I am currently working on a school assignment which requires us to perform security testing on a website created by one of our peers. The website is created using ASP.Net 3.5/4 and an MS-SQL database.
The website's main features are:
Registration & Login using Roles
Uploading documents
Sharing of uploaded documents
Leaving comments on shared documents
I already have started testing the website using:
XSS in the Register, Login and Leave Comment Sections
SQL Injection in the Register and Login pages
Upload of executables, with a different extension (I have changed an executable file to .doc to test whether the system is checking the extension of the file or the actual contents)
These tests have been carried out manually and I have access to the source code!
Can you suggest any other tests I might want to carry out?
Cheers
A good resource for things to lock-down would be OWASP - I linked to their "top ten" items as I have followed it myself for locking down apps and found it really helpful.
Drilling down into any item on their top ten list will discuss how to recognize a particular vulnerability and suggest how to remove the vulnerability. All code-agnostic stuff, high-level descriptions so it can be applied to any project be it .Net, Ruby, PHP, etc.
Check for Local File Inclusion and Remote File Inclusion vulnerabilities as well.
You can also check the login system: If the website lets you login (and you have an account or can make one), login and check to see how the login code works (i.e. check your cookies to see if they are PHP sessions [secure] or some other method [usually not secure]). If you find a vulnerability in the login system, you could elevate your privileges from regular user to admin.
Also, "Upload of executables, with a different extension." Could you clarify that for me?
The best thing to do is to use your imagination.
You should also use Cat.NET's engine (which is a free Microsoft provide security focused static analysis tool).
I have been working on making Cat.NET easier and faster to use inside VisualStudio and here is a pretty cool PoC of how it in action: Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)
If you are interested in Cat.NET you can download it from http://www.microsoft.com/en-us/download/details.aspx?id=19968
Related
Here is what I think my website should be able to provide to user.
Ability to upload file to the system. It should not blocking, user should be able to surf other pages of the website while upload is ongoing. Once upload is done user will get notified about upload.
User should be able to view of his/her uploaded files in website.
Ability to edit files in web browsers using third party APIs
Number of user are going to be around 5000, and all of them might upload files at the same time so performance should not decrease.
Where should I store this files? How to make sure that read and write of files on this directory should handle concurrent user request?
Considering above points. What should be the best way to architect this website?
Are there any existing web framework that play along with this type of architecture like rails, express?
If you want to have the ability to browse the site while a file is uploading, you'll want to use something on the front end that overrides anchor tags and asynchronously fetches the next page - there might be a library or something to accomplish this but it should be easy to implement yourself with jQuery.
To make this easier (and for many other reasons), you'll almost definitely want to structure your site with an MVC (Model View Controller) architecture. Rails is structured this way, as is almost any web framework. It doesn't sound like what you're describing is better suited to Rails over PHP or Python etc so just use whatever language or framework you (or your developers) feel most comfortable with. You might want to do some research into available plugins for editing files (it really depends on what type of files you want to edit and how) and using those to influence your decision on which language to choose as well.
With regards to storing files on your server, any logical system should suffice. Perhaps:
/username/year/month/day/myFile.txt
You'll want to do something to ensure filenames don't clash as well. And obviously you'd want a database storing the information linking files to users.
Here it is my problem:
I developed an MVC site and currently using standard method to publish which will placed files & folders inside the server. All dll files go under BIN folder and so on with the Content and Views go to Content & Views folder.
The problem is this website is an admin panel designed for commercial hardware device (embedded windows OS), so exposing the views and content as a plain text file can't be an option since it will open vulnerability of hijacking/code stealing. Even the device will be packed in a sealed box, anyone who buy it can broke the case and when they are knowing that the device run in windows environment then anything of security breach may happen, including stole the views code to be copied/changed for any purpose.
So I would need to secure the MVC files. I imagine if MVC can be published in secure files, e.g put all the content and views inside dll files.
By default there is an assumption that whoever has access to your views and DLLs is trusted. If they have your files, they can do whatever they want with them.
By the nature of HTML, there is no point in trying to conceal your content files such as javascript and CSS. These files are served to the client regardless, so they are always retrievable.
If you want to put your views into DLLs, you can look into RazorGenerator.
A Custom Tool for Visual Studio that allows processing Razor files at design time instead of runtime, allowing them to be built into an assembly for simpler reuse and distribution.
Please note that what you're doing is known as security through obscurity.
[ ... ] security through obscurity is the use of secrecy of the design or implementation to provide security
Security through obscurity is discouraged and not recommended by standards bodies.
MVC views should never contain business logic, only formatting logic and that is it. Moreover, since C# code is compiled into Intermediate Language (IL), anyone can reverse the process and get the source code.
In such case, you need an obfuscator to mingle the IL to make it difficult to hack, but that this not 100% guaranteed to prevent hackers from reverse engineer you IL (DLL and exe).
The best thing to do is to establish a comprehensive way of testing the admin panel and to facilitate a robust update process, so in case anything went wrong, you push your updates as quickly as possible.
I need to build a website that can be downloaded to a CD.
I'd like to use some CMS (wordpress,Kentico, MojoPortal) to setup my site, and then download it to a cd.
There are many program that know how to download a website to a local drive, but how to make the search work is beyond my understanding.
Any idea???
The project is supposed to be an index of Local community services, for communities without proper internet connection.
If you need to make something that can be viewed from a CD, the best approach is to use only HTML.
WordPress, for example, needs Apache and MySQL to run. And although somebody can "install" the website on his own computer if you supply the content via a CD, most of your users will not be knowledgeable enough to do this task.
Assuming you are just after the content of the site .. in general you should be able to find a tool to "crawl" or mirror most sites and create an offline version that can be burned on a CD (for example, using wget).
