The document discusses various techniques for hacking ASP.Net applications including bypassing request validation, manipulating viewstate, and tampering with event validation. It provides examples of tools that can be used to test these vulnerabilities and recommendations for secure configuration.
The document discusses various techniques for hacking ASP.Net applications including bypassing request validation, manipulating viewstate, and tampering with event validation. It provides examples of tools that can be used to test these vulnerabilities and recommendations for secure configuration.
Original Title
Hacking Net Applications_PenTestSummit - James Jardine
The document discusses various techniques for hacking ASP.Net applications including bypassing request validation, manipulating viewstate, and tampering with event validation. It provides examples of tools that can be used to test these vulnerabilities and recommendations for secure configuration.
The document discusses various techniques for hacking ASP.Net applications including bypassing request validation, manipulating viewstate, and tampering with event validation. It provides examples of tools that can be used to test these vulnerabilities and recommendations for secure configuration.
James
Jardine
Principal
Security
Consultant
at
Secure
Ideas
.Net
Developer
Since
the
Beta
Release
SANS
Instructor
and
Author
Dev544:
Secure
Coding
in
.Net
Open
Source
Projects
Web
Cong
Security
Analyzer
-
hOp://sourceforge.net/projects/wcsa/
ASP.Net
RequestValida_on
ViewState
EventValida_on
GET/POST
&
Postback
Conclusion
2013
Secure
Ideas
LLC
|
www.secureideas.com
ASP.Net
Versions
1.1
2.0
3.0
3.5
4.0
4.5
*
2013
Secure
Ideas
LLC
|
www.secureideas.com
Edi+ons
WebForms
MVC
Web
Pages
Web
API
WCF
Tes_ng
ASP.Net
Similar
to
other
technologies
GETs/POSTs,
etc
AJAX
Cookies,
Hidden
Fields,
Forms
Session
State,
Authen_ca_on
Dieren_ators
Request
Valida_on
View
State
Event
Valida_on
Other
Built
In
Controls
2013
Secure
Ideas
LLC
|
www.secureideas.com
Request
Valida_on
AOempt
to
block
XSS
AOacks
In
2.0+
only
works
for
HTML
Context
<[char],
<!,
<?,
</,
&#
Prior
to
2.0
most
likely
disabled
2013
Secure
Ideas
LLC
|
www.secureideas.com
Request
Valida_on
Bypass
Not
Really!
If
database
stores
data
as
varchar
(not
nvarchar)
Use
unicode-wide
%uFF1C
(<)
RequestValida_on
doesn't
detect
this
but...
Database
will
convert
it
to
the
<
character
Of
course
output
encoding
does
block
this
as
well
2013
Secure
Ideas
LLC
|
www.secureideas.com
Request
Valida_on
Bypass
2
Addi_on
of
%
Character
(<%tagname>)
Reported
to
work
in
IE
(I
was
unsuccessful)
Reported
by
Zamir
Pal_el
(hOp://www.securityfocus.com/ archive/1/524043)
An
older
bypass
was
to
use
a
null
character
like
<%00tagname>
Browser
specic
and
doesn't
really
work
anywhere
Of
course
output
encoding
does
block
this
as
well
2013
Secure
Ideas
LLC
|
www.secureideas.com
Request
Valida_on
Cong
Set
in
the
Web.Cong
File
<system.web>
<pages
validateRequest="true"
/>
</system.web>
Set
at
the
Page
Level
<%@
ValidateRequest="true"
%>
2013
Secure
Ideas
LLC
|
www.secureideas.com
Yes,
Its
Interes_ng
2013
Secure
Ideas
LLC
|
www.secureideas.com
10
10
ViewState
Base64
Encoded
By
Default
Can
be
encrypted
Vulnerabili_es
Parameter
Tampering,
XSS,
Info
Leakage
EventValida_on
Cong
Set
in
the
Web.Cong
File
<system.web>
<pages
enableEventValida+on="true"
/>
</system.web>
Set
at
the
Page
Level
<%@
EnableEventValida+on="true"
%>
2013
Secure
Ideas
LLC
|
www.secureideas.com
19
19
Bad,
Bad,
Bad!!
2013
Secure
Ideas
LLC
|
www.secureideas.com
20
20
ViewStateUserKey
Protects against Cross Site Request Forgery Provides a user "salt" to ViewStateMac
Not enabled by default
Only works for requests with ViewState http://www.testsite.mm/deleteuser.aspx?id=5 (doesn't work)
Recommendation:
2013
Secure
Ideas
LLC
|
www.secureideas.com
21
21
Postback
Webforms
are
based
around
"Postbacks"
Caused
by
Events
(ex.
buOon_click)
Triggered
by
__ViewState
or
__EventTarget
if
(!Page.IsPostback){
//
Authoriza_on/Populate
Data
lblCopy.Text
=
"copy
2013";
if(!User.IsInRole("Admin"))
Response.Redirect("Unauthorized.aspx");
}
else{
//
Execute
Events
}
2013
Secure
Ideas
LLC
|
www.secureideas.com
22
22
Postback
AOacks
Authoriza_on
Bypass
if(!User.IsInRole("Admin"))
Response.Redirect("Unauthorized.aspx");
Recommenda_on:
Check
Authoriza_on
on
Every
Request
XSS
(ViewState
Tampering)
lblCopy.Text
=
"copy
2013";
Recommenda_on:
Enable
ViewStateMac
Set
text
on
every
request
2013
Secure
Ideas
LLC
|
www.secureideas.com
23
23
GET/POST
Exchange
Server
Control
GETs
and
POSTs
are
Interchangeable
TextBox
ListBox
ViewState/EventValida_on
Etc.
Based
on
Request
Type
Can
Call
POST
requests
with
GET
Good
for
CSRF
Can
Trigger
Postback
with
GET
request
2013
Secure
Ideas
LLC
|
www.secureideas.com
Authen_ca_on
Cookie
HTTPOnly
(Hard
Coded)
Secure
Flag
may
not
be
set
Some_mes
there
is
an
error
if
behind
a
Load
Balancer
that
strips
SSL
Should
Recommend
Manually
seng
this
value
Self-Contained
Not
tracked
on
server
Timeout
is
key.
Lives
un_l
the
_meout
expires
on
the
cookie
FormsAuthen_ca_on.Logout
only
removes
cookie
from
the
browser
(doesnt
kill
it)
2013
Secure
Ideas
LLC
|
www.secureideas.com
26
26
Misc.
Files
Trace.axd
Elmah.axd
Use
URL
Authoriza_on
in
the
Web.cong
Web.cong
(crown
jewels)
GOOD
LUCK!!
IIS
is
set
up
to
not
serve
this
le
2013
Secure
Ideas
LLC
|
www.secureideas.com
27
27
Conclusion
ASP.Net
has
good
security
features
You
have
to
understand
them
ViewStateMac
is
IMPORTANT!
EventValida_on
ViewState
ViewStateUserKey
