Learn the essential functions of CompTIA Security+, which establishes the core knowledge required of any cybersecurity role and leads professionals into intermediate-level cybersecurity jobs.
Vulnerability findings by Rational Appscan on Authentication Credentials using .Net Language
Hello Experts,
Our Security team is using Rational Appscan software for scanning applications from any kind of Vulnerability’s and sensitive information’s that may allow malicious users to obtain. However, the result I get from the software is classified under three categories:
Authentication.Credentials
Authentication.Credentials
Injection.DBConnectionStri
Theses Vulnerabilities or categories are pointed to line number 2 as follow:
The connection string before it is encrypted is as as follow:
Thanks.
Our Security team is using Rational Appscan software for scanning applications from any kind of Vulnerability’s and sensitive information’s that may allow malicious users to obtain. However, the result I get from the software is classified under three categories:
Authentication.Credentials
Authentication.Credentials
Injection.DBConnectionStri
Theses Vulnerabilities or categories are pointed to line number 2 as follow:
Sub Read()
Using connection As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString())
Const queryString As String = "SELECT Name from Users where SAPID = @SAPID"
Dim command As New SqlCommand(queryString, connection)
Dim parUsername As New SqlParameter("@SAPID", SqlDbType.VarChar, 20)
parUsername.Value = TextBox1.Text
command.Parameters.Add(parUsername)
command.Connection.Open()
Using reader As SqlDataReader = command.ExecuteReader(CommandBehavior.CloseConnection)
' Call Read before accessing data.
If reader.HasRows Then
While reader.Read()
Label1.Text = reader("Name")
End While
End If
End Using
End Using
End Sub
The connection string before it is encrypted is as as follow:
<connectionStrings>
<add name="LocalSqlServer"
connectionString=";Database=;User ID=;Password=;Trusted_Connection=False;"/>
</connectionStrings>
Thanks.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
This has illustration on the insecure configuration weakness
http://www.troyhunt.com/2010/12/owasp-top-10-for-net-developers-part-6.html
Web.config is the pace which we should avoid having to put unencrypted connection strings or other sensitive data. There are just too many places where the Web.config is exposed including in source control, during deployment. imagine as the author shared also even the channel having ftp channel etc is not secure with transport layer security and in backups or via a server admin (these are just a few).
Furthermore, this is quite a risk if server or app is exploited ...e.g. one past one mentioned on the "padding oracle vulnerability" e.g. if an encrypted string can be passed to the server and its response can tell you whether the padding is valid or not, the request can be manipulated to continually change the bytes in the request and reissue them to the server until a successful response is returned.
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
You never going to be totally secured but leaving lesser gap for the attacker to exploit through secure coding will deter those attempt as much as possible.
Minimally in this case, we will want to encrypt those info as you stated in ASP.NET 2.0. It introduced Protected Configuration model that allows you to encrypt data using two Protected Configuration Providers. E.g. RSAProtectedConfigurationP
http://www.beansoftware.com/ASP.NET-Tutorials/Encrypting-Connection-String.aspx
http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx
I also suggest this checking out MSDN "How To: Protect From SQL Injection in ASP.NET" or OWASP cheatsheet
http://msdn.microsoft.com/en-us/library/ff648339.aspx
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://www.troyhunt.com/2010/12/owasp-top-10-for-net-developers-part-6.html
Web.config is the pace which we should avoid having to put unencrypted connection strings or other sensitive data. There are just too many places where the Web.config is exposed including in source control, during deployment. imagine as the author shared also even the channel having ftp channel etc is not secure with transport layer security and in backups or via a server admin (these are just a few).
Furthermore, this is quite a risk if server or app is exploited ...e.g. one past one mentioned on the "padding oracle vulnerability" e.g. if an encrypted string can be passed to the server and its response can tell you whether the padding is valid or not, the request can be manipulated to continually change the bytes in the request and reissue them to the server until a successful response is returned.
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
You never going to be totally secured but leaving lesser gap for the attacker to exploit through secure coding will deter those attempt as much as possible.
