Sunday, August 28, 2011

SIM305 - The Attackers are Coming!

Kirk Jackson, Andy Prow
Apologies that this post is fairly nonsensical. I've put my raw NZ TechEd 2011 notes up here for my reference. I'd like to think that I'll refine them over time, but that probably won't be the case.
TechEd Online
OWASP Top 10
Open Web Application Security Project

SQL Injection

Allowing untrusted user input to reach the database as part of the SQL statement itself, rather than as a parameter.

Look for:

Parametrise queries with SqlParameters

Use sp_executesql with named parameters (@ParamName)
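The statement-versus-parameter distinction in the notes, shown as an added C# example (not code from the session or the presenters). It assumes a Users table with Username and Email columns and a SqlConnection that the caller has already opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the session notes). Assumes a Users table with
// Username and Email columns; the SqlConnection is opened by the caller.
public static class UserRepository
{
    // VULNERABLE: the value is spliced into the statement, so a single quote in
    // the input ends the string literal and the remainder is parsed as SQL.
    public static string BuildUnsafeQuery(string username)
    {
        return "SELECT Email FROM Users WHERE Username = '" + username + "'";
    }

    // SAFE: the statement text is constant; the value travels as a typed
    // parameter and is never parsed as SQL, whatever characters it contains.
    public static string GetEmail(SqlConnection conn, string username)
    {
        using (var cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE Username = @Username", conn))
        {
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 256).Value = username;
            return cmd.ExecuteScalar() as string;
        }
    }

    // Dynamic SQL on the server: sp_executesql takes the statement, a parameter
    // declaration list and the values separately, preserving the same split
    // between statement and data that SqlParameter gives you in C#.
    public static string GetEmailViaSpExecuteSql(SqlConnection conn, string username)
    {
        using (var cmd = new SqlCommand("sp_executesql", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@stmt", SqlDbType.NVarChar, -1).Value =
                "SELECT Email FROM Users WHERE Username = @Username";
            cmd.Parameters.Add("@params", SqlDbType.NVarChar, -1).Value =
                "@Username nvarchar(256)";
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 256).Value = username;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

When reviewing code for this, the things to search for are string concatenation or String.Format feeding SqlCommand.CommandText, and EXEC(@sql) inside stored procedures: both are the "in the statement" pattern, and the fix in each case is the parameter form shown above.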

Cross Site Scripting

Allowing untrusted user input to reach the web page

Defence in depth
 Block data on the way in to your server
 and escape it on the way out onto your page


HTML Context
JavaScript context
HTML attribute context

Encoding must be done close to the view.

Use HttpUtility or AntiXSS HtmlEncode and HtmlAttributeEncode
Consider the Security Runtime Engine as a safety net

 Use Razor views: @value
 Encode using <%: value %> in WebForms rather than <%= value %>
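The three contexts listed above, each with the encoder it needs, as an added C# example (not code from the session or the presenters). It uses System.Web.HttpUtility from .NET 4; the method names on AntiXssEncoder are the same.

```csharp
using System;
using System.Web;

// Added example (not from the session notes). Each method renders the same
// untrusted value into a different context with the encoder that context needs;
// the encoding happens where the markup is built, close to the view.
public static class ContextEncoding
{
    // Between tags: HtmlEncode turns '<' into &lt;, so no new element can open.
    // This is what Razor's @value and WebForms' <%: value %> call for you.
    public static string InHtmlBody(string untrusted)
    {
        return "<p>" + HttpUtility.HtmlEncode(untrusted) + "</p>";
    }

    // Inside a double-quoted attribute: HtmlAttributeEncode neutralises the
    // quote that would otherwise close the attribute and let new ones follow.
    // Always quote the attribute; an unquoted attribute ends at any whitespace.
    public static string InHtmlAttribute(string untrusted)
    {
        return "<input type=\"text\" value=\""
             + HttpUtility.HtmlAttributeEncode(untrusted) + "\">";
    }

    // Inside a JavaScript string literal: HTML encoding is the wrong tool here.
    // JavaScriptStringEncode escapes quotes, backslashes, line terminators and
    // the angle brackets that could otherwise end the <script> block early.
    public static string InJavaScriptString(string untrusted)
    {
        return "<script>var displayName = '"
             + HttpUtility.JavaScriptStringEncode(untrusted) + "';</script>";
    }
}
```

The point to keep in mind with the Razor and <%: %> shortcuts is that they apply HtmlEncode only; a value dropped into a script block still needs JavaScriptStringEncode explicitly.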


Auth & Session Management

Don't roll your own
  ASP.NET SessionID and FormsAuth cookies are pretty good
Enforce logout on the server side **** Expire the session on the server rather than just removing the client cookie.
Set the 'httponly' and 'secure' flags on cookies ****
SharePoint SPHttpUtility
Prevent user name and password brute-force - temporarily suspend the account after 5 failed attempts
Logging and alerts to system admins - look at logging messages.
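The cookie flags, server-side logout and five-attempt suspension from the list above, as an added C# example (not code from the session or the presenters). It assumes FormsAuthentication with in-process session state; the throttle's in-memory dictionary stands in for a per-account column in the user store, and the 15-minute suspension length is an assumed value the notes do not give.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Added example (not from the session notes). Assumes FormsAuthentication and
// in-process session state; the throttle's dictionary stands in for a
// per-account column in the user store and is not shared across servers.
public static class SessionHardening
{
    // Cookie flags: HttpOnly keeps script from reading the cookie, Secure keeps
    // it off plain HTTP. The same can be set site-wide in web.config with
    // <httpCookies httpOnlyCookies="true" requireSSL="true" />.
    public static HttpCookie IssueAuthCookie(string username)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, false);
        cookie.HttpOnly = true;
        cookie.Secure = true;
        return cookie;
    }

    // Logout has to invalidate state on the server; removing the client cookie
    // alone leaves a copied cookie usable until the server-side timeout.
    public static void Logout(HttpContext ctx)
    {
        ctx.Session.Abandon();            // drops the server-side session data
        FormsAuthentication.SignOut();    // expires the forms-auth cookie
        // Abandon() does not replace the session ID cookie, so clear it too and
        // let ASP.NET issue a fresh ID ("ASP.NET_SessionId" is the default name).
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
    }
}

// Brute-force control from the notes: suspend the account temporarily after
// 5 failed attempts and leave a log line for the system admins.
public class LoginThrottle
{
    private const int MaxFailures = 5;
    // The notes give no suspension length; 15 minutes is an assumed value.
    private static readonly TimeSpan SuspendFor = TimeSpan.FromMinutes(15);

    private class Entry { public int Failures; public DateTime SuspendedUntil; }
    private readonly Dictionary<string, Entry> _accounts =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    // Check this before verifying the password, so a suspended account is
    // rejected without revealing whether the password would have been right.
    public bool IsSuspended(string username, DateTime now)
    {
        Entry e;
        return _accounts.TryGetValue(username, out e) && e.SuspendedUntil > now;
    }

    // Returns true when this failure tripped the suspension.
    public bool RecordFailure(string username, DateTime now)
    {
        Entry e;
        if (!_accounts.TryGetValue(username, out e))
        {
            e = new Entry();
            _accounts[username] = e;
        }
        e.Failures++;
        if (e.Failures < MaxFailures) return false;

        e.Failures = 0;
        e.SuspendedUntil = now + SuspendFor;
        // This is the message the admin alerting should key on.
        Trace.TraceWarning("Account {0} suspended until {1:u} after {2} failed logins",
                           username, e.SuspendedUntil, MaxFailures);
        return true;
    }

    public void RecordSuccess(string username)
    {
        _accounts.Remove(username);
    }
}
```

The suspension is deliberately temporary: a permanent lock after five failures would let anyone who knows a user name keep that user out indefinitely, which is why the notes say "temporary".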

Insecure Direct Object References

Users should only be able to access some content:

 location/authorization tags in web.config

Cross Site Request Forgery

The attacker's data is posted by the user

Use a CSRF token - information the attacker doesn't know - in a hidden form field, so that they can't assemble the same POST data.

 ViewStateUserKey set in OnInit in the base page. Used in addition to the MAC key to hash the ViewState.
 HtmlHelper.AntiForgeryToken on every form
 [ValidateAntiForgeryToken] attribute on each action method
 Use the FormDigest field on every request
 Call ValidateFormDigest to check it is set correctly
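The WebForms and MVC halves of the list above, as an added C# example (not code from the session or the presenters). SecureBasePage and ProfileController are assumed names; the MVC half assumes the view emits @Html.AntiForgeryToken() inside its form.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// Added example (not from the session notes). Both halves tie a POST to the
// session that rendered the form, so a request assembled on another site
// lacks a value the attacker cannot know.

// WebForms: a base page that folds a per-session key into the ViewState MAC.
// Application pages derive from this instead of System.Web.UI.Page.
public class SecureBasePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // ViewState generated under one session fails MAC validation when it
        // is posted back under another. ASP.NET issues a new session ID on
        // every request until something is stored in Session, so store a
        // value there at login or this key will not be stable.
        ViewStateUserKey = Session.SessionID;
    }
}

// MVC: the view places @Html.AntiForgeryToken() inside the form, which emits
// a hidden __RequestVerificationToken field and a matching cookie; the
// attribute rejects the POST unless the two agree.
public class ProfileController : Controller
{
    [HttpGet]
    public ActionResult Edit()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(string displayName)
    {
        // Save displayName for the current user here (the store is assumed).
        return RedirectToAction("Edit");
    }
}
```

SharePoint's FormDigest control and SPUtility.ValidateFormDigest() are the same idea for SharePoint pages: a per-user secret rendered into the page and checked on every postback.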

Security Misconfiguration

 Windows Update
 Keep everything up to date
 Close un-used ports, uninstall / disable unused software
 Run the Best Practices Analyzer
 Encrypt sensitive info in your web.config

aspnet_regiis -pef connectionStrings <physical path of the application>

Failure to Restrict URL access

Put the admin site within the private network.

Transport Layer Protection

Use SSL / TLS for:
 Login, password change, signup
 Credit Card

Don't include HTTP resources in HTTPS pages
Turn off SSLv2 and weak ciphers (system admin)

Unvalidated redirects

Ensure that any redirects or transfers only go to white-listed domains
Check that RedirectUrl handling on login pages doesn't allow other URLs
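A white-list check for a redirect target, as an added C# example (not code from the session or the presenters). The allowed host names are supplied by the application; SafeRedirect is an assumed name. In MVC, Url.IsLocalUrl(returnUrl) covers the local-only case, and this helper extends the same idea to a list of external hosts.

```csharp
using System;
using System.Collections.Generic;

// Added example (not from the session notes). allowedHosts holds host names
// the application trusts; compare them case-insensitively.
public static class SafeRedirect
{
    // True only for a same-site relative path or an http(s) URL whose host is
    // on the allowlist; anything else is refused.
    public static bool IsAllowed(string target, ISet<string> allowedHosts)
    {
        if (string.IsNullOrWhiteSpace(target)) return false;

        if (target.StartsWith("/", StringComparison.Ordinal))
        {
            // "//host/..." and "/\host/..." are scheme-relative links to another
            // host, so a local path must not have a second slash or backslash.
            return target.Length == 1 || (target[1] != '/' && target[1] != '\\');
        }

        Uri uri;
        if (!Uri.TryCreate(target, UriKind.Absolute, out uri)) return false;
        // Refuses javascript:, data: and other non-web schemes that still parse as URIs.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        // uri.Host is the authority's host, so userinfo before '@' cannot disguise it.
        return allowedHosts.Contains(uri.Host.ToLowerInvariant());
    }

    // Use this at the redirect site: an unapproved target falls back to a
    // fixed page rather than being passed through.
    public static string Resolve(string target, ISet<string> allowedHosts)
    {
        return IsAllowed(target, allowedHosts) ? target : "/";
    }
}
```

At the login page this becomes Response.Redirect(SafeRedirect.Resolve(Request.QueryString["RedirectUrl"], allowedHosts)) with allowedHosts built as a HashSet<string> using StringComparer.OrdinalIgnoreCase. The check is deliberately strict: a bare "page.aspx" or "~/page.aspx" is refused as well, so add those forms explicitly if the application relies on them.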

File Uploads

Send the following HTTP headers
 Content-Disposition: Attachment
 X-Download-Options: noopen
 X-Content-Type-Options: nosniff
 Content-Type: [mime-type]
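A download handler that sends the four headers above, as an added C# example (not code from the session or the presenters). The storage root, the name and MIME-type lookup and the permission check are assumptions standing in for the application's own records; DownloadHandler is an assumed name.

```csharp
using System;
using System.IO;
using System.Web;

// Added example (not from the session notes). Serves a stored upload back to
// the browser with the headers listed above, so the file is saved rather than
// rendered inside the site's origin.
public class DownloadHandler : IHttpHandler
{
    // Uploads live outside the web root so they can never be requested directly.
    private const string StoreRoot = @"D:\uploads"; // placeholder path

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Accept only an opaque identifier, never a caller-supplied file name,
        // so the request cannot steer the handler to another path.
        Guid fileId;
        if (!Guid.TryParse(context.Request.QueryString["id"], out fileId))
        {
            response.StatusCode = 400;
            return;
        }
        if (!CallerMayRead(context, fileId))   // assumed ownership/permission check
        {
            response.StatusCode = 403;
            return;
        }

        string path = Path.Combine(StoreRoot, fileId.ToString("N"));
        if (!File.Exists(path))
        {
            response.StatusCode = 404;
            return;
        }

        // Name and type come from our own record of the upload, not from the
        // request; quote and line-break characters are stripped from the name
        // so it cannot inject a second header.
        string originalName = "report.pdf";   // assumed lookup result
        string mimeType = "application/pdf";  // assumed lookup result
        string safeName = originalName.Replace("\"", "").Replace("\r", "").Replace("\n", "");

        response.Clear();
        response.ContentType = mimeType;
        response.AppendHeader("Content-Disposition", "attachment; filename=\"" + safeName + "\"");
        response.AppendHeader("X-Download-Options", "noopen");      // IE: save only, no "Open" in place
        response.AppendHeader("X-Content-Type-Options", "nosniff"); // don't second-guess Content-Type
        response.TransmitFile(path);
    }

    private static bool CallerMayRead(HttpContext context, Guid fileId)
    {
        // Placeholder: look the file up and compare its owner with the
        // authenticated user (context.User.Identity.Name).
        return context.User != null && context.User.Identity.IsAuthenticated;
    }
}
```

Registered as an httpHandler in web.config, this is the only route to the uploaded bytes. The attachment disposition and nosniff header together are what stop an uploaded HTML or SVG file from being rendered as a page of your site, which is the risk the header list is addressing.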


Set Content-Security-Policy

Server headers