User Group n 1 Hacking and Securing - POST Attacks

Size: px

Start display at page:

Download "User Group n 1 Hacking and Securing - POST Attacks"

Gloria Preston
5 years ago
Views:

1 User Group n 1 By Pierre-Emmanuel Dautreppe Reviewed by Damien Pinauldt 1 Agenda 1 Agenda Introduction HTML Attack What is an HTML Attack? Security evolutions between the framework versions Framework Framework Framework So we are safe? POST What is a POST attack? How to do a POST attack? Demo Using a web simulator Using a DOM Explorer (eg the FireFox one) Using a copy of the page Security evolution in the.net Framework Improvements of the framework How does it work? Protecting the web site against POST Using a Secured Button Other problems in.net 2.0: TextBoxes Showing the problem How to correct it And what about DropDownLists? Demo using the WebSimulator How does it work? Propagating the improvements to the whole web site Conclusion Will it be ensured in the next.net version? Why not? Any advice?... 8 Page 1 sur 8

2 2 Introduction This user group has been inspired by a Dino Esposito s article from MSDN Magazine and our own experience on the DH2 project while using HttpRequest, GET or POST. Its aim is to focus on risks that can exist on ASP.NET applications facing POST attacks and will cover the different improvements ASP.NET has made in this domain. 3 HTML Attack 3.1 What is an HTML Attack? - They have been inspired by the SQL Injections attacks o Note that we won t deal with the SQL Injections attacks as they are avoided very easily by using SQL parameters when dealing with queries - Trying to inject HTML code in the normal display of a page to o Change its behaviour o Provoke a DoS (by refreshing continuously the page for example) o Simply hack the site (redirecting to another one, displaying unexpected images, ) 3.2 Security evolutions between the framework versions Framework No validation is done - HTML attacks are very easy to do Framework Addition of the attribute ValidateRequest at the page level Requests are now validated and HTML attacks are blocked - What is a potentially dangerous Request.Form value? o See the code of HttpRequest.ValidateString o See the code of CrossSiteScriptingValidation.IsDangerousString Any string containing expression( (whatever the case) Any string containing < followed by a letter from a-z or A-Z Any string containing </ Any string containing <! Any string containing on But not having a letter from a-z or A-Z just before Followed by any number of letter a-z or A-Z Followed by any number of white spaces Followed by a = Any string containing script (whatever the case) Followed by any number of white spaces Followed by a : To really test these values in 1.1, share the web application into IIS and configure it to run in 1.1. After go to the page Page 2 sur 8

3 Framework The attribute ValidateRequest is now available at web site level in the web.config file - Simplification of CrossSiteScriptingValidation.IsDangerousString Any string containing &# Any string containing < followed by a letter from a-z or A-Z Any string containing <! Any string containing </ 3.3 So we are safe? - Almost - Be careful anyway if you display concatenated fields even if you have a low risk 4 POST 4.1 What is a POST attack? - Sending POST data to the server that: o Are incorrect trying to make the server crash o Are correct but that we shouldn t send trying to do things the server wants to forbid us from doing 4.2 How to do a POST attack? - There is many ways, some being o Using Telnet o Using any tool (or personal development) that is working with HTTP requests o By creating a copy of the page we want to hack and adding HTML controls that will send the fake POST arguments 4.3 Demo Using a web simulator - Import the existing project WebSimulator - Create a new Console Application DemoWebSimulator and add a reference to WebSimulator - Type the following code in the main WebSimulator web = new WebSimulator(); web.vasurpage(" web.remplitchamps("txtamount", "10000"); web.cliquesurbouton("increase Account"); - Look to the value of the field : web.lecteur.dernierereponse.pagehtml NB: Using this technique, you could click on a disabled button or on a not rendered button. However the web simulator used for the demo do not allow you to click on not rendered buttons. Page 3 sur 8

4 Using a DOM Explorer (eg the FireFox one) - Using the DOM explorer you can remove the disabled attribute of the button - Simply click on the button NB : The Firefox DOM Inspector will allow you to update existing tags, remove tags or to copy existing tags Using a copy of the page - Go to the page - View Source and Save as Html - Edit the page to change the form s action tag to give the full URL - Update the control tag you need to modify (or add a new tag) - Save the page and launch it The web site reacts normally as if the button was enabled 4.4 Security evolution in the.net Framework 2.0 Note that to show the EnableEventValidation effect, I propose to use a copy of the page and to remove all what is related to the Menu Improvements of the framework - Addition of the attribute EnableEventValidation at the page or web.config level that prevents from doing a POST attack when the button is invisible How does it work? - In AddAttributesToRender methods, the controls register themselves for event validation o Remember that a visible = false controls will NOT be rendered in HTML and so all the xxxrender or Renderxxx methods won t get called Page.ClientScript.RegisterForEventValidation(string uniqueid); Page.ClientScript.RegisterForEventValidation(PostBackOptions options); Page.ClientScript.RegisterForEventValidation(string uniqueid, string argument); - At postback (in the method LoadPostData or RaisePostBackEvent) you can validate that the postback is correct using the ValidateEvent method defined on the Control class (the base class of all controls) base.validateevent(string uniqueid); base.validateevent(string uniqueid, string eventagument); Page 4 sur 8

5 - A complex algorithm that o will compute hash keys of each control that is registered for validation o Getting hash for the uniqueid and eventargument using System.Web.Util.StringUtil.GetStringHashCode and XOR the result o Serialize as binary all the elements o Encrypt the result using the server machine key a MACKeyModifier wich depends on where the website is deployed the page s type name the view state user key Note : - MAC : Message Authentication Code - Default value for MachineKey : AutoGenerate,IsolateApps - Validation uses one of the following encryption algorithm : AES (Rijndael), MD5 (Message Digest 5), 3DES (three successive iteration of DES), SHA1 (default) - Decryption uses one of the following hashing algorithm AES, 3EDS, DES 5 Protecting the web site against POST 5.1 Using a Secured Button - Copy the PostAttack folder to the folder 2_0_Secured - Create a new DLL SecuredControls - Create a new class SecuredButton - Override the RaisePostBackEvents to add a code like: protected override void RaisePostBackEvent(string eventargument) if (this.enabled) base.raisepostbackevent(eventargument); else throw new InvalidOperationException("POST ATTACK!!"); - Update the web.config file to add the tagmapping tag with the following code and replace your asp:button with a pda:button <system.web> <pages> <controls> <add tagprefix="pda" namespace="securedcontrols" /> </controls> </pages> </system.web> - Do a new POST attack trial this time, the attack is blocked Page 5 sur 8

6 5.2 Other problems in.net 2.0: TextBoxes Showing the problem - Do the demo with the page Default.aspx - Try to add more than 3 characters blocked due to maxlength HTML attribute - Use one of the previous technique to send more than 3 characters The modification is done How to correct it - In the SecuredControls DLL, create a new class SecuredTextBox - Override (or rewrite completely) the LoadPostData method to : o Either truncate the received value o Or not to load the value if too long - If we want to truncate the value we can choose of the two following implementations, depending if we want to rewrite or modify: protected override bool LoadPostData(string postdatakey, NameValueCollection postcollection) // Truncate the value and delegate to the base class // Note : postdatakey = this.uniqueid string value = postcollection[postdatakey]; if (value!= null && this.maxlength > 0 && value.length > this.maxlength) NameValueCollection newcol = new NameValueCollection(postCollection); newcol[postdatakey] = value.substring(0, this.maxlength); return base.loadpostdata(postdatakey, newcol); return base.loadpostdata(postdatakey, postcollection); protected override bool LoadPostData(string postdatakey, NameValueCollection postcollection) // Rewrite the method // Do not forget to validate the event! this.page.clientscript.validateevent(postdatakey); string value = postcollection[postdatakey]; if (value!= null && this.maxlength > 0 && value.length > this.maxlength) value = value.substring(0, this.maxlength); if (!this.readonly &&!this.text.equals(value, StringComparison.Ordinal)) this.text = value; return true; return false; - Update the page to use the new control - Try again this time only the 3 first characters are taken into account Page 6 sur 8

7 5.3 And what about DropDownLists? Demo using the WebSimulator - Update the project DemoWebSimulator to type the following code in the main WebSimulator web = new WebSimulator(); web.vasurpage(" web.selectionnelisteparvaleur("cbolist", "5"); web.cliquesurbouton("send"); - Look to the value of the field : web.lecteur.dernierereponse.pagehtml Again the EnableValidation works to stop the POST attack How does it work? - The Dropdownlist control will register each value for event validation and the posted value is of course controlled. - See ListControl.RenderContents - See DropDownList.LoadPostData 5.4 Propagating the improvements to the whole web site - The proposed solutions apply only to the modified control You may forget to update some controls One maintenance guy may forget to use it -.NET 2.0 allows you to configure the controls use in the web.config file <system.web> <pages> <tagmapping> <add tagtype="system.web.ui.webcontrols.button" mappedtagtype="securedcontrols.securedbutton, SecuredControls"/> <add tagtype="system.web.ui.webcontrols.textbox" mappedtagtype="securedcontrols.securedtextbox, SecuredControls"/> </tagmapping> </pages> </system.web> Page 7 sur 8

8 6 Conclusion 6.1 Will it be ensured in the next.net version? - Neither in 3.0 nor in Probably never in the future 6.2 Why not? - If you can change the controls attributes in.net, you can also change them in Javascript. - If you are using the Secured Controls and some Javascript to reactivate the controls, your application won t work because for the server will still think the button is deactivated and will stop the request 6.3 Any advice? - Client side scripting like Javascript should never ever be used to ensure some business (or security) rules like forbidding a button use - These rules shall be ensured by a stronger model server-side and shall be re-tested before doing any actions - Protect your controls against POST attacks - Do not use Javascript, or use Ajax as it will execute server requests Page 8 sur 8

EXAM Web Development Fundamentals. Buy Full Product.

EXAM Web Development Fundamentals. Buy Full Product. Microsoft EXAM - 98-363 Web Development Fundamentals Buy Full Product http://www.examskey.com/98-363.html Examskey Microsoft 98-363 exam demo product is here for you to test the quality of the product.