Minimally in this case, we will want to encrypt those info as you stated in ASP.NET 2.0. It introduced Protected Configuration model that allows you to encrypt data using two Protected Configuration Providers. E.g. RSAProtectedConfigurationP
http://www.beansoftware.com/ASP.NET-Tutorials/Encrypting-Connection-String.aspx
http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx
I also suggest this checking out MSDN "How To: Protect From SQL Injection in ASP.NET" or OWASP cheatsheet
http://msdn.microsoft.com/en-us/library/ff648339.aspx
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Hello breadtan,
All what you mentioned is considered,
Again, whay this software known by IBM is telling me that this subroutine is Vulnerable !!!
The Classification is type 2 and the Severity is High.
All three vulnerability’s are pointing to the below line.
Authentication.Credentials
Authentication.Credentials
Injection.DBConnectionStri
All what you mentioned is considered,
Again, whay this software known by IBM is telling me that this subroutine is Vulnerable !!!
The Classification is type 2 and the Severity is High.
All three vulnerability’s are pointing to the below line.
Authentication.Credentials
Authentication.Credentials
Injection.DBConnectionStri
Using connection As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString())
Typically Appscan give you a URL or a string to show you the exploit it tried and found. This isn't always the case, but more often than not it's in the report. Sometimes there are false positives, you have to test the string it used, look in your logs or your DB to see if it did work.
The authentication weaknesses could be plain-text cookies, or perhaps base64 credentials, or a cipher/implementation that has poor entropy (like DES or 56-bit RSA etc) The report should give you links to the answers your looking for.
-rich
The authentication weaknesses could be plain-text cookies, or perhaps base64 credentials, or a cipher/implementation that has poor entropy (like DES or 56-bit RSA etc) The report should give you links to the answers your looking for.
-rich
placing the connection string in web.config is not recommended but since you are encrypting it then it seems ok
try to move your connection string into your classes also make validation on every text box to prevent special charachters
try to move your connection string into your classes also make validation on every text box to prevent special charachters
As highlighted by experts in this discussion, the scanner would have a recommendation list (e.g. Advisory, Fix Recommendation, Request/Response)stated to correspond to the findings. Also in various programming languages. It should not be far off with what was already stated in the links in my last posting esp those from owasp and msdn. I see the key is that there are needs to have input type validation beside just key length restriction on the parameter in your existing code.
Even IBM has similar recommendation
http://publib.boulder.ibm.com/infocenter/spssdc/v6r0m1/index.jsp?topic=%2Fcom.spss.ddl%2Fsecure_dc_website.htm
As for weak authentication and unprotected parameter, that depends on how those parameters are secure at rest and in channel. The recommendation in the summary finding rightfully should have it too.
Even IBM has similar recommendation
http://publib.boulder.ibm.com/infocenter/spssdc/v6r0m1/index.jsp?topic=%2Fcom.spss.ddl%2Fsecure_dc_website.htm
As for weak authentication and unprotected parameter, that depends on how those parameters are secure at rest and in channel. The recommendation in the summary finding rightfully should have it too.
Thank you all for your answers.
As I mentioned before that it is a connection string issue and not parameters or SQL Injections. Now, because we just lunched this software, only view employees have license, me and others are waiting for something called flouting license. However, as requested I managed to get a report from the security group that explains the findings along with a report for the lines in aspx page.
The report is telling us to use SqlConnectionStringBuilder
OK, I heard about this class since .Net 2.0, but never used it before so I did my workaround and I end up with same result, I will show exactly what I did in details :
In Configuration File
Then in my aspx file i called the connection as follow:
This approach i could not figure it out as there are no clear examples available except examples showing sensitive information like below:
Attached please find explanation files.
Thanks.
Vulnerabilitys.xlsx
Vulnerabilitys.docx
As I mentioned before that it is a connection string issue and not parameters or SQL Injections. Now, because we just lunched this software, only view employees have license, me and others are waiting for something called flouting license. However, as requested I managed to get a report from the security group that explains the findings along with a report for the lines in aspx page.
