Improving Web Application Security: Threats and Countermeasures

Forewords by Mark Curphey, Joel Scambray, and Erik Olson

patterns & practices

J.D. Meier, Microsoft Corporation
Alex Mackman, Content Master
Srinath Vasireddy, Microsoft Corporation
Michael Dunner, Microsoft Corporation
Ray Escamilla, Microsoft Corporation
Anandha Murukan, Satyam Computer Services

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BizTalk, IntelliSense, MSDN, Visual Basic, Visual C#, Visual C++, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

© 2003 Microsoft Corporation. All rights reserved.

Version 1.0, 6/30/2003

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Forewords
  Foreword by Mark Curphey
  Foreword by Joel Scambray
  Foreword by Erik Olson

Introduction
  Why We Wrote This Guide
  What Is a Hack-Resilient Application?
  Scope of This Guide
    Securing the Network, Host, and Application
    Technologies in Scope
  Who Should Read This Guide
  How to Use This Guide
    Applying the Guidance to Your Role
    Applying the Guidance to Your Product Life Cycle
    Microsoft Solutions Framework
  Organization of This Guide
    Solutions at a Glance
    Fast Track
    Parts
    Checklists
    "How To" Articles
  Approach Used in This Guide
    Secure Your Network, Host, and Application
    Focus on Threats
    Follow a Principle-Based Approach
  Positioning of This Guide
    Volume I, Building Secure ASP.NET Applications
    Volume II, Improving Web Application Security
  Feedback and Support
    Feedback on the Guide
    Technical Support
    Community and Newsgroup Support
  The Team Who Brought You This Guide
    Contributors and Reviewers
  Tell Us About Your Success
  Summary

Solutions at a Glance
  Architecture and Design Solutions
  Development Solutions
  Administration Solutions

Fast Track — How To Implement the Guidance
  Goal and Scope
  The Holistic Approach
    Securing Your Network
    Securing Your Host
    Securing Your Application
  Identify Threats
  Applying the Guidance to Your Product Life Cycle
  Implementing the Guidance
  Who Does What?
    RACI Chart
  Summary

Part I  Introduction to Threats and Countermeasures

Chapter 1  Web Application Security Fundamentals
  We Are Secure — We Have a Firewall
  What Do We Mean By Security?
  The Foundations of Security
  Threats, Vulnerabilities, and Attacks Defined
  How Do You Build a Secure Web Application?
  Secure Your Network, Host, and Application
  Securing Your Network
    Network Component Categories
  Securing Your Host
    Host Configuration Categories
  Securing Your Application
    Application Vulnerability Categories
  Security Principles
  Summary
  Additional Resources

Chapter 2  Threats and Countermeasures
  In This Chapter
  Overview
  How to Use This Chapter
  Anatomy of an Attack
    Survey and Assess
    Exploit and Penetrate
    Escalate Privileges
    Maintain Access
    Deny Service
  Understanding Threat Categories
    STRIDE
    STRIDE Threats and Countermeasures
  Network Threats and Countermeasures
    Information Gathering
    Sniffing
    Spoofing
    Session Hijacking
    Denial of Service
  Host Threats and Countermeasures
    Viruses, Trojan Horses, and Worms
    Footprinting
    Password Cracking
    Denial of Service
    Arbitrary Code Execution
    Unauthorized Access
  Application Threats and Countermeasures
    Input Validation
      Buffer Overflows
      Cross-Site Scripting
      SQL Injection
      Canonicalization
    Authentication
      Network Eavesdropping
      Brute Force Attacks
      Dictionary Attacks
      Cookie Replay Attacks
      Credential Theft
    Authorization
      Elevation of Privilege
      Disclosure of Confidential Data
      Data Tampering
      Luring Attacks
    Configuration Management
      Unauthorized Access to Administration Interfaces
      Unauthorized Access to Configuration Stores
      Retrieval of Plaintext Configuration Secrets
      Lack of Individual Accountability
      Over-privileged Application and Service Accounts
    Sensitive Data
      Access to Sensitive Data in Storage
      Network Eavesdropping
      Data Tampering
    Session Management
      Session Hijacking
      Session Replay
      Man in the Middle Attacks
    Cryptography
      Poor Key Generation or Key Management
      Weak or Custom Encryption
      Checksum Spoofing
    Parameter Manipulation
      Query String Manipulation
      Form Field Manipulation
      Cookie Manipulation
      HTTP Header Manipulation
    Exception Management
      Attacker Reveals Implementation Details
      Denial of Service
    Auditing and Logging
      User Denies Performing an Operation
      Attackers Exploit an Application Without Leaving a Trace
      Attackers Cover Their Tracks
  Summary
  Additional Resources

Chapter 3  Threat Modeling
  In This Chapter
  Overview
  Before You Begin
  How to Use This Chapter
  Threat Modeling Principles
    The Process
    The Output
  Step 1. Identify Assets
  Step 2. Create an Architecture Overview
    Identify What the Application Does
    Create an Architecture Diagram
    Identify the Technologies
  Step 3. Decompose the Application
    Identify Trust Boundaries
    Identify Data Flow
    Identify Entry Points
    Identify Privileged Code
    Document the Security Profile
  Step 4. Identify the Threats
    Identify Network Threats
    Identify Host Threats
    Identify Application Threats
    Using Attack Trees and Attack Patterns
  Step 5. Document the Threats
  Step 6. Rate the Threats
    Risk = Probability * Damage Potential
    High, Medium, and Low Ratings
    DREAD
  What Comes After Threat Modeling?
    Generating a Work Item Report
  Summary
  Additional Resources

