2. Introduction
Myself
◦ Education
◦ Professional experience
Project
◦ .Net Hosted Services
◦ WCF
◦ Web API
◦ Data Services
◦ OWASP
◦ Top Ten
◦ How it applies to hosted services
BRETT NEMEC
3. Windows Communication Foundation
Part of the .Net framework
◦ System.ServiceModel namespace
◦ Introduced in version 3.0
The Service Model
◦ Service oriented
◦ Interoperable
◦ Automatic configuration
◦ Follows security standards
◦ Supports multiple transports and encodings
◦ Extensible
Security
◦ SOAP
◦ Message integrity
◦ Authentication on service and client
◦ Integration with existing technology
7. Data Services
Model driven architecture
◦ Object Relational Mapping
◦ Entity Framework
Odata
◦ Open Data Protocol
Data owner has more control over data
Cloud
◦ Introduces added risk due to foreign environments
◦ Data owner can have less control
8. OWASP
Stands for Open Web Application Security Project
Not for profit organization
Dedicated to web security
◦ Helps raise awareness of trends in security threats
Support for most popular web technologies
◦ Java
◦ C/C++
◦ .Net
◦ PHP
Top ten security risks of 2013
9. OWASP Top Ten Security Risks of 2013 RC
A1 – Injection
A2 – Broken authentication and session management
A3 – Cross-site scripting (XSS)
A4 – Insecure direct object references
A5 – Security misconfigurations
A6 – Sensitive data exposure
A7 – Missing functional level access control
A8 – Cross-site request forgery (CSRF)
A9 – Using known vulnerable components
A10 – Unvalidated redirects and forwards
10. A1 - Injection
SQL Injection
◦ Example
◦ WCF method: GetPersonByName(string name), where name = ' or '1' = '1
◦ Executes SQL
◦ var query = "select * from Person where name = '" + p1 + "'";
◦ Resolves to "select * from Person where name = '' or '1' = '1'"
◦ One of the most prominent classes of input validation errors
◦ Don’t use command interpreters
◦ Use a parameterized interface
◦ var query = "select * from Person where name = @name";
◦ Entity Framework v5
◦ ORM
◦ SQL is generated behind the scenes
◦ Model driven
◦ Linq to SQL
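The two queries from this slide written out as an added example (not the presenter's code): a WCF contract whose published operation binds the name as a parameter, kept next to the concatenating version it replaces. The Person table with a Name column and the PersonDb connection-string name are assumptions.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.ServiceModel;

[ServiceContract]
public interface IPersonService
{
    [OperationContract]
    List<string> GetPersonByName(string name);
}

public class PersonService : IPersonService
{
    // Connection string name "PersonDb" is an assumption for this example.
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["PersonDb"].ConnectionString;
    // VULNERABLE (deliberately kept off the contract): the value is spliced into the SQL text.
    // With name = ' or '1' = '1 the statement becomes
    //   select Name from Person where name = '' or '1' = '1'
    // and every row in the table comes back.
    private static List<string> GetPersonByNameUnsafe(string name)
    {
        var query = "select Name from Person where name = '" + name + "'";
        return Run(new SqlCommand(query));
    }

    // FIXED: the value travels as a typed parameter, so the server never parses it as SQL;
    // the same input simply matches no row.
    public List<string> GetPersonByName(string name)
    {
        var cmd = new SqlCommand("select Name from Person where name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return Run(cmd);
    }

    private static List<string> Run(SqlCommand cmd)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(ConnectionString))
        {
            cmd.Connection = conn;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) names.Add(reader.GetString(0));
        }
        return names;
    }
}
```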
11. A2 – Broken authentication and session management
WCF is stateless by default
◦ Stateful session can be enabled in configuration
Message Authentication
◦ Certificate authentication over transport security
◦ Satisfies Level 1 requirements of the OWASP Application Security Verification Standard (ASVS)
◦ Section V2, all pages and resources must be authenticated except those that are public
◦ Certificate authentication pre-authenticates the client
◦ Authorize attribute is used for business authentication, while client is authenticated to the service
12. A3 – Cross-site scripting (XSS)
WCF is not directly vulnerable to XSS
◦ Messages are XML based, not URLs
Implement custom input/output parameter inspectors
◦ IParameterInspector interface
13. A4 – Insecure direct object references
Authorize attribute
◦ Using role-based authentication
◦ When a message is sent to an endpoint, service calls custom role provider for the requested operation
◦ Example:
[Authorize("Administrators")]
public void GetAllUsers();
14. A5 – Security misconfigurations
Don’t expose metadata
◦ Can be turned on for debugging in configuration
◦ App.config or web.config, using the system.serviceModel element
◦ Must be disabled for production
◦ Custom web page
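Programmatic equivalent of the configuration switches this slide refers to, as an added example (not the presenter's code): a host factory that turns the metadata and debugging surfaces off outside development, plus a check a deployment script can run before opening the host. The service type, address and isProduction flag are assumed to come from the caller.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

public static class HardenedHost
{
    // serviceType and baseAddress come from the caller; isProduction would normally
    // be read from configuration. Both are assumptions for this example.
    public static ServiceHost Create(Type serviceType, Uri baseAddress, bool isProduction)
    {
        var host = new ServiceHost(serviceType, baseAddress);

        // Code equivalent of <serviceMetadata httpGetEnabled="..."/> under system.serviceModel.
        // ?wsdl is handy while debugging but hands anyone the full operation and type list.
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata == null)
        {
            metadata = new ServiceMetadataBehavior();
            host.Description.Behaviors.Add(metadata);
        }
        metadata.HttpGetEnabled = !isProduction;
        metadata.HttpsGetEnabled = !isProduction;

        // ServiceHost adds ServiceDebugBehavior itself. Stack traces inside SOAP faults and the
        // default help page leak implementation detail the same way metadata does.
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug != null)
        {
            debug.IncludeExceptionDetailInFaults = !isProduction;
            debug.HttpHelpPageEnabled = !isProduction;
            debug.HttpsHelpPageEnabled = !isProduction;
        }
        return host;
    }

    // Pre-open check for a deployment script or test: true if any debugging-only surface is still on.
    public static bool ExposesDebugSurface(ServiceHost host)
    {
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        return (metadata != null && (metadata.HttpGetEnabled || metadata.HttpsGetEnabled))
            || (debug != null && (debug.IncludeExceptionDetailInFaults
                                  || debug.HttpHelpPageEnabled || debug.HttpsHelpPageEnabled));
    }
}
```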
15. A6 – Sensitive data exposure
Store sensitive data in its encrypted form
Passwords
◦ Don’t actually store the password, store a hash
◦ Random salt (256 bytes)
◦ RSA Pseudo random number generator
◦ SHA-256(Salt + Password) = Salted Password Hash
◦ Every time user changes the password, a new salt is used
◦ Database table has two columns, allows for one way validation
◦ PasswordSalt, non-sensitive
◦ PasswordHash
◦ Timeout after specified number of failed attempts
◦ Stops brute force attacks
16. A7 – Missing functional level access control
Related to A4, Insecure Direct Object References
WCF by default is stateless
◦ If using default, sessions are not of concern
◦ If using sessions, control with OperationContract
◦ IsInitiating property
◦ IsTerminating property
Windows Identity Foundation
◦ Supports federated claims based security
◦ Authorized claim sets
◦ Used similarly as role-based authorization
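The session contract this slide describes, as an added example (not the presenter's code): IsInitiating and IsTerminating fix the order in which operations may be called within one session, so nothing runs before Login or after Logout. The operation names are assumptions.

```csharp
using System.ServiceModel;

// SessionMode.Required refuses bindings that cannot carry a session, so the ordering
// rules below are enforced by the dispatcher rather than re-checked in each method.
[ServiceContract(SessionMode = SessionMode.Required)]
public interface IAccountService
{
    // The only operation allowed to open a session. IsInitiating defaults to true
    // on every operation, so the others must opt out explicitly.
    [OperationContract(IsInitiating = true, IsTerminating = false)]
    bool Login(string userName, string password);

    // Rejected by the dispatcher if no session has been initiated yet;
    // the method body is never reached.
    [OperationContract(IsInitiating = false, IsTerminating = false)]
    decimal GetBalance(string accountId);

    // Closes the session; any later call on the same channel is rejected.
    [OperationContract(IsInitiating = false, IsTerminating = true)]
    void Logout();
}
```

Sequencing controls order, not identity: the service still records the outcome of Login in its per-session instance (InstanceContextMode.PerSession) and checks it inside GetBalance.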
17. A8 – Cross-site request forgery (CSRF)
WCF is message based, not as much of a risk
It is possible to implement controls for this risk
Windows Identity Foundation
◦ If implemented, service is already using a Security Token Service (STS)
◦ STS processes user validation request
◦ Provides a claim-set for the user
◦ When the user sends a message request to the service, the claim-set is provided as a token, STS evaluates the token
18. A9 – Using known vulnerable components
Don't use components that are untested or whose source is unknown
Most controls and tools are already part of the .Net framework
◦ Entity Framework v5
◦ Tight integration with existing Microsoft .Net technologies
◦ Beta versions are not a good idea
OWASP ESAPI for .Net
◦ Website states it’s not suitable for production use
◦ Good reason not to use it
19. A10 – Unvalidated redirects and forwards
Redirects and forwards should be avoided
WCF not at risk like web applications are
◦ Sometimes parameters can contain the target page
◦ IParameterInspector custom inspector
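One IParameterInspector serving both this slide and the A3 slide above, as an added example (not the presenter's code): an allow-list check on every string parameter before the operation runs, attached to all operations through a service behaviour attribute. The character allow-list is an assumption and would be tuned to the service's real inputs.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Allow-list check on every string parameter before the operation body runs. The pattern
// (word characters, whitespace and . , @ ' -) is an assumption for the example; it admits
// none of < > " & : /, so neither markup (A3) nor a URL-shaped redirect target (A10) passes.
// This is input hygiene, not a replacement for parameterized SQL (A1).
public class StringParameterInspector : IParameterInspector
{
    private static readonly Regex Allowed = new Regex(@"^[\w\s.,@'-]*$", RegexOptions.Compiled);
    public static bool IsAllowed(string value) { return value == null || Allowed.IsMatch(value); }

    public object BeforeCall(string operationName, object[] inputs)
    {
        for (int i = 0; i < inputs.Length; i++)
        {
            var s = inputs[i] as string;
            if (s != null && !IsAllowed(s))
                throw new FaultException("Parameter " + i + " of " + operationName + " contains disallowed characters.");
        }
        return null; // no correlation state needed
    }

    // Output side: blank any string that would carry markup back to the caller.
    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState)
    {
        for (int i = 0; i < outputs.Length; i++)
            if (outputs[i] is string && !IsAllowed((string)outputs[i])) outputs[i] = null;
    }
}

// Service behaviour: [ValidateStrings] on the service class attaches the inspector to every operation.
[AttributeUsage(AttributeTargets.Class)]
public class ValidateStringsAttribute : Attribute, IServiceBehavior
{
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        var operations = host.ChannelDispatchers.OfType<ChannelDispatcher>()
            .SelectMany(cd => cd.Endpoints)
            .SelectMany(ed => ed.DispatchRuntime.Operations);
        foreach (var op in operations) op.ParameterInspectors.Add(new StringParameterInspector());
    }
    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h, Collection<ServiceEndpoint> e, BindingParameterCollection p) { }
    public void Validate(ServiceDescription d, ServiceHostBase h) { }
}
```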