Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Sep 6, 2012

Security through HTTP response headers

Security headers in an HTTP response
There are many things to consider when securing a web application but a definite "quick win" is to start taking advantage of the security HTTP response headers that are supported in most modern browser. It doesn't matter which development platform you use to build your application, these headers will make a notable difference for the security of your website anyway!

The screenshot shows what the security headers look like. The security headers are included in the web server's response to a browser — instructing the browser to enable (or disable) certain security features. They're invisible to the user, but you can have look at them with tools such as Fiddler or the developer tools that are built into the major browsers. In IE or Chrome press F12, in Opera (Ctrl+Shift+i), in Firefox (Ctrl+Shift+k), for Safari have a look here to enable the developer tools.

A great thing about these response headers is that they're very easy to get started with. In many cases you might not even have to change a single line of code in your application as you can set the headers either through your application's configuration, or they can likely be set by whatever web server you use.

If you're building ASP.NET applications I would like to point you to NWebsec, an ASP.NET security library that lets you easily configure these headers for your application. Go and have a look at the documentation, it explains how you can configure the headers through web.config. Don't worry, if you're the MVC kind of person you can use filter attributes instead. You'll find the library on NuGet so you'll be up and running in a matter of minutes! Disclaimer: I built it, so I think it's pretty cool.

A quick note: Last year, I gave a lightning talk at the ROOTs conference about the role browsers play for your online security. There I also discussed security headers. Slides and video are online if you want to check them out: "The browser - your best friend and worst enemy" (slides / video).

Now let's have a look at the headers and how they can improve the security of your website.

Jul 29, 2012

Generating secure Guids

Guids are used extensively throughout Microsoft systems and developers tend to turn to Guid.NewGuid() whenever they need to create a value to uniquely identify something. Guids might also be used as keys or identifiers in security critical operations — under the assumption that they are hard to guess for an attacker. I've been looking around the Internet to see if I could find some guidance on Guid security along with details on how they are generated in the .NET framework. I couldn't find much information, but I did find that Eric Lippert from the C# team recently raised some concerns about the Guids on his blog. So I started digging around to see what more I could find out.

First of all a quick background. Microsoft's Guid is their implementation of the Universally Unique IDentifier (UUID) outlined in RFC 4122. UUIDs are 128 bits, and the Guid class generates version 4 UUIDs, meaning that all bits except those defining the version and variant of the UUID are "random." Please note that 4 bits are used for the version number, and two bits are used for the variant — so it's not a 128 bit random number, it's a 122 bit random number.

May 15, 2012

Towards more secure password hashing in ASP.NET

A couple of weeks ago I was remotely involved in a discussion on password hashing in .NET with @thorsheim, @skradel, and @troyhunt. (Follow them if you're on Twitter). The background for the discussion was that password hashing using MD5/SHA-1/SHA-256 isn't quite the state of the art anymore. All the recent password breaches have triggered recommendations to make password cracking harder. The algorithms that are usually recommended are PBKDF2 (Password based key derivation function), bcrypt, or scrypt. So which of these should you choose if you're working with .NET?

I'm a conservative guy. Cryptographic algorithms are very hard to get right, as there's all sorts of things that can go wrong when you implement them. Consequently, I prefer to use whatever is available in the .NET framework. That's because Microsoft have crypto-experts on staff, and they've also pioneered the SDL which means you should expect high quality implementations of their (security critical) software. So it's really a trust thing. At the time of writing, PBKDF2 is the only algorithm of the three mentioned that's readily available in the framework. You probably see where this is leading: bcrypt and scrypt are disqualified in my book. When it comes to cryptographic functions, stick with the framework! PBKDF2 is the best alternative for now.

Following the discussion on Twitter, @skradel shared a library where he had wrapped the built-in PBKDF2 as a HashAlgorithm. That way, PBKDF2 (through his wrapper) could easily be used by other parts of the framework, such as the SqlMembershipProvider. It really was an elegant solution. He blogged about it in: Strong Password Hashing for ASP.NET, you should check it out (@thorsheim was so delighted that he had to blog about it too :).

When you're dealing with PBKDF2, you'll see that it takes a couple of parameters. @skradel's already chosen some reasonable defaults in his implementation so it's all hidden and taken care of there. But if you were to implement this yourself and explain to someone how you chose those parameters, what then?

