(1) Threats and Defenses


8/8/2019 (1) Threats and Defenses

9/27/2010 11:58 AM

2003-2004 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Development of Secure Web Applications: Threats and Defenses

Malek Kemmou
CEO Arrabeta
Microsoft Regional Director for Middle East and Africa

Speaker.GetBio().ToString()

CEO Arrabeta (consulting firm based in Casablanca, Morocco)
Member of the newtelligence alliance
Senior Consultant and Senior Trainer
Solutions architecture, integration, interoperability
Microsoft Regional Director for Middle East and Africa
Member of INETA MEA board
Speaker at many conferences and events
http://www.microsoft.com/rd
~140 experts from all around the world

A little quiz for you

What is the most dangerous HTML tag?
What is the most dangerous control in a rich client form?
TextBox

Threats and Defenses

Types of threats
Threats against the application
  SQL injection
  Cross-site scripting
  Input tampering
  Session hijacking
  More

Writing secure code
  Validating input
  Accessing databases securely
  Using forms authentication securely
  Storing secrets securely
  Securing session state
  Handling errors properly

Types of Threats

Threats against the network: spoofed packets, etc.
Threats against the host: buffer overflows, illicit paths, etc.
Threats against the application: SQL injection, XSS, input tampering, etc.


ASP.NET View State

Great alternative to hidden fields when round-tripping data to the client
Validated by default
Encrypted if desired

Encrypting ASP.NET view state:

Page.ViewStateUserKey

Tool for keying view state to individuals
Adds value of your choice to view state
Defense against "one-click" attacks
Must be applied in Page_Init
ASP.NET 1.1 only

    void Page_Init (Object sender, EventArgs e)
    {
        // Hedge against spoofed postbacks: the user name becomes part of
        // the view state MAC, so a postback replayed from another user's
        // session fails validation
        if (User.Identity.IsAuthenticated)
            ViewStateUserKey = User.Identity.Name;
    }

Securing Session State

Limit session time-outs as much as possible
Avoid using cookieless session state if possible
Disable ASP.NET state service if you're not using it
Close port 42424 in firewall if using state service
Encrypt connection string if using SQL Server [11]
Close ports 1433 and 1434 if using SQL Server

Session State, Cont.

Optionally use SSL/TLS to protect session ID cookies [1]
Optionally use SSL/TLS or IPSec to secure the connection to the database server [2, 9]
Don't store potentially injurious data (such as credit card numbers) in session state

Error Handling

Anticipate errors and handle them sensibly
Use <customErrors> to display custom error pages
Beware mode="off" and debug="true"
Don't reveal too much information in error pages
Log unhandled exceptions
Be aggressive about logging failures

Logging Unhandled Exceptions

    // Global.asax; EventLog lives in System.Diagnostics
    // (<%@ Import Namespace="System.Diagnostics" %>)
    void Application_Error (Object sender, EventArgs e)
    {
        // Formulate message to write to event log
        string msg = "Error accessing " + Request.Path + "\n" +
                     Server.GetLastError ().ToString ();

        // Write the message to Windows event log. The event source must
        // already exist: the ASP.NET worker account normally lacks the
        // rights to create one, and WriteEntry then throws
        EventLog log = new EventLog ();
        log.Source = "My ASP.NET Application";
        log.WriteEntry (msg, EventLogEntryType.Error);
    }

Global.asax
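The view state, session state and error handling settings from the slides above, collected into one ASP.NET 1.1 web.config as an added example that is not part of the original deck. GenericError.htm, the placeholder key values and the registry path under MY_SECURE_APP are assumptions; each weak setting is named in a comment beside its hardened replacement.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>

    <!-- Error handling. Weak setting: <customErrors mode="Off"/> sends
         stack traces, source paths and connection details to every
         remote client. RemoteOnly shows the detailed page only to a
         browser on the server itself; everyone else gets the generic
         page (GenericError.htm is an assumed file name). -->
    <customErrors mode="RemoteOnly" defaultRedirect="GenericError.htm"/>

    <!-- Weak setting: <compilation debug="true"/> adds source snippets
         and line numbers to error output and disables the request
         execution time-out. -->
    <compilation debug="false"/>

    <!-- View state. enableViewStateMac="true" is the default and gives
         the tamper check; validation="3DES" makes ASP.NET 1.1 encrypt
         view state as well. Key values are placeholders: on a web farm
         use the same explicit keys on every server instead of
         AutoGenerate, otherwise postbacks routed to another server
         fail validation. -->
    <pages enableViewStateMac="true"/>
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_48_HEX_CHARS"
                validation="3DES"/>

    <!-- Session state. Weak settings: cookieless="true" puts the
         session ID in the URL, where it leaks through Referer headers
         and proxy logs; a long timeout such as 120 minutes keeps a
         hijacked session usable that long. -->
    <sessionState mode="SQLServer"
                  cookieless="false"
                  timeout="10"
                  sqlConnectionString="registry:HKLM\SOFTWARE\MY_SECURE_APP\sessionState\ASPNET_SETREG,sqlConnectionString"/>
    <!-- The registry: form is the syntax from KB 329290 (resource 11):
         aspnet_setreg.exe stores the encrypted connection string under
         the (assumed) key HKLM\SOFTWARE\MY_SECURE_APP\sessionState, so
         no SQL Server credentials appear in this file. -->

  </system.web>
</configuration>
```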


Additional Resources

[1] "How to Set Up SSL on a Web Server"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT16.asp
[2] "How to Use IPSec to Provide Secure Communications Between Servers"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT18.asp
[3] "How to Implement Patch Management"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTImpPatch.asp
[4] "How to Use IISLockdown"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTlockdown.asp
[5] "How to Use URLScan"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/HT_URLScan.asp

Additional Resources, Cont.

[6] "Required NTFS Permissions for ASP.NET"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh19.asp?frame=true#c19618429_025
[7] "10 Steps to Help Secure SQL Server 2000"
    http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
[8] "How to Use SSL to Secure Communications with SQL Server 2000"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT19.asp
[9] "How to Harden the TCP/IP Stack"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTHardTCP.asp

Additional Resources, Cont.

[10] "Kerberos Protocol Transition and Constrained Delegation"
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/ConstDel.asp
[11] "How to Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings"
    http://support.microsoft.com/default.aspx?scid=kb;en-us;329290
[12] "How to Create a Custom Account to Run ASP.NET"
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp

Speaker as a Resource

[email protected]

Slide decks and demos:
http://www.malekkemmou.ma


Appendix
