ASP.NET Vulnerability testing with CAT.NET

CAT.NET is an add-on for Visual Studio that analyzes Web Application projects (sorry, Web Site projects are not supported) for common security flaws.

So let's start a fresh site and look for some potential security risks with CAT.NET. Everyone knows that when we echo the input from a TextBox into a Label we are vulnerable to attacks, but what about dropdowns? Let's make a page with a DropDown with several values, a Label and a Button. In the Button_Click event we copy DropDownList1.SelectedItem.Value to Label1.Text.

Now start CAT.NET (from Visual Studio, Tools), and run an analysis on this project:

We have 1 cross-site scripting (XSS) error, because even though the user can only select a value from the dropdown and submit it, an evil user can open up his favorite hacking tool (e.g. Fiddler) and modify the data that's being submitted. Lucky for us, ASP.NET will stop most of these attacks by filtering on HTML tags and Unicode attacks, but it is always good practice to encode all output. Encode using the Anti-XSS library, because it does a better job than the regular HttpUtility.HtmlEncode().

However, what if the data is used in, for example, an LDAP query? Take a look at this LDAP example. CAT.NET will catch this and mark it as an LDAP injection attack, because in an LDAP attack the attacker can use normal symbols like "( * ) cn=", which are allowed by the ASP.NET ValidateRequest mechanism.
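
The LDAP case described above, as an added example that is not from the original post: a posted dropdown value concatenated into a search filter, beside the same filter with the value escaped per RFC 4515. The class, method and attribute names and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Text;

// Added example: hypothetical helper names, not part of CAT.NET or ASP.NET.
static class LdapFilterDemo
{
    // Escape a value for use inside an LDAP search filter (RFC 4515):
    // the special characters \ * ( ) and NUL become \XX hex escapes.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // The flagged pattern: the posted value is concatenated into the filter.
    static string BuildFilterUnsafe(string department)
    {
        return "(&(objectClass=user)(department=" + department + "))";
    }

    // Same filter, with the value escaped before it reaches the LDAP sink.
    static string BuildFilterSafe(string department)
    {
        return "(&(objectClass=user)(department=" + EscapeFilterValue(department) + "))";
    }

    static void Main()
    {
        // Constructed inputs: a legitimate dropdown value and one edited in transit.
        // Neither contains HTML markup, only ordinary symbols.
        string[] posted = { "Sales", "*)(cn=*" };
        foreach (string value in posted)
        {
            Console.WriteLine("posted : " + value);
            Console.WriteLine("unsafe : " + BuildFilterUnsafe(value));
            Console.WriteLine("safe   : " + BuildFilterSafe(value));
        }
    }
}
```

In the unsafe output the second value changes the structure of the filter; in the safe output it stays a literal string compared against the department attribute.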

We can control which checks occur. CAT.NET supports the following checks:

  • Process Command Execution
  • File Canonicalization
  • Exception information
  • LDAP injection
  • XPATH injection
  • SQL injection
  • Redirection to user controlled site
  • Cross site scripting

CAT.NET tries to detect as much as possible, but it will not, for example, detect bad data coming from databases.

Get the V1 CTP 32-bit version here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
and for the 64-bit version look here: http://www.microsoft.com/downloads/details.aspx?FamilyId=e0052bba-2d50-4214-b65b-37e5ef44f146&displaylang=en

Stay tuned for a new release from Microsoft, the Web Protection Library. This library is intended to protect EXISTING applications, and will filter incoming and outgoing requests to prevent attacks!