softlogger Latest Articles ::Web-Security

Finding Data in Client Certificates

Nicholas Allens Indigo Blog — 2008-01-29T00:00:00

Can I pass additional user data, such as identity information, in a message secured with a client certificate?

This question looks like an earlier one about Windows credentials but has some subtle differences that make it come out with a different answer. The two key differences are:

We're talking about securing messages rather than transport connections. Message security headers provide a means of tunneling additional information about the caller.

We're talking about passing identity information together with a certificate rather than with Windows credentials. Independent of the particular security protocol, the certificate infrastructure is a way to sign and encrypt data streams so that additional client information can be safely included.

With either approach, client information can be included as supporting tokens on the message (typically as either incoming supporting tokens with the message or with the transport token). The supporting tokens sample gives a rundown of supporting tokens for message security.

Next time: Differences in Guid Serialization

Custom Password Validation for HTTP

Nicholas Allens Indigo Blog — 2008-01-14T00:00:00

Phil Henning has written about creating a custom username/password validator for HTTP, which is another new feature in Orcas. Like getting access to client IP addresses, creating a custom password validator is a feature added as a result of direct customer feedback. In fact, the two features were added during the same week and were among the last features we did in Orcas for messaging. Before Orcas you could only create a custom password validator if you were using message security.

Accessing the Query String

Nicholas Allens Indigo Blog — 2008-01-04T00:00:00

How do I get access to the query string of an HTTP request when processing a message?

The query string isn't one of the properties available on the new WebOperationContext but you can still get access to it through the HTTP request message property.

MessageProperties properties = OperationContext.Current.IncomingMessageProperties;
HttpRequestMessageProperty requestProperty = (HttpRequestMessageProperty)properties[HttpRequestMessageProperty.Name];
string queryString = requestProperty.QueryString;

Next time: Taking Action on Client Close

Hack Google (Maps) URLs for Quick Searching [URL Hacking]

Lifehacker — 2007-12-22T00:00:00

Frequently using Google Maps for directions? Reader Pham writes in with a simple but interesting way to save time when looking up directions.

Basically, the multi-step process of going to Google [Maps], typing in an address, clicking submit, etc., can be avoided by just putting all your info directly into the URL. For example typing this works:
http://maps.google.com/maps?q=1683 Mass Ave, Cambridge, MA

This simple observation can be coupled with Texter to speed up your searching. This kind of URL hacking isn't specific to Google Maps. You can also roll your own AutoHotkey applications to search Google, Google Maps, or any other site that allows robust URL searching. Hit the jump for the AHK code syntax.

To search Google Maps using an AutoHotkey application (start the application with ALT + 1), use the following code:

!1:: InputBox, OutputVar , Enter your location:, if ErrorLevel MsgBox, CANCEL was pressed. else Run http://maps.google.com/maps?q=%OutputVar%

To search standard Google (start the application with ALT + 2), use the following code:

!2:: InputBox, OutputVar , Enter your search criteria:, if ErrorLevel MsgBox, CANCEL was pressed. else Run http://www.google.com/search?q=%OutputVar%

iPhone serial access tutorial

Hack a Day — 2007-12-11T00:00:00

Filed under: cellphones hacks

[TheRain] sent in his tutorial on using the iPhone's serial port. Apparently there's a hardware trick required to enable two way communication. Whatever device is attached to the iPhone needs a secret handshake to get things talking both ways. Once the serial ground has been strobed high to low in the proper order, things will work like normal.

Read | Permalink | Email this | Linking Blogs | Comments

Silent Security Failures

Nicholas Allens Indigo Blog — 2007-12-06T00:00:00

I'm using reliable messaging and getting an exception that the reliable session has faulted. It's the first exception that I see so I don't know why the session faulted. How do I know what went wrong? Here's the full error message:

The underlying secure session has faulted before the reliable session fully completed. The reliable session was faulted.

The reliable messaging channel threw an exception because the reliable session was broken. The reliable session was broken because the security session was broken. In this case, you know that the security session was broken without seeing any other exceptions being thrown. That means the security channel must have faulted without encountering an exceptional event, which triggered all of the other visible results.

