Security Tools

Microsoft Security Bulletin MS12-007– Vulnerability in AntiXSS Library Could Allow Information Disclosure

cisg — Tue, 10 Jan 2012 18:04:37 GMT

Today sees the release of AntiXSS v4.2 in order to address MS12-007. As AntiXSS is a developer tool developers need to download the latest version, test, then deploy the web sites using the library. nuget has also updated – if you’ve added AntiXSS via nuget you’ll need to update the package.

It is recommended you test and apply the new version as soon as possible.

The vulnerability only affects the HTML sanitizer. The sanitizer has been changed to remove all CSS it encounters, this new behaviour means that if you were expect CSS formatting to remain after sanitization this is no longer the case.

In addition to the change necessary to correct the vulnerability there are a few new features;

Minimum Requirements.
You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.

Invalid Unicode no longer throws an exception.
Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

UrlPathEncode added.
The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.

.NET 4.0 encoder support.
There’s finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0 ensure you are using the .NET 4.0 version of the encoding library and then edit your web.config and add the encoderType attribute to the httpRuntime element; i.e.
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

The nuget package does not swap out the encoder as nuget configuration transforms can’t be made framework version specific yet so you will have to do that manually. Source code will uploaded to codeplex within the next few days.

Remember that downloading the new version is not enough – you will need to update your projects to use the new version then publish them to your web servers.

This release has also merged code from the .NET framework, taking some of their hard work in integrating the core AntiXSS functions into v4.5. There are some performance improvements in encoding.

CAT.NET and our fiscal year end

cisg — Mon, 11 Apr 2011 16:56:28 GMT

At this point in time we are accepting recommendations, suggestions and new features. However, we do not have any planned updates for the remainder of the fiscal year. We are going through our FY12 planning and CAT.NET is on the list of requests for next year. We will know by the end of June if funding has be approved. At that time we’ll notify people of the budgetary decisions.

CAT.NET Update – Long Overdue

cisg — Mon, 21 Feb 2011 19:00:21 GMT

Frank Brisse here…

I wanted to provide an update to the CAT.NET project since it’s been a while since my last communication. Internally we have version 2.0 of CAT.NET running. Unfortunately, some of the features we relied on in Visual Studio’s code analysis did not make it into the final product. We are working with the Visual Studio team to include the features needed.

In the meantime our team has been investigating options to bypass the missing libraries. This is not an ideal solution because we’ll be omitting the seamless integration with Visual Studio. We believe we have a solution and have provided estimates to fix this problem. Because this effort was not planned, we are investigating how to fit this effort into our current work load. We should have some news by the end of March if not sooner.

AntiXSS 4.0 Released

cisg — Thu, 30 Sep 2010 22:42:25 GMT

AntiXSS 4.0 has been released and is available from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651. The new source will be published to CodePlex within the next few days.

Minimum Requirements

.NET Framework 3.5

Return Values

If you pass a null as the value an encoding function the function will now return null. The previous behavior was to return String.Empty.

Medium Trust Support

The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment() have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code.

Adjustable safe-listing for HTML/XML Encoding

The safe list for HTML and XML encoding is now adjustable. The UnicodeCharacterEncoder.MarkAsSafe() method allows to you choose from the Unicode Code Charts which languages your web application normally accepts. Safe-listing a language code chart leaves the defined characters in their native form during encoding, which increases readability in the HTML/XML document and speeds up encoding. Certain dangerous characters will also be encoded.

The language code charts are defined in the Microsoft.Security.Application.LowerCodeCharts, Microsoft.Security.Application.LowerMidCodeCharts, Microsoft.Security.Application.MidCodeCharts, Microsoft.Security.Application.UpperMidCodeCharts and Microsoft.Security.Application.UpperCodeCharts enumerations.

It is suggested you safe list your acceptable languages during your application initialization.

Invalid unicode character detection

If any of the HTML or XML encoding methods encounter a character with a character code of 0xFFFE or 0xFFFF, the characters used to detect byte order at the beginning of files an InvalidUnicodeValueException will be thrown.

Surrogate Character Support in HTML and XML encoding

Support for surrogate character pairs for Unicode characters outside the basic multilingual plane has been improved. Such character pairs are now combined and encoded as their &xxxxx; value. If a high surrogate pair character is encountered which is not followed by a low surrogate pair character, or a low surrogate pair character is encountered which is not preceded by a high surrogate pair character an InvalidSurrogatePairException is thrown.

HTML 4.01 Named Entity Support

A new overload of the HtmlEncode method, Encoder.HtmlEncode(string input, bool useNamedEntities) allows you to specify if the named entities from the HTML 4.01 specification should be used in preference to &#xxxx; encoding when a named entity exists. For example if useNamedEntities parameter is set to true the copyright entity would be encoded as ©.

HtmlFormUrlEncode

A new encoding type suitable for using in encoding Html POST form submissions is now available via Encoder.HtmlFormUrlEncode. This encodes according to the W3C specifications for application/x-www-form-urlencoded MIME type.

