Archive for the ‘Security’ Category

There is a rule used in motorcycle racing: before blaming your bike for a slow lap, look at the rear view mirror and you’ll find the cause. Or, maybe better, the first enemy for your security is yourself.

I was checking code to find eventual broken authentication issues on a website and i found the way to build a public link and get as result the web.config of the application… yes, with all the passwords.

Now, DO NOT PUT YOUR PASSWORD IN A .CONFIG, but this is another story: the problem was that one page [first tier] used a service [in the second tier] to access the filesystem and get the last uploaded file… and the file name was passed in POST (https… ahahahahaah)!

The application in general was kind of secure, but this page opened the entire system to every kind of attack… and we don’t know what our coders are putting inside the pages and we know that the testers will never spot this error.

The ONLY security check on this page was this:

                    If Not Session("COMPANY") Is Nothing 

…and the website created the default Session(“COMPANY”) in the Session_Start.

So, not only the only check present was not useful at all, but there was NO CONTROL of which file was passed, if the request was Authenticated and IF THE FILE WAS VISIBLE to the authenticated user. This is the main point: when you display/modify data ALWAYS, ALWAYS, ALWAYS force a check which controls the relationship between the user and the content. And never forget to do it in the service tiers as well… a shared security header can save your system also from the most lost developer.

IF you didn’t do it yet, run a scan on “Request” parameters (.QueryString, .Params, .Form), you’ll have some strange surprises…
Just advice for today, tomorrow we talk about performances and code builders… especially for Database!

Ah, I forgot in the other posts… Comments or idea for better implementations are always welcome!

Advertisements

Love it, you have to love it. OWASP is one of my favourite “.org” and if you want to know about security, it will become also yours.

Now, this is a late night post and it’s more a reminder for me than something for you: tomorrow I will post some security issues I am working on and, clearly, some freshly baked .NET code to protect your website (and to check if it’s vulnerable or not).

In the meantime i leave you something coming huge these days: ClickJacking (did you hear about “twitter worm” or “facebook like stealer”?). The wikipedia definition is awful, but dear OWI has a good one (https://www.owasp.org/index.php/Clickjacking). Just to make it simple: ClickJacking uses iframe properties to put a mask on top of a specific page and hide the content except some part of the page (usually buttons): the result is that you press what you don’t know you’re pressing [simple enough?]

A beautiful example is here: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

As said before, there is no complete protection against the “sleeping giant”, but this way works just fine for 99% of the known cases:

  1. put a good JS snippet: https://www.owasp.org/index.php/Clickjacking#Best-for-now_implementation
  2. add X-FRAME-OPTIONS security header.

I have a Vb example for this (you can use a simple UserControl and add it to every page you need)…


                    ' Adding X-FRAME-HEADER if configured
                    If [enable x-frame] Then
                        Response.AddHeader("X-FRAME-OPTIONS", [DENY or SAMEORIGIN])
                    End If

                    ' Adding anti-framing if configured
                    If [this page is not frameable] Then

                        ' Create JS snippet
                        Dim sb As New StringBuilder("<script language='javascript' type='text/javascript'>")
                        sb.Append("if (self == top) {")
                        sb.Append(" var theBody = document.getElementsByTagName('body')[0];")
                        sb.Append(" theBody.style.display = 'block';")
                        sb.Append(" } else { ")
                        sb.Append(" top.location = self.location; ")
                        sb.Append("}")
                        sb.Append("</script>")

                        ' Adding it, if the script is not already registered
                        If Not Page.ClientScript.IsClientScriptBlockRegistered(Page.GetType(), "FixClickJack") Then
                            Page.ClientScript.RegisterClientScriptBlock(Page.GetType(), "FixClickJack", sb.ToString())
                        End If

                    End If

(*) every time you see code, you have to substitute what’s contained in bracket with your values… and remember: when you work on existing code, always enable new behavior using a configuration, so you can control regressions!

Easy as that, and for a couple of years you should be ok.

See you tomorrow!