The easiest way to debug a situation like this is to start removing extraneous pieces. Try removing the reliable messaging channel and see if that allows whatever went wrong with the security session to bubble up. If things immediately fail at startup, then try removing both the reliable messaging and security channels. There may be something basic about your configuration that's incorrect and removing protocol layers will help you find that faster.

Next time: Localhost Common Name

Security Software Moves to Consoles - Web Filtering for PS3

Darknet - The Darkside — 2007-11-29T00:00:00

Ah it seems some companies are having the same idea as me, consoles might well be the next infection vector for zombie style botnets, they have good processing power, the current generation has ample hard-drive space and they are network connected. The difference with consoles is they tend to be turned off when not in use [...]

Read the full post at darknet.org.uk

[Security] Microsoft unveils Code Protection suite of tools

ISerializable - Roy Osheroves Blog — 2007-11-16T00:00:00

about a year ago Microsoft bought a small Israeli Company called Secured Dimensions. They had an interesting solution to the problem of protecting your .NET code. Basically they would help you choose which parts of the code you'd like to protect and then run those parts of hte code in a special virtual machine encrypted environment (in memory).

Recently Microsoft released a set of products that seems to be based on SD's technology, and that's a good thing. There aren't many good solutions to protect .NET code. SD's solution is closer to protecting real IP as it gets as far as I can see.

[via vitaly] - (BTW, Vitaly- you have a configuration bug in your blog. just try accessing a specific post by url and you get a nasty error)

VMware Web Management and IIS7 on Windows Server 2008

AngryPets Blog — 2007-11-06T00:00:00

As I pointed out in a previous post, I wasn't able to find any love on teh intarwebs about how to get the VMware Web Management Interface to work on Windows Longhorn Server/IIS7.

Then I remembered: One of the cool things about IIS7 on Windows Server 2008 is that it provides you with the ability to 'emulate' IIS6's metabase and scripting interfaces.

So, I just made sure to install those components using the

Having installed VMware Server already on Win2k8, I knew that it crashed and burned (unsurprisingly) while trying to create the web site that would be used to allow HTTP management (over ports 8222 and 8333) of VMs and such.

So I added the IIS 6 Management compatability components:

And then proceeded with the install normally.

And, that did it. By giving VMware Server a suitable set of scripting interfaces to manage IIS and create a new site, everything worked flawlessly. (Of course, I had to go into the firewall and open up traffic on 8222, and 8333 for HTTP and HTTPs (as well as for port 902 for authorization/normal VMware traffic).)

Running VMware Server on Windows Server 2008 RC0 - x64
Sadly, I couldn't get VMware server to run on the x64 version of RC0.

During the x32 installation, I got a prompt telling me that some unsigned drivers were detected - should I let them through? I let them on.

With the installation on x64 Windows Server 2008, there was no such warning/prompt. And I simply couldn't log into VMware's Web Interface or via the normal console - as I kept being told that the server "actively refused" the connection. Checking out all of the VMware services on my box, I could see that the Auth Service wasn't running. Starting it just resulted in errors. Happily in the Security Log I could see audit failures at roughly the same time:

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

That's a spiffy error, and it also listed the file in question: vmx86.sys - the same file/component that the VMware Authentication service depended upon.

I tried supressing those warnings/issues by using bcdedit /SET nointegritychecks ON, but there was no love (even after a reboot).

So.. that's when I decided to bail and just switch to Windows Server 2008 Enterprise (to take advantage of my 8GB of RAM). Maybe by the time Longhorn RTMs there will be a good work-around, or someone else will figure out how to pull it off, but I wasted about 2 hours on it and decided that enough was enough...

Ideal Log Management Tool?

OReilly Sysadmin — 2007-11-05T00:00:00

The idea came from Jeremiah Grossman (here) when he described “The Best Web Application Vulnerability Scanner in the World” thus: “Within a few moments of pressing the scan button it’ll find every vulnerability, with zero false positives, generate a pretty looking report, and voila you’re compliant with GLBA, HIPAA, and PCI-DSS. Of course, we all know such a web application scanner is simply not possible to create for a variety of reasons.”

So, let’s imagine the idea log management application.

Logging configuration: the ideal log app will go and find all possible log sources (systems, devices, applications, etc) and then enable the right kind of logging on them according to a high level policy given to it (required: God-like powers)
Log collection: it will collect all the above logs securely (and without using any risky super-user access ) and with little to no impact to networks and systems (required: God-like powers)
Log storage: it can security store the above logs in the original format for as long as needed and in a manner allowing quick access to them - in both raw and summarized/enriched form (required: plenty of hardware)
Log analysis: this ideal application will be able to look at all kinds of logs, known to it and previously unseen, from standard and custom log sources, and tell the user what they need to know about their environment and based on their needs: what is broken? what is hacked? where? what is in violation of regulations/policies? what will break soon? who is doing this stuff? The analysis will power all of the following: automated actions, real-time notifications, long-term historical analysis as well as compliance relevance analysis (required: AI)
Information presentation: this tool will distill the above data, information and conclusions generated by the analytic components and present then in a manner consistent with the user’s role: from operator to analyst to engineer to executive. Interactive visual and drillable text-based data presentation across all log sources. The users can also customize the data presentation based on their wishes and job needs, as well as information perception styles (required: nothing more than a bunch of daring UI designers)
Automation: the ideal log management tool will be able to take limited automated actions to resolve discovered and confirmed issues as well as generate guidance to users so that they know what actions to take, when full-auto mode is not appropriate. The responses will range from full-auto actions to assisted actions (’click here to fix it’) to issuing detailed remediation guidance. The output will include a TODO-list of discovered items complete with actions suggested, ordered by priority (required: AI + some luck + some user stupidity :-))
Compliance: this tool can also be used directly by auditors to validate or prove compliance with relevant regulations by using regulation-specific content and all the collected data. The tool will also point at gaps in data collection as it applies to specific regulations that the user is interested in complying (required: God-like powers)

In other words, this magic black box will have crap shoveled from one side and will have answers to questions about the meaning of Life :-) coming out the other side…

What? :-) Am I nuts? Well, can I dream for a second? :-)

Technorati tags: logs, log management, logging, future, vision

SOA in the Unification Model

Inside Architecture — 2007-10-27T00:00:00

This is third in a series on the impact of the business operating model on Service Oriented Architecture. (see overview)

What can you get from this series?

My prior post raised a bit of ire with one of my readers, a fellow whom I respect. He felt that my posts were not telling a positive story about SOA.

I believe that SOA is a highly valuable paradigm for enterprise integration. I also believe that the ability to apply SOA to a problem is not uniform. Some problems can be solved with SOA. Others cannot. There is no magic bullet.

I am hopeful that this series helps folks to

identify which situations they are in,
understand the challenges they will face when applying SOA to their situation, and
improve their odds of successfully providing value to their business.

I am not attempting to sell SOA to anyone. I make no money from "Selling SOA." I have no personal or professional stake in the success of the SOA paradigm. That said, I believe strongly that SOA has a value, and if we do a good job of avoiding mistakes, we can demonstrate that value to our respective businesses.

The Unification Operating Model

"When organizational units are tightly integrated around a standardized set of processes, companies benefit from a Unification model. Companies applying this model find little benefit in business unit autonomy. They maximize efficiencies and customer services by presenting integrated data and driving variability out of business processes." (Enterprise Architecture As Strategy, by Ross, Weill, and Robertson)

I illustrate this model as follows. (I described how to read these images in a prior post).

Companies that use a Unification model work very hard to wring out every drop of waste from often-complex processes. Some attributes:

Highly centralized management environment
Company grows through leveraging economies of scale
Process standardization seen as a key element of corporate success
Frequently found in commodity businesses

One example that Ross uses is the core chemicals manufacturing business of Dow Chemical.

IT in the Unification Operating model

As I said before, the operating model is the single largest driver of decisions in your SOA. The impact of the model starts with the business, extends through business funding of IT, and into the architecture, design, and complexity of the IT ecosystem. In a company based on the unification model, the following situations are typical:

Shared enterprise systems - Large IT systems are often used to reinforce the centralized nature of these companies. It is not uncommon to see an ERP system managing a wide array of core functions, including HR, manufacturing, customer relationship management, and financial management. It is also common to see a best-of-breed approach, where large systems from different vendors are implemented to support each function separately. Integration is key to success. However, the data models for the information typically is defined by these applications themselves.
Process owners - In order to get process consistency among the various operating units, a single person is identified to own each key process and they, along with their team, is responsible for insuring that the process is efficient, cost-effective, and productive.
Central IT decision making - Decisions in the IT organization are central. Systems are purchased, and deployed, with the goal of improving the cost effectiveness and efficiency of the company's core business processes. These companies tend to have very tight IT budgets, as IT is frequently not seen as a core contributor to process innovation. Data masters are often centrally mandated.

Note that, in the unification model, variation between business units is kept to a minimum. It is common to see the CIO report to the Finance Director or Chief Financial Officer.

SOA and BPM in the Unification Model

The Unification Model is interesting because (a) SOA is expensive and may take years to reap full benefits, and (b) this IT environment is very cost conscious. That said, the environment is already familiar with purchasing large software systems and taking a long period of time to implement them. If you work in an environment like this one, and there is no SOA in place, you may make some traction by framing SOA as a single software package. (Not as large as ERP, but larger than a shipping management system, for example.) On the other hand, you could also get traction by tying SOA to a large system upgrade (see below).

The common data model

Once again, the key to implementing Enterprise SOA is the common data model. While the cost of creating a common data model is far less in this model, the benefit may be difficult to explain. That is because the data model is driven by the central systems that produce or consume the data. The urgency for creating a common data model may not be high.

In this model, SOA provides two benefits. Both require the common data model:

1) Protection from Vendor Lock-in: If the company has taken a "best of breed" approach to technology acquisition, then they have likely purchased different systems from different vendors for key business functions. Integrating these systems is expensive, and there are scars to prove it. This creates a "high barrier to entry and high barrier to exit" for these companies. It costs a lot to put in a system, but even more to leave. SOA can help lower those barriers by creating an abstract layer that processes abstract transactions in a standardized way.

This allows a company to purchase a new Financial system (Microsoft Dynamics AX, for example), and instead of integrating each of the other systems to it, the IT department would simply write adapters to connect the new system to the abstract services layer. Other systems can now directly consume the new system without substantial modification (in theory, anyway. Nothing is perfect.)

2) Process Composition across systems: It can be difficult to track a single transaction, through a complex process, across many systems. The customer doesn't care. You can directly impact customer satisfaction if it is difficult to figure out which system has the information that your customer needs to know, or to make it difficult to retrieve that information readily.

So, if customer satisfaction is important, process composition across many systems is a key capability of your IT infrastructure. To solve for this problem, you need four things: SOA as an integration mechanism, a common information model as a unifier, an enterprise identifier scheme to allow the transaction to be traced from start to finish, and tools to inspect each system for the information related to a unique transaction (using SOA, of course).

Funding SOA

If you get your information model in place, you could implement SOA as a combination of a package install and software adapters that is tied to a larger project, like an ERP replacement. On the other hand, with this operating model, it is possible to build a bottom-up SOA, where the services are produced as part of IT projects without architectural coordination, primarily in areas where the information model is well-understood.

Direct Impacts of the Unification Model on SOA Operations

The following effects would be typical for SOA+BPM in a Coordination model:

Centralized Process Management - Process owners manage a subset of the processes. Processes are often coordinated. Using the same BPM tool and repository is a best-practice, and one that will make immediate sense to the business. The tool must be able to support a wide array of BPM needs, and must leverage standards.

Centralized Governance Model - SOA Governance tools are quite useful in this model, and they should be used. (SOA Software and Amberpoint are two Microsoft partners that I would suggest, for readers interested in this space.)

SOA Service Adoption - Due to centralized decision-making, the decision to consume a service can be tied to project funding. This bit of overhead should pay for itself quite easily, since you would end up with a greater amount of service reuse, and therefore, less code to maintain in the long run. Some organizations have even gone all out, and implemented a set of core SOA services as a single project, then turning to governance to require all new projects to adopt them. (Top-down SOA).

Cross-system process concerns - Getting SOA benefits out of processes that look to a single enterprise system is a fairly quick win. I like quick-wins. You can build credibility for SOA by rolling out a few of these "low-hanging fruit" projects. However, to get real enterprise benefit out of SOA, you need to be able to compose a process across many systems. This can be easy, or this can be hard.

To make it simple, repeatable, and adaptable, you need to create your common information model. That model must contain not only information entities, but also a notion of what business documents you will communicate with, and what events occur on each document.

SOA Readiness - While a central group may decide to implement SOA, each of the IT teams that surround the major systems will have different levels of understanding of the concept of event-driven services. You will need to build a common understanding, and common standards, to make sure that these different groups, using different technologies, can reduce the friction that could occur when a process consumes many different services.

Centralized Service Catalog - You are likely to end up with a single catalog, but it may be a good idea to consider splitting the catalog into layers, with the upper layer of services oriented towards the business process areas that the organization cares about, and the lower layer of services to makes the information available. Services in the upper layer consume services in the lower one. By separating services in this manner, you can simplify the SOA composition process.

Conclusion

The Service Oriented Architecture for the unification operating model should take a cost-focused approach to delivering business value, orienting the services towards both process and information.

Best Practice: Always open WCF client proxy explicitly when it is shared

Wenlong Dongs Blog — 2007-10-26T00:00:00

In order to provide symmetric programming model for the client-side as for the server-side, WCF leverages .NET Remoting transparent proxy technique so that the service contract interface can be used seamlessly as on the server-side. The svcutil.exe tool can generate WCF client proxy code for you. If you take a closer look at the generated code, you will find out that the proxy class is a subclass of ClientBase<T>. By using ChannelFactory<T>, you can create your proxy (or called channel) directly without going through ClientBase<T>.

Creating a WCF proxy is quite a heavy-weighted operation. So sometimes, you would want to create a single proxy and let multiple threads to use it. This works quite well if you don’t want the proxy to keep specific context (such as security credential) on each call.

The best practice in this case is that: you should always open WCF client proxy explicitly before you are making any calls. Here is the sample code if you use auto-generated proxy from svcutil.exe:

MyHelloServiceClient proxy = new MyHelloServiceClient();

proxy.Open();

// Make a call with the proxy

proxy.Hello("Hello world!");

Here is the sample code if you use ChannelFactory<T> to create a proxy:

ISimpleContract proxy = factory.CreateChannel();

((IClientChannel)proxy).Open();

// Make a call with the proxy

proxy.Hello("Hello world!");

If you don’t call the “Open” method first, the proxy would be opened internally when the first call is made on the proxy. This is called auto-open.

Why? When the first message is sent through the auto-opened proxy, it will cause the proxy to be opened automatically. You can use .NET Reflector to open the method System.ServiceModel.Channels.ServiceChannel.Call and see the following code:

if (!this.explicitlyOpened)

{

this.EnsureDisplayUI();

this.EnsureOpened(rpc.TimeoutHelper.RemainingTime());

}

When you drill down into EnsureOpened, you will see that it calls CallOnceManager.CallOnce. For non-first calls, you would hit SyncWait.Wait which waits for the first request to complete. This mechanism is to ensure that all requests wait for the proxy to be opened and it also ensures the correct execution order. Thus all requests are serialized into a single execution sequence until all requests are drained out from the queue. This is not a desired behavior in most cases.

To avoid such “serializing” artifact, the best practice is to open the proxy explicitly as above. Once you get to this point, you will be able to share the same proxy object among multiple threads.

XSSDETECT: Analyzing Large Applications

ACE Team - Security, Performance & Privacy — 2007-10-24T00:00:00

XSSDetect is a static binary analysis tool. In the first step of analysis it reads target binaries to create a directed graph where nodes represent statements while the edges represent flow of data. This graph can get huge for large applications and users can sometimes run into the “out of memory exception.” Read this blog if you are experiencing this issue and would like to resolve it.

First of all, having lots of RAM and swap space does not help in this particular scenario. In a 32 bit Windows operating system, a process can address only 4GB of memory address space, 2GB of which is used by the kernel. In practice, a process will throw an out of memory exception after having used a little over 1GB because it fails to allocate anymore contiguous memory. In the case of XSSDetect, we found two successful ways of overcoming this limitation.

One solution is to analyze the large application on a 64bit Windows OS. A version of XSSDetect especially compiled for this platform is also required. The XSSDetect Beta 1.0 that is available on the Internet, however, does not currently support 64bit processing. Please look for support for analyzing large applications to become available very soon.

