The document discusses the O2 Platform, which is a framework for automating security testing and documentation. It provides features like a scripting engine, browser automation, source code analysis tools, and APIs. The document also provides an overview of the Microsoft ASP.NET MVC framework and common vulnerabilities it faces like mass assignment. It demonstrates running an IE automation script on the Music Store sample application using the O2 Platform to test for vulnerabilities like cross-site scripting and CSRF. The presentation educates developers on security best practices like validating user input and protecting sensitive fields when using MVC frameworks.
Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities
1. The O2 Platform:
Exploiting and Fixing Microsoft ASP.net
MVC Vulnerabilities
Michael Hidalgo
michael.hidalgo@owasp.org
Chapter Leader OWASP Costa Rica
Contributor, OWASP O2 Platform Project
2. About Me
Software Developer Engineer at
Fiserv, Digital Channels - Corillian Online ASP team.
– Developing software for financial institutions (FI, CU)
– Web services, interoperability
OWASP Costa Rica Chapter Leader
Participation in the OData Protocol
OWASP Projects contributor
– OWASP O2 Platform (Dinis Cruz)
– REST Security Cheat Sheet (Jim Manico)
4. But also because…
We software developers need a framework that helps
us write secure applications.
5. Agenda
• An overview of the O2 Platform
• An overview of Microsoft ASP.net MVC Framework
• A demo running the IE automation script against
Music Store MVC Application.
7. The O2 Platform
The O2 Platform represents a new paradigm for
how to perform, document and distribute web
application security reviews.
O2 is designed to automate security consultants'
knowledge and workflows, and to allow non-security
experts to access and consume security knowledge.
8. The O2 Platform
• The project manager is Dinis Cruz, a security
expert based in the UK. Dinis has a strong
background in the application security world and
has performed very interesting research.
• Some features of O2 platform:
– Scripting Engine and development environment.
– Black-Box/Browser-automation environment.
– Source Code analysis environment.
– Data Consumption and API Generation
9. The O2 Platform
The O2 Platform: More features!
• Powerful search engine
• Graphical Engines
• Multiple APIs
• Integration with third parties
14. The O2 Platform
Where to get O2 Platform?
• From Visual Studio Gallery :
• http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2
• Getting the standalone installer
• http://tiny.cc/O2Platform
• For more info on O2 see:
• O2 related posts on this blog: http://diniscruz.blogspot.co.uk/search/label/O2 Platform
• O2 Blog: https://o2platform.wordpress.com
15. Agenda
• An overview of the O2 Platform
• An overview of Microsoft ASP.net MVC Framework
• A demo running the IE automation script against
Music Store MVC Application.
16. MVC Architecture
Architecture of the World Wide Web
• Addressable resources
• Standard resource formats
• Uniform interface for interacting with
resources
• Stateless and hyperlinking
17. Uniform Interface
GET
• Retrieves a resource
• Safe
• Cacheable
POST
• Creates a new resource
• Unsafe; the effect of this verb is not defined by HTTP
PUT
• Updates an existing resource
• Used for resource creation
• Idempotent
DELETE
• Removes a resource
• Call it N times and the same thing always happens (idempotent)
19. MVC Architecture
• MVC is a standard design pattern that many developers are
familiar with. Some types of web applications will benefit
from the MVC framework.
• Some features:
– Embrace the Web: MVC is a standards-compliant architecture
that embraces the web architecture.
– Easy to implement: the industry is adopting the MVC framework
because it provides an easy approach to creating applications
rapidly.
– Separation of concerns: this architecture is designed to separate
responsibilities within your application.
– Testability
Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
20. MVC Architecture
• MVC Actors (diagram of the Model, View and Controller interactions; image not reproduced here)
Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
21. MVC Architecture
• Models: model objects are the parts of the
application that implement the logic for the
application’s data domain.
• Retrieve and store model state in databases.
• An example is a Product model, a Customer
model or a Speaker model.
22. MVC Architecture
• Views: components that display the application’s
user interface (UX).
• Created from model data.
• An example is editing a Speaker’s information,
displaying text boxes for name and address.
23. MVC Architecture
• Controllers: components that handle user
interactions, work with the model and select a
view to render in the UI.
• Handles and responds to user input and
interactions.
24. MVC Architecture
• Vulnerabilities on top of MVC Framework
• MVC applications are vulnerable to most of
the attack vectors found in web applications
(XSS, CSRF).
• Mass Assignments (Auto Binding) : This
vulnerability can be found in Spring MVC and
Microsoft ASP.NET MVC Framework.
25. MVC Architecture
• Mass Assignments (aka Auto Binding).
• MVC frameworks rely heavily on binding query
strings, route values and form values to in-code objects.
• This vulnerability is a kind of parameter
tampering.
• Model Binding works by assigning HTML form
fields to object properties.
26. MVC Architecture
Mass Assignments (aka Auto Binding).
• Let’s take a look at the following Model Object:
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}
27. MVC Architecture
What can happen?
Someone could send an HTTP request using Fiddler2 or cURL:
Request URL: http://yourBlog/register
Request Method: POST
Status Code: 200 OK ...
Name: Michael
LastName: Hidalgo
EmailAddress: michael.hidalgo@owasp.org
IsAdmin: true
28. Agenda
• An overview of the O2 Platform
• An overview of Microsoft ASP.net MVC Framework
• A demo running the IE automation script against
Music Store MVC Application.
30. MVC Architecture
How to protect us against Mass assignments?
• Never trust user input!!!!
• Matching incoming parameters
• Using a ViewModel
• Protect your sensitive model properties (e.g.
SSN, IDs, account numbers)
31. MVC Architecture
How to protect us against Mass assignments?
Matching incoming parameters
32. MVC Architecture
How to protect us against Mass assignments?
Protecting sensitive fields (using Bind Attribute)
33. MVC Architecture
How to protect us against Mass assignments?
• Protecting sensitive fields (using Bind
Attribute)
• BlackList
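An added example, not from the slides or the O2 project, putting the BlogMember model from slide 26 and the "IsAdmin: true" request from slide 27 beside the defenses listed on slides 30 to 33, in classic ASP.NET MVC (System.Web.Mvc, C# 6 syntax). IMemberRepository, AccountController and the Save helper are assumed names used only to keep the actions short.

```csharp
using System.Web.Mvc;

// Model from slide 26. IsAdmin must only ever be set server-side.
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}

public interface IMemberRepository { void Add(BlogMember member); } // assumed abstraction

public class AccountController : Controller
{
    private readonly IMemberRepository _members;
    public AccountController(IMemberRepository members) { _members = members; }

    private ActionResult Save(BlogMember member)
    {
        _members.Add(member);
        return RedirectToAction("Index");
    }

    // VULNERABLE: the default model binder fills every public property it can match
    // by name, so the extra "IsAdmin=true" field from slide 27 lands in the entity.
    [HttpPost]
    public ActionResult RegisterVulnerable(BlogMember member) => Save(member);

    // Fix: match incoming parameters explicitly (a ViewModel with just these three
    // properties is equivalent). Nothing named IsAdmin exists for the binder to fill;
    // the privilege flag is assigned in code only.
    [HttpPost]
    public ActionResult Register(string name, string lastName, string emailAddress) =>
        Save(new BlogMember { Name = name, LastName = lastName,
                              EmailAddress = emailAddress, IsAdmin = false });

    // Fix: whitelist with [Bind(Include = ...)]; posted fields not listed are ignored,
    // so member.IsAdmin keeps its default of false.
    [HttpPost]
    public ActionResult RegisterWhitelist(
        [Bind(Include = "Name,LastName,EmailAddress")] BlogMember member) => Save(member);

    // Blacklist with [Bind(Exclude = ...)] also works, but a sensitive property added to
    // BlogMember later is bindable until someone remembers to extend the exclude list.
    [HttpPost]
    public ActionResult RegisterBlacklist([Bind(Exclude = "IsAdmin")] BlogMember member)
        => Save(member);
}
```

Posting the slide 27 body to RegisterVulnerable stores an administrator; posting it to any of the other three actions stores a member with IsAdmin false, which is the behaviour to confirm in a regression test.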
34. Q&A
Michael Hidalgo
michael.hidalgo@owasp.org