Security
Locking down your code
It’s rather strange for me reviewing Web Application Security - A Beginner's Guide given that I've written a book on the same topic, but as I know one of the authors, Bryan Sullivan and McGraw Hill offered me a copy for review it seems rather churlish not to. Bryan and Vincent Liu have produced a book which is technology agnostic, covering web security via principles rather than sample code. It is a complete beginner’s book, suitable for a developer who has never thought about security before or for a manager to try to figure out just what the heck...
Oh how I have wanted to sing about this for months, now it’s public … Due to the popularity of the Microsoft AntiXSS Library, ASP.NET 4.5 now incorporates core encoding routines from version 4.0 of that library. The encoding routines are implemented by the AntiXssEncoder type in the new System.Web.Security.AntiXss namespace. You can use the AntiXssEncoder type directly by calling any of the static encoding methods that are implemented in the type. However, the easiest approach for using the new anti-XSS routines is to configure an ASP.NET application to use the AntiXssEncoder by...
I was a guest on two podcasts last week, just in case you’re interested. The first was RunAs radio, discussing the DigiNotar hack with Richard Campbell and its consequences for IT administrators. This was followed the next day by Developer Book Club, a rather interesting idea created by Helen Emerson where developers talk about 3 books which influenced their development careers. Technorati Tags: PodCast
Hot on the heels of Rachel Appel calling me a security expert a couple of weeks ago I persuaded Scott Hanselman to destroy his reputation and record a Hanselminutes with me. As is usual with any podcast I take part in, I meander around anything meaningful, but I blather about web security, Lulzsec and more. If you want to follow real security experts on twitter the ones I follow are Window Snyder Katie Moussouris Richard Johnson Jeremiah Grossman Iftach...
Now my DevSecNerdRage™ has calmed down I thought it might be worth guessing at what went wrong with Citibank and how you, as a developer, can avoid making the same mistake. From reports in the New York Times it appears the attackers had a valid login and password for a Citibank credit card site and, once in, they changed the account number in the URL. This is a textbook example of an Insecure Direct Object Reference: the application checks that you are logged in, but never checks that the object you asked for is actually yours. I can imagine the code / configuration doing one thing (all code in this post is pseudo code):

if (IsAuthenticated)
{
LoadAccount(Request.QueryString["accountNumber"]);
}

It's not the first time...
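As an added example, not from the original post and certainly not Citibank's code, here is the vulnerable pattern above beside a hardened version. `IAccountRepository`, `Account` and its `OwnerId` are assumptions; the point is that the hardened loader asks the data layer for the account that belongs to the authenticated user, so a tampered account number in the query string returns nothing rather than someone else's data.

```csharp
using System;
using System.Web;

// Added example; Account and IAccountRepository are hypothetical types.
public sealed class Account
{
    public string Number { get; set; }
    public string OwnerId { get; set; }   // the authenticated user this account belongs to
}

public interface IAccountRepository
{
    // Vulnerable shape: loads any account by number, regardless of who is asking.
    Account LoadByNumber(string accountNumber);

    // Hardened shape: the data access layer only returns an account owned by ownerId
    // (in SQL terms, WHERE Number = @number AND OwnerId = @owner).
    Account LoadByNumberForOwner(string accountNumber, string ownerId);
}

public static class AccountLoader
{
    // Before: the Citibank-style bug. Being logged in is treated as being authorised
    // for every account, so the attacker simply edits accountNumber in the address bar.
    public static Account LoadVulnerable(HttpContextBase context, IAccountRepository repo)
    {
        if (!context.User.Identity.IsAuthenticated)
            throw new HttpException(401, "Unauthorized");

        return repo.LoadByNumber(context.Request.QueryString["accountNumber"]);
    }

    // After: authentication tells us who the caller is; authorisation ties the requested
    // object to that identity. A tampered accountNumber yields a 404, not another customer.
    public static Account LoadHardened(HttpContextBase context, IAccountRepository repo)
    {
        if (!context.User.Identity.IsAuthenticated)
            throw new HttpException(401, "Unauthorized");

        string accountNumber = context.Request.QueryString["accountNumber"];
        if (string.IsNullOrEmpty(accountNumber))
            throw new HttpException(400, "Bad Request");

        Account account = repo.LoadByNumberForOwner(accountNumber, context.User.Identity.Name);
        if (account == null)
        {
            // Same response whether the account does not exist or simply is not yours,
            // so an attacker cannot use the difference to enumerate valid account numbers.
            throw new HttpException(404, "Not Found");
        }

        return account;
    }
}
```

The ownership check belongs in the query, not in a post-load `if (account.OwnerId != user)` that every new code path has to remember; if the repository cannot return another user's row, there is nothing for a developer to forget. Where you can, go one step further and stop exposing the real account number at all, handing the browser a per-session index into the user's own list of accounts instead.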
Last month I was rather pleased to welcome Troy Hunt into my little band of Developer Security MVPs. He’s been doing a bunch of blog posts on the OWASP Top 10 list for ASP.NET developers. Check them out, he’s almost finished. Technorati Tags: MVP,Security,OWASP,ASP.NET
This makes me bang my head on the desk In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data. As if insecure direct object...
So late on Friday two security researchers presented a side channel attack on the encryption and validation methods used for viewstate. The attack allows the attacker to decrypt viewstate and, from there, to obtain the machine key used to protect it, and thus to create their own validly signed viewstate, possibly compromising the web application. Side channel attacks work by analysing the cryptosystem's responses to infer information it was never meant to reveal; in this case the oracle is the error the server returns when tampered ciphertext decrypts to invalid padding, which can be told apart from the error for a well-padded but otherwise bad message. Now that the researchers have presented, their work is under investigation; MSRC have an official advisory along with further information. ScottGu has also posted more details including a work around...
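To make the side channel concrete, here is an added example (mine, not the researchers' tool and not any Microsoft code) of a CBC padding oracle attack against a toy server. The server holds the key and leaks exactly one bit per query: whether PKCS#7 padding was valid after decryption. The key, IV and plaintext are constructed in `Main`; no real ASP.NET application is involved, and the names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: recovering a plaintext block from AES-CBC ciphertext using only a
// "was the padding valid?" oracle. Everything here is constructed for the demo.
public static class PaddingOracleDemo
{
    public const int BlockSize = 16;

    // Stands in for the application: it has the key and, fatally, answers differently
    // when the padding of a tampered ciphertext fails to parse.
    public sealed class Server
    {
        private readonly byte[] _key;
        public Server(byte[] key) { _key = key; }

        public byte[] Encrypt(byte[] plaintext, byte[] iv)
        {
            using (var aes = Aes.Create())
            {
                aes.Key = _key; aes.IV = iv;
                aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
                using (var enc = aes.CreateEncryptor())
                    return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }
        }

        // The side channel. A real server leaks this via a distinct error page, status
        // code or response time rather than a bool, but the information is the same.
        public bool PaddingIsValid(byte[] iv, byte[] ciphertext)
        {
            using (var aes = Aes.Create())
            {
                aes.Key = _key; aes.IV = iv;
                aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
                try
                {
                    using (var dec = aes.CreateDecryptor())
                        dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                    return true;
                }
                catch (CryptographicException) { return false; }
            }
        }
    }

    // Recovers one plaintext block with at most 256 oracle queries per byte and no key.
    // 'previous' is the ciphertext block (or the IV) that precedes 'target' in the message.
    public static byte[] RecoverBlock(Server oracle, byte[] previous, byte[] target)
    {
        var intermediate = new byte[BlockSize];   // AES-decrypt(target) before the CBC XOR
        var forgedIv = new byte[BlockSize];       // attacker controls what gets XORed in

        for (int pos = BlockSize - 1; pos >= 0; pos--)
        {
            byte pad = (byte)(BlockSize - pos);
            // Bytes already recovered are forced to the padding value we are hunting for.
            for (int i = pos + 1; i < BlockSize; i++)
                forgedIv[i] = (byte)(intermediate[i] ^ pad);

            for (int guess = 0; guess <= 255; guess++)
            {
                forgedIv[pos] = (byte)guess;
                if (!oracle.PaddingIsValid(forgedIv, target)) continue;

                // For the final byte a hit may be a longer valid padding (02 02, 03 03 03 ...)
                // rather than 01: disturb the byte before it and check it still passes.
                if (pos == BlockSize - 1)
                {
                    forgedIv[pos - 1] ^= 0xFF;
                    bool stillValid = oracle.PaddingIsValid(forgedIv, target);
                    forgedIv[pos - 1] ^= 0xFF;
                    if (!stillValid) continue;
                }

                intermediate[pos] = (byte)(guess ^ pad);
                break;
            }
        }

        var plaintext = new byte[BlockSize];
        for (int i = 0; i < BlockSize; i++)
            plaintext[i] = (byte)(intermediate[i] ^ previous[i]);
        return plaintext;
    }

    public static void Main()
    {
        var key = new byte[16];
        var iv = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(key); rng.GetBytes(iv); }

        var server = new Server(key);
        byte[] ciphertext = server.Encrypt(Encoding.ASCII.GetBytes("account=12345678;role=user"), iv);

        // The attacker knows only iv, ciphertext and the oracle; recover the first block.
        var firstBlock = new byte[BlockSize];
        Array.Copy(ciphertext, 0, firstBlock, 0, BlockSize);
        byte[] recovered = RecoverBlock(server, iv, firstBlock);
        Console.WriteLine(Encoding.ASCII.GetString(recovered));   // account=12345678
    }
}
```

Note that the attacker never touches the key; they only need the server to behave differently for "bad padding" and "bad anything else". The durable fix is to authenticate the ciphertext (an HMAC over IV and ciphertext, checked in constant time before any decryption is attempted) and to return one identical error, with no distinguishing status code or timing, for every failure.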
The Information Security Tools Team at Microsoft is hiring. Oh yes, your dream could come true, you could work with me … We have an opening for a Senior SDE to help us develop software to support Microsoft’s information security program, analysing everyone else’s software for potential flaws and helping mitigate, manage and analyse. Mad SQL and OLAP skillz will put you at the top of the queue. You can either apply through the link above, or email me your résumé/CV to my work email, bdorrans@microsoft.com (which has until now been spam free *sigh*. I promise not to...
So this sprint I’ve been playing around with AntiXSS. This makes me very nervous, changing something that quite a few folks internally and externally depend on is a heavy burden! One of the most popular requests was “Can you support language X?” and now the answer is probably yes. I say probably, because we’re covering the UTF-16 code tables – if you wanted support for Byzantine Musical Notation (really, it exists) then you’re out of luck. Now there’s a little problem in all of this – Unicode doesn’t have a concept of language, it has code tables. If you’re...
When I started off discussing where I would take the Security Runtime Engine with the Developer Security MVPs Raffaele Rialdi asked if there would be a way to inspect raw requests and responses. Whilst I can’t do requests, as I don’t see them until ASP.NET has parsed them I can do responses, via ASP.NET’s filter mechanisms so, despite him tagging someone else as me on Facebook I started to look at how best to do this and came up with IResponseInspector. The response inspector works slightly differently to the other inspectors – by the time it’s called there is no...
The WPL site on CodePlex now has the May CTP code only release for the Web Protection Library and a Word document introducing the new extensibility points for the Security Runtime Engine. I haven’t released binaries because it’s just a preview, it is in no way ready for production and I want to discourage you even thinking of that. So why did I make the source available? Simple – feedback. This represents a rewrite of the Security Runtime and a new way for you to easily write plug-ins for it. Rather than simply decide what’s best for our users...
So now our fit and finish sprint is finished (my PM, Frank, has published the results which demonstrate that, well, fit and finish is never, errr, finished) I’ve been doing some thinking and experimenting. Two things came out of the MVP summit this year, 1) we want logging which isn’t the Enterprise Library and 2) we want to write our own WPL plugins (more specifically a particular Developer Security MVP wanted to write a SQL Injection detector for MySQL). This week was scheduled to be a lazy week, as we work around planning meetings for sprint 2 so I...
This is fun. Network Solutions, not known for their wonderful hosting setup, messed up WordPress configuration, file permissions and basically allowed people hosting on their servers to read everyone else’s authentication information. When it was discovered NetSol tried to spin it as a WordPress problem. WordPress are pissed. But what’s amusing, to me anyway, is their talk of crappy configuration – which they justify with the following WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server...
And the recording, with interruptions is here Barry Dorrans’ hijacked encryption session at DDD8 on Vimeo. I’ve also seen some of the feedback. Some selected highlights include Barry was more funny than usually! I don't think I laughed so much as when the videos began in this session. Barry will be sorely missed yet he still managed to complete his session and coped well with the barrage of mickey-takes and corrective outbursts from Jon Skeet. Peerless Barry Dorrans, but why were those guys wearing Stephen Hawking T-shirts...
So by now we should all know that using user input in a web page and spitting it back out again without encoding it is a bad idea and leads to cross site scripting. Of course some web sites don’t bother, which leads to hilarity such as the Toyota Ireland recall page, as demonstrated here. All the HTML encoding in the world won’t save you if you’re not constraining and validating your input … (although Toyota aren’t even bothering with encoding – you can embed script in the r parameter for that page) Technorati Tags: Input,Security,XSS
Today was DDD8, the last DDD event I can do because the rules exclude MS employees from speaking and in 10 days time I will be in that category. I presented “A Developer’s Guide to Encryption” (PowerPoint/Sample Code) running through the main options developers have in .NET for cryptography. (The PowerPoint deck should have all the spelling mistakes fixed. I swear those weren’t there on Wednesday when I finished … but I can’t see how anyone could have knobbled it, so I must have just been very fat fingered!) I’m rather sad to leave DDD behind, I’ve presented at...
A few people have been asking for the table of contents for Beginning ASP.NET Security so here it is; CHAPTER 1: WHY WEB SECURITY MATTERS Anatomy of an Attack Risks and Rewards Building Security from the Ground Up Defense in Depth ...
Last year Wrox switched from having happy, smiling, chin posing authors on their book covers to, well, to random images with a bit of red. So for those of you that have pre-ordered you’ll be happy to know that you won’t have me smiling out from your book shelf. Instead you’ll get an image which encapsulates my interest in exercise and sports. Errr, well, someone’s interest in exercise and sports. Never fear though, I am on the inside … Note for Americans – this image is from a game called football by the rest of the world. The...
Just checked twitter and instead of the fail whale I got something different … “This Web Site Has Been Hacked By Iranian Cyber Arm”. Oh dear. At least there’s no destructive payload, no virus installers, just the vandalism. Interesting though, they’ve managed to upload pictures to the twitter servers. There doesn’t appear to be a redirect or anything that would indicate XSS, something twitter has had big problems with. When I hit refresh it’s back to normal. I’m wondering if they’ve managed to get some servers but not all, which may point to cracking the servers...
So about an hour ago the last edits to the proof went off to the proof reader, which hopefully means, after a year, it’s all done. You may be pleased to learn that, as I’ve taken so long, it will be published using the new, better quality paper and will not have my mug shot on the cover. (When discovering this my smart assed nephew said “That’s good, people won’t judge the book by its cover”.) The final details are as follows: Beginning ASP.NET Security Wrox Press ISBN : 978-0470743652 Pages :...
I don’t know if I should laugh or cry. The Register this morning screamed the headline “IE bug leaks private details from 50m PDF files”. Bad Microsoft! Naughty Microsoft! Errr no, bollocks really. The information leak in question comes from the fact that IE puts a footer in documents containing the URL the document was loaded from. If you’ve loaded an HTML file from a local directory on your machine, or from a network path, then that path is what ends up in the footer. I can’t make up my mind if the problem...
Mark Curphey has obviously been whipping his team into a frenzy and a new version of CAT.NET, along with WPL and WACA have been announced. They’re all in CTP and available from Connect. WPL is the evolution of AntiXSS, which is turning into a nice basis for a web application firewall (ok, it’s a stupid marketing term I know, but with the Security Runtime Engine and the new extensibility features it will allow you to build something that sits between your app and the evil internet and protects you. That’s not an excuse for getting it right in the...
Now you’re at university it’s time to protect yourself. No, this is not that cringeworthy conversation you had with your parents about where babies come from but some notes on data security. First up your laptop. That network in the halls of residence? It’s going to contain at least one budding hacker, so make sure you run anti-virus software (that includes you Mac users, there’s malware out there specifically targeting Macs), use a firewall (either the one built into your OS or a third party one) and keep your anti-virus and operating system up to date (that includes you...
For the last few months I’ve been using the beta of Microsoft Security Essentials, Microsoft’s own free anti-virus and anti-spyware program for Windows 7, Vista and XP. It’s now out and available for everyone to download and use. It’s hard to know if you can recommend anti-virus programmes – it’s not as if I run into many viruses (although on some of the darker sites I visit (security people, not porn) I do occasionally see an attempt to drop spyware or adware, usually through Adobe Acrobat (thanks for that Adobe)). In the last three months Security Essentials has caught...
To accompany WebsiteSpark (do MS have an internal app called SparkSpark which creates these programmes?) seven Web Application Toolkits have been released. Dinis Cruz asked on twitter if anyone had some spare time to look at them from a security perspective. I was bored, and needed a break from editing the book (that’s right folks it’s nearly done), so I thought I’d download one. I chose the FAQ toolkit (because I need to do something with the securingasp.net domain at some point). Fired up Visual Studio, took a quick look at the code. Nice surprises ...
Version 3.1 of the Microsoft AntiXSS library (binary download) was released on the 15th September and now comes with HTML sanitisation. Not content with dropping a new release of the library Anil’s wife also dropped a release of her own and he’s now on paternity leave, which means the new functionality is undocumented for now. A quick look in the help file shows two new methods, GetSafeHtml and GetSafeHtmlFragment. Both methods have the same three overloads, GetSafeHtml(string) – which takes a string containing the HTML to be made safe GetSafeHtml(TextReader, Stream)...
Jeffery Dallman on the SDL tools blog introduces MiniFuzzer, a baby fuzz testing tool for folks who’ve never fuzz tested before. Fuzz testing takes a template of known good input files and starts to fuzz them: playing with them, flipping bits and bytes, doing all sorts of weird stuff, and then firing them into your program to see if it can cause a crash, which it normally does. More “grown up” fuzz testers (like Peach) work from a specification of valid input and use the spec to generate good, bad, and mostly good inputs, again feeding them into an application...
Scott “Red Shirt” Guthrie announced today that the jQuery and the Microsoft AJAX scripts would be hosted on the Microsoft content delivery network (CDN) – which should speed up the initial loading of these script libraries and save you bandwidth, as you won’t have to host them any more. Being an untrusting soul, errr, security person, I thought I’d take a quick look at how it’s delivered. The scripts are hosted on http://ajax.microsoft.com/ which presents the first problem – it’s a microsoft.com domain. When you do any serious browsing to the normal microsoft.com sites you’re going to get a...
At the end of the month I’ll be in Dublin delivering “Stop your website being stung” – a guide to the OWASP Top Ten project and how you can secure your ASP.NET site against them at epicenter. There’s a few other MVPs speaking as well including Craig Murphy, the Black Marble boys Richard Fennell and Robert Hogg and that damned Jon “I’m going to answer everything on StackOverflow” Skeet. Two DDD Belfast speakers are reprising their topics, Alex Mackay is giving his standing room only session on VS2010 and Andrea Magnorsky is covering the Monorail MVC package. Tickets are...
Today saw Microsoft release an out of band update for Visual Studio correcting a vulnerability in the Active Template Library. Any control which has been compiled with previous versions of ATL may allow remote code execution and must be recompiled and a corrected version distributed as soon as possible. This vulnerability affects Visual Studio 2003, 2005 and 2008. Microsoft have a dedicated page to the problem on the Microsoft Security site. The Security Research and Defense blog also has an overview of the release along with a great list of further resources: MS09-034: Internet Explorer bulletin ...
Yes, I know, it’s painful. You have to run a cryptic command line tool from the .NET framework directory. You have to mess around with RSA keys and export them if you’re load balancing, or want to encrypt on one machine and use it on another. Or you could use a handy tool from Hugo Bonacci. I know, he has a goatee, so he may in fact be evil, but you pays your money and you takes your choice. Point the tool at your server, choose the section you want to encrypt and press, well, press encrypt. There’s even...
AntiXSS, the open source encoding library from the Microsoft Security Tools folks has gone live, and the binaries are available from the MS download centre. I’ve been recommending this for quite a while over the framework’s HtmlEncode and UrlEncode simply because it offers more options (JavaScript, VBScript and XML encoding) and has a visible test suite – plus if something does go wrong it’ll be easier to patch it quickly, rather than wait for a patched version of the .NET framework. There’s also a runtime module which will try to encode on the fly in case you forget to … ...
I gave my OWASP presentation to Vista Squad last Wednesday, where Ian Smith kindly (?) videoed it. The other speaker for that evening dropped out, meaning the poor attendees had just me to listen to as I stretched it out to about 100 minutes. The length meant that the video is in two halves. Part 1 from Vista Squad on Vimeo. Part 2 from Vista Squad on Vimeo. The presentation is the same one I gave at WebDD so the slides and code are the same. The feedback on twitter was amusing; ...
Vittorio has a new starring role in a shampoo and conditioner commercial Channel9 show, The ID Element. The first episode has Stuart Kwan, the Federated Identity PM talking about Geneva in all its glory, server, framework and client. I know, none of you aside from Dominick and Travis will care, but you should. Honestly. (because it’ll give me another presentation to do at DDDs if nothing else!) Technorati Tags: Geneva,Federated Identity,Big Hair
In my WebDD09 talk on Saturday I mentioned SQL injection and LINQ. I’ve had a query about what exactly is the problem with LINQ as I was constrained by time and only mentioned it in passing. Microsoft asserts that LINQ stops SQL injection attacks: LINQ to SQL avoids such injection by using SqlParameter in queries. User input is turned into parameter values. This approach prevents malicious commands from being used from customer input. This is generally true, however LINQ to SQL has a problem method – ExecuteQuery. This method executes the SQL string you hand it directly on the server, which...
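As an added example (not from the talk or its sample code), the three ways of writing the same lookup with LINQ to SQL. `CustomersDataContext` and `Customer` are hypothetical: a generated DataContext with a `Customers` table that has a `Name` column. Only the first is injectable; the second shows that ExecuteQuery is safe when, and only when, you let it do the parameterising.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Linq;
using System.Linq;

// Added example; CustomersDataContext and Customer are hypothetical LINQ to SQL types.
public static class CustomerQueries
{
    // Vulnerable: ExecuteQuery sends the string to SQL Server verbatim, so this is no
    // better than a SqlCommand built by concatenation. A name of
    //     ' OR 1=1 --
    // returns every customer, and '; DROP TABLE Customers -- does what it says.
    public static IEnumerable<Customer> FindByNameUnsafe(CustomersDataContext db, string name)
    {
        string sql = "SELECT * FROM Customers WHERE Name = '" + name + "'";
        return db.ExecuteQuery<Customer>(sql);
    }

    // Safe: the {0} placeholder is NOT string-formatted into the SQL. LINQ to SQL turns
    // each trailing argument into a SqlParameter, so the input is always data, never syntax.
    // Beware: wrapping the first argument in string.Format(...) yourself puts you straight
    // back in the vulnerable case above.
    public static IEnumerable<Customer> FindByNameParameterised(CustomersDataContext db, string name)
    {
        return db.ExecuteQuery<Customer>("SELECT * FROM Customers WHERE Name = {0}", name);
    }

    // Best: stay in LINQ. The query translator always emits parameters for values,
    // which is the behaviour Microsoft's statement is describing.
    public static IEnumerable<Customer> FindByNameLinq(CustomersDataContext db, string name)
    {
        return from c in db.Customers where c.Name == name select c;
    }
}
```

Placeholders only cover values. If you ever find yourself putting a table or column name into an ExecuteQuery string from user input, no parameter can help you; the identifier has to be checked against a fixed list before it goes anywhere near the SQL.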
After DDD Belfast came WebDD09 where I was presenting on the OWASP Top Ten Project (well I could hardly present at DDD Belfast, I was organising, that seems just a little too egotistical *grin*). You can download the PowerPoint [905kb] and the sample code [432k]. For the person who asked, you can download Fritz Onion’s ViewState Decoder. For further reading on XSS Russ McRee republishes his Anatomy of an XSS attack article from the ISSA journal and NGS Software have two PDFs, Advanced SQL Injection and More Advanced SQL Injection. With the added bonus of discovering coffee beans...
Alex Mackey tweeted yesterday that his book was available for pre-order on Amazon so vanity got the best of me – so I checked and mine is available too. It grows ever more real and scary, although not as scary as the cover (which is now on its third iteration but I still can't convince them to use Oliver's alternative version) … Pre-order from Amazon UK Pre-order from Amazon US Technorati Tags: ASP.NET,Wrox,Vanity
It’s been reported that Labour would like the proposed UK ID cards to plug into the Chip and Pin network. This is a commercial network whose security has never been independently verified, and a bunch of folks at Cambridge reverse engineered it and showed massive cryptographic flaws, such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. This is the same network that a leaked report showed had higher instances of fraud associated with it than were expected. This was a system designed, not for security, but for moving the consequences of...
The UK .NET Community’s favourite redheaded step child Phil Winstanley just emailed me to say I’ve been picked to talk at WebDD. I’ll be presenting “P0wn3d! (Or how to redirect your friend's website to katyperry.com)”. This takes the outings of my OWASP Top Ten Web Vulnerabilities talk to 5 outings over the next couple of months: WebDD09 18 April 2009 DDD Scotland 2 May 2009 VBug London 26 May 2009 DevEvening Woking 4 June 2009 Vista Squad London 17 June...
This morning Click, the BBC’s “magazine” programme about technology proudly announced it had created its own botnet. In a new twist on “allegedly” (an infamous phrase used to skirt libel laws on Have I Got News For You and other satirical programmes) Click believe they’re legal because If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals. Tosh. The Computer Misuse Act (1990) states that deliberately obtaining access is...
I was emailed the second draft of the book cover today, which makes it scarily real. But not half as scary as what Oliver did with it. Ah the MVP community – we’re a tight bunch of nits … Technorati Tags: Wrox,Book Cover,Books,ASP.NET,Security,MVP
How many of you practice what you preach? Run as a non-administrative user? Use separate, strong passwords for all your internet accounts? I’ve been guilty of doing neither – I blame Visual Studio for not being able to run as a limited account, but not using strong passwords and individual usernames is down to laziness and a bad memory. lastpass.com to the rescue. lastpass is a browser plugin and web site that replaces the “Remember username and password” functionality of Firefox and IE, on Windows, Mac and Linux (there’s even alpha support for 64-bit IE). This is nothing...
As part of the book I've been developing some sample code for each chapter; and for chapter 4 the code has taken far more time than the chapter itself. That chapter deals with query strings and forms and covers Cross Site Request Forgery (CSRF). CSRF is an exploit where a forged request comes from another site and your site proceeds to act upon it because the user is already authenticated. I’ve covered this in more detail previously and released AntiCSRF to codeplex to help you protect against it. One of the things Alex and I discovered whilst going...
Following up AntiXSS Mark Curphey also announces the first public release of CAT.NET. CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and has been designed in partnership with the ACE Team and Microsoft Research. The ACE Team do thousands of code reviews for the internal line of business applications and for our external customers and have provided a...
Those of us using FxCop or Visual Studio's code analysis are well used to seeing the plaintive plea to strong name our assemblies. Strong names provide versioning and verification as well as allowing assemblies to be placed into the global assembly cache. They are generally a good thing. But there's a problem. Like any type of code or message signing they require a keyset and that keyset should be kept secret. What happens in open source projects or in corporate environments? Ideally the strong naming should become part of the build process; but that requires the key files to be...
As part of the book currently under way I cover Cross Site Request Forgery, a rather fun exploit that numerous web sites have been vulnerable to. In September of this year researchers from Princeton announced the discovery of four major web sites which were susceptible, including ING Direct, a vulnerability which would allow an attacker to transfer money between accounts. CSRF works via persistent authentication. When you log on to a web site an authentication cookie is left on your machine (or if you're using HTTP Authentication your browser remembers and sends the username and password with each request). An...
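Both CSRF posts above turn on the same fact: the browser attaches the authentication cookie (or HTTP auth credentials) to any request, including one a hostile page forged, but it cannot attach a secret it has never been shown. Here is an added example, my own and not the AntiCSRF library, of the usual defence for ASP.NET: a random synchroniser token kept in session, written into every POST form, and compared on the way back in. `CsrfToken`, the field name and the session key are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

// Added example: a per-session synchroniser token. A forged cross-site form carries the
// cookie automatically but has no way to know this value, so validation fails.
public static class CsrfToken
{
    public const string FieldName = "__csrfToken";
    private const string SessionKey = "CsrfToken";

    // Creates (once per session) a 256-bit random token and returns it for embedding.
    public static string GetOrCreate(HttpSessionState session)
    {
        var token = session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    // Renders the hidden field; emit this inside every <form method="post">.
    public static string HiddenField(HttpSessionState session)
    {
        return "<input type=\"hidden\" name=\"" + FieldName + "\" value=\""
            + HttpUtility.HtmlAttributeEncode(GetOrCreate(session)) + "\" />";
    }

    // Call on every POST before acting on the request. GETs must never change state,
    // otherwise an <img src="..."> on any page can drive them without a form at all.
    public static bool IsValid(HttpRequest request, HttpSessionState session)
    {
        var expected = session[SessionKey] as string;
        var submitted = request.Form[FieldName];
        if (expected == null || submitted == null) return false;
        return FixedTimeEquals(expected, submitted);
    }

    // Compare without short-circuiting, so response time does not reveal how many
    // leading characters of the token an attacker has guessed correctly.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage in a page (hypothetical): in Page_Load write CsrfToken.HiddenField(Session) into
// the form; on postback,
//     if (!CsrfToken.IsValid(Request, Session)) throw new HttpException(403, "Forbidden");
```

Two caveats a reviewer would raise. First, this relies on session state, so the token must be generated before the form is rendered and the session must not be shared across users. Second, a token only stops requests the attacker cannot read; if the site also has a cross site scripting hole, script running on your origin can fetch the form, read the token and submit it, so CSRF protection is no substitute for output encoding.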
For the last couple of weeks I've been playing with the new version of Microsoft's AntiXSS package. AntiXSS provides more encoding methods and better implementations of the base HtmlEncode and UrlEncode that come with the framework.
However there's something new this time around - the Security Runtime Engine. This is an HTTP module which will automatically provide encoding for your legacy apps and act as a second line of defence if you forget to encode your outputs.
It was released on codeplex last night; you can get v3 beta, installers and source from http://www.codeplex.com/AntiXSS - it's well worth looking at, they've even...
The Microsoft SDL website has been updated with three new pages the SDL Optimization Model page from which you can download the SDL Optimisation Model the SDL Pro Network page linking to your SDL Pro Network webpage the SDL Threat Modelling Tool page from which you can download the SDL Threat Modelling Tool v3 beta. Having seen the Threat Modelling Tool at the MVP Summit last year I've been looking forward to this one; it's improved a lot. It now uses Visio under the hood for a lovely interface, automation and guidance in your modelling as well as a...