Microsoft's Threat Model of Web Applications
These categories represent common vulnerability areas to Web applications. The categories have been derived by security experts who have examined and analyzed the top security issues across many Web applications. They have been refined with input from Microsoft consultants, product support engineers, customers, and Microsoft partners.
|Input and Data Validation
||How do you know that the input that your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing.
||Who are you? Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
||What can you do? Authorization is how your application provides access controls for resources and operations.
||Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
||How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores.
||How does your application handle and protect user sessions? A session refers to a series of related interactions between a user and your Web application.
||How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
||How does your application manipulate parameter values? Form fields, query string arguments, and cookie values are frequently used as parameters for an application. Parameter manipulation refers to both how your application safeguards tampering of these values and how your application processes input parameters.
||When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
|Auditing and Logging
||Who did what and when? Auditing and logging refer to how your application records security-related events.
ATTACKS IN EACH VULNERABILITY AREA
Input and Data Validation
Input attack occurs when an attacker discovers that the application makes unfounded assumptions about the type, length, format, or range of input data.
- Buffer Overflow: Vulnerabilities can lead to denial of service attack. A denial of service attack causes a process crash. The following code fragment illustrates a common example of a buffer overflow vulnerability.
void SomeFunction( char *pszInput )
// Input is copied straight into the buffer when no type checking is performed
. . .
An attacker can exploit a buffer overflow vulnerability to inject code. With this attack, a malicious user exploits an unchecked buffer in a process by supplying a carefully constructed input value that overwrites the program's stack and alters a function's return address. This causes execution to jump to the attacker's injected code.
- Cross-Site Scripting (XSS): An XSS attack is to cause arbitrary code to run in a user's browser while the browser is connected to a trusted Web site. The attack targets the application's users and not the application itself, but it uses the application as the vehicle for the attack. Because the script code is downloaded by the browser from a trusted site, the browser has no way of knowing that the code is not legitimate. To initiate the attack, the attacker must convince the user to click on a carefully crafted hyperlink. The link points to a vulnerable page in your application that echoes the unvalidated input back to the browser in the HTML output stream. For example, consider the following two links. Here is a legitimate link:
Here is a malicious link: www.yourwebapplication.com/logon.aspx?username=<script>alert('hacker code')</script>
- SQL Injection: A SQL injection attack exploits input vulnerabilities to run arbitrary commands in the database. It can occur when your application uses input to construct dynamic SQL statements to access the database or uses stored procedures that are passed strings that contain unfiltered user input. Consider the following code:
SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'
Attackers can inject SQL by terminating the intended SQL statement with the single quote character followed by a semicolon character to begin a new command, and then executing the command of their choice. Consider the following character string entered into the txtuid field.
'; DROP TABLE Customers '
This results in the following statement being submitted to the database for execution:
SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers--'
The authentication mechanism can expose vulnerabilities that attackers can exploit to gain access to your system.
- Network Eavesdropping: If authentication credentials are passed in plaintext from client to server, an attacker armed with rudimentary network monitoring software on a host on the same network can capture traffic and obtain user names and passwords.
- Brute Force Attacks: Brute force attacks rely on computational power to crack hashed passwords or other secrets secured with hashing and encryption.
- Dictionary Attacks: With the dictionary attack, an attacker uses a program to iterate through all of the words in a dictionary (or multiple dictionaries in different languages) and computes the hash for each word. The resultant hash is compared with the value in the data store.
- Cookie Replay Attacks:With this type of attack, the attacker captures the user's authentication cookie using monitoring software and replays it to the application to gain access under a false identity.
- Credential Theft: If your application implements its own user store containing user account names and passwords, compare its security to the credential stores provided by the platform, for example, a Microsoft Active Directory directory service or Security Accounts Manager (SAM) user store. Browser history and cache also store user login information for future use. If the terminal is accessed by someone other than the user who logged on, and the same page is hit, the saved login will be available.
Based on user identity and role membership, authorization to a particular resource or service is either allowed or denied.
- Elevation of Privilege: By elevating privilege, the attacker is able to take complete control over the application and local machine. For example, with classic ASP programming, calling the RevertToSelf API from a component might cause the executing thread to run as the local system account with the most power and privileges on the local machine.
- Disclosure of Confidential Data: The disclosure of confidential data can occur if sensitive data can be viewed by
- Data Tampering: Data tampering refers to the unauthorized modification of data.
