ASP.NET is an open-source server-side web application framework designed for web development to produce dynamic web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services. This post describes methods of acquiring user-supplied input, ways of interacting with the user's session, potentially dangerous APIs, and security-relevant configuration options on the ASP.NET platform.
2. Identifying User-supplied data
ASP.NET applications acquire user-submitted input via the System.Web.HttpRequest class. This class contains numerous properties and methods that web applications can use to access user-supplied data. The APIs listed in the table below obtain data from the user's request.
| Property / method | Description |
|---|---|
| Params | Parameters within the URL query string, the body of a POST request, HTTP cookies, and miscellaneous server variables are stored as maps of string names to string values. This property returns a combined collection of all these parameter types. |
| Item | Returns the named item from within the Params collection. |
| Form | Returns a collection of the names and values of form variables submitted by the user. |
| QueryString | Returns a collection of the names and values of variables within the query string in the request. |
| ServerVariables | Returns a collection of the names and values of a large number of ASP server variables (akin to CGI variables). This includes the raw data of the request, query string, request method, HTTP Host header, and so on. |
| Headers | HTTP headers in the request are stored as a map of string names to string values and can be accessed using this property. |
| Url, RawUrl | Return details of the URL contained within the request, including the query string. |
| UrlReferrer | Returns information about the URL specified in the HTTP Referer header in the request. |
| Cookies | Returns a collection of Cookie objects, which contain details of the cookies received in the request, including their names and values. |
| Files | Returns a collection of files uploaded by the user. |
| InputStream, BinaryRead | Return different representations of the raw request received from the client and therefore can be used to access any of the information obtained by all the other APIs. |
| HttpMethod | Returns the method used in the HTTP request. |
| Browser, UserAgent | Return details of the user's browser, as submitted in the HTTP User-Agent header. |
| AcceptTypes | Returns a string array of client-supported MIME types, as submitted in the HTTP Accept header. |
| UserLanguages | Returns a string array containing the languages accepted by the client, as submitted in the HTTP Accept-Language header. |
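A point worth checking in review is which of these collections a handler actually reads from. The following is an added example, not code from the original post: Request["name"] and Request.Params draw from QueryString, Form, Cookies and ServerVariables, so a value the developer expects in a POST body can be supplied through the query string or a cookie instead. The handler name and the "csrf_token" parameter are assumed.

```csharp
using System;
using System.Web;

// Added example: contrasts the loose Request[...] lookup with reading a
// specific HttpRequest collection, and reports which collection supplied
// the value so a reviewer can see where input really came from.
public class TokenCheckHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest req = context.Request;

        // Loose lookup: any of the four collections can satisfy "csrf_token".
        string looseToken = req["csrf_token"];

        // Precise lookup: only the POST body is consulted.
        string formToken = req.Form["csrf_token"];

        bool mismatch = looseToken != null && formToken == null;

        context.Response.ContentType = "text/plain";
        context.Response.Write("source=" + WhichCollection(req, "csrf_token") +
                               "; supplied-outside-form=" + mismatch);
    }

    // Returns the first collection, in HttpRequest's own search order
    // (QueryString, Form, Cookies, ServerVariables), that holds the key.
    public static string WhichCollection(HttpRequest req, string key)
    {
        if (req.QueryString[key] != null) return "QueryString";
        if (req.Form[key] != null) return "Form";
        if (req.Cookies[key] != null) return "Cookies";
        if (req.ServerVariables[key] != null) return "ServerVariables";
        return "none";
    }
}
```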
3. Session Interaction
ASP.NET applications can interact with the user's session to store and retrieve information in various ways. Example:

```csharp
Session["MyName"] = txtMyName.Text;                  // store user's name
lblWelcome.Text = "Welcome " + Session["MyName"];    // retrieve user's name
```
ASP.NET profiles work much like the Session property does, except that they are tied to the user's profile and therefore persist across different sessions belonging to the same user. Users are re-identified across sessions either through authentication or via a unique persistent cookie. Data is stored and retrieved in the user profile as follows:

```csharp
Profile.MyName = txtMyName.Text;                     // store user's name
lblWelcome.Text = "Welcome " + Profile.MyName;       // retrieve user's name
```
The System.Web.SessionState.HttpSessionState class provides another way to store and retrieve information within the session. It stores information as a mapping from string names to object values, which can be accessed using the APIs listed in the table below:
| Member | Description |
|---|---|
| Add | Adds a new item to the session collection. |
| Item | Gets or sets the value of a named item in the collection. |
| Keys, GetEnumerator | Return the names of all items in the collection. |
| CopyTo | Copies the collection of values to an array. |
4. Potentially dangerous APIs
System.IO.File is the main class used to access files in ASP.NET. All of its relevant methods are static, and it has no public constructor.
Path traversal vulnerabilities may exist in every instance where user-controllable data is passed in without checking for dot-dot-slash sequences. For example, the following code opens a file in the root of the C: drive on Windows:

```csharp
string userinput = "..\\boot.ini";
FileStream fs = File.Open("C:\\temp\\" + userinput, FileMode.OpenOrCreate);
```
The following classes are most commonly used to read and write file contents:
System.IO.FileStream
System.IO.StreamReader
System.IO.StreamWriter
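The page's File.Open pattern beside a hardened version, as an added example that is not part of the original post: the hardened form canonicalises the combined path and refuses anything that does not stay under the intended directory. The base directory C:\temp\ is the one from the snippet above; the helper names are assumed.

```csharp
using System;
using System.IO;

// Added example: path-traversal check for the File.Open pattern shown above.
public static class SafeFileAccess
{
    private const string BaseDir = @"C:\temp\";   // directory from the page's snippet

    // Vulnerable form from the page: "..\\boot.ini" resolves to C:\boot.ini.
    public static FileStream OpenUnchecked(string userInput)
    {
        return File.Open(BaseDir + userInput, FileMode.OpenOrCreate);
    }

    // Hardened form. Returns the canonical path that will be opened, or throws.
    public static string ResolveInsideBase(string userInput)
    {
        if (string.IsNullOrEmpty(userInput))
            throw new ArgumentException("empty file name");

        // Canonical base with exactly one trailing separator, so the prefix
        // test below cannot be satisfied by a sibling such as C:\temp2\.
        string baseFull = Path.GetFullPath(BaseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Path.Combine drops baseFull when userInput is rooted ("C:\x", "\x"),
        // and GetFullPath collapses any ..\ segments; both cases then fail the
        // prefix test instead of silently escaping the directory.
        string candidate = Path.GetFullPath(Path.Combine(baseFull, userInput));

        if (!candidate.StartsWith(baseFull, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes base directory: " + userInput);
        return candidate;
    }

    public static FileStream OpenChecked(string userInput)
    {
        // FileMode.Open rather than OpenOrCreate: a read should never create files.
        return File.Open(ResolveInsideBase(userInput), FileMode.Open, FileAccess.Read);
    }
}
```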
Numerous APIs can be used for database access within ASP.NET. The following are the main classes that can be used to create and execute a SQL statement:
System.Data.SqlClient.SqlCommand
System.Data.SqlClient.SqlDataAdapter
System.Data.OleDb.OleDbCommand
System.Data.Odbc.OdbcCommand
System.Data.SqlServerCe.SqlCeCommand
If user-controllable input is part of the string being executed as a query, the application is probably vulnerable to SQL injection. For example:

```csharp
string username = "admin' or 1=1--";
string password = "foo";
OdbcCommand c = new OdbcCommand("SELECT * FROM users WHERE username = '" + username +
                                "' AND password = '" + password + "'", connection);
c.ExecuteNonQuery();
```
ASP.NET also supports parameterized queries; used as intended, this mechanism is not vulnerable to SQL injection. For example:

```csharp
string username = "admin' or 1=1--";
string password = "foo";
OdbcCommand c = new OdbcCommand("SELECT * FROM users WHERE username = @username AND password = @password", connection);
c.Parameters.Add("@username", OdbcType.Text).Value = username;
c.Parameters.Add("@password", OdbcType.Text).Value = password;
c.ExecuteNonQuery();
```
With the input shown, this results in a query that is equivalent to the following:

```sql
SELECT * FROM users WHERE username = 'admin'' or 1=1--' AND password = 'foo'
```
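The same login lookup written against System.Data.SqlClient.SqlCommand, one of the classes listed above, as an added example that is not from the original post: the concatenated form is kept for comparison, and the parameterized form uses typed, sized parameters so the page's "admin' or 1=1--" input is matched as a literal string. Table and column names follow the page's query; the connection is assumed to be opened by the caller.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example: concatenated query beside its parameterized SqlCommand form.
public static class LoginQuery
{
    // Vulnerable form for comparison: input becomes part of the SQL text.
    public static string BuildConcatenated(string username, string password)
    {
        return "SELECT * FROM users WHERE username = '" + username +
               "' AND password = '" + password + "'";
    }

    // Safe form: the SQL text is constant; values travel as parameters and are
    // never parsed as SQL, so quotes and "--" in the input have no effect.
    public static SqlCommand BuildParameterized(SqlConnection connection,
                                                string username, string password)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM users WHERE username = @username AND password = @password",
            connection);
        cmd.CommandType = CommandType.Text;
        // Explicit type and length avoid implicit conversions and oversized input.
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
        return cmd;
    }

    // True when at least one row matches (assumed caller contract).
    public static bool UserExists(SqlConnection connection, string username, string password)
    {
        using (SqlCommand cmd = BuildParameterized(connection, username, password))
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            return reader.Read();
        }
    }
}
```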
Dynamic Code Execution
The functions Execute and ExecuteGlobal take a string containing ASP code, which they execute just as if the code appeared directly within the script itself. The colon delimiter can be used to batch multiple statements. If user-controllable data is passed into the Execute function, the application is probably vulnerable to arbitrary command execution.
OS Command Execution
The following APIs can be used in various ways to launch an external process from within an ASP.NET application: a filename string can be passed to the static Process.Start method, or to the StartInfo property of a Process object.
If the user controls only part of the string passed to Start, the application may still be vulnerable. For example:

```csharp
string userinput = "..\\..\\..\\Windows\\System32\\calc";
Process.Start("C:\\Program Files\\MyApp\\bin\\" + userinput);
```
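One way to keep user input out of the executable path entirely, as an added example that is not part of the original post: the request selects a tool from a fixed allowlist and may supply one tightly filtered argument, and the process is started without a shell. BinDir is the directory from the snippet above; the tool names and the argument format are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;

// Added example: allowlisted Process.Start instead of path concatenation.
public static class ToolRunner
{
    private const string BinDir = @"C:\Program Files\MyApp\bin\";   // from the page's snippet

    // User-facing names mapped to the only executables they may start.
    private static readonly Dictionary<string, string> Allowed =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "convert", "convert.exe" },
            { "report",  "report.exe"  },
        };

    // Argument restricted to a plain token: no quotes, spaces or path
    // separators, so "..\..\" sequences cannot appear here either.
    private static readonly Regex SafeArg = new Regex(@"^[A-Za-z0-9._-]{1,64}$");

    public static string ResolveTool(string requestedTool)
    {
        string exe;
        if (!Allowed.TryGetValue(requestedTool ?? "", out exe))
            throw new ArgumentException("unknown tool: " + requestedTool);
        return Path.Combine(BinDir, exe);   // built from constants only
    }

    public static int Run(string requestedTool, string argument)
    {
        if (argument == null || !SafeArg.IsMatch(argument))
            throw new ArgumentException("argument rejected");

        var psi = new ProcessStartInfo
        {
            FileName = ResolveTool(requestedTool),
            Arguments = argument,
            UseShellExecute = false,   // direct process creation, no shell parsing
            CreateNoWindow = true,
        };
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();
            return p.ExitCode;
        }
    }
}
```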
The following APIs can be used to issue an HTTP redirect in ASP.NET:
System.Web.HttpResponse.Redirect
System.Web.HttpResponse.Status
System.Web.HttpResponse.StatusCode
System.Web.HttpResponse.AddHeader
System.Web.HttpResponse.AppendHeader
Server.Transfer
You should also be sure to review any uses of the Status/StatusCode properties and the AddHeader/AppendHeader methods. Given that a redirect simply involves a 3xx response containing an HTTP Location header, an application may implement redirects using these APIs.
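A target check to apply before any of the redirect APIs above, as an added example that is not from the original post: only paths local to the application are accepted, and anything else falls back to a fixed landing page. The "/" fallback and the helper names are assumed.

```csharp
using System;
using System.Web;

// Added example: open-redirect guard for HttpResponse.Redirect and for
// hand-built 3xx responses (StatusCode + AddHeader/AppendHeader "Location").
public static class RedirectGuard
{
    // Local means: a single leading "/" (not "//" or "/\", which browsers read
    // as scheme-relative and would send the user to another host) or an
    // application-relative "~/" path; anything with its own scheme or host is rejected.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        if (url.Length >= 2 && url[0] == '/' && (url[1] == '/' || url[1] == '\\'))
            return false;
        if (url[0] == '/') return true;
        return url.Length >= 2 && url[0] == '~' && url[1] == '/';
    }

    // Returns the target to use: the requested one if local, else the fallback.
    public static string Sanitize(string requested, string fallback = "/")
    {
        return IsLocalUrl(requested) ? requested : fallback;
    }

    public static void SafeRedirect(HttpResponse response, string requested)
    {
        // Redirect() emits the 3xx status and Location header for us.
        response.Redirect(Sanitize(requested), endResponse: true);
    }

    // Same check for code that writes the Location header by hand.
    public static void SafeManualRedirect(HttpResponse response, string requested)
    {
        response.StatusCode = 302;
        response.AppendHeader("Location", Sanitize(requested));
        response.End();
    }
}
```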
The System.Net.Sockets.Socket class is used to create network sockets. After a Socket object has been created, it is connected via a call to the Connect method, which takes the IP and port details of the target host as its parameters.
5. Configuring the ASP.NET environment
The Web.config XML file in the web root directory contains configuration settings for the ASP.NET environment. The table below lists the settings that determine how the application behaves:
| Element | Description |
|---|---|
| httpCookies | Determines the security settings associated with cookies. If the httpOnlyCookies attribute is set to true, cookies are flagged as HttpOnly and therefore are not directly accessible from client-side scripts. If the requireSSL attribute is set to true, cookies are flagged as secure and therefore are transmitted by browsers only within HTTPS requests. |
| sessionState | Determines how sessions behave. The value of the timeout attribute determines the time in minutes after which an idle session will be expired. If regenerateExpiredSessionId is set to true (which is the default), a new session ID is issued when an expired session ID is received. |
| compilation | Determines whether debugging symbols are compiled into pages, resulting in more verbose debug error information. If the debug attribute is set to true, debug symbols are included. |
| customErrors | Determines whether the application returns detailed error messages in the event of an unhandled error. If the mode attribute is set to On or RemoteOnly, the page identified by the defaultRedirect attribute is displayed to application users in place of detailed system-generated messages. |
| httpRuntime | Determines various runtime settings. If the enableHeaderChecking attribute is set to true (which is the default), ASP.NET checks request headers for potential injection attacks, including cross-site scripting. If the enableVersionHeader attribute is set to true (which is the default), ASP.NET outputs a detailed version string, which may be of use to an attacker in researching vulnerabilities in specific versions of the platform. |
If sensitive data such as database connection strings is stored in the configuration file, it should be encrypted using the ASP.NET "protected configuration" feature.
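The settings from the table above, first as a weak development-style configuration and then hardened, as an added example that is not from the original post. The error page path ~/Error.aspx and the 20-minute timeout are assumed values.

```xml
<!-- Weak: debug build, stack traces to everyone, cookies readable by script
     and sent over plain HTTP, two-hour idle sessions, version banner on. -->
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <sessionState timeout="120" />
    <httpRuntime enableVersionHeader="true" enableHeaderChecking="true" />
  </system.web>
</configuration>

<!-- Hardened equivalent of the same elements. -->
<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <sessionState timeout="20" regenerateExpiredSessionId="true" />
    <httpRuntime enableVersionHeader="false" enableHeaderChecking="true" />
  </system.web>
</configuration>
```

For the protected-configuration step, the connectionStrings section of a deployed application can be encrypted in place with the framework's own tool, for example `aspnet_regiis -pe "connectionStrings" -app "/MyApp"` (the application path is assumed).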