SlideShare une entreprise Scribd logo

Protecting Vulnerable Applications with IIS7

W
webserverguard

Protecting Vulnerable Applications with IIS7

Technologie
1  sur  53
Télécharger pour lire hors ligne
Protecting Vulnerable Applications with IIS7 Brian Holyfield Source Boston 2009
Agenda • Overview • IIS7 Integrated Mode • IIS7 Modules – Request Filtering Module – Add-on Modules (from Microsoft) – Custom Modules – Case Study: SPF 2
What’s new in IIS7 • Totally New Design – File-Based Configuration – Completely Modular – Integrated Pipeline Mode – Support for non-HTTP Services (WCF) • Built-In Security Features – Request Filtering – Minimal Default Attack Surface 3
IIS7 Integrated Mode • Unified Request Processing Pipeline – Both native and managed components (modules) – Modules can be applied to all requests, regardless of handler – ASP.NET HttpModules now comparable to ISAPI (can hook into one or more IIS7 pipeline events) Integrated Pipeline + Modular Design = Major Extensibility!! 4
IIS Pipeline Events Pre-Execution Events Post-Execution Events •BeginRequest •PostRequestHandlerExecute •AuthenticateRequest •ReleaseRequestState •PostAuthenticateRequest •PostReleaseRequestState •AuthorizeRequest •UpdateRequestCache •PostAuthorizeRequest •PostUpdateRequestCache •ResolveRequestCache •LogRequest •PostResolveRequestCache •PostLogRequest •MapRequestHandler •EndRequest •PostMapRequestHandler •PreSendRequestHeaders •AcquireRequestState •PreSendRequestContent ProcessRequest •PostAcquireRequestState (Handler Execution) •PreRequestHandlerExecute 5
Case Study: Sample Application • Battle Blog Application – Free Open Source Blogging Software – Written in Classic ASP – Vulnerable to numerous common security issues • Failure to Restrict Admin URLs • Cross-Site Request Forgery • SQL Injection • Information Disclosure 6
IIS7 Request Filtering • Native Module (C++) – URLScan functionality built in to IIS7 – Called on BeginRequest Event • Effective for providing generic protection mechanism against certain attacks – Configurable for each application – Lacks granularity at the page/parameter level – No support for Regular Expressions appcmd list config -section:requestFiltering 7
IIS7 Request Filtering Request Filtering Directive Description & Options Prevents Double-encoded Requests allowDoubleEscaping Allows or rejects all requests with non-ASCII characters allowHighBitCharacters Controls permitted file extensions fileExtensions • Uses allowUnlisted option to define default behavior • Exclusions can be added with allowed=true/false Combines three features: requestLimits • maxAllowedContentLength • maxUrl • maxQueryString Controls request methods verbs • Uses allowUnlisted option to define default behavior • Exclusions can be added with allowed=true/false Does not support Regular Expressions denyUrlSequences Segments are folders that cannot be requested hiddenSegments 8
IIS7 Add-On Modules • The Microsoft IIS team is continually releasing new add-on modules for IIS7 • Some have potential security uses – Dynamic IP Restrictions – URL Rewrite – Application Request Routing 9
Dynamic IP Restrictions • Dynamic IP Restrictions Extension – Dynamically blocking of requests from IP address based on • Number of concurrent requests • Number of requests over a period of time – Configurable at the Site or Server Level – Support for permanent static allow or deny list • Domain Name • IP Address 10
URL Rewriter for IIS7 • IIS7 version of mod_rewrite – Called on BeginRequest event – Regular expression pattern matching – Access to server variables and HTTP headers – Rule actions include redirect and request abort • Not specifically designed for security, but can be used to block or validate certain requests http://learn.iis.net/page.aspx/465/url-rewrite-module-configuration-reference/ 11
Case Study: Demo • Demo: White List URLs with Rewrite Rules – Only allow requests to authorized files – Only allow valid query string values 12
Request Filter vs. URL Rewrite Request Entity Request Filtering URL Rewrite Scan requested URL path Yes (Substring) Yes (Regex) No Check URL length Yes No Scan query string Yes (Regex) No Check query string length Yes Check HTTP verbs Yes Yes No Check request content length Yes No Scan HTTP headers Yes (Regex) No Check HTTP headers length Yes No Scan server variables Yes No* Check IP address or host name Yes * The IP Restriction module in IIS 7.0 can be used for blocking requests by IP or host name 13
Application Request Routing • Similar to mod_proxy – Can perform HTTP based routing decisions based on HTTP request data – Load balancing algorithms – Client and hostname affinity 14
Custom IIS7 Modules • With IIS7 modules, it is easy to monitor, change or add every request • ASP.NET modules can now be used to protect any application running on IIS – .NET class that implements the ASP.NET System.Web.IHttpModule interface 15
Extensibility Examples • “Enhancing Applications with the IIS7 Integrated Pipeline” -- Mike Volodarsky - MSDN 2007 • Used IIS7 Managed Module to enhance QDig (PHP) – Authentication • FormsAuthenticationModule – Search Engine Friendly URLs • Inbound: Server.TransferRequest • Outbound: Response.Filter – Output Caching • ASP.NET OutputCache 16
Application Security Module • Custom module to secure outbound data and validate inbound requests – Request/Response Parsing – Data Validation – Input tracking & Parameter Encryption • Defend Against Application Attacks – Known Bad Signatures – Intelligent Authorization Defense 17
Leveraging Response Events • Goal – Only allow the user do what the application expects them to be able to do • How – Analyze what is presented to the users (response) – If an option is not presented, don’t let them use it – If we don’t ask the user for input, don’t accept it! 18
Secure Parameter Filter (SPF) • IIS Secure Parameter Filter (SPF) – Protects Non-Editable Data from Manipulation • ASP.NET HttpModule (C#) • Does not require any changes to underling application – Response & Request Filter • Output Tracking • Request Validation – Free and available for download • http://www.gdssecurity.com/l/spf/ 19
How it Works • Response Filter – Analyzes HTML (HTML Agility Pack) • Embedded URLs • HTML Form Data • Cookies • JavaScript Functions – Tracks Form “State” • Editable vs. non-editable input – Correlates Forms & Links to each session 20
How it Works • Request Filter – Analyzes HTTP requests to ensure only “authorized” URLs and inputs are accepted • User sessions are tracked with a unique ID – Only configured “entry points” are permitted without authorization – Inspect editable-data against configurable Regular Expressions (Black List) 21
SPF Pipeline Events Pre-Execution Events Post-Execution Events •BeginRequest •PostRequestHandlerExecute •AuthenticateRequest •ReleaseRequestState •PostAuthenticateRequest •PostReleaseRequestState •AuthorizeRequest •UpdateRequestCache •PostAuthorizeRequest •PostUpdateRequestCache •ResolveRequestCache •LogRequest •PostResolveRequestCache •PostLogRequest •MapRequestHandler •EndRequest •PostMapRequestHandler •PreSendRequestHeaders •AcquireRequestState •PreSendRequestContent ProcessRequest •PostAcquireRequestState (Handler Execution) •PreRequestHandlerExecute 22
Installing a Module • IIS7 modules can be installed in of two ways – Configuration file (web.config) – IIS7 Management Console • Module must be registered globally • Custom Configuration Settings – Minimal Configuration – Configure default behavior & define exceptions to the default 23
Case Study: Demo • Demo: Failure to Restrict URL Access – Application fails to restrict access to some administrator URLs – These URLs are not linked from un-authenticated pages • “Security through Obscurity” 24
URL Access Protection • Cryptographic “token” appended to every protected URL rendered to the user – Verifies integrity of Query String values – Verifies authorization to access page • Required for protected URL access USER APPLICATION SPF /ShowArticle.aspx?ArticleId=123 25
URL Access Protection • Cryptographic “token” appended to every protected URL rendered to the user – Verifies integrity of Query String values – Verifies authorization to access page • Required for protected URL access USER APPLICATION SPF /ShowArticle.aspx?ArticleId=123&UrlToken=182734:A7A9369D50B2E185F54A Time Stamp 26
URL Access Protection • Cryptographic “token” appended to every protected URL rendered to the user – Verifies integrity of Query String values – Verifies authorization to access page • Required for protected URL access USER APPLICATION SPF /ShowArticle.aspx?ArticleId=123&UrlToken=182734:A7A9369D50B2E185F54A SHA1HMAC ( URL + Query String + Time Stamp + Session Cookie + Source IP ) HMAC key derived from ASP.NET Machine Key 27
Case Study: Demo • Demo: Cross-Site Request Forgery (CSRF) – Administrative user-management requests are vulnerable to CSRF • Add Users • Change Password • Elevate Privileges 28
CSRF Protection • The same cryptographic “token” automatically protects against CSRF exploits – Tied to session cookie & source IP SPF /ShowArticle.aspx?ArticleId=123&UrlToken=182734:A7A9369D50B2E185F54A SHA1HMAC ( URL + Query String + Time Stamp + Session Cookie + Source IP ) 29
Case Study: Demo • Demo: SQL Injection – Website search filter is vulnerable to SQL Injection • Anonymously Accessible • Supports POST and GET 30
HTML Form Protection Two Types of Protection – Form State Protection Ensures each form submission includes only the correct input name & value combinations – Input Value Protection Protects Inputs from being viewed by users Non-editable Form inputs cannot be altered – TYPE=HIDDEN | RADIO | CHECKBOX, SELECT – Read-Only Text Inputs 31
HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> <input type=“textquot; name=quot;queryquot;> <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 32
HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> Action: /search.aspx <input type=“textquot; name=quot;queryquot;> <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 33
HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> Action: /search.aspx <input type=“textquot; name=quot;queryquot;> Owner: 25574bb9-792d-4c4b-9873-c9fae1631485 <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> (Session Cookie) <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 34
HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> <input type =quot;hiddenquot; name=quot;FormTokenquot; value= Action: /search.aspx quot;3F2504E0-4F89-11D3-9A0C-0305E82C3301quot;> Owner: 25574bb9-792d-4c4b-9873-c9fae1631485 Form-Id: 3F2504E0-4F89-11D3-9A0C- <input type=“textquot; name=quot;queryquot;> 0305E82C3301 (New GUID) <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 35
HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> <input type =quot;hiddenquot; name=quot;FormTokenquot; value= Action: /search.aspx quot;3F2504E0-4F89-11D3-9A0C-0305E82C3301quot;> Owner: 25574bb9-792d-4c4b-9873-c9fae1631485 Form-Id: 3F2504E0-4F89-11D3-9A0C- <input type=“textquot; name=quot;queryquot;> 0305E82C3301 <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> Input Name Editable Value <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> query Y - <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> find N { FIND } src N { web } <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> scope N { world , us } <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> lang N { all , en-sp } <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 36
HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> <input type =quot;hiddenquot; name=quot;FormTokenquot; value= Action: /search.aspx quot;3F2504E0-4F89-11D3-9A0C-0305E82C3301quot;> Owner: 25574bb9-792d-4c4b-9873-c9fae1631485 Form-Id: 3F2504E0-4F89-11D3-9A0C- <input type=“textquot; name=quot;queryquot;> 0305E82C3301 <input type =quot;submitquot; name=quot;findquot; value=quot;1quot;> Input Name Editable Value <input type =quot;hiddenquot; name=quot;srcquot; value=quot; 1quot;> query Y - <input type =quot;radioquot; name=quot;scopequot; value=quot; 1quot;> find N { FIND } src N { web } <input type =quot;radioquot; name=quot;scopequot; value=quot;2quot;> scope N { world , us } <input type =quot;radioquot; name=quot;langquot; value=quot;1quot;> lang N { all , en-sp } <input type =quot;radioquot; name=quot;langquot; value=quot;2quot;> </form> 37
Case Study: Demo • Demo: Information Disclosure – The comment submission CAPTCHA value is disclosed within a hidden HTML form field 38
JavaScript Protection • Quoted string assignment to common JavaScript property values are treated as URLs (UrlToken) – window.location – location.href • JS Functions can also be defined for protection – Function Name & Arguments • Protect (Y/N) • URL / Form Input – INPUT NAME – TARGET URL 39
JavaScript Protection • Example JavaScript Function function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } 40
JavaScript Protection • Example JavaScript Function function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } 41
JavaScript Protection • Example JavaScript Function function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } 42
JavaScript Protection • Example JavaScript Function function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } 43
JavaScript Protection • Protecting this function with SPF <scriptProtection functionName=quot;__doPostBackquot;> <functionArguments> <add argumentName=quot;eventTargetquot; protect=quot;truequot; targetName=quot;__EVENTTARGETquot; /> <add argumentName=quot;eventArgumentquot; protect=quot;truequot; targetName=quot;__EVENTARGUMENTquot; /> </functionArguments> </scriptProtection> 44
JavaScript Protection <a href=quot;javascript:__doPostBack('ctl00$MainContent$gvwThreads' ,'Sort$LastPostDate')quot;> <a href=quot;javascript:__doPostBack('b/xEVUeEDOCnhiKu0jS5USUs6N 4Qu1VH5OqHOwF146wSPlA87g==:1829384:61D26FD0849FF93D67B8489CF A76','b/xEVUeEDOBfdZR3UM0Ds212HDDwHY3KoYyc/+/JULiDcjQ=:1829384: 83BF9D18B5C34CE2FC0541F954C093B43F0C3EA5')quot;> 45
JavaScript Protection <a href=quot;javascript:__doPostBack('ctl00$MainContent$gvwThreads' ,'Sort$LastPostDate')quot;> <a href=quot;javascript:__doPostBack('b/xEVUeEDOCnhiKu0jS5USUs6N 4Qu1VH5OqHOwF146wSPlA87g==:1829384:61D26FD0849FF93D67B8489CF A76','b/xEVUeEDOBfdZR3UM0Ds212HDDwHY3KoYyc/+/JULiDcjQ=:1829384: 83BF9D18B5C34CE2FC0541F954C093B43F0C3EA5')quot;> BASE64(ENCRYPT(Random 8 Bytes + Argument Value)) ASP.NET Machine Key AES by default in ASP.NET 2.0 (configurable) RNGCryptoServiceProvider for Random Bytes 46
JavaScript Protection <a href=quot;javascript:__doPostBack('ctl00$MainContent$gvwThreads' ,'Sort$LastPostDate')quot;> <a href=quot;javascript:__doPostBack('b/xEVUeEDOCnhiKu0jS5USUs6N 4Qu1VH5OqHOwF146wSPlA87g==:1829384:61D26FD0849FF93D67B8489CF A76','b/xEVUeEDOBfdZR3UM0Ds212HDDwHY3KoYyc/+/JULiDcjQ=:1829384: 83BF9D18B5C34CE2FC0541F954C093B43F0C3EA5')quot;> Time Stamp 47
JavaScript Protection <a href=quot;javascript:__doPostBack('ctl00$MainContent$gvwThreads' ,'Sort$LastPostDate')quot;> <a href=quot;javascript:__doPostBack('b/xEVUeEDOCnhiKu0jS5USUs6N 4Qu1VH5OqHOwF146wSPlA87g==:1829384:61D26FD0849FF93D67B8489CF A76','b/xEVUeEDOBfdZR3UM0Ds212HDDwHY3KoYyc/+/JULiDcjQ=:1829384: 83BF9D18B5C34CE2FC0541F954C093B43F0C3EA5')quot;> SHA1HMAC (CipherText + Time Stamp + GUID Cookie + Source IP + [Input Name] + [Target URL] ) HMAC key derived from ASP.NET Machine Key 48
Configuring SPF • Minimal Configuration (Exception Based) – Default Protection Settings (Required) • Protection Scope (URI, QueryStrings, Forms, Cookies) • Main Application Entry Point (URL) – Exceptions to Default Settings (Optional) • Global Exceptions (Form Inputs, Cookies) • URI Exceptions (URI, Query String, Form Inputs) – Several alternate configuration options • Send state information to client (encrypted) • Active vs. Passive mode • BlackList Regexes 49
OWASP Top 10 Coverage A1 - Cross Site Scripting (XSS) • Request tokens should thwart reflected XSS exploits A2 - Injection Flaws A3 - Malicious File Execution A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) • Request tokens provide CSRF protection A6 - Information Leakage and Improper Error Handling • Input protection can mitigate information leakage through application inputs (hidden fields, cookies, etc) 50
OWASP Top 10 Coverage A7 - Broken Authentication & Session Management • Cookie protection will mitigate weak/predictable session IDs A8 - Insecure Cryptographic Storage A9 - Insecure Communications A10 - Failure to Restrict URL Access • Request tokens prevent forced browsing 51
Conclusion • IIS7 is now more extensible than ever – Modules in native or managed code • Vulnerable legacy apps can be secured on IIS7 infrastructure – Built-in Features – Add-On Modules – Custom Modules Protecting Vulnerable Applications with IIS7 52 Source Boston 2009
Questions? • GDS Blog – http://www.gdssecurity.com/l/b • SPF Download Page – http://www.gdssecurity.com/l/spf • SPF Demo Site (.NET StockTrader) – http://trade-spf.gdsdemo.com • Official Microsoft IIS Site – http://www.iis.net 53