- Luring Attacks: A luring attack occurs when an entity with few privileges is able to have an entity with more privileges perform an action on its behalf.
Many applications support configuration management interfaces and functionality to allow operators and administrators to change configuration parameters, update Web site content, and to perform routine maintenance.
- Unauthorized Access to Administration Interfaces: Malicious users able to access a configuration management function can potentially deface the Web site, access downstream systems and databases, or take the application out of action altogether by corrupting configuration data.
- Unauthorized Access to Configuration Stores: Malicious users able to access a configuration store can alter important system parameters that cause harm to the application.
- Session Management Attack: Session management for Web applications is an application layer responsibility. Session security is critical to the overall security of the application.
- Session Hijacking: A session hijacking attack occurs when an attacker uses network monitoring software to capture the authentication token (often a cookie) used to represent a user's session with an application. With the captured cookie, the attacker can spoof the user's session and gain access to the application.
- Session Replay: Session replay occurs when a user's session token is intercepted and submitted by an attacker to bypass the authentication mechanism. For example, if the session token is in plaintext in a cookie or URL, an attacker can sniff it, the attacker then posts a request using the hijacked session token.
- Man in the Middle Attacks: A man in the middle attack occurs when the attacker intercepts messages sent
between an application and the application's intended recipient. The attacker then changes the message and sends it to the original recipient. The recipient receives the message, sees that it came from the application, and acts on it. When the recipient sends a message back to the application, the attacker intercepts it, alters it, and returns it to the application. The application and the recipient never know that you have been attacked.
Most applications use cryptography to protect data and to ensure it remains private and unaltered.
- Poor Key Generation or Key Management: Attackers can decrypt encrypted data if they have access to the encryption key or can derive the encryption key. Attackers can discover a key if keys are managed poorly or if they were generated in a non-random fashion.
- Weak or Custom Encryption: An encryption algorithm provides no security if the encryption is cracked or is
vulnerable to brute force cracking. Custom algorithms are particularly vulnerable if they have not been tested.
- Checksum Spoofing: Do not rely on hashes to provide data integrity for messages sent over networks. If an attacker intercepts the message by monitoring the network, the attacker could update the message and re-compute the hash.
Parameter manipulation attacks are a class of attack that relies on the modification of the parameter data sent between the client and Web application.
- Query String Manipulation: Users can easily manipulate the query string values passed by HTTP GET from client to server because they are displayed in the browser's URL address bar. If your application relies on query string values to make security decisions, or if the values represent sensitive data such as monetary amounts, the application is vulnerable to attack.
- Form Field Manipulation: The values of HTML form fields are sent in plaintext to the server using the HTTP POST protocol. This may include visible and hidden form fields. Form fields of any type can be easily modified and client-side validation routines bypassed. As a result, applications that rely on form field input values to make security decisions on the server are vulnerable to attack.
- Cookie Manipulation: Cookies are susceptible to modification by the client. This is true of both persistent and memory-resident cookies. A number of tools are available to help an attacker modify the contents of a memory-resident cookie. Cookie manipulation is the attack that refers to the modification of a cookie, usually to gain unauthorized access to a Web site.
- HTTP Header Manipulation: HTTP headers pass information between the client and the server. The client
constructs request headers while the server constructs response headers. If your application relies on request headers to make a decision, your application is vulnerable to attack.
Exceptions that are allowed to propagate to the client can reveal internal implementation details that make no sense to the end user but are useful to attackers. Applications that do not use exception handling or implement it poorly are also subject to denial of service attacks.
- Attacker Reveals Implementation Details: Rich exception details can greatly help the attacker exploit potential vulnerabilities and plan future attacks. The type of information that could be returned includes platform versions, server names, SQL command strings, and database connection strings.
- Denial of Service: Attackers probe a Web application usually by passing deliberately malformed input to crash the Web application process. This can occur if exceptions are not properly caught and handled.
Auditing and Logging
Auditing and logging functions and stores are subject to be attacked.
- User Denies Performing an Operation: The issue of repudiation is concerned with a user denying that he or she performed an action or initiated a transaction.
- Attackers Exploit an Application Without Leaving a Trace: System and application-level auditing is required to ensure that suspicious activity does not go undetected.
- Attackers Cover Their Tracks: Your log files must be well-protected to ensure that attackers are not able to cover their tracks.