Security overview

Arturo Buonanni

I'm a programmer new to ASP.NET and web development in general.

I'm going to code a web application and I'm concerned about the
security issues that arise on this field (that's new to me).

I'm using VWD2005 Express Ed. and I've read the online help about
security.

Now I've a doubt about one thing. The online help states that you have
to validate every user input against script exploits and SQL injection
and that's quite fair. But it also states that ASP.NET validates every
"request" against potentially harmful values (i.e. scripts).
Now, if ASP.NET doesn't allow dangerous values in the request for
pages, how can one use script exploits? Why code against script exploits
in every page if dangerous values are not meant to ever reach the page?

I'm new to web development as I've said so I'm probably missing
something and I'd like to know what it is.

Thanks.
 
Arturo Buonanni

Hi Paolo,

Thanks for your reply.

I found the article very interesting but it failed to answer my former
question.
From what I understand, an XSS attack consists of the attacker redirecting a
visitor to a victim web site while inserting his own script in a field
(hidden or unnoticed) of the web site so that when the user interacts with
the web site the code is executed.

If this is correct then my question arises again. If the ASP.NET
framework validates all form fields' input for harmful values (let's
say script identifiers) how can the attacker's code be executed?

That's my point.

From what I read in the article it seems that the ASP.NET protection
could be faulty, being based on "black lists" instead of "white lists"
and so being unable to handle new script identifiers of new harmful
code. Is that the reason?

Anyway I still don't understand why MS advises you in the online help to
validate all user input against special characters if the ASP.NET
framework already does it. In this way they are covertly saying that
the ASP.NET protection doesn't always work.

I'm still a bit confused about this.
 
Dominick Baier [DevelopMentor]

hi,

reasons are

a) black vs. white listing
b) the ValidateRequest feature was bugged in the past - don't rely on it
c) only the most obvious characters are blocked, like '<' otherwise there
would be too many false positives
d) you may need to accept characters which are considered illegal - and you
have to turn off the automatic validation
e) does not find more subtle attacks

ValidateRequest is a defense-in-depth measure meant to augment *not* replace
input validation.
 
Arturo Buonanni

Ok, so it seems that the ASP.NET protection against malicious code is
just a basic one that needs to be enhanced with coder work.

Given that I've no need to allow any HTML tag and that my users only
need to input plain text, would HTMLEncode() and URLEncode() be enough
for this?

Are there any other countermeasures that must be implemented in order to
build a secure site (apart from authentication and authorization that
I give as assumptions)?
 
Dominick Baier [DevelopMentor]

hi,

building secure sites is not only about throwing in some counter measure
- it is a combination of

- Threat Modeling leading to

- prevention
- detection
- reaction

good input validation is a prereq - but there is more

auth & authZ, least privilege, server hardening, error handling, logging
& instrumentation, data & communication protection etc...

HtmlEncode is OK if you are emitting the output to HTML - if you are concatenating
input into script blocks - this won't help you.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Paolo De Nictolis, Eng. [441410] wrote:

Hi Arturo,
please check AntiXSS Library:
http://www.programmazione.it/index.php?entity=eitem&idItem=33147.
Paolo
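As an added example (not code from the thread, from Microsoft or from DevelopMentor), here is what Dominick's two points look like in practice: the black-list versus white-list distinction from his first reply, and the "HtmlEncode is fine for HTML, useless inside a script block" point from this one. It assumes .NET Framework 2.0 or later with a reference to System.Web.dll; the whitelist regex, the `name` variable, the hand-rolled JavaScript string encoder and the sample inputs are all made up for the example.

```csharp
// Added example, not from the thread: whitelist the input first, then
// encode for the exact place the value is emitted. Builds as a console
// application on .NET Framework 2.0 or later (reference System.Web.dll;
// on .NET Core/.NET 5+ the same type lives in System.Web.HttpUtility).
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

static class OutputContexts
{
    // Whitelist (hypothetical rule for the example): the plain text Arturo's
    // users type, i.e. letters, digits, space and a little punctuation,
    // 1..100 characters. \z rather than $ so a trailing newline cannot
    // sneak past the anchor. Anything else is rejected, not "cleaned".
    static readonly Regex PlainText =
        new Regex(@"^[\p{L}\p{Nd} .,'\-!?&]{1,100}\z", RegexOptions.CultureInvariant);

    public static bool IsPlainText(string input)
    {
        return input != null && PlainText.IsMatch(input);
    }

    // HTML element content: HtmlEncode is the right tool, < > & " become
    // entities and can no longer open a tag or an attribute.
    public static string RenderHtml(string untrusted)
    {
        return "<p>" + HttpUtility.HtmlEncode(untrusted) + "</p>";
    }

    // A JavaScript string literal inside a <script> block: HtmlEncode is the
    // WRONG tool. The browser does not decode entities inside <script>, and
    // the characters that end a JS literal (backslash, line terminators,
    // the apostrophe on .NET 2.0) are not entities in the first place.
    public static string RenderScriptWrong(string untrusted)
    {
        return "<script>var name = '" + HttpUtility.HtmlEncode(untrusted) + "';</script>";
    }

    // Encoder for the JavaScript string context: everything outside
    // [A-Za-z0-9] becomes \xHH or \uHHHH, so the value cannot close the
    // literal or the <script> element. Hand-rolled so the example builds on
    // .NET 2.0; from .NET 4 on HttpUtility.JavaScriptStringEncode exists.
    public static string JsStringEncode(string s)
    {
        StringBuilder sb = new StringBuilder(s.Length * 2);
        foreach (char c in s)
        {
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
                sb.Append(c);
            else if (c < 0x100)
                sb.AppendFormat("\\x{0:X2}", (int)c);
            else
                sb.AppendFormat("\\u{0:X4}", (int)c);
        }
        return sb.ToString();
    }

    public static string RenderScriptRight(string untrusted)
    {
        return "<script>var name = '" + JsStringEncode(untrusted) + "';</script>";
    }

    // Check used below: does the emitted literal still contain a character
    // that terminates or escapes a single-quoted JS string?
    static readonly char[] JsStringBreakers = { '\'', '\\', '\n', '\r', '\u2028', '\u2029' };

    public static bool LiteralIsIntact(string rendered)
    {
        const string prefix = "<script>var name = '";
        const string suffix = "';</script>";
        string inner = rendered.Substring(prefix.Length,
                                          rendered.Length - prefix.Length - suffix.Length);
        return inner.IndexOfAny(JsStringBreakers) < 0;
    }

    static void Main()
    {
        // Constructed sample inputs. The second one contains no '<' at all,
        // so a character blacklist has nothing to object to, yet it breaks
        // the script block (an unterminated string) when only HtmlEncode is used.
        string[] samples = { "Tom & Jerry", "line one\nline two" };
        foreach (string s in samples)
        {
            Console.WriteLine("input             : " + s.Replace("\n", "\\n"));
            Console.WriteLine("whitelist passes  : " + IsPlainText(s));
            Console.WriteLine("html context      : " + RenderHtml(s));
            Console.WriteLine("script, HtmlEncode: " + RenderScriptWrong(s).Replace("\n", "\\n")
                              + "  intact=" + LiteralIsIntact(RenderScriptWrong(s)));
            Console.WriteLine("script, JS encode : " + RenderScriptRight(s)
                              + "  intact=" + LiteralIsIntact(RenderScriptRight(s)));
            Console.WriteLine();
        }
    }
}
```

Two things to take from the run. First, the whitelist rejects the multi-line value outright, so the question "is HtmlEncode enough?" never has to be answered for it; that is the white-list approach Arturo asked about, and it fails closed on characters nobody has thought of yet. Second, for the value that does pass, HtmlEncode gives a correct `<p>` but, inside the script block, leaves `&amp;` as literal text (the browser will not decode it there) and leaves a raw newline untouched, so the literal is no longer intact. The encoder has to match the output context, which is exactly why the online help tells you to keep validating even with ValidateRequest on.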
 
Arturo Buonanni

Hi Dominick,

Thanks for your reply.

I understand that. I've already read most of the documentation
concerning security present on the VWD online help and downloaded some
more.

I'm now facing the usual coder "dilemma". On one side, my boss asks
me to "produce" something in the shortest term possible. On the other
side I don't want to release a "security" weak solution.

Given that I don't have the time to extend my knowledge to fully
include all security aspects related to web application development, I
need to know which actions I, as a coder, can take to build the most
secure solution possible.

Also consider that this solution will probably be hosted on someone
else's web server so all issues related to the server's configuration
are out of my reach. I can only assume (and maybe verify) that our
host is putting in all effort to secure his servers.

From what I've read, related to coding, I must take care of:
- authentication;
- authorization (restricting users' access to resources to the least
needed);
- input and output validation;
- error handling;
- securing configuration.

Is there anything else I can take care of, not being able to configure
the web server to my own needs?

While we are on the topic, I've a question about configuration
encryption.

If I encrypt sections of my web.config on my dev. machine using
aspnet_regiis, will the server be able to decrypt them?

Aren't encryption keys specific to each asp.net installation?

Thanks for the help.

 
Dominick Baier [DevelopMentor]

Hi,

yeah - that's the usual dilemma - you will learn a lot in your first "secure
application" - maybe you should reserve some budget for penetration testing.

Logging and Instrumentation is an important one too.

re encrypted config

it depends which provider you use - DPAPI is machine specific - RSA keys
can be exported and installed on different machines.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
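To make Dominick's DPAPI-versus-RSA answer concrete, here is the command sequence for moving an RSA-protected web.config from a dev box to a host, as an added example that is not part of the thread and not Microsoft's documentation. It assumes .NET Framework 2.0 or later, an elevated command prompt on both machines, an application pool running as NT AUTHORITY\NETWORK SERVICE, and that web.config declares a provider named MyAppRsaProvider in its configProtectedData section with keyContainerName="MyAppKeys" and useMachineContainer="true"; the container name, provider name and paths are placeholders.

```batch
@echo off
REM Added example (not from the thread): move an RSA-protected web.config
REM between machines. A DPAPI-protected section cannot be moved this way,
REM because the DPAPI key never leaves the machine that created it; the
REM RSA provider works because its key container can be exported/imported.
REM Assumptions: .NET Framework 2.0+, elevated prompt, app pool identity
REM "NT AUTHORITY\NETWORK SERVICE"; "MyAppKeys", "MyAppRsaProvider" and the
REM paths are placeholders to replace with your own values.

SET REGIIS=%WINDIR%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe

REM --- on the development machine -------------------------------------
REM 1. create an RSA key container in the machine key store; -exp marks
REM    the private key exportable, which the default container need not be
%REGIIS% -pc "MyAppKeys" -exp

REM 2. encrypt the section with the provider bound to that container.
REM    -pef takes the physical folder that holds web.config; the provider
REM    name must match the configProtectedData entry in that web.config.
%REGIIS% -pef "connectionStrings" "C:\path\to\site" -prov "MyAppRsaProvider"

REM 3. export the key pair for the host; -pri includes the private half,
REM    so treat the file as a secret from this point on
%REGIIS% -px "MyAppKeys" MyAppKeys.xml -pri

REM --- on the hosting server ------------------------------------------
REM 4. import the same container, then grant the worker process identity
REM    read access to it, otherwise the site fails at startup with a
REM    "key container" / "RSA key" error
%REGIIS% -pi "MyAppKeys" MyAppKeys.xml
%REGIIS% -pa "MyAppKeys" "NT AUTHORITY\NETWORK SERVICE"

REM 5. verify the round trip on a scratch copy of the site folder
REM    (-pdf is the inverse of -pef); never decrypt the live file in place
%REGIIS% -pdf "connectionStrings" "C:\path\to\scratch-copy"

REM 6. remove the exported private key once the import has been confirmed
del MyAppKeys.xml
```

Steps 4 and 5 need administrative access on the host, which on a shared server means asking the provider to run them for you; if the provider will not, the container cannot be installed and the section has to be encrypted on the server itself (with either provider). The key file produced by -px -pri is the equivalent of the plaintext connection string it protects, so it should travel to the host over a protected channel and be deleted at both ends afterwards.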
 
Arturo Buonanni

Hi Dominick,

Thank you for your quick reply.

So I'm now ready to start (like a lamb to the wolves).

About penetration testing, how can I arrange for that?

Are there some services that offer it?

 