Brian Dukes
Work at Engage Software, developing websites on the DNN Platform (a DNN MVP). I also serve Jesus at City Lights Church.
Building Secure ASP.NET Applications
Brian Dukes
We Want Your Feedback!
Download the DNN Summit Mobile App now and take the survey at the end of the conference to be entered to win a $100 Amazon gift card!
Security
OWASP TOP 10 2017
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (new)
- Broken Access Control (merged)
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization (new)
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring (new)
Additional Risks to Consider
- Cross-Site Request Forgery
- Uncontrolled Resource Consumption (Resource Exhaustion, AppDoS)
- Unrestricted Upload of File with Dangerous Type
- User Interface (UI) Misrepresentation of Critical Information (Clickjacking, etc.)
- Unvalidated Forward and Redirects
- Improprer Control of Interaction Frequency (Anti-Automation)
- Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)
- Server-Side Request Forgery
Injection
- Exploitability: 3 (Easy) ■
- Weakness Prevalence: 2 (Common) ■
- Weakness Detectability: 3 (Easy) ■
- Technical Impacts: 3 (Severe) ■
Considerations
- Malicious input can come through many avenues
- Form post
- URL query string
- Cookies
- Other HTML headers
- Database content (e.g. username)
- Injection is possible in more than just SQL
- XPath
- NoSQL
- LDAP
- GraphQL
- JSON or XML parsers
Prevention
- Use parameters for user input
- Use whitelist server validation
- Escape special characters
- Use
TOPto limit disclosure
Demo
Broken Authentication
- Exploitability: 3 (Easy) ■
- Weakness Prevalence: 2 (Common) ■
- Weakness Detectability: 2 (Average) ■
- Technical Impacts: 3 (Severe) ■
Considerations
- DNN prevents brute force attacks
- DNN prevents session reuse
- DNN warns about weak and well-know passwords
- DNN defaults to hashed passwords
Prevention
- Implement multi-factor authentication
- Ensure custom session tokens (e.g. for SSO) expire
- Follow evidence-based password policies (see https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret)
- Minimum length 8 characters
- Maximum length 64 characters
- Allow all characters
- No complexity requirements
- No password expiration unless compromised
Sensitive Data Exposure
- Exploitability: 2 (Average) ■
- Weakness Prevalence: 3 (Widespread) ■
- Weakness Detectability: 2 (Average) ■
- Technical Impacts: 3 (Severe) ■
Prevention
- Identify sensitive data
- Financial (e.g. credit cards)
- Health records
- Personal information
- Consider PCI, GDPR, etc.
- Don't store the data at all (or store a hash)
- Store encrypted data
- Transmit encrypted data (e.g. HTTPS, HSTS)
XML External Entities
- Exploitability: 2 (Average) ■
- Weakness Prevalence: 2 (Common) ■
- Weakness Detectability: 3 (Easy) ■
- Technical Impacts: 3 (Severe) ■
Prevention
- Validate XML inputs
- Disable DTD processing when using
XmlTextWriter
Broken Access Control
- Exploitability: 2 (Average) ■
- Weakness Prevalence: 2 (Common) ■
- Weakness Detectability: 2 (Average) ■
- Technical Impacts: 3 (Severe) ■
Considerations
-
Insecure Direct Object References
- IDs and paths exposed and able to be manipulated
- Exposure can occur through APIs, hidden fields, URLs, JWT, etc.
-
Missing Function Level Access Control
- Failure to restrict functionality to the correct audience
- For example, exposing admin functionality to all users, or authenticated functionality to unauthenticated users
- CORS misconfiguration
- Web API verbs (GET vs. DELETE)
Prevention
- Access control must always occur server-side
- Deny by default, unless public
- Implement access control once and reuse
- Minimize CORS usage
- Enforce record ownership, don't assume everyone can edit every record
- Disable directory browsing
- Ensure backup & metadata (e.g.
