Recently I was involved in developing a financial web application. Other than verifying that the application meets all the functional requirements, the application was put to stringent hacking tests. Several penetration tests were carried out by professionals to help identify any potential risks. The intent was to see to what extent an external attacker could penetrate the systems. This test focused on identifying technical vulnerabilities that a competent external hacker could exploit to gain privileged access to the application and server. In spite of the fact that we were using HTTPS for the entire site, I was surprised to hear that these guys were able to hijack the sessions and perform cross-site request forgery.
In the next few posts I would like to cover the key and high-severity vulnerabilities that attackers look for and the ways to mitigate them.
Some of the minor vulnerabilities that could potentially lead to system compromise are:
- Weak SSL Cipher Support – SSL cipher keys shorter than 128 bits are considered weak. Information encrypted with them can potentially be decrypted with little effort and can lead to further exploits; when a man-in-the-middle attack occurs, this flaw can give the attacker access to private information. The solution lies in the IIS configuration settings: make sure ciphers shorter than 128 bits are not allowed. Please read more in the following Microsoft knowledge base article: How to control the ciphers for SSL and TLS.
- Form AutoComplete Enabled – While this functionality is desired by users, you may not want it for all the form fields. The problem is that many recent browsers, such as IE and Firefox, have a feature that saves form field content entered by users and then automatically completes the form the next time the same fields are encountered. This feature is enabled by default and can leak sensitive information, since the saved content is stored on the hard drive of the local computer. The risk is greatly increased if users access the application from a shared environment. If AutoComplete is enabled on a login field, an attacker may be able to recover usernames and passwords from the local system's caches. The solution is simple. To turn off auto-complete for your entire form, all you need to do is add an attribute to your form tag, like this:
<form id="Form1" method="post" runat="server" autocomplete="off">
Easy enough. Now you won't get auto-complete on any of the controls on the form; this works for any browser that supports auto-complete. If, however, you want auto-complete on for some textboxes and off for the others, ASP.NET does provide a mechanism to control it at a granular level. To turn off autocomplete for a single textbox, use this:
<asp:TextBox Runat="server" ID="Textbox1" autocomplete="off"></asp:TextBox>
or at runtime:
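The code-behind form of the same setting, as an added example rather than the post's own snippet: it leaves the form at the browser default and switches autocomplete off only for sensitive inputs, walking the control tree so textboxes nested in panels or user controls are covered too. The page class name and the "Secret" ID prefix are hypothetical.

```csharp
// Added example (not the original post's code): runtime, granular control of
// the autocomplete attribute in an ASP.NET Web Forms code-behind.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Whole-form equivalent of autocomplete="off" on the <form> tag would be:
        //   Form.Attributes["autocomplete"] = "off";
        // Here the form is left alone and only sensitive fields are switched off.
        DisableAutoCompleteOnSensitiveFields(Form);
    }

    // Recursively applies autocomplete="off" to every sensitive TextBox under
    // 'root'. Unknown attributes set this way are passed through to the
    // rendered <input>, exactly like the markup attribute in the post.
    private static void DisableAutoCompleteOnSensitiveFields(Control root)
    {
        foreach (Control child in root.Controls)
        {
            TextBox box = child as TextBox;
            if (box != null && IsSensitive(box))
            {
                box.Attributes["autocomplete"] = "off";
            }
            if (child.HasControls())
            {
                DisableAutoCompleteOnSensitiveFields(child);  // panels, user controls, etc.
            }
        }
    }

    // Password-mode textboxes are always sensitive; the "Secret" prefix is a
    // hypothetical naming convention for other fields (e.g. account numbers)
    // that should never be remembered by the browser.
    private static bool IsSensitive(TextBox box)
    {
        return box.TextMode == TextBoxMode.Password
            || (box.ID != null && box.ID.StartsWith("Secret", StringComparison.Ordinal));
    }
}
```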
Simple, and you are done. Over the next few blogs I will write more on web vulnerabilities and the steps you can take to prevent them. Watch out!