Category: Security

My latest ASP Alliance article has been published today:

Preventing Page Review after Logout with Forms Authentication

The inclusion of Forms Authentication in the .NET Framework has been a significant benefit to developers securing web-based applications. While pages can be secured server-side, local caching by browsers and proxy servers may allow a user to review information even after they have logged out. In some cases, this may present a risk to the user’s confidential information. This article discusses three HTTP headers that can be used to prevent local caching of web pages, adding some protection to the user’s data.

Read more: http://aspalliance.com/694

“The biggest challenge to developing secure applications is that most programmers don’t know they’re writing insecure applications. Let’s look at a simple example, a forum-type application. However, any application that displays data entered by a user is a potential target.“ –Brad McCabe, XSS Happens

For an introduction to securing ASP.NET sites, check out Dino Esposito’s article “Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks“.

Dino summarizes the most common types of Web attacks and describes how Web developers can use built-in features of ASP.NET to increase security.

Perhaps one of the most dangerous and overlooked attacks is the SQL Injection attack.  It’s very easy to overlook how an attacker can exploit seemingly harmless SQL code, especially if a developer’s experience and understanding of SQL is less than expert.  There are a number of articles available, including:

Stop SQL Injection Attacks Before They Stop You (MSDN Magazine, Sep 2004)
source: http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx
This article discusses:

• How SQL injection attacks work
  
• Testing for vulnerabilities
  
• Validating user input
  
• Using .NET features to prevent attacks
  
• Importance of handling exceptions

Preventing SQL Injection Attacks
source: http://www.wwwcoder.com/main/parentid/258/site/2966/68/default.aspx

Keep your code secure against intruders. In this article we provide examples of SQL injection attacks and how you can write code to prevent them. Stop people from getting information from your database.

Are you still vulnerable to a SQL Injection attack?
source: http://www.spidynamics.com/whitepapers.html

SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems!
Despite being remarkably simple to protect against, there are an astonishing number of production systems connected to the Internet “fixed” the problem by hiding error data from the users but were left vulnerable to this type of attack!

Advanced SQL Injection In SQL Server Applications
source: http://www.nextgenss.com/papers/advanced_sql_injection.pdf

This document discusses in detail the common ‘SQL injection’ technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be ‘injected’ into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack. The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications.

(more) Advanced SQL Injection
source: http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

This paper addresses the subject of SQL Injection in a Microsoft SQL Server/IIS/Active Server Pages environment, but most of the techniques discussed have equivalents in other database environments. It should be viewed as a “follow up”, or perhaps an appendix, to the previous paper, “Advanced SQL Injection”.

The paper covers in more detail some of the points described in its predecessor, providing examples to clarify areas where the previous paper was perhaps unclear. An effective method for privilege escalation is described that makes use of the openrowset function to scan a network. A novel method for extracting information in the absence of ‘helpful’ error messages is described; the use of time delays as a transmission channel. Finally, a number of miscellaneous observations and useful hints are provided, collated from responses to the original paper, and various conversations around the subject of SQL injection in a SQL Server environment.  

One method to prevent SQL injection attacks is to use parameterized SQL queries.  This technique can be used for Access as well as SQL Server, and any other DB system that supports parameterized queries.  The example below demonstrates .NET with SQL Server, but the underlying examples should be easily adapatbale to whatever system you’re using.

Using parameterized SQL queries
source: http://www.uberasp.net/getarticle.aspx?id=46

Save yourself from SQL injection attacks and other nasty problems by passing along data in parameters.

The Curse and Blessing of Dynamic SQL
source: http://www.sommarskog.se/dynamic_sql.html

In this article I will discuss the of use dynamic SQL in stored procedures in MS SQL Server, and I will show that this is a powerful feature that you should use with care. I first discuss why we use stored procedures at all, before I explain the feature as such. I then look at the conflicts between the virtues of stored procedures and the effects of dynamic SQL. I also point to the common security issue known as SQL injection. I then move on to suggest some good coding practices. I conclude by reviewing a number of cases where dynamic SQL often is suggested as a solution, both where dynamic SQL is the way to go, and where it is a poor choice. For the latter cases, I suggest alternative strategies.

Dynamic Search Conditions in T-SQL
source: http://www.sommarskog.se/dyn-search.html

This article details the ways to use dynamic SQL in a stored procedure for searching Sql Server databases.  Written by a Microsoft MVP, there are a few topics that will be over the head of beginnning SQL programmers, but this is still an important read.  This is a follow-up to “The Curse and Blessing of Dynamic SQL“.

It is important to have a full understanding of all the risks that your web application faces.  For this, Microsoft has released a guide for developers and administrators.  You can purchase the guide from Amazon by clicking the links below, or click this link to download for free from Microsoft.

	Improving Web Application Security: Threats And Countermeasures This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.
	Web Applications (Hacking Exposed) This work covers all major Web applications platforms and focuses on vulnerabilities across different programming languages, including PHP, ASP, Perl, JavaScript and Java. It includes examples of security attacks and countermeasures in Web application software.
	Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition (Hacking Exposed) This text unveils the methods hackers use to break into systems, networks, and software, and suggest steps administrators can take to secure their computers at the different layers. The fourth edition covers the latest hacking methods and adds a chapter on 802.11 wireless networks. The DVD-ROM contains a video presentation with PowerPoint slides.

Microsoft MVP Susan “The SBS Diva” Bradley gives a short overview about sending encrypted e-mails.  In her post, she says you have to purchase a digital certificate.  From some certificate authorities, you may have to do so, but Thawte offers free certificates for e-mail through their Web of Trust program.  When your certificate is issued, the name on the certificate is “Thawte Freemail Member”.  In order to have your name appear on the certificate, you need to get yourself notarized.  Basically, you meet up with a Thawte notary (I am one), who looks at two forms of identification and assigns you points.  You need 50 points to be notarized (I can assign up to 35, the maximum allowed), and then your certificates will contain your name.  There’s more information at the WOT site at http://www.thawte.com.wot.

