Securing Your Asp.Net Application Using Microsoft CAT.NET

Monday Apr 9th 2012 by V.N.S Arun
Share:

CAT.NET is a Microsoft tool to identify potential security loop holes in an asp.net framework application. In this article I will be explaining about the some important security issues that CAT.NET reports and the effective ways to resolve them.

As more and more people have started using the online services over the internet to fulfill their needs on a day-to-day basis (paying utility bills, e-shopping, net banking, etc.), there is another community consistently working to hack the websites for personal gains as well as for fun. So for the developers it is mandatory that they not only develop a good performing application but also a secure one.

An application is meant to be a good one when it has a good code, good performance and is secure. If the application has good code and performs well but if it has some security loop holes then it is definitely not a good candidate and will lose the end users trust. Such insecure applications will harm the company owning the website as well as the end user who is using it.

A list of security issues for web application security is listed by the Open Web Application Security Project (OWASP).

Microsoft CAT.NET

In order to help the Asp.Net developers to build highly secure applications, Microsoft has introduced a tool called the Code Analysis Tool for .Net (CAT.NET). This tool analyses the Asp.Net code and reports potential security issues that the code exposes. The good thing is that like FxCop it also points out the code that is causing the issues. CAT.NET V1 can be downloaded from here. Below is a list of issues that the tool is designed to catch.

1. Cross Site Scripting (XSS)
2. SQL Injection
3. Redirection to user controlled site
4. File Canonicalization
5. Information Disclosure through exception
6. Process command execution
7. XPATH injection
8. LDAP injection

Once you install the tool it can be run from Visual Studio directly or through the command line. To run it from Visual Studio, go to Tools --> run CAT.NET Code Analysis. If you want to run CAT.NET from the command line then you can use the command in command prompt as mentioned below.

CATNetCmd.exe /file:"Path of the assembly"

There are a few more command line parameters that are optional and I will leave it for you to explore. Execution through command line also generates a report as an HTML file. I will explain a few of the above mentioned security issues that CAT.NET reports in the following sections.

Cross Site Scripting (XSS)

This is the most common security vulnerability that is exposed by most of the web applications. XSS is a type of vulnerability where some executable client script is injected through an unknown resource like a query string parameter. For example in the code below, on page load the query string value is fetched and the same is written onto the web page. If the hacker passes the query string value as “<script>alert(‘XSS!’);</script>" then the script would execute on the page.

protected void Page_Load(object sender, EventArgs e)
{
        //Fetch the unvalidated input
        string text = Request.QueryString["text"];
        //Write it on the webpage
        Response.Write(text);
}

In order to resolve this issue CAT.NET recommends using AntiXSS library, which exposes more powerful encoding mechanisms than that of the inbuilt Server.UrlEncode or Server.HtmlEncode. Once the injected script is encoded it becomes an inactive script. Below is the code using AntiXSS library.

    protected void Page_Load(object sender, EventArgs e)
    {
        //Fetch the unvalidated input and encode it using AntiXss library
        string text = AntiXss.UrlEncode(Request.QueryString["text"]);
        //Write it on the webpage
        Response.Write(text);
    }

SQL Injection

SQL injection may occur when the value is fetched from a non-trusted resource like a query string parameter and the same is used to build an in-line SQL command. If the hacker sends in a SQL command in place of the value, then when the manipulated in-line SQL query is sent to the database for execution it will be treated as a separate command and will end up executing some malicious commands.

To resolve this CAT.NET recommends passing the value to the database encapsulating it in a SQLParameter object. This will ensure that the passed in value will never be treated as a SQL command by the SQL engine.

Redirection to User Controlled Sites

CAT.NET also warns the developers when the redirection is made to URLs from non-trusted resources. Consider the scenario where the user can manipulate the URL to which the web application should redirect to. This security loop hole will lead you to post a request to the user controlled website along with some important form values that the hacker is seeking. For example if the URL value is fetched from a query string or a text box value as shown in the code below.

    protected void Page_Load(object sender, EventArgs e)
    {
        //Fetch the URL from a non-trusted resource
        string url = Request.QueryString["url"];
        //Perform redirection to the user controlled site say www.websiteofthehacker.com
        Response.Redirect(url);
    }

To resolve this issue CAT.NET recommends the developers not to expose the hooks where the user can specify a redirection URL. The redirection URL should be picked up from our own web application as shown below.

    protected void Page_Load(object sender, EventArgs e)
    {
        string url = "www.trustedwebsite.com";
        Response.Redirect(url);
    }

Information Disclosure Through Exception

Each and every web application would have its own exception handling mechanism. Some developers would end up writing code to disclose the error message along with crucial information like the stack trace, PII data, etc., onto the generic error page. Below is an example of such an issue reported by CAT.NET.

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            int i = 0;
            int j = 100;
            int remainder = i / j;
        }
        catch (Exception exception)
        {
            //Exposing the information to the user
            Response.Write(exception.Message);
        }
    }

CAT.NET recommends not to expose any specific information to the user. Change the code as shown below to fix the issue.

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            int i = 0;
            int j = 100;
            int remainder = i / j;
        }
        catch (Exception exception)
        {
            Response.Write("An exception has occured");
        }
    }

I will leave the rest for the users to explore. I hope this article was informative and helps you in building secure applications.

Happy Reading!

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved