Home » Best Practices » Security » Securing .NET Web Application from Common Attacks

Securing .NET Web Application from Common Attacks

in , - on Tuesday, October 14, 2014 - 5 comments
nvidia3dvision_1Web Application is so vulnerable to attacks especially if deals with money, sensitive information and/or business trade secrets. This is a big problem in the IT world and big funds are spend just to protect them from these attack.

In this article we will explore most web application attacks and how we would prevent them. I am not going to discuss on how to perform the attacks but rather I will focus more on how to prevent them.

Web Application Attacks and Prevention
  1. SQL Injection
    Description: SQL Injection is an attack where commands are inserted in SQL where only data was expected. If your web application is not protected, the attacker can easily inject queries that can expose data and table structure of your database. And can also delete data and drop table on your database.

    This has been the # 1 form of attack in 2010 and 2011.

    The attack can be injected in web form like search or direct in the URL.

    Prevention:
    • Don't Use Inline SQL Statements on your code.
    • Use parameterized queries.
    • Stored Procedure should be parameterized too.
    • Apply whitelisting. Validate data before executing query.
    • Apply Least Privilege Principle to accounts that access the web.  This is done at the SQL Security Administration.
    • Use ORM such as Entity Framework and NHibernate. These are safe against SQL Injection.
    • Use Proper Error Handling such as Error Redirection Page, Turn Off Trace and Debug (This will open a window for attackers).

  2. Cross Site Scripting (XSS)
    Description: XSS attack is a script that can come from URI, Database, Cookie or Form. This attack don't expose data from the database. It usually manipulate the DOM, hijacks cookies, steal credentials and send to remote sights.

    The major purpose of XSS attack is to sabotage websites. One of the victim of this attack was myspace.com and it has been shutdown due to this attack.

    Usually it is a JavaScript and the common strategy of the attacker is to paste scripts in the web form. Saves the data (with script), and if this is viewed by other user, the script will be executed. It might be that the script will just execute alert window but  this may annoy users and discontinue using your site.

    This script can also multiply by injecting itself to web forms and the attack will spread and you will be force to shutdown your site.

    Prevention:
    • Sanitized data before saving to database;
    • Apply output encoding. Eg: Html Encode;
    • Apply Whitelisting such as Regular Expression;
    • Use XSS complaint tools. ASP.NET MVC applies output encoding by default;
    • Don't just validate on the client side, server side validation is more important.

  3. Broken Authentication and Session Management
    Description: These kind of attack is sometimes called "Walk By Attacks" or "Shoulder Surfing". Authentication Credentials are easily hijack or stolen and use by attacker to impersonate users.

    A typical scenario that credentials are stolen is when an employee leaves his PC and another employee comes in and steal the cookies. The attacker will exploit this cookies and perform the attack.

    Causes:
    • Username and password are encoded in the URL instead of using session cookie;
    • Easily guessable passwords;
    • Weak Session Management such as no session expiration;
    • Weak Password Policies such as weak password, credential expiration policy.

    Prevention:
    • Use session cookies instead of encoding in the URL;
    • Expire Session - When no activity is conducted for certain period of time ( let's say 2 mins), session expires and log-in is required when resuming activity;
    • Implement Password Policy such as change control/expiration, strong password, and password recovery;
    • Use SSL;
    • Security Awareness in the Organization;
    • If necessary, use Bio-metric security.

  4. Insecure Direct Object References
    5. Description: This is a flaw in design. Lack of Access Control implementation wherein authorized users are allowed to gain access to someone else account. This kind of attack is perform by exploiting the parameters in the URL (Parameter Tampering) to gain access to other's record. The attacker should be authenticated to perform this attack.

    In 2011, a bank was a victim of this attack and more 200,000 account details was stolen by just merely changing the URL parameter with random account numbers.

    Prevention:
    • Implement Access Control
      This can be done by comparing Log In Credentials(Identity) against the record they are trying to access.
    • Apply Obfuscation via Random Surrogate Keys This can be achieve by incorporating AntiForgeryToken and/or AntiModelInjection.