May 13, 2012

How Finnish disco killed my privacy

I noticed some unexpected activity on my Facebook wall the other day. I have a special list of "friends," who aren't really friends but more aquaintances. I have used that list to block them from seing much of what's going on on my Facebook wall (hey, we can still be "friends" right?). Now suddenly some of these people started "Liking" stuff I posted. And that struck me as..... weird.

What was going on? Turns out that I've been sharing my updates with all my "friends" since 31th of March. And I had no idea I was doing that — until I noticed that users I thought to be blocked had started interacting with my content.

After some investigation I found that ever since I shared a "Finnish disco" video on the 31th of March all my posts had been set to be shared with "Friends." That of course includes my blacklisted "friends." At first I couldn't understand how that was possible. I had read about the per post sharing settings when they first showed up, and here's Facebooks privacy policy dated 26th March 2010, explaining really well how it works. And I quote the relevant part:
Posts by Me. You can select a privacy setting for every post you make using the publisher on our site. Whether you are uploading a photo or posting a status update, you can control exactly who can see it at the time you create it. Whenever you share something look for the lock icon. Clicking on the lock will bring up a menu that lets you choose who will be able to see your post. If you decide not to select your setting at the time you post the content, your content will be shared consistent with your Posts by Me privacy setting.
Note that last sentence. If you don't select anything, it will go with your default setting! And my default setting was of course to share with "Friends," except for my blacklist. So what went wrong? Fast forward to today's privacy policy (called the Data User Policy, dated September 23, 2011). And I quote again:

Apr 17, 2012

Get the UNIX feel in Windows 7

Every once in a while I've really missed having a Unix shell on my Windows box. When your e.g. monitoring a log file, Notepad just doesn't cut it. I've been using Cygwin on and off as an alternative to get access to handy tools such as catgreplesstailvi and so on. But I haven't really been too excited about Cygwin.

I discovered recently that Microsoft provides a Subsystem for UNIX-based Applications built-in to Windows 7. Fantastic! As with many other features, you'll have to enable it in "Windows features". When it's enabled, you'll need to download and install the Utilities and SDK for Subsystem for UNIX-based Applications. Then you'll find shortcuts to a C shell and a Korn shell in your start menu. I went with the C shell, which gave me tab completion, the up/down arrow command history etc.

And there it was! tail -f on a logfile:

If you haven't yet discovered the brilliance of Unix and its common tools, you might want to check out Microsoft's familiarization video :)

Unix-Klingz out.

Mar 19, 2012

Promising new WIF tools

Vittorio Bertocci has shared some exciting news about the upcoming WIF tools for Visual Studio 11 on his blog. The tools look really nice, especially the local development STS. Here are the direct links (for future reference):

On the blog, you'll also find that the Identity team is hiring. I just checked the list of open positions at Microsoft, and they have 35 (!) open positions on their identity page. I expect we'll see more cool stuff from the identity team in the future!

If you're a .NET developer, now is the time to get on the WIF train. WIF will be an integral part of the .NET framework as of version 4.5, which is currently in beta (for those of us who went all-in on WIF last year, this is quite a relief).

Mar 6, 2012

IIS 500 errors leave clues in the log

Yesterday I was playing around with the validateIntegratedModeConfiguration="true" setting on IIS 7.5. To my surprise I got an empty response back, with no indication of what went wrong.

Looking at the response with Fiddler yields:

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 05 Mar 2012 15:59:52 GMT
Content-Length: 0

There's not much to work with here! I checked the event log, there was nothing there. So I started looking around for an error log of some sort (I used to play with Apache back in the days) turns out there's no such thing in IIS.

Some googling led me to an in-depth article: Troubleshoot IIS7 errors like a pro. I enabled detailed error messages for my website, still no luck.

Finally, I figured out that the easiest way to get an indication of what's going on is to check the IIS log. In the default setup, IIS keeps the logs for each website in: C:\inetpub\logs\LogFiles. Here's a log entry from my logfile (shortened for readability):

Mar 2, 2012

How to enable WIF token replay detection

Windows Identity Foundation (WIF) is vulnerable to replay of security tokens in its default configuration. The "Replay Detection" article on MSDN presents a good example of how things can go wrong without the replay detection (why do everyone have to use online banking as their example?):
As another example, suppose that a user opens a browser on a public kiosk, logs on to a bank account using the bank’s Web site, logs off and leaves, but does not close the browser. The response to the user’s logon page, which contains the STS token, is still in the browser’s history. Another person could then browse back to that response page and replay it, which would repost the STS token to the bank’s Web site.
This scenario is very much real and it does not involve any fancy hacking techniques. All you need is a browser and a "back" button. You'll find some scattered references on the Internet to the solution of the problem, the tokenReplayDetection configuration setting. You'll find a mention of the configuration element in the WIF FAQ on Technet and in the WIF book, but you'll find the most helpful explanation in the ACS security guidelines.

