480 likes | 636 Vues
Overcoming your web insecurity. Kirk Jackson Xero www.xero.com pageofwords.com kirkj@paradise.net.nz. This talk. Introduce some common threats Quick wins Best practice Not a comprehensive treatment. Demo. Classifieds Web Site Starter Kit Rebranded:
E N D
Overcoming yourweb insecurity Kirk Jackson Xero www.xero.com pageofwords.com kirkj@paradise.net.nz
This talk • Introduce some common threats • Quick wins • Best practice • Not a comprehensive treatment
Demo • Classifieds Web Site Starter Kit • Rebranded: • A couple of small tweaks for demo purposes
Demo Users Kirk Site Admin Chrome Marge Regular User IE Bob Naughty User Firefox
Threats • Employees / students / other authenticated users • Malicious third parties • Malware • Phishing • Anonymous users
Things we shouldn’t trust • GET’s • POST’s • Headers • Cookies • Any user content
GETurl It’s very easy to edit a url • Nothing sensitive • Nothing destructive • No updates or deletes (idempotent) http://google.com/?q=codecamp GET /search?q=codecamp
POST data • Send data in the body of the request, rather than the url • Still just as easy to fake POST /path/foo.aspx HTTP/1.0 User-Agent: EvilHacker/2.0 Content-Type: application/x-www-form-urlencoded id=7&title=Hello
Redirects • Don’t redirect to untrustedurls
Cookie data • Use ASP.NET forms auth for authentication • Secure, non-predictable • Use Session for state • Only store unimportant stuff in cookies (theme choice vs username)
Session • Not as bad as you might think! • Encrypting, transmitting, round-tripping probably worse than server memory usage • ASP.NET Session ID is hard to guess
Storing and using data • Authorisation / Role: Server side only • Navigation data: In the url is fine (check access on server side) • Presentation flags / theme / lang: fine in cookies • Hidden fields: preferably change to server-side • Validate every request • Application secrets: Never visible to client
SQL Injection • Use parameterised SQL so that arguments are escaped
Phishing • A fake version of your website • Really hard to protect against! • User education is our best protection • Train to look at url bar (yeah, right!) • Never send links via email • Always address emails with their name
Phishing – demo http://sideshowbob.local/fakelogin.aspx
Framebusting • Many attacks wrap your page inside a frameset to trick the user • Bust out of your frame if (parent.frames.length > 0) { parent.location.replace( self.document.location); }
Framebusting - demo http://sideshowbob.local/iframe.aspx
XSS – Cross site scripting Displaying untrusted user input • Often used to steal a cookie
XSS – Cross site scripting Displaying untrusted user input • Sanitise all input • Encode all output • HTTP Headers – don’t insert untrusted content • Some ASP.NET controls don’t encode output • Use Anti-XSS Library rather than HttpUtility
CDRF – Cross domain request forgery Posting a form from one website to another
CDRF – Cross domain request forgery Posting a form from one website to another • Cookie checks aren’t enough • ViewState isn’t enough • Check referer • Use a token in the POST data / ViewState to validate
Clickjacking • E.g.Content hidden behind a flash animation • Flash, CSS, PDF • Newly disclosed
Clickjacking demo Here: http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/
Clickjacking • E.g.Content hidden behind a flash animation • Flash, CSS, PDF • Newly disclosed
IIS / Windows • It all starts with the server • Patching • Hardening • File permissions • Open ports / network access • Other users
Authentication / Authorisation • Use platform features wherever possible • Forms Authentication • Role based security • Web.config <authorization> • Every non-anonymous entry point should have an access control check • Every on-click, validator or update • AJAX libraries may side-step some of the page lifecycle
Validation • Always remember to (re)validate data on the server side • If a multi-step process: • After every request • On final step
ASP.NET Controls • The base ASP.NET controls come from a simpler era... • Some controls encode their Text, others don’t • Be careful! • Security Runtime Engine (coming) may help
Protect static files / temporary files • Use file permissions on Windows • Store temporary files outside of the webroot • Ideally generate on the fly rather than off disk
Protect your web.config • Use integrated database authentication • Encrypt connection strings • Permission files so that the website user(s) can’t modify them • Turn on custom errors • Don’t send stack trace to users
Session attacks • Replay attacks • Man in the middle • Request forgery
ViewState • Understand how ViewState works in ASP.NET • Evaluate your use of it for storing values • Is Session a safer choice? • Encrypt / tamper protection • Be mindful of the round-trip costs
Fail safe • In case of failure, make sure the default state is secure • What if logs are full or can’t be written to?
Logs • Logs should be write-once, read-many • Logs should be rotated, backed up securely, disposed of securely, confidential • Many uses: • General debugging • Forensic evidence • Attack detection • Quality of Service • Proof of validity – app working correctly • Each has different requirements • Always archive, rather than empty logs
Mixing Administration • Administrators are not normal users – segregate them • Keep admin cookies on a different domain if possible
Take-aways • Don’t trust anything given to you by the user’s browser • Be careful where you store sensitive stuff • XSS, CDRF, Clickjacking
References • Clickjacking: http://ha.ckers.org/blog/20081007/clickjacking-details/ • Framebusting:http://pageofwords.com/blog/2008/10/06/FrameBustingInJavascript.aspx • ASP.NET Controls that need encoding: http://blogs.msdn.com/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx • AntiXSS library • Security Runtime Engine (coming) • OWASP – The Open Web Application Security Project – http://www.owasp.org
More info http://pageofwords.com – my blog Come along to the Microsoft Unplugged day: • Tuesday 11 Nov, 1-5pm • Christchurch Convention Centre • WPF3.5 SP1 • Visual Studio Tips and Tricks