LDAP Encoding changes

The LdapEncode function has been deprecated in favor of two new functions, Encoder.LdapFilterEncode(string) and Encoder.LdapDistinguishedNameEncode(string)

Encoder.LdapFilterEncode encodes input according to RFC4515 where unsafe values are converted to \XX where XX is the representation of the unsafe character

Encoder.LdapDistinguishedNameEncode encodes input according to RFC 2253 where unsafe characters are converted to #XX where XX is the representation of the unsafe character and the comma, plus, quote, slash, less than and great than signs are escaped using slash notation (\X). In addition to this a space or octothorpe (#) at the beginning of the input string is \ escaped as is a space at the end of a string.

LdapDistinguishedNameEncode(string, bool, bool) is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name.

MarkOutput

The ability to mark output using an HtmlEncode overload and query string parameter has been removed.

The Security Runtime Engine developer continues in parallel to my other work, but we’ve now separated the two libraries so you don’t have to wait for AntiXSS updates. The WPL will continue to be available as source only from codeplex until we’re happy with the code model and quality. Once that happens you can expect to see a binary release, but there are no planned release dates as yet.

How to View a Report in WACA?

cisg — Fri, 24 Sep 2010 16:03:17 GMT

Web Application Configuration Analyzer v1.0 is the latest tool released by our team that scans a machine for deployment best practices. Here is how you can use this tool to view a scan report which provides resolution details for failed rules.

1. From the presented Launchpad under the “Quick Actions” Section screen click on the “View scan results” link or go to “File” menu and select “View scan results”. You can also get to this screen by clicking on the “View Report” button after a scan, which will automatically select that scan for the report.

2. From the first drop down box, select a server to view a scan result. The drop down box displays all the server names for which results have been generated by the tool. Upon selecting the server name, the list box displays the scanned dates and times starting with latest date and timestamp.

3. The report is divided into multiple sections. You can navigate to corresponding section by clicking the links in summary table. There are four sections for every report. First is the Summary, which tells you about the machine and its specific attributes. This section also serves as the index allowing you to select a link to jump to that specific section. The next section is the General application Rules. This is where all rules pertaining to a machine regardless to the machines purpose. The next section contains the IIS Application rules. If a user knows this machine is an IIS box then this section should have all the security rules for IIS in one contained section. The last section is for SQL server. Assuming the server is a SQL server machine all rules pertaining to SQL Server will be in this section.

4. Results from scanning a machine falls into one of four states: Passed, Failed, Indeterminate and Not Applicable. Passed indicates the rules was tested and based on WACA’s scan discovery the rule passed. Failed indicates after the rule was scanned for the discovery was the rule failed the test. Not Applicable state is used when specific application such as IIS or SQL Server is not present on the target machine. Indeterminate state is applied when a specific rule cannot find the underlying data due to missing information to process the rule. For example, Indeterminate state could be returned for the “Unnecessary service (Alerter) is not running” rule if the service itself is not present on the target machine. Investigate indeterminate rules by using the descriptions and resolutions from Excel export.

5. Severity and resolution provide additional context to the rule and only failed rules include resolutions to fix the violation. Context may determine whether a failure in WACA is a bug to be fixed. Some checks, for example, are applicable for servers facing the extranet, but would be considered false positives for any other environment. The description for the checks provides guidance for these scenarios.

6. Exporting to Excel and using the Filter feature can help with quickly identifying and managing failures.

Thanks
Anil RV

How to Scan a Server using WACA?

cisg — Fri, 24 Sep 2010 16:03:02 GMT

Web Application Configuration Analyzer v1.0 is the latest tool released by our team that scans a machine for deployment best practices. Here is how you can use this tool to scan a machine for these best practices.

1. Launch the application by going to Windows Start Menu and selecting “Microsoft Information Security”, “Web Application Configuration Analyzer v1.0” and “Web Application Configuration Analyzer”.

2. From the presented Launchpad screen under the “Quick Actions” Section click on the “Scan a machine” link or go to “File” menu and select “Scan a machine”.

3. Enter the fully qualified domain name of the target machine and click “Scan” button to start the scan. You can also enter the SQL instance name to scan a SQL server on that machine.

Note that you need administrative permissions on the target machine along with remote registry and WMI services. The tool will perform prerequisite scanning first to determine server existence, administrative access, IIS and SQL versions and remote services availability. If WACA is unable to connect to the SQL Server either because of network or permission issues, the user will be prompted to continue the scan.

4. It is not required that the target machine have either IIS or SQL installed, WACA will recognize this and report its results accordingly.

5. A message is displayed indicating that the scan is completed. Click on the “View Report” button to view the report.

Thanks
Anil RV

Web Application Configuration Analyzer v1.0 RTW is live!

cisg — Mon, 20 Sep 2010 20:58:50 GMT

I am excited to announce the release of Web Application Configuration Analyzer v1.0 tool. The following is the quick overview of the tool and its features.

Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production and production servers. It can also be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers). The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available at: http://msdn.microsoft.com/en-us/library/ms994921.aspx. It uses an agent-less scan that requires the user to have admin privileges on the target server, as well as any SQL Server instances running on that machine.

Scan a machine for more than 140 rules
Generate HTML based reports
Compare two scans to view the differences
Export results to Excel
Export results to Team Foundation Server

You can download the tool from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=60585590-57df-4fc1-8f0c-05a286059406. You can view a demo of the tool in this channel9 screencast.

Thanks
Anil RV

CAT.NET v2.0 Update

cisg — Tue, 29 Jun 2010 23:00:50 GMT

Frank Brisse here… I wanted to provide an update on CAT.NET v2.0. We were looking to release CAT.NET v2.0 in June but ran into a design issue at the last moment causing us to delay the release. At this point we are working with internal teams to determine how to best fix this concern. Once we have a solution and a definitive timeframe we’ll announce the new release date.

While we’re looking to resolve this issue we still want to hear your feedback about features needed in future releases. Shortly we’ll release a list of features that will be included in CAT.NET v2.0 and items on the product backlog for future releases.

The May 2010 Security Runtime Engine Preview is now available on CodePlex

cisg — Thu, 27 May 2010 17:18:08 GMT

The WPL site on CodePlex now has the May CTP code only release for the Web Protection Library and a Word document introducing the new extensibility points for the Security Runtime Engine.

We haven’t released binaries because it’s just a preview, it is in no way ready for production.

So why make the source available? We want feedback. This represents a rewrite of the Security Runtime and a new way for you to easily write plug-ins for it. Rather than simply decide what’s best for our users we wanted to show you the direction we’re taking and give you a change to influence it.

Missing from the sure are any tests – they do exist and will be published in the next source drop. There are no inspectors or logging plug-ins – because we would like you to work through the tutorial, then look through the code, think about how you would use them and try to write your own. If we supplied some example inspectors the temptation would be there to use those as a starting template for your own.

So please download, read the source, play around (on a test web site) and do leave feedback and bug reports/issues for us on CodePlex.

Barry

Farewell from Mark Curphey & Please Help Me Fight Blood Cancer

cisg — Tue, 30 Mar 2010 00:40:20 GMT

Mark Curphey here…..

It is with some degree of sadness that I have to hang up my spurs from this blog. Next Monday I take up a new role on the Server & Tools Online team (think MSDN & codeplex.com) where I will be heading up the subscriptions engineering team. I have held various security roles in big and small companies for the last 15 years and so it is very much a new chapter in my life as I follow my passions of modern development practices, online community and user experience. I call it Curphey 2.0!

The work of the Security Tools team will not change or be affected in any way. There is great work continuing including CAT.NET, WPL and WACA (as well as a whole lot more internal implementation engineering on Identity Management and other related security management tools). There is a LONG overdue release of CISF and updates due on the Security BI and Risk Tracker work we have been cranking out. The team will continue to use this blog to communicate public releases and share their work and learning's.

It has been an honor and a pleasure to work with the team. It is a very talented bunch of folks who have made work fun! You can follow my new adventures at my new personal blog http://www.curphey.com and as usual on Twitter using @curphey (or http://www.twitter.com/curphey). I will be posting some notes over on the BlueHat blog about my talk in Beunos Aires next week and have one final security keynote “10 Crazy Ideas That Might Actually Change the State of Information Security”

One of the things I have been blown away by at Microsoft is the Corporate Citizenship and the culture of giving. It’s a part of our corporate culture that I think we can be very proud of. As I transition to my new role I wanted to share something personal. Before I move on I have a personal plea. Yes it’s a plea, a plea to your kind hearts and good nature. Last week I signed up to run the Seattle Rock’N’Roll Marathon with The Leukemia & Lymphoma Society’s (LLS) Team In Training. The run is on June 26th, 2010 and I am raising money to help fight blood cancer. I am not going for pace, I just want to finish and raise money for a good cause. I just want to do something good. For a few years I have wanted to do a marathon as one of those things to tick off of the “been there and done that in Life” list but more importantly I know a few people who have been in dealing with cancer of various forms. One friend has a 9 year old son who has been dealing with a brain and a spine tumor for most of his life (I am not going to tug on your heart strings too much but it’s a heart breaking story) and another good friend (my age) is now recovering from Lupus. The chemotherapy has literally disintegrated his bones to the point where he has had to have his hips replaced so he can walk. He will never be able to run with his kids like I can. My minor skin cancer scares pale into insignificance when you see what others go through and a little bit of pain on a 26 mile run will be negligible in order to help advance the research and prevent others from suffering. I am healthy and alive; getting fit and a few blisters will be a breeze in comparison to what others go through.

PLEASE SPONSOR ME!

Please, please consider sponsoring me and raising money to flight blood cancer. I am happy to accept sponsorship if you want to induce pain in me or help relieve if from others!