I'll cut to the chase, here's the config to enable the token replay detection. Please don't use the parameters as is, read the security considerations and tweak the values accordingly. Seriously.

Feb 20, 2012

Multiline search and replace in Visual Studio

Today I had to add a new HttpModule to A LOT of web.configs. Adding it manually would be too tedious, so I had to figure out how to search for a single line in Visual Studio 2010 and replace it with two lines of text. If I could only find a way to search for some text, and replace it with several lines of text!

Google turned up some hints about the Regex search, but no apparent solutions. After playing around a bit with the regex search in Visual studio, I found that it supports multiline text in both the search and replace strings.

When you're using "Find and Replace" in Visual Studio you can enable Regular Expressions, under "Find options", as shown in the screenshot. The regular expressions let you represent newlines in the search or replace fields, by using a \n. Cool! I've included an example below the image.

But beware, when you enable regular expressions you need to escape special characters, in my case < and >,  with a backslash. Your "Find" statement will be interpreted as a regular expression. Check out the MSDN page on regular expressions in Visual Studio to learn more about which characters are special and which are not.

Update Sep. 2012: This post deals with Visual Studio 2010. Regular expressions have changed in VS 2012, as you'll see from the link above. See the comments on this post for a new example of multiline search and replace for both VS 2010 and VS 2012.

Jan 11, 2012

How not to hash passwords in .NET

In connection with a bug in TransformTool, I've been looking into how text encoding is handled in the .NET framework. Turns out there are some caveats that can affect the correctness of a program, and when used in e.g. password validation they might turn out to be severe security issues.

This post assumes you are somewhat familiar with how character encodings work. You might want to check out my Introduction to character encoding if you're not. I wrote it mainly because I didn't want to explain the basics of encodings in this post.

The encoding issues/features I discuss here are all well documented in the article Character Encoding in the .NET Framework, but I believe that the issues aren't that well known. Stack overflow, blogs, and discussion forums are riddled with insecure code samples. Do a Google search for "ASCII.GetBytes" password, and you'll get a lot of results. I even found insecure code examples in a text book, the C# 2008 Programmer's Reference (page 344). So I definitely believe we need to raise awareness of these issues in the .NET community.

Encoding subtleties
In the MSDN article on character encoding you'll find that the first suggestion on how to use the encoding objects in .NET is: 
Use the static properties of the Encoding class, which return objects that represent the standard character encodings available in the .NET Framework (ASCII, UTF-7, UTF-8, UTF-16, and UTF-32). For example, the Encoding.Unicode property returns a UnicodeEncoding object. Each object uses replacement fallback to handle strings that it cannot encode and bytes that it cannot decode.
And people love to use the static properties! But if you don't read this carefully and pause with the "replacement fallback", you might get into trouble. "Replacement fallback" means that every character that cannot be encoded to bytes will be replaced with the "?" character silently. But what does that mean? Time for a demo using the ASCII encoding:

Jan 8, 2012

Introduction to character encoding

Text encoding is a persistent source of pain and problems, especially when you need to communicate textual information across different systems. Every time you read or create an xml-file, a text file, a web page, or an e-mail, the text is encoded in some way. If the encoding is messed up along the way, the receiver will be looking at strange characters instead of the ori�inal t□xt. (ba-da-bing :)

I've been fighting with characters sets on several occasions throughout the years. Just recently, I had a bug in TransformTool related to character encoding and how errors are handled in the .NET framework. While writing about the bug I needed a reference to a basic introduction to character encoding — only to discover that most are very technically focused and dive right into the characters' hex codes. Here, I'll try to fill that gap and explain only the basics. I'll include pointers to more detailed resources in case you decide to dig deeper into the dark world of character encodings.

How encodings work
The Unicode Consortium has a great explanation of how it really works:
Fundamentally, computers just deal with numbers. They store letters and other characters by assigning a number for each one.

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts