
Hacking ASP.Net: Tips and Tricks

2013 Secure Ideas LLC | http://www.secureideas.com

James Jardine

james@secureideas.com
(866) 404-7837
@JardineSoftware

James Jardine
Principal Security Consultant at Secure Ideas
.Net Developer Since the Beta Release
SANS Instructor and Author
Dev544: Secure Coding in .Net

Open Source Projects

Web Config Security Analyzer - http://sourceforge.net/projects/wcsa/


EventValMod - http://sourceforge.net/projects/eventvalmod

Podcaster

Professionally Evil Perspective


Down the Rabbit Hole

Blogs

.Net Security - http://www.jardinesoftware.net/

Gen. Security - http://blog.secureideas.net


Topics

ASP.Net
Request Validation
ViewState
Event Validation
GET/POST & Postback
Conclusion


ASP.Net

Versions
1.1
2.0
3.0
3.5
4.0
4.5 *


Editions

WebForms
MVC
Web Pages
Web API
WCF

Testing ASP.Net
Similar to other technologies
GETs/POSTs, etc
AJAX
Cookies, Hidden Fields, Forms
Session State, Authentication

Differentiators
Request Validation
View State
Event Validation
Other Built In Controls

Request Validation
Attempt to block XSS Attacks
In 2.0+ only works for HTML Context
<[char], <!, <?, </, &#

Prior to 2.0 most likely disabled


Request Validation Bypass

Not Really!
If database stores data as varchar (not nvarchar)
Use unicode-wide %uFF1C (<)
Request Validation doesn't detect this but...

Database will convert it to the < character

Of course output encoding does block this as well
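The last point deserves a concrete illustration of where the encoding has to happen. The following C# is an added example, not code from the slides or from Secure Ideas; the varchar round trip is simulated in-process (the fullwidth-to-ASCII fold the slide attributes to the database is stand-in code, not a real query), and the payload string is constructed for the demo. It requires a reference to System.Web.dll for HttpUtility.

```csharp
// Added example (not from the slides): why output encoding at render time
// still stops the %uFF1C (fullwidth "<") case, and why encoding on the way
// into the database does not.
using System;
using System.Web;

public static class WideCharDemo
{
    // Stand-in for the varchar column: the slide says the database folds
    // the fullwidth characters U+FF1C / U+FF1E to ASCII '<' and '>'.
    // This is a simulation, not a database call.
    public static string SimulateVarcharRoundTrip(string input)
    {
        return input.Replace('\uFF1C', '<').Replace('\uFF1E', '>');
    }

    // Wrong place to encode. HtmlEncode leaves characters above U+00FF
    // alone, so the fullwidth "<" passes through untouched and the
    // database fold turns it into a real "<" afterwards.
    public static string EncodeBeforeStorage(string input)
    {
        string encoded = HttpUtility.HtmlEncode(input);
        return SimulateVarcharRoundTrip(encoded);
    }

    // Right place to encode: encode whatever actually came back from the
    // store, at the moment it is written into the HTML context.
    public static string EncodeAtOutput(string input)
    {
        string stored = SimulateVarcharRoundTrip(input);
        return HttpUtility.HtmlEncode(stored);
    }

    public static void Main()
    {
        // Constructed payload: what %uFF1Cscript%uFF1E decodes to server-side.
        string payload = "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E";

        // Encoded before storage: the fold restores "<script>" verbatim.
        Console.WriteLine(EncodeBeforeStorage(payload));
        // Encoded at output: "&lt;script&gt;alert(1)&lt;/script&gt;".
        Console.WriteLine(EncodeAtOutput(payload));
    }
}
```

The takeaway for a review is simply to look for where HtmlEncode is called: input-side encoding (or relying on Request Validation alone) is what this bypass defeats, and output-side encoding is what the slide means by "output encoding does block this as well".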


Request Validation Bypass 2

Addition of % Character (<%tagname>)
Reported to work in IE (I was unsuccessful)
Reported by Zamir Paltiel (http://www.securityfocus.com/archive/1/524043)
An older bypass was to use a null character like <%00tagname>
Browser specific and doesn't really work anywhere

Of course output encoding does block this as well



Request Validation Config

Set in the Web.Config File
<system.web>
    <pages validateRequest="true" />
</system.web>
Set at the Page Level
<%@ Page ValidateRequest="true" %>


Yes, It's Interesting

ViewState
Base64 Encoded By Default
Can be encrypted

Vulnerabilities
Parameter Tampering, XSS, Info Leakage


ViewState Manipulation
ViewStateViewer - http://labs.neohapsis.com/2009/08/03/viewstateviewer-a-gui-tool-for-deserializingreserializing-viewstate/


ViewState - Protected


The Problem
This is wrong common advice!!

http://www.codeproject.com/Questions/464873/Validation-of-viewstate-MAC-failed

ViewStateMac
Provides Tamper Protection for:
ViewState
EventValidation

Web.Config
<pages enableViewStateMac="true"/>

Page Level
<%@ Page Language="C#" EnableViewStateMac="true"...

Event Validation

Protects Drop Down Lists

Protects against forged post backs
Protected by ViewStateMac
Creates an array of numeric hashes
Not User Specific
Doesn't Protect against CSRF

<input type="hidden" name="__EVENTVALIDATION" value="/wEWBALslL0qAu3wv7QBAqnOkfQNAoznisYG"/>


Event Validation - EventValMod


Modifies the Event Validation field
Stand Alone App / Written in .Net
http://sourceforge.net/projects/eventvalmod


Event Validation - VEHICLE


ViewState Hidden Event Enumerator
Formerly known as ria-scip

Works with ZAP


Features

Event Execution of Disabled/Invisible Controls


Server Control Property Injection
Edit the ViewState Field
Error-Based Control Name Enum
ViewState/EventValidation Reconstruction

https://github.com/hacktics/vehicle


EventValidation Config
Set in the Web.Config File
<system.web>
    <pages enableEventValidation="true" />
</system.web>
Set at the Page Level
<%@ Page EnableEventValidation="true" %>


Bad, Bad, Bad!!


ViewStateUserKey
Protects against Cross Site Request Forgery
Provides a user "salt" to ViewStateMac

Not enabled by default


Only works for requests with ViewState
http://www.testsite.mm/deleteuser.aspx?id=5 (doesn't work)

Recommendation:
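The usual way to enable ViewStateUserKey is from a base page class, as in this added C# example (not code from the slides or from Secure Ideas). It assumes cookie-based session state; the SecureBasePage class name and the "vsuk-marker" session key are invented for the example. The check that the session is non-empty matters: ASP.NET issues a fresh SessionID on every request until something is stored in the session, and a key that changes between render and postback makes every postback fail MAC validation.

```csharp
// Added example (not from the slides): tying the ViewState/EventValidation
// MAC to the current user. ViewStateUserKey must be set during Init, before
// ViewState is loaded; setting it later throws.
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

public class SecureBasePage : Page
{
    // Assumed name; any stored value works, it only has to keep the
    // session alive so SessionID stays stable across postbacks.
    private const string SessionMarkerKey = "vsuk-marker";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Context.Session is null when session state is disabled for the
        // page; Page.Session would throw instead.
        HttpSessionState session = Context.Session;
        if (session == null)
        {
            return;
        }

        if (session[SessionMarkerKey] == null)
        {
            session[SessionMarkerKey] = true;
        }

        // With ViewStateMac enabled, a __VIEWSTATE / __EVENTVALIDATION blob
        // copied from another user's session now fails validation, which is
        // what blocks the forged postback used for CSRF.
        ViewStateUserKey = session.SessionID;
    }
}
```

As the slide notes, this only covers requests that carry ViewState; a plain GET such as deleteuser.aspx?id=5 never reaches the MAC check, so the verb check and authorization on every request in the later slides still apply.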


Postback
Webforms are based around "Postbacks"
Caused by Events (ex. button_click)
Triggered by __VIEWSTATE or __EVENTTARGET

if (!Page.IsPostBack){
    // Authorization/Populate Data
    lblCopy.Text = "copy 2013";
    if(!User.IsInRole("Admin"))
        Response.Redirect("Unauthorized.aspx");
}
else{
    // Execute Events
}


Postback Attacks
Authorization Bypass

    if(!User.IsInRole("Admin"))
        Response.Redirect("Unauthorized.aspx");

Recommendation:
Check Authorization on Every Request

XSS (ViewState Tampering)

    lblCopy.Text = "copy 2013";

Recommendation:
Enable ViewStateMac
Set text on every request
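Both recommendations come down to moving work out of the !IsPostBack branch. The following C# is an added example (not code from the slides or from Secure Ideas) that puts the Postback slide's pattern beside a hardened Page_Load; lblCopy, the "Admin" role and Unauthorized.aspx are the slide's names, while the AdminPage class is constructed for the example.

```csharp
// Added example (not from the slides): the vulnerable Page_Load from the
// Postback slide and a hardened version of the same page.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class AdminPage : Page
{
    // In a real code-behind the designer file declares this control.
    protected Label lblCopy;

    // Vulnerable: on a postback neither line runs. The role check is
    // skipped entirely, and lblCopy's text comes from ViewState, so with
    // ViewStateMac off a tampered __VIEWSTATE controls what is rendered.
    protected void Page_Load_Vulnerable(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            lblCopy.Text = "copy 2013";
            if (!User.IsInRole("Admin"))
                Response.Redirect("Unauthorized.aspx");
        }
    }

    // Hardened: authorization runs on every request, before anything
    // else, and static text is assigned on every request so it never
    // depends on ViewState round-tripping intact.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.IsInRole("Admin"))
        {
            Response.Redirect("Unauthorized.aspx", endResponse: true);
        }

        lblCopy.Text = "copy 2013";

        if (!Page.IsPostBack)
        {
            // Only one-time data population belongs here (list bindings
            // and the like); nothing security-relevant.
        }
    }
}
```

ViewStateMac should still be on (the hardened version does not replace it); it just means the label's content no longer has to be trusted from the client at all.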



GET/POST Exchange
Server Control GETs and POSTs are
Interchangeable
TextBox
ListBox
ViewState/EventValidation
Etc.

Based on Request Type


Can Call POST requests with GET
Good for CSRF
Can Trigger Postback with GET request

GET/POST Fix
WebForms
    if(Request.RequestType == "POST")

MVC
    [HttpPost]
    void DoSomething()


Authentication Cookie
HTTPOnly (Hard Coded)
Secure Flag may not be set
Sometimes there is an error if behind a Load Balancer that strips SSL
Should Recommend Manually setting this value

Self-Contained - Not tracked on server

Timeout is key. Lives until the timeout expires on the cookie
FormsAuthentication.SignOut only removes cookie from the browser (doesn't kill it)
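Setting the Secure flag by hand, for the load-balancer case on this slide, looks like the following added C# example (not code from the slides or from Secure Ideas). It assumes the balancer reports the original scheme in an X-Forwarded-Proto header; that header name and the AuthCookieHelper class are assumptions, and the forms timeout is whatever web.config specifies.

```csharp
// Added example (not from the slides): issuing the forms-auth cookie with
// Secure set manually when TLS terminates at a load balancer, so that
// requireSSL (which throws on a non-HTTPS request) is not needed.
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookieHelper
{
    // Assumed header; use whatever your load balancer actually sends.
    private const string ForwardedProtoHeader = "X-Forwarded-Proto";

    // True if the client connection was TLS, either end to end or as
    // reported by the balancer that terminated it.
    public static bool ClientUsedTls(HttpRequestBase request)
    {
        if (request.IsSecureConnection)
        {
            return true;
        }
        string proto = request.Headers[ForwardedProtoHeader];
        return string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase);
    }

    public static void IssueAuthCookie(HttpContextBase ctx, string userName)
    {
        // Non-persistent: the ticket lives for the configured forms timeout.
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, false);
        cookie.HttpOnly = true;                       // ASP.NET hard-codes this anyway
        cookie.Secure = ClientUsedTls(ctx.Request);   // the flag the slide says to set manually
        ctx.Response.Cookies.Add(cookie);
    }

    // Clears the cookie in the browser only. The ticket is self-contained,
    // so a captured copy keeps working until its timeout, which is why
    // the timeout value matters more than the logout call.
    public static void SignOut()
    {
        FormsAuthentication.SignOut();
    }
}
```

If the balancer ever sends plain HTTP clients through with the same header, the flag will be set on a cookie that the browser then refuses to send back, which is the safe failure mode; the unsafe one is a cookie without the flag.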

Misc. Files
Trace.axd
Elmah.axd
Use URL Authorization in the Web.config
Web.config (crown jewels) GOOD LUCK!!
IIS is set up to not serve this file


Conclusion
ASP.Net has good security features
You have to understand them

ViewStateMac is IMPORTANT!
EventValidation
ViewState
ViewStateUserKey

Developers are not up to speed on these things


Share this info with developers