Recommandé

F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchLior Rotkovitch
 
21 05-2018
21 05-201821 05-2018
21 05-2018Praaveen Vr
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Webinar slides: MySQL & MariaDB load balancing with ProxySQL & ClusterControl...
Webinar slides: MySQL & MariaDB load balancing with ProxySQL & ClusterControl...Webinar slides: MySQL & MariaDB load balancing with ProxySQL & ClusterControl...
Webinar slides: MySQL & MariaDB load balancing with ProxySQL & ClusterControl...Severalnines
 
CTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowCTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowSpiffy
 
Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2SergeyChernyshev
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 

Recommandé

F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchLior Rotkovitch
 
21 05-2018
21 05-201821 05-2018
21 05-2018Praaveen Vr
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Webinar slides: MySQL & MariaDB load balancing with ProxySQL & ClusterControl...
Webinar slides: MySQL & MariaDB load balancing with ProxySQL & ClusterControl...Webinar slides: MySQL & MariaDB load balancing with ProxySQL & ClusterControl...
Webinar slides: MySQL & MariaDB load balancing with ProxySQL & ClusterControl...Severalnines
 
CTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowCTU June 2011 - Things that Every ASP.NET Developer Should Know
CTU June 2011 - Things that Every ASP.NET Developer Should KnowSpiffy
 
Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2SergeyChernyshev
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
Ea Presentation
Ea PresentationEa Presentation
Ea PresentationEastGate630
 
Smart Geometry
Smart GeometrySmart Geometry
Smart GeometryDuncan Wilson
 
Sabr 39 Team Trivia Preliminary
Sabr 39 Team Trivia PreliminarySabr 39 Team Trivia Preliminary
Sabr 39 Team Trivia PreliminarySABR Office
 
Parents And Caregivers Information Evening Thursday 23 July
Parents And Caregivers Information Evening Thursday 23 JulyParents And Caregivers Information Evening Thursday 23 July
Parents And Caregivers Information Evening Thursday 23 JulyAngie Simmons
 
TöRéKeny öNbecsüLéS ElőAdáS
TöRéKeny öNbecsüLéS ElőAdáSTöRéKeny öNbecsüLéS ElőAdáS
TöRéKeny öNbecsüLéS ElőAdáSJulcsilany
 
Charlottes Web Characters
Charlottes Web CharactersCharlottes Web Characters
Charlottes Web CharactersAngie Simmons
 
RCA ICT week
RCA ICT weekRCA ICT week
RCA ICT weekDuncan Wilson
 
Ta3rifat jurjani
Ta3rifat jurjaniTa3rifat jurjani
Ta3rifat jurjanizulfawardi S.Pd.I., MA
 
Ancient Greece
Ancient GreeceAncient Greece
Ancient GreeceJonathan_Tyus
 
Volcán Etna
Volcán EtnaVolcán Etna
Volcán Etnadeliaa
 
5 Essential Reed Diffusers
5 Essential Reed Diffusers5 Essential Reed Diffusers
5 Essential Reed DiffusersSteve 5
 
Media Management
Media ManagementMedia Management
Media ManagementDanielpaul
 
Gala08-09
Gala08-09Gala08-09
Gala08-09Moisés Á. Jorge
 
Performance & Scalability in Drupal
Performance & Scalability in DrupalPerformance & Scalability in Drupal
Performance & Scalability in DrupalMukesh Agarwal
 
Final
FinalFinal
Finaljls13
 
Biodiversity games day manuka dc
Biodiversity games day manuka dcBiodiversity games day manuka dc
Biodiversity games day manuka dcAngie Simmons
 
Beach Coordinator Training
Beach Coordinator TrainingBeach Coordinator Training
Beach Coordinator Trainingdlindau
 
Ehistöörakised
EhistöörakisedEhistöörakised
Ehistöörakisedandryki
 
Sos
SosSos
SosZuri Pabon
 
Testpresentatie
TestpresentatieTestpresentatie
Testpresentatieauditio
 
PHP on Windows 2008
PHP on Windows 2008PHP on Windows 2008
PHP on Windows 2008jorke
 
Harish Understanding Aspnet
Harish Understanding AspnetHarish Understanding Aspnet
Harish Understanding Aspnetrsnarayanan
 

Contenu connexe

En vedette

Sabr 39 Team Trivia Preliminary
Sabr 39 Team Trivia PreliminarySabr 39 Team Trivia Preliminary
Sabr 39 Team Trivia PreliminarySABR Office
 
Parents And Caregivers Information Evening Thursday 23 July
Parents And Caregivers Information Evening Thursday 23 JulyParents And Caregivers Information Evening Thursday 23 July
Parents And Caregivers Information Evening Thursday 23 JulyAngie Simmons
 
TöRéKeny öNbecsüLéS ElőAdáS
TöRéKeny öNbecsüLéS ElőAdáSTöRéKeny öNbecsüLéS ElőAdáS
TöRéKeny öNbecsüLéS ElőAdáSJulcsilany
 
Charlottes Web Characters
Charlottes Web CharactersCharlottes Web Characters
Charlottes Web CharactersAngie Simmons
 
Volcán Etna
Volcán EtnaVolcán Etna
Volcán Etnadeliaa
 
5 Essential Reed Diffusers
5 Essential Reed Diffusers5 Essential Reed Diffusers
5 Essential Reed DiffusersSteve 5
 
Media Management
Media ManagementMedia Management
Media ManagementDanielpaul
 
Performance & Scalability in Drupal
Performance & Scalability in DrupalPerformance & Scalability in Drupal
Performance & Scalability in DrupalMukesh Agarwal
 
Final
FinalFinal
Finaljls13
 
Biodiversity games day manuka dc
Biodiversity games day manuka dcBiodiversity games day manuka dc
Biodiversity games day manuka dcAngie Simmons
 
Beach Coordinator Training
Beach Coordinator TrainingBeach Coordinator Training
Beach Coordinator Trainingdlindau
 
Ehistöörakised
EhistöörakisedEhistöörakised
Ehistöörakisedandryki
 
Testpresentatie
TestpresentatieTestpresentatie
Testpresentatieauditio
 

En vedette (20)

Ea Presentation
Ea PresentationEa Presentation
Ea Presentation
 
Smart Geometry
Smart GeometrySmart Geometry
Smart Geometry
 
Sabr 39 Team Trivia Preliminary
Sabr 39 Team Trivia PreliminarySabr 39 Team Trivia Preliminary
Sabr 39 Team Trivia Preliminary
 
