The Microsoft documentation "Threat mitigation guidance for ASP.NET Core Blazor Server", Section "Events" says:
"Events provide an entry point to a Blazor Server app. The same rules for safeguarding endpoints in web apps apply to event handling in Blazor Server apps. A malicious client can send any data it wishes to send as the payload for an event"
Please help me understand this. Assume we are on Blazor server (NOT webassembly), there is ASP.Net Core Identity in place, and all Blazor pages are secured with either #attribute [Authorize] or <AuthorizeView...> tags. So authentication and authorization are in place, but additionally we need to make sure that certain users only see certain data from the database.
case #1, a Blazor component with a parameter
This parameter is supplied by it's parent page. When loading the component, a database call is made to fetch data based on the parameter:
[Parameter] public Guid companyGuid { get; set; }
protected override async Task OnInitializedAsync()
{
using var context = DataService.CreateDbContext();
var company = await DataService.GetCompanyByGuid(companyGuid, context);
}
case #2, a dropdown shows a selection value to choose from
The datasource is a list prefilled based on the users permissions. When the dropdown change event triggers, data is fetched from the database based on the new selection:
<RadzenDropDown Data=#DataSourceCompanies TValue="Company"
#bind-Value="#selectedCompany"
Change="#(args => CompanySelectionChanged(args as Company))" />
List<Company> DataSourceCompanies = await GetCompaniesAndObserveUserPermissions(userGuid);
async void CompanySelectionChanged(Company c)
{
using var context = DataService.CreateDbContext();
var company = await DataService.GetCompanyByGuid(c.guid, context);
}
Question:
Can a user modify either the [Parameter] in case 1, or the selected item in the dropdown in case 2 in a way it was not intended?
To put it differently, do i need to safeguard the database query "GetCompanyByGuid" additionally by doing something like this:
var authState = await authenticationStateTask;
string? userId = authState.User.FindFirst(c => c.Type.Contains("nameidentifier"))?.Value;
var company = await DataService.GetCompanyByGuid(c.guid, userId, context);
(and then use the userId inside the database query to additionally safeguard the query)
While this sounds "more secure" to me, it feels really cumbersome. There are 100's of places where database calls are made throughout the app. I'd like to confirm if that additional code is actually necessary?
thanks!
I read the Microsoft documentation but i'm not fully clear on what it says. Tried browser debugging mode to inspect the app, i only see HTML/css there (as expected). No internal application data that would allow me to modify the app's behaviour is visible, e.g. the company guids. But i'm too new to SignalR so there is probably still a way to abuse this. Hence my question.
Question: Can a user modify either the [Parameter] in case 1
The user's state is held in the server's memory in a circuit. Examples of user state held in a circuit include:
The hierarchy of component instances and their most recent render output in the rendered UI.
The values of fields and properties in component instances.
Therefore, to change the user information, you must have access to the server's RAM, and you should not worry about this.
For transient data that the user is actively creating, a commonly used storage location is the browser's localStorage and sessionStorage collections:
localStorage is scoped to the browser's window. If the user reloads the page or closes and re-opens the browser, the state persists. If the user opens multiple browser tabs, the state is shared across the tabs. Data persists in localStorage until explicitly cleared.
sessionStorage is scoped to the browser tab. If the user reloads the tab, the state persists. If the user closes the tab or the browser, the state is lost. If the user opens multiple browser tabs, each tab has its own independent version of the data.
Third-party NuGet packages provide APIs for working with localStorage and sessionStorage. It's worth considering choosing a package that transparently uses ASP.NET Core Data Protection. Data Protection encrypts stored data and reduces the potential risk of tampering with stored data.
For more info, you can refer to ASP.NET Core Blazor state management and also Browser storage (localStorage/sessionStorage)
In general, If you'd like to have a very secure application, then you have to add a lot of such overheads like what you yourself gave an example.
I'm going to answer my own question after asking a professional web pen tester for help. I think the best summarization to my question is "it depends".
Let's take the dropdown example, and analyze it step-by-step:
Assume we have a list of 5 companies in the database, identified by a Guid. 3 companies should be visible to the user in the UI.
Define the dropdown selector for the 3 companies with the following Blazor code snippet:
This results in the following HTML code (and should already give an idea how this can be abused)
When one of the dropdown items is selected by the user, the "CompanySelectionCallback" is triggered in c# code.
So how can this be abused? By opening F12 dev-tools in the browser and replacing one of the option values to a Guid of one of the hidden companies:
Analyzing this in a proxy tool, we can now see the modified Guid sent to the server:
Therefore, in this case the code needs to be additionally safeguarded against malicious modification.
Now consider the same example, but instead of using a select, use the RadzenDropDown Component from the Radzen Blazor library. The generated html looks different:
There is no Guid to be found that can be modified, the only thing we see in our proxy tool is an eventHandlerId:
Deep inside the AspNetCore internals this eventHandlerId is mapped to the actual Company guid:
Since only those companies that are presented to the user are in this internal mapping list, it is not possible to maliciously access data from other company objects.
