Preparing an ASP.Net website for penetration testing

Question

Over the years I have had a few of the websites I have developed submitted for penetration testing by clients. Most of the time the issues that are highlighted when the results return relate to the default behaviour of ASP .Net such as possible cross site scripting attacks etc.

Are there any good articles on which vulnerabilities exist by default in an ASP .Net application and secondly are there any good checklists to follow which will help prepare a site in advance?

Answer 1

I think that the check list changes by the time and its theory with experience together. I always check my log files and see new ways that they try to penetrate my site - like scans on "non existing" files, or try to run random queries.

A good page that have many articles on penetration: http://www.cgisecurity.com/pentest.html

Some of the ways that try to penetrate on my sites.

Most common

• sql injections, so I check and block users that call my sites with the "select" command on the url line. I check also for other sql commands.
• Forgoten javascript filebrowser I see that lately they search for links like : wwwmysite.com/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=

To find them I monitor the "Page not found" event. Of course if page found then they penetrate. How ever its more possible to see failed tries and see what they are looking for.

Oracle attack

These days also I see a lot of oracle attacks. I find them and block the full ip of attacker using this code: CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC failed

Stealing cookies

I also follow the answers from this question: Can some hacker steal the cookie from a user and login with that name on a web site?
Main points: always use ssl encryption on login cookies (requireSSL=true), and not place roles on cookies (cacheRolesInCookies=false).

Block in advanced

I also block black listed ips from inside the system/program/iis, but in the past I have used PeerGuardian. Also there you can find a lot of bad ip lists that you can block in advanced. My only note on these bad ips is that I do not block them for ever, but only for some days. The block of bad ips helps me also with the hundred of spam emails. http://phoenixlabs.org/pg2/

Investigate the Log

I think that there are many ways that people can think and try to penetrate on your site. The point is how you can predict them and log them before that happens and make always a better mechanism to avoid them. As I say, I monitor the page not found, and the inside error that pages throws. These 2 methods show me a lot of penetration attempts.

Uploading scripts.

If you have give access to uploading files, images and other stuff make sure that they can not be run on the uploading directory. This can be done ether by double checking the extension of the file and also by disabling the running of programs and script on that directory, from the server itself, but also by placing a web.config on the upload directory with :

<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

Read one case: I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼

Answer 2

Checklist:

Web Application Security Guide/Checklist

Also, Many free tools are available for testing web application security, you can try out these:

• Netsparker: Netsparker Community Edition is a SQL Injection Scanner.
• Websecurify
• Watcher : Watcher is a Fiddler addon which aims to assist penetration testers in passively finding Web-application vulnerabilities.
• Wapiti: Web application vulnerability scanner / security auditor
• N-Stalker
• skipfish : Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
• Scrawlr
• x5s: x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. It's main goal is to help you identify the hotspots where XSS might occur by: 1. Detecting where safe encodings were not applied to emitted user-inputs. 2. Detecting where Unicode character transformations might bypass security filters. 3. Detecting where non-shortest UTF-8 encodings might bypass security filters
• Exploit-Me: Exploit-Me is a suite of Firefox web application security testing tools designed to be lightweight and easy to use.

Free Web Application Security Testing Tools

Answer 3

Don't want to mask the good answer of Aristos with a link but Google released a codelab to show the possible web applications exploits : its (new)-called google-gruyere.

Its more a learning way to understand the possible exploits than a checklist but the table of content can help you to do your checklist.

Here are some categories to take into account :

• Cross-Site Scripting (XSS)
  • File Upload XSS
  • Reflected XSS
  • Stored XSS
  • Stored XSS via HTML Attribute
  • Stored XSS via AJAX
  • Reflected XSS via AJAX
• Client-State Manipulation
  • Elevation of Privilege
  • Cookie Manipulation
• Cross-Site Request Forgery (XSRF)
• Cross Site Script Inclusion (XSSI)
• Path Traversal
  • Information disclosure via path traversal
  • Data tampering via path traversal
• Denial of Service
  • DoS - Quit the Server
  • DoS - Overloading the Server
• Code Execution (remote)
• Configuration Vulnerabilities (Information disclosure)
• AJAX vulnerabilities
  • DoS via AJAX
  • Phishing via AJAX
• Buffer Overflow and Integer Overflow
• SQL Injection