On the web side of things, C # (and, more generally, ASP.NET) is usually vulnerable to the following elements (elements listed by OWASP Top 10 2013 ). I understand that you are mostly interested in the shell functions, of which I cover some, however you did ask how people accidentally create dangerous C # code, so I hope I have provided some insight here.
A1-injection
SQL injection
Query generation by concatenating strings.
var sql = "SELECT * FROM UserAccount WHERE Username = '" + username "'"; SqlCommand command = new SqlCommand(sql , connection); SqlDataReader reader = command.ExecuteReader();
This can often be solved with parameterized queries , but if you use the IN clause, this is currently not possible without string concatenation.
LDAP Injection
Code for example
searcher.Filter = string.Format("(sAMAccountName={1})", loginName);
may make the application vulnerable. More details here .
OS Command Injection
This code is vulnerable to entering commands, because the second parameter Process.Start may have additional commands passed to it using the & symbol to batch process several commands
string strCmdText= @"/C dir c:\files\" + Request.QueryString["dir"]; ProcessStartInfo info = new ProcessStartInfo("CMD.exe", strCmdText); Process.Start(info);
eg. foldername && ipconfig
A2-Broken Authentication and Session Management
Log off
By default, the SignOut authentication method does not update the server side, allowing you to continue using the captured autostart.
Calling the SignOut method only removes the forms authentication cookie. The web server does not save valid and expired authentication tickets for later comparison. This makes your site vulnerable to re-attack if an attacker receives a valid authentication cookie.
Using Session State for Authentication
A session commit might be vulnerable if the user used session state for authentication .
Scripts A3-Cross-Site (XSS)
Response.Write (and the label <%= => ) are vulnerable by default if the developer does not remember the HTML encoding of the output. A later label <%: HTML is encoded by default, although some developers can use it to insert values in JavaScript, where an attacker can avoid this. Even using the modern Razor engine , it is difficult to do it right:
var name = '@Html.Raw(HttpUtility.JavaScriptStringEncode(Model.Name))';
ASP.NET by default includes Request Validation , which blocks any input from cookies, query strings, and POST data that could potentially be malicious (like HTML tags). This seems to do well with input coming through a particular application, but if the database has content that has been added from other sources, for example, from an application written using other technologies, it is possible that the malicious script code may still be deduced. Another weakness is that the data is inserted inside the attribute value. eg.
<% alt = Request.QueryString["alt"]; %> <img src="http://example.com/foo.jpg" alt="<%=alt %>" />
This can be used without running a query check:
If alt -
" onload="alert('xss')
then it does
<img src="http://example.com/foo.jpg" alt="" onload="alert('xss')" />
In older versions of .NET, this was a bit of a mine-field for the developer to ensure that their output was correctly encoded using some default web controls.
Unfortunately, the data binding syntax does not yet contain a built-in encoding syntax; its appearance in the next version of ASP.NET
eg. not vulnerable:
<asp:Repeater ID="Repeater1" runat="server"> <ItemTemplate> <asp:TextBox ID="txtYourField" Text='<%# Bind("YourField") %>' runat="server"></asp:TextBox> </ItemTemplate> </asp:Repeater>
vulnerable:
<asp:Repeater ID="Repeater2" runat="server"> <ItemTemplate> <%# Eval("YourField") %> </ItemTemplate> </asp:Repeater>
A4-Insecure Direct Object Links
Linking the MVC model may allow parameters added to the POST data to map to the data model. This may happen unintentionally, because the developer did not understand that an attacker could change the settings in this way. The Bind attribute can be used to prevent this .
Incorrect A5 configuration
There are many configuration options that can weaken application security. For example, set customErrors to On or enable tracing.
Scanners such as ASafaWeb can check for these common incorrect configurations.
A6-sensitive data exposure
Default Hashing
The default hashing methods in ASP.NET are sometimes not the best.
Access Control to Functional Level A7
URL restriction disclaimer
In integrated pipeline mode, .NET can see every request, and descriptors can resolve each request even for non-.NET resources (such as .js and images). However, if the application I am running in classic mode, .NET only sees requests for files, such as .aspx , so other files may be accidentally unsecured. See this answer for more details.
eg. www.example.com/images/private_photograph_user1.jpg is likely to be vulnerable in an application that runs in classic mode, although there are workarounds .
A8-Cross-Site Request Subroutine (CSRF)
Although legacy web form applications are generally more secure for CSRFs because an attacker must fake View State and Event Validation , newer MVC applications may be vulnerable if the developer did not manually execute anti-fake tokens . Note that I am not saying that web forms are not vulnerable, it’s just more difficult to simply pass a few basic parameters - there are corrections, although, for example, integration of the user key into the value of “View state”.
If the EnableEventValidation property is set to true, ASP.NET verifies that the control event originated from the user interface that was rendered by this control. The control registers its events during rendering, and then checks for events during postback or callback processing. For example, if the list control includes parameters numbered 1, 2, or 3, when the page is displayed, and if a return request is received that sets parameter 4, ASP.NET throws an exception. All event-driven controls in ASP.NET use this feature by default.
Function[EnableEventValidation] reduces the risk of unauthorized or malicious callbacks and callbacks. It is highly recommended that you disable event checking.
A10-Unvalidated - Forwarding and Forwarding
Adding code, for example
Response.Redirect(Request.QueryString["Url"]);
will make your site vulnerable. An attack can be triggered by sending a phishing email to the user containing the link. If the user is vigilant, he can double check the domain URL before clicking. However, since the domain will correspond to your domain, which the user trusts, he clicks the link, not suspecting that the page will redirect the user to the domain of the attacker.
Verification should be done on Url to ensure that it is either a relative, allowed URL, or an absolute URL for one of your own allowed domains and pages. You can verify that someone is not redirecting your users to /Logout.aspx , for example. Although there could be nothing to prevent an attacker from directly linking to http://www.example.com/Logout.aspx , they could use redirection to hide the URL, so it’s more difficult for the user to figure out which page they are accessing ( http://www.example.com/Redirect.aspx?Url=%2f%4c%6f%67%6f%75%74%2e%61%73%70%78 ).
Other
Other categories of OWASP:
- A9 - Use of components with known vulnerabilities
about which I can’t think of anything, which is typical for C # / ASP.NET. I will update my answer if I think of any (if you think they are relevant to your question).