Therefore, in this case the code is sufficiently safeguarded against modification through outside interaction.
Hope this analysis is correct and helps others.
I am setting up a website as a volunteer for a scout charity. As part of the web functionality we will be storing email addresses and names in a database with password hashes and some other info such as creation date and site roles.
Is this something that would be covered by GDPR? I have tried to do some reading online but can't seem to find something definitive that covers this use case.
Yes Norman it is personal data and hence processing it (which includes storing it) comes under GDPR ambit, You may want to mention it in your privacy notice stating the high level purpose it is used for and just to ease the users let the users know, the data is not being passed to other third parties.
IAPP is good authoritative and credible site for all such queries. You may want to read this series.
https://iapp.org/news/a/business-impacts-of-the-general-data-protection-regulation-part-three/
In my new job at a community hall in the Netherlands, we work with databases that contain privacy-sensitive data (e.g. citizen service numbers). They also recently started working with Azure, which i'm getting familiar with as we speak. So this might be a beginners question but I hope someone can lead me in the right direction: Is there a way, to retrieve data through a direct connection with a database and make it 'anonymous' for example by hashing or using a key-file of some sorts somewhere in the pipeline?
I know that the pipelines are .JSON files and that it's possible to do some transformations. I'm curious about the possibilities for doing this in Azure!
** EDIT **
To be more clear: I want to write a piece of code preferably in the pipeline, that does something like this:
citizen service number person 1
102541220
#generate key/hash somewhere in pipeline of loading in data in azure
anonymous citizen service number, that is specific for person 1
0x10325476
Later, I want to add columns to this database, for example what kind of value the house has this person lives in. I want to be able to 'couple' the databases by using the
anonymous citizen service number 1
0x10325476
It sounds like you'd be interested in Azure SQL Database dynamic data masking.
SQL Database dynamic data masking limits sensitive data exposure by
masking it to non-privileged users.
Dynamic data masking helps prevent unauthorized access to sensitive
data by enabling customers to designate how much of the sensitive data
to reveal with minimal impact on the application layer. It’s a
policy-based security feature that hides the sensitive data in the
result set of a query over designated database fields, while the data
in the database is not changed.
For example, a service representative at a call center may identify
callers by several digits of their credit card number, but those data
items should not be fully exposed to the service representative. A
masking rule can be defined that masks all but the last four digits of
any credit card number in the result set of any query. As another
example, an appropriate data mask can be defined to protect personally
identifiable information (PII) data, so that a developer can query
production environments for troubleshooting purposes without violating
compliance regulations.
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started
This won't anonymise data irreversibly, in terms of it can be re-personalised by those who have the permissions in SQL server.
It will however allow you to do joins inside of SQL server but not expose the personal data back out.
I wanna write a WAF which detects attacks with signature-based method. for example, for SQL injection, I collect a blacklist contains words such "select", "drop" and etc. when an attacker inputs these strings to query field, then the attack is detected. Now, my question is how to separate these words from valid inputs that a regular user enters (such his username contains "select" word)? (Note that this is a WAF and I don't know what are the fields in the web app to check the best security and write a specific code for every field. I can just check common security and the rest must check by developers of the web app).
There is no use for WAF in regard of SQL injection. Because
There will be too much false positives that will be driving users mad. If such a silly approach were used on this site of Stack Overflow, you were just unable to post your question.
Like any other black-listing based approach it will be always incomplete and thus will not offer 100% protection
There are specific measures to prevent an SQL injection that offer 100% protection
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I'm pretty green still when it comes to web programming, I've spent most of my time on client applications. So I'm curious about the common exploits I should fear/test for in my site.
I'm posting the OWASP Top 2007 abbreviated list here so people don't have to look through to another link and in case the source goes down.
Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
Injection Flaws
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
Malicious File Execution
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.
Broken Authentication and Session Management
Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
Insecure Cryptographic Storage
Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
Failure to Restrict URL Access
Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
The Open Web Application Security Project
-Adam
OWASP keeps a list of the Top 10 web attacks to watch our for, in addition to a ton of other useful security information for web development.
These three are the most important:
Cross Site Request Forgery
Cross Site Scripting
SQL injection
Everyone's going to say "SQL Injection", because it's the scariest-sounding vulnerability and the easiest one to get your head around. Cross-Site Scripting (XSS) is going to come in second place, because it's also easy to understand. "Poor input validation" isn't a vulnerability, but rather an evaluation of a security best practice.
Let's try this from a different perspective. Here are features that, when implemented in a web application, are likely to mess you up:
Dynamic SQL (for instance, UI query builders). By now, you probably know that the only reliably safe way to use SQL in a web app is to use parameterized queries, where you explicitly bind each parameter in the query to a variable. The places where I see web apps most frequently break this rule is when the malicious input isn't an obvious parameter (like a name), but rather a query attribute. An obvious example are the iTunes-like "Smart Playlist" query builders you see on search sites, where things like where-clause operators are passed directly to the backend. Another great rock to turn over are table column sorts, where you'll see things like DESC exposed in HTTP parameters.
File upload. File upload messes people up because file pathnames look suspiciously like URL pathnames, and because web servers make it easy to implement the "download" part just by aiming URLs at directories on the filesystem. 7 out of 10 upload handlers we test allow attackers to access arbitrary files on the server, because the app developers assumed the same permissions were applied to the filesystem "open()" call as are applied to queries.
Password storage. If your application can mail me back my raw password when I lose it, you fail. There's a single safe reliable answer for password storage, which is bcrypt; if you're using PHP, you probably want PHPpass.
Random number generation. A classic attack on web apps: reset another user's password, and, because the app is using the system's "rand()" function, which is not crypto-strong, the password is predictable. This also applies anywhere you're doing cryptography. Which, by the way, you shouldn't be doing: if you're relying on crypto anywhere, you're very likely vulnerable.
Dynamic output. People put too much faith in input validation. Your chances of scrubbing user inputs of all possible metacharacters, especially in the real world, where metacharacters are necessary parts of user input, are low. A much better approach is to have a consistent regime of filtering database outputs and transforming them into HTML entities, like quot, gt, and lt. Rails will do this for you automatically.
Email. Plenty of applications implement some sort of outbound mail capability that enable an attacker to either create an anonymous account, or use no account at all, to send attacker-controlled email to arbitrary email addresses.
Beyond these features, the #1 mistake you are likely to make in your application is to expose a database row ID somewhere, so that user X can see data for user Y simply by changing a number from "5" to "6".
bool UserCredentialsOK(User user)
{
if (user.Name == "modesty")
return false;
else
// perform other checks
}
SQL INJECTION ATTACKS. They are easy to avoid but all too common.
NEVER EVER EVER EVER (did I mention "ever"?) trust user information passed to you from form elements. If your data is not vetted before being passed into other logical layers of your application, you might as well give the keys to your site to a stranger on the street.
You do not mention what platform you are on but if on ASP.NET get a start with good ol' Scott Guthrie and his article "Tip/Trick: Guard Against SQL Injection Attacks".
After that you need to consider what type of data you will permit users to submit into and eventually out of your database. If you permit HTML to be inserted and then later presented you are wide-open for Cross Site Scripting attacks (known as XSS).
Those are the two that come to mind for me, but our very own Jeff Atwood had a good article at Coding Horror with a review of the book "19 Deadly Sins of Software Security".
Most people here have mentioned SQL Injection and XSS, which is kind of correct, but don't be fooled - the most important things you need to worry about as a web developer is INPUT VALIDATION, which is where XSS and SQL Injection stem from.
For instance, if you have a form field that will only ever accept integers, make sure you're implementing something at both the client-side AND the server-side to sanitise the data.
Check and double check any input data especially if it's going to end up in an SQL query. I suggest building an escaper function and wrap it around anything going into a query. For instance:
$query = "SELECT field1, field2 FROM table1 WHERE field1 = '" . myescapefunc($userinput) . "'";
Likewise, if you're going to display any user-inputted information onto a webpage, make sure you've stripped any <script> tags or anything else that might result in Javascript execution (such as onLoad= onMouseOver= etc. attributes on tags).
This is also a short little presentation on security by one of wordpress's core developers.
Security in wordpress
it covers all of the basic security problems in web apps.
The most common are probably database injection attacks and cross-site scripting attacks; mainly because those are the easiest to accomplish (that's likely because those are the ones programmers are laziest about).
You can see even on this site that the most damaging things you'll be looking after involve code injection into your application, so XSS (Cross Site Scripting) and SQL injection (#Patrick's suggestions) are your biggest concerns.
Basically you're going to want to make sure that if your application allows for a user to inject any code whatsoever, it's regulated and tested to be sure that only things you're sure you want to allow (an html link, image, etc) are passed, and nothing else is executed.
SQL Injection. Cross Site Scripting.
Using stored procedures and/or parameterized queries will go a long way in protecting you from sql injection. Also do NOT have your web app access the database as sa or dbo - set a up a standard user account and set the permissions.
AS for XSS (cross site scripting) ASP.NET has some built in protections. The best thing is to filter input using validation controls and Regex.
I'm no expert, but from what I learned so far the golden rule is not to trust any user data (GET, POST, COOKIE). Common attack types and how to save yourself:
SQL Injection Attack: Use prepared queries
Cross Site Scripting: Send no user data to browser without filtering/escaping first. This also includes user data stored in database, which originally came from users.