Wednesday 31 July 2013

MVC ModelBinding Vulnerability in Contoso University sample (first raw PoC)

While on the plane to Vegas, I looked at a number of ASP.NET MVC apps (ping me if you know of other good ones to look at (with publicly available source code)).

I was trying to find one that had good examples of MVC ModelBinding Vulnerabilities (aka overposting), in a real-world-kinda-way (I have found tons of MVC ModelBinding Vulnerability examples which usually get dismissed with a 'that is not the recommended way to code MVC controllers').

So I think I found a great example (of what not to do) on the Contoso University sample.

This application is explained in detail in this article Creating an Entity Framework Data Model for an ASP.NET MVC Application (1 of 10) and can be downloaded from http://code.msdn.microsoft.com/ASPNET-MVC-Application-b01a9fe8/view/SourceCode (as shown below, you can also get this from the official ASP.NET MVC website).

Example of SQL Injection using Database.SQLQuery from GitHub (and idea for Cat.NET workflow)

After posting Another example why SATS technology needs custom rules (re: Detecting SQL Injection on .NET Entity framework)  I did this search on GitHub, and found an example of that dangerous Database.SqlQuery API in use:
These allow callers to create SQL Injection (which means that whoever is consuming those APIs needs to be VERY careful)

Another example why SATS technology needs custom rules (re: Detecting SQL Injection on .NET Entity framework)

In Darren's great SQL Injection with Entity Framework 5 and Static Code Analysis post, he mentions how all SAST tools he used failed to find this security vulnerability:


The reason is simple: None of the tools he used had the Database.SqlQuery Method marked as a Sink (and btw last time I checked FxCop is not a SAST tool)

One of the things I wanted to do this week was to add a rules manager/editor to CAT.net (see my current research on this SAST tool from Microsoft here), and this could be a good example (i.e. show how to write a custom CAT.Net rule to detect this security issue).
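As an added illustration of the sink discussed in the two posts above (not code from the GitHub project found in the search, nor from Darren's post), here is the same Entity Framework query written with Database.SqlQuery in its injectable, string-concatenated form and in its parameterised form; Product and ShopContext are constructed names.

```csharp
// Added example (not code from the GitHub project or from Darren's post):
// the same Entity Framework query written with Database.SqlQuery in its
// string-concatenated (injectable) form and in its parameterised form.
// Product and ShopContext are constructed names for this illustration.
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;

public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<Product> Products { get; set; }
}

public class ProductRepository
{
    private readonly ShopContext db = new ShopContext();

    // VULNERABLE: 'name' arrives from the request and is concatenated into
    // the SQL text. SqlQuery hands that text to the database verbatim, so a
    // single quote inside 'name' ends the literal and whatever follows is
    // parsed as SQL. A SAST tool only reports this if Database.SqlQuery is
    // registered as a sink (the point made in the post above).
    public List<Product> FindByName_Unsafe(string name)
    {
        string sql = "SELECT * FROM Products WHERE Name = '" + name + "'";
        return db.Database.SqlQuery<Product>(sql).ToList();
    }

    // SAFE: the value is passed as a parameter. SqlQuery takes a
    // params object[]; each {n} placeholder becomes a DbParameter, so the
    // value travels out of band and cannot change the statement.
    public List<Product> FindByName_Safe(string name)
    {
        return db.Database.SqlQuery<Product>(
            "SELECT * FROM Products WHERE Name = {0}", name).ToList();
    }
}
```

A custom rule for a tool like CAT.NET would mark the first argument of Database.SqlQuery as the sink and the request as the source; the second method never carries tainted data into that argument.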

Email (outlook.com, gmail) should be stored on a git repository, with hashes used to detect account hijack

On the topic of being secure (and minimising account compromise) while using hostile networks (see Day 1 - made it to Vegas, start of ASP.NET MVC research and Trying to keep secure while at BlackHat and DefCon 2013) I started using outlook.com, and was wondering how I can detect if that account is hijacked (for example by somebody who has a root SSL cert and is sitting on the same wireless network that I'm in (currently at Starbucks using the Mirage WIFI))

So what happens if somebody sends an email from this account:



How could I detect it?

Day 1 - made it to Vegas, start of ASP.NET MVC research

So after an 18h flight (with stopover in Toronto) I made it to Las Vegas. It was a really productive flight and I was finally able to spend some time focusing on really learning how ASP.NET MVC actually works.

I read a large section of the Professional ASP.NET MVC 4 book (by Wrox) which is a great way to quickly learn what can be done with MVC 4. Although still very light on security, that book is actually one of the best ones (of all ASP.NET MVC books I have) on 'mentioning' security. Unfortunately, on the ModelBinding vulnerabilities (aka over-posting), there is very little to alert the reader to the dangers of MVC's ModelBinding.

Tuesday 30 July 2013

Trying to keep secure while at BlackHat and DefCon 2013

Since the BlackHat and DefCon networks are getting more and more dangerous/compromised (and SSL doesn't mean much these days), this year, I'm going to try to be more careful with my interweb and account activities.

So:
  • I'm only taking 1 Mac Laptop which has a clean install of OSx (+ Fusion with clean Windows installs), which I will use for research on the presentation I'm doing at DefCon (on Sunday)
  • I'm not taking my real phone (I'm going to try to get a SIM card in the US which hopefully will work on an unblocked and factory-reset iPhone 4)
  • I'm not going to check my OWASP and SI emails while there, and am only going to use the temporary diniscruz_defcon@outlook.com account (I also have temp GitHub, twitter and blogger accounts)
So if you want to reach me, the best way is via the diniscruz_defcon@outlook.com account (which I will check regularly, but will expect to be a little bit compromised)

Any other ideas?

For the ones that are going, what other security measures are you taking?

Cya in Vegas

Tuesday 23 July 2013

Version of O2Platform 5.3 released

I just pushed to GitHub a new version of the O2 Platform which has a massive Namespace rename and a number of new features


The NuGet packages can be consumed from http://www.nuget.org/packages?q=fluentSharp

And the code is at https://github.com/o2platform (with for example the FluentSharp commits available at: https://github.com/o2platform/FluentSharp/commits/master )

Let me know your views on it or if you find probs running it

Thanks

Friday 19 July 2013

Nice business logic vulnerability and CSRF on the ASP.NET MVC Design Patterns book sample

Following a comment on this reddit thread I did a search for 'ASP.NET MVC Design patterns' and found the site https://aspnetdesignpatterns.codeplex.com which is from the Wrox Professional ASP.NET Design Patterns book.

Since it looked like a nice MVC application, I grabbed a copy of the source code, upgraded it to .NET 4.0/MVC 4.0 (now on GitHub here) and had a quick look for MVC ModelBinding vulnerabilities.

And although it looks like the app is NOT vulnerable to MVC Model injections, that is mainly because there are very few controllers that use ModelBinding (i.e. that Design Pattern was not used (which ironically is my main recommendation to deal with MVC ModelBinding Vulnerabilities: don't use Model Binding :)  )).

Thursday 18 July 2013

Research on Azure WebSite security: Process Execution (cmd.exe, git.exe, node.exe, xyz.exe) and Folder Browsing (outside azure root)

Following the presentation I did a couple weeks ago at the UK Azure user-group event (http://ukwaug.net/events/security-compliance/), here are my rough notes on my research (for a couple hours/days before the event)

Using DotNet_ANSA (see end of post for more info about this tool) I was able to show a number of security issues that exist with Azure Websites.

BUT (Important disclaimer):
  • I was not able to see data from other Azure websites hosted on the same server (since I was limited by the IIS user account used)
  • This happens because of running .NET code under Full Trust (which is the default in most ASP.NET apps, since partial trust is dead now)
  • Although this is nothing new, I was surprised by the number of ASP.NET Azure specialists that were not aware that it was possible to (for example) browse files/folders outside the allocated folder and start new processes on the azure server
  • These are ‘Security Issues’ and ‘Areas of concern’ for Azure (and other) deployed websites.
  • These are not ‘Security Vulnerabilities’ since they happen by ‘design’
  • The key is to make sure that all parties understand that this is possible (namely remove process execution on cloud/hosted services)
  • I didn’t upload any exploits or metasploit-like tools (since that would be pushing my Azure testing a bit too far), but as far as I can see, they should work
  • I didn't spend a lot of time on this, and there are a number of other research areas that should be pursued

Wednesday 17 July 2013

Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+ Model Binder?

This post contains an example of a serious security vulnerability that is common on ASP.NET MVC applications.

There are two versions of a Model Binder (CartModelBinder) class shown below, one or both are vulnerable.

Your job is to find out how to exploit them :)

Ideally you should provide your answer/results/proof using UnitTests :)

Note 1: The vulnerability shown in this post is a variation of a real-world vulnerability that I helped to find a couple weeks ago (on a UK-based financial services company).

Note 2: I’m yet to look/review/see a large MVC application that doesn’t have similar vulnerabilities (on both ASP.NET MVC or Spring MVC)

Note 3: the code is from the http://sportsstoremvc3.codeplex.com/ sample application, which is used as a ‘real-world application’ example by the Pro ASP.NET MVC 4 book (the code was compiled using .NET 4.0 and executed using the ASP.NET MVC 3.0 and ASP.NET MVC 4.0 versions).
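The CartModelBinder classes this post refers to are not reproduced on this page, so the following is an added example, not the SportsStore or Contoso University code, of the over-posting pattern these posts are about: an Edit action whose parameter is filled by the default model binder, beside a version that whitelists the bindable properties. Student, SchoolContext and the property names are constructed for this illustration.

```csharp
// Added example (not Contoso University or SportsStore code); names are constructed.
using System.Data.Entity;
using System.Web.Mvc;

public class Student
{
    public int ID { get; set; }
    public string LastName { get; set; }
    public string FirstMidName { get; set; }
    public bool IsAdministrator { get; set; }  // never user-editable
}

public class SchoolContext : DbContext
{
    public DbSet<Student> Students { get; set; }
}

public class StudentController : Controller
{
    private readonly SchoolContext db = new SchoolContext();

    // VULNERABLE: the default binder fills EVERY settable property from the
    // request. The view renders only LastName and FirstMidName, but the
    // server cannot know that: a posted field named IsAdministrator (or ID)
    // is bound too, and State = Modified writes all columns back.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit_Unsafe(Student student)
    {
        if (!ModelState.IsValid) return View(student);
        db.Entry(student).State = EntityState.Modified;
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    // SAFE: load the row by id, then let the binder touch only whitelisted
    // properties; unlisted request values are ignored whatever their name.
    // [Bind(Include = "LastName,FirstMidName")] is the attribute equivalent.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit_Safe(int id)
    {
        var student = db.Students.Find(id);
        if (student == null) return HttpNotFound();
        if (TryUpdateModel(student, "", new[] { "LastName", "FirstMidName" }))
        {
            db.SaveChanges();
            return RedirectToAction("Index");
        }
        return View(student);
    }
}
```

A unit test for the safe version posts a form containing an extra IsAdministrator=true field and asserts that the stored row's flag is unchanged; the same test against Edit_Unsafe is what fails.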


Tuesday 16 July 2013

Code Club - Video with Scratch Games created by the Kids I was teaching at a local school

For the last couple months (May till June 2013) I have been running a Code Club session at my daughter's school.

Every Wednesday at 3:30pm, I went there for 1h and taught 14 kids (Y3 till Y6) how to program Scratch (with a brave one doing some Python)

To wrap up the year, we did a presentation to the Key Stage 2 assembly, where we presented the video below (to show some examples of their efforts and creativity):