O2 Platform and ASP.NET MVC, by Michael Hidalgo

DESCRIPTION
Presentation (still in draft) to be presented at OWASP's Latam 2012 conference in Uruguay: https://www.owasp.org/index.php/AppSecLatam2012

TRANSCRIPT
The O2 Platform: Exploiting and Fixing Microsoft ASP.NET MVC Vulnerabilities
Michael Hidalgo [email protected]
Chapter Leader, OWASP Costa Rica; Contributor, OWASP O2 Platform Project
About Me
• Software Development Engineer at Fiserv, Digital Channels - Corillian Online ASP team.
  – Developing software for financial institutions (FI, CU)
  – Web services, interoperability
• OWASP Costa Rica Chapter Leader
• Participation in the OData Protocol
• OWASP Projects contributor
  – OWASP O2 Platform (Dinis Cruz)
  – REST Security Cheat Sheet (Jim Manico)
Why this presentation?
Software Developers need tools!
We Software Developers need a framework that helps us to write secure applications.
But also because…
Agenda
• An overview of the O2 Platform
• An overview of the Microsoft ASP.NET MVC Framework
• A demo running the IE automation script against the Music Store MVC application
The O2 Platform
What is the O2 Platform?
The O2 Platform represents a new paradigm for how to perform, document and distribute web application security reviews.
O2 is designed to automate security consultants' knowledge and workflows, and to allow non-security experts to access and consume security knowledge.
• The Project Manager is Dinis Cruz, a security expert based in the UK. Dinis has a strong background in the application security world and has performed very interesting research.
• Some features of the O2 Platform:
  – Scripting engine and development environment.
  – Black-box/browser-automation environment.
  – Source code analysis environment.
  – Data consumption and API generation.
The O2 Platform: More features!
• Powerful search engine
• Graphical engines
• Multiple APIs
• Integration with third parties
• A comprehensive UI!
• A look at the IE automation editor
• IE Automation syntax:

```csharp
var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(false);
ie.open("http://www.google.com");
ie.field("q").Value = "OWASP Costa Rica";
//O2File:WatiN_IE_ExtensionMethods.cs
//O2Ref:WatiN.Core.1x.dll
//O2Tag_DontAddExtraO2Files;
```
• O2 Platform inside the Visual Studio IDE
Where to get the O2 Platform?
• From the Visual Studio Gallery: http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2
• Standalone installer: http://tiny.cc/O2Platform
• For more info on O2 see:
  – O2-related posts on Dinis Cruz's blog: http://diniscruz.blogspot.co.uk/search/label/O2 Platform
  – O2 Blog: https://o2platform.wordpress.com
Agenda
• An overview of the O2 Platform
• An overview of the Microsoft ASP.NET MVC Framework
• A demo running the IE automation script against the Music Store MVC application
MVC Architecture
Architecture of the World Wide Web
• Addressable resources
• Standard resource formats
• Uniform interface for interacting with resources
• Stateless and hyperlinking
Uniform Interface
GET
• Retrieves a resource
• Safe
• Cacheable
POST
• Creates a new resource
• Unsafe; the effect of this verb is not defined by HTTP
PUT
• Updates an existing resource
• Used for resource creation
• Idempotent
DELETE
• Removes a resource
• Call it N times and the same thing always happens (idempotent)
Web applications should embrace the Web!
• MVC is a standard design pattern that many developers are familiar with. Some types of web applications will benefit from the MVC framework.
• Some features:
  – Embrace the Web: MVC is a standards-compliant architecture that embraces the Web architecture.
  – Easy to implement: the industry is adopting the MVC framework because it provides an easy approach to creating applications rapidly.
  – Separation of concerns: this architecture is designed to separate responsibilities within your application.
  – Testability
Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
• MVC Actors:
Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
• Models: model objects are the parts of the application that implement the logic for the application's data domain.
• Retrieve and store model state in databases.
• Examples are a Product model, a Customer model or a Speaker model.
• Views: components that display the application's user interface (UX).
• Created from model data.
• An example is editing a speaker's information, displaying text boxes for name and address.
• Controllers: components that handle user interactions, work with the model and select a view to render in the UI.
• Handle and respond to user input and interactions.
• Vulnerabilities on top of the MVC Framework
• MVC applications are vulnerable to most of the attack vectors found in web applications (XSS, CSRF).
• Mass Assignment (Auto Binding): this vulnerability can be found in Spring MVC and the Microsoft ASP.NET MVC Framework.
• Mass Assignment (aka Auto Binding)
• MVC frameworks rely heavily on binding query strings, route values and form values to in-code objects.
• This vulnerability is a kind of parameter tampering.
• Model binding works by assigning HTML form fields to object properties.
Mass Assignment (aka Auto Binding)
• Let's take a look at the following model object:

```csharp
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}
```
What can happen?
Someone could send an HTTP request using Fiddler2 or cURL:

```
Request URL: http://yourBlog/register
Request Method: POST
Status Code: 200 OK
......
Name: Michael
LastName: Hidalgo
EmailAddress: [email protected]
IsAdmin: true
```
Agenda
• An overview of the O2 Platform
• An overview of the Microsoft ASP.NET MVC Framework
• A demo running the IE automation script against the Music Store MVC application
Running an O2 Demo!!!
How to protect us against Mass Assignment?
• Never trust user input!!!!
• Matching incoming parameters
• Using a ViewModel
• Protect your sensitive model properties (e.g. SSN, IDs, account numbers)
How to protect us against Mass Assignment?
Matching incoming parameters
How to protect us against Mass Assignment?
Protecting sensitive fields (using the Bind attribute)
How to protect us against Mass Assignment?
• Protecting sensitive fields (using the Bind attribute)
• BlackList
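As an added example (not code from the slides or from the O2 project), the deck's BlogMember model beside a Register action that is open to mass assignment and the four protections listed above: matching incoming parameters, a ViewModel, a Bind whitelist and a Bind blacklist. The AccountController, RegisterViewModel and the "Welcome" view are assumed names.

```csharp
// Added example, not from the slides: the deck's BlogMember model, a Register action open to
// mass assignment, and the protections the deck lists. Controller and view model names are assumed.
using System.Web.Mvc;

public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }   // sensitive: must never be settable from the form
}

public class RegisterViewModel   // only the fields the registration form may supply
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
}

public class AccountController : Controller
{
    // VULNERABLE: DefaultModelBinder sets every public property it finds in the request,
    // so the POST shown in the deck ("IsAdmin: true") creates an administrator.
    [HttpPost]
    public ActionResult RegisterVulnerable(BlogMember member) { return View("Welcome", member); }

    // Fix 1, ViewModel: bind the form to RegisterViewModel and copy only permitted fields;
    // IsAdmin is decided by server-side logic, never by the client.
    [HttpPost]
    public ActionResult Register(RegisterViewModel form)
    {
        var member = new BlogMember { Name = form.Name, LastName = form.LastName,
                                      EmailAddress = form.EmailAddress, IsAdmin = false };
        return View("Welcome", member);
    }
    // Fix 2, matching incoming parameters: accept exactly the values the form is expected to send.
    [HttpPost]
    public ActionResult RegisterExplicit(string name, string lastName, string emailAddress)
    {
        var member = new BlogMember { Name = name, LastName = lastName, EmailAddress = emailAddress };
        return View("Welcome", member);
    }
    // Fix 3, Bind whitelist: a property not named in Include is never bound, even one added later.
    [HttpPost]
    public ActionResult RegisterInclude([Bind(Include = "Name,LastName,EmailAddress")] BlogMember member) { return View("Welcome", member); }

    // Fix 4, Bind blacklist: Exclude blocks IsAdmin, but every new sensitive property must be added here too.
    [HttpPost]
    public ActionResult RegisterExclude([Bind(Exclude = "IsAdmin")] BlogMember member) { return View("Welcome", member); }
}
```

The whitelist forms (ViewModel, explicit parameters, Include) fail closed when the model grows; the Exclude blacklist fails open, which is why the deck lists it last.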