Udostępnij za pośrednictwem


CAT.NET Data Flow Rules

Syed Aslam Basha here from the Information Security Tools Team.

This blog posts and the next one gives idea about data flow rules and configuration rules of CAT.NET. The following table describes the data flow rules;

Rule Name

Title

Description

Resolution

SqlInjectionRule

Untrusted input in dynamic SQL can result in SQL Injection vulnerabilities

A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the database. It can occur when your application uses input to construct dynamic SQL statements to access the database. It can also occur if your code uses stored procedures that are passed strings that contain raw user input. Using the SQL injection attack, the attacker can execute arbitrary commands in the database. The issue is magnified if the application uses an over-privileged account to connect to the database. In this instance it is possible to use the database server to run operating system commands and potentially compromise other servers, in addition to being able to retrieve, manipulate, and destroy data.

Use parameterized SQL instead of dynamic SQL. Parameterized SQL statements will accept characters that have special meaning to SQL (like single quote) without breaking the SQL statement and causing SQL injection. Parameterized sql statements automatically escape characters which cause SQL injection. More information can be found at https://msdn.microsoft.com/en-us/library/ms998271.aspx.

XSSDataFlowRule

Untrusted input should be encoded to avoid potential Cross Site Scripting vulnerabilities

User input when used in web outputs without sanitization or encoding can result in Cross Site Scripting vulnerabilities. Cross-site scripting (XSS) attacks can occur whenever users input is echoed back to the browser without adequate validation, sanitization or encoding, enabling an attacker to supply input which the victim's browser interprets as client-side script originating from the vulnerable application.

Encode the input before rendering it on the page. Anti-XSS Library is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. User appropriate method in the library to encode input for specific context. More information can be found at https://msdn.microsoft.com/en-us/library/aa973813.aspx.

FileCanonicalizationRule

Untrusted input in file handling routines can cause File Canonicalization vulnerability

User input used in the file handling routines can potentially lead to File Canonicalization vulnerability. Code is particularly susceptible to canonicalization issues if it makes any decisions based on the name of a resource that is passed to the program as input. Files, paths, and URLs are resource types that are vulnerable to canonicalization because in each case there are many different ways to represent the same name.

Sanitize the file path prior to passing it to file handling routines. Use Path.GetInvalidFileNameChars or Path.GetInvalidPathChars to get the invalid characters and remove them from the input. More information can be found at https://msdn.microsoft.com/en-us/library/system.io.path.getinvalidfilenamechars.aspx.

InformationDisclosureRule

Always return generic error information to the user

Unsafe exception handling can result in information disclosure vulnerability which can reveal application components.

Ensure that all exceptions are caught and only generic messages are returned to the user.

LdapInjectionRule

Untrusted input in LDAP Queries can result in LDAP Injection vulnerabilities

User input used in constructing LDAP queries can result in LDAP Injection vulnerabilities. A LDAP (Lightweight Directory Access Protocol) injection attack exploits vulnerabilities in input validation to run arbitrary LDAP statements against information directories. It can occur when your application uses input to construct dynamic LDAP statements to access directory services. Using the LDAP injection attack, the attacker can execute arbitrary statements against the directory services.

Input should be validated against an inclusion list. Either sanitize or encode the input before constructing the LDAP query. When handling non-DN values use WPL library's Encoder.LdapEncode method to properly encode the input. For each input, define what is acceptable through either a regular expression, a list of acceptable characters, domain constrains or type casting and enforce this validation on the server side.

ProcessCommandExecutionRule

Untrusted input in process execution routines can result in Command Injection vulnerabilities

User input when used to run system level command can result in Command Injection vulnerabilities. It is also commonly known as Shell Injection vulnerability which could allow an attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input. A remote attacker could send a specially-crafted request to inject and execute malicious commands with the privileges of the application.

Sanitize the input prior to constructing the command. For each input, define what is acceptable through either a regular expression, a list of acceptable characters, domain constrains or type casting and enforce this validation on the server side.

UserControlledRedirectionRule

Untrusted input in user redirection can result in uncontrolled redirection

User input when used directly to redirect can cause this vulnerability.

Do not allow off-site redirections to absolute URLs that can be specified by the user.

XPathInjectionRule

Untrusted input in XPATH Queries can result in XPATH Injection vulnerabilities

User input used to construct XPATH queries can result in XPATH injection vulnerabilities. If an application uses run-time XPath query construction, embedding unsafe user input into the query, it may be possible for the attacker to inject data into the query such that the newly formed query will be parsed in a way differing from the programmer's intention.

Sanitize the user controlled input before using it in an XPath query. For each input, define what is acceptable through either a regular expression, a list of acceptable characters, domain constrains or type casting and enforce this validation on the server side.

XmlInjectionRule

Untrusted input should be encoded to avoid potential Xml Injection vulnerabilities

User input when used to construct dynamic XML without encoding can result in XML injection vulnerabilities. An XML injection attack exploits vulnerabilities in input validation to create a new node to alter the program decision/flow. It can also be used to insert malicious characters into XML and break functionality. It occurs when the application uses input from the user to construct dynamic XML to send it to the backend database or does transformation to display it back to the user.

Encode the input before using it to construct XML nodes. Anti-XSS Library is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. Use the XmlEncode method to encode input. More information can be found at https://msdn.microsoft.com/en-us/library/aa973813.aspx.

-Syed Aslam Basha ( syedab@microsoft.com )

Microsoft Information Security Tools (IST) Team

Test Lead