URL Rewriting Session at Black Hat
Hi everyone, Bryan here. I wanted to make a quick (and shameless) plug for my session at Black Hat this week. I’ll be talking about the use of URL rewriting as a defense against XSS, XSRF, open-redirect phishing and browser history theft, which I’ve discussed in the past both on this blog and in MSDN Magazine.
In conjunction with my talk, I’d also like to announce availability of a proof-of-concept URL rewriting tool that implements the concepts illustrated in the talk. The rewriter is implemented as an HttpModule for ASP.NET applications – activating this module for use in your own code will typically require one new line of code and one change to your web.config file.
You can download the tool here, but again I’d like to stress that this is a proof-of-concept and should not be used for any production code. Please do feel free to test it out and even decompile it if you like – just let us know where it works, where it doesn’t, and how it can be improved.