  5. Cross Site Request Forgery (CSRF)
    Description: Attacker exploits the fact the victim is authenticated to a website. These are scripts that are usually send through email, offer, file, free installer, and free software. This attack will trick the user to submitting request to a website.

    There was a case in Brazil where CSRF was used to change router DNS on the client. By doing this, communication will be routed in a place where attacker can capture sensitive information from the user. These info might be Credit Card info, credentials, etc.

    Prevention:
    • Implement Anti-Forgery Token
      It's a one-time used matching key generated by the server. This is used by client when posting a request. It is only known to the server, it's randomly generated, it has expiration, and it is encrypted.
    • Use SSL to prevent sniffing of Anti-Forgery Tokens.

  6. Security Misconfiguration
    Description:Security Misconfiguration opens a window for an attacker. The attacker usually exploits the vulnerabilities of the web application by collecting information about internal structure of the application. This is caused by exceptions, errors, and traces that are not properly handled by developers.

    Prevention:
    • In the web.config, set the customErrors="On",provide a defaultRedirect page, and set redirectMode="ResponseRewrite" ;
    • In the web.release.config, use Config Transformation to remove trace enabled;
    • In the web.release.config, use Config Transformation to replace customErrors="On" to "RemoteOnly";
    • Encrypt web.config on the production server.

  7. Insecure Cryptographic Storage
    Description: Protected data(eg. User Credentials or Accounts that contains User Name and Password) should always be protected even they are stolen. Having weak encryption means it not secured.

    This kind of attack is from within the organization. We would like to protect the data from the people who have access with it data but we don't want them to read it.

    Facts:

    When these protected data are stolen, these can be crack with some tools such as BruteForce. Even hashing and salt were applied with it. There are lots of hash libraries/dictionaries in the net that could easily crack these kind of encryption. Tools for cracking has become sophisticated as encryption algorithm became sophisticated.

    Prevention:
    We can't stop these people from cracking but we can slow them down by adding more hash. Taking 50 days to crack is good enough to secure your data.
    • Don't be satisfied with SHA1 Hash with salt. Apply stronger hashing algorithms such as Zetetic;
    • Use Symmetric or Asymmetric for better protection;
    • If Symmetric or Asymmetric Encryption is applied, don't save the private/public key in the web.config. Use Key Management API such as DPAPI.

  8. Failure to Restrict URL Access
    Description: This security flaw is due to lack of Access Control to resources. As a result, anonymous users can gain access to private resources on the page through the URL. Prevention:

    • In the web.config apply authorization policy for the path and roles. This works well in ASP.NET web forms but be careful about custom routing in ASP.NET MVC. This does not work. I suggest using annotation to implement authorization;
    • In ASP.NET MVC, Annotate your class or controllers with "Authorize" attribute;
    • Apply authorization at method level that needs to restrict.

  9. Insufficient Transport Layer Protection Or Man-In-The-Middle Attack
    Description: Man-in-the-Middle attack happens when an attacker steals information through the network traffic. They use gadgets to intercept traffic between the victim and the server. There are many ways how do this but lets focus more on how to solve this attack.

    Prevention:
    • Use HTTPS or SSL when transferring sensitive data. This will limit capabilities of the attacker to hijack data;
    • Don't load login form over HTTP, even they post data to HTTPS;
    • Don't load HTTPS inside an IFRAME over on an HTTP page

  10. Denial of Service Attack (DoS)
    Description:
    The main purpose of DoS is to bring the site down by issuing automated failed request. It a sabotage. DoS consumes the resources of the server until it crashes. The Attack can be distributed. This kind of attack is difficult to prevent but it can be minimized.

    How to Minimized:
    • Install and configure Dynamic IP Restrictions on IIS;
    • Always have logging functionality on your application to trace those attackers;
    • Strong network layer, rules, firewall configuration;
    • Report to authorities.
Conclusion

There are many more form of attacks out there but so far these are the common and the most dangerous attacks ever recorded. When you are developing web applications include these in the Test Cases, Acceptance Criteria or Product Backlog.

Reference:

Open Web Application Security Project(OWASP)

That's all and hope I was able to share knowledge.
Labels: ,