Part II  Designing Secure Web Applications

Chapter 4  Design Guidelines for Secure Web Applications
  In This Chapter
  Overview
  How to Use This Chapter
  Architecture and Design Issues for Web Applications
  Deployment Considerations
    Security Policies and Procedures
    Network Infrastructure Components
    Deployment Topologies
    Intranet, Extranet, and Internet
  Input Validation
    Assume All Input Is Malicious
    Centralize Your Approach
    Do Not Rely on Client-Side Validation
    Be Careful with Canonicalization Issues
    Constrain, Reject, and Sanitize Your Input
    In Practice
  Authentication
    Separate Public and Restricted Areas
    Use Account Lockout Policies for End-User Accounts
    Support Password Expiration Periods
    Be Able to Disable Accounts
    Do Not Store Passwords in User Stores
    Require Strong Passwords
    Do Not Send Passwords Over the Wire in Plaintext
    Protect Authentication Cookies
  Authorization
    Use Multiple Gatekeepers
    Restrict User Access to System Level Resources
    Consider Authorization Granularity
  Configuration Management
    Secure Your Administration Interfaces
    Secure Your Configuration Stores
    Separate Administration Privileges
    Use Least Privileged Process and Service Accounts
  Sensitive Data
    Secrets
    Sensitive Per User Data
  Session Management
    Use SSL to Protect Session Authentication Cookies
    Encrypt the Contents of the Authentication Cookies
    Limit Session Lifetime
    Protect Session State from Unauthorized Access
  Cryptography
    Do Not Develop Your Own Cryptography
    Keep Unencrypted Data Close to the Algorithm
    Use the Correct Algorithm and Correct Key Size
    Secure Your Encryption Keys
  Parameter Manipulation
    Encrypt Sensitive Cookie State
    Make Sure that Users Do Not Bypass Your Checks
    Validate All Values Sent from the Client
    Do Not Trust HTTP Header Information
  Exception Management
    Do Not Leak Information to the Client
    Log Detailed Error Messages
    Catch Exceptions
  Auditing and Logging
    Audit and Log Access Across Application Tiers
    Consider Identity Flow
    Log Key Events
    Secure Log Files
    Back Up and Analyze Log Files Regularly

[...]

  Link Demands
    Luring Attacks
    Performance and Link Demands
    Calling Methods with Link Demands
    Mixing Class and Method Level Link Demands
    Interfaces and Link Demands
    Structures and Link Demands
    Virtual Methods and Link Demands
  Assert and RevertAssert
    Use the Demand / Assert...

[...]

Security Resources
  Related Microsoft patterns & practices Guidance
  Security-Related Web Sites
    Microsoft Security-Related Web Sites
    Third-Party, Security-Related Web Sites
  Microsoft Security Services
    Partners and Service Providers
  Communities and Newsgroups
    Newsgroup Home Pages
  Patches and...

[...]

  Exception Management
  Auditing and Logging
  Configuration File Settings
  Web Farm Considerations
  Hosting Multiple Applications
  ACLs and Permissions
  Application Bin Directory

Checklist  Securing Web Services
  How to Use This Checklist...

[...]

  Do You Handle Exceptions?
  Do You Use Cryptography?
  Do You Store Secrets?
  Do You Use Delegates?
  Code Access Security
    Do You Support Partial-Trust Callers?
    Do You Restrict Access to Public Types and Members?
    Do You Use Declarative Security...

[...]

  Environment Variables
    Constraining Environment Variable Access
    Requesting EnvironmentPermission
  Web Services
    Constraining Web Service Connections
  Sockets and DNS
    Constraining Socket Access
    Requesting SocketPermission and DnsPermission...

[...]

  Summary
  Additional Resources

Chapter 12  Building Secure Web Services
  In This Chapter
  Overview
  How to Use This Chapter
  Threats and Countermeasures
    Unauthorized Access
    Parameter Manipulation...

[...]

  Auditing and Logging
    Using a Custom Channel Sink
  Code Access Security (CAS) Considerations
  Summary
  Additional Resources

Chapter 14  Building Secure Data Access
  In this Chapter
  Overview
  How to Use This Chapter
  Threats...

[...]

  Web Services
  Enterprise Services
    Accounts
    Files and Directories
    Authentication
    Authorization
    Remote Serviced Components
  Remoting...

[...]

    ISAPI Filters
  Step 14  IIS Metabase
    Restrict Access to the Metabase Using NTFS Permissions
    Restrict Banner Information Returned by IIS
  Step 15  Server Certificates
  Step 16  Machine.Config
    Map Protected Resources to HttpForbiddenHandler
    Verify That Tracing...

[...]

    Additional Considerations
  Step 5  Files and Directories
    Verify Permissions on SQL Server Install Directories
    Verify Everyone Group Does Not Have Permissions for SQL Server Files
    Secure Setup Log Files
    Secure or Remove Tools, Utilities, and SDKs
    Additional Considerations...