Note: This document is now live on MSDN. See "Cheat Sheet: Web Application Security Frame" at http://msdn.microsoft.com/library/en-us/dnpag2/html/TMWAcheatsheet.asp
Web Application Security Frame
J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley
Microsoft Corporation
May 2005
Overview
The Web Application Security Frame defines a set of categories for Web applications. These categories are areas where mistakes are most often made and they represent those areas where you should focus most attention.
The categories defined by the Web Application Security Frame have been derived by security experts who have examined and analyzed the top security issues across many Web applications. They have been refined with input from consultants, product support engineers, customers, and partners.
Categories
| Category | Description |
|---|---|
| Input and Data Validation | How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. |
| Authentication | Who are you? Authentication is the process that an entity uses to identify another entity, typically through credentials such as a user name and password. |
| Authorization | What can you do? Authorization is the process that an application uses to control access to resources and operations. |
| Configuration Management | Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues. |
| Sensitive Data | How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected, whether in memory, over the network, or in persistent stores. |
| Session Management | How does your application handle and protect user sessions? A session refers to a series of related interactions between a user and your Web application. |
| Cryptography | How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity. |
| Parameter Manipulation | How does your application handle parameter values? Form fields, query string arguments, and cookie values are frequently used as parameters for an application. Parameter manipulation refers both to how your application safeguards these values against tampering and to how your application processes input parameters. |
| Exception Management | When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully? |
| Auditing and Logging | Who did what and when? Auditing and logging refer to how your application records security-related events. |
Vulnerabilities Organized by Web Application Security Frame
Table 2 lists vulnerabilities for each Web Application Security Frame category.
Table 2: Web Application Security Frame Vulnerabilities
| Category | Vulnerabilities |
|---|---|
| Input/Data Validation | * Using non-validated input in the Hypertext Markup Language (HTML) output stream. * Using non-validated input to generate SQL queries. * Relying on client-side validation. * Using input file names, URLs, or user names for security decisions. * Using application-only filters for malicious input. * Looking for known bad patterns of input. |
| Authentication | * Using weak passwords. * Storing clear text credentials in configuration files. * Passing clear text credentials over the network. * Permitting over-privileged accounts. * Permitting prolonged session lifetime. * Mixing personalization with authentication. |
| Authorization | * Relying on a single gatekeeper. * Failing to lock down system resources against application identities. * Failing to limit database access to specified stored procedures. * Using inadequate separation of privileges. |
| Configuration Management | * Using insecure administration interfaces. * Using insecure configuration stores. * Storing clear text configuration data. * Having too many administrators. * Using over-privileged process accounts and service accounts. |
| Sensitive Data | * Storing secrets when you do not need to. * Storing secrets in code. * Storing secrets in clear text. * Passing sensitive data in clear text over networks. |
| Session Management | * Passing session identifiers over unencrypted channels. * Permitting prolonged session lifetime. * Having insecure session state stores. * Placing session identifiers in query strings. |
| Cryptography | * Using custom cryptography. * Using the wrong algorithm or too small a key size. * Failing to secure encryption keys. * Using the same key for a prolonged period of time. * Distributing keys in an insecure manner. |
| Parameter Manipulation | * Failing to validate all input parameters. * Storing sensitive data in unencrypted cookies. * Storing sensitive data in query strings and form fields. * Trusting HTTP header information. * Using unprotected view state. |
| Exception Management | * Failing to use structured exception handling. * Revealing too much information to the client. |
| Auditing and Logging | * Failing to audit failed logons. * Failing to secure audit files. * Failing to audit across application tiers. |
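The first two Input/Data Validation vulnerabilities in Table 2 (non-validated input in the HTML output stream, non-validated input used to build SQL queries) and the countermeasures that answer them (constrain input with an allow-list rather than hunting for known bad patterns, then encode output) are easiest to see side by side. The following is an added example written for this page, not code from the original cheat sheet or from Microsoft; the in-memory SQLite user table, the user-name format, and the sample inputs are all constructed for the demonstration.

```python
import html
import re
import sqlite3


# Constructed sample data: an in-memory table standing in for the application's user store.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


# Vulnerable form: non-validated input is concatenated into the SQL statement, so the input
# can change the statement's meaning (the "non-validated input to generate SQL queries" row).
def lookup_vulnerable(conn, name):
    statement = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(statement).fetchall()


# Hardened form, step 1: constrain input with an allow-list of length, format and type
# (assumed business rule: 1 to 32 letters, digits or underscores) instead of searching for
# known bad patterns, which is the last vulnerability listed in the Input/Data Validation row.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(name):
    return isinstance(name, str) and USERNAME_RE.match(name) is not None


# Hardened form, step 2: even validated input is passed as a bound parameter, never spliced
# into the statement text, so the database treats it as data rather than as SQL.
def lookup_hardened(conn, name):
    if not is_valid_username(name):
        raise ValueError("rejected: user name fails validation")
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Output side: the vulnerable renderer places raw input in the HTML stream (the
# "non-validated input in the HTML output stream" row); the hardened one encodes on output.
def render_greeting_vulnerable(name):
    return "<p>Hello, " + name + "</p>"


def render_greeting_hardened(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

The two hardened steps are independent layers: the allow-list rejects input the application has no business accepting, and the bound parameter keeps the query safe even if the allow-list is later widened (for example to admit apostrophes in names). Output encoding is applied regardless of whether the value passed validation, because the HTML context, not the value's origin, decides what must be escaped.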
Threats and Attacks Organized by Web Application Security Frame
Table 3 lists threats and attacks for each Web Application Security Frame category.
Table 3: Web Application Security Frame Threats and Attacks
| Category | Threats / Attacks |
|---|---|
| Input/Data Validation | * Buffer overflows. * Cross-site scripting. * SQL injection. * Canonicalization attacks. |
| Authentication | * Network eavesdropping. * Brute force attacks. * Dictionary attacks. * Cookie replay attacks. * Credential theft. |
| Authorization | * Elevation of privilege. * Disclosure of confidential data. * Data tampering. * Luring attacks. |
| Configuration Management | * Unauthorized access to administration interfaces. * Unauthorized access to configuration stores. * Retrieval of clear text configuration secrets. * Lack of individual accountability. * Over-privileged process and service accounts. |
| Sensitive Data | * Accessing sensitive data in storage. * Accessing sensitive data in memory (including process dumps). * Network eavesdropping. * Information disclosure. |
| Session Management | * Session hijacking. * Session replay. * Man-in-the-middle attacks. |
| Cryptography | * Loss of decryption keys. * Encryption cracking. |
| Parameter Manipulation | * Query string manipulation. * Form field manipulation. * Cookie manipulation. * HTTP header manipulation. |
| Exception Management | * Revealing sensitive system or application details. * Denial of service attacks. |
| Auditing and Logging | * User denies performing an operation. * Attacker exploits an application without trace. * Attacker covers his tracks. |
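The Session Management and Parameter Manipulation rows of Table 3 (cookie replay, session replay, cookie manipulation) share one root cause: a value the client holds is trusted without an integrity check or a lifetime. The following added example, written for this page and not taken from the cheat sheet or from Microsoft, shows a session token that carries an unguessable session id from the platform CSPRNG, an absolute expiry, and an HMAC so that an edited or replayed token is rejected. The signing key, the token layout and the sample values are all assumptions made for the demonstration; the key would in practice come from platform key storage, never from code.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side signing key. In a real deployment this comes from platform key
# storage (for example DPAPI on Windows, as the Cryptography countermeasures recommend),
# never from source code or a clear text configuration file.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, ttl_seconds, now=None, key=SERVER_KEY):
    """Build base64(JSON payload) + "." + base64(HMAC-SHA256 over the payload).
    The payload carries the subject, a session id from the platform CSPRNG (not a custom
    generator), and an absolute expiry so a replayed token stops working after a short life."""
    now = time.time() if now is None else now
    payload = {"sub": user, "sid": secrets.token_hex(16), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(token, now=None, key=SERVER_KEY):
    """Return (payload, None) for a valid token, or (None, reason) when it must be rejected.
    The MAC is checked before the payload is parsed, so nothing the client can edit is trusted
    until its integrity has been established."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        supplied = _unb64(tag)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return None, "tampered"
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None, "expired"
    return payload, None


def simulate_client_edit(token, **changes):
    """Test fixture only: rewrite the payload the way a client editing its own cookie would,
    leaving the original MAC in place, so the verifier's rejection can be demonstrated."""
    body, tag = token.split(".", 1)
    payload = json.loads(_unb64(body))
    payload.update(changes)
    return _b64(json.dumps(payload, separators=(",", ":")).encode("utf-8")) + "." + tag
```

The token still has to travel only over an encrypted channel and in a cookie rather than a query string (both Session Management vulnerabilities in Table 2); the MAC proves integrity, not confidentiality, and a short `ttl_seconds` is what bounds the window in which a captured token can be replayed.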
Countermeasures Organized By Web Application Security Frame
Table 4 lists the countermeasures for each Web Application Security Frame category.
Table 4: Web Application Security Frame Countermeasures
| Category | Countermeasures |
|---|---|
| Input/Data Validation | * Do not trust input. * Validate input: length, range, format, and type. * Constrain, reject, and sanitize input. * Encode output. |
| Authentication | * Use strong password policies. * Do not store credentials. * Use authentication mechanisms that do not require clear text credentials to be passed over the network. * Encrypt communication channels to secure authentication tokens. * Use HTTPS only with forms authentication cookies. * Separate anonymous from authenticated pages. |
| Authorization | * Use least privilege accounts. * Consider granularity of access. * Enforce separation of privileges. * Use multiple gatekeepers. * Secure system resources against system identities. |
| Configuration Management | * Use least privileged service accounts. * Do not store credentials in clear text. * Use strong authentication and authorization on administrative interfaces. * Do not use the Local Security Authority (LSA). * Avoid storing sensitive information in the Web space. * Use only local administration. |
| Sensitive Data | * Do not store secrets in software. * Encrypt sensitive data over the network. * Secure the channel. |
| Session Management | * Partition site by anonymous, identified, and authenticated users. * Reduce session timeouts. * Avoid storing sensitive data in session stores. * Secure the channel to the session store. * Authenticate and authorize access to the session store. |
| Cryptography | * Do not develop and use proprietary algorithms (XOR is not encryption; use platform-provided cryptography). * Use the RNGCryptoServiceProvider method to generate random numbers. * Avoid key management; use the Windows Data Protection API (DPAPI) where appropriate. * Periodically change your keys. |
| Parameter Manipulation | * Do not trust fields that the client can manipulate. These include query strings, form fields, cookie values, and HTTP headers. |
| Exception Management | * Use structured exception handling (by using try-catch blocks). * Catch and wrap exceptions only if the operation adds value/information. * Do not reveal sensitive system or application information. * Do not log private data such as passwords. |
| Auditing and Logging | * Identify malicious behavior. * Know your baseline (know what good traffic looks like). * Use application instrumentation to expose behavior that can be monitored. |
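The Auditing and Logging countermeasures in Table 4 (identify malicious behavior, know your baseline, instrument the application so behavior can be monitored) only pay off if something actually reads the audit trail, and the first vulnerability in that category in Table 2 is failing to audit failed logons at all. The following added example, written for this page rather than taken from the cheat sheet or from Microsoft, parses a constructed logon audit log and flags two departures from a baseline: more failures against one account than the baseline allows in a five-minute window (the brute force and dictionary attacks of Table 3), and one source failing against several distinct accounts in that window. The log format, the thresholds and every record are assumptions made for the demonstration; note that the records carry who, what, when and from where, but never the password that was tried, in line with the Exception Management advice not to log private data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not from any real system): time, outcome, account, source.
SAMPLE_LOG = """\
2005-05-01T10:00:01Z LOGON_FAILURE user=alice src=203.0.113.5
2005-05-01T10:00:03Z LOGON_FAILURE user=alice src=203.0.113.5
2005-05-01T10:00:04Z LOGON_FAILURE user=alice src=203.0.113.5
2005-05-01T10:00:05Z LOGON_FAILURE user=alice src=203.0.113.5
2005-05-01T10:00:06Z LOGON_FAILURE user=alice src=203.0.113.5
2005-05-01T10:00:07Z LOGON_FAILURE user=alice src=203.0.113.5
2005-05-01T10:00:09Z LOGON_SUCCESS user=alice src=203.0.113.5
2005-05-01T10:01:00Z LOGON_FAILURE user=bob src=198.51.100.7
2005-05-01T10:30:00Z LOGON_SUCCESS user=bob src=198.51.100.7
2005-05-01T11:00:00Z LOGON_FAILURE user=carol src=192.0.2.9
2005-05-01T11:00:01Z LOGON_FAILURE user=dave src=192.0.2.9
2005-05-01T11:00:02Z LOGON_FAILURE user=erin src=192.0.2.9
2005-05-01T11:00:03Z LOGON_FAILURE user=frank src=192.0.2.9
"""

# Assumed record schema; anything that does not match it is skipped rather than guessed at.
LINE_RE = re.compile(r"^(\S+) (LOGON_FAILURE|LOGON_SUCCESS) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn audit text into (timestamp, outcome, account, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, window=timedelta(minutes=5), per_account_baseline=3, distinct_accounts=3):
    """Return findings as (kind, subject, count). The thresholds are the baseline: they should
    be set from what good traffic looks like for the application, not chosen once and forgotten."""
    findings = []
    by_user = defaultdict(list)
    by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome != "LOGON_FAILURE":
            continue
        by_user[user].append(ts)
        by_src[src].append((ts, user))
    # Repeated failures against one account above the baseline: brute force or dictionary attack.
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count > per_account_baseline:
                findings.append(("brute_force", user, count))
                break
    # One source failing against many distinct accounts inside the window.
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= distinct_accounts:
                findings.append(("many_accounts_one_source", src, len(users)))
                break
    return findings


def analyze(log_text):
    return detect(parse(log_text))
```

Run against the sample, `analyze` reports the burst against `alice` and the source `192.0.2.9` that touched four accounts, while `bob`'s single failure followed by a success stays below the baseline. The same sliding-window logic applies across tiers once each tier writes the same schema, which is what the "audit across application tiers" vulnerability in Table 2 is about.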