.net 4.6.1 Vulnerabilities
Avice
Vulnerabilities in .NET Framework Allows Code Execution (MS11-028) is a high risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve or prone to being overlooked entirely.
Use of Vulnerability Management tools, like AVDS, are standard practice for the discovery of this vulnerability. The primary failure of VA in finding this vulnerability is related to setting the proper scope and frequency of network scans. It is vital that the broadest range of hosts (active IPs) possible are scanned and that scanning is done frequently. We recommend weekly. Your existing scanning solution or set of test tools should make this not just possible, but easy and affordable. If that is not the case, please consider AVDS.
The Vulnerabilities in .NET Framework Allows Code Execution (MS11-028) is prone to false positive reports by most vulnerability assessment solutions. AVDS is alone in using behavior based testing that eliminates this issue. For all other VA tools security consultants will recommend confirmation by direct observation. In any case Penetration testing procedures for discovery of Vulnerabilities in .NET Framework Allows Code Execution (MS11-028) produces the highest discovery accuracy rate, but the infrequency of this expensive form of testing degrades its value. The ideal would be to have pentesting accuracy and the frequency and scope possibilities of VA solutions, and this is accomplished only by AVDS.
AVDS is currently testing for and finding this vulnerability with zero false positives. If your current set of tools is indicating that it is present but you think it is probably a false positive, please contact us for a demonstration of AVDS.
The secret killer of VA solution value is the false positive. There was an industry wide race to find the most vulnerabilities, including Vulnerabilities in .NET Framework Allows Code Execution (MS11-028) ,and this resulted in benefit to poorly written tests that beef up scan reports by adding a high percentage of uncertainty. This may have sold a lot of systems some years ago, but it also stuck almost all VA solutions with deliberately inaccurate reporting that adds time to repairs that no administrator can afford. Beyond Security did not participate in this race to mutually assured destruction of the industry and to this day produces the most accurate and actionable reports available.
-028.mspxVulnerabilities in .NET Framework Allows Code Execution (MS11-028) is a high risk vulnerability that is also high frequency and high visibility. This is the most severe combination of security factors that exists and it is extremely important to find it on your network and fix it as soon as possible.
For years, our team has been doing threat modeling on Website projects. Part of our template includes the OWASP Top 10 plus other well-known vulnerabilities, so that when we're doing threat modeling, we always make sure that we have a documented process to addressing each of those common vulnerabilities.
On rare occasions, we develop WinForms or Windows Service applications when a web app doesn't meet the needs. I'm wondering if there is an equivalent list of commonly known security vulnerabilities for WinForms apps.
There is a big difference between a web environment and a desktop environment. When developing web sites and services, the thing you don't trust is the user (user input). When running a desktop application, the thing that isn't trusted is the application itself, or atleast, a system administrator would like to know whether the application itself doesn't do any harm, since code the runs on the local computer is a risk by itself.
So in a sense, for you as a developer of a desktop application, security rules not always apply, since the application you run is not a black box, but a white box. With a web service / site, you expect attacks to not be able to change the internal state, but with any desktop app (Java, .NET, native) it is 'quite' easy to change the state of the application while the application is running and especially with Java and .NET, debugging and decompiling an application is quite easy.
In other words, you must consider the desktop application completely compromised, and if this is a risk, you must extract everything that must be secure (authentication, authorization, validation) to an external (web) service. For this service, the 'normal' OWASP rules apply.
Things you should watch, is that it's really hard to completely secure your data layer, when a desktop application connects directly to a database. For instance, SQL injection is not an issue for your desktop application in this case, since when the application can directly connect to the database, so can the user. And if the user can connect to the database, he can execute any arbitrary query. This is an extreme form of SQL injection, but it completely skips your application.
Trying to secure a 2 tier application, often means the use of stored procedures as intermediate (service) layer (and preventing direct access to tables). Developing and maintaining stored procedures is much more costly than developing a .NET (web) service.
Another technique is to make your executable codes(i.e. codes that comes into the memory when the program is being executed) varies with time. However you must first ensure that all other codes(which is not executed then) are safe. This can be done by encryption. But you must also make sure that the encryption program is more highly secured. The encryption program is always fixed in ROM and secured by physical means.
The .NET Framework is Microsoft's principal platform for enterprise development. It is the supporting API for ASP.NET, Windows Desktop applications, Windows Communication Foundation services, SharePoint, Visual Studio Tools for Office and other technologies.
The .NET Framework constitutes a collection of APIs that facilitate the usage of an advanced type system, managing data, graphics, networking, file operations, and more - essentially covering the vast majority of requirements for developing enterprise applications within the Microsoft ecosystem. It is a nearly ubiquitous library that is strongly named and versioned at the assembly level.
The .NET Framework is kept up-to-date by Microsoft with the Windows Update service. Developers do not normally need to run separate updates to the Framework. Windows Update can be accessed at Windows Update or from the Windows Update program on a Windows computer.
The OWASP Top 10 lists the most prevalent and dangerous threats to web security in the world today and is reviewed every few yearsand updated with the latest threat data. This section of the cheat sheet is based on this list.Your approach to securing your web application should be to start at the top threat A1 below and work down;this will ensure that any time spent on security will be spent most effectively andcover the top threats first and lesser threats afterwards. After covering the Top 10 it is generally advisableto assess for other threats or get a professionally completed Penetration Test.
DO NOT: Tell someone if the account exists on LogOn, Registration or Password reset. Say something like 'Either the username or password was incorrect', or 'If this account exists then a reset token will be sent to the registered email address'. This protects against account enumeration.
The feedback to the user should be identical whether or not the account exists, both in terms of content and behavior. E.g., if the response takes 50% longer when the account is real then membership information can be guessed and tested.
The following code snippet shows an example of using AES-GCM to perform encryption/decryption of data. It is strongly recommended to have a cryptography expert review your final design and code, as even the most trivial error can severely weaken your encryption.
The following code snippet shows an example of using Eliptic Curve/Diffie Helman (ECDH) together with AES-GCM to perform encryption/decryption of data between two different sides without the need the transfer the symmetric key between the two sides. Instead, the sides exchange public keys and can then use ECDH to generate a shared secret which can be used for the symmetric encryption.
DO: Use allowlist validation on all user supplied input wherever possible. Input validation prevents improperly formed data from entering an information system. For more information please see the Input Validation Cheat Sheet.
e.g. .NET Core 2.2 and greater and .NET 5 and greater support ProcessStartInfo.ArgumentList which performs some character escaping but the object includes a disclaimer that it is not safe with untrusted input.
DO: Look at alternatives to passing raw untrusted arguments via command-line parameters such as encoding using Base64 (which would safely encode any special characters as well) and then decode the parameters in the receiving application.
Almost any characters can be used in Distinguished Names. However, some must be escaped with the backslash \ escape character.A table showing which characters that should be escaped for Active Directory can be found at the in theLDAP Injection Prevention Cheat Sheet.
Insecure design refers to security failures in the design of the application or system. This is different than the other itemsin the OWASP Top 10 list which refer to implementation failures. The topic of secure design is therefore not related to a specifictechnology or language and is therefore out of scope for this cheat sheet. See the Secure Product Design Cheat Sheet for more information.
If you are using tag-helpers, which is the default for most web project templates, then all forms will automatically send the anti-forgery token. You can check if tag-helpers are enabled by checking if your main _ViewImports.cshtml file contains:
To automatically validate all requests other than GET, HEAD, OPTIONS and TRACE you need to add a global action filter with the AutoValidateAntiforgeryToken attribute inside your Startup.cs as mentioned in the following article:
c80f0f1006