[Owasp-dotnet] Top Vulnerability in ASP.NET
Mark Curphey
mark at curphey.com
Wed Aug 10 21:34:34 EDT 2005
Watch for a nice whitepaper / advisory Foundstone will release next week or
week after ;-)
_____
From: owasp-dotnet-admin at lists.sourceforge.net
[mailto:owasp-dotnet-admin at lists.sourceforge.net] On Behalf Of Dharmesh
Mehta
Sent: Tuesday, August 09, 2005 12:06 AM
To: owasp-dotnet at lists.sourceforge.net
Subject: [Owasp-dotnet] Top Vulnerability in ASP.NET
Hi,
Below is what I consider:
The Top Most Vulnerability remains the same as Data Tampering or Unvalidated
Input according to OWASP.
3 Major Forms of Data Tampering exist in ASP.NET
1. Various forms exist in ASP.NET. The ASP.NET ViewState is most vulnerable
to Data Tampering. The EnableViewStateMac attribute (when set to true)
indicates that the view state is encrypted and checked, on postback from the
client, to determine if the viewstate has been tampered with between the
client and server. The viewstate is essentially a hidden variable on a Web
page that contains the values of that page's fields.
<%@ Page EnableViewState="true" EnableViewStateMac="true" %>
Note: You must explicitly set the EnableViewStateMac attribute to true,
otherwise it will default to false.
2. Inheritance Threats. If a type is defined as public or protected but
not sealed (in VB.NET Public or Protected but not NotInheritable), then
malicious code could inherit from this type. This inheritance could allow
the malicious code to access or override the base class' privileged members.
In doing so, an attacker can circumvent security measures in the software
and perform unwanted actions with the code.
If possible, limit the threat by limiting the accessibility of this type to
either private or internal (in VB.NET Private or Friend). If this will not
work, consider making this type sealed (in VB.NET NotInheritable), or use an
InheritanceDemand on this type, to prevent unauthorized code from inheriting
from this type.
//C# Example
[PermissionSetAttribute(SecurityAction.InheritanceDemand, Name="FullTrust")]
public class Secured {}
'VB.NET Example
<PermissionSetAttribute(SecurityAction.InheritanceDemand, Name:="FullTrust")> _
Public Class Secured
End Class
3. Method Call from a partial to a fully trusted assembly: Code in this
partially-trusted assembly is calling code in a fully-trusted assembly. An
attacker could try passing malicious input into the partially-trusted
assembly, which, in turn, gets passed into the fully-trusted assembly. If
the fully-trusted assembly does not check the parameters being passed to it,
the malicious input might be allowed to run in the fully-trusted assembly.
Another situation is where the partially-trusted assembly could be spoofed
and given access to the fully-trusted assembly. Now, the partially-trusted
assembly has access to an assembly with full-trust. In this case, the
spoofed partially-trusted assembly can use the fully-trusted assembly to
perform actions that it otherwise could not.
Verify that the fully-trusted assembly is validating all passed-in
parameters correctly. For example, if the input is an SSN, the input should
have only numeric characters. If the input is a name, it should only contain
alphabetic characters. Other things to test for are input length and null or
empty values.
Thanks & Regards,
Dharmesh Mehta
Technology Cell,
Mastek Ltd.
dharmeshmm at mastek.com
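As an added illustration of points 2 and 3 in the post above (this is example code written for this page, not code from the original message or from any OWASP project), the following C# shows a fully-trusted type that is sealed against inheritance and that validates every parameter at its public entry point, exactly where input from a partially-trusted caller arrives. The type name TrustedRecordStore, its methods, and the sample inputs are all hypothetical and constructed for the example.

```csharp
// Added example, not from the original post. TrustedRecordStore and its
// members are hypothetical names used only for illustration.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Sealed so no partially-trusted assembly can subclass it and override or
// reach privileged members (point 2). For a type that must stay extensible,
// the InheritanceDemand attribute shown in the post is the alternative.
public sealed class TrustedRecordStore
{
    private const int SsnLength = 9;
    private const int MaxNameLength = 64;

    // [0-9] rather than \d: in .NET \d also matches non-ASCII Unicode digits.
    private static readonly Regex SsnPattern =
        new Regex("^[0-9]{9}$", RegexOptions.Compiled);
    // Letters only, as the post describes; any other characters are rejected.
    private static readonly Regex NamePattern =
        new Regex("^[A-Za-z]+$", RegexOptions.Compiled);

    private readonly Dictionary<string, string> records =
        new Dictionary<string, string>();

    // Entry point reachable from partially-trusted code. Validation lives
    // here, not in the caller, because the caller is the part an attacker
    // can influence or spoof (point 3).
    public void AddRecord(string ssn, string name)
    {
        if (string.IsNullOrEmpty(ssn))
            throw new ArgumentException("SSN must not be null or empty.", "ssn");
        if (string.IsNullOrEmpty(name))
            throw new ArgumentException("Name must not be null or empty.", "name");
        if (ssn.Length != SsnLength || !SsnPattern.IsMatch(ssn))
            throw new ArgumentException("SSN must be exactly nine digits.", "ssn");
        if (name.Length > MaxNameLength || !NamePattern.IsMatch(name))
            throw new ArgumentException(
                "Name must be alphabetic and at most 64 characters.", "name");

        records[ssn] = name;
    }

    // Read-back path validates the key the same way before touching state.
    public bool TryGetName(string ssn, out string name)
    {
        name = null;
        if (string.IsNullOrEmpty(ssn) || !SsnPattern.IsMatch(ssn))
            return false;
        return records.TryGetValue(ssn, out name);
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new TrustedRecordStore();

        // Constructed sample inputs: one valid pair, then inputs that each
        // violate one of the checks (non-digit, non-alphabetic, empty, null).
        string[][] samples =
        {
            new[] { "123456789", "Alice" },
            new[] { "12345678a", "Alice" },
            new[] { "123456789", "R0bert" },
            new[] { "", "Alice" },
            new[] { "123456789", null },
        };

        foreach (var s in samples)
        {
            try
            {
                store.AddRecord(s[0], s[1]);
                Console.WriteLine("accepted: {0} / {1}", s[0], s[1]);
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("rejected ({0}): {1}", ex.ParamName, ex.Message);
            }
        }

        string found;
        Console.WriteLine("lookup 123456789 -> {0}",
            store.TryGetName("123456789", out found) ? found : "(none)");
    }
}
```

Running the demo accepts only the first pair and rejects the remaining four with an ArgumentException naming the offending parameter, which is the behaviour the post asks a reviewer to verify: the trusted side refuses bad input regardless of what the partially-trusted caller did or did not check.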