My Team in Training Sponsorship page can be found here. If you work for Microsoft it has directions on how to ensure that Microsoft matches your donation so together we can double the donation for employees.

All donations help. Anything helps! It’s for a great cause!

As I live in a “Connected World” you can even track my run stats on the Garmin Connect site here using an RSS reader to see just how tough I am finding it!

Thanks for your support!

PS : I am also happy to do speaking events, write articles, consider endorsements or wear your company logo in return for donations. You can write to me at mark at curphey dot com with suggestions.

The Web Protection Library – plans and processes.

cisg — Wed, 24 Mar 2010 22:22:20 GMT

First off let me introduce myself; my name is Barry Dorrans, I’m a recent transplant from the UK and I finally joined the Information Security tools team 6 weeks ago after the long and involved process of visa acquisition. Before joining Microsoft I was a consultant in the UK working with various companies on developer security issues, I was a Developer Security MVP and an active member of the UK .NET technical community, running a user group in Oxford and writing “Beginning ASP.NET Security” for Wrox Press.

One of the things that attracted me to the role was the tools the team produces and in particular the open source status of the Web Protection Library and so it’s with great pleasure I am taking on the development of WPL, along with Frank, the new PM for WPL and Randy Evans, my co-developer and Jessika the team’s tester. As part of the process we’re going to share more with you about what we’re doing, what we’re planning and hopefully give you a chance to engage with us as we plan development sprints, gather feature requirements and fix bugs.

We kicked off our first sprint on Monday 21st March, a sprint we’re describing as “fit and finish”. We’re spending a lot of time documenting the code and adding tests. We’re also addressing what has been a pain point for a lot of you – medium trust. The original AntiXSS library performed nothing but encoding and didn’t have any special requirements for hosting. When the first WPL beta was released we added HTML sanitization, which came from another team. Sanitization is rather computationally expensive and the code uses unsafe array manipulation in an effort to cut down the time it takes; however for obvious reasons a lot of shared hosters don’t allow unsafe code to run in their shared environments. With the next release of WPL we’re putting AntiXSS back into its own assembly and marking it with AllowPartiallyTrusterCallers so you won’t have to strong name your web assemblies to use it. This does mean if you want to use the HTML sanitization functions you’ll need to add a reference to the new assembly into your project.

One other change that will become obvious when we release the code is the move to VS2010. We’re doing this to provide support for ASP 4.0’s ability to switch out HTML encoding engine and we’ll be providing a pre-built class for this. In order to keep support those of you who are on .NET 2.0 - 3.5 this will be made available in yet another assembly or of course you simple take the class and add it into your own project.

It’s unlikely we’ll release the results of this sprint publically as this is these are the only functional changes we’re making and we’d like to wait till we to release under we have some actual bug fixes – but if you feel we should then leave us a comment!

Talking of bug fixes once this sprint has finished we’ll start going through the bug list and feature requests. In case you’re wondering bugs and features from the Connect programme make it into our internal systems automagically. We also had a lot of feedback at the MVP summit from the Developer Security MVPs which we’re planning to address. If you’ve added a bug onto the AntiXSS codeplex site then we manually triage those and bring them into our internal systems on a regular basis.

As we near the end of this sprint Frank will be sharing with you our priorities and tasks for the next sprint and I plan to start sharing our new Threat Models as we prepare them and any mistakes we’ve made with the threat modeling process – something I hope will enable everyone to learn how to model effectively.

Silverlight 3.0 Datagrid - How to change a cell state?

cisg — Sat, 13 Feb 2010 00:32:28 GMT

Hi Syam Pinnaka, Sr. SDE in Infosec tools team.

Silverlight 3.0 datagrid can be used to bind to any enumerable collection and display the data in the grid. The data changes in the grid can be propagated back to the bound data using a special type in silverlight called ObservableCollection. We will discuss more about ObservableCollection in a separate post. In this post Lets see how to change a datagrid cell state based on certain condition. For example lets say there are two DataGridCheckBoxColumn columns and first check box column state will need to change to read-only based on the value of second check box column.

We can accomplish this by handling datagrid events like BeginningEdit or CellEditEnded. In our example, we can use BeginningEdit to check for checkbox whether the checkbox being clicked is first one, if so check the state of second check box to allow the click or not. Example code below.

#region selectUsersGrid_BeginningEdit
private void selectUsersGrid_BeginningEdit(object sender, DataGridBeginningEditEventArgs e)
{
    if (e.Column.DisplayIndex == 0) //First DataGridCheckBoxColumn
    {
        User u = e.Row.DataContext as User; //fetch the row data.
        if (u.IsMember == false) //examine the second checkbox data, do not allow if its false
        {
            e.Cancel = true;
        }
    }
}
#endregion

The same effect can be accomplished in some other ways. For example we can use CellEditEnded instead of BeginningEdit. In CellEditEnded, check for second check box state and mark first one as read-only when required. Example code below.

