Building Secure ASP.NET Applications

Brian Dukes

We Want Your Feedback!

Download the DNN Summit  Mobile App now and take the survey at the end of the conference to be entered to win a $100 Amazon gift card!

Security

OWASP TOP 10 2017

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (new)
  5. Broken Access Control (merged)
  6. Security Misconfiguration
  7. Cross-Site Scripting
  8. Insecure Deserialization (new)
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring (new)

Additional Risks to Consider

  • Cross-Site Request Forgery
  • Uncontrolled Resource Consumption (Resource Exhaustion, AppDoS)
  • Unrestricted Upload of File with Dangerous Type
  • User Interface (UI) Misrepresentation of Critical Information (Clickjacking, etc.)
  • Unvalidated Forward and Redirects
  • Improprer Control of Interaction Frequency (Anti-Automation)
  • Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)
  • Server-Side Request Forgery

Injection

  • Exploitability: 3 (Easy)
  • Weakness Prevalence: 2 (Common)
  • Weakness Detectability: 3 (Easy)
  • Technical Impacts: 3 (Severe)

Considerations

  • Malicious input can come through many avenues
    • Form post
    • URL query string
    • Cookies
    • Other HTML headers
    • Database content (e.g. username)
  • Injection is possible in more than just SQL
    • XPath
    • NoSQL
    • LDAP
    • GraphQL
    • JSON or XML parsers

Prevention

  • Use parameters for user input
  • Use whitelist server validation
  • Escape special characters
  • Use TOP to limit disclosure

Demo

Broken Authentication

  • Exploitability: 3 (Easy)
  • Weakness Prevalence: 2 (Common)
  • Weakness Detectability: 2 (Average)
  • Technical Impacts: 3 (Severe)

Considerations

  • DNN prevents brute force attacks
  • DNN prevents session reuse
  • DNN warns about weak and well-know passwords
  • DNN defaults to hashed passwords

Prevention

  • Implement multi-factor authentication
  • Ensure custom session tokens (e.g. for SSO) expire
  • Follow evidence-based password policies (see https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret)
    • Minimum length 8 characters
    • Maximum length 64 characters
    • Allow all characters
    • No complexity requirements
    • No password expiration unless compromised

Sensitive Data Exposure

  • Exploitability: 2 (Average)
  • Weakness Prevalence: 3 (Widespread)
  • Weakness Detectability: 2 (Average)
  • Technical Impacts: 3 (Severe)

Prevention

  • Identify sensitive data
    • Financial (e.g. credit cards)
    • Health records
    • Personal information
    • Consider PCI, GDPR, etc.
  • Don't store the data at all (or store a hash)
  • Store encrypted data
  • Transmit encrypted data (e.g. HTTPS, HSTS)

XML External Entities

  • Exploitability: 2 (Average)
  • Weakness Prevalence: 2 (Common)
  • Weakness Detectability: 3 (Easy)
  • Technical Impacts: 3 (Severe)

Prevention

  • Validate XML inputs
  • Disable DTD processing when using XmlTextWriter

Broken Access Control

  • Exploitability: 2 (Average)
  • Weakness Prevalence: 2 (Common)
  • Weakness Detectability: 2 (Average)
  • Technical Impacts: 3 (Severe)

Considerations

  • Insecure Direct Object References
    • IDs and paths exposed and able to be manipulated
    • Exposure can occur through APIs, hidden fields, URLs, JWT, etc.
  • Missing Function Level Access Control
    • Failure to restrict functionality to the correct audience
    • For example, exposing admin functionality to all users, or authenticated functionality to unauthenticated users
    • CORS misconfiguration
    • Web API verbs (GET vs. DELETE)

Prevention

  • Access control must always occur server-side
  • Deny by default, unless public
  • Implement access control once and reuse
  • Minimize CORS usage
  • Enforce record ownership, don't assume everyone can edit every record
  • Disable directory browsing
  • Ensure backup & metadata (e.g. .git) aren't in web root
  • Log and alert on repeated access failures
  • Rate limit APIs
  • Invalidate JWT after logout
  • Include access control in test plans

