Secure Code Warrior C# Basic OWASP Web Top 10 2017 3: Sensitive Data Exposure and 4: XXE vulnerabilities

Let's continue with some other very common application weaknesses. This set of levels will focus on 3: Sensitive Data Exposure and 4: XXE vulnerabilities

A3: Sensitive Data Exposure

Insecure Cryptography - Insecure Randomness

Seeding the RNG with DateTime.UtcNow.Ticks will not provide an output that is random enough. An adversary could easily crack it. 

 private void NextBytes(byte[] bytes)

        {

            for (var i = 0; i < bytes.Length; i++)

            {

                bytes[i] = (byte)(DateTime.UtcNow.Ticks % 256);

            }

        }

Using BouncyCastle's SecureRandom provides a cryptographically strong random number generator (RNG). It can have up to 128 bits. In addition, SecureRandom uses random data from your OS (for example, the interval between keystrokes, etc.) and uses that as a seed.

 

Sensitive Data Storage - Plain Text Storage of Sensitive Information

Confidential user data is encrypted via concatenation with an encryption key. However, the key itself is too simple and is stored directly in the code. An adversary could compromise the application and get hold of the key. 

User confidential notes are encrypted using AES. Advanced Encryption Standard (AES), also known as Rijndael, is the successor to DES. AES accepts 128, 192, or 256 bit keys. It has a fixed block size of 128 bits, and it is suitable to be implemented for both software and hardware. AES implemented in combination with GCM mode greatly improves protection against distortion, active man-in-the-middle attacks and Padding Oracle Attacks.

 

Insufficient Transport Layer Protection - Unprotected Transport of Credentials

The server certificate is not verified and the transfer protocol itself is outdated. An adversary can create a phishing server or use MITM attacks.

   enableServerCertValidation: false,

      enabledSslProtocols: System.Security.Authentication.SslProtocols.Ssl2,

The server-provided certificate should be verified, and in case of errors, the connection has to be terminated to prevent phishing. The encryption protocol itself has to be as modern as possible. So, the server certificate validation errors are taken into account before the connection is established, and TLS 1.2 is used. An adversary won't be able to use either a phishing server or MITM attacks to hijack credentials.

 

A4: XXE vulnerabilities

XML External Entities (XXE) - XML External Entities (XXE)

The XmlReaderSettings has DtdProcessing set to Parse. Next to that, a nonnull XmlResolver object will allow parsing of external entities. These settings make the XmlReader unsafe, and consequently, make the application vulnerable to XXE attacks.

有问题的代码

 var resolver = new XmlUrlResolver();

            var settings = new XmlReaderSettings

                               {

                                   DtdProcessing =

                                       DtdProcessing.Parse,

                                   XmlResolver = resolver

                               };

XmlReader is safe by default. DtdProcessing is set to Prohibit and the XmlResolver is set to null. Untrusted XML input will not be accepted, and consequently, attackers will not get access to sensitive information in this manner.

正确配置是

            var settings = new XmlReaderSettings

                                       {

                                           DtdProcessing =

                                               DtdProcessing.Prohibit,

                                           XmlResolver = null

                                       };

 

 

 

XML External Entities (XXE) - XML External Entities (XXE)

An XML string is deserialized insecurely; any commands and references will be interpreted and executed. An adversary can inject XML commands into data that can compromise the server's secrets.

An XML serializer uses client data, so DTD header processing has to be disabled, and no link handler has to be provided. The XmlReaderSettings instance is configured to disable these features since their use is not provided. There is no way for an adversary to reveal the server secrets since the XML commands will not be interpreted.

 

 

XML External Entities (XXE) - XML External Entities (XXE)

Using an insecure configuration when parsing XML data may allow an adversary to include a reference to an external entity to carry out unauthorized operations like sensitive data disclosure, denial of service, etc.

                new XmlReaderSettings

                {

                    DtdProcessing = DtdProcessing.Ignore,

                    XmlResolver = null

                }))

设置成ignore也可以

 

It is recommended to completely disable DTDs (External Entities) completely if possible. The application is ensuring that System.Xml.XmlReader configuration is set to disable DtdProcessing and set XmlResolver to null. In this way, External as no External Entities will be processed, the application will not be vulnerable to XXE attacks.

 

作者:Chuck Lu    GitHub