#region selectUsersGrid_CellEditEnded
private void selectUsersGrid_CellEditEnded(object sender, DataGridCellEditEndedEventArgs e)
{
    if (e.Column.DisplayIndex == 1) //Second check box state changed.
    {
        User u = e.Row.DataContext as User; //fetch the row data
        if (u.IsMember == false) //This is not a member, Clear IsDeny (make first check box as read-only)
            u.IsDeny = false;
    }
}
#endregion

One point to note in the above two code snippets is that, we are modifying the data (binding) to alter the cell state instead of cell itself. This becomes essential when we waned to change state that is not related to data, for example lets say background color of the cell. this can be accomplished as below.

#region selectUsersGrid_CellEditEnded
private void selectUsersGrid_CellEditEnded(object sender, DataGridCellEditEndedEventArgs e)
{
if (e.Column.DisplayIndex == 1) //Second check box state changed.
{

FrameworkElement firstCheckbox = e.Column.GetCellContent(e.Row);
if (firstCheckbox is CheckBox)
{
CheckBox c = firstCheckbox as CheckBox;
c.Background = new SolidColorBrush(Colors.Red);
}

}
}
#endregion

This is about it for now, We will talk more silverlight during coming posts. Feel free to contact me at syamp@microsoft.com if you have any questions about the above post.

Happy coding!

How To: Use CAT.NET 2.0 Beta

cisg — Fri, 05 Feb 2010 18:17:19 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

You can download the current Beta of CAT.NET 2.0 from https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

* You must have Visual studio 2010 Beta 2 for this tool to work. There are known issues if you have previous issues installed so please be aware.*

After the installation open up Visual Studio 2010 command prompt in *Administrator* mode by going to Start -> All Programs -> Microsoft Visual Studio 2010 -> Visual Studio Tools -> Visual Studio 2008 Command Prompt. At the command prompt type “sn -Vr *,b03f5f7f11d50a3a” to skip strong name verification for fxcop assemblies.

*Note sn this step will be fixed in a an incremental build very soon*

You can run CAT.NET as FXcop rules from FXCop GUI or FXCopcmd.exe

1. Start FxCop by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop. This will bring up the UI with CAT.NET rules loaded.

2. Right click “My FxCop Project” and select “Add Targets” to browse and add a target to analyze.

3. Click on the “Rules” tab to select appropriate rules.

Note: Sometimes FxCop UI does not display any results after selecting both rules. Workaround is to select configuration rules or data flow rules and alternate the selection after analysis.

4. After selecting a target, click the “Analyze” button in toolbar or just press F5 to start the analysis.

5. Review the results in the window on the right.

6. You can also run the analysis using the FxCop command line tool. Open FxCop Command line tool by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop Command Prompt. This will run the command line tool and display all the existing command line switches.

7. You can start analysis by using /console and /file switches. /console switch displays error in the console and /file switch specifies which file to analyze. Ex: FxCopCmd.exe /console /file:"C:\AntiXss\Sample Application\bin\SampleApp.dll"

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

How To: Use CAT.NET V2.0 Beta

cisg — Fri, 05 Feb 2010 00:24:21 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team responsible for testing CAT.NET.

You can download the current Beta of CAT.NET 2.0 from https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

* You must have Visual studio 2010 Beta 2 for this tool to work. There are known issues if you have previous issues installed so please be aware.*

You can run CAT.NET as FXcop rules from FXCop GUI or FXCopcmd.exe

1. Start FxCop by going to Start -> All Programs -> Microsoft Information Security -> Code Analysis Tool for .NET (CAT.NET) v2.0 -> FxCop. This will bring up the UI with CAT.NET rules loaded.

2. Right click “My FxCop Project” and select “Add Targets” to browse and add a target to analyze.

3. Click on the “Rules” tab to select appropriate rules.

Note: Sometimes FxCop UI does not display any results after selecting both rules. Workaround is to select configuration rules or data flow rules and alternate the selection after analysis.

4. After selecting a target, click the “Analyze” button in toolbar or just press F5 to start the analysis.

5. Review the results in the window on the right.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

CAT.NET 2.0 - Beta

cisg — Thu, 04 Feb 2010 00:42:16 GMT

Mark Curphey here…

Please to announce a beta of the upcoming CAT.NET 2.0. This beta program will last for approximately 1 month. The final released version is scheduled to release shortly after VS 2010 RTM. The goal of this beta program is to garner feedback from the user community. Please send all feedback to ist-cat@microsoft.com. There have been some significant changes to the code. These changes include;

User Experience

Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules.
Easy analysis using FxCop command line or UI interface or VSTS Team Build.
Currently beta includes FxCop UI and Command prompt.

