Thursday, August 16, 2018

MVC Security

1) Security Misconfiguration (Error Handling Must Setup Custom Error Page)

In this kind of attack the attacker intercepts form data which is submitted by end User and changes values and sends the modified data to the server.

So for such kind of scenarios developers do put proper validations in place but when these validations display error lot of information of the server is revealed.

So is data annotation validations more than enough to secure the page. No, that’s not enough for securing page I will show you a small demo of how these validations get bypassed.

With the help of Burp software you can modify request in middle.

Solution: -
So the solution here is we need to set some kind of error page which does not show the internal technical error but rather shows a custom error message.

We have two approaches for it :-

Create a custom Error handling Attribute.
Setting Custom Error page from Web.config file

2) Cross-Site Request Forgery (CSRF)

A CSRF vulnerability allows an attacker to force a validated and logged in user to perform actions without their consent or unknowingly.

Take this simple example.

User logs in to the bank server.
Bank authorizes and a secure session is established between user and the bank server.
The attacker sends an email with a malicious link saying “Earn 100000$ now” to the user.
User clicks on the malicious link and the site tries transfer money from your account to the attackers account. Because the secure session is established the malicious code can execute successfully.


Microsoft has recognized this threat and for preventing the same we have something called as AntiForgeryToken.

Solution:-

We need to add @Html.AntiForgeryToken()helper in your form inside form tag . And on the Action Method which handles your post ([HttpPost])Request we need to put[ValidateAntiForgeryToken] attribute which will check if the token is valid.

When we add AntiForgeryToken helper on View it creates a hidden field and assigns a unique token value to it and meanwhile a session Cookie is added to the browser.

When we post formHTML itschecksfor __RequestVerificationToken Hidden field and whether __RequestVerificationToken Cookie are present or not. If either the cookie or the form __RequestVerificationToken Hidden field values are missing, or the values don't match, ASP.NET MVC does not process the action. This is how we can prevent cross-site request forgery attack in asp.net MVC.

Cross-Site Scripting (XSS) attacks

Cross-site Scripting (XSS) is an attack in which malicious scripts is injected via input fields this attack is most common and allows an attacker to steal credentials and valuable data that can lead to a big security breach.


In this attack attacker visits a website and tries to execute a malicious scripts in form comment box. Now if website has not checked for Malicious code then the code can get executed on the server causing damage.

Lets try to understand the same using a example.Below is simple Employee form which we are trying to save data. Now in the text box I am trying to execute some malicious code using javascript using the SCRIPT tag. But if we try to submit the same MVC throws an error that something bad is happening.

Solution: -

[ValidateInput(false)]
[AllowHtml]
[RegularExpressionAttribute]
AntiXSS Library

Malicious File Upload.

Till now we have learned how to protect all your input fields from attack but still, we are missing one main field it is File upload control we need to protect from taking invalid input most attackers try to upload a malicious file which may cause a security issue. The attacker can change file extension [tuto.exe to tuto.jpeg] and the malicious script can be uploaded as an image file. The Most of the developer just look on the file extension of the file and save in folder or database but file extension is valid not file it may have a malicious script.


Solution:-

First thing we need to do is validate file uploads
Allow only access to files extension which are required
Check the file header.

Version Discloser

Version information can be used by anattacker to target specific attack on that Version which is disclosed.

Whenever browsersendsHTTP torequest to theserverin response we get response header which contains information of [Server, X-AspNet-Version,X-AspNetMvc-Version, X-Powered-By].

The server shows information of which web server is begin used.

X-AspNet-Versionshows information of which specific Asp.Net VersionUsed.

X-AspNetMvc-Versionshows information of which ASP.NET MVC version Used.

X-Powered-By shows information of which framework your website is running on.

Solution:-

For removingX-AspNetMvc-Version header
To remove response X-AspNetMvc-Versionwhich shows information of which ASP.NET MVC version used we have built in property in MVC.

Just set [MvcHandler.DisableMvcResponseHeader = true;] in Global.asaxApplication start event [Application_Start()] this will remove header it won’t be displayed any more.

6) SQL Injection Attack.

SQL Injection attack is one of the most dangerousattacks it is ranked 1 in top 10 Vulnerabilitiesby OWASP2013 [Open Web Application Security Project] . SQL injection attack can give valuable data to theattacker that can lead to abig security breach and can also take full access to thedatabase server.

In SQL Injection attacker always try to enter malicious SQL statement which will get executed in thedatabase and return unwanted data to the attacker.


Solution:-

Validate inputs
Use of low-privileged database logins
Use Parameterized queries
Use ORM (e.g. Dapper , Entity framework )
5) Use Stored Procedures

https://www.codeproject.com/Articles/1116318/Points-to-Secure-Your-ASP-NET-MVC-Applications

No comments:

Followers

Link