This question is similar to Exploitable PHP Functions.
Tainted data comes from the user, or more specifically an attacker. When a tainted variable reaches a sink function, then you have a vulnerability. For instance a function that executes a sql query is a sink, and GET/POST variables are sources of taint.
What are all of the sink functions in C#? I am looking for functions that introduce a vulnerability or software weakness. I am particularly interested in Remote Code Execution vulnerabilities. Are there whole classes/libraries that contain nasty functionally that a hacker would like to influence? How do people accidentally make dangerous C# code?
On the web based side of things, C# (and more generally, ASP.NET) is commonly vulnerable to the following (items listed by OWASP Top 10 2013). I realise you were mainly interested in sink functions, of which I cover some, however you did ask how people accidentally make dangerous C# code so hopefully I've provided some insight here.
A1-Injection
SQL Injection
Generating queries by string concatenation.
var sql = "SELECT * FROM UserAccount WHERE Username = '" + username "'";
SqlCommand command = new SqlCommand(sql , connection);
SqlDataReader reader = command.ExecuteReader();
This can often be solved by parameterised queries, but if you are using an IN
condition it currently isn't possible without string concatenation.
LDAP Injection
Code such as
searcher.Filter = string.Format("(sAMAccountName={1})", loginName);
can make the application vulnerable. More information here.
OS Command Injection
This code is vulnerable to command injection because the second parameter to Process.Start
can have extra commands passed to it using the &
character to batch multiple commands
string strCmdText= @"/C dir c:\files\" + Request.QueryString["dir"];
ProcessStartInfo info = new ProcessStartInfo("CMD.exe", strCmdText);
Process.Start(info);
e.g. foldername && ipconfig
A2-Broken Authentication and Session Management
Sign Out
The default Forms Authentication SignOut method does not update anything server side, allowing a captured auth token to be continued to be used.
Calling the SignOut method only removes the forms authentication cookie. The Web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms authentication cookie.
Using Session State for Authentication
A session fixation vulnerability could be present if a user has used session state for authentication.
A3-Cross-Site Scripting (XSS)
Response.Write
(and the shortcut <%= =>
) are vulnerable by default, unless the developer has remembered to HTML encode the output. The more recent shortcut <%:
HTML encodes by default, although some developers may use this to insert values into JavaScript where they can still be escaped by an attacker. Even using the modern Razor engine it is difficult to get this right:
var name = '@Html.Raw(HttpUtility.JavaScriptStringEncode(Model.Name))';
ASP.NET by default enables Request Validation, which will block any input from cookies, the query string and from POST data that could potentially be malicious (e.g. HTML tags). This appears to cope well with input coming through the particular app, but if there is content in the database that is inserted from other sources like from an app written using other technologies, then it is possible that malicious script code could still be output. Another weakness is where data is inserted within an attribute value. e.g.
<%
alt = Request.QueryString["alt"];
%>
<img src="http://example.com/foo.jpg" alt="<%=alt %>" />
This can be exploited without triggering Request Validation:
If alt
is
" onload="alert('xss')
then this renders
<img src="http://example.com/foo.jpg" alt="" onload="alert('xss')" />
In old versions of .NET it was a bit of a mine-field for a developer to ensure that their output was correctly encoded using some of the default web controls.
Unfortunately, the data-binding syntax doesn’t yet contain a built-in encoding syntax; it’s coming in the next version of ASP.NET
e.g. not vulnerable:
<asp:Repeater ID="Repeater1" runat="server">
<ItemTemplate>
<asp:TextBox ID="txtYourField" Text='<%# Bind("YourField") %>'
runat="server"></asp:TextBox>
</ItemTemplate>
</asp:Repeater>
vulnerable:
<asp:Repeater ID="Repeater2" runat="server">
<ItemTemplate>
<%# Eval("YourField") %>
</ItemTemplate>
</asp:Repeater>
A4-Insecure Direct Object References
MVC model binding can allow parameters added to POST data to be mapped onto the a data model. This can happen unintentionally as the developer hasn't realised that a malicious user may amend parameters in this way. The Bind
attribute can be used to prevent this.
A5-Security Misconfiguration
There are many configuration options that can weaken the security of an application. For example setting customErrors
to On
or enabling trace.
Scanners such as ASafaWeb can check for this common misconfigurations.
A6-Sensitive Data Exposure
Default Hashing
The default password hashing methods in ASP.NET are sometimes not the best.
- HashPasswordForStoringInConfigFile() - this could also be bad if it is used to hash a plain password with no added salt.
- Article "Our password hashing has no clothes" regarding the ASP.NET membership provider in .NET 4.
A7-Missing Function Level Access Control
Failure to Restrict URL Access
In integrated pipeline mode .NET can see every request and handles can authorise each request, even to non .NET resources (e.g. .js
and images). However, if the application i running in classic mode, .NET only sees requests to files such as .aspx
so other files may be accidentally unsecured. See this answer for more detail on the differences.
e.g. www.example.com/images/private_photograph_user1.jpg
is more likely to be vulnerable in an application that runs in classic mode, although there are workarounds.
A8-Cross-Site Request Forgery (CSRF)
Although the legacy web forms applications are usually more secure against CSRF due to requiring the attacker to forge the View State and Event Validation values, newer MVC applications could be vulnerable unless the developer has manually implemented anti forgery tokens. Note I am not saying that web forms is not vulnerable, just that it is more difficult that simply passing on a few basic parameters - there are fixes though, such as integrating the user key into the View State value.
When the EnableEventValidation property is set to true, ASP.NET validates that a control event originated from the user interface that was rendered by that control. A control registers its events during rendering and then validates the events during postback or callback handling. For example, if a list control includes options numbered 1, 2, or 3 when the page is rendered, and if a postback request is received specifying option number 4, ASP.NET raises an exception. All event-driven controls in ASP.NET use this feature by default.
[EnableEventValidation] feature reduces the risk of unauthorized or malicious postback requests and callbacks. It is strongly recommended that you do not disable event validation.
A10-Unvalidated - Redirects and Forwards
Adding code such as
Response.Redirect(Request.QueryString["Url"]);
will make your site vulnerable. The attack could be initiated by sending a phishing email to a user containing a link. If the user is vigilant they may have double checked the domain of the URL before clicking. However, as the domain will match your domain which the user trusts, they will click the link unaware that the page will redirect the user to the attacker's domain.
Validation should take place on Url
to ensure that it is either a relative, allowed URL or an absolute URL to one of your own allowed domains and pages. You may want to check someone isn't redirecting your users to /Logout.aspx
for example. Although there may be nothing stopping an attacker from directly linking to http://www.example.com/Logout.aspx
, they could use the redirect to hide the URL so it is harder for a user to understand which page is being accessed (http://www.example.com/Redirect.aspx?Url=%2f%4c%6f%67%6f%75%74%2e%61%73%70%78
).
Others
The other OWASP categories are:
- A9-Using Components with Known Vulnerabilities
of which I can't think of any to mind that are specific to C#/ASP.NET. I'll update my answer if I think of any (if you think they are relevant to your question).
Anything that uses regular expressions (particularly the RegularExpressionValidator). To see this, run a RegularExpressionValidator with the regex ^(\d+)+$
and give it 30 digits and an alpha character to validate against.
Some posts:
- http://msdn.microsoft.com/en-us/magazine/ff646973.aspx
- http://www.abemiester.com/abemiester/post/RegEx-DOS-attack-Regular-Expressions-Now-you-have-3-problems.aspx (this is a blog post from my own blog going into more detail about the MSDN article).
This is called a Regular Expression Denial of Service attack and it can bring a website to its knees.
Process.Start
is the first one to come to mind.
I am sure that WindowsIdentity
and much of System.Security
can also be used for evil.
