Finding vulnerabilities in source code (ASP.NET) – All things in moderation

Finding vulnerabilities in source code (ASP.NET)

1. Introduction

ASP.NET is an open-source server-side web application framework designed for web development to produce dynamic web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services. This post describes methods of acquiring user-supplied input, ways of interacting with the user's session, potentially dangerous APIs, and security-relevant configuration options on the ASP.NET platform.

2. Identifying User-supplied data

ASP.NET applications acquire user-submitted input via the System.Web.HttpRequest class. This class contains numerous properties and methods that web applications can use to access user-supplied data. The APIs listed in the table below return data taken from the user's request.

Params: Parameters within the URL query string, the body of a POST request, HTTP cookies, and miscellaneous server variables are stored as maps of string names to string values. This property returns a combined collection of all these parameter types.
Item: Returns the named item from within the Params collection.
Form: Returns a collection of the names and values of form variables submitted by the user.
QueryString: Returns a collection of the names and values of variables within the query string in the request.
ServerVariables: Returns a collection of the names and values of a large number of ASP server variables (akin to CGI variables). This includes the raw data of the request, query string, request method, HTTP Host header, and so on.
Headers: HTTP headers in the request are stored as a map of string names to string values and can be accessed using this property.
Url, RawUrl: Return details of the URL contained within the request, including the query string.
UrlReferrer: Returns information about the URL specified in the HTTP Referer header in the request.
Cookies: Returns a collection of Cookie objects, which contain details of the cookies received in the request, including their names and values.
Files: Returns a collection of files uploaded by the user.
InputStream, BinaryRead: Return different representations of the raw request received from the client and therefore can be used to access any of the information obtained by all the other APIs.
HttpMethod: Returns the method used in the HTTP request.
Browser, UserAgent: Return details of the user's browser, as submitted in the HTTP User-Agent header.
AcceptTypes: Returns a string array of client-supported MIME types, as submitted in the HTTP Accept header.
UserLanguages: Returns a string array containing the languages accepted by the client, as submitted in the HTTP Accept-Language header.

3. Session Interaction

ASP.NET applications can interact with the user's session to store and retrieve information in various ways. For example:

Session["MyName"] = txtMyName.Text; // store user's name
lblWelcome.Text = "Welcome " + Session["MyName"]; // retrieve user's name

ASP.NET profiles work much like the Session property does, except that they are tied to the user's profile and therefore actually persist across different sessions belonging to the same user. Users are re-identified across sessions either through authentication or via a unique persistent cookie. Data is stored and retrieved in the user profile as follows:

Profile.MyName = txtMyName.Text; // store user's name
lblWelcome.Text = "Welcome " + Profile.MyName; // retrieve user's name

The System.Web.SessionState.HttpSessionState class provides another way to store and retrieve information within the session. It stores information as a mapping from string names to object values, which can be accessed using the APIs listed in the table below:

Add: Adds a new item to the session collection.
Item: Gets or sets the value of a named item in the collection.
Keys, GetEnumerator: Return the names of all items in the collection.
CopyTo: Copies the collection of values to an array.

4. Potentially dangerous APIs

File Access

System.IO.File is the main class used to access files in ASP.NET. All of its relevant methods are static, and it has no public constructor. Path traversal vulnerabilities may exist in every instance where user-controllable data is passed in without checking for dot-dot-slash sequences. For example, the following code opens a file in the root of the C: drive on Windows, because the "..\" segment steps back out of C:\temp\:

string userinput = "..\\boot.ini";
FileStream fs = File.Open("C:\\temp\\" + userinput, FileMode.OpenOrCreate);

The following classes are most commonly used to read and write file contents:

- System.IO.FileStream
- System.IO.StreamReader
- System.IO.StreamWriter

Database Access

Numerous APIs can be used for database access within ASP.NET. The following are the main classes that can be used to create and execute a SQL statement:

- System.Data.SqlClient.SqlCommand
- System.Data.SqlClient.SqlDataAdapter
- System.Data.OleDb.OleDbCommand
- System.Data.Odbc.OdbcCommand
- System.Data.SqlServerCe.SqlCeCommand

If user-controllable input is part of the string being executed as a query, the application is probably vulnerable to SQL injection. For example:

string username = "admin' or 1=1--";
string password = "foo";
OdbcCommand c = new OdbcCommand("SELECT * FROM users WHERE username = '"
    + username + "' AND password = '" + password + "'", connection);
c.ExecuteNonQuery();

The command classes also support parameterized queries through their Parameters collection. If used as intended, this mechanism is not vulnerable to SQL injection. For example:

string username = "admin' or 1=1--";
string password = "foo";
// The ODBC provider binds parameters by position, so the SQL text uses "?"
// placeholders; the names given below only label the entries in the collection.
OdbcCommand c = new OdbcCommand("SELECT * FROM users WHERE username = ? AND password = ?", connection);
c.Parameters.Add(new OdbcParameter("@username", OdbcType.Text)).Value = username;
c.Parameters.Add(new OdbcParameter("@password", OdbcType.Text)).Value = password;
c.ExecuteNonQuery();

Because the parameter values are sent to the database separately from the SQL text, the example above results in a query that is equivalent to the following:

SELECT * FROM users WHERE username = 'admin'' or 1=1--'
AND password = 'foo'

Dynamic Code Execution

The functions Execute and ExecuteGlobal take a string containing ASP code,
which they execute just as if the code appeared directly within the script itself.
The colon delimiter can be used to batch multiple statements. If user-controllable
data is passed into the Execute function, the application is probably vulnerable
to arbitrary command execution.

OS Command Execution

The following APIs can be used in various ways to launch an external process from within an ASP.NET application:

- System.Diagnostics.Process
- System.Diagnostics.ProcessStartInfo

A filename string can be passed to the static Process.Start method, or to the StartInfo property of a Process object. If the user controls only part of the string passed to Start, the application may still be vulnerable. For example:

string userinput = "..\\..\\..\\Windows\\System32\\calc";
Process.Start("C:\\Program Files\\MyApp\\bin\\" + userinput);

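As an added example (not code from the original post), the following shows the two controls a reviewer would expect in place of the raw concatenation in the File.Open snippet above and in this Process.Start snippet: a file path is canonicalised and required to stay under its base directory, and an executable is chosen by name from a fixed allow-list rather than assembled from user input. The base directories are the ones used in the post's snippets (Windows paths); the tool names in the allow-list are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;

static class SafeLaunch
{
    // Canonical path of baseDir + userInput, or null if the result would escape baseDir.
    public static string ResolveUnderBase(string baseDir, string userInput)
    {
        if (string.IsNullOrEmpty(userInput) || Path.IsPathRooted(userInput))
            return null;                      // "C:\x" or "\\srv\share" would replace the base
        try
        {
            // GetFullPath collapses "." and ".." segments, so a traversal shows up
            // as a path that no longer begins with the base directory.
            string root = Path.GetFullPath(baseDir);
            if (!root.EndsWith(Path.DirectorySeparatorChar.ToString())) root += Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(Path.Combine(root, userInput));
            return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
        }
        catch (Exception ex) when (ex is ArgumentException || ex is NotSupportedException || ex is PathTooLongException) { return null; }
    }

    // Constructed allow-list: the only executables the application is meant to run.
    static readonly HashSet<string> AllowedTools =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "convert.exe", "report.exe" };

    // Start a tool by name; the name is looked up, never concatenated into a path.
    public static Process StartTool(string toolName, string arguments)
    {
        if (!AllowedTools.Contains(toolName))
            throw new ArgumentException("tool not permitted: " + toolName);
        var psi = new ProcessStartInfo(Path.Combine(@"C:\Program Files\MyApp\bin", toolName), arguments)
        {
            UseShellExecute = false   // launched directly, not via a shell
        };
        return Process.Start(psi);
    }

    static void Main()
    {
        // Both traversal inputs from the post are rejected (null / exception).
        Console.WriteLine(ResolveUnderBase(@"C:\temp\", @"..\boot.ini") ?? "rejected");
        Console.WriteLine(ResolveUnderBase(@"C:\temp\", @"reports\2024.txt"));
        try { StartTool(@"..\..\..\Windows\System32\calc", ""); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```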
URL Redirection

The following APIs can be used to issue an HTTP redirect in ASP.NET:

System.Web.HttpResponse.Redirect
System.Web.HttpResponse.Status
System.Web.HttpResponse.StatusCode
System.Web.HttpResponse.AddHeader
System.Web.HttpResponse.AppendHeader
Server.Transfer

You should also be sure to review any uses of the Status/StatusCode properties and the AddHeader/AppendHeader methods. Given that a redirect simply involves a 3xx response containing an HTTP Location header, an application may implement redirects using these APIs.
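As an added example (not from the original post), here is the check a reviewer would expect to find in front of each of the redirect APIs listed above: the target is accepted only when it is a same-site relative path. It wraps System.Web.HttpResponse.Redirect from the list; the fallback landing page is a constructed placeholder.

```csharp
using System;
using System.Web;

static class SafeRedirect
{
    // True only when the browser will resolve the target against this site:
    // a single leading "/" not followed by "/" or "\" (browsers treat "//host"
    // and "/\host" as scheme-relative, i.e. a different host), and no control
    // characters that could split the Location header.
    public static bool IsLocalPath(string target)
    {
        if (string.IsNullOrEmpty(target) || target.Length > 2048 || target[0] != '/')
            return false;
        if (target.Length > 1 && (target[1] == '/' || target[1] == '\\'))
            return false;
        foreach (char c in target)
            if (c < 0x20 || c == 0x7f) return false;
        return true;
    }

    // Wraps the Redirect API from the list above; anything failing the check goes
    // to a fixed in-site page instead. The same test applies when a redirect is
    // built by hand from StatusCode plus an AddHeader/AppendHeader Location header.
    public static void RedirectLocal(HttpResponse response, string target)
    {
        const string fallback = "/"; // constructed default landing page
        response.Redirect(IsLocalPath(target) ? target : fallback, false);
    }

    static void Main()
    {
        // Constructed sample targets: only the first and last are same-site paths.
        string[] samples = { "/account/home", "//evil.example/", "/\\evil.example", "https://evil.example/", "/ok?next=//x" };
        foreach (string s in samples)
            Console.WriteLine(s.PadRight(24) + (IsLocalPath(s) ? "accepted" : "rejected"));
    }
}
```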

Sockets

The System.Net.Sockets.Socket class is used to create network sockets. After a
Socket object has been created, it is connected via a call to the Connect method,
which takes the IP and port details of the target host as its parameters.

5. Configuring the ASP.NET environment

The Web.config XML file in the web root directory contains configuration settings for the ASP.NET environment. The table below lists the settings that most affect how the application behaves:

httpCookies: Determines the security settings associated with cookies. If the httpOnlyCookies attribute is set to true, cookies are flagged as HttpOnly and therefore are not directly accessible from client-side scripts. If the requireSSL attribute is set to true, cookies are flagged as secure and therefore are transmitted by browsers only within HTTPS requests.
sessionState: Determines how sessions behave. The value of the timeout attribute determines the time in minutes after which an idle session will be expired. If the regenerateExpiredSessionId attribute is set to true (which is the default), a new session ID is issued when an expired session ID is received.
compilation: Determines whether debugging symbols are compiled into pages, resulting in more verbose debug error information. If the debug attribute is set to true, debug symbols are included.
customErrors: Determines whether the application returns detailed error messages in the event of an unhandled error. If the mode attribute is set to On or RemoteOnly, the page identified by the defaultRedirect attribute is displayed to application users in place of detailed system-generated messages.
httpRuntime: Determines various runtime settings. If the enableHeaderChecking attribute is set to true (which is the default), ASP.NET checks request headers for potential injection attacks, including cross-site scripting. If the enableVersionHeader attribute is set to true (which is the default), ASP.NET outputs a detailed version string, which may be of use to an attacker in researching vulnerabilities in specific versions of the platform.

If sensitive data such as database connection strings is stored in the configuration file, it should be encrypted using the ASP.NET "protected configuration" feature.
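As an added example (not from the original post), this small audit reads the settings from the table above out of a Web.config document and reports the weak ones, treating an absent attribute as its ASP.NET default. The embedded Web.config is a constructed sample with deliberately weak values, and the 30-minute idle threshold is an assumed review policy.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

static class WebConfigAudit
{
    // Constructed sample with deliberately weak values; <httpRuntime> is left out
    // on purpose to show that defaults are audited too. For a real review use
    // XDocument.Load(pathToWebConfig) instead.
    const string Sample = @"<configuration><system.web>
  <httpCookies httpOnlyCookies=""false"" />
  <sessionState timeout=""480"" />
  <compilation debug=""true"" />
  <customErrors mode=""Off"" />
</system.web></configuration>";

    // Lower-cased attribute value, or the ASP.NET default supplied by the caller
    // when the element or attribute is absent.
    static string Setting(XElement web, string element, string attr, string aspDefault)
    {
        XElement e = web.Element(element);
        XAttribute a = e == null ? null : e.Attribute(attr);
        return (a == null ? aspDefault : a.Value).Trim().ToLowerInvariant();
    }

    public static List<string> Audit(XDocument doc)
    {
        var findings = new List<string>();
        XElement web = doc.Root.Element("system.web");
        if (web == null) { findings.Add("no <system.web> section found"); return findings; }
        if (Setting(web, "httpCookies", "httpOnlyCookies", "false") != "true")
            findings.Add("httpCookies: httpOnlyCookies is not true (cookies readable by script)");
        if (Setting(web, "httpCookies", "requireSSL", "false") != "true")
            findings.Add("httpCookies: requireSSL is not true (cookies also sent over HTTP)");
        if (Setting(web, "compilation", "debug", "false") == "true")
            findings.Add("compilation: debug=true (debug symbols and verbose errors)");
        if (Setting(web, "customErrors", "mode", "RemoteOnly") == "off")
            findings.Add("customErrors: mode=Off (detailed errors shown to remote users)");
        if (Setting(web, "httpRuntime", "enableVersionHeader", "true") == "true")
            findings.Add("httpRuntime: enableVersionHeader not set to false (version string sent)");
        if (Setting(web, "httpRuntime", "enableHeaderChecking", "true") != "true")
            findings.Add("httpRuntime: enableHeaderChecking=false (header injection check off)");
        if (int.TryParse(Setting(web, "sessionState", "timeout", "20"), out int timeout) && timeout > 30)
            findings.Add("sessionState: timeout=" + timeout + " minutes (assumed policy: at most 30)");
        return findings;
    }

    static void Main() { foreach (string f in Audit(XDocument.Parse(Sample))) Console.WriteLine(f); }
}
```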