Demo

Security Misconfiguration

  • Exploitability: 3 (Easy)
  • Weakness Prevalence: 3 (Widespread)
  • Weakness Detectability: 3 (Easy)
  • Technical Impacts: 2 (Moderate)

Prevention

  • Automate creating hardened environments
  • Remove unnecessary features, components, documentation, samples, frameworks, etc.
  • Schedule review of configuration, updates, patches, and permissions
  • Segment application by component or tenant
  • Send secure headers
  • Keep detailed errors turned off
  • Remove or disable default accounts

Secure Headers

See OWASP Secure Headers Project

  • HTTP Strict Transport Security
  • Public Key Pinning Extension for HTTP
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
  • Expect-CT
  • Feature-Policy

Cross-Site Scripting

  • Exploitability: 3 (Easy)
  • Weakness Prevalence: 3 (Widespread)
  • Weakness Detectability: 3 (Easy)
  • Technical Impacts: 2 (Moderate)

Prevention

  • Reject invalid input
  • Escape content by default
  • Escape content based on context (URL, JavaScript, HTML body, HTML attribute, etc.)
  • Use AntiXssEncoder
  • Enable a Content Security Policy

Insecure Deserialization

  • Exploitability: 1 (Difficult)
  • Weakness Prevalence: 2 (Common)
  • Weakness Detectability: 2 (Average)
  • Technical Impacts: 3 (Severe)

Considerations

  • Serialized inputs can come from a variety of sources
    • Remote Process Communication
    • Inter-Process Communication
    • Web services
    • Caching/Persistence
    • File systems
    • HTTP cookies, parameters, auth tokens
  • Deserializing JSON in JavaScript with eval can cause code execution
  • JSON and XML deserializing in .NET can specify type names
  • Also includes regular data tampering

Prevention

  • Don't accept serialized input from untrusted sources
  • Only deserialize into primitive types
  • Use digital signatures to provide trust
  • Use a whitelist of expected types
  • Use a low privilege process to deserialize
  • Log & monitor deserialization failures and abuses

Using Components with Known Vulnerabilities

  • Exploitability: 2 (Average)
  • Weakness Prevalence: 3 (Widespread)
  • Weakness Detectability: 2 (Average)
  • Technical Impacts: 2 (Moderate)

Considerations

  • Vulnerabilities can surface in components you use directly or in their dependencies
  • Vulnerabilities can surface in every level of the stack, from the OS to the database to libraries and APIs
  • Monthly or quarterly patching may not be soon enough

Prevention

  • Regular dependency scanning
  • Remove unused dependencies
  • Every organization must ensure that there is an ongoing plan for monitoring, triaging, and applying updates or configuration changes for the lifetime of the application or portfolio.

Insufficient Logging & Monitoring

  • Exploitability: 2 (Average)
  • Weakness Prevalence: 3 (Widespread)
  • Weakness Detectability: 1 (Difficult)
  • Technical Impacts: 2 (Moderate)

Considerations

  • DNN provides a logging framework based on Log4Net
  • DNN provides a configurable event log

Prevention

  • Ensure all logins, access control failures, and input validation failures are logged with enough context and sufficiently retained
  • Use a centralized log management system
  • Log all details about high-value transactions
  • Implement alerts for suspicious events and patterns
  • Use penetration testing to validate your logging and monitoring

Other Risks

Other Risks

  • Cross-Site Request Forgery
  • Unvalidated Redirects

Resources

  • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project

  • https://cwe.mitre.org/

Building Secure ASP.NET Applications

By Brian Dukes

Building Secure ASP.NET Applications

It can be hard to keep up-to-date on the latest best practices for web security, as well as to understand how they affect a shared environment like DNN. As our development approaches change to take web services into account, we need to adjust our security practices to continue protecting our clients and users. This presentation will review a number of practices that you can undertake to increase the security of your web application, highlighting common errors in applications as well as newer vulnerabilities that have come to light.

  • 2,284