In a recent posting to the aspnet-security group at ASP Advice, Julie Lerman asked:

Since the site is hosted on someone else’s server, I don’t believe that I can use DPAPI to encrypt the connection strings

Actually, you can, and I use DPAPI on a number of sites in shared hosting environments.  I typically use the machine store as the data protection store, rather than the user store, but that’s a personal habit when looking at the shared hosting environment.

One downside to the machine store is that anyone who has access to the same server can decrypt your application settings, unless you set an entropy value.  In my sample project, I set the entropy when the DPAPI helper is instantiated.

I mentioned I had a small project I use to encrypt connection strings using Carl Franklin’s DPAPI helper.  All I do is upload two DLLs and my ASPX to the site I’m working on, enter the connection string (or whatever), click Encrypt, and copy the output to the web.config.  When I’m done, I delete the DLLs and page so no one accidentally finds them.  You can find my little project at http://rjdudley.com/projects/dpapi_example.zip.

To use my little project:

1. Download and unzip Carl’s DPAPI helper from http://franklins.net/dotnet/.
   
2. Download my dpapi example from http://rjdudley.com/projects/dpapi_example.zip.  Unzip it to c:\inetpub\wwwroot\dpapi.
   
3. Create an IIS application named dpapi (address will be http://localhost/dpapi) that points to c:\inetpub\wwwroot\dpapi. 
   
4. Open the solution file in VS
   
5. Add a reference to the DPAPI Helper DLL, found at <install>\DPAPIHelper\bin\DPAPIHelper.dll.  Make sure to use the dpapihelper.dll!  There is also a dpaphelper.dll (missing an ‘i’ in the name), and I’m not sure what that’s for.
   
6. Recompile the project.
   
7. Deploy the dpapihelper.dll and dpapi.dll to the site’s BIN folder, and dpapi.aspx to the site’s root folder.
   
8. Load the dpapi.aspx page, and encrypt on!

Drop me a line or leave comments with any Q’s.

<update 2005-06-16>To use the DPAPI encrypted strings in your application, you need to include two lines of code, one is the constructor that starts “DIM dp…”, and the other is the dp.decrypt method call.  In the constructor, there is a short string passed in as a function argument.  This argument(sometimes called an “initialization vector“ or “secondary entropy“ or just “key“, I’m not 100% sure of the exact correct term so anyone works for me) has to be exactly the same in your app as in the DLL used to encrypt your strings.  Otherwise, you won’t be able to properly decrypt the information in your app.  I recommend changing the entropy if you use this example, and use a different one for each site.  Remember also to leave the DPAPIHelper.dll on your site if you plan to decrypt the encrypted values.</update>

The Wall St. Journal has an article today about one step Bank of America is taking to thwart phishing attacks:

First, the bank allows customers to “register” frequently-used machines, such as a home or office PC, with its online system. When customers use one of those computers to access the site, they are shown a picture after entering a username. If the picture matches the image the user chose when setting up the account, the customer knows they are in the right place, and then enters a password to access accounts.
 
When customers try to access accounts from a computer that Bank of America doesn’t recognize, the image doesn’t appear. Instead, users must answer a challenge question, like “What was your high school mascot?” The bank tracks computer IP addresses and also uses cookies to identify PCs.

The on-line article has a nice graphic that shows the UI part of the process.  It looks like if you save the cookie in your computer, you’ll go straight to the photo or challenge question, after which you can enter your passcode.  Otherwise, you’ll have an additional step of entering your user ID.

I have a love/hate relationship with those CAPTCHA tests on websites.  I understand why, and am fascinated at just how good the human mind is at pattern resolution.  Yet, they’re additional typing.  Anything to foil a spambot I guess.

I was looking into adding a test into a project of my own, and I came across these references.  Examples of the first article are shown beneath it.

15 Seconds : Fighting Spambots with .NET and AI

This article explains how intelligent applications from Carnegie Mellon University and Berkeley researchers counter auto registration spam programs and how to build your own using ASP.NET & XML Web services.

A Generic CAPTCHA Image Tester

What’s unique here is my implementation – it’s generic enough to use in a classic ASP page, or in an ASP.NET page, it does NOT require the use of Session State, and that’s what makes it more useful. The key here is that we use an aspx page to generate the image, and we simply make our image tag’s src property point to this page.

The Code Project – CAPTCHA Image – ASP.NET

This article demonstrates how to create such an image and employ it within an ASP.NET web form.

The CAPTCHA Project Website – CMU School of Computer Science

CAPTCHA.NET is the homepage of CMU’s CAPTCHA Project

Formshield is a free .NET CAPTCHA control available at http://dotnetfreak.co.uk/blog/archive/2004/11/06/166.aspx.

Many thanks to Kevin Gearing!  There are some samples as well–very cool.

FormShield started out as a simple project with just one aim – to prevent automated form submission using dynamically generated images.

Not exactly a new idea – dynamically generated images requiring the user to enter the text found on the image have been around for quite a while (see http://www.captcha.net/), preventing automated sign-ups to free e-mail services such as HotMail and Yahoo, and automated whois lookups on domain names on sites such as Network Solutions.

Whilst some code exists on Code Project (http://www.codeproject.com/aspnet/CaptchaImage.asp), there didn’t however seem to be a free, easy-to-use and customisable control for ASP.NET with full designer integration that could generate the relevant images. So, looking for an excuse to delve into GDI+, FormShield was born and my idea of a ‘simple’ control was dropped…