The report is telling us to use SqlConnectionStringBuilder
OK, I heard about this class since .Net 2.0, but never used it before so I did my workaround and I end up with same result, I will show exactly what I did in details :
In Configuration File
<configuration>
<connectionStrings>
<add name="conStr"
connectionString="Persist Security Info=False;User ID=AAAAAAA;Password=*******;Initial Catalog=XXXXXXX;Server=ZZZZZZZZZ" />
</connectionStrings>
<system.web>
<authentication mode="Windows"/>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
<authorization>
<allow roles="Domain\Group"/>
<deny users="?"/>
<deny users="*"/>
</authorization>
<customErrors mode="Off"/>
</system.web>
<configuration>
<configProtectedData>
<providers>
<!-- contents -->
</providers>
</configProtectedData>
<connectionStrings configProtectionProvider="CustomProvider">
<EncryptedData>
<!-- encrypted contents -->
</EncryptedData>
</connectionStrings>
Imports System.Configuration
Imports System.Data.SqlClient
Public Class Connections
Shared sqlClient As String = ConfigurationManager.ConnectionStrings("conStr").ConnectionString
Shared sqlConn As String = Nothing
Shared builderStr As SqlConnectionStringBuilder = Nothing
Shared connStr As SqlConnection = Nothing
Public Shared Function [get]() As SqlConnection
If sqlConn Is Nothing Then
sqlConn = sqlClient
builderStr = New SqlConnectionStringBuilder(sqlConn.ToString) -- line 22
connStr = New SqlConnection(builderStr.ConnectionString) -- line 23
End If
Return connStr
End Function
End Class
Then in my aspx file i called the connection as follow:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
Const sqlQuery As String = "select * from users"
Using command As New SqlCommand(sqlQuery, Connections.[get]())
Connections.get.Open()
Dim sqlda As New SqlDataAdapter(command)
Dim ds As New DataSet()
sqlda.SelectCommand = command
sqlda.Fill(ds, "users")
GridView1.DataSource = ds
GridView1.DataMember = "users"
GridView1.DataBind()
End Using
End Sub
This approach i could not figure it out as there are no clear examples available except examples showing sensitive information like below:
Sub CreateConnectionString()
Dim builder As New SqlConnectionStringBuilder
builder.DataSource = "(local)"
builder.InitialCatalog = "Northwind"
builder.UserID = "user1"
builder.Password = "P@ssw0rd"
End Sub
Attached please find explanation files.
Thanks.
Vulnerabilitys.xlsx
Vulnerabilitys.docx
Yet to have chance to read the doc but saw for sqlconnectionstringbuilder
http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx
There is an example of readding in the username answer password at the bottom of the article...wondering if tool will complain if use without hardcoding
http://msdn.microsoft.com/en-us/library/ms254947(v=vs.80).aspx
http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx
There is an example of readding in the username answer password at the bottom of the article...wondering if tool will complain if use without hardcoding
http://msdn.microsoft.com/en-us/library/ms254947(v=vs.80).aspx
Hello breadtan,
For your first question, i tried to use windows authentication and it complained due to an attacker may inject the connection by setting Integrated Security to false or using extra semi-colons.
For the second question, i believe it is a sqlconnectionstringbuilder
Thanks.
For your first question, i tried to use windows authentication and it complained due to an attacker may inject the connection by setting Integrated Security to false or using extra semi-colons.
For the second question, i believe it is a sqlconnectionstringbuilder
Thanks.
thanks for sharing. Looks like as long as they are parameter for SQL API call (e.g. as in pt 1), Appscan will always be "not happy" with it since it flagged those option can be tampered.
Some sort of sanitisation (function to do the input validation) will still be needed so as to pass the scan as shared in pt 2.
Some sort of sanitisation (function to do the input validation) will still be needed so as to pass the scan as shared in pt 2.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial