MSDN Magazine - March 2009 - (Page 105)

BRYAN SULLIVAN SECURITY BRIEFS Protect Your Site With URL Rewriting Tim Berners-Lee once famously wrote that “cool URIs don’t change.” His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in such a way that they can remain unchanged for  years or more. While I understand his point, I’ll venture to guess that when he made that statement he hadn’t foreseen the ways in which hyperlinks would become a means for hackers to attack innocent users. Attacks like cross-site scripting (XSS), crosssite request forgery (XSRF), and open-redirect phishing are routinely propagated through malicious hyperlinks sent in e-mail messages. (If you’re unfamiliar with these attacks, I recommend reading about them at the Open Web Application Security Project (OWASP) Web site at owasp.org.) We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs—not once every  years but once every  minutes. Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims. With all due respect to Sir Tim, while “cool” URIs may not change, secure ones certainly do. We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs. Now the attacker just needs to convince a victim to click on the link. Mass e-mails are an effective way to accomplish this, especially when a little social engineering is applied (for example, “Click here to receive your free Xbox !”). Similar malicious URLs can be constructed and e-mailed to exploit XSRF vulnerabilities: checking.aspx?action=withdraw&amount=1000&destination =badguy and open-redirect vulnerabilities: page.aspx?redirect=http://evil.contoso.com Open-redirect vulnerabilities are less well known than XSS and XSRF. They occur when an application allows a user to specify an arbitrary redirect URL in the request. This can lead to a phishing attack in which the user believes she is clicking a link that will take her to good.adatum.com, but in reality she will be redirected to evil.contoso.com. A Possible Solution: Personalized Resource Locators One possible solution to this problem is for an application to rewrite its URLs so that they are personalized for each user (or better yet, each user session). For example, an application could rewrite the URL contoso.com/page.aspx as contoso.com/{GUID}/page.aspx, where {GUID} is random and unique for each user session. Given that there are  possible GUID values, it is fantastically unlikely that an attacker would be able to guess a valid one, so presumably he would not be able to craft and e-mail a valid (and poisoned) URL. ASP.NET already has similar functionality built in as part of its cookieless session-handling capability. Because some users can’t or won’t accept HTTP cookies, ASP.NET can be configured to store the user’s session ID in the URL instead. You can enable this with a simple change to your web.config file:  Reviewing the Problem Before we get into the details of a solution, let’s take a closer look at the problem. Here’s a very simple example of some ASP.NET code vulnerable to an XSS attack: protected void Page_Load(object sender, EventArgs e) { // DO NOT USE - this is vulnerable code Response.Write(“Welcome back, “ + Request[“username”]); } The code is vulnerable because the page is writing the username parameter from the request back into the response without any validation or encoding. An attacker could easily exploit this vulnerability by crafting a URL with script injected into the username parameter, such as: page.aspx?username= On further inspection, however, we see that this approach does not really mitigate any of the security vulnerabilities that we’re concerned about, like XSS. The attacker may not be able to guess a valid session GUID, but he doesn’t actually have to. He can start Send your questions and comments to briefs@microsoft.com. March 2009 105 http://www.owasp.org http://contoso.com/page.aspx http://contoso.com/{GUID}/page/aspx Table of Contents for the Digital Edition of MSDN Magazine - March 2009ContentsMSDN Magazine - March 2009ToolboxCLR Inside OutCutting EdgeThe Polyglot ProgrammerTest RunInternet Explorer 8Silverlight PatternsSharepointDatabase Development.NET InteropSecurity BriefsExtreme ASP.NETWicked CodeTeam SystemFoundations{ End Bracket }MSDN Magazine - March 2009MSDN Magazine - March 2009 - (Page Intro)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page