INTERACTIVE SAUDI ARABIA LTD.
ISA Web Application Security Security Guidelines and Checklist Ahmed Abdulhamid 3/10/2009
© 2008, Interactive Saudi Arabia Limited. All rights reserved. This document or any part thereof may not, without the written consent of Interactive Saudi Arabia Limited (ISA), be copied, reprinted, or reproduced in any material from, including but not limited to photocopying, tanscribing, transmitting, or sorting it in any medium or translationg it into any language, in any form or by any means, be it electronic, mechanical, xerographic, optical, magnatic or otherwise.The information contained in this document is proprietry and confidential; all copyrights, trademarks, trade names, patents and other intellectual property rights in the documentation are the exclusive propery of ISA unless otherwise specified. The information (including but not limited to data, drawings, specification and documentation) shall not at any time, be disclosed directly or indirectly to any third party without the prior written consent of ISA. The information contained herein is believed to be accurate and reliable. ISA accepts no repsonsibility for its use by any means or in any way whatsoever.The indormation contained herein is subject to change without notice.
Table of Contents Security Guidelines....................................................................................................................... 3 Input/Data Validation ................................................................................................................ 3 Authentication ........................................................................................................................... 3 Authorization ............................................................................................................................. 3 Code access security .................................................................................................................. 4 Data Access ................................................................................................................................ 4 Exception Management ............................................................................................................. 4 Impersonation/Delegation ........................................................................................................ 4 Parameter Manipulation ........................................................................................................... 5 Sensitive Data ............................................................................................................................ 5 Session Management ................................................................................................................ 5 Security Checklist ......................................................................................................................... 6 Authentication ........................................................................................................................... 6 Authorization ............................................................................................................................. 6 Client Side Attack ....................................................................................................................... 7 Command Execution .................................................................................................................. 7 Error Handling ........................................................................................................................... 7 Logical Attacks ........................................................................................................................... 8
Prepared by: Ahmed Abdulhamid
Page 2
Security Guidelines Input/Data Validation
Do not rely on ASP.NET request validation Validate input for length, range, format, and type Validate input from all sources like QueryString, cookies, and HTML controls Do not rely on client-side validation Avoid user-supplied file name and path input Do not echo untrusted input If you need to write out untrusted data, encode the output
Authentication Forms Authentication
Use membership providers instead of custom authentication Use SSL to protect credentials and authentication cookies If you cannot use SSL, consider reducing session lifetime Validate user login information Do not store passwords directly in the user store Enforce strong passwords Protect access to your credential store Do not persist authentication cookies Restrict authentication tickets to HTTPS connections Consider partitioning your site to restricted areas and public areas Use unique cookie names and paths
Windows Authentication
Choose Windows authentication when you can Enforce strong password policies
Authorization
Use URL authorization for page and directory access control Configure ACLs on your Web site files Use ASP.NET role manager for roles authorization
Prepared by: Ahmed Abdulhamid
Page 3
If your role lookup is expensive, consider role caching Protect your authorization cookie
Code Access Security
Consider code access security for partial trust applications Choose a trust level that does not exceed your application's requirements Create a custom trust policy if your application needs additional permissions Use Medium trust in shared hosting environments
Data Access
Encrypt your connection strings Use least-privileged accounts for database access Use Windows authentication where possible If you use Windows authentication, use a trusted service account If you cannot use a domain account, consider mirrored accounts When using SQL authentication, use strong passwords When using SQL authentication, protect credentials over the network When using SQL authentication, protect credentials in configuration files Validate untrusted input passed to your data access methods When constructing SQL queries, use type safe SQL parameters Avoid dynamic queries that accept user input
Exception Management
Use structured exception handling Do not reveal exception details to the client Use a global error handler to catch unhandled exceptions
Impersonation/Delegation
Know your tradeoffs with impersonation Avoid Calling LogonUser Avoid programmatic impersonation where possible If you need to impersonate, consider threading issues If you need to impersonate, clean up appropriately Avoid losing impersonation tokens
Prepared by: Ahmed Abdulhamid
Page 4
Parameter Manipulation
Do not make security decisions based on parameters accessible on the client-side Validate all input parameters Avoid storing sensitive data in ViewState Encrypt ViewState if it must contain sensitive data
Sensitive Data
Avoid plaintext passwords in configuration files Use platform features to manage keys where possible Do not pass sensitive data from page to page Protect sensitive data over the wire Do not cache sensitive data
Session Management
Do not rely on client-side state management options Protect your out-of-process state service Protect SQL Server session state
Prepared by: Ahmed Abdulhamid
Page 5
Security Checklist Authentication 1. Brute Force A Brute Force attack is an automated process of trial and error used to guess a person’s username, password, credit-card number or cryptographic key.
2. Insufficient Authentication Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.
3. Weak Password Recovery Validation Weak Password Recovery Validation is when a web site permits an attacker to illegally obtain, change or recover another user’s password.
Authorization 4. Credential/Session Prediction Credential/Session Prediction is a method of hijacking or impersonating a web site user.
5. Insufficient Authorization Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions.
6. Insufficient Session Expiration Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
Prepared by: Ahmed Abdulhamid
Page 6
7. Session Fixation Session Fixation is an attack technique that forces a user's session ID to an explicit value.
Client-side Attacks 8. Content Spoofing Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.
9. Cross-site Scripting Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user’s browser.
Command Execution 10. Buffer Overflow Buffer Overflow exploits are attacks that alter the flow of an application by overwriting parts of memory.
11. Format String Attack Format String Attacks alter the flow of an application by using string formatting library features to access other memory space.
12. SSI Injection SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.
Error Handling 13. Directory Indexing
Prepared by: Ahmed Abdulhamid
Page 7
Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file is not present.
14. Information Leakage Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
15. Path Traversal The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
16. Predictable Resource Location Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality.
Logical Attacks 17. Abuse of Functionality Abuse of Functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvents access controls mechanisms.
18. Denial of Service Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity.
19. Insufficient Anti-automation Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
20. Insufficient Process Validation Insufficient Process Validation is when a web site permits an attacker to bypass or circumvent the intended flow control of an application.
Prepared by: Ahmed Abdulhamid
Page 8