Parents And Caregivers Information Evening Thursday 23 July
Parents And Caregivers Information Evening Thursday 23 JulyParents And Caregivers Information Evening Thursday 23 July
Parents And Caregivers Information Evening Thursday 23 July
 
TöRéKeny öNbecsüLéS ElőAdáS
TöRéKeny öNbecsüLéS ElőAdáSTöRéKeny öNbecsüLéS ElőAdáS
TöRéKeny öNbecsüLéS ElőAdáS
 
Charlottes Web Characters
Charlottes Web CharactersCharlottes Web Characters
Charlottes Web Characters
 
RCA ICT week
RCA ICT weekRCA ICT week
RCA ICT week
 
Ta3rifat jurjani
Ta3rifat jurjaniTa3rifat jurjani
Ta3rifat jurjani
 
Ancient Greece
Ancient GreeceAncient Greece
Ancient Greece
 
Volcán Etna
Volcán EtnaVolcán Etna
Volcán Etna
 
5 Essential Reed Diffusers
5 Essential Reed Diffusers5 Essential Reed Diffusers
5 Essential Reed Diffusers
 
Media Management
Media ManagementMedia Management
Media Management
 
Gala08-09
Gala08-09Gala08-09
Gala08-09
 
Performance & Scalability in Drupal
Performance & Scalability in DrupalPerformance & Scalability in Drupal
Performance & Scalability in Drupal
 
Final
FinalFinal
Final
 
Biodiversity games day manuka dc
Biodiversity games day manuka dcBiodiversity games day manuka dc
Biodiversity games day manuka dc
 
Beach Coordinator Training
Beach Coordinator TrainingBeach Coordinator Training
Beach Coordinator Training
 
Ehistöörakised
EhistöörakisedEhistöörakised
Ehistöörakised
 
Sos
SosSos
Sos
 
Testpresentatie
TestpresentatieTestpresentatie
Testpresentatie
 

Similaire à Protecting Vulnerable Applications with IIS7

PHP on Windows 2008
PHP on Windows 2008PHP on Windows 2008
PHP on Windows 2008jorke
 
Harish Understanding Aspnet
Harish Understanding AspnetHarish Understanding Aspnet
Harish Understanding Aspnetrsnarayanan
 
Web api scalability and performance
Web api scalability and performanceWeb api scalability and performance
Web api scalability and performanceHimanshu Desai
 
Lecture 2: Servlets
Lecture 2: ServletsLecture 2: Servlets
Lecture 2: ServletsFahad Golra
 
10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps FasterBrij Mishra
 
Node.js to the rescue
Node.js to the rescueNode.js to the rescue
Node.js to the rescueMarko Heijnen
 
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse ProxyNginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse ProxyAmit Aggarwal
 
Servletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postServletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postvamsitricks
 
Servletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postServletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postvamsi krishna
 
Servletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postServletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postvamsitricks
 
Generating the Server Response: HTTP Status Codes
Generating the Server Response: HTTP Status CodesGenerating the Server Response: HTTP Status Codes
Generating the Server Response: HTTP Status CodesDeeptiJava
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...Ivanti
 
Building & Testing Scalable Rails Applications
Building & Testing Scalable Rails ApplicationsBuilding & Testing Scalable Rails Applications
Building & Testing Scalable Rails Applicationsevilmike
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능Hyperledger Korea User Group
 
Java Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet BasicJava Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet BasicIMC Institute
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 

Similaire à Protecting Vulnerable Applications with IIS7 (20)

PHP on Windows 2008
PHP on Windows 2008PHP on Windows 2008
PHP on Windows 2008
 
Harish Understanding Aspnet
Harish Understanding AspnetHarish Understanding Aspnet
Harish Understanding Aspnet
 
Advanced Asp.Net Concepts And Constructs
Advanced Asp.Net Concepts And ConstructsAdvanced Asp.Net Concepts And Constructs
Advanced Asp.Net Concepts And Constructs
 
Web api scalability and performance
Web api scalability and performanceWeb api scalability and performance
Web api scalability and performance
 
Lecture 2: Servlets
Lecture 2: ServletsLecture 2: Servlets
Lecture 2: Servlets
 
10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster
 
Node.js to the rescue
Node.js to the rescueNode.js to the rescue
Node.js to the rescue
 
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse ProxyNginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
 
Servletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postServletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,post
 
Servletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postServletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,post
 
Servletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,postServletarchitecture,lifecycle,get,post
Servletarchitecture,lifecycle,get,post
 
Servlet
ServletServlet
Servlet
 
Generating the Server Response: HTTP Status Codes
Generating the Server Response: HTTP Status CodesGenerating the Server Response: HTTP Status Codes
Generating the Server Response: HTTP Status Codes
 
Web server
Web serverWeb server
Web server
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
 
Attacking REST API
Attacking REST APIAttacking REST API
Attacking REST API
 
Building & Testing Scalable Rails Applications
Building & Testing Scalable Rails ApplicationsBuilding & Testing Scalable Rails Applications
Building & Testing Scalable Rails Applications
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
 
Java Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet BasicJava Web Programming [2/9] : Servlet Basic
Java Web Programming [2/9] : Servlet Basic
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 

Dernier

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Dernier (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Protecting Vulnerable Applications with IIS7

