Web Platform Security
Vimal Rajyaguru
Security Engineer
Microsoft ACE Security Team
Need for Security
• Web applications are most vulnerable to attacks.
• Popular web development platforms are ASP.Net, LAMP
and J2EE platform
• All these platforms offer certain security features to
mitigate against common security vulnerabilities.
• However it is up to the developers to use these features
effectively and develop secure applications.
Agenda
• ASP.NET Security
• IIS Security
• Summary
Common attacks
• Code injection
• Session hijacking
• Identity spoofing
• Parameter manipulation
• Network eavesdropping
ASP.NET Security
Why ASP.NET?
• ASP.NET as a Web Platform consists of security as an
in-built mechanism for many of the common
requirements.
• The built-in architecture and APIs help in developing
secure web applications quickly
ASP.NET Security
• Secured by Design
– Form Validation
– View State Tampering
– Input Validation
• Secured by Default
– Web Configuration
– Authentication / Authorization Techniques
– Membership Provider
• Secured by Deployment
– Precompiled Deployment in ASP.NET 2.0
– PE Verification
Protection against XSS
• ValidateRequest: Checks request for potentially
dangerous content like javascript, html etc.
• Enabled by default.
• Can be toggled at application level in web.config
<pages validateRequest="true" />
• Can also be toggled at page level also
<%@ Page Language="C#" ValidateRequest="true" %>
*Use output encoding to effectively defend against Cross-Site scripting attacks. Use Microsoft Anti-Xss library
(http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en) to encode output.
Protection against XSS contd…
• Encode all user-controllable output using Microsoft Anti-XSS Library's appropriate encoding methods.
– Anti-Xss Library can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en
• Use XSSDetect – A freely available tool from MSDN to analyze .Net code for XSS vulnerabilities.
– XssDetect can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=19A9E348-BDB9-45B3-A1B7-44CCDCB7CFBE&displaylang=en
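The two slides above say "encode output" but do not show what that looks like next to the code it replaces. The following is an added example, not code from the slides or from the Anti-XSS library: one handler that echoes a query-string value into the page, first unencoded and then encoded per output context with the System.Web HttpUtility methods. The page class name, the query-string key "q" and the markup strings are assumptions.

```csharp
// Added example (not from the slides): the same "echo the search term"
// handler written unsafely and safely, to show where encoding belongs.
using System;
using System.Web;
using System.Web.UI;

public partial class SearchPage : Page
{
    // Vulnerable: request input goes straight into the HTML response.
    // ValidateRequest only rejects a fixed set of suspicious patterns, can
    // be disabled per page, and does nothing for data read from a database,
    // so it is not a substitute for encoding at the point of output.
    protected void RenderUnsafe()
    {
        string term = Request.QueryString["q"];
        Response.Write("<p>Results for: " + term + "</p>");
    }

    // Hardened: encode for the context the value lands in. A value that is
    // safe in one context (HTML body) can still break out of another
    // (attribute, URL), so the encoder is chosen per sink.
    protected void RenderSafe()
    {
        string term = Request.QueryString["q"] ?? string.Empty;

        // HTML body context
        Response.Write("<p>Results for: " + HttpUtility.HtmlEncode(term) + "</p>");

        // HTML attribute context (quotes are the dangerous characters here)
        Response.Write("<input type=\"text\" name=\"q\" value=\""
                       + HttpUtility.HtmlAttributeEncode(term) + "\" />");

        // URL query-string context (value embedded in a link)
        Response.Write("<a href=\"Search.aspx?q=" + HttpUtility.UrlEncode(term)
                       + "\">Search again</a>");
    }
}
```

Server.HtmlEncode is a thin wrapper over the same HttpUtility call. The Anti-XSS library the slide links to exposes equivalents under the Microsoft.Security.Application namespace (HtmlEncode, HtmlAttributeEncode, UrlEncode and, unlike HttpUtility in .NET 2.0, a JavaScriptEncode for script contexts); they differ from HttpUtility in encoding everything except a known-safe character set rather than only a short list of special characters, which is why the slide recommends them.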
Protection against XSRF/One-Click attack
• One-click attack relies on the ability of an attacker to
create a prefilled form which a user submits
unknowingly.
• Page.ViewStateUserKey ensures that the viewstate
cannot be calculated which prevents an attacker from
preparing a prefilled form.
protected override void OnInit(EventArgs e)
{
    // ...
    // Tie the ViewState MAC to this user's session so a form prepared in
    // another session fails validation on postback. Note that ASP.NET issues
    // a fresh SessionID on every request until something is stored in
    // Session, so make sure the session is established before relying on it.
    Page.ViewStateUserKey = Session.SessionID;
    // ...
    base.OnInit(e);
}
ViewState Protection
• ViewState is tamper-proof by default. This is controlled
by the key
<pages enableViewStateMac="true"/>
• An HMAC is calculated and appended to the ViewState
to ensure integrity. The key and algorithm used is
defined in the element
<machineKey validationKey="AutoGenerate,IsolateApps" validation="SHA1" />
• Viewstate can also be encrypted to ensure
confidentiality.
<pages viewStateEncryptionMode="Always" />
Protecting Forms Authentication cookie
• Authentication cookie can be protected.
<forms loginUrl="Login.aspx"
       protection="All"
       timeout="20"
       slidingExpiration="false"
       requireSSL="true" />
*Authentication cookies are httpOnly by default in ASP.Net 2.0
Event Validation in ASP.Net 2.0
• Event Validation verifies that arguments to postback or
callback events originate from the server control that
originally rendered them.
• Can be toggled at page level by
<%@ Page EnableEventValidation="true" %>
• Also at application level by
<pages enableEventValidation="true" />
ASP.NET Validation Controls
• Framework provides a variety of controls for common
validation tasks
– Required Field Validator
– Compare Validator
– Range Validator
– Regular Expression Validator
– Custom Validator
• Validates at client and server side. However, the Page.IsValid property
needs to be checked in the server-side handler to ensure that server
validation has succeeded, since the client-side check can be bypassed.
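To make the Page.IsValid point concrete, here is an added example (not code from the slides): the code-behind for a small registration form that combines a RequiredFieldValidator, a RegularExpressionValidator and a CustomValidator, with the server-side gate in the button handler. The control IDs, the markup shown in the comment and the reserved-name list standing in for a database lookup are all assumptions.

```csharp
// Added example (not from the slides). Assumed markup in Register.aspx:
//   <asp:TextBox ID="txtUser" runat="server" />
//   <asp:RequiredFieldValidator ID="rfvUser" runat="server" ControlToValidate="txtUser"
//        ErrorMessage="User name is required." />
//   <asp:RegularExpressionValidator ID="revUser" runat="server" ControlToValidate="txtUser"
//        ValidationExpression="^[A-Za-z0-9_]{3,20}$"
//        ErrorMessage="3-20 letters, digits or underscores." />
//   <asp:CustomValidator ID="cvUser" runat="server" ControlToValidate="txtUser"
//        OnServerValidate="cvUser_ServerValidate" ErrorMessage="User name is not available." />
//   <asp:Button ID="btnSubmit" runat="server" Text="Register" OnClick="btnSubmit_Click" />
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Register : Page
{
    // Constructed stand-in for a database lookup.
    private static readonly HashSet<string> ReservedNames =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "admin", "root", "system" };

    // Server-side half of the CustomValidator. The client-side JavaScript
    // can be disabled or bypassed, so the decision is repeated here.
    // RegularExpression and Custom validators do not fire on an empty value;
    // that is why the RequiredFieldValidator is also needed.
    protected void cvUser_ServerValidate(object source, ServerValidateEventArgs args)
    {
        args.IsValid = !ReservedNames.Contains(args.Value);
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // A button with CausesValidation (the default) runs all validators
        // before raising Click and records the outcome in Page.IsValid.
        // A request crafted without a browser skips the client checks
        // entirely, so this is the real gate.
        if (!Page.IsValid)
        {
            return;   // the validator controls render their ErrorMessage
        }

        CreateUser(txtUser.Text);
    }

    // Assumed back-end call.
    private void CreateUser(string userName)
    {
        // persist the new account
    }
}
```

If a handler runs with CausesValidation="false", call Page.Validate() before reading Page.IsValid; reading it without validation having run throws.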
Authentication & Authorization
[Diagram: the ASP.NET authentication and authorization model]
• Authentication – Who did the request come from?
– Windows
– Passport
– Forms
• Authorization – What is the caller allowed to do?
– File authorization
– URL authorization
• Impersonation – Use process identity or caller identity?
Configuring Authentication
Web.config:
<configuration>
  <system.web>
    <!-- mode="Windows|Passport|Forms|None" -->
    <authentication mode="Windows" />
  </system.web>
</configuration>
ASP.NET Authorization
• File authorization
– Typically combined with Windows auth
– Uses NTFS permissions to control access to resources based on
caller's Windows identity
• URL authorization
– Typically combined with forms authentication
– Controls access to resources based on caller's Windows,
Passport, or forms identity
– Applied in Web.config
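The forms-authentication cookie settings, the authentication mode and URL authorization from the preceding slides come together in one web.config. The following is an added example, not a configuration from the slides: it denies anonymous users application-wide, re-opens the login page, and restricts an admin folder to a role. The paths Login.aspx and Admin and the role name Administrators are assumptions.

```xml
<!-- Added example (not from the slides): forms authentication plus URL
     authorization in one web.config. Paths and the role name are assumed. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" = encrypt and MAC the ticket; requireSSL keeps the
           browser from sending the cookie over plain HTTP. -->
      <forms loginUrl="Login.aspx"
             protection="All"
             timeout="20"
             slidingExpiration="false"
             requireSSL="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Application-wide rule. Rules are evaluated top-down and the first
         match wins; "?" is the anonymous user, "*" is everyone. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The login page must stay reachable anonymously or nobody can log in. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Role-based rule for a sub-folder; roles come from the RoleProvider.
       The trailing deny is required: without it the inherited rules apply
       and an authenticated non-admin would be let through. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

On IIS 6 and earlier these URL-authorization rules only cover requests that ASP.NET handles; static files and classic ASP in the same folder bypass them unless their extensions are mapped to ASP.NET. IIS 7's integrated pipeline, described later in the deck, removes that gap.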
Role and Membership providers
• Provide features to implement authentication and
authorization quickly and securely.
• ASP.Net comes with SqlMembershipProvider and
ActiveDirectoryMembershipProvider
• Provides a lot of security features like password length
and complexity, storing hashed or encrypted passwords,
configuring account lockouts, password retrieval etc.
Protected Configuration Provider
• Protected Configuration Provider helps improve the
security of an application by letting you encrypt sensitive
information that is stored in a web.config file.
• Sections that contain sensitive information
– <appSettings>
– <connectionStrings>
– <identity>
– <sessionState>
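The slide names the provider but not how a section gets encrypted. As an added example (not code from the slides or from the .NET Framework documentation), here is a small helper that protects and unprotects a web.config section from code using the DPAPI provider; the application's virtual path "/MyApp" and the connection-string name "AppDb" in the usage comment are assumptions.

```csharp
// Added example (not from the slides): encrypting and decrypting a
// web.config section with the protected-configuration API.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // DPAPI keys are bound to this machine, so the encrypted web.config is
    // useless if copied elsewhere. Use RsaProtectedConfigurationProvider with
    // an exported key container when one web.config must serve a web farm.
    private const string ProviderName = "DataProtectionConfigurationProvider";

    // Returns true if the section was encrypted by this call, false if it
    // was already protected.
    public static bool Protect(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(ProviderName);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverse operation, e.g. before editing the section by hand.
    public static bool Unprotect(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}

// Usage, from a deployment step or an admin-only page (paths assumed):
//   ConfigProtector.Protect("/MyApp", "connectionStrings");
//   ConfigProtector.Protect("/MyApp", "appSettings");
// Application code is unchanged; ASP.NET decrypts transparently on read:
//   ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString
```

The same thing from the command line is aspnet_regiis -pe "connectionStrings" -app "/MyApp" (and -pd to decrypt). Whichever provider is used, the worker-process identity must be able to read the key: for the RSA provider that means granting it access to the key container, e.g. aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE".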
IIS Security
[Diagram: IIS Security Architecture]
• Authentication – Who did the request come from?
– Anonymous
– Basic
– Digest
– Integrated Windows
– X.509 Certificates
– Passport (IIS 6)
– Forms (IIS 7)
• Authorization – What is the caller allowed to do?
– Windows Access Control Lists
– Authorization rules (IIS 7)
• IP Restrictions – Are calls from this IP address allowed?
• SSL/TLS – Should traffic be encrypted?
• Protection and Pooling – Where should the code execute?
• Auditing / Request Tracing
Application pools in IIS
• Application pools separate applications by process
boundaries to prevent an application from affecting
another application on the server.
• Each application pool can be configured to run under a
separate service account.
*Application pools are available only in IIS 6 and IIS 7.
Worker Process Identity
• On IIS 5, ASP.NET runs as ASPNET by default.
– Weak local account with limited privileges
– Created at install time
– Password autogenerated
• On IIS 6 & IIS 7, ASP.NET runs as Network Service
(machine$) by default.
– Weak account with limited privileges
– Has network credentials
– Built into Windows 2003 Server
IIS 7 Security Enhancements
• Integrated Request Pipeline
– Authentication and Authorization modules available to all types
of content like ASP, static files etc.
– Can use features like .Net Role or membership providers for any
content.
– Can configure Authorization rules for all types of content in IIS.
Request filtering
• A tool like URLScan which can be used to filter requests
based on rules like URL patterns, content lengths,
encodings, verbs etc.
• Hidden Namespaces/Segments: Used to prevent IIS
from serving certain sections of url.
e.g. web.config, bin, App_code, App_Data etc.
This can be used to protect sections of website which should not be
accessible to user.
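Here is what the request-filtering rules described above look like in an IIS 7 web.config. This is an added example, not a configuration from the slides: it adds a hidden segment on top of the defaults the slide lists, caps request sizes, restricts verbs and blocks a couple of file extensions. The segment name "backup", the size limits and the extensions are assumed values.

```xml
<!-- Added example (not from the slides): IIS 7 request filtering in the
     application's web.config. Segment name, limits and extensions are assumed. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Reject URLs that are double-encoded or contain non-ASCII bytes;
           both are classic ways of sneaking past path checks. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">

        <!-- Segments IIS refuses to serve, added to the built-in list
             (web.config, bin, App_Code, App_Data, ...). -->
        <hiddenSegments>
          <add segment="backup" />
        </hiddenSegments>

        <!-- Request body (bytes), URL length and query-string length limits. -->
        <requestLimits maxAllowedContentLength="1048576"
                       maxUrl="2048"
                       maxQueryString="1024" />

        <!-- Only the listed verbs are accepted; everything else gets 404. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>

        <!-- Extensions that are never served even if the file exists.
             (.config, .cs, .mdf and similar are already denied by default;
             re-adding a default entry is a duplicate and fails to load.) -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
        </fileExtensions>

      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests blocked by these rules never reach the application, so they show up as 404.x sub-status codes in the IIS log rather than in the application's own logs; that is where to look when a legitimate client is unexpectedly rejected.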
Web Development Best Practices
• Don't trust user input.
• Encode all user-controllable outputs before displaying.
• Use parameterized SQL statements and stored
procedures.
• Employ the Principle of Least Privilege.
• Reduce attack surface by locking down web server and
application.
• Use structured exception handling.
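The "parameterized SQL and stored procedures" and "structured exception handling" bullets are illustrated by the following added example (not code from the slides): one lookup written with string concatenation, then as a parameterized command, then through a stored procedure. The table and column names, the procedure name dbo.GetUserEmail and the connection-string name "AppDb" are assumptions.

```csharp
// Added example (not from the slides): the same query three ways.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

public static class UserLookup
{
    private static string ConnectionString
    {
        // Assumed connection-string name; ideally a login that holds only
        // the rights this code needs (least privilege).
        get { return ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; }
    }

    // Vulnerable: the caller-controlled name becomes part of the SQL text,
    // so a quote character changes the structure of the statement.
    public static string GetEmailUnsafe(string userName)
    {
        using (var cn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE UserName = '" + userName + "'", cn))
        {
            cn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Hardened: the value is sent as a typed parameter and is never parsed
    // as SQL, whatever characters it contains.
    public static string GetEmail(string userName)
    {
        using (var cn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE UserName = @name", cn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
            try
            {
                cn.Open();
                return cmd.ExecuteScalar() as string;
            }
            catch (SqlException ex)
            {
                // Structured handling: keep the detail server-side and give
                // the caller a generic failure, so table names, logins or
                // server paths never end up in the rendered error page.
                Trace.TraceError("User lookup failed: {0}", ex.Message);
                throw new ApplicationException("The request could not be completed.");
            }
        }
    }

    // Stored-procedure variant: the parameter is still bound, never
    // concatenated, and the SQL login only needs EXECUTE on the procedure,
    // not SELECT on the underlying table.
    public static string GetEmailViaProc(string userName)
    {
        using (var cn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.GetUserEmail", cn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
            cn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

A stored procedure only helps if it does not itself build dynamic SQL from its arguments with EXEC or sp_executesql on a concatenated string; the parameter has to be used as a value all the way down.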
Summary
• ASP.Net provides a large number of security features to enable developers to write secure code
– Familiarize yourself with the security features offered by the framework.
– Use these features wisely according to your needs.
• Use IIS security features to lock down your web applications against intrusion.
– Use appropriate authentication methods.
– Isolate applications to minimize damage due to a rogue or compromised application.
Resources
• Security Developer Center: http://msdn.microsoft.com/security
• Threats & Countermeasures: http://msdn2.microsoft.com/en-us/library/ms994921.aspx
• Building Secure ASP.NET Applications http://msdn2.microsoft.com/en-us/library/Aa302415.aspx
• http://www.iis.net
• http://blogs.msdn.com/ace_team/
Application Security Consulting Services
• Services offered by Microsoft ACE Services:
– Application Security Code Reviews
– Threat Modeling/Design Reviews
– Training:
• Secure Application Development
• Threat Modeling
– Assistance with developing and deploying SDL-IT within your environment
• Contact
– [email protected]