Alik Levin's

Clarity, Technology, and Solving Problems | PracticeThis.com 

July, 2008

    Security Code Review – String Search Patterns For Authentication Vulnerabilities

    This post contains string search patterns that can help identify authentication vulnerabilities during a security code inspection of your ASP.NET application. The most common vulnerability is insecure handling of credentials in the code. The question we actually want to ask is:

    • Are you passing clear text credentials?

    The associated threat is identity theft or identity spoofing, which can be achieved by disclosing the credentials and/or tampering with them.

    What to Search for and Why

    Credentials are usually required when accessing a downstream resource – a database, web service, Active Directory, MQSeries, or any other. This information can easily be obtained from the architecture document. The following searches can lead you to the hotspots where potential authentication vulnerabilities hide:

    DB Connections

    findstr /S /I /C:".Open(" *.cs

    Web Services

    findstr /S /I /C:".Credentials =" *.cs

    LogonUser API – usually used for impersonation

    findstr /S /I "LogonUser" *.cs

    IIdentity usage

    This one is my favorite. This search pattern actually tries to spot the anti-pattern in how the end user is identified. The assumption here is that when there are no matches for this search, the solution either does not identify the requests or uses a home-grown solution, which might be a potential vulnerability in both cases.

    findstr /S /I /C:".Identity" *.cs

    In addition to the above searches, it is a good idea to review the web.config file for potential clear text credentials.
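
    The searches above and the web.config review, combined into one script. This is an added example, not code from the original post; the sample C# and web.config content is constructed, and the password/pwd key names and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The four findstr patterns from the post, matched literally, case-insensitively.
HOTSPOTS = {".Open(": "DB connection", ".Credentials =": "web service credentials",
            "LogonUser": "LogonUser impersonation", ".Identity": "IIdentity usage"}
# Assumption, not from the post: key names that mark an embedded secret.
SECRET = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;]+")

def scan_source(name, text):
    """Return (file, line number, label) for every hotspot hit in C# source."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for needle, label in HOTSPOTS.items():
            if needle.lower() in line.lower():
                hits.append((name, no, label))
    return hits

def scan_web_config(xml_text):
    """Flag clear-text credentials in connection strings, appSettings, <identity>."""
    root, findings = ET.fromstring(xml_text), []
    for add in root.iter("add"):
        if SECRET.search(add.get("connectionString", "")):
            findings.append(("connectionString", add.get("name")))
        if re.search(r"(?i)password|pwd", add.get("key", "")) and add.get("value"):
            findings.append(("appSettings", add.get("key")))
    for ident in root.iter("identity"):
        pw = ident.get("password", "")
        # "registry:..." points at an encrypted registry value, not clear text.
        if pw and not pw.lower().startswith("registry:"):
            findings.append(("identity", ident.get("userName")))
    return findings

# Constructed sample inputs (not from the post).
SAMPLE_CS = """conn.Open();
svc.Credentials = new NetworkCredential("svc_app", "S3cret!");
string who = Context.User.Identity.Name;
"""
SAMPLE_CONFIG = """<configuration>
 <connectionStrings>
  <add name="Orders" connectionString="Server=db1;User ID=app;Password=S3cret!"/>
  <add name="Audit" connectionString="Server=db1;Integrated Security=SSPI"/>
 </connectionStrings>
 <appSettings><add key="SmtpPassword" value="S3cret!"/></appSettings>
 <system.web><identity impersonate="true" userName="svc_web" password="S3cret!"/></system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in scan_source("Login.cs", SAMPLE_CS) + scan_web_config(SAMPLE_CONFIG):
        print(finding)
```

    The Integrated Security connection string is not flagged because it carries no password; every source hit is only a hotspot to read by hand, not a confirmed finding.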

    Got more suggestions for search patterns to identify potential authentication vulnerabilities? Please share!

    Use FREE Tools From IIS Resource Kit To Warm Up Your ASP.NET 1.1 Application By Batch Compilation

    Have you noticed that when an ASP.NET web application is accessed for the first time, the response is slow? The reason for this behavior is batch compilation, which occurs on the first hit.

    ASP.NET batch compilation is the process of compiling ASP.NET markup (the content of aspx files) into temporary DLLs. Compilation requires invoking the compiler (csc.exe for C#), which is a pretty heavy activity. Process Explorer shows it clearly:

    ASP.NET Batch compilation

    ASP.NET batch compilation occurs on a per-folder basis. That said, if your application is divided into multiple sub-folders that contain ASP.NET pages, batch compilation is invoked each time any of the folders is accessed for the first time.

    Note that starting with ASP.NET 2.0 the compilation model has changed. Also, there is a tool, Aspnet_compiler.exe, that allows you to pre-compile your ASP.NET web application to improve performance.

    Customer’s case study

    The customer’s web application is built with ASP.NET 1.1. It is divided into multiple subfolders reflecting logical modules that are hosted across about 20 application pools. The application connects to an Oracle database.

    The QA team complains that the application responds slowly each time any of the modules (subfolders) is accessed for the first time.

    Using Process Explorer and profiler we identified three main latency points:

    • Creating the application pool – w3wp.exe.
    • Batch compiling the application for each subfolder.
    • Creating Oracle connection pool when Oracle is accessed for the first time.

    The solution

    We decided to create a Warmer – a solution that hits each subfolder’s page in an unattended manner, thus warming up the application before the first user hits it.

    For the solution we used free tools from the IIS Resource Kit:

    • LogParser.exe to identify the URLs of the pages to hit.
    • TinyGet.exe to actually hit the pages identified by LogParser.

    To identify which pages to hit, we took IIS log files from the QA environment and then ran the following query using LogParser:

    LogParser.exe "SELECT DISTINCT STRCAT('XXX', cs-uri-stem) AS cs-uri-stem-strcat INTO 'C:\result.txt' FROM 'C:\yourIISlogFile.log' WHERE INDEX_OF(cs-uri-stem, 'aspx') > 0" -o:w3c

    Notice XXX – it has nothing to do with XXX-rated content; it is a placeholder to be replaced with the tinyget command.

    Open the resulting yourIISlogFile.log file in Notepad, hit Ctrl+H for “Replace” and replace all occurrences of XXX with the following command:

    tinyget -srv:www.YourServer.com -uri:


    yourIISlogFile.log before the Replace:

    image

    yourIISlogFile.log after the Replace:

    image

    Remove the header and save the file with a BAT extension – your Warmer is ready for action. Run it each time you deploy a new version.
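
    The same procedure as a single script that reads a W3C-format IIS log and returns the tinyget lines for the BAT file. This is an added example, not code from the original post; the log lines are constructed, build_warmer is a hypothetical name, and the character allowlist and case-insensitive de-duplication are added precautions, because URLs in a log come from whoever sent the request and end up inside a batch file.

```python
import re

# Added precaution (assumption): accept only stems made of path-safe characters,
# so shell metacharacters such as & | % never reach the generated BAT file.
SAFE_STEM = re.compile(r"^/[A-Za-z0-9_./-]+$")

def build_warmer(log_text, server):
    """Return tinyget command lines for each distinct ASPX URL in a W3C IIS log."""
    fields, seen, commands = [], set(), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or "cs-uri-stem" not in fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                       # skip truncated or malformed rows
        stem = cols[fields.index("cs-uri-stem")]
        # Mirrors the query's filter: keep stems that contain 'aspx'.
        if stem.lower().find("aspx") <= 0 or not SAFE_STEM.match(stem):
            continue
        if stem.lower() not in seen:       # DISTINCT, ignoring case
            seen.add(stem.lower())
            commands.append(f"tinyget -srv:{server} -uri:{stem}")
    return commands

# Constructed sample log (not from the post).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem sc-status
2008-07-01 10:00:01 GET /Orders/List.aspx 200
2008-07-01 10:00:02 GET /images/logo.gif 200
2008-07-01 10:00:03 GET /orders/list.aspx 200
2008-07-01 10:00:04 GET /Admin/Users.aspx 200
2008-07-01 10:00:05 GET /Bad.aspx&echo 404
"""

if __name__ == "__main__":
    print("\n".join(build_warmer(SAMPLE_LOG, "www.YourServer.com")))
```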

    Do not forget to remove old temporary files from the ASP.NET temporary folder:

    C:\Windows\Microsoft.NET\Framework\<<NET FX VERSION>>\Temporary ASP.NET Files\

    CAUTION. This action may potentially corrupt your application if you do not provide proper exception handling. On one hand, it is a good check to make; on the other hand, be aware of it and do not do it on production sites unless you are completely sure it will not corrupt the application.

    WLW Plugin For Blog Post Templates – New Version (Including Full Source Code)

    What’s Blog Post Templates Plugin for WLW?

    Blog Post Template Plugin For Windows Live Writer is a productivity tool to boost every blogger’s efficiency.

    The plugin helps better style the blog posts and it saves time when creating and editing the blog posts.

    See more info here - Blog Post Template Plugin For Windows Live Writer

    New Feature

    I’ve updated the Blog Post Template Plugin for Windows Live Writer (WLW). The feature I’ve added is the ability to browse for any arbitrary template on the file system:

    Blog Post Template Windows Live Writer Plugin

    Customizing And Using Your Template

    • Create your template using WLW, just like you’d create your blog post – nothing special about that.
    • Switch to source tab.
    • Grab the contents, paste it into Notepad and save it on your file system.
    • Done.
    • Use it with the plugin by pressing on Browse button and picking it from “Open” dialog.

    Get Source Code – FREE (right price!)

    Interested? Start here - Blog Post Template Plugin For Windows Live Writer

    The full source code can be found on my SkyDrive here:

     

    Enjoy.
