
Exceptionally simple AppSec .NET tasks

I suggest everyone stretch their brains after the weekend and start the work week with C# programming tasks that look simple at first glance. Perhaps these tasks will make you look at the code of your own projects from a new angle, since all of them come from a gloomy area: application security, AppSec. Not much is written about AppSec on the .NET platform, even less is said about it, and some people believe that using any managed language magically makes an application secure. I try to correct this state of affairs by speaking at conferences about various aspects of .NET platform security. So this week, on Thursday, our SPB .NET Community is holding a meetup in St. Petersburg devoted entirely to developing secure ASP.NET applications. If you are interested in the details of this meeting, want to learn more about the St. Petersburg .NET developer community, or want to try your hand at the AppSec .NET tasks, welcome under the cut!

Since nothing has yet been written about the SPB .NET Community on Habr, I will start with it. In June, a community of programmers writing for .NET formed in St. Petersburg. Our goal is to share the experience of solving the problems we run into at work, and to meet offline to discuss current issues and news from the .NET world. The platform is going through a development boom right now: a huge amount of code is being released as open source, there is a new web platform, two new C# language standards are under discussion, and there is cross-platform support, which offers great opportunities and promises a whole new field of pitfalls. As Lewis Carroll said, to stay in place you have to run. And if you run together, the chances of not falling behind increase (runners will understand the metaphor). So, what has been done so far: we held the first meeting and organized an island at IT Global Meetup, where we gave four talks, got to know each other and discussed future plans. Judging by the feedback, the talks were well received, and the idea of reviving regular meetings of the .NET crowd had already been on many people's minds.

Now we are preparing the second meeting. It will be held on June 25 at 19:30 in the St. Petersburg office of DataArt, and its main topic is the development of secure applications. This Thursday Vladimir Kochetkov, a well-known expert in information security in general and on the .NET platform in particular, is coming to St. Petersburg. He agreed to take part in our meeting, so if you know Volodya from blogs, webinars or his work on the RSDN Team, you have a chance to come and talk to him in person. The program includes two talks and a lot of discussion: “Theory of Application Security .NET” by Vladimir Kochetkov and “Practice of Application Security .NET” by Mikhail Scherbakov (my talk). I have presented material on this topic at recent conferences: .NEXT, dotnetconf.ru, SECON. But for the meetup I have prepared new examples and challenges, which we will also go through at the meeting. And, yes, the tasks... I will not say more about the meetup; read the announcement in the community group at spbdotnet.org, register via the link and come. Participation is of course free, only registration is required (the number of seats is unfortunately limited, but there are still free seats).

And now, attention: the tasks.


  1. Does the code of the following aspx page contain security problems? If so, which ones, and in which lines of code? Bonus question (with an asterisk): what data would have to be sent to the server to demonstrate the attacks? The conditions for running the code are standard: an IIS 8.5 server with default settings, the aspx page is included in a web project with default settings and built for Framework 4.5.1.
    <%@ Page Language="C#" AutoEventWireup="true"%>
    <script language="C#" runat="server">
        protected void Page_Load(object sender, EventArgs e)
        {
            var text = TextBox1.Text + TextBox2.Text;
            if (text != String.Empty)
            {
                Label1.Text = "Input: " + text;
            }
            else
            {
                TextBox1.Text = Request["first"] + Request["second"];
            }
            int count;
            if (Int32.TryParse(Request["count"], out count))
            {
                for (int i = 0; i < count; i++)
                {
                    var name = String.Format("base64_item{0}", i);
                    var value = Request[name];
                    if (value != null)
                    {
                        RadioButtonList1.Items.Add(
                            new ListItem(Encoding.UTF8.GetString(Convert.FromBase64String(value)), value));
                    }
                }
            }
        }
    </script>
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
    </head>
    <body>
        <!-- <asp:Label runat="server"> <%= Request["first"] + Request["second"] %> </asp:Label> -->
        Preview: <img src="<%= ResolveUrl("~/Content/Images/" + Request["page"] + ".png")%>"/>
        <form id="form1" runat="server">
            <asp:Label ID="Label1" runat="server"></asp:Label><br/>
            <asp:RadioButtonList ID="RadioButtonList1" runat="server"/><br/>
            <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
            <asp:TextBox ID="TextBox2" runat="server"></asp:TextBox><br/>
            <asp:Button ID="Button1" runat="server" Text="Save"/>
        </form>
    </body>
    </html>

  2. Does the following C# code contain security issues? In what ways could an attacker exploit the vulnerabilities, if any? How would you fix this code? Database access goes through Entity Framework classes: CoinsDB is the context class of our database, inherited from DbContext, and CustomerLogin is the class of our database entity; its code is below. The conditions for executing the code are standard, as in the example above; the database is MS SQL.

    using System;
    using System.Collections.Generic;
    using System.ComponentModel.DataAnnotations;
    using System.ComponentModel.DataAnnotations.Schema;
    using System.Data.SqlClient;
    using System.Linq;

    protected void Page_Load(object sender, EventArgs e)
    {
        using (var db = new CoinsDB())
        {
            var where = String.Empty;
            var parameters = new List<object>();
            var email = Request["email"];
            if (email != null)
            {
                where += String.Format(" email LIKE '{0}%'", email);
            }
            var field = Request["field"];
            var min = Request["min"];
            var max = Request["max"];
            if (field != null && min != null && max != null)
            {
                if (!String.IsNullOrEmpty(where))
                {
                    where += " AND";
                }
                where += String.Format(" {0} >= @min AND {0} <= @max", EncodeSqlField(field));
                parameters.Add(new SqlParameter("@min", min));
                parameters.Add(new SqlParameter("@max", max));
            }
            var query = "SELECT * FROM CustomerLogin";
            if (!String.IsNullOrEmpty(where))
            {
                query += " WHERE";
                query += where;
            }
            var output = db.Database.SqlQuery<CustomerLogin>(query, parameters.ToArray()).ToArray();
            // the entity property is spelled "raiting", see the CustomerLogin class below
            lblOutput.Text = output.Length == 0
                ? "Not found"
                : String.Join("<br/>", output.Select(customer => customer.login + " - " + customer.raiting));
        }
    }

    private string EncodeSqlField(string field)
    {
        return field.Replace("'", String.Empty)
                    .Replace(" ", String.Empty)
                    .Replace("\\", String.Empty)
                    .Replace(",", String.Empty)
                    .Replace("(", String.Empty)
                    .Replace(")", String.Empty);
    }

    [Table("CustomerLogin")]
    public partial class CustomerLogin
    {
        [Key]
        [StringLength(100)]
        public string login { get; set; }
        [StringLength(100)]
        public string email { get; set; }
        public long raiting { get; set; }
        public long customerNumber { get; set; }
        [Required]
        [StringLength(40)]
        public string password { get; set; }
        public short? question_id { get; set; }
        [StringLength(50)]
        public string answer { get; set; }
    }
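As an added example (not from the original post or the meetup materials), here is a defensively written Page_Load that handles the same request parameters as the task 1 page: bounded loop, whitelisted image name, tolerant base64 decoding and output encoding; the class name, MaxItems, AllowedPages and PreviewUrl are assumptions.

```csharp
// Added example, not from the original post. Hardened handling of the same
// request parameters as in task 1; MaxItems and AllowedPages are assumptions.
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.UI.WebControls;

public partial class Task1Hardened : System.Web.UI.Page
{
    const int MaxItems = 20; // upper bound instead of trusting "count" from the client
    static readonly HashSet<string> AllowedPages =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "home", "about" };
    // Bound in the markup as <img src="<%: PreviewUrl %>"/>; <%: %> HTML-encodes its output.
    protected string PreviewUrl { get; private set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        var text = TextBox1.Text + TextBox2.Text;
        if (text != String.Empty)
        {
            // Label renders Text verbatim, so encode untrusted data before assigning it.
            Label1.Text = "Input: " + HttpUtility.HtmlEncode(text);
        }
        else
        {
            // TextBox encodes its value attribute itself, so no double encoding here.
            TextBox1.Text = Request["first"] + Request["second"];
        }
        // Pick the image from a fixed list instead of concatenating a client-supplied name.
        var page = Request["page"] ?? String.Empty;
        PreviewUrl = ResolveUrl("~/Content/Images/" +
            (AllowedPages.Contains(page) ? page.ToLowerInvariant() : "default") + ".png");

        int count;
        if (!Int32.TryParse(Request["count"], out count)) return;
        for (int i = 0; i < Math.Min(count, MaxItems); i++)
        {
            var value = Request["base64_item" + i];
            if (value == null) continue;
            byte[] bytes;
            try { bytes = Convert.FromBase64String(value); }
            catch (FormatException) { continue; } // malformed input must not surface as an error page
            // RadioButton item text is rendered unencoded, so encode the decoded label.
            var label = HttpUtility.HtmlEncode(Encoding.UTF8.GetString(bytes));
            RadioButtonList1.Items.Add(new ListItem(label, value));
        }
    }
}
```

Note that markup inside an HTML comment (`<!-- -->`) is still processed by ASP.NET and its `<%= %>` blocks still execute; only a server-side comment (`<%-- --%>`) removes it from the page.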

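As an added example (not from the original post or the meetup materials), here is a hardened version of the task 2 query construction that keeps the same behaviour for the email prefix search and the numeric range filter; LoginRating, RangeFields and EscapeLike are assumptions, while CoinsDB and lblOutput are the names used in the task.

```csharp
// Added example, not from the original post. Hardened task 2 query: whitelisted
// column names, typed parameters, escaped LIKE input, only displayed columns selected.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
// Result type for SqlQuery: only the two columns the page shows (assumed name).
public class LoginRating { public string login { get; set; } public long raiting { get; set; } }
public partial class Task2Hardened : System.Web.UI.Page
{
    // Columns a client may range-filter on, mapped to their exact bracketed SQL names.
    static readonly Dictionary<string, string> RangeFields =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "raiting", "[raiting]" }, { "customerNumber", "[customerNumber]" } };
    // SQL Server LIKE wildcards are neutralised with bracket escapes so input matches literally.
    static string EscapeLike(string s) { return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]"); }

    protected void Page_Load(object sender, EventArgs e)
    {
        var clauses = new List<string>();
        var parameters = new List<object>();
        var email = Request["email"];
        if (email != null)
        {
            clauses.Add("[email] LIKE @email");
            parameters.Add(new SqlParameter("@email", EscapeLike(email) + "%"));
        }
        string column; long min, max;
        if (RangeFields.TryGetValue(Request["field"] ?? String.Empty, out column)
            && Int64.TryParse(Request["min"], out min) && Int64.TryParse(Request["max"], out max))
        {
            // Column text comes only from the whitelist; the bounds travel as typed parameters.
            clauses.Add(column + " >= @min AND " + column + " <= @max");
            parameters.Add(new SqlParameter("@min", min));
            parameters.Add(new SqlParameter("@max", max));
        }
        // Select only what is displayed, so password and answer never reach the page.
        var query = "SELECT [login], [raiting] FROM [CustomerLogin]";
        if (clauses.Count > 0) query += " WHERE " + String.Join(" AND ", clauses);
        using (var db = new CoinsDB())
        {
            var output = db.Database.SqlQuery<LoginRating>(query, parameters.ToArray()).ToArray();
            lblOutput.Text = output.Length == 0 ? "Not found" : String.Join("<br/>",
                output.Select(c => HttpUtility.HtmlEncode(c.login + " - " + c.raiting)));
        }
    }
}
```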

Please write your answers in the comments under a spoiler. We will go through all the interesting cases on June 25 at the meetup.

Source: https://habr.com/ru/post/260875/