This will not produce offline versions of application functionality like search or login, so you would need to design your site with those limitations in mind.
For example:
Make sure your site can be fully navigated without JavaScript (most "crawl" tools will discover pages by following links in the html and will have limited or no JavaScript support).
Include some pages which are directory listings of resources on the site (rather than relying on a search).
Possibly implement your search using a client-side technology like JavaScript that would work offline as well.
Use relative html links for images/javascript, and between pages. The tool you use to create the offline version of the site should ideally be able to rewrite/correct internal links for the site, but it would be best to minimise any need to do so.
Another approach you could consider is distributing using a clientside wiki format, such as TiddlyWiki.
Blurb from the TiddlyWiki site:
TiddlyWiki allows anyone to create personal SelfContained hypertext
documents that can be published to a WebServer, sent by email,
stored in a DropBox or kept on a USB thumb drive to make a WikiOnAStick.
I think you need to clarify what you would like be downloaded to the CD. As Stennie said, you could download the content and anything else you would need to create the site either with a "crawler" or TiddlyWiki, but otherwise I think what you're wanting to develop is actually an application, in which case you would need to do more development than what standard CMS packages would provide. I'm not happy to, but would suggest you look into something like the SalesForce platform. Its a cloud based platform that may facilitate what you're really working towards.
You could create the working CMS on a small web/db server image using VirtualBox and put the virtual disk in a downloadable place. The end user would need the VirtualBox client (free!) and the downloaded virtual disk, but you could configure it to run with minimal effort for the creation, deployment and running phases.
We have ColdFusion and Active Directory running within the same domain. I'm trying to write a script that ColdFusion can run to get the sizes of client directories within the file system. However, each directory requires different windows authentication.
ColdFusion <cfdirectory> doesn't have a means to impersonate the user for each directory. Using the JavaIO is also apparently not useful as Java apparently doesn't know anything about the Windows authentication.
I found a suggestion for using APS.NET to write a COM or .NET component, but the article didn't go any further. I have since googled my heart out and not found anything more useful.
If anyone has any information or assistance to offer, you can't imagine my gratitude.
ColdFusion will, by default, run as the Local System account. This account will not have access to the network.
I would suggest running the ColdFusion service with a domain account that has read access to the client directories and you should then be able to use cfdirectory.
You may find this blogpost helpful.
It seems the problem is that each directory in question requires a different set of user permissions. So he's right I think. CF can't "impersonate" each user - though I'm not sure that I know of a system that can do that. would you have to store separate permissions for each directory? Ask for a password for each one?
I don't think you can "impersonate" an AD account without creating appropriate tokens using the key infrastructure right? So that means you have to store username and passwords to "authenticate" with. I think storing and using such "impersonate" information would certainly negates any security enhancements you hoped to gain from using a different user for each directory.
Architecturally you are better off running CF as an AD user with "read" permissions to the directories in question - then you can access the size information you are looking for but would still not be able to modify the files within the directory. That's my take.
We decided to build an ASP.net application which will access the individual client directories using in-built windows authentication to return file sizes and other data and dump them into a database. We will use windows scheduler to schedule the running of this application. ColdFUsion will be used merely to manipulate the data into reports.
Hai,
i am trying to store the user permissions for my web site.But I am little bit confused with xml and Database. For each user in site have different permissions. Have u ever faced this issue? for Example , if my site is a shopping site , for a local user , the report menu need not to display. A sales man need not to display the purchase page. and so on ..
I think you understood my problem .I have done this user management using a xml file . For each user a new node will create according to the menu and keep in the xml file . Next time the user login ,checks the permissions and and show only the allowed menus.
My boss tell me to do the same thing using the Database. by using XmlDataSource it is quite simple to bind data to the treeview (for setting permission) and binding to the menustrip also.
He is pointing the security problem . i don't think like so.
Which is better ? DB or XML
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
My advice would be to use asp.net membership and roles (written by Microsoft). It is a very good security solution - login security, roles (permissions) and is stored in a SQLServer database (not sure if it can be stored elsewhere).
I use it on my site and you can use membership controls straight out of the box (login forms, change password, etc.) or you can roll your own.
The only tricky bit I found was setting up the membership tables, views and stored procs in my dB (you download a dB script), but really it was fairly straightforward to implement.
Here's a link to asp.net membership and roles
ASP .NET Membership and Roles (part of the Provider Model introduced on ASP .NET 2) is (IMHO) nice only when you need some basic stuff. The issue is that you need to use the whole system using SQL Server, but if you are planning to move to a different DB provider (MySQL, SQLite, etc..) then you'd have to implement your own provider (which is at best painful), and learn how the whole pieces fit each other. Granted, finding a custom implementation it's quite easy, but is not a copy & paste thing.
Another bad thing of the default provider model is that you will get a ton of SQL stored procedures, also called maintainance nightmares. The issue is that if your site scales, then these SP's will make your life a living hell (been there) and if you even dare to change hostings then you're in for a treat, so my advice would be make your own permissions hierarchy and use it the way you wish. Also, look for advices and some pre-existing solutions to the permissions problem which is quite common.
Website security can be split up into to distinct parts.
Authentication: Logging in
Authroization: Roles/Permissions.
The ASP.NET Forms Authentication Provider is a great way to implement authentication. I recently created a custom provider that communicates with our companies X500 directory (LDAP). It was very straight forward.
For Authorization, we implemented the entlib security application block. It allows you to keep Roles/Permissions in a separate location that can be accessed by your UI as well as your service layers (assuming your developing a scale-able solution). You may also want to look at the Windows Itentity Foundation which is slated to supersede entlib security application block, however it is only available for .NET 4.0.