Core Analysis

Total of 55 rules have been added. There are 9 data flow rules and 46 configuration rules are included in this version.
Updated tainted data flow analysis engine to track both tainted operands and source symbols.
Reduced false positives and false negatives.
Accomplished by detecting sanitizers, constant variables and instructions that affect the data flow.
New Data flow rule to detect XML Injection attacks
Updated configuration rules engine detecting clear text connection strings and credentials.
Rules to detect insecure defaults.
Example minRequiredPasswordLength attribute of membership providers add element.
Configuration rules updated to detect @page directive configuration overrides.

Known Issues

All current known issues have been included in the CAT.NET V2.0 Beta guide document. The items listed in this document will be resolved prior to final release.

Download

You can download the bits at Connect (link below)

https://connect.microsoft.com/site734/Downloads/DownloadDetails.aspx?DownloadID=26086&wa=wsignin1.0

Enjoy!

How To: View The Header of an EXE/DLL

cisg — Thu, 28 Jan 2010 17:39:23 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team.

At times we may want to know the target platform (i.e. x86 or x64) of an EXE/DLL. Visual studio provides a corflags.exe tool to identify the target platform.

Launch visual Studio command prompt in admin mode
Type CorFlags Assembly File Path and press enter
Example
C:\Windows\system32>corflags "C:\Program Files\Microsoft Information Security\Microsoft Code Analysis Tool for .NET (CAT.NET) v2.0\FxCopCmd.exe"
Microsoft (R) .NET Framework CorFlags Conversion Tool. Version 3.5.21022.8
Copyright (c) Microsoft Corporation. All rights reserved.

Version      : v4.0.21008
CLR Header: 2.5
PE              : PE32
CorFlags     : 3
ILONLY       : 1
32BIT         : 1
Signed       : 1
The PE and 32BIT flags gives details about type of the assembly;
Any CPU : PE = PE32 and 32BIT = 0
x86 : PE = PE32 and 32BIT = 1
x64 : PE = PE32+ and 32BIT = 0

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

Delay Between Actions Feature in CUIT

cisg — Mon, 18 Jan 2010 22:12:51 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team.

The CUIT code is executed at a very fast pace, at times you may want to execute the code a bit slow or with a delay between actions.

We have playback API which helps to achieve this as shown below;

Playback.PlaybackSettings.DelayBetweenActions = 1000;

The value is in milliseconds, use the above code as the first line in your CUIT methods to get a delay between actions of one milliseconds during playback.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

How To: Data Drive CUIT Scripts

cisg — Mon, 18 Jan 2010 22:11:31 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team.

One of the major feature for any automation tool is support for data driven test cases, CUIT too supports data driven testing. Let me show an example of data driving CUIT scripts.

Suppose you want to validate login feature of an application with different users.

Select test menu and click on windows –> Test View
Select the required test name say validatehomepage

Click on ellipse button next to data connection string in properties window
You can configure the required data source, select CSV file, click on Next

Click on Finish

Click on yes for “Copy the database file into the current project and add as deployment item”

You can see data source code being added to the Validatehomepage file
[DataSource("Microsoft.VisualStudio.TestTools.DataSource.CSV", "|DataDirectory|\\UserNames.csv", "UserNames#csv", DataAccessMethod.Sequential), DeploymentItem("PortalAutomation\\UserNames.csv"), TestMethod]

public void ValidateHomePage()
Data source is added to the project, now assign the values from data source to parameters of CUIT
this.UIMap.LoginAdminParams.UsernameEditText = testContextInstance.DataRow[0].ToString();
Run the tests, it runs for two iterations and shows the results

Likewise you can data drive any of the test cases, if you think out of the box you can apply the concept to validate all links present in web page.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

How To: Customize CUIT scripts

cisg — Mon, 18 Jan 2010 22:08:29 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team.

In the previous blog posts I have shown how to automate functional test cases using CUIT and adding check points/ assertions to CUITs. Lets see with an example “how to customize the CUIT scripts”.

Lets take a close look at the files that are generated after recording;

codedUITest1.cs file which has the method calls which we have recorded
UIMap.cs at this stage it has nothing much than empty UIMap class which we will modify in the due course
UIMap.Designer.cs contains code generated by CUIT builder
UserControls.cs contains definitions of specialized classes used in CUIT

UIMap.Designer.cs and UIMap.cs contains partial UIMap class. The designer file contains auto-generated code. As with any of the designer file, the modifications done to it would be lost if the code is regenerated.

// ------------------------------------------------------------------------------
//  <auto-generated>
//      This code was generated by coded UI test builder.
//      Version: 10.0.0.0
//
//      Changes to this file may cause incorrect behavior and will be lost if
//      the code is regenerated.
//  </auto-generated>
// ------------------------------------------------------------------------------

Suppose we have recorded sanity test cases and like to use to test production site. All you need is to modify the UIMap.cs file as shown below. Here we are updating the launch portal site params variable BlankPageWindowsInteWindowUrl to https://productionSite.

       1: public partial class UIMap

       2:     {

       3:  

       4:         public void ProductionValues()

       5:         {

       6:             this.LaunchPortalSiteParams.BlankPageWindowsInteWindowUrl = "https://productionSite";

       7:         }

       8:     }

Call this function from CUIT before any other function is called as;

       1: public void CodedUITest1()

       2:         {

       3:  

       4:             // To generate code for this test, select "Generate Code for Coded UI Test" from the shortcut menu and select one of the menu items.

       5:             this.UIMap.ProductionValues();

       6:             this.UIMap.LaunchPortalSite();

       7:             this.UIMap.ValidateHomePageLinks();

       8:             this.UIMap.ClosePortalSite();

       9:         }

Now you are good to test production site, likewise you can set values to any of the variables defined in UIMap.Designer.cs.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

How Do I: Configure Runtime Version

cisg — Fri, 15 Jan 2010 23:09:58 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team.

At times I need to test an application with different versions of the .NET framework. You can configure the application config file to force the application to use the .NET version specified in the config file.

For example, suppose we have application built with .NET 3.5 and want to check the compatibility with .NET 4.0 follow the below steps;

Open applicationname.exe.config file which will be under application path
If its not present create a one
Add the following xml node

        1: <configuration>

       2:   <startup>

       3:       <supportedRuntime version="v4.0.21006"/>

       4:   </startup>

       5: </configuration>

Save the file
Now run the application, it runs on .NET 4.0

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

How To: Add Assertions in Coded UI Tests

cisg — Fri, 15 Jan 2010 23:08:10 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team.

As continuation to my previous post, I want to show how to add assertions to coded UI test scripts. An example maybe that after launching a portal site you want to validate the user name.

Press enter after this.UIMap.LaunchPortalSite(); (continuation from the previous blog post) , right click and select first option “use coded UI test builder”

Click on the cross hair (third button) and drag and drop on the control you want to validate

Add assertions form will be shown, you can navigate through the controls and reach the top most control or form and see its properties. You can add assertion to any of the properties shown.

Right click on the inner text which we are interested in and click on add assertion

Select comparator and comparison value and click on Ok

Click on generate code button. Enter appropriate method name say ValidateUser and you are ready to validate the user name.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

How To: Functional Testing Automation Using Visual Studio 2010

cisg — Thu, 14 Jan 2010 18:04:39 GMT

Syed Aslam Basha here. I am a tester on the Information Security Tools Team. I want to share my first hand experience of automating functional test cases using coded UI Test, a feature in visual studio (VS) 2010 in my next coupple of blog posts.

In this blog post I will show an example of recording a scenario where I;

launch a web browser
open the portal site
Navigate within the portal site
Close the browser

and then of course play it all back using VS 2010. Here goes;

Launch VS 2010
Select File –> New Project
Select Visual C#, Test and Test project, give appropriate project name as shown below and click on ok

This will create my portal automation project along with default cs files
Right click on portal automation project name and select add coded UI Test

It will launch Generate code for coded UI test select the first option and click on ok

A small form called coded UI test builder is shown at the right hand bottom corner of your screen. Now you can record actions, add assertion (we will discuss in upcoming blog posts) and generate code

Click on start recording button in the coded UI Test Builder, launch browser.
Type in the site name and press enter
Click on pause recording in Coded UI test Builder. You can view the steps recorded and edit by clicking on show recorded steps button in coded UI test builder
Click on Generate code, enter method name as “LaunchSite”. Its always a good practice to have modular reusable steps (we can record all steps till the end of the test case, but we will divide test steps into modular reusable components to increase reusability) You can call this function wherever required.
Click on start recording and record actions. Click on links in home page.
Click on pause recording in coded UI test builder. Click on Generate Code, enter appropriate method name.
Click on start recording and close the browser
Click on pause recording in coded UI test builder. Click on Generate Code, enter appropriate method name.

Lets see the code generated. You can see

public void CodedUITest1()
        {

            // To generate code for this test, select "Generate Code for Coded UI Test" from the shortcut menu and select one of the menu items.
            this.UIMap.LaunchPortalSite();
            this.UIMap.ValidateHomePageLinks();
            this.UIMap.ClosePortalSite();
        }

Rename codedUITest1 to ValdiateHomePageLinks, to make it more meaningful and easy to understand. From your code you can clearly make out you are launching portal site, validating homepage links and closing thte site.
Press F5 or right click above LaunchPortalSite method and select run tests to run/ playback.
You will see the output in test results as passed or failed.

-Syed Aslam Basha (syedab@microsoft.com)

Microsoft Information Security Tools (IST) Team

Test Lead

One Story At A Time

cisg — Wed, 06 Jan 2010 05:09:50 GMT

Hey everyone, this is Marius Grigoriu, PM leading the Risk Tracker and Security BI projects and portal and notifications components. One of the challenges we encountered on our path to Agility was that our testers were getting squeezed at the end of each sprint. What I heard from our testers was that we could simply not perform all the desired testing and fixes in the last week or a four week sprint. This was a sign that we were doing something incorrectly. I started digging into the problem and asking questions. What I was told was that we couldn’t drop to test earlier in the cycle because code was still in progress or undergoing unit testing by the authors. I looked at our task list and found that all of our stories for the sprint were started, but none were fully completed (for us that means tested). This was actually a frightening discovery. We ran the risk of having nothing ready for our sprint demo if any last second issues were to appear!

