Saturday, March 20, 2010

HaHaa Brothers Show – Lessons in Asp.Net Security

http://live.visitmix.com/MIX10/Sessions/FT05

A disturbing video with Scott Hanselman dancing to hamster on a piano and then to Beyonce!

Actually this is a good video of a MIX10 demo that shows how your coding practices can make your ASP.Net MVC app vulnerable and also instructs on best practices and ways to secure your web-app.

Demo 1: JavaScript injection

lesson 1: don't trust user data

lesson 2: in MVC use the ValidateInput attribute

lesson 3: use “<%:” instead of “<%=” when emitting server variables in your front-end code. This new construct HTML-encodes the output, similar to calling Html.Encode.

Demo 2: JavaScript injection using the defer attribute on a script tag

lesson 1: learn about the AntiXSS library and use its encoder (which, if you recall my previous post, is an encoder based on a white list instead of the black list that the default encoder uses). You can set the AntiXSS encoder as the default encoder via the HttpRuntime setting in the web.config.

lesson 2: use Ajax.JavaScriptStringEncode when writing server data into JavaScript strings

Demo 3: Cross-site request forgery attack (a confused deputy attack)

This attack relies on the fact that you are already logged in to a secure site, and gets your browser to submit a form carrying all the data needed to perform an unauthorized action under your session.

lesson 1: use the ValidateAntiForgeryToken attribute in MVC on your controller methods and insert the token into the HTML using Html.AntiForgeryToken.

When the controller method gets called, ValidateAntiForgeryToken compares the token in the HTML page (inserted as a hidden field) with the token in the cookie and throws an error if the two values do not match.

Demo 4: JavaScript injection that redefines JS methods

In this demo, a special method is called every time an ID is set on a page element. The hack depends on arrays being returned as JSON in response to a GET request.

I need to review this hack again, as I wasn't completely able to understand how the hack worked and what the fix does.

One best practice specified is that when returning data that should be secured, one should not return it as a bare JSON array.

Demo 5: Hacked post values via tools like Fiddler

cool tip: to listen to messages being sent to a local HTTP server (like when you are developing an ASP.Net app), use “localhost.:” or “ip4.fiddler” as the host name so that the traffic is passed through the Fiddler proxy.

lesson: in MVC your post data is automatically bound to the controller method's parameter type. If a hacker guesses properties on your model type that the form never exposes, they can send bad data into your application (over-posting).

One way around this is to set up a white list (or a black list) using the Bind attribute on your parameter. The Bind attribute tells MVC which fields from the post may be automatically copied into your model object.
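The following controller, an added example written for this post and not code from the MIX10 demo, puts the Demo 3 and Demo 5 lessons side by side: an over-postable action next to one that whitelists bindable fields with Bind(Include) and requires the anti-forgery token. The UserProfile model, the IsAdmin field and the in-memory store are constructed for illustration.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Constructed model: IsAdmin exists only to show what over-posting can reach.
public class UserProfile
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // never meant to be settable from a form
}

public class ProfileController : Controller
{
    // Stand-in for a real data layer, keyed by profile Id.
    private static readonly Dictionary<int, UserProfile> Store =
        new Dictionary<int, UserProfile>();

    // VULNERABLE: the default model binder copies every posted field whose name
    // matches a property, so a post edited in Fiddler to add IsAdmin=true is honoured.
    [HttpPost]
    public ActionResult EditUnsafe(UserProfile profile)
    {
        Store[profile.Id] = profile;
        return RedirectToAction("Index");
    }

    // HARDENED: Bind(Include=...) whitelists the only fields the binder may set,
    // so IsAdmin is ignored even if it is present in the post. ValidateAntiForgeryToken
    // pairs with <%: Html.AntiForgeryToken() %> inside the form in the view and
    // rejects the request when the hidden-field token and the cookie token differ.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "Id,DisplayName,Email")] UserProfile profile)
    {
        if (!ModelState.IsValid)
            return View(profile);

        // Preserve the server-owned flag from the stored record rather than the post.
        UserProfile existing;
        profile.IsAdmin = Store.TryGetValue(profile.Id, out existing) && existing.IsAdmin;

        Store[profile.Id] = profile;
        return RedirectToAction("Index");
    }
}
```

The same Bind(Include) list can also be placed on the model class itself so every action that binds UserProfile gets the whitelist without repeating it.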

This video is definitely a good way to spend 60 minutes of your time.