  • 1. Protecting Vulnerable Applications with IIS7 Brian Holyfield Source Boston 2009
  • 2. Agenda • Overview • IIS7 Integrated Mode • IIS7 Modules – Request Filtering Module – Add-on Modules (from Microsoft) – Custom Modules – Case Study: SPF 2
  • 3. What’s new in IIS7 • Totally New Design – File-Based Configuration – Completely Modular – Integrated Pipeline Mode – Support for non-HTTP Services (WCF) • Built-In Security Features – Request Filtering – Minimal Default Attack Surface 3
  • 4. IIS7 Integrated Mode • Unified Request Processing Pipeline – Both native and managed components (modules) – Modules can be applied to all requests, regardless of handler – ASP.NET HttpModules now comparable to ISAPI (can hook into one or more IIS7 pipeline events) Integrated Pipeline + Modular Design = Major Extensibility!! 4
  • 5. IIS Pipeline Events Pre-Execution Events Post-Execution Events •BeginRequest •PostRequestHandlerExecute •AuthenticateRequest •ReleaseRequestState •PostAuthenticateRequest •PostReleaseRequestState •AuthorizeRequest •UpdateRequestCache •PostAuthorizeRequest •PostUpdateRequestCache •ResolveRequestCache •LogRequest •PostResolveRequestCache •PostLogRequest •MapRequestHandler •EndRequest •PostMapRequestHandler •PreSendRequestHeaders •AcquireRequestState •PreSendRequestContent ProcessRequest •PostAcquireRequestState (Handler Execution) •PreRequestHandlerExecute 5
  • 6. Case Study: Sample Application • Battle Blog Application – Free Open Source Blogging Software – Written in Classic ASP – Vulnerable to numerous common security issues • Failure to Restrict Admin URLs • Cross-Site Request Forgery • SQL Injection • Information Disclosure 6
  • 7. IIS7 Request Filtering • Native Module (C++) – URLScan functionality built in to IIS7 – Called on BeginRequest Event • Effective for providing generic protection mechanism against certain attacks – Configurable for each application – Lacks granularity at the page/parameter level – No support for Regular Expressions appcmd list config -section:requestFiltering 7
  • 8. IIS7 Request Filtering Request Filtering Directive Description & Options Prevents Double-encoded Requests allowDoubleEscaping Allows or rejects all requests with non-ASCII characters allowHighBitCharacters Controls permitted file extensions fileExtensions • Uses allowUnlisted option to define default behavior • Exclusions can be added with allowed=true/false Combines three features: requestLimits • maxAllowedContentLength • maxUrl • maxQueryString Controls request methods verbs • Uses allowUnlisted option to define default behavior • Exclusions can be added with allowed=true/false Does not support Regular Expressions denyUrlSequences Segments are folders that cannot be requested hiddenSegments 8
  • 9. IIS7 Add-On Modules • The Microsoft IIS team is continually releasing new add-on modules for IIS7 • Some have potential security uses – Dynamic IP Restrictions – URL Rewrite – Application Request Routing 9
  • 10. Dynamic IP Restrictions • Dynamic IP Restrictions Extension – Dynamically blocking of requests from IP address based on • Number of concurrent requests • Number of requests over a period of time – Configurable at the Site or Server Level – Support for permanent static allow or deny list • Domain Name • IP Address 10
  • 11. URL Rewriter for IIS7 • IIS7 version of mod_rewrite – Called on BeginRequest event – Regular expression pattern matching – Access to server variables and HTTP headers – Rule actions include redirect and request abort • Not specifically designed for security, but can be used to block or validate certain requests http://learn.iis.net/page.aspx/465/url-rewrite-module-configuration-reference/ 11
  • 12. Case Study: Demo • Demo: White List URLs with Rewrite Rules – Only allow requests to authorized files – Only allow valid query string values 12
  • 13. Request Filter vs. URL Rewrite Request Entity Request Filtering URL Rewrite Scan requested URL path Yes (Substring) Yes (Regex) No Check URL length Yes No Scan query string Yes (Regex) No Check query string length Yes Check HTTP verbs Yes Yes No Check request content length Yes No Scan HTTP headers Yes (Regex) No Check HTTP headers length Yes No Scan server variables Yes No* Check IP address or host name Yes * The IP Restriction module in IIS 7.0 can be used for blocking requests by IP or host name 13
  • 14. Application Request Routing • Similar to mod_proxy – Can perform HTTP based routing decisions based on HTTP request data – Load balancing algorithms – Client and hostname affinity 14
  • 15. Custom IIS7 Modules • With IIS7 modules, it is easy to monitor, change or add every request • ASP.NET modules can now be used to protect any application running on IIS – .NET class that implements the ASP.NET System.Web.IHttpModule interface 15
  • 16. Extensibility Examples • “Enhancing Applications with the IIS7 Integrated Pipeline” -- Mike Volodarsky - MSDN 2007 • Used IIS7 Managed Module to enhance QDig (PHP) – Authentication • FormsAuthenticationModule – Search Engine Friendly URLs • Inbound: Server.TransferRequest • Outbound: Response.Filter – Output Caching • ASP.NET OutputCache 16
  • 17. Application Security Module • Custom module to secure outbound data and validate inbound requests – Request/Response Parsing – Data Validation – Input tracking & Parameter Encryption • Defend Against Application Attacks – Known Bad Signatures – Intelligent Authorization Defense 17
  • 18. Leveraging Response Events • Goal – Only allow the user do what the application expects them to be able to do • How – Analyze what is presented to the users (response) – If an option is not presented, don’t let them use it – If we don’t ask the user for input, don’t accept it! 18
