Secure Code Warrior OWASP Web Top 10 2017 A1-A2: injection flaws and broken authentication vulnerabilities

Let's start with the most critical application weaknesses.

These challenges give you the foundations of

1: Injection Flaws and

2: Broken Authentication vulnerabilities

1. LdapFilterEncode

 
// Escape the user-supplied value before it is placed into the LDAP search filter,
// so that filter metacharacters such as * ( ) \ cannot change the query structure.
var sAMAccountName = Microsoft.Security.Application.Encoder.LdapFilterEncode(username);
searcher.Filter = string.Format("(sAMAccountName={0})", sAMAccountName);

c# - LDAP Filter Encoder Replacement - Stack Overflow

I was looking for the answer to this and came across your question. I found it here; it has been moved to a NuGet package here: https://www.nuget.org/packages/AntiXSS/ and taken out of the core framework.

According to this blog post: https://archive.codeplex.com/?p=wpl the project will continue to be updated with security updates; however, the last time it was updated on NuGet was 2014.

I installed the package, the namespace you need is still:

Microsoft.Security.Application.Encoder.LdapFilterEncode(value)
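Since the AntiXSS package is no longer maintained, it helps to see what LdapFilterEncode is doing for the snippet above. The following is an added example, not code from the original post or from the AntiXSS library: it applies the RFC 4515 escaping rules for the five LDAP filter metacharacters and builds the sAMAccountName filter from the escaped value, with the DirectorySearcher usage mirroring the snippet. The hand-written routine escapes only those five characters; the directory entry, method names and sample inputs are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class LdapFilterHelper
{
    // Escapes a value for use inside an LDAP search filter per RFC 4515:
    // the characters \ * ( ) and NUL become a backslash followed by two hex digits.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // The filter template is fixed; only the escaped value is substituted into it.
    public static string BuildAccountFilter(string username)
    {
        return "(sAMAccountName=" + EscapeFilterValue(username) + ")";
    }

    // Runs the search against an existing directory entry (assumed to be bound already).
    public static SearchResult FindUser(DirectoryEntry root, string username)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildAccountFilter(username);
            searcher.PropertiesToLoad.Add("sAMAccountName");
            return searcher.FindOne();
        }
    }

    public static void Main()
    {
        // Constructed inputs: a plain account name and one containing filter metacharacters.
        Console.WriteLine(BuildAccountFilter("jdoe"));
        Console.WriteLine(BuildAccountFilter("a*(b)\\c"));
    }
}
```

The second constructed input shows that parentheses, asterisks and backslashes in the value end up as escape sequences inside the filter, so they are matched literally instead of being parsed as filter syntax.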
 

2. Parameterized SQL

// userTable must be a fixed identifier chosen in code, never user input: table and column
// names cannot be bound as parameters, so only the value in the WHERE clause is parameterized.
string query = $@"SELECT [Id], [EmailAddress], [DisplayName], [UserName] FROM {userTable} " +
               "WHERE UserName = @UserName";
using (SqlCommand cmd = new SqlCommand(query))
{
    cmd.Connection = connection;
    // Bind the user-supplied name as a parameter (userName is the method argument, assumed here);
    // the value travels separately from the SQL text, so it cannot change the statement.
    cmd.Parameters.AddWithValue("@UserName", userName);
    connection.Open();
}
The query string used to search for orders is built incorrectly. In addition, the SQL query template is stored improperly on the server: as soon as an adversary gains access to the file system and modifies the file's content, the integrity of the database is at risk, because the application loads the SQL query from the modified file and executes it without any restriction.
 
 
Stored procedures should be used to keep SQL queries outside the codebase. Compared with regular SQL queries, they have an advantage in performance and in SQL injection resistance, since the parameters are encoded where necessary. Therefore, a stored procedure is used to search for orders by e-mail, and the SqlParameterCollection class is used to pass the search value. Any attempt at SQL injection will then fail.
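As an added example of the corrected approach described above (not the challenge's own solution code), the order search below runs a stored procedure through ADO.NET and passes the e-mail address via SqlParameterCollection, so the command text never contains user input and no query template is read from a file. The stored procedure name, its column layout and the connection string are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public sealed class OrderRepository
{
    private readonly string _connectionString;

    public OrderRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Assumed stored procedure living in the database (not from the original page):
    //   CREATE PROCEDURE dbo.FindOrdersByEmail @Email NVARCHAR(254) AS
    //     SELECT [Id], [Total] FROM [Orders] WHERE [CustomerEmail] = @Email;
    //
    // Anti-pattern this replaces: reading a template such as
    //   "SELECT ... WHERE CustomerEmail = '{email}'" from a file on disk and
    // substituting the value into it with string replacement.
    public IList<(int Id, decimal Total)> FindOrdersByEmail(string email)
    {
        if (string.IsNullOrWhiteSpace(email)) throw new ArgumentException("e-mail required", nameof(email));

        var results = new List<(int, decimal)>();
        using (var connection = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("dbo.FindOrdersByEmail", connection))
        {
            // The command text is only the procedure name; it is never assembled from input.
            cmd.CommandType = CommandType.StoredProcedure;

            // Explicitly typed and sized parameter: the value is sent separately from the
            // SQL text, so quotes or comment sequences inside it cannot alter the statement.
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;

            connection.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add((reader.GetInt32(0), reader.GetDecimal(1)));
                }
            }
        }
        return results;
    }
}
```

Declaring the parameter with SqlDbType and length, rather than letting AddWithValue infer them, also keeps the plan cache stable and avoids implicit conversions on the column side.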
 
 

Injection Flaws - OS Command Injection

 
The file name included in the command line comes from a user request. An adversary can craft a file name that appends OS commands, which are then executed on the server side.
public NoteVM GetNote(string name)
{
    if (!IsNoteExists(name))
    {
        return null;
    }
    try
    {
        var process = new System.Diagnostics.Process();
        process.StartInfo = new System.Diagnostics.ProcessStartInfo()
        {
            // Vulnerable: the user-controlled file name is embedded in a cmd.exe command line,
            // so shell operators inside it are interpreted as additional commands.
            Arguments = $"/C MORE \"{FullFilePath(name)}\"",
            FileName = "cmd.exe",
            UseShellExecute = false,
            RedirectStandardOutput = true
        };
        process.Start();
        // Read the redirected output before waiting, otherwise a full pipe can deadlock the child.
        var content = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        return new NoteVM { Name = name, Content = content };
    }
    catch
    {
        return null;
    }
}
Cleaning user input with a denylist of prohibited command-line operators and commands is not a correct fix, since a denylist is never complete: an adversary can use commands and operators that the denylist does not cover and have them executed on the server side. Such filtering may also corrupt legitimate user input because the checking method is unreliable. Instead, look for a way to use built-in platform tools to interact with the OS wherever possible.
 
The built-in platform tools provide sufficient protection against OS command injection. The File.ReadAllText(string) method provided by the .NET Framework reads a file's contents directly, taking the path as a parameter rather than passing it through a command line, so any attempt to smuggle in OS commands will fail.
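The following is an added example, not the challenge's own fixed code, of GetNote rewritten around File.ReadAllText as the paragraph above recommends. Because no shell is involved, the file name is only ever data; the example additionally restricts the name to a simple character set and confirms the resolved path stays inside the notes directory. The notes directory, the .txt extension and the NoteVM shape are assumptions.

```csharp
using System;
using System.IO;

public class NoteVM
{
    public string Name { get; set; }
    public string Content { get; set; }
}

public sealed class NoteService
{
    private readonly string _notesRoot;

    // notesRoot is assumed, e.g. C:\app\notes; it is normalised once here.
    public NoteService(string notesRoot)
    {
        _notesRoot = Path.GetFullPath(notesRoot);
    }

    // Accept only short names made of letters, digits, '-' and '_'. Anything else is rejected
    // outright instead of being "cleaned", so there is no denylist to get wrong.
    private static bool IsValidNoteName(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 64) return false;
        foreach (char c in name)
        {
            if (!char.IsLetterOrDigit(c) && c != '-' && c != '_') return false;
        }
        return true;
    }

    public NoteVM GetNote(string name)
    {
        if (!IsValidNoteName(name)) return null;

        // Build the path, then re-check that it still lies under the notes directory after
        // normalisation (defence in depth on top of the character allowlist).
        string fullPath = Path.GetFullPath(Path.Combine(_notesRoot, name + ".txt"));
        string rootPrefix = _notesRoot.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!fullPath.StartsWith(rootPrefix, StringComparison.OrdinalIgnoreCase)) return null;

        if (!File.Exists(fullPath)) return null;

        // File.ReadAllText receives the path as an argument: no cmd.exe, no command line,
        // nothing for operators such as & or | to attach to.
        string content = File.ReadAllText(fullPath);
        return new NoteVM { Name = name, Content = content };
    }
}
```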
ADO.NET, provided by the .NET platform, includes components for creating and executing SQL queries against the DBMS. The SqlParameterCollection class offers the AddWithValue() method, which passes the value as an encoded parameter rather than as part of the query text, eliminating the possibility of SQL injection. Any SQL commands injected into the value are treated as plain text within the parameter.
 
Entity Framework lets developers query through LINQ over entity classes, which mitigates SQL injection.
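To show the Entity Framework route in the same user lookup as the parameterized query earlier, here is an added example (not from the original post) using EF Core. The entity, the DbContext and the table name are assumptions; it requires the Microsoft.EntityFrameworkCore package and a configured provider.

```csharp
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Assumed entity and context (not from the original page).
public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string EmailAddress { get; set; }
    public string DisplayName { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users { get; set; }
}

public static class UserQueries
{
    // LINQ over the entity set: EF Core translates the lambda to SQL and sends userName
    // as a DbParameter, so the value never becomes part of the SQL text.
    public static User FindByUserName(AppDbContext db, string userName)
    {
        return db.Users.SingleOrDefault(u => u.UserName == userName);
    }

    // When raw SQL is unavoidable, FromSqlInterpolated turns each {hole} in the interpolated
    // string into a parameter. Building the string first and handing it to FromSqlRaw
    // would put the value back into the SQL text and reintroduce the injection problem.
    public static User FindByUserNameRawSql(AppDbContext db, string userName)
    {
        return db.Users
            .FromSqlInterpolated(
                $"SELECT [Id], [EmailAddress], [DisplayName], [UserName] FROM [Users] WHERE [UserName] = {userName}")
            .AsNoTracking()
            .SingleOrDefault();
    }
}
```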
 
 
 

Authentication - Insufficient Anti-Automation

This application does not keep track of the number of failed login attempts per user, which leaves it vulnerable to password enumeration attacks: an attacker can brute-force the password by trying different combinations until the correct one is found. The risk is even greater for weak passwords.
 
 
 
To mitigate the risk of password enumeration attacks, the application maintains a count of failed login attempts per user. When the count reaches a system-configured limit, the user account is locked. Once locked, all further login attempts for that account are denied until a system administrator unlocks it. This prevents attackers from making an unlimited number of login attempts to guess the correct password. Applications should also notify users at their registered e-mail address when their account is locked. Additionally, enforcing a strong password policy is advisable, because it makes it harder for attackers to guess the correct password.
 
 
 
It is not recommended to provide specific feedback on what went wrong during the authentication process. Giving too much information lets an adversary exploit the login function to work out which usernames exist.
 
 
The system now temporarily blocks access to the account for some minutes after several incorrect login attempts, to prevent password enumeration. The user receives a message saying that the account may have been temporarily blocked and asking them to wait a while before trying again.
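The three paragraphs above describe one mechanism: count failures per account, lock temporarily after a limit, and say nothing specific about why sign-in failed. The class below is an added example (not the challenge's solution code) that puts those pieces together in memory. The thresholds, the enum names and the injected password-verification delegate are assumptions; a real deployment reads the limits from configuration and keeps the state in a shared store.

```csharp
using System;
using System.Collections.Concurrent;

public enum LoginOutcome { Success, Failed, LockedOut }

// Per-account failure counter with a temporary lockout, as described in the text.
public sealed class LoginThrottle
{
    private readonly int _maxFailures;
    private readonly TimeSpan _lockoutDuration;
    private readonly Func<DateTime> _now;
    private readonly ConcurrentDictionary<string, (int Failures, DateTime? LockedUntil)> _state =
        new ConcurrentDictionary<string, (int Failures, DateTime? LockedUntil)>(StringComparer.OrdinalIgnoreCase);

    // Assumed defaults: five failures lock the account for fifteen minutes. The clock is
    // injectable so the behaviour can be unit-tested without waiting.
    public LoginThrottle(int maxFailures = 5, TimeSpan? lockoutDuration = null, Func<DateTime> now = null)
    {
        _maxFailures = maxFailures;
        _lockoutDuration = lockoutDuration ?? TimeSpan.FromMinutes(15);
        _now = now ?? (() => DateTime.UtcNow);
    }

    // verifyPassword is the application's existing credential check (assumed to exist).
    public LoginOutcome Attempt(string username, string password, Func<string, string, bool> verifyPassword)
    {
        var entry = _state.GetOrAdd(username, _ => (0, (DateTime?)null));
        DateTime now = _now();

        // Still inside the lockout window: reject without even evaluating the password.
        if (entry.LockedUntil.HasValue && entry.LockedUntil.Value > now)
            return LoginOutcome.LockedOut;

        if (verifyPassword(username, password))
        {
            _state[username] = (0, (DateTime?)null);   // success resets the counter
            return LoginOutcome.Success;
        }

        int failures = entry.Failures + 1;
        if (failures >= _maxFailures)
        {
            // Lock the account; the counter restarts from zero once the window has expired.
            _state[username] = (0, now + _lockoutDuration);
            return LoginOutcome.LockedOut;
        }

        _state[username] = (failures, (DateTime?)null);
        return LoginOutcome.Failed;
    }

    // One generic message for every non-success outcome, so the response does not reveal
    // whether the username exists or which part of the check failed.
    public static string MessageFor(LoginOutcome outcome)
    {
        return outcome == LoginOutcome.Success
            ? "Signed in."
            : "Sign-in failed. If this account exists, it may have been temporarily locked; please wait and try again.";
    }
}
```

The read-then-write on the dictionary is not atomic, which is acceptable for a single-process demonstration; under real concurrency the counter should be updated with an atomic store operation or a database row lock, and the lockout event should trigger the e-mail notification the text recommends.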
 
 

Authentication - Insecure Password Change Function

In the process of changing a password, the current password must be requested and verified. Otherwise an attacker who has gained control of a session could change that user's password.
 
 
The password change mechanism must request the user's current password in order to re-authenticate the user. Only after it has been successfully verified against the stored password does the user's newly chosen password replace the current one.
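As an added example of the re-authentication step described above (not the challenge's own solution code), the service below verifies the supplied current password against the stored PBKDF2 hash before deriving and returning a new one. The storage record, the iteration count and the minimum-length policy are assumptions; it uses the static Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes APIs, so it needs .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;

public enum PasswordChangeResult { Changed, CurrentPasswordIncorrect, NewPasswordRejected }

// Stored credential record: PBKDF2-SHA256 hash plus per-user salt (assumed storage format).
public sealed class StoredCredential
{
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
    public int Iterations { get; set; }
}

public static class PasswordService
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int DefaultIterations = 600_000;   // assumed policy value

    public static StoredCredential Create(string password, int iterations = DefaultIterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, HashBytes);
        return new StoredCredential { Salt = salt, Hash = hash, Iterations = iterations };
    }

    public static bool Verify(string password, StoredCredential stored)
    {
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password, stored.Salt, stored.Iterations, HashAlgorithmName.SHA256, HashBytes);
        // Constant-time comparison: the response time must not depend on how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
    }

    // Re-authenticates with the current password before accepting the new one. Holding a valid
    // session is not enough: the caller must also know the existing password.
    public static PasswordChangeResult ChangePassword(
        StoredCredential current, string currentPassword, string newPassword, out StoredCredential updated)
    {
        updated = null;

        if (currentPassword == null || !Verify(currentPassword, current))
            return PasswordChangeResult.CurrentPasswordIncorrect;

        // Assumed minimum policy: at least 12 characters and not the same as the current password.
        if (string.IsNullOrEmpty(newPassword) || newPassword.Length < 12 || Verify(newPassword, current))
            return PasswordChangeResult.NewPasswordRejected;

        updated = Create(newPassword);
        return PasswordChangeResult.Changed;
    }
}
```

Only when the result is Changed does the caller persist the returned record; the other two outcomes leave the stored credential untouched, and a failed re-authentication here should also count towards the login throttle so that the change form cannot be used to guess the current password.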
 
 
 
 
 
 
 
 
 
 
 
posted @ 2023-10-16 10:14 ChuckLu