As we planned the next sprint, I convinced my teams to try something different. What we did was fully plan and assign tasks for a story before moving onto the next. Rather than having only one developer per story, we applied the entire team to each story. If our schedule were to slip or something else go wrong, chances are that we would still have at least one story ready for demo. Planning our sprint this way showed us that we also had some bottlenecks in test. Although we do have automation in our regression suite, we found that our drop and deployment procedures were taking too long. Now that we were dropping and deploying several times per sprint, and often a few times per day this source of pain became obvious.

Our next step in continuous improvement will be to automate our deployments to test environments. I can see where this is heading, but don’t tell my team this. My guess is that next we will want to start connecting our builds jobs and automated tests on either end of the deployment automation to get a daily automated test report. And as pressure grows for frequent rollout to production and installation errors due to manual deployments, I could see us eventually making an effort automate ourselves all the way to production.

WCF Authorization with Custom Principal

cisg — Mon, 04 Jan 2010 20:39:40 GMT

Hi, I am Syam Pinnaka, Sr. SDE in InfoSec tools team.

In AuthZ component of CISF, we have a requirement to perform authorization checks in a WCF service. Since CISF AuthZ module has a custom implementation of IPrincipal called as CISFPrincipal, Its looks little tricky to use the CISFPincipal in a WCF client. but WCF makes it easy with IAuthorizationPolicy interface as explained below.

In order to integrate a custom Principal with WCF, we need to set the “PrincipalPermissionMode” property to “Custom”. In addition, we also need to set the authorization policy that will be used to create the custom principal objet and supply it to WCF plumbing.

Here is a sample implementation.

Authorization Policy:

    public class CISFAuthorizationPolicy: IAuthorizationPolicy
    {
        // this method gets called after the authentication stage
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {            
                // Get the authenticated client identity
                IIdentity client = GetClientIdentity(evaluationContext);
                
                Microsoft.InformationSecurity.CISF.Security.AuthZServices.AuthZService auth = new AuthZService();
                User singleuser = auth.GetUserInformation(client.Name, ConfigurationManager.AppSettings["ApplicationName"]);

                // Set the custom principal
                evaluationContext.Properties["Principal"] = new CISF.Security.Principal.CISFPrincipal(client, singleuser);                            
                return true;
        }
     }

Configuration:

<behaviors>
    <serviceBehaviors>
    <behavior name='CISFCustomBehavior'>       
      <serviceAuthorization principalPermissionMode='Custom'>
        <authorizationPolicies>
          <add policyType='Service.CISFAuthorizationPolicy, Service' />
        </authorizationPolicies>
      </serviceAuthorization>
    </behavior>
  </serviceBehaviors>
</behaviors>

Once the custom Principal is set in evalutationContext, regular authorization checks can be carried out based on custom principal. If custom principal implements Roles, PrincipalPermission.Demand can be used for imperative security check.

Alternatively, ServiceAuthorizationManager can be used to centralize the authorization logic instead of spreading the authorization logic all over the WCF service code. We can override the “CheckAccess” method to carry out our custom authorization check. One shortcoming of this method would be to modify this logic as new methods are added to or removed from the WCF service.

Feel free to contact me at syamp@microsoft.com if you need more details about any of the above approaches.

Happy coding and Happy New year, 2010!

What’s happening with CAT.NET 2.0?

cisg — Wed, 30 Dec 2009 17:23:35 GMT

RV here...

Our pre alpha release included a command line tool showcasing newer version of CAT.NET based on tainted data flow analysis engine using Phoenix compiler infrastructure. It also included a configuration analysis engine which was capable of identifying insecure configuration in .config files. We are actively working on the potential beta release of CAT.NET tool focusing mainly on the core analysis and user experience areas. Here is a quick update on changes.

User Experience
- Integration with Visual Studio 2010 code analysis infrastructure as FxCop rules
- Easy analysis using FxCop command line or UI interface or VSTS Team Build.
Core Analysis
- Updated tainted data flow analysis engine to track both tainted operands and source symbols
- Lesser false positives and false negatives by detecting sanitizers and constant variables and instructions that affect the data flow.
- New Data flow rule to detect XML Injection attacks
- Updated configuration rules engine to detect clear text connection strings and credentials
- Updated rules to detect insecure defaults, for example minRequiredPasswordLength attribute of membership providers add element.
- Configuration rules updated to detect @page directive configuration overrides.

Here is a list of FxCop CAT.NET data flow rules.

Here is a list of FxCop CAT.NET configuration rules.

With tighter integration with visual studio code analysis the changes are going to make it much more easier to use CAT.NET analysis to detect application level security issues.

Happy New Year!