  • 19. Secure Parameter Filter (SPF) • IIS Secure Parameter Filter (SPF) – Protects Non-Editable Data from Manipulation • ASP.NET HttpModule (C#) • Does not require any changes to underling application – Response & Request Filter • Output Tracking • Request Validation – Free and available for download • http://www.gdssecurity.com/l/spf/ 19
  • 20. How it Works • Response Filter – Analyzes HTML (HTML Agility Pack) • Embedded URLs • HTML Form Data • Cookies • JavaScript Functions – Tracks Form “State” • Editable vs. non-editable input – Correlates Forms & Links to each session 20
  • 21. How it Works • Request Filter – Analyzes HTTP requests to ensure only “authorized” URLs and inputs are accepted • User sessions are tracked with a unique ID – Only configured “entry points” are permitted without authorization – Inspect editable-data against configurable Regular Expressions (Black List) 21
  • 22. SPF Pipeline Events Pre-Execution Events Post-Execution Events •BeginRequest •PostRequestHandlerExecute •AuthenticateRequest •ReleaseRequestState •PostAuthenticateRequest •PostReleaseRequestState •AuthorizeRequest •UpdateRequestCache •PostAuthorizeRequest •PostUpdateRequestCache •ResolveRequestCache •LogRequest •PostResolveRequestCache •PostLogRequest •MapRequestHandler •EndRequest •PostMapRequestHandler •PreSendRequestHeaders •AcquireRequestState •PreSendRequestContent ProcessRequest •PostAcquireRequestState (Handler Execution) •PreRequestHandlerExecute 22
  • 23. Installing a Module • IIS7 modules can be installed in of two ways – Configuration file (web.config) – IIS7 Management Console • Module must be registered globally • Custom Configuration Settings – Minimal Configuration – Configure default behavior & define exceptions to the default 23
  • 24. Case Study: Demo • Demo: Failure to Restrict URL Access – Application fails to restrict access to some administrator URLs – These URLs are not linked from un-authenticated pages • “Security through Obscurity” 24
  • 25. URL Access Protection • Cryptographic “token” appended to every protected URL rendered to the user – Verifies integrity of Query String values – Verifies authorization to access page • Required for protected URL access USER APPLICATION SPF /ShowArticle.aspx?ArticleId=123 25
  • 26. URL Access Protection • Cryptographic “token” appended to every protected URL rendered to the user – Verifies integrity of Query String values – Verifies authorization to access page • Required for protected URL access USER APPLICATION SPF /ShowArticle.aspx?ArticleId=123&UrlToken=182734:A7A9369D50B2E185F54A Time Stamp 26
  • 27. URL Access Protection • Cryptographic “token” appended to every protected URL rendered to the user – Verifies integrity of Query String values – Verifies authorization to access page • Required for protected URL access USER APPLICATION SPF /ShowArticle.aspx?ArticleId=123&UrlToken=182734:A7A9369D50B2E185F54A SHA1HMAC ( URL + Query String + Time Stamp + Session Cookie + Source IP ) HMAC key derived from ASP.NET Machine Key 27
  • 28. Case Study: Demo • Demo: Cross-Site Request Forgery (CSRF) – Administrative user-management requests are vulnerable to CSRF • Add Users • Change Password • Elevate Privileges 28
  • 29. CSRF Protection • The same cryptographic “token” automatically protects against CSRF exploits – Tied to session cookie & source IP SPF /ShowArticle.aspx?ArticleId=123&UrlToken=182734:A7A9369D50B2E185F54A SHA1HMAC ( URL + Query String + Time Stamp + Session Cookie + Source IP ) 29
  • 30. Case Study: Demo • Demo: SQL Injection – Website search filter is vulnerable to SQL Injection • Anonymously Accessible • Supports POST and GET 30
  • 31. HTML Form Protection Two Types of Protection – Form State Protection Ensures each form submission includes only the correct input name & value combinations – Input Value Protection Protects Inputs from being viewed by users Non-editable Form inputs cannot be altered – TYPE=HIDDEN | RADIO | CHECKBOX, SELECT – Read-Only Text Inputs 31
  • 32. HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> <input type=“textquot; name=quot;queryquot;> <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 32
  • 33. HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> Action: /search.aspx <input type=“textquot; name=quot;queryquot;> <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 33
  • 34. HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> Action: /search.aspx <input type=“textquot; name=quot;queryquot;> Owner: 25574bb9-792d-4c4b-9873-c9fae1631485 <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> (Session Cookie) <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 34
  • 35. HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> <input type =quot;hiddenquot; name=quot;FormTokenquot; value= Action: /search.aspx quot;3F2504E0-4F89-11D3-9A0C-0305E82C3301quot;> Owner: 25574bb9-792d-4c4b-9873-c9fae1631485 Form-Id: 3F2504E0-4F89-11D3-9A0C- <input type=“textquot; name=quot;queryquot;> 0305E82C3301 (New GUID) <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 35
  • 36. HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> <input type =quot;hiddenquot; name=quot;FormTokenquot; value= Action: /search.aspx quot;3F2504E0-4F89-11D3-9A0C-0305E82C3301quot;> Owner: 25574bb9-792d-4c4b-9873-c9fae1631485 Form-Id: 3F2504E0-4F89-11D3-9A0C- <input type=“textquot; name=quot;queryquot;> 0305E82C3301 <input type =quot;submitquot; name=quot;findquot; value=quot;FINDquot;> Input Name Editable Value <input type =quot;hiddenquot; name=quot;srcquot; value=quot;webquot;> query Y - <input type =quot;radioquot; name=quot;scopequot; value=quot;worldquot;> find N { FIND } src N { web } <input type =quot;radioquot; name=quot;scopequot; value=quot;usquot;> scope N { world , us } <input type =quot;radioquot; name=quot;langquot; value=quot;allquot;> lang N { all , en-sp } <input type =quot;radioquot; name=quot;langquot; value=quot;en-spquot;> </form> 36