The other solution is to choose the target analysis binaries intelligently. When you open a solution, XSSDetect adds all managed binaries built by the solution to the targets list by default. However, a user can choose to run analysis on only one or few projects at a time. In order to remove some of the binaries from this list, hit the ‘Target Assemblies’ button in the XSSDetect toolbar and then click Add/Remove button to go to Advanced Targets Settings.

In the Advanced targets Settings dialog box, a user can select each target and click ‘Read’ assembly to view the approximate memory required for analysis and also view its dependencies. Using this information a user can decide which projects to analyze in one go. It is important to realize that if data flows from one project assembly to another and the two assemblies are not analyzed together then vulnerabilities can get missed. Therefore, while it is not necessary to add .NET framework dependencies like mscorelib.dll to the target assemblies list, a user should attempt to select solution projects that reference each other and then keep repeating the process until all binaries have been analyzed.

64Bit machines are still not very common in Microsoft which is why the last work around is used extensively by all our application teams. However, if the target assemblies are chosen carefully the results can be as accurate as running the analysis on the entire solution together. XSSDetect's UI is especially designed to make this step easier.

Please keep using this tool and giving us feedback.

Create Custom RoleProvider for ASP.NET Role Permissions and Security

David Hayden - Florida .NET Developer - C# and SQL Server — 2007-10-17T00:00:00

Just as with a Custom MembershipProvider, one can create a Custom RoleProvider in ASP.NET to handle role-based permissions and security. In this 5 minute tutorial I am going to create a custom roleprovider, called SimpleRoleProvider, that only allows users in the "Admin" role to view a page. Read more...

Re-enable request validation in ASP.NET

.NET slave — 2007-10-14T00:00:00

Request validation is enabled by default in ASP.NET and it basically stops people from submitting a form with HTML in any of the input fields. It’s a little more sophisticated than that, but basically it just looks for HTML tags and if it finds any, it throws an exception and the form is prevented from being posted.

However, you often want people to be able to write HTML tags in your forms. That’s why most people turn it off either globally in web.config or on the individual pages hosting a form and then just HTML encodes the values. I’ve done it reluctantly myself many times, but there is a smarter way to allow HTML input without turning request validation off.

What if we could just HTML encode all input fields just before the form is submitted? That way we could benefit from request validation and the security it offers out of the box. By having request validation enabled, you also make it impossible for spambots to post links in your form.

The easiest way of doing this is to create a custom server control that inherits from System.Web.UI.WebControls.TextBox and add a little JavaScript magic. I’ve written a SafeTextBox class that HTML encodes its value client-side and then HTML decodes the value again server-side. That way it can be treated just like a normal TextBox.

public class SafeTextBox : System.Web.UI.WebControls.TextBox
{
protected override void OnLoad(System.EventArgs e)
{
  base.OnLoad(e);
  if (!Page.ClientScript.IsClientScriptBlockRegistered(Page.GetType(), "TextBoxEncode"))
  {
   System.Text.StringBuilder sb = new System.Text.StringBuilder();
   sb.Append("function TextBoxEncode(id)");
   sb.Append("{");
   sb.Append("var tb = document.getElementById(id);");
   sb.Append("tb.value = tb.value.replace(new RegExp('<', 'g'), '<');");
   sb.Append("tb.value = tb.value.replace(new RegExp('>', 'g'), '>');");
   sb.Append("}");
   Page.ClientScript.RegisterClientScriptBlock(Page.GetType(), "TextBoxEncode", sb.ToString(), true);
  }

  // Adds the function call after the form validation is called.
  if (!Page.IsPostBack)
   Page.Form.Attributes["onsubmit"] += "TextBoxEncode('" + ClientID + "');";
}

public override string Text
{
  get { return base.Text; }
  set
  {
   if (!string.IsNullOrEmpty(value))
    base.Text = value.Replace("<", "<").Replace(">", ">");
   else
    base.Text = value;
  }
}
}

The way the SafeTextBox HTML encodes/decodes is not very sophisticated but it works. You can add your own logic to the encoding/decoding if you feel the need.

To roll this out on your own website, just dump the SafeTextBox class in the App_Code folder and hook it up using tag mapping.