Hack proof your ASP NET Applications
2 likes969 views
The document discusses various security vulnerabilities in ASP.NET applications, focusing on attacks such as content spoofing, XPath injection, XML External Entity (XXE) attacks, and brute force attacks. It provides prevention strategies for each vulnerability, including input validation, using secure data transmission methods, and employing robust authentication mechanisms. Additionally, it highlights tools for security testing and emphasizes the importance of securing sensitive data within web applications.
![XPath Injection
• XPath is used to navigate through elements and attributes in an XML document.
• Exploit : Lets suppose your login screen validating from XML and your XML is as follows :
<?xml version="1.0" encoding="utf-8" ?>
<Users>
<user> <id>Sarvesh</id> <password>12345</password> <age> 80</age> </user>
<user> <id>Thor</id> <password>asgard</password> <age>100</age> </user>
</Users>
Now an attacker can pass login and password values as follows to make your code condition true.
„ or „1‟ = „1‟
XmlDocument XmlDoc = new XmlDocument();
XmlDoc.Load("...");
XPathNavigator nav = XmlDoc.CreateNavigator();
XPathExpression expr =
nav.Compile("string(//user[id/text()='"+TextBox1.Text+"'
and
password/text()='"+TextBox2.Text+"']/account/text())")'
String account=Convert.ToString(nav.Evaluate(expr));
if (account=="") { }
Prevention :
• Precompile your xpath expression (XPathExpression.Compile)
• Use MVP.XML (Precompiled and AddVariable)
• Use of parameterized XPath queries
• Use of custom error pages(Don‟t disclose too much
information)
• Use replace method to replace “‟” sign
• Validate user input
• Use XPathExpression.SetContext() for variable use](https://image.slidesharecdn.com/hackproofyouraspnetapplications-161002122949/85/Hack-proof-your-ASP-NET-Applications-3-320.jpg)
![XXE (XML External Entity)
An XML External Entity attack is a type of attack against an application that parses XML input. This attack
occurs when XML input containing a reference to an external entity is processed by a weakly configured
XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side
request forgery, port scanning from the perspective of the machine where the parser is located, and other
system impacts. [OWASP]
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ //Using DTD
<!ENTITY xxeattack SYSTEM "file:///system/FinancialData"> ]>
<xxx>&xxeattack;</xxx>
Now In HTTPResposne you can see the password file
Prevention from XXE Attack :
• Prior to .NET 4.0 set prohibitDTD property to true for XMLReaderSettings , set XMLResolver to null for XMLDocument
• After .NET 4.0 use DTDProcessing.prohibit for XmlReaderSettings, set XMLResolver to null for XMLDocument
• Use configurable XML Parser and configure it to ignore certain entities
• Validate your XML Data
• For More Detail Visit OWASP CheatSheet](https://image.slidesharecdn.com/hackproofyouraspnetapplications-161002122949/85/Hack-proof-your-ASP-NET-Applications-4-320.jpg)
Hack proof your ASP NET Applications
- 1. Hack Proof Your ASP.NET Applications By Sarvesh Kushwaha
- 2. Content Spoofing • Content Spoofing is an attack technique that allows an attacker to inject a malicious payload that is later misrepresented as legitimate content of a web application. • Text Only Content Spoofing (Dynamic pages build from query string values e.g. error pages, story websites, news) Example : http://foo.com/news?id=123&title=company+stock+rises http://foo.com/news?id=123&title=company+filing+bankrupcy • HTML Markup Reflected Content spoofing (Change the dynamic src tag on a website (iframe src,img src) ) Example : http://foo.com/Sarvesh?ProfileImage=http://validGravatar.com/abc.jpeg http:// foo.com/Sarvesh?ProfileImage=http://naughty.com/abc.jpeg • Prevent content spoofing • For Data transmission use post (sensitive data should be transmit in POST request) • Validate user input (Avoid URL from diff sources) • Encode user input • Encrypt sensitive data in query string (Not recommended)
- 3. XPath Injection • XPath is used to navigate through elements and attributes in an XML document. • Exploit : Lets suppose your login screen validating from XML and your XML is as follows : <?xml version="1.0" encoding="utf-8" ?> <Users> <user> <id>Sarvesh</id> <password>12345</password> <age> 80</age> </user> <user> <id>Thor</id> <password>asgard</password> <age>100</age> </user> </Users> Now an attacker can pass login and password values as follows to make your code condition true. „ or „1‟ = „1‟ XmlDocument XmlDoc = new XmlDocument(); XmlDoc.Load("..."); XPathNavigator nav = XmlDoc.CreateNavigator(); XPathExpression expr = nav.Compile("string(//user[id/text()='"+TextBox1.Text+"' and password/text()='"+TextBox2.Text+"']/account/text())")' String account=Convert.ToString(nav.Evaluate(expr)); if (account=="") { } Prevention : • Precompile your xpath expression (XPathExpression.Compile) • Use MVP.XML (Precompiled and AddVariable) • Use of parameterized XPath queries • Use of custom error pages(Don‟t disclose too much information) • Use replace method to replace “‟” sign • Validate user input • Use XPathExpression.SetContext() for variable use
- 4. XXE (XML External Entity) An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. [OWASP] <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ //Using DTD <!ENTITY xxeattack SYSTEM "file:///system/FinancialData"> ]> <xxx>&xxeattack;</xxx> Now In HTTPResposne you can see the password file Prevention from XXE Attack : • Prior to .NET 4.0 set prohibitDTD property to true for XMLReaderSettings , set XMLResolver to null for XMLDocument • After .NET 4.0 use DTDProcessing.prohibit for XmlReaderSettings, set XMLResolver to null for XMLDocument • Use configurable XML Parser and configure it to ignore certain entities • Validate your XML Data • For More Detail Visit OWASP CheatSheet
- 5. Brute Force Attack • It‟s a try try until you succeed attack by applications to decode encrypted data , keys, sensitive data. • Popular tools for Brute Force Attack ; • Aircrack-ng (For wifi) • John The Ripper (For passwords) • Rainbow Crack • Cain and Abel • Lopht crack (For windows) • Crack • Prevention from Brute Force Attack • Locking accounts (Like any Bank do) • Use Captcha • Block suspicious IP • Dynamic IP Restrictions Extension for IIS • Diff Login username and passwords • Forcing secure passwords (1Usabcd@) dictionary attacker will cry
- 6. Hack Proof Your ASP.NET Applications • Hack Proof Your ASP.NET Applications From SQL Injection • Hack Proof Your ASP.NET Application From Cross Site Scripting (XSS) • Hack Proof Your ASP.NET Application Part 3 (Cross Site Request Forgery) • Hack proof your ASP.NET applications from Sensitive Data Exposure and Information Leakage • Hack proof your asp.net applications from Session Hijacking • Hack proof your JavaScript using JavaScript Obfuscation in ASP.NET applications
- 7. Security Testing for ASP.NET Applications • OWASP Zed Attack Proxy (ZAP) • Fiddler with Watcher and X5S extensions • Wapiti • W3af • Skip fish • Arachni • OWASP Vulnerability Testing Tools • OWASP Phoenix tools List
- 8. Sarvesh Kushwaha | | | | | |