  • 37. HTML Form Protection Form State Information <form action= quot;/search.aspxquot;> <input type =quot;hiddenquot; name=quot;FormTokenquot; value= Action: /search.aspx quot;3F2504E0-4F89-11D3-9A0C-0305E82C3301quot;> Owner: 25574bb9-792d-4c4b-9873-c9fae1631485 Form-Id: 3F2504E0-4F89-11D3-9A0C- <input type=“textquot; name=quot;queryquot;> 0305E82C3301 <input type =quot;submitquot; name=quot;findquot; value=quot;1quot;> Input Name Editable Value <input type =quot;hiddenquot; name=quot;srcquot; value=quot; 1quot;> query Y - <input type =quot;radioquot; name=quot;scopequot; value=quot; 1quot;> find N { FIND } src N { web } <input type =quot;radioquot; name=quot;scopequot; value=quot;2quot;> scope N { world , us } <input type =quot;radioquot; name=quot;langquot; value=quot;1quot;> lang N { all , en-sp } <input type =quot;radioquot; name=quot;langquot; value=quot;2quot;> </form> 37
  • 38. Case Study: Demo • Demo: Information Disclosure – The comment submission CAPTCHA value is disclosed within a hidden HTML form field 38
  • 39. JavaScript Protection • Quoted string assignment to common JavaScript property values are treated as URLs (UrlToken) – window.location – location.href • JS Functions can also be defined for protection – Function Name & Arguments • Protect (Y/N) • URL / Form Input – INPUT NAME – TARGET URL 39
  • 40. JavaScript Protection • Example JavaScript Function function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } 40
  • 41. JavaScript Protection • Example JavaScript Function function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } 41
  • 42. JavaScript Protection • Example JavaScript Function function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } 42
  • 43. JavaScript Protection • Example JavaScript Function function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } 43
  • 44. JavaScript Protection • Protecting this function with SPF <scriptProtection functionName=quot;__doPostBackquot;> <functionArguments> <add argumentName=quot;eventTargetquot; protect=quot;truequot; targetName=quot;__EVENTTARGETquot; /> <add argumentName=quot;eventArgumentquot; protect=quot;truequot; targetName=quot;__EVENTARGUMENTquot; /> </functionArguments> </scriptProtection> 44
  • 45. JavaScript Protection <a href=quot;javascript:__doPostBack('ctl00$MainContent$gvwThreads' ,'Sort$LastPostDate')quot;> <a href=quot;javascript:__doPostBack('b/xEVUeEDOCnhiKu0jS5USUs6N 4Qu1VH5OqHOwF146wSPlA87g==:1829384:61D26FD0849FF93D67B8489CF A76','b/xEVUeEDOBfdZR3UM0Ds212HDDwHY3KoYyc/+/JULiDcjQ=:1829384: 83BF9D18B5C34CE2FC0541F954C093B43F0C3EA5')quot;> 45
  • 46. JavaScript Protection <a href=quot;javascript:__doPostBack('ctl00$MainContent$gvwThreads' ,'Sort$LastPostDate')quot;> <a href=quot;javascript:__doPostBack('b/xEVUeEDOCnhiKu0jS5USUs6N 4Qu1VH5OqHOwF146wSPlA87g==:1829384:61D26FD0849FF93D67B8489CF A76','b/xEVUeEDOBfdZR3UM0Ds212HDDwHY3KoYyc/+/JULiDcjQ=:1829384: 83BF9D18B5C34CE2FC0541F954C093B43F0C3EA5')quot;> BASE64(ENCRYPT(Random 8 Bytes + Argument Value)) ASP.NET Machine Key AES by default in ASP.NET 2.0 (configurable) RNGCryptoServiceProvider for Random Bytes 46
  • 47. JavaScript Protection <a href=quot;javascript:__doPostBack('ctl00$MainContent$gvwThreads' ,'Sort$LastPostDate')quot;> <a href=quot;javascript:__doPostBack('b/xEVUeEDOCnhiKu0jS5USUs6N 4Qu1VH5OqHOwF146wSPlA87g==:1829384:61D26FD0849FF93D67B8489CF A76','b/xEVUeEDOBfdZR3UM0Ds212HDDwHY3KoYyc/+/JULiDcjQ=:1829384: 83BF9D18B5C34CE2FC0541F954C093B43F0C3EA5')quot;> Time Stamp 47
  • 48. JavaScript Protection <a href=quot;javascript:__doPostBack('ctl00$MainContent$gvwThreads' ,'Sort$LastPostDate')quot;> <a href=quot;javascript:__doPostBack('b/xEVUeEDOCnhiKu0jS5USUs6N 4Qu1VH5OqHOwF146wSPlA87g==:1829384:61D26FD0849FF93D67B8489CF A76','b/xEVUeEDOBfdZR3UM0Ds212HDDwHY3KoYyc/+/JULiDcjQ=:1829384: 83BF9D18B5C34CE2FC0541F954C093B43F0C3EA5')quot;> SHA1HMAC (CipherText + Time Stamp + GUID Cookie + Source IP + [Input Name] + [Target URL] ) HMAC key derived from ASP.NET Machine Key 48
  • 49. Configuring SPF • Minimal Configuration (Exception Based) – Default Protection Settings (Required) • Protection Scope (URI, QueryStrings, Forms, Cookies) • Main Application Entry Point (URL) – Exceptions to Default Settings (Optional) • Global Exceptions (Form Inputs, Cookies) • URI Exceptions (URI, Query String, Form Inputs) – Several alternate configuration options • Send state information to client (encrypted) • Active vs. Passive mode • BlackList Regexes 49
  • 50. OWASP Top 10 Coverage A1 - Cross Site Scripting (XSS) • Request tokens should thwart reflected XSS exploits A2 - Injection Flaws A3 - Malicious File Execution A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) • Request tokens provide CSRF protection A6 - Information Leakage and Improper Error Handling • Input protection can mitigate information leakage through application inputs (hidden fields, cookies, etc) 50
  • 51. OWASP Top 10 Coverage A7 - Broken Authentication & Session Management • Cookie protection will mitigate weak/predictable session IDs A8 - Insecure Cryptographic Storage A9 - Insecure Communications A10 - Failure to Restrict URL Access • Request tokens prevent forced browsing 51
  • 52. Conclusion • IIS7 is now more extensible than ever – Modules in native or managed code • Vulnerable legacy apps can be secured on IIS7 infrastructure – Built-in Features – Add-On Modules – Custom Modules Protecting Vulnerable Applications with IIS7 52 Source Boston 2009
  • 53. Questions? • GDS Blog – http://www.gdssecurity.com/l/b • SPF Download Page – http://www.gdssecurity.com/l/spf • SPF Demo Site (.NET StockTrader) – http://trade-spf.gdsdemo.com • Official Microsoft IIS Site – http://www.iis.net 53