NET from the Hacker's Perspective
Transcript of NET from the Hacker's Perspective
.NET from the HackerÕsPerspective
What Hackers DislikeRiskWhat Hackers LikeSummary
What Hackers Dislike
l .NET Buffer Overflows
l Role Security
l CAS Code Access Security
l Cryptography
l Summary
.NET Buffer Overflows
l Managed Code
l Legacy Code
l The Developer Mind Set
.NET Buffer Overflows: ManagedCode
l Self-resizing variables
l .NET Framework keeps fixed sizedvariables from being copied to byvariable sized variables
.NET Buffer Overflows: LegacyCode
l It is still very common to use previouslycoded modules and routines
l Why reinvent the wheel?l Security?
.NET Buffer Overflows: TheDeveloperÕs Mind Set
l No buffer overflows in .NET? I no longerneed to bounds check my variable lengthvariables.
l Less could mean more
What Hackers Dislike
l Buffer Overflows
l Role Security
l CAS Code Access Security
l Cryptography
l Summary
Role Security
l DonÕt call meÉ IÕll call you
l Framework for defining class andfunction level call security
What Hackers Dislike
l Buffer Overflows
l Role Security
l CAS Code Access Security
l Cryptography
l Summary
CAS Code Access Security
l Mobile Code
l Default user permission settings for theInternet Zone makes hard case forignoring use in public market
l Signing Assemblies (GAC)
l Key Management (Source Safe)
What Hackers Dislike
l Buffer Overflows
l Role Security
l CAS Code Access Security
l Cryptography
l Summary
Cryptography
l Encrypt vs. Encode vs. Hashing
l Minimal Coding Requirements
l Fast
l Easy Key Management
l XML
What Hackers Dislike
l Buffer Overflows
l Role Security
l CAS Code Access Security
l Cryptography
l Summary
What Hackers Dislike: Summary
l Buffer Overflow Protectionl Always bounds check
l Role Based Security In Codel Validate who is allowed to call functions
l Newer Code Difficult To Trojanl Avoid Trojans like ÒFunLoveÓ
l Everything Encryptedl Avoid information leakage
.NET from the HackerÕsPerspective
What Hackers DislikeRiskWhat Hackers LikeSummary
Risk
l Everyone has a deadline
l Everyone has a performancerequirement
l NEW -> Everyone has a securityrequirement
l Dollar -> Security -> Risk
.NET from the HackerÕsPerspective
What Hackers DislikeRiskWhat Hackers LikeSummary
What Hackers Like
l Information Leakagel View state
l XML
l SQL errors
l Web errors
l Cookies
l URLs
l Does easy todevelop mean easyto exploit?
l Cross Site Scripting
l Reaply/Hijacking
l Injection XML/SQL
Information Leakage: View State
l View Statel Base64 encoded
l Dynamic properties of server-side controls
l Map to exposures and vulnerabilities
Information Leakage: XML
l The world of plaintext
l Sniffed traffic can lead to informationleakage
l Encrypting XML can be cumbersomeand degrades performance
l Signing XML is also difficult anddegrades performance
Information Leakage: SQL errors
l Not once, not twice, but N times
l The exploitation road map to accessingyour dataÉ
l The small to medium company go-to-guy
Information Leakage: Web errors
l Programmers are logical
l Hackers are logical
l Login examplel Password Invalid
l User Invalid
l User or Password Invalid
l Enumeration functions
Information Leakage: Cookies
l Stored on client
l Modifiable
l Extents to any client side persisted stateinformation
l Serialization
l Client to server program configurationfiles (non-HTTP)
Information Leakage: URLs
l URLs tell a storyl System Administrator/Deployment Know-
How
l Incrementing variables
l Arguments to functions
What Hackers Like
l Information Leakagel View state
l XML
l SQL errors
l Web errors
l Cookies
l URLs
l Does easy todevelop mean easyto exploit?
l Cross Site Scripting
l Replay/Hijacking
l Injection XML/SQL
Information Leakage: EasyDevelopment leads to Easy Exploits
l If I do not incorporate security knowledgeand processing during development anddeployment of all resources, regardlessof whether the access to that resource isanonymous or authenticated, isexploitation possible? YES.
What Hackers Like
l Information Leakagel View state
l XML
l SQL errors
l Web errors
l Cookies
l URLs
l Does easy todevelop mean easyto exploit?
l Cross Site Scripting
l Replay/Hijacking
l Injection XML/SQL
Cross Site Scripting
l HTML inputs for everyone
l How do I validate?
l Just donÕt do it if you can avoid itÉ gooddesign makes for good security
What Hackers Like
l Information Leakagel View state
l XML
l SQL errors
l Web errors
l Cookies
l URLs
l Does easy todevelop mean easyto exploit?
l Cross Site Scripting
l Replay/Hijacking
l Injection XML/SQL
Replay / Hijacking
l Session Hijackingl HTTP Session IDs
l .NET Forms Authentication
l Got SSL?l Hey! Cross Site Scripting to the rescueÉ
l Validation = ( Authentication -> Session )* Each Request
What Hackers Like
l Information Leakagel View state
l XML
l SQL errors
l Web errors
l Cookies
l URLs
l Does easy todevelop mean easyto exploit?
l Replay/Hijacking
l Injection XML/SQL
Injection XML/SQL
l SOAP
l Dynamic SQL
l .NET SqlParameter
.NET from the HackerÕsPerspective
What Hackers DislikeRiskWhat Hackers LikeSummary
Summary
l Parameter validation still key to amajority of vulnerabilities
l Why authenticate when you can hijack?
l Sign code, encrypt data, or elseÉ
l Server side security much betterÉcommunication security still difficult tosecure with ease, but definitely possible