2. Introduction
Myself
⊠Education
⊠Professional experience
Project
⊠.Net Hosted Services
⊠WCF
⊠Web API
⊠Data Services
⊠OWASP
⊠Top Ten
⊠How it applies to hosted services
BRETT NEMEC
3. Windows Communication Foundation
Part of the .Net framework
⊠System.ServiceModel namespace
⊠Introduced in version 3.0
The Service Model
⊠Service oriented
⊠Interoperable
⊠Automatic configuration
⊠Follows security standards
⊠Supports multiple transports and encodings
⊠Extensible
Security
⊠SOAP
⊠Message integrity
⊠Authentication on service and client
⊠Integration with existing technology
7. Data Services
Model driven architecture
⊠Object Relational Mapping
⊠Entity Framework
OData
⊠Open Data Protocol
Data owner has more control over data
Cloud
⊠Introduces added risk due to foreign environments
⊠Data owner can have less control
8. OWASP
Stands for Open Web Application Security Project
Not for profit organization
Dedicated to web security
⊠Helps raise awareness of trends in security threats
Support for most popular web technologies
⊠Java
⊠C/C++
⊠.Net
⊠PHP
Top ten security risks of 2013
9. OWASP Top Ten Security Risks of 2013 RC
A1 - Injection
A2 - Broken authentication and session management
A3 - Cross-site scripting (XSS)
A4 - Insecure direct object references
A5 - Security misconfigurations
A6 - Sensitive data exposure
A7 - Missing functional level access control
A8 - Cross-site request forgery (CSRF)
A9 - Using known vulnerable components
A10 - Unvalidated redirects and forwards
10. A1 - Injection
SQL Injection
⊠Example
⊠WCF method: GetPersonByName(string name), where name = ' or '1' = '1
⊠Executes SQL
⊠var query = "select * from Person where name = '" + p1 + "'";
⊠Resolves to "select * from Person where name = '' or '1' = '1'", which matches every row
⊠One of the most prominent classes of input validation errors
⊠Don't hand user input to command interpreters (SQL, LDAP, the OS shell)
⊠Use a parameterized interface: the value is bound as data and never parsed as SQL
⊠var query = "select * from Person where name = @name";
⊠Entity Framework v5
⊠ORM
⊠SQL is generated behind the scenes, with LINQ values passed as parameters
⊠Model driven
⊠LINQ to SQL
⊠Raw SQL helpers (Database.SqlQuery, ExecuteSqlCommand) still take a string, so concatenating input into them reintroduces the injection
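The vulnerable concatenation from the slide beside its parameterized form, as an added example (not code from the deck). It assumes a Person table with Name and Email columns, a placeholder connection string, and, for the Entity Framework part, the EntityFramework package; BuildUnsafeQuery is kept only to show what the database would receive.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;
using System.ServiceModel;

[ServiceContract]
public interface IPersonService
{
    [OperationContract]
    List<string> GetPersonByName(string name);
}

public class PersonService : IPersonService
{
    // Hypothetical connection string; the host supplies the real one.
    private const string ConnectionString = "Server=.;Database=People;Integrated Security=true";

    // VULNERABLE: the deck's concatenation pattern, never executed here.
    // With name = "' or '1' = '1" the text becomes
    // select * from Person where name = '' or '1' = '1'
    public static string BuildUnsafeQuery(string name)
    {
        return "select * from Person where name = '" + name + "'";
    }

    // SAFE: the value travels as a typed parameter, so the quote characters
    // in the input can never change the shape of the statement.
    public List<string> GetPersonByName(string name)
    {
        var result = new List<string>();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("select Email from Person where Name = @name", conn))
        {
            // Explicit type and length instead of AddWithValue's guessing;
            // matches the column so the plan cache is not polluted either.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    result.Add(reader.GetString(0));
            }
        }
        return result;
    }
}

// Entity Framework: LINQ is translated to parameterized SQL behind the scenes.
public class Person
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
}

public class PeopleContext : DbContext
{
    public DbSet<Person> People { get; set; }
}

public static class PersonQueries
{
    // Parameterized by the provider; no string building involved.
    public static IList<Person> ByName(PeopleContext db, string name)
    {
        return db.People.Where(p => p.Name == name).ToList();
    }

    // Raw SQL is fine as long as the input is still a parameter...
    public static IList<Person> ByNameRaw(PeopleContext db, string name)
    {
        return db.People
                 .SqlQuery("select * from Person where Name = @name", new SqlParameter("@name", name))
                 .ToList();
    }
    // ...and injectable again if it is concatenated:
    //   db.People.SqlQuery("select * from Person where Name = '" + name + "'")
}

class Program
{
    static void Main()
    {
        Console.WriteLine(PersonService.BuildUnsafeQuery("' or '1' = '1"));
    }
}
```

The contract method itself cannot tell a hostile name from a harmless one; the only reliable defence is that every query path, including the ORM's raw-SQL escape hatches, binds input as a parameter.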
11. A2 - Broken authentication and session management
WCF is stateless by default
⊠Stateful session can be enabled in configuration
Message Authentication
⊠Certificate authentication over transport security
⊠Satisfies Level 1 requirements of the OWASP Application Security Verification Standard (ASVS)
⊠Section V2: all pages and resources must require authentication except those intended to be public
⊠Certificate authentication pre-authenticates the client before any operation runs
⊠The client is authenticated to the service by its certificate; the Authorize attribute then handles business-level authorization, i.e. which caller may invoke which operation
12. A3 - Cross-site scripting (XSS)
WCF is not directly vulnerable to XSS
⊠A SOAP service returns XML messages rather than rendered HTML, and parameters travel in the message body, not the URL
⊠Data the service stores or returns can still carry a script payload into a browser-based client, so validate input at the service and encode output wherever it is rendered
Implement custom input/output parameter inspectors
⊠IParameterInspector interface (System.ServiceModel.Dispatcher): BeforeCall sees the deserialized inputs, AfterCall the outputs and return value
13. A4 - Insecure direct object references
Authorize attribute
⊠Role-based authorization
⊠When a message is sent to an endpoint, the service asks the custom role provider whether the caller holds the role required for the requested operation
⊠A role check alone does not stop a direct object reference attack: an authenticated caller can still request another user's record by id, so the operation must also check that the caller is entitled to the referenced object
⊠Example (ASP.NET Web API form; the WCF equivalent is [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]):
[Authorize(Roles = "Administrators")]
public void GetAllUsers();
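An added example (not the deck's code) of the two checks side by side in a WCF service: a role demand on the operation that lists everything, and an ownership check on the operation that takes an object id, which is where the direct object reference risk actually lives. It assumes the client has already been authenticated (certificate or Windows credentials) so ServiceSecurityContext carries an identity, that roles are resolved by the configured principalPermissionMode, and the order data is constructed inline.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.ServiceModel;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrder(int orderId);

    [OperationContract]
    IList<int> GetAllOrders();
}

public class OrderService : IOrderService
{
    // Constructed sample data: order id -> (owner, contents).
    private static readonly Dictionary<int, Tuple<string, string>> Orders =
        new Dictionary<int, Tuple<string, string>>
        {
            { 1, Tuple.Create("alice", "3 x widget") },
            { 2, Tuple.Create("bob", "1 x gadget") },
        };

    // Functional-level check: only administrators may enumerate all orders.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public IList<int> GetAllOrders()
    {
        return new List<int>(Orders.Keys);
    }

    // Object-level check: being authenticated is necessary but not sufficient.
    // Without the owner comparison any caller could walk orderId 1, 2, 3...
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string GetOrder(int orderId)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Authentication required");

        return GetOrderFor(ctx.PrimaryIdentity.Name, orderId);
    }

    // Separated so the access rule can be exercised without a running host.
    public static string GetOrderFor(string caller, int orderId)
    {
        Tuple<string, string> order;
        if (!Orders.TryGetValue(orderId, out order) ||
            !string.Equals(order.Item1, caller, StringComparison.OrdinalIgnoreCase))
        {
            // Same fault for "does not exist" and "not yours", so the
            // response does not reveal which ids are valid.
            throw new FaultException("Order not found");
        }
        return order.Item2;
    }
}

class Program
{
    static void Main()
    {
        Console.WriteLine(OrderService.GetOrderFor("alice", 1));   // alice's own order
        try
        {
            OrderService.GetOrderFor("alice", 2);                  // bob's order
        }
        catch (FaultException e)
        {
            Console.WriteLine("denied: " + e.Message);
        }
    }
}
```

Returning one generic fault for both the missing and the foreign object keeps an attacker from enumerating valid ids by comparing error messages.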
14. A5 - Security misconfigurations
Don't expose metadata
⊠Can be turned on for debugging in configuration
⊠App.config or web.config, using the system.serviceModel element (serviceMetadata httpGetEnabled and the mex endpoint)
⊠Must be disabled for production; the same goes for includeExceptionDetailInFaults, which puts stack traces into SOAP faults
⊠Replace the default service help page with a custom web page
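The programmatic equivalent of that configuration, as an added example that is not part of the deck: one routine that leaves metadata, the help page and exception details on for a debug host and turns all three off for production. The PingService contract and the localhost base address are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Description;

public static class HostHardening
{
    public static void Configure(ServiceHost host, bool production)
    {
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata == null)
        {
            metadata = new ServiceMetadataBehavior();
            host.Description.Behaviors.Add(metadata);
        }
        // WSDL over ?wsdl is a map of the attack surface; debugging only.
        metadata.HttpGetEnabled = !production;
        metadata.HttpsGetEnabled = !production;

        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug == null)
        {
            debug = new ServiceDebugBehavior();
            host.Description.Behaviors.Add(debug);
        }
        // Stack traces and type names inside faults leak internals.
        debug.IncludeExceptionDetailInFaults = !production;
        // The default "You have created a service" page links to the WSDL.
        debug.HttpHelpPageEnabled = !production;

        if (production)
        {
            // Remove any mex endpoint that configuration may have added.
            var mex = new List<ServiceEndpoint>();
            foreach (ServiceEndpoint ep in host.Description.Endpoints)
                if (ep.Contract.ContractType == typeof(IMetadataExchange))
                    mex.Add(ep);
            foreach (ServiceEndpoint ep in mex)
                host.Description.Endpoints.Remove(ep);
        }
        else
        {
            // Explicit mex endpoint for tooling (svcutil, Add Service Reference).
            host.AddServiceEndpoint(typeof(IMetadataExchange),
                MetadataExchangeBindings.CreateMexHttpBinding(), "mex");
        }
    }
}

[ServiceContract]
public interface IPing
{
    [OperationContract]
    string Ping();
}

public class PingService : IPing
{
    public string Ping() { return "pong"; }
}

class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(PingService), new Uri("http://localhost:8000/ping"));
        HostHardening.Configure(host, production: true);
        // host.Open();  // not opened here so the example runs without binding a port
    }
}
```

The production flag would normally come from the build configuration or an environment setting; the important property is that a release host cannot accidentally inherit the debug values.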
15. A6 - Sensitive data exposure
Store sensitive data in its encrypted form
Passwords
⊠Don't actually store the password, store a hash
⊠Random salt (256 bytes)
⊠Generated with a cryptographic random number generator (RNGCryptoServiceProvider), not System.Random
⊠SHA-256(Salt + Password) = Salted Password Hash
⊠A single SHA-256 is cheap to compute, so a leaked table can be brute forced quickly on a GPU; prefer a slow, iterated KDF such as PBKDF2 (Rfc2898DeriveBytes in .Net)
⊠Every time the user changes the password, a new salt is used
⊠Database table has two columns, allows for one way validation
⊠PasswordSalt, non-sensitive
⊠PasswordHash
⊠Lock out or delay after a specified number of failed attempts
⊠Slows online brute force attacks; it does not protect the hashes if the database itself leaks
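An added example (not code from the deck) that implements the slide's scheme and the hardened variant side by side: the salt comes from RNGCryptoServiceProvider, SaltedSha256 is the slide's SHA-256(Salt + Password), and Create/Verify use PBKDF2 instead with a stored iteration count and a constant-time comparison. The column names follow the slide's table; the iteration count and salt length are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public sealed class StoredCredential
{
    public byte[] PasswordSalt;   // random, not secret, replaced on every change
    public byte[] PasswordHash;
    public int Iterations;        // stored so the work factor can be raised later
}

public static class PasswordStore
{
    private const int SaltBytes = 32;            // 256 bits of salt
    private const int HashBytes = 32;
    private const int DefaultIterations = 100000; // tune to ~100 ms on the server

    // Cryptographic RNG; System.Random is predictable and must not be used here.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return salt;
    }

    // The slide's scheme: SHA-256(salt || password). One fast hash, so an
    // attacker holding the table can test billions of guesses per second.
    public static byte[] SaltedSha256(byte[] salt, string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        var input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        using (var sha = SHA256.Create())
            return sha.ComputeHash(input);
    }

    // Hardened: PBKDF2 (HMAC-SHA1 in Rfc2898DeriveBytes) with a tunable cost.
    public static byte[] Pbkdf2(byte[] salt, string password, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    public static StoredCredential Create(string password)
    {
        byte[] salt = NewSalt();   // fresh salt on every set or change
        return new StoredCredential
        {
            PasswordSalt = salt,
            Iterations = DefaultIterations,
            PasswordHash = Pbkdf2(salt, password, DefaultIterations)
        };
    }

    // One-way validation: recompute and compare without early exit so the
    // response time does not reveal how many leading bytes matched.
    public static bool Verify(StoredCredential stored, string password)
    {
        byte[] candidate = Pbkdf2(stored.PasswordSalt, password, stored.Iterations);
        return FixedTimeEquals(candidate, stored.PasswordHash);
    }

    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

class Program
{
    static void Main()
    {
        StoredCredential cred = PasswordStore.Create("correct horse battery staple");
        Console.WriteLine(PasswordStore.Verify(cred, "correct horse battery staple"));
        Console.WriteLine(PasswordStore.Verify(cred, "Tr0ub4dor&3"));
        Console.WriteLine(PasswordStore.Create("same").PasswordSalt.Length);
    }
}
```

Storing Iterations alongside the salt and hash lets you raise the cost for new passwords without invalidating existing rows; old rows are re-hashed the next time the user logs in successfully.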
16. A7 - Missing functional level access control
Related to A4, Insecure Direct Object References
WCF by default is stateless
⊠If using the default, sessions are not of concern
⊠If using sessions, control the order of calls with OperationContract
⊠IsInitiating property: only operations marked true may start a session
⊠IsTerminating property: the operation ends the session
Windows Identity Foundation
⊠Supports federated claims based security
⊠Authorized claim sets
⊠Used similarly to role-based authorization, with a claim check in place of the role check
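A session-ful contract using those two properties, as an added example that is not from the deck: Login is the only operation that may start a session, Logout ends it, and everything else is rejected by the dispatcher if no session exists. It assumes a binding that supports sessions (wsHttpBinding with a security or reliable session, or netTcpBinding); the credential check is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

[ServiceContract(SessionMode = SessionMode.Required)]
public interface IWorkflowService
{
    // The only entry point. Calling any other operation on a fresh session
    // fails before user code runs (IsInitiating defaults to true, so every
    // operation must be marked explicitly).
    [OperationContract(IsInitiating = true, IsTerminating = false)]
    bool Login(string userName, string password);

    [OperationContract(IsInitiating = false, IsTerminating = false)]
    string Step(string data);

    [OperationContract(IsInitiating = false, IsTerminating = true)]
    void Logout();
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
public class WorkflowService : IWorkflowService
{
    private string _user;                                   // per-session state
    private readonly List<string> _steps = new List<string>();

    public bool Login(string userName, string password)
    {
        // Placeholder check; a real service delegates to the configured
        // credential validator or an STS.
        if (password != "correct horse") return false;
        _user = userName;
        return true;
    }

    public string Step(string data)
    {
        // IsInitiating=false enforces ordering, not authentication: the
        // session exists even when Login returned false, so check state too.
        if (_user == null) throw new FaultException("Not logged in");
        _steps.Add(data);
        return _user + ":" + _steps.Count;
    }

    public void Logout()
    {
        _user = null;
        _steps.Clear();
    }
}

class Program
{
    static void Main()
    {
        // Exercise the instance directly; the host enforces the call order.
        var svc = new WorkflowService();
        Console.WriteLine(svc.Login("alice", "wrong"));
        try { svc.Step("a"); } catch (FaultException e) { Console.WriteLine(e.Message); }
        Console.WriteLine(svc.Login("alice", "correct horse"));
        Console.WriteLine(svc.Step("a"));
        svc.Logout();
    }
}
```

The dispatcher only guarantees that Step cannot be the first message of a session; whether that session belongs to an authenticated user is still the service's own responsibility.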
17. A8 - Cross-site request forgery (CSRF)
WCF is message based, so it is not as much at risk: a browser form post cannot produce a SOAP envelope or the SOAPAction header; REST-style (webHttp) endpoints that rely on cookie authentication are exposed like any web application
It is possible to implement controls for this risk
Windows Identity Foundation
⊠If implemented, the service is already using a Security Token Service (STS)
⊠STS processes the user's authentication request
⊠Provides a claim-set for the user, signed by the STS
⊠When the user sends a message request to the service, the claim-set is presented as a token; the service validates the token's signature against the STS it trusts and then evaluates the claims
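An added example (not the deck's code) of the claim-set evaluation the WIF bullets on this slide and on A7 describe: a ClaimsAuthorizationManager from System.IdentityModel (.Net 4.5) that decides from the claims the STS issued rather than from roles. The claim types, the department claim and the principal are constructed here; in a hosted service the principal comes from the validated token and the manager is registered under system.identityModel in configuration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public class OrderAuthorizationManager : ClaimsAuthorizationManager
{
    // Assumed claim type issued by the STS for the caller's department.
    public const string DepartmentClaim = "http://example.org/claims/department";

    public override bool CheckAccess(AuthorizationContext context)
    {
        // Resource and action arrive as claims; one of each is expected here.
        string resource = context.Resource.First().Value;
        string action = context.Action.First().Value;
        ClaimsPrincipal principal = context.Principal;

        // An unauthenticated principal (no validated token) gets nothing.
        if (principal == null || !principal.Identity.IsAuthenticated) return false;

        // Administrators may do anything with orders.
        if (principal.HasClaim(ClaimTypes.Role, "Administrators")) return true;

        // Everyone else: read only, and only if the STS vouched for a department.
        if (resource == "Orders" && action == "Read")
            return principal.HasClaim(c => c.Type == DepartmentClaim);

        return false;   // default deny
    }
}

class Program
{
    // Builds the principal a validated token would produce; "Federation" as
    // the authentication type makes Identity.IsAuthenticated true.
    public static ClaimsPrincipal SalesUser()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(OrderAuthorizationManager.DepartmentClaim, "Sales")
        };
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }

    static void Main()
    {
        var manager = new OrderAuthorizationManager();
        ClaimsPrincipal alice = SalesUser();
        ClaimsPrincipal nobody = new ClaimsPrincipal(new ClaimsIdentity());   // no token

        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(alice, "Orders", "Read")));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(alice, "Orders", "Delete")));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(nobody, "Orders", "Read")));
        // Inside an operation the same decision is requested with
        // ClaimsPrincipalPermission.CheckAccess("Orders", "Read").
    }
}
```

Keeping the decision in one manager means the operations never inspect claims themselves, so adding a new claim type or tightening a rule is a single change rather than a search through every service method.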
18. A9 - Using known vulnerable components
Don't use components that are untested or whose source is unknown
Most controls and tools are already part of the .Net framework
⊠Entity Framework v5
⊠Tight integration with existing Microsoft .Net technologies
⊠Beta versions are not a good idea
OWASP ESAPI for .Net
⊠Website states it's not suitable for production use
⊠Good reason not to use it
19. A10 - Unvalidated redirects and forwards
Redirects and forwards should be avoided
WCF is not at risk the way web applications are; the service itself does not issue HTTP redirects
⊠Sometimes parameters can contain the target page
⊠Validate them against an allow-list in a custom IParameterInspector before the operation runs
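One inspector serving both this slide and the XSS slide (A3), as an added example that is not part of the deck: BeforeCall rejects string inputs that contain markup and restricts any parameter whose name ends in "Url" to an allow-list of HTTPS hosts, and an IOperationBehavior attribute attaches it to an operation. The naming convention, the allowed host and the IProfileService contract are assumptions.

```csharp
using System;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public class InputInspector : IParameterInspector
{
    private static readonly string[] AllowedRedirectHosts = { "www.example.com" };
    private readonly string[] _parameterNames;

    public InputInspector(string[] parameterNames) { _parameterNames = parameterNames; }

    // Runs on the dispatcher after deserialization and before the method body.
    public object BeforeCall(string operationName, object[] inputs)
    {
        for (int i = 0; i < inputs.Length; i++)
        {
            var s = inputs[i] as string;
            if (s == null) continue;
            string name = i < _parameterNames.Length ? _parameterNames[i] : "arg" + i;

            if (name.EndsWith("Url", StringComparison.OrdinalIgnoreCase))
            {
                if (!IsAllowedRedirect(s))
                    throw new FaultException("Redirect target not allowed: " + name);
            }
            else if (ContainsMarkup(s))
            {
                throw new FaultException("Invalid characters in parameter " + name);
            }
        }
        return null;   // correlation state handed to AfterCall
    }

    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState)
    {
        // Output side: encode or reject here if the service returns user
        // supplied data that a browser client will render.
    }

    // Deliberately crude: the real XSS defence is output encoding at the
    // client; this only keeps obvious markup out of stored data.
    public static bool ContainsMarkup(string value)
    {
        return value.IndexOf('<') >= 0 || value.IndexOf('>') >= 0;
    }

    // Absolute HTTPS URL on an allow-listed host; relative and scheme-less
    // values are rejected so "//evil.example" tricks do not pass.
    public static bool IsAllowedRedirect(string value)
    {
        Uri uri;
        if (!Uri.TryCreate(value, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;
        return AllowedRedirectHosts.Any(h => string.Equals(h, uri.Host, StringComparison.OrdinalIgnoreCase));
    }
}

// Attaches the inspector to every operation that carries the attribute.
public class ValidateInputsAttribute : Attribute, IOperationBehavior
{
    public void AddBindingParameters(OperationDescription d, BindingParameterCollection p) { }
    public void ApplyClientBehavior(OperationDescription d, ClientOperation c) { }
    public void Validate(OperationDescription d) { }

    public void ApplyDispatchBehavior(OperationDescription description, DispatchOperation dispatch)
    {
        // Parameter names come from the contract's input message description.
        string[] names = description.Messages[0].Body.Parts.Select(p => p.Name).ToArray();
        dispatch.ParameterInspectors.Add(new InputInspector(names));
    }
}

[ServiceContract]
public interface IProfileService
{
    [OperationContract, ValidateInputs]
    string UpdateDisplayName(string displayName, string returnUrl);
}

class Program
{
    static void Main()
    {
        Console.WriteLine(InputInspector.ContainsMarkup("<script>alert(1)</script>"));
        Console.WriteLine(InputInspector.IsAllowedRedirect("https://www.example.com/done"));
        Console.WriteLine(InputInspector.IsAllowedRedirect("http://www.example.com/done"));
        Console.WriteLine(InputInspector.IsAllowedRedirect("//attacker.example/phish"));
    }
}
```

Because the inspector throws a FaultException, the operation body never sees a rejected message; the client receives a generic fault that names the parameter but not the rule that tripped.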