Five common ASP.NET security defects

xiaoxiao2021-03-06  93

Guarantee the security of the application should start from writing the first line of code, the reason is simple, with the development of application scale, the cost of repairing security vulnerabilities is also growing rapidly. According to the IBM's Systems Science Association, the price is equivalent to defects during the development period if the software deployment is repaired after the software deployment. In order to protect the safety of the application with the smallest cost, the developer should take more responsibility in terms of the security of the code itself, the ability to resist the attack. However, to ensure the security of the program from the development of the initial stage, it is necessary to have the corresponding skills and tools, and developers who truly master these skills and tools are not a lot. Although learning to write a safe code is a complex process, it is best to complete at universities, internal training sessions, and industry conferences, but as long as they have mastered the following five common ASP.NET application security defects and recommended revision programs, they can lead One step, incorporate an indispensable security factor into the birth of the application. First, can not blindly believe that the user input in web application development, developers' biggest mistakes are often unconditionally trustworthy user input, assuming that the user (even malicious users) is always limited by the browser, always interacts through browsers and servers Thereby opening the gate of the attack web application. In fact, there are many tools for hackers attack and operating the web site. It is not necessarily limited to the browser, from the original interface of the lowest character mode (such as Telnet), to the CGI script scanner, web agent, web application scanner, malicious There are many attack patterns and means that users may adopt. Therefore, only the legitimacy of the user input is strictly validated to effectively resist the hacker attack. The application can perform verification with a variety of methods (or even a method overlap overlap), for example, verify before approved user input, ensuring that the user input contains only legal characters, and all the contents of all input domains have no exceeding range ( To prevent possible buffer overflow attacks), on this, other validations are performed, ensuring that the data input by the user is not only legal, but also reasonable. It is necessary to take a mandatory length restriction strategy, but also perform verification on the input content in accordance with the characteristic set of clearly defined. The following suggestions will help you correctly verify the user input data: (1) Always perform verification on all user inputs, and verification must be performed on a reliable platform, and should be performed on multiple layers of the application. (2) Do not allow anything else in addition to the data necessary to input and output function. (3) Setting up the "Trust Code Base", allowing the data to enter the trust environment to perform thorough verification. ⑷ Check the data type before logging in to the data. ⑸ Detailed define each data format, such as buffer length, integer type, etc. ⑹ Strictly define legitimate user requests to reject all other requests. ⑺ Test whether the data meets the legitimate conditions, rather than testing the conditions for non-legal. This is because the data is not legal, it is difficult to list more. Second, five common ASP.NET safety defects give five examples, explain how to enhance the security of applications as described above. These examples demonstrate the possible defects in the code, as well as the security risks they bring, how to rewrite the minimum code to effectively reduce the risk of attacks. 2.1 Tamper Parameters ◎ Using the ASP.NET Domain Verifier Blind Trust User Enter is the first enemy that guarantees the security of Web application. The main source of users entered is the parameters submitted in the HTML form. If the legality of these parameters cannot be strictly verified, it is possible to endanger the security of the server.

The following C # code query the backend SQL Server database, assuming the value of the user and password variables directly from the user input: sqldataadapter my_query = new SqldataAdapter ("SELECT * ACCOUNTS WHERE ACC_USER = '" user "' and ACC_Password = '" Password, the_connection; From the surface, these lines of code are unplenished, but in fact, it may attract SQL injection attacks. Attackers enter "OR 1 = 1" in the USER input field, you can successfully log in to the system, or as long as you add the appropriate call after the query, you can perform any shell command: '; exec master..xp_cmdshell (Oshell Command Here ') - ■ Risk Analysis When writing these lines of code, the developer has made such assumptions in unintentional: the user's input content contains only "normal" data - the username, password, password, password, However, it is not a special character such as quotation marks, which is the root cause of SQL injection attacks. Hackers can use some of the original meaning of the query with some special meaning characters, and then call any function or process. ■ Solution Domain Verifier is a mechanism that allows the ASP.NET developer to perform restrictions, for example, to limit the domain value entered by the user to match a specific expression. It is necessary to prevent the above attack behavior, the first method is to prohibit special character inputs such as quotation marks, the second method is more stringent, that is, the contents of the defined input domain must belong to a collection of legal characters, such as "[A-ZA- Z0-9] * ". 2.2 Tampering Parameters 2 ◎ Avoid validation of the vulnerability, however, only introducing the validator for each input domain or prevents all attacks implemented by modifying parameters. When performing a numerical range check, specify the correct data type. That is, when checking the control using ASP.NET, the appropriate Type property should be specified according to the data type required by the input domain, because the default value of Type is String. ■ Risk analysis Due to the specified Type property value The above code will assume that the type of input value is String, so the RangeValidator verifier can only ensure that the string begins between 0-9 characters, "0Abcd" will also be recognized. ■ Solution To ensure that the input value is indeed an integer, the correct way is to specify the Type property as an integer:

■ Risk Analysis By default, __ viewState data will include: (1) Dynamic data from page controls. (2) The developer is fully saved in ViewState. (3) The password of the above data is signed. ■ Solution Setting EnableViewStatmac = "true", enable __viewstate data encryption function. Then, set the MachineKey Verification Type to 3DES, requiring ASP.NET to encrypt ViewState data with the Triple DES symmetrical encryption algorithm. 2.4 SQL Injection Attack ◎ Using SQL Parameters API as described in the "Tamper Parameters" section of the foregoing, attackers can insert special characters in the input domain, change the intention of SQL queries, and deceive the database server to perform malicious queries. ■ Risk Analysis malicious query is possible to get any information saved by the backend database, such as the list of customer credit card numbers. ■ Solution In addition to the previous introduction method - Make sure the input content contains only a valid character, another more robust approach is to use the SQL parameter API (such as API provided by ADO.NET), so that the underlying API of the programming environment Instead of programmers) to construct queries. When using these APIs, developers or provide a query template, or provide a stored procedure, then specify a series of parameter values, embed the parameter value to the query template by the underlying API, and then submit the constructed query to the server query. The advantage of this approach is to ensure that the parameters can be embedded correctly, for example, the system will transform the quotation marks, fundamentally eliminate the occurrence of SQL injection attacks. At the same time, quotation marks in the form is still a valid character that allows input, which is also an advantage of using the underlying API. Modification Example "tamper Parameters" section earlier in this idea, the following results: SqlDataAdapter my_query = new SqlDataAdapter ( "SELECT * FROM accounts WHERE acc_user = @user AND acc_password = @ pass", the_connection); SqlParameter userParam = my_query.Select_Command. Parameters.Add ( "@ user", SqlDb.VarChar, 20); userParam.Value = user; SqlParameter passwordParam = my_query.Select_Command.Parameters.Add ( "@", SqlDb.VarChar, 20); passwordParam.Value = password; 2.5 Cross-station script Perform ◎ Code cross-station script execution in the external data (cross-site scripting) refers to an embedded user input to a response (HTML) page.

For example, although the following ASP.NET page is simple, it includes a major security defect: <% @ page language = "VB"%> tab text

Please enter the feedback information here