1. Securing
Microsoft .Net
Hosted Services
INFORMATION SECURITY PRACTICUM
CAPSTONE PROJECT
LEWIS UNIVERSITY
BRETT NEMEC

2. Introduction
Myself
◦ Education
◦ Professional experience
Project
◦ .Net Hosted Services
◦ WCF
◦ Web API
◦ Data Services
◦ OWASP
◦ Top Ten
◦ How it applies to hosted services
BRETT NEMEC

3. Windows Communication
Foundation
Part of the .Net framework
◦ System.ServiceModel namespace
◦ Introduced in version 3.0
The Service Model
◦ Service oriented
◦ Interoperable
◦ Automatic configuration
◦ Follows security standards
◦ Supports multiple transports and encodings
◦ Extensible
Security
◦ SOAP
◦ Message integrity
◦ Authentication on service and client
◦ Integration with existing technology
BRETT NEMEC

4. BRETT NEMEC
Host
WAS
ASP.NET
Windows Service
Service Model
Services
Endpoints
Contracts
Operations
Messaging
HTTP TCP Queues
Transport
Security
Message
Security
XML or
Binary
Serialization

5. MVC Web API
Formerly part of WCF
ASP.NET MVC 4
◦ Model-View-Controller pattern
◦ RESTful architecture
◦ CRUD
Security
◦ Integration with existing
technology
◦ Authentication
◦ Attributes
◦ HttpGet
◦ HttpPost
◦ Authorize
BRETT NEMEC

6. Using the Authorize attribute
BRETT NEMEC

7. Data Services
Model driven architecture
◦ Object Relational Mapping
◦ Entity Framework
Odata
◦ Open Data Protocol
Data owner has more control over data
Cloud
◦ Introduces added risk due to foreign environments
◦ Data owner can have less control
BRETT NEMEC

8. OWASP
Stands for Open Web Application Security Project
Not for profit organization
Dedicated to web security
◦ Helps raise awareness of trends in security threats
Support for most popular web technologies
◦ Java
◦ C/C++
◦ .Net
◦ PHP
Top ten security risks of 2013
BRETT NEMEC

9. OWASP Top Ten Security
Risks of 2013 RC
A1 – Injection
A2 – Broken authentication
and session management
A3 – Cross-site scripting (XSS)
A4 – Insecure direct object
references
A5 – Security
misconfigurations
A6 – Sensitive data exposure
A7 – Missing functional level
access control
A8 – Cross-site request forgery
(CSRF)
A9 – Using known vulnerable
components
A10 – Unvalidated redirects
and forwards
BRETT NEMEC

10. A1 - Injection
SQL Injection
◦ Example
◦ WCF method: GetPersonByName(string name), where name = “‟ or „1‟ = „1”
◦ Executes SQL
◦ var query = “select * from Person where name = „” + p1 + “‟”;
◦ Resolves to “select * from Person where name = „‟ or „1‟ = „1‟”
◦ One of the the most prominent classes of input validation errors
◦ Don’t use command interpreters
◦ Use a parameterized interface
◦ var query = “select * from Person where name = @name”;
◦ Entity Framework v5
◦ ORM
◦ SQL is generated behind the scenes
◦ Model driven
◦ Linq to SQL
BRETT NEMEC

11. A2 – Broken authentication
and session management
WCF is stateless by default
◦ Stateful session can be enabled in configuration
Message Authentication
◦ Certificate authentication over transport security
◦ Satisfies Level 1 requirements of the OWASP Application Security Verification
Standard (ASVS)
◦ Section V2, all pages and resources must be authenticated except those that
are public
◦ Certificate authentication pre-authenticates the client
◦ Authorize attribute is used for business authentication, while client is
authenticated to the service
BRETT NEMEC

12. A3 – Cross-site scripting
(XSS)
WCF is not directly vulnerable to XSS
◦ Messages are XML based, not URLs
Implement custom input/output parameter inspectors
◦ IParameterInspector interface
BRETT NEMEC

13. A4 – Insecure direct object
references
Authorize attribute
◦ Using role-based authentication
◦ When a message is sent to an endpoint, service calls custom role provider
for the requested operation
◦ Example:
[Authorize(“Administrators”)]
public void GetAllUsers();
BRETT NEMEC

14. A5 – Security
misconfigurations
Don’t expose metadata
◦ Can be turned on for debugging in configuration
◦ App.config or web.config, using the system.serviceModel element
◦ Must be disabled for production
◦ Custom web page
BRETT NEMEC

15. A6 – Sensitive data
exposure
Store sensitive data in it’s encrypted form
Passwords
◦ Don’t actually store the password, store a hash
◦ Random salt (256 bytes)
◦ RSA Pseudo random number generator
◦ SHA-256(Salt + Password) = Salted Password Hash
◦ Every time user changes the password, a new salt is used
◦ Database table has two columns, allows for one way validation
◦ PasswordSalt, non-sensitive
◦ PasswordHash
◦ Timeout after specified number of failed attempts
◦ Stops brute force attacks
BRETT NEMEC

16. A7 – Missing functional
level access control
Related to A4, Insecure Direct Object References
WCF by default is stateless
◦ If using default, sessions are not of concern
◦ If using sessions, control with OperationContract
◦ IsInitiating property
◦ IsTerminating property
Windows Identity Foundation
◦ Supports federated claims based security
◦ Authorized claim sets
◦ Used similarly as role-based authorization
BRETT NEMEC

17. A8 – Cross-site request
forgery (CSRF)
WCF is message based, not as much of a risk
It is possible to implement controls for this risk
Windows Identity Foundation
◦ If implemented, service is already using a Security Token Service (STS)
◦ STS processes user validation request
◦ Provides a claim-set for the user
◦ When the user sends a message request to the service, the claim-set is
provided as a token, STS evaluates the token
BRETT NEMEC

18. A9 – Using known
vulnerable components
Don’t use components that are untested or source is unknown
Most controls and tools are already part of the .Net framework
◦ Entity Framework v5
◦ Tight integration with existing Microsoft .Net technologies
◦ Beta versions are not a good idea
OWASP ESAPI for .Net
◦ Website states it’s not suitable for production use
◦ Good reason not to use it
BRETT NEMEC

19. A10 – Unvalidated redirects
and forwards
Redirects and forwards should be avoided
WCF not at risk like web applications are
◦ Sometimes parameters can contain the target page
◦ IParameterInspector custom inspector
BRETT NEMEC

20. Review
Windows Communication Foundation
ASP.NET MVC Web API
OWASP
Top Ten project
BRETT NEMEC