Cover1)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page Cover2)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 1)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 2)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 3)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 4)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 5)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 6)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 7)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 8)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 9)MSDN Magazine - March 2009 - MSDN Magazine - March 2009 (Page 10)MSDN Magazine - March 2009 - Toolbox (Page 11)MSDN Magazine - March 2009 - Toolbox (Page 12)MSDN Magazine - March 2009 - Toolbox (Page 13)MSDN Magazine - March 2009 - Toolbox (Page 14)MSDN Magazine - March 2009 - CLR Inside Out (Page 15)MSDN Magazine - March 2009 - CLR Inside Out (Page 16)MSDN Magazine - March 2009 - CLR Inside Out (Page 17)MSDN Magazine - March 2009 - CLR Inside Out (Page 18)MSDN Magazine - March 2009 - CLR Inside Out (Page 19)MSDN Magazine - March 2009 - CLR Inside Out (Page 20)MSDN Magazine - March 2009 - Cutting Edge (Page 21)MSDN Magazine - March 2009 - Cutting Edge (Page 22)MSDN Magazine - March 2009 - Cutting Edge (Page 23)MSDN Magazine - March 2009 - Cutting Edge (Page 24)MSDN Magazine - March 2009 - Cutting Edge (Page 25)MSDN Magazine - March 2009 - Cutting Edge (Page 26)MSDN Magazine - March 2009 - Cutting Edge (Page 27)MSDN Magazine - March 2009 - Cutting Edge (Page 28)MSDN Magazine - March 2009 - Cutting Edge (Page 29)MSDN Magazine - March 2009 - Cutting Edge (Page 30)MSDN Magazine - March 2009 - The Polyglot Programmer (Page 31)MSDN Magazine - March 2009 - The Polyglot Programmer (Page 32)MSDN Magazine - March 2009 - The Polyglot Programmer (Page 33)MSDN Magazine - March 2009 - The Polyglot Programmer (Page 34)MSDN Magazine - March 2009 - The Polyglot Programmer (Page 35)MSDN Magazine - March 2009 - The Polyglot Programmer (Page 36)MSDN Magazine - March 2009 - Test Run (Page 37)MSDN Magazine - March 2009 - Test Run (Page 38)MSDN Magazine - March 2009 - Test Run (Page 39)MSDN Magazine - March 2009 - Test Run (Page 40)MSDN Magazine - March 2009 - Test Run (Page 41)MSDN Magazine - March 2009 - Test Run (Page 42)MSDN Magazine - March 2009 - Test Run (Page 43)MSDN Magazine - March 2009 - Test Run (Page 44)MSDN Magazine - March 2009 - Test Run (Page 45)MSDN Magazine - March 2009 - Test Run (Page 46)MSDN Magazine - March 2009 - Test Run (Page 47)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 48)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 49)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 50)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 51)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 52)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 53)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 54)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 55)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 56)MSDN Magazine - March 2009 - Internet Explorer 8 (Page 57)MSDN Magazine - March 2009 - Silverlight Patterns (Page 58)MSDN Magazine - March 2009 - Silverlight Patterns (Page 59)MSDN Magazine - March 2009 - Silverlight Patterns (Page 60)MSDN Magazine - March 2009 - Silverlight Patterns (Page 61)MSDN Magazine - March 2009 - Silverlight Patterns (Page 62)MSDN Magazine - March 2009 - Silverlight Patterns (Page 63)MSDN Magazine - March 2009 - Silverlight Patterns (Page 64)MSDN Magazine - March 2009 - Silverlight Patterns (Page 65)MSDN Magazine - March 2009 - Sharepoint (Page 66)MSDN Magazine - March 2009 - Sharepoint (Page 67)MSDN Magazine - March 2009 - Sharepoint (Page 68)MSDN Magazine - March 2009 - Sharepoint (Page 69)MSDN Magazine - March 2009 - Sharepoint (Page 70)MSDN Magazine - March 2009 - Sharepoint (Page 71)MSDN Magazine - March 2009 - Sharepoint (Page 72)MSDN Magazine - March 2009 - Sharepoint (Page 73)MSDN Magazine - March 2009 - Sharepoint (Page 74)MSDN Magazine - March 2009 - Sharepoint (Page 75)MSDN Magazine - March 2009 - Sharepoint (Page 76)MSDN Magazine - March 2009 - Sharepoint (Page 77)MSDN Magazine - March 2009 - Sharepoint (Page 78)MSDN Magazine - March 2009 - Sharepoint (Page 79)MSDN Magazine - March 2009 - Sharepoint (Page 80)MSDN Magazine - March 2009 - Sharepoint (Page 81)MSDN Magazine - March 2009 - Sharepoint (Page 82)MSDN Magazine - March 2009 - Sharepoint (Page 83)MSDN Magazine - March 2009 - Database Development (Page 84)MSDN Magazine - March 2009 - Database Development (Page 85)MSDN Magazine - March 2009 - Database Development (Page 86)MSDN Magazine - March 2009 - Database Development (Page 87)MSDN Magazine - March 2009 - Database Development (Page 88)MSDN Magazine - March 2009 - Database Development (Page 89)MSDN Magazine - March 2009 - Database Development (Page 90)MSDN Magazine - March 2009 - Database Development (Page 91)MSDN Magazine - March 2009 - Database Development (Page 92)MSDN Magazine - March 2009 - Database Development (Page 93)MSDN Magazine - March 2009 - Database Development (Page 94)MSDN Magazine - March 2009 - Database Development (Page 95)MSDN Magazine - March 2009 - Database Development (Page 96)MSDN Magazine - March 2009 - Database Development (Page 97)MSDN Magazine - March 2009 - .NET Interop (Page 98)MSDN Magazine - March 2009 - .NET Interop (Page 99)MSDN Magazine - March 2009 - .NET Interop (Page 100)MSDN Magazine - March 2009 - .NET Interop (Page 101)MSDN Magazine - March 2009 - .NET Interop (Page 102)MSDN Magazine - March 2009 - .NET Interop (Page 103)MSDN Magazine - March 2009 - .NET Interop (Page 104)MSDN Magazine - March 2009 - Security Briefs (Page 105)MSDN Magazine - March 2009 - Security Briefs (Page 106)MSDN Magazine - March 2009 - Security Briefs (Page 107)MSDN Magazine - March 2009 - Security Briefs (Page 108)MSDN Magazine - March 2009 - Security Briefs (Page 109)MSDN Magazine - March 2009 - Security Briefs (Page 110)MSDN Magazine - March 2009 - Extreme ASP.NET (Page 111)MSDN Magazine - March 2009 - Extreme ASP.NET (Page 112)MSDN Magazine - March 2009 - Extreme ASP.NET (Page 113)MSDN Magazine - March 2009 - Extreme ASP.NET (Page 114)MSDN Magazine - March 2009 - Extreme ASP.NET (Page 115)MSDN Magazine - March 2009 - Extreme ASP.NET (Page 116)MSDN Magazine - March 2009 - Wicked Code (Page 117)MSDN Magazine - March 2009 - Wicked Code (Page 118)MSDN Magazine - March 2009 - Wicked Code (Page 119)MSDN Magazine - March 2009 - Wicked Code (Page 120)MSDN Magazine - March 2009 - Wicked Code (Page 121)MSDN Magazine - March 2009 - Wicked Code (Page 122)MSDN Magazine - March 2009 - Team System (Page 123)MSDN Magazine - March 2009 - Team System (Page 124)MSDN Magazine - March 2009 - Team System (Page 125)MSDN Magazine - March 2009 - Team System (Page 126)MSDN Magazine - March 2009 - Team System (Page 127)MSDN Magazine - March 2009 - Team System (Page 128)MSDN Magazine - March 2009 - Foundations (Page 129)MSDN Magazine - March 2009 - Foundations (Page 130)MSDN Magazine - March 2009 - Foundations (Page 131)MSDN Magazine - March 2009 - Foundations (Page 132)MSDN Magazine - March 2009 - Foundations (Page 133)MSDN Magazine - March 2009 - Foundations (Page 134)MSDN Magazine - March 2009 - Foundations (Page 135)MSDN Magazine - March 2009 - { End Bracket } (Page 136)MSDN Magazine - March 2009 - { End Bracket } (Page Cover3)MSDN Magazine - March 2009 - { End Bracket } (Page Cover4)http://www.nxtbook.com/nxtbooks/cmp/msdnmag1109http://www.nxtbook.com/nxtbooks/cmp/msdnmag1009http://www.nxtbook.com/nxtbooks/cmp/msdnmag0909http://www.nxtbook.com/nxtbooks/cmp/msdnmag0809http://www.nxtbook.com/nxtbooks/cmp/msdnmag0709http://www.nxtbook.com/nxtbooks/cmp/msdnmag0609http://www.nxtbook.com/nxtbooks/cmp/msdnmag0509http://www.nxtbook.com/nxtbooks/cmp/msdnmag0409http://www.nxtbook.com/nxtbooks/cmp/msdnmag0309http://www.nxtbook.com/nxtbooks/cmp/msdnmag0209http://www.nxtbook.com/nxtbooks/cmp/msdnmag0109http://www.nxtbook.com/nxtbooks/cmp/msdnmag1208http://www.nxtbook.com/nxtbooks/cmp/msdnmag1108http://www.nxtbook.com/nxtbooks/cmp/msdnmag1008http://www.nxtbook.com/nxtbooks/cmp/msdnmag0908http://www.nxtbook.com/nxtbooks/cmp/msdnmag0808http://www.nxtbook.com/nxtbooks/cmp/msdnmag0708http://www.nxtbook.com/nxtbooks/cmp/msdnmag0608http://www.nxtbook.com/nxtbooks/cmp/msdnmag0408http://www.nxtbook.com/nxtbooks/cmp/msdnmag0308http://www.nxtbook.com/nxtbooks/cmp/msdnmag-launch021508http://www.nxtbook.com/nxtbooks/cmp/msdnmag0208http://www.nxtbook.com/nxtbooks/cmp/msdnmag0108http://www.nxtbook.com/nxtbooks/cmp/msdnmag1207http://www.nxtbookMEDIA.com

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.