Security Testing

Showing posts with label Attacker.

Wednesday, September 19, 2018

Overly permissive CORS

The Origin header is sent by the browser in a CORS request and indicates the origin of the request. It can be spoofed outside the browser, so it must not be relied on as the only control: check that application-level protections for sensitive data are still in place.
Access-Control-Allow-Origin is a response header used by a server to indicate which domains are allowed to read the response.
Insecure configurations include using the '*' wildcard as the value of the Access-Control-Allow-Origin header, which means all domains are allowed. Another insecure example is a server that reflects the request's Origin header back without any additional checks, which can lead to access to sensitive data. Such a configuration is very insecure and is not acceptable, except for a public API that is intended to be accessible by everyone.

# nginx: whether this is safe depends entirely on how $cors_header is derived.
# If it simply echoes the request Origin without an allowlist check, this is the
# reflected-origin case described above, made worse by allowing credentials.
add_header Access-Control-Allow-Origin $cors_header;
add_header Access-Control-Allow-Credentials true;
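An allowlist-based CORS decision next to a probe that tells the two insecure patterns described above apart. This is an added example, not code from the original post; the allowlist, the handler functions and the probe origin are constructed.

```python
# Added example, not code from the original post: an allowlist-based CORS
# decision plus a probe that tells the insecure patterns described above apart.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # constructed allowlist

def allowlisted_handler(origin, allowed=ALLOWED_ORIGINS):
    """Safe pattern: exact-match the Origin against a fixed allowlist.

    Unknown origins (including 'null' and lookalikes such as
    https://app.example.com.attacker.example) get no CORS headers at all.
    """
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # keep caches from serving one origin's header to another
        }
    return {}

def reflecting_handler(origin):
    # Constructed insecure pattern: echoes whatever Origin arrives, with credentials.
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def wildcard_handler(origin):
    # Constructed insecure pattern: '*' for every caller.
    return {"Access-Control-Allow-Origin": "*"}

def audit_cors(handler, probe_origin="https://attacker.example"):
    """Send one request from an unrelated Origin and classify the policy.

    Returns (policy, exposes_credentialed_data).  Browsers refuse '*' together
    with credentials, so only the reflected case leaks authenticated responses
    to arbitrary sites; '*' still exposes any unauthenticated data.
    """
    headers = handler(probe_origin)
    acao = headers.get("Access-Control-Allow-Origin")
    credentials = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == "*":
        policy = "wildcard"
    elif acao == probe_origin:
        policy = "reflected"
    else:
        policy = "restricted"
    return policy, credentials and policy == "reflected"
```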

Wednesday, September 12, 2018

Web Application Source Code Disclosure Pattern Found

It is possible to retrieve the source code of server-side scripts, which may expose business logic or sensitive information such as usernames and passwords.


Possible Causes
· Patches for 3rd. party products were not installed
· Temporary files were left in production environment
· Debugging information was left by the programmer in web pages
Application source code should not be accessible to web users, as it may contain sensitive application information and back-end logic.
It can give an attacker useful guidance for future exploitation. Leakage of sensitive information may carry various levels of risk and should be limited whenever possible.
Recommendation
There are many ways of revealing application source code. To ensure that your application does not allow web users access to source code: [1] check that all system patches related to source code disclosure are installed; [2] check that no application source code is left in HTML comments; [3] check that all source code files are removed from the production environment.


Monday, August 20, 2018

Authentication and Authorization


  • Authentication is the process of verifying who you are. When you log on to a PC with a user name and password, you are authenticating.
  • Authorization comes after authentication and verifies that you have access to something. Gaining access to a resource because the permissions configured on it allow you access is authorization.
Authentication can be done using the following methods:
  • Local Code42 platform directory
  • LDAP
  • Single Sign-On (SSO)
  • RADIUS
Authorization can be done using the following methods:
  • Local Code42 platform directory
  • LDAP

Thursday, July 5, 2018

Symmetric & Asymmetric Encryption

Symmetric Encryption
Symmetric encryption is the best-known technique. A secret key, which can be a number, a word, or a string of random letters, is applied to a message to change its content in a particular way. This can be as simple as shifting each letter by a number of places in the alphabet. Both sender and recipient know the secret key, and the same key encrypts and decrypts all messages.


Asymmetric Encryption
When secret keys are exchanged over the Internet they might fall into the wrong hands, and anyone who obtains the secret key can decrypt the messages. The solution is asymmetric encryption, in which there are two related keys, a key pair. The public key is made freely available to anyone who wants to send you a message. The second, private key is kept secret, so that only you know it.

A message encrypted with the public key can only be decrypted by applying the same algorithm with the matching private key. Likewise, a message encrypted with the private key can only be decrypted with the matching public key.
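The two directions described above, worked through with textbook RSA on deliberately tiny primes. This is an added example, not code from the original post; the primes and the message value are constructed, and real systems use moduli of 2048 bits or more together with padding.

```python
# Added example, not code from the original post: textbook RSA with tiny
# constructed primes, to show the two key-pair directions described above.
def make_keypair(p, q, e=17):
    """Return (public_key, private_key) from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)

def apply_key(key, value):
    """Modular exponentiation; the same operation serves every direction below."""
    exponent, modulus = key
    return pow(value, exponent, modulus)

def encrypt_for_recipient(public_key, message):
    return apply_key(public_key, message)    # anyone can do this with the public key

def decrypt_as_recipient(private_key, ciphertext):
    return apply_key(private_key, ciphertext)  # only the private-key holder recovers the message

def encrypt_with_private_key(private_key, message):
    return apply_key(private_key, message)   # the "encrypt with the private key" direction

def decrypt_with_public_key(public_key, ciphertext):
    return apply_key(public_key, ciphertext)   # anyone holding the public key can undo it

if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)         # constructed primes: n = 3233
    c = encrypt_for_recipient(pub, 65)
    print(c, decrypt_as_recipient(priv, c))
```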

Validation Rule

You can add input validation to Web Forms pages by using validation controls.
To make sure that all the required parameters exist in a request, use the "RequiredFieldValidator" validation control. This control ensures that the user does not skip an entry in the web form.
To make sure user input contains only valid values, you can use one of the following validation controls:
[1] "RangeValidator": checks that the entry falls between specified lower and upper boundaries. You can check ranges within pairs of numbers, alphabetic characters, and dates.

[2] "RegularExpressionValidator": checks that the entry matches a pattern defined by a regular expression. This allows checking for predictable sequences of characters, such as those in social security numbers, e-mail addresses, telephone numbers, postal codes, and so on.



Anti-CSRF and AJAX

The form token is a problem for AJAX requests: AJAX sends JSON data, not an HTML form, so the form token cannot be validated in the usual way. The solution is to send the token in a custom HTTP header. The code below uses Razor syntax to generate the token, which is then added to the AJAX request. The token is generated by calling AntiForgery.GetTokens.


// Razor helper (method name assumed here) that stores the cookie half of the
// token pair in an HttpOnly cookie and returns the form half for the header.
public string TokenHeaderValue()
{
    string cookieToken, formToken;
    AntiForgery.GetTokens(null, out cookieToken, out formToken);
    var responseCookie = new HttpCookie("__AJAXAntiXsrfToken")
    {
        HttpOnly = true,
        Value = cookieToken
    };
    if (FormsAuthentication.RequireSSL && HttpContext.Current.Request.IsSecureConnection)
    {
        responseCookie.Secure = true;
    }
    HttpContext.Current.Response.Cookies.Set(responseCookie);
    return formToken;
}
The AntiForgery.Validate method validates the tokens and throws an exception if they are not valid. On the server, both halves are read from the custom header, where they are sent as "cookieToken:formToken":
// Reads the two token halves from the RequestVerificationToken header and validates them.
void ValidateRequestHeader(HttpRequestMessage request)
{
    string cookieToken = "";
    string formToken = "";
    IEnumerable<string> tokenHeaders;
    if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
    {
        string[] tokens = tokenHeaders.First().Split(':');
        if (tokens.Length == 2)
        {
            cookieToken = tokens[0].Trim();
            formToken = tokens[1].Trim();
        }
    }
    AntiForgery.Validate(cookieToken, formToken);
}


Content security policy header

OWASP is currently updating its guidance on this header.


To protect against Cross-Site Scripting, set the 'default-src' policy, or 'script-src' AND 'object-src', with proper values. Insecure values such as '*', 'data:', 'unsafe-inline', or 'unsafe-eval' should be avoided.
To protect against Cross-Frame Scripting or clickjacking, set the 'frame-ancestors' policy with proper values. Insecure values such as '*' or 'data:' should be avoided.

  • base-uri controls the protected resource's ability to specify the document base URL.
  • child-src deprecates and replaces frame-src, controlling the protected resource's ability to embed frames.
  • form-action controls the protected resource's ability to submit forms.
  • frame-ancestors controls the protected resource's ability to be embedded in other documents.
  • A protected resource's ability to load Workers is now controlled via child-src rather than script-src.

Content-Security-Policy: frame-ancestors 'self' example.com *.example.net;

To prevent all framing of your content use:
Content-Security-Policy: frame-ancestors 'none';
To allow for your site only, use:
Content-Security-Policy: frame-ancestors 'self';

<add name="Content-Security-Policy" value="frame-ancestors 'self'; child-src 'self' YOUR-WEBSITE-URL" />
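A parser for the Content-Security-Policy header with the two checks described above (script and object sources for XSS, frame-ancestors for clickjacking), written as an added example that is not code from the original post; the sample headers in the comments and tests are constructed.

```python
# Added example, not code from the original post: parse a
# Content-Security-Policy header and apply the two checks described above.
INSECURE_SCRIPT_SOURCES = {"*", "data:", "'unsafe-inline'", "'unsafe-eval'"}
INSECURE_FRAME_SOURCES = {"*", "data:"}

def parse_csp(header):
    """Turn "a 'x' y; b z" into {'a': ["'x'", 'y'], 'b': ['z']} (names lower-cased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header):
    """Return a list of findings; an empty list means both checks pass."""
    policy = parse_csp(header)
    findings = []
    # XSS: script-src and object-src fall back to default-src when absent.
    for directive in ("script-src", "object-src"):
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append(f"{directive} not set and no default-src fallback")
            continue
        bad = INSECURE_SCRIPT_SOURCES.intersection(sources)
        if bad:
            findings.append(f"{directive} allows insecure source(s): {', '.join(sorted(bad))}")
    # Clickjacking: frame-ancestors does NOT fall back to default-src.
    ancestors = policy.get("frame-ancestors")
    if ancestors is None:
        findings.append("frame-ancestors not set: any site may frame this page")
    else:
        bad = INSECURE_FRAME_SOURCES.intersection(ancestors)
        if bad:
            findings.append(f"frame-ancestors allows insecure source(s): {', '.join(sorted(bad))}")
    return findings
```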

Denial of Service (DoS)

Denial of service attacks are the most common way to take websites and servers down. They are easy to launch and hard to protect against. The way to mitigate an attack is to block responses to the attackers, catching the attacker as early as possible after the request has been received by the web server.

There are two challenges to blocking the attacks:
  • Identify the attackers
  • Block the response only to the attackers
To catch the request as early as possible, an HttpModule is the right place: it is executed before any page or any other handler, so the impact on the server can be minimized. This HttpModule monitors all requests and blocks requests coming from IP addresses that make many requests in a short period of time. After a while the attacking IP address is released from the block.
Implementation
Download the DosAttackModule.cs file below and put it into the App_Code folder of your website. Then add the following lines to the web.config's <system.web> section:
<httpModules>
  <add type="DosAttackModule" name="DosAttackModule" />
</httpModules>

SQL Injection

Nowadays SQL injection is a common attack that uses malicious SQL code to manipulate the database and access its information. When it is being exploited, the web application often displays the error message from the database, complaining that the query syntax is incorrect. Through SQL injection an attacker gains unauthorized access to the website and takes its information.


How to exploit:-
Example
Take a simple username (admin) and, as the password, a value we choose:
' OR 'a'='a
FROM users WHERE user='admin' AND password='' OR 'a'='a'
'a'='a' is always true.
Let's analyze:
Username='admin' AND Password='' OR 'a'='a'
means the username/password condition evaluates to true.
Use the Burp Suite tool and inject customized payloads through Intruder.
Here are some common SQL injection test strings:
 or 1=1
or 1=1--
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'# ... etc.

How to Fix:-

1. Use stored procedures
2. Use parameterized queries
3. Limit database permissions and privileges
4. Avoid displaying database errors directly to the user
5. Use regular expressions to identify text blocks and SQL statements in input
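The concatenated login query analyzed above beside its parameterized fix (item 2 of the list), run against an in-memory SQLite database. This is an added example, not code from the original post; the table, the stored credentials and the payload are constructed for the demonstration.

```python
# Added example, not code from the original post: the concatenated login
# query from the analysis above next to the parameterized version, executed
# against a constructed in-memory SQLite database.
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-s3cret')")  # constructed row
    return conn

def login_vulnerable(conn, user, password):
    # String concatenation: the quote in the password closes the literal and the
    # trailing OR 'a'='a' makes the WHERE clause true for every row, because
    # AND binds tighter than OR:  (user='admin' AND password='') OR 'a'='a'
    sql = f"SELECT user FROM users WHERE user='{user}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None

def login_fixed(conn, user, password):
    # Parameterized query: the values travel separately from the SQL text, so the
    # quote and the OR are compared literally against the stored password.
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None
```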

Wednesday, June 6, 2018

Clickjacking Attack and Prevention

Clickjacking:-
This type of attack requires the attacker to use JavaScript. The attacker induces a user to perform an undesired action by clicking on a concealed link: the attacker loads another page on top of it in a transparent layer. Put differently, the attacker hijacks the click events on their page and routes them to another page.
<html>
  <head>
    <title>click</title>
  </head>
  <body>
    <p>website vulnerable to clickjacking</p>
    <iframe src="url" width="500" height="500"></iframe>
  </body>
</html>


Defend:-
Use the ClearClick feature in NoScript. You can use the relaxed setting, but make sure ClearClick is enabled; this prevents clickjacking attacks.

Server-side: send the proper Content Security Policy (CSP) frame-ancestors directive in the response headers.
The two most popular X-Frame-Options values are X-Frame-Options: Deny and X-Frame-Options: SameOrigin.


Client-side: the most commonly used frame-busting code typically consists of a "conditional statement" and a "counter-action" statement. The aim of this technique is to prevent the site from functioning when it is loaded inside a frame.