.git) aren't in web root - Log and alert on repeated access failures
- Rate limit APIs
- Invalidate JWT after logout
- Include access control in test plans
Demo
Security Misconfiguration
- Exploitability: 3 (Easy) ■
- Weakness Prevalence: 3 (Widespread) ■
- Weakness Detectability: 3 (Easy) ■
- Technical Impacts: 2 (Moderate) ■
Prevention
- Automate creating hardened environments
- Remove unnecessary features, components, documentation, samples, frameworks, etc.
- Schedule review of configuration, updates, patches, and permissions
- Segment application by component or tenant
- Send secure headers
- Keep detailed errors turned off
- Remove or disable default accounts
Secure Headers
See OWASP Secure Headers Project
- HTTP Strict Transport Security
- Public Key Pinning Extension for HTTP
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy
- X-Permitted-Cross-Domain-Policies
- Referrer-Policy
- Expect-CT
- Feature-Policy
Cross-Site Scripting
- Exploitability: 3 (Easy) ■
- Weakness Prevalence: 3 (Widespread) ■
- Weakness Detectability: 3 (Easy) ■
- Technical Impacts: 2 (Moderate) ■
Prevention
- Reject invalid input
- Escape content by default
- Escape content based on context (URL, JavaScript, HTML body, HTML attribute, etc.)
- Use
AntiXssEncoder - Enable a Content Security Policy
Insecure Deserialization
- Exploitability: 1 (Difficult) ■
- Weakness Prevalence: 2 (Common) ■
- Weakness Detectability: 2 (Average) ■
- Technical Impacts: 3 (Severe) ■
Considerations
- Serialized inputs can come from a variety of sources
- Remote Process Communication
- Inter-Process Communication
- Web services
- Caching/Persistence
- File systems
- HTTP cookies, parameters, auth tokens
- Deserializing JSON in JavaScript with
evalcan cause code execution - JSON and XML deserializing in .NET can specify type names
- Also includes regular data tampering
Prevention
- Don't accept serialized input from untrusted sources
- Only deserialize into primitive types
- Use digital signatures to provide trust
- Use a whitelist of expected types
- Use a low privilege process to deserialize
- Log & monitor deserialization failures and abuses
Using Components with Known Vulnerabilities
- Exploitability: 2 (Average) ■
- Weakness Prevalence: 3 (Widespread) ■
- Weakness Detectability: 2 (Average) ■
- Technical Impacts: 2 (Moderate) ■
Considerations
- Vulnerabilities can surface in components you use directly or in their dependencies
- Vulnerabilities can surface in every level of the stack, from the OS to the database to libraries and APIs
- Monthly or quarterly patching may not be soon enough
Prevention
- Regular dependency scanning
- Remove unused dependencies
Every organization must ensure that there is an ongoing plan for monitoring, triaging, and applying updates or configuration changes for the lifetime of the application or portfolio.
Insufficient Logging & Monitoring
- Exploitability: 2 (Average) ■
- Weakness Prevalence: 3 (Widespread) ■
- Weakness Detectability: 1 (Difficult) ■
- Technical Impacts: 2 (Moderate) ■
Considerations
- DNN provides a logging framework based on Log4Net
- DNN provides a configurable event log
Prevention
- Ensure all logins, access control failures, and input validation failures are logged with enough context and sufficiently retained
- Use a centralized log management system
- Log all details about high-value transactions
- Implement alerts for suspicious events and patterns
- Use penetration testing to validate your logging and monitoring
Other Risks
Other Risks
- Cross-Site Request Forgery
- Unvalidated Redirects
Resources
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
https://cwe.mitre.org/
Building Secure ASP.NET Applications Brian Dukes
Building Secure ASP.NET Applications
By Brian Dukes
Building Secure ASP.NET Applications
It can be hard to keep up-to-date on the latest best practices for web security, as well as to understand how they affect a shared environment like DNN. As our development approaches change to take web services into account, we need to adjust our security practices to continue protecting our clients and users. This presentation will review a number of practices that you can undertake to increase the security of your web application, highlighting common errors in applications as well as newer vulnerabilities that have come to light.
- 2,431
