Catching up with Summer of Code 2008

June 29th, the 50% mark for Summer of Code 2008 is here.  Here’s an unofficial update of what has been done for the OWASP .NET Project for SOC 2008:

Goal 1:  OWASP .NET Site Reorganization

Pages (I’d say I’m about 50% done – there’s a ton of stuff that I *want* to add, but as far as what is useful and relevant, the content is about 50% there.)

• OWASP .NET
• .NET Security for Architects
• .NET Security for Developers
• .NET Security for IT Professionals
• .NET Penetration Testing
• .NET Incident Response
• OWASP .NET Active Projects
• OWASP .NET Vulnerability Research
• OWASP .NET Project Roadmap
• OWASP .NET Recommended Resources

Special Projects becomes Vulnerability Research

After discussions with OWASP .NET Project contributors and Dinis Cruz, added Recommended Resources

Goal 2: OWASP .NET Project Outreach

Presentation Materials for OWASP & OWASP .NET & Software Lifecycle

OWASP .NET Bullet Points

Community Outreach

• User Groups – I gave a 10 minute introduction to OWASP .NET Reorg in the OWASP EU App Sec 2nd Keynote.  I reached out to OWASP Philadelphia and New York to find time for me to present (still working on these), plan on reaching out to other groups for the 2nd half.)
• Forums - Participating in ASP.NET forum, I need to be more involved and find additional forums.
• Microsoft MVP Community – I reached out to Alex Smolen, a Security MVP who informed me that there was talk about having MVP’s participate in the OWASP .NET side.  I will continue to push for their involvement.
• Microsoft - I have a couple of contacts that I will work with at Microsoft to keep me in the loop.

Media Outreach

• ISSA Journal - I was asked to submit an abstract for an upcoming issue of ISSA.  The editor is interested in a couple of ideas that I provided.  I will be completing this in the next few weeks.
• ISC2 Blog - I was giving blogging privileges for the ISC2 Blog (CISSP folks).  I haven’t found the right content to bridge security development and the CISSP level stuff, but I have a few ideas in my backlog.
• MSDN Magazine - I e-mailed the editor and he offered to present OWASP .NET as a resource for their Toolbox section.  I volunteered to provide anything required.
• OWASP Media Guidelines - As I’m working on an article for ISSA, I’m keeping a log of what things other OWASP authors might find useful.  For example, a standard blurb about OWASP and your project as part of your author introduction.

Goal 3: OWASP Project Support

Projects that I’m working with in addition to OWASP .NET Reorganization that will allow me to continue to recruit content for OWASP .NET

• Report Generator – I found a volunteer who is interested in continuing this work.  I started a backlog of improvements and have the code running locally.  I will find some time to get this moving.
• Testing Guide – I volunteered to review articles and fill in any gaps if articles need to be added.
• Reviewer for OWASP Application Security Tool Benchmarking Environment and Site Generator refresh
• Reviewer for OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp
• Side Projects:  Linq & Sql Injection, OWASP .NET Shield

Here is the roadmap going forward for the next half of Summer of Code 2008

.NET Incident Response

Couldn't find specific .NET incident response guidance or tools, but there are a few good links to general incident response resources at .NET Incident Response.

Some of the highlights include:

• Carnegie Mellon's SEI Incident Response Handbook
• NIST Special Publication for Forensics guidance
• Helix as part of your response toolkit
• and more.

OWASP .NET Shield

I open sourced a project on CodePlex for handling SQL injection attacks.  The main piece is an httpModule that you can have check requests to the web server.  It’s very primitive at the moment, using a blacklist to filter request values (Querystring, Form and Cookies).  For example, “lend” and “Bender” both fail the validation check because the word “end” is on the black list (we will disregard the fact that we may use the word “end” somewhere).  So, what are the best practices for handling SQL statements posted to a web server?  Is there some preexecution check, or better heuristics for filtering?

The project can be found here: www.codeplex.com/shield.

Sql Injection Vector for Linq

I was going to name this blog post “You’re only as strong as your weakest Linq,” but I thought that would be trite (but funny enough not to not mention).

Here it is: Linq is not impervious to Sql Injection, as claimed in Eliminate SQL Injection Attacks Painlessly with LINQ. While I agree with the statement in the article that to eliminate SQL Injection, eliminate SQL; the reality for Linq is not so cut and dried. The author states that “every SQL query that Linq executes on your behalf is parameterized.” This is not true. In fact, inline SQL is recommended to improve the performance of certain Linq queries:

· see http://shrinkster.com/z2q for improved performance

· see http://shrinkster.com/z2p for bulk updating issues with Linq

· and here’s a fun one – passing the query to a function, http://shrinkster.com/z2o ).

It should be easy to see that the use of the DataContext ExecuteQuery and ExecuteCommand functions are problematic. Here is my proof of concept code using a simple example – a LinqDataSource and a web page with unvalidated input:

I am using Visual Studio 2008 and SQL Server 2005. For the datasource I needed to create a DataContext. I created a database with a table named Trade to query against:

Then I created the DBML for the DataContext by adding LINQ to SQL Classes and added my table to the design surface :

I created a simple page (includes a LinqDataSource, a ListView, a TextBox and a Button):

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" 
CodeFile="Default.aspx.cs" Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
   <title>Untitled Page</title>
</head>
<body>
   <form id="form1" runat="server">
   <div>

       <asp:Literal ID="Literal1" runat="server"></asp:Literal>
       <br />
       <br />
       <asp:ListView ID="lstTrades" runat="server" DataKeyNames="TradeID"
           DataSourceID="LinqDataSource1"> … template markup removed …
        </asp:ListView>
       <br />
       <br />
       <asp:TextBox ID="txtParams" runat="server" Width="352px"></asp:TextBox>
       <br />
       <br />
       <asp:Button ID="btnExecuteQuery" runat="server" onclick="btnExecuteQuery_Click"
           Text="Execute Query" />
       <asp:LinqDataSource ID="LinqDataSource1" runat="server"
           ContextTypeName="DriveHaxDataContext" TableName="Trades">
       </asp:LinqDataSource>

   </div>
   </form>
</body>
</html>

Default.aspx.cs

using System;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Diagnostics;

public partial class _Default : System.Web.UI.Page
{
   protected void Page_Init(object sender, EventArgs e)
   {
       this.LinqDataSource1.Selecting += new EventHandler<LinqDataSourceSelectEventArgs>(LinqDataSource1_Selecting);
  
   }

   void LinqDataSource1_Selecting(object sender, LinqDataSourceSelectEventArgs e)
   {
       DriveHaxDataContext driveHax = new DriveHaxDataContext();

       if (this.txtParams.Text.Length > 0)
       {

string sql = "select * from Trade where DealMember='" + this.txtParams.Text + "'";

            var trades = driveHax.ExecuteQuery<Trade>(sql);
           e.Result = trades.ToList();
       }

   }

   protected void btnExecuteQuery_Click(object sender, EventArgs e)
   {
       this.lstTrades.DataSourceID = this.LinqDataSource1.ID;
   }
}

Here’s a quick look at results and how SQL injection causes more data to be returned.

No Parameters:

Use a name that I know has a trade, and return data:

Use a simple SQL injection statement, and return more data:

I only did a query statement for this post; I have repeated this with ExecuteCommand with DML operations.

As you can see, while Linq has probably reduced the scope of SQL injection vulnerabilities for those who use it, it is certainly not impervious. What hacks and shortcuts have you done for performance? Or because it was too time consuming to learn a new syntax. Linq and its functional programming aspects will be new to many developers. I personally like Linq and think it is a very useful technology, but you should be aware of both its strengths and its weaknesses.