Of course, there are SQL injection attacks, but I don't think that's what you mean (though remote execution can occur through SQL Server).
Aside from the obvious Process.Start()
already mentioned, I can see a couple of ways of potential indirect exploitation.
- WinAPI calls via PInvoke to
CreateProcess()
and whatnot.
- Any sort of dynamic assembly loading mechanism using
Assembly.Load()
and other such overloads. If a compromised assembly made it to the system and loaded.
- If running in full trust in general.
- With the right permissions, any registry operations could put you at risk.
That's all that comes to mind right now.
IMO: The nr 1 exploitable functions, are innocent looking, but very dangerously when used without thought.
In ASP.Net Response.Write
or the shortcut:
<%= searchTermFromUser %>
In ADO.Net:
- The
string
+
operator:
var sql = "SELECT * FROM table WHERE name = '" + searchTermFromUser + "'"
Any piece of data you get from the user (or any other external source) and pass to another system or another user is a potential exploit.
If you get a string from the user and display it to another user without using HtmlEncode it's a potential exploit.
If you get a string from the user and use it to construct SQL it's a potential SQL injection.
If you get a string from the user and use it to contract a file name for Process.Start or Assembly.Load it's a remote execution vulnerability
You get the point, the danger comes from using unsanitized data, if you never pass user input to external system without sanitizing it (example: HtmlEncode) or using injection-safe interfaces (example: SQL parameters) you are relatively safe - the minute you forget to sanitize something the most innocent-looking method can become a security vulnerability.
Note: cookies, html headers and anything else that passes over a network is also data from the user, in most cases even data in your database is data from the user.
Plenty of things in the System.Net, System.XML, System.IO, (anything that takes a URI and/or file path and actually deals with the resource they identify) System.Reflection, System.Security, System.Web, System.Data and System.Threading namespaces can be dangerous, as in they can be used to do bad things that go further than just messing up the current execution. So much that it would be time consuming to try to identify each.
Of course, every method in all third party assemblies will have to assumed to be dangerous until shown otherwise. More time consuming again.
Nor do I think it's a particularly fruitful approach. Producing a checklist of functions only really works with a limited library, or with a large-language where a lot of what would be in a library with a language like C# is in the language itself.
There are some classically dangerous examples like Process.Start()
or anything that executes another process directly, but they are balanced by being quite obviously dangerous. Even a relatively foolhardy and incompetent coder may take care when they use that, while leaving data that goes to other methods unsanitised.
That sanitation of data is a more fruitful thing to look at than any list of functions. Is data validated to remove obviously incorrect input (which may be due to an attack, or may simply be a mistake) and is it encoded and escaped in the appropriate way for a given layer (there is too much talk about "dangerous" character sequences, '
never hurt anyone, it's '
not correctly escaped for SQL, that can hurt when it is indeed at a SQL layer - the job required to make sure the data gets in there correctly is the same as that to avoid exploits). Are the layers at which communication with something outside of the code solid. Are URIs constructed using unexamined input, for example - if not you can turn some of the more commonly used System.Net and System.XML methods into holes.
Probably half the framework contains very scary functions. I myself think that File.WriteAllText()
is very scary since it can overwrite any file the current user has access to.
A different approach to this question would be how you can manage security. The article at http://ondotnet.com/pub/a/dotnet/2003/02/18/permissions.html contains a basic description concerning the .NET security system, with the System.Security.Permissions namespace containing all permissions .NET makes available. You can also take a look at http://msdn.microsoft.com/en-us/library/5ba4k1c5.aspx for more information.
In short, .NET allows you to limit the permissions a process can have, for example denying methods that change data on disk. You can then check these permissions and act on whether the process has them or not.
even a simple string comparison can be an issue.
If an application makes a trust
decision based on the results of this
String.Compare operation, the result
of that decision could be subverted by
changing the CurrentCulture
Take a look at the example. Fairly easy to miss