CS296N Web Development 2: ASP.NET

Web Security

Topics by week
1. Intro to course and input validation
2. Identity and user account administration
3. Authentication and Authorization
4. Web Security
5. Publishing to a server
6. Load Testing and Performance
7. Creating a Web Service
8. Consuming a Web Service, Async / Await
9. Docker Containers
10. Term Project


Introduction

  • Quiz?


Testing with ZAP

OWASP Zed Attack Proxy Project
Official Open Web Application Security Project, ZAP web site.

Getting Started with ZAP
Introduction to security testing and to installing and using the Zed Attack Proxy.

Overview of ZAP

Two modes of operation
  • Active scanning: ZAP fires HTTP requests at your web app using known attack techniques and scans the responses.
  • Passive scanning: ZAP watches your web app while you navigate between pages and enter data.  ZAP scans all HTTP messages (requests and responses) sent to the web app for vulnerabilities.
    Note: manual, passive scanning is the most effective form of security testing.
How to do an automated, passive scan
  1. Start ZAP.
  2. In the dialog that asks about persisting a session, select No. (Yes will record the scan session to a database file.)
  3. Start your web app in Visual Studio.
  4. In ZAP, on the Quick Start tab:
    • Click on "Automated Scan".
    • Enter your site's URL.
    • Check the "Use traditional spider" check box.
  5. Click attack.
    ZAP will passively scan all HTTP requests and responses as the spider navigates your site.
How to do a manual, passive scan
  1. Start your web app in Visual Studio.
  2. In ZAP, on the Quick Start tab:
    • Click on "Manual Explore".
    • Enter the URL.
    • Check the "Enable HUD" check box. (Heads Up Display--provides access to ZAP through a launched browser.)
  3. Click "Launch Browser".
    As you navigate your site and enter data in forms, ZAP will passively scan all HTTP requests and responses.

How to do an active scan
You need to have done a passive scan first and either saved your passive scan session or not closed ZAP since the passive scan.

  1. Start your web app in Visual Studio.
  2. In ZAP, select the Active Scan tab in the bottom pane:
    • Click on "New Scan".
    • To the right of "Starting Point", click "Select" and choose the URL where you want to start the scan.
    • Click "Start Scan".
The scan could take several minutes or more. You can see the progress at the top of the bottom pane.

Result of passive scan of BookInfo2

High priority Path Traversal (2)
High priority Remote OS Command Injection
High priority SQL Injection

Medium priority X-Frame-Options Header Not Set (5)
Medium priority Application Error Disclosure (5)
Medium priority Cookie No HttpOnly Flag (6)

Low priority Web Browser XSS Protection Not Enabled (7)
Low priority X-Content-Type-Options Header Missing (9)

Result of Active Scan

Medium priority X-Frame-Options Header Not Set (17)
Low priority Web Browser XSS Protection Not Enabled (18)
Low priority X-Content-Type-Options Header Missing (20)


Discussion of Alerts

X-Frame-Options Header Not Set

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. (Clickjacking - Wikipedia)

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your own server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the web page in the browsers that support it.

Set X-Frame-Options in ASP.NET Core

Combating ClickJacking With X-Frame-Options
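As an added example (not code from the course page or from the BookInfo2 project), here is a minimal ASP.NET Core Program.cs that adds the response headers the ZAP scans above flagged as missing: X-Frame-Options, X-Content-Type-Options, and the HttpOnly flag on cookies. It assumes .NET 6 or later minimal hosting and an MVC app with controllers and views; the header values are the ones the X-Frame-Options discussion recommends.

```csharp
// Added example: ASP.NET Core startup that sets the headers ZAP reported missing.
// Assumes .NET 6+ minimal hosting (WebApplication) and an MVC app.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

var app = builder.Build();

// "Cookie No HttpOnly Flag": force every cookie the app appends to be HttpOnly
// (not readable by page script) and Secure (sent only over HTTPS).
app.UseCookiePolicy(new CookiePolicyOptions
{
    HttpOnly = HttpOnlyPolicy.Always,
    Secure = CookieSecurePolicy.Always
});

// Security-header middleware placed early in the pipeline so the headers are on
// every response, including static files and error pages produced later.
app.Use(async (context, next) =>
{
    // OnStarting runs just before the response headers are sent, so the headers
    // are added even when a later component sets the status code or body.
    context.Response.OnStarting(() =>
    {
        var headers = context.Response.Headers;

        // "X-Frame-Options Header Not Set": this site never expects to be framed,
        // so use DENY. Use SAMEORIGIN instead if pages on this server frame each other.
        headers["X-Frame-Options"] = "DENY";

        // "X-Content-Type-Options Header Missing": tell browsers not to MIME-sniff
        // a response into a different content type than the one declared.
        headers["X-Content-Type-Options"] = "nosniff";

        return Task.CompletedTask;
    });

    await next();
});

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();

app.Run();
```

Two things to check when you re-run the passive scan. First, ASP.NET Core's antiforgery support already emits X-Frame-Options: SAMEORIGIN on responses where it generates a token (a page containing a form), unless AntiforgeryOptions.SuppressXFrameOptionsHeader is set, which is why some pages may pass even before you add the middleware; the middleware above covers the pages with no form. Second, the "Web Browser XSS Protection Not Enabled" alert refers to the X-XSS-Protection header, which current Chromium-based browsers and Firefox no longer act on, so it is deliberately not added here; the real mitigation for XSS is output encoding, which Razor does by default.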


Conclusion

  • Review lab due dates on Moodle
  • Next time we will...