1. Injection
The problem: SQL Injection
// The id is concatenated straight into the statement text
string sql = @"SELECT * FROM Memos WHERE Id = " + idString;
using (OleDbConnection cnn = new OleDbConnection(connectionString))
{
cnn.Open();
OleDbCommand cmd = new OleDbCommand(sql, cnn);
OleDbDataReader reader = cmd.ExecuteReader();
while (reader.Read())
{
...
}
}
If idString comes from user input, it can be manipulated to change the statement itself: an idString of 1 OR 1=1 returns every memo, and, depending on the database, a quote or a semicolon can terminate the intended query and append further SQL.
The fix is to use a parameterized query (prepared statement). The value is sent to the database separately from the SQL text and is only ever treated as data, never parsed as part of the statement:
string sql = @"SELECT * FROM Memos WHERE Id = ?";
using (OleDbConnection cnn = new OleDbConnection(connectionString))
{
cnn.Open();
OleDbCommand cmd = new OleDbCommand(sql, cnn);
// OleDb parameters are positional: the first parameter added fills the first "?";
// the name passed to AddWithValue is not matched against the statement
cmd.Parameters.AddWithValue("@Id", idString);
OleDbDataReader reader = cmd.ExecuteReader();
while (reader.Read())
{
...
}
}
Better still, parse the id to an int before adding it, so the parameter type matches the column and a non-numeric value is rejected before it reaches the database.
2. Broken Authentication
The problem: Session is kept after logout
public ActionResult LogOut()
{
// Only redirects; the server-side session and any stored session record survive
return RedirectToAction("LogOn");
}
The fix is to invalidate the session on the server side (and delete the user's session record if the application tracks sessions in the database) rather than only redirecting:
public ActionResult LogOut()
{
string userName = Session["UserName"] as string;
if (userName != null)
{
db.RemoveUserSession(userName);
}
Session.Abandon(); // ends the ASP.NET session; the next request gets a new session id
return RedirectToAction("LogOn");
}
If the site uses Forms Authentication, also clear the authentication ticket (FormsAuthentication.SignOut()); otherwise the browser still presents a valid ticket and the user remains logged in even though the session data is gone.
3. Sensitive Data Exposure
The problem: Storing passwords in plain text
var user = new User()
{
Email = email,
Login = login,
Password = password, // stored exactly as typed; a copy of the database hands out every password
Name = name,
Role = role
};
The fix is to store only a salted, slow hash of the password (Argon2 here, via whichever Argon2 library the project uses), so that a leaked database does not reveal the passwords themselves. A login is then checked by verifying the candidate password against the stored hash, never by comparing plain text:
var user = new User()
{
Email = email,
Login = login,
Password = Argon2.Hash(password), // salted Argon2 hash; checked at login with the library's verify function
Name = name,
Role = role
};
4. XML External Entities (XXE)
The problem: DTD processing is enabled and a resolver is supplied, so an external entity declared in items.xml is fetched and expanded, which can read local files or reach URLs on the internal network:
var resolver = new XmlUrlResolver(); // follows file:// and http:// references for external entities
var settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Parse, // entity declarations in the DOCTYPE are honoured
XmlResolver = resolver
};
XmlReader reader = XmlReader.Create("items.xml", settings);
The fix is to refuse DTDs altogether and give the reader no way to fetch anything external:
var settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Prohibit, // a DOCTYPE now throws an XmlException
XmlResolver = null                       // nothing external can be fetched even if DTDs were allowed
};
XmlReader reader = XmlReader.Create("items.xml", settings);
On .NET Framework 4.0 and later XmlReaderSettings already defaults to DtdProcessing.Prohibit; the explicit settings matter for older targets and for code that had turned DTD processing on. Older versions (before 4.5.2) of XmlDocument and XmlTextReader resolve external entities by default, so set XmlResolver = null on those too.
5. Broken Access Control
The problem: Unvalidated Redirects and Forwards (open redirect)
private ActionResult RedirectToLocal(string returnUrl)
{
if (!string.IsNullOrEmpty(returnUrl))
{
// Any non-empty value is followed, including a full URL to another site supplied in the query string
return Redirect(returnUrl);
}
return RedirectToAction("Index");
}
A login link carrying returnUrl=http://attacker.example/ sends the user, right after a successful login on the real site, to a page the attacker controls, which is a convincing place to ask for the password again.
The fix is to validate that the URL is local to this application before redirecting; anything else falls through to Index:
private ActionResult RedirectToLocal(string returnUrl)
{
// Url.IsLocalUrl accepts only paths such as /Memos/1 or ~/Memos;
// absolute URLs and scheme-relative ones (//attacker.example) are rejected
if (Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
return RedirectToAction("Index");
}
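What counts as "local" is the whole point of the check, so here is an added example (not the post's code and not the framework's own implementation) that reimplements the MVC 5 rule in a plain static method, usable outside a controller, and runs it over a constructed set of inputs. The host names are placeholders.

```csharp
// Added example: a stand-alone local-URL check following the same rules as
// System.Web.Mvc's Url.IsLocalUrl, plus a table of inputs showing what it rejects.
using System;

public static class RedirectGuard
{
    // A URL is local only if it is a path on this application: it starts with a single "/"
    // (not "//" or "/\", which browsers treat as scheme-relative and send to another host)
    // or with "~/" (ASP.NET app-relative). Everything else, including absolute URLs that
    // happen to point at our own host, is rejected and the caller uses a fixed fallback.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
        {
            if (url.Length == 1) return true;
            return url[1] != '/' && url[1] != '\\';
        }
        if (url.Length > 1 && url[0] == '~' && url[1] == '/')
        {
            return true;
        }
        return false;
    }

    // Mirrors the controller's RedirectToLocal: the target the app would actually redirect to.
    public static string SafeTarget(string returnUrl, string fallback = "/")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed probe inputs: the first two are legitimate, the rest are what an
        // attacker places in a login link.
        string[] probes =
        {
            "/Account/Profile",
            "~/Memos",
            "//attacker.example/phish",
            "/\\attacker.example",
            "http://attacker.example/",
            "https://a.company.com/legit",   // absolute, so rejected; pass a relative path instead
            "javascript:alert(1)",
            "",
        };
        foreach (var p in probes)
        {
            Console.WriteLine((IsLocalUrl(p) ? "local    " : "rejected ") + p + " -> " + SafeTarget(p));
        }
    }
}
```

Rejecting absolute URLs to your own host is deliberate: allowing them would mean parsing host names, and that is where open-redirect bypasses live (userinfo tricks, trailing dots, unusual encodings). A relative path expresses everything a return URL needs.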
6. Security Misconfiguration
The problem: Information Exposure of Error Details
Logger.LogError(ex.Message + ex.StackTrace);
The fix is to record the stack trace only when a debugger is attached and to log just the message otherwise:
if (Debugger.IsAttached)
Logger.LogDebug(ex.Message + ex.StackTrace);
Logger.LogError(ex.Message);
The exposure to worry about is the stack trace reaching the user, not the log: file paths, framework versions and query fragments on an error page are what an attacker reads. Full exception details belong in a server-side log that only operators can read (section 10 depends on having them), while production serves a generic error page: in ASP.NET, customErrors mode="On" or "RemoteOnly" in web.config; in ASP.NET Core, an exception-handling middleware that returns a generic response.
7. Cross Site Scripting (XSS)
The problem: a value from the database, possibly typed in by another user, is copied into the model and later rendered into the page as-is:
userModel.Information = reader["Information"].ToString();
The fix is to HTML-encode the value before it is emitted into the page:
string information = reader["Information"].ToString();
// AntiXssEncoder (System.Web.Security.AntiXss) uses an allow-list encoder;
// the second argument (useNamedEntities) selects named entities such as &amp;copy; when true
string encodedInfo = AntiXssEncoder.HtmlEncode(information, false);
userModel.Information = encodedInfo;
Encode for the context in which the value is emitted. In Razor, @Model.Information already HTML-encodes, so a value encoded while loading the model is encoded twice unless the view uses Html.Raw; a value placed inside a script block or an attribute needs HttpUtility.JavaScriptStringEncode or AntiXssEncoder.HtmlAttributeEncode instead of HtmlEncode.
8. Insecure Deserialization
The problem: a file whose contents the application does not control is deserialized as-is, so whoever can write the file decides what gets instantiated:
using (var filestream = File.Open(filename, FileMode.Open))
{
return DeserializeObject<T>(filestream, settings);
}
The fix is to encrypt the serialized data and decrypt it on the way back, so that only a holder of the password can produce a file that deserializes at all:
using (var filestream = File.Open(filename, FileMode.Open))
{
using (var cs = new CryptoStream(filestream,
CreateRijndael(password).CreateDecryptor(),
CryptoStreamMode.Read))
{
return DeserializeObject<T>(cs, settings);
}
}
// Pepper is an application-wide byte[] salt assumed to be defined elsewhere
private static Rijndael CreateRijndael(string password)
{
var rijndael = Rijndael.Create(); // Aes.Create() is the non-obsolete equivalent
var pdb = new Rfc2898DeriveBytes(password, Pepper, 1000000);
rijndael.Key = pdb.GetBytes(32);
rijndael.IV = pdb.GetBytes(16); // derived from the same password and fixed salt, so every file gets the same IV
return rijndael;
}
Two caveats. Encryption gives confidentiality, not integrity: CBC mode without a MAC lets anyone who can edit the file flip bits in the decrypted plaintext, and anyone who learns the password can craft an arbitrary object graph. The stronger fix is to authenticate the serialized bytes (an HMAC over the blob, or an authenticated mode such as AES-GCM) and to deserialize only into a fixed, known type, never with BinaryFormatter and never with a serializer setting that lets the payload name the class to instantiate (for example Json.NET's TypeNameHandling set to anything but None).
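As an added example (not the post's code) of the authenticate-then-deserialize approach that the caveats above call for: the blob carries an HMAC-SHA256 tag over the serialized bytes, the tag is checked in constant time before any parsing, and deserialization targets a fixed type through System.Text.Json, which does not honour type-name hints in the data. The Memo type, the in-process key and the tampering step are constructed for the demo; it assumes .NET Core 3.0 or later (System.Text.Json, CryptographicOperations). Add AES (or use AES-GCM for both at once) if the contents must also be secret.

```csharp
// Added example: HMAC-authenticated serialization into a fixed type.
using System;
using System.Security.Cryptography;
using System.Text.Json;

public sealed class Memo
{
    public int Id { get; set; }
    public string Text { get; set; } = "";
}

public static class SignedSerializer
{
    private const int TagSize = 32; // HMAC-SHA256 output length

    // Layout: [32-byte HMAC tag][UTF-8 JSON]. The tag covers the JSON bytes.
    public static byte[] Serialize<T>(T value, byte[] key)
    {
        byte[] json = JsonSerializer.SerializeToUtf8Bytes(value);
        using var mac = new HMACSHA256(key);
        byte[] tag = mac.ComputeHash(json);
        byte[] blob = new byte[TagSize + json.Length];
        Buffer.BlockCopy(tag, 0, blob, 0, TagSize);
        Buffer.BlockCopy(json, 0, blob, TagSize, json.Length);
        return blob;
    }

    // Verifies the tag first; bytes that fail the check never reach the deserializer.
    public static T Deserialize<T>(byte[] blob, byte[] key)
    {
        if (blob.Length < TagSize) throw new CryptographicException("blob too short");
        byte[] tag = new byte[TagSize];
        byte[] json = new byte[blob.Length - TagSize];
        Buffer.BlockCopy(blob, 0, tag, 0, TagSize);
        Buffer.BlockCopy(blob, TagSize, json, 0, json.Length);
        using var mac = new HMACSHA256(key);
        byte[] expected = mac.ComputeHash(json);
        if (!CryptographicOperations.FixedTimeEquals(tag, expected))
            throw new CryptographicException("integrity check failed; refusing to deserialize");
        // T is fixed by the caller. System.Text.Json has no "$type"-style polymorphism here,
        // so the payload cannot choose which class gets instantiated.
        return JsonSerializer.Deserialize<T>(json) ?? throw new JsonException("null payload");
    }

    public static void Main()
    {
        byte[] key = new byte[32];
        RandomNumberGenerator.Fill(key); // demo only; a real key is loaded from protected configuration

        var memo = new Memo { Id = 42, Text = "quarterly numbers" };
        byte[] blob = Serialize(memo, key);
        Console.WriteLine("round trip: " + Deserialize<Memo>(blob, key).Text);

        // Tamper with one byte of the JSON body: byte 6 is the '4' of "Id":42.
        byte[] tampered = (byte[])blob.Clone();
        tampered[TagSize + 6] ^= 0x01;
        try
        {
            Deserialize<Memo>(tampered, key);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("tampered blob: " + e.Message);
        }
    }
}
```

The order matters: verify, then parse. A serializer that runs before the check has already executed converters and constructors on attacker-controlled input, which is exactly the exposure this item is about.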
9. Using Components with Known Vulnerabilities
The problem: linking a stylesheet (or script) from a third-party host over plain HTTP, with no check on what that host actually serves:
<link href="http://a.company.com/some.styles.css" rel="stylesheet" />
The fix is to load it over HTTPS and pin its contents with Subresource Integrity, so that a modified copy (a compromised CDN, a hijacked DNS name, or a silently updated file) is refused by the browser:
<link href="https://a.trustworthy.website.com/some.styles.css"
rel="stylesheet"
integrity="sha256-......."
crossorigin="anonymous" />
The integrity value is the base64 SHA-256 (or SHA-384/SHA-512) digest of the exact file you reviewed. SRI pins a version; it does not tell you when that version acquires a known CVE, so the other half of this item is an inventory of third-party components and a routine for updating them.
10. Insufficient Logging and Monitoring
The problem: the exception goes to the console, where nobody sees it once the application runs as a service:
Console.WriteLine(ex.Message);
The fix is to send it to the application's logging pipeline, where it is persisted and can be alerted on:
Logger.LogError(ex.Message);
Log the whole exception rather than only its message (logging APIs generally accept the Exception object) together with the context needed to investigate: timestamp, user, request or correlation id, and the action that failed. Security-relevant events such as failed logins, access-control denials and input-validation failures deserve the same treatment, and the logs need someone, or an alerting rule, watching them.
Monday, December 30, 2019