.
Secure Implementation Contd.
HTML-encoding of user input.
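The "encode everything, then selectively un-encode" procedure from the previous two slides written out, as an added example (not the deck's code). The allow-list of tags is an assumption; it is deliberately restricted to bare tags so that attribute-bearing markup (event handlers, href, style) stays encoded.

```csharp
using System;
using System.Text;
using System.Web;

// Added example, not from the slides. Encodes all user input with HttpUtility.HtmlEncode,
// then restores only exact open/close tags from a fixed allow-list via StringBuilder.Replace.
public static class SafeHtml
{
    // Tags permitted without attributes. Because only the literal "<b>" / "</b>" forms
    // are restored, "<b onmouseover=...>" remains "&lt;b onmouseover=...&gt;".
    private static readonly string[] AllowedTags = { "b", "i", "u", "strong", "em" };

    public static string EncodeAllowingBasicFormatting(string untrusted)
    {
        if (untrusted == null) return string.Empty;

        // Step 1: encode the whole input; "<script>" becomes "&lt;script&gt;" and
        // quotes become entities, so nothing the user typed is markup any more.
        var sb = new StringBuilder(HttpUtility.HtmlEncode(untrusted));

        // Step 2: selectively remove the encoding on the allow-listed elements only.
        foreach (var tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }

    // Output sink for the reflected case: encode the parameter instead of echoing it.
    public static string SafeGreeting(string nameFromQueryString)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(nameFromQueryString) + "</p>";
    }
}
```

Feeding the slide's payload through EncodeAllowingBasicFormatting leaves the script element encoded while a plain bold tag is rendered, which is the behaviour the three steps describe.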
Vuln. Code (DOM)
HTML content is set without validation and sanitization.
Secure Code
Create a text node and append it to the DOM element.
HTML-escape, then JavaScript-escape, in an HTML subcontext.
URL-escape, then JavaScript-escape, in a URL attribute subcontext.
JavaScript-escape in HTML and CSS attribute contexts. For an HTML attribute, escape the untrusted input and then set the attribute of the DOM element.
For a CSS attribute: document.body.style.backgroundImage = "url()"
Secure Implementation
Use OWASP ESAPI ( https://www.owasp.org/index.php/ESAPI )
A5 - Security Misconfiguration
Security misconfiguration arises when security settings are defined, implemented, and maintained as defaults. Good security requires a secure configuration defined and deployed for the application, web server, database server, and platform. It is equally important to keep the software up to date.
Web.Config File
Debug settings:
Request Processing:
Cookie Settings:
Trace Settings:
Web application settings ()
Directory Browsing Setting:
Web server settings ()
Custom Header Setting: The element of the element specifies custom HTTP headers.
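A Web.config fragment covering the settings listed above, as an added example (not the deck's own file). It assumes an ASP.NET 4.x site hosted on IIS; each element is commented with the default it replaces, and the error page path and header values are assumptions.

```xml
<!-- Added example, not from the slides. ASP.NET 4.x on IIS is assumed. -->
<configuration>
  <system.web>
    <!-- Debug settings: debug="true" emits debug symbols and disables script timeouts. -->
    <compilation debug="false" targetFramework="4.7.2" />
    <!-- Request processing: keep request validation on and hide the ASP.NET version header. -->
    <pages validateRequest="true" />
    <httpRuntime enableVersionHeader="false" requestValidationMode="4.5" />
    <!-- Cookie settings: defaults are httpOnlyCookies="false" and requireSSL="false". -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Trace settings: enabled="true" exposes trace.axd with full request/response detail. -->
    <trace enabled="false" />
    <!-- Error handling: mode="Off" returns stack traces to remote clients. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <!-- Session cookie: cookie-based only (no session ID in the URL), short idle timeout. -->
    <sessionState cookieless="UseCookies" timeout="20" />
  </system.web>
  <system.webServer>
    <!-- Directory browsing: enabled="true" lists folder contents when no default document exists. -->
    <directoryBrowse enabled="false" />
    <httpProtocol>
      <customHeaders>
        <!-- Custom headers: add defensive headers and drop the framework fingerprint. -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="DENY" />
        <add name="Content-Security-Policy" value="default-src 'self'" />
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```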
A8 - Cross-site Request Forgery
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Wrong Assumptions
Assuming that SSL/TLS will thwart CSRF attacks just because the cookie is marked "Secure" and/or "HttpOnly".
Referer header verification as the only protection.
Any CSRF protection is null and void given the presence of XSS
Cookie double-submission when the cookie utilized is the session cookie.
Secure Implementation
Use Anti-Forgery Tokens
1. Generate the security token (or grab it from the session state) and send the token as a session cookie (again, managed in the session state, unique per session) as well as within a hidden value in each form.
2. Once the user submits the form, validate the token stored in the session state against the token included in the submitted form value. On failure, disregard the form.
Rendering the token as a hidden field on the aspx page.
Method for generating a random token and response handling.
Generating the token and saving it in session.
Validating the token received from the request against the token saved in session state.
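The generate / render / validate methods the last four slides describe, as an added example that is not the deck's own code. It assumes an ASP.NET WebForms page on .NET Framework (hence the hand-written constant-time compare, since CryptographicOperations is unavailable there); the session key and hidden-field name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

// Added example, not from the slides: steps 1-2 above for an ASP.NET WebForms page.
// The session key and hidden-field name are assumptions.
public static class AntiForgery
{
    private const string SessionKey = "__csrfToken";
    public const string FieldName = "__csrfToken";

    // Step 1: return this session's token, creating a 256-bit random one on first use.
    public static string GetOrCreateToken(HttpSessionState session)
    {
        var token = session[SessionKey] as string;
        if (string.IsNullOrEmpty(token))
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    // Rendering: emit the token as a hidden field; attribute-encode it as per A3.
    public static string RenderHiddenField(HttpSessionState session)
    {
        var value = HttpUtility.HtmlAttributeEncode(GetOrCreateToken(session));
        return "<input type=\"hidden\" name=\"" + FieldName + "\" value=\"" + value + "\" />";
    }

    // Step 2: compare the posted token with the session copy; reject on any mismatch,
    // including a missing session token (no token was ever issued for this session).
    public static bool IsValidRequest(HttpRequest request, HttpSessionState session)
    {
        var expected = session[SessionKey] as string;
        var submitted = request.Form[FieldName];
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(submitted)) return false;
        return FixedTimeEquals(expected, submitted);
    }

    // Constant-time comparison so response timing does not leak matching prefixes.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call IsValidRequest at the top of every state-changing postback handler and abort the action when it returns false; a token stored in session state, as opposed to a cookie alone, is what keeps the "cookie double-submission with the session cookie" assumption above from applying.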
Thank you!!!