Thursday, August 31, 2006

Canonicalization Attacks

What are canonicalisation attacks?
Unauthorised access of file and directories on the web server machine by tampering file/directory paths that a web site normally allows users to enter as part of its functionality. The attack is typically carried out by entering the path of the file in input field on a web page or by supplying it as part of the URL.

What are the consequences?

Loss of confidentiality, integrity and a denial of service results if files are deleted.

What files can the attacker access?
Any file or folder on the disk(s) of the web server m/c.

Defending applications against canonicalisation attacks
- Administrative Controls
a) Ensure that the web server hosts on a secure file system like NTFS.

b) Set ACL (access control lists) on files and folders. This can be done by setting appropriate permissions in the [Security] tab in the [Properties] tabpage of files and folders. Ensure that only administrators can access sensitive files and folders.

c) Do not keep sensitive files, source code or any such material on the web server machine.

d) Turn-off MS-DOS file name (8.3) convention on the machine by adding the following setting to the HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \FileSystem registry key: NtfsDisable8dot3NameCreation : REG_DWORD : 1.
Note that this option does not remove previously generated 8.3 filenames.

- Programming Controls
a) White-list directories that you would like to have your application access rather than black-list them.
string InputFilePath = GetPathFromUser();
if ( InputFilePath = = "Secret Directory")
Output ("Access Denied")

string InputFilePath = GetPathFromUser();
if ( InputFilePath startsWith "Application-accessible Directory")
allow Further operations...
Output ("Access Denied")

b) If ACLs have been set (Point b in Administrative Controls, above) then turn on Integrated Windows Authentication (in IIS) and impersonate using the WindowsIdentity class in your .NET code.

c) Filter the user input path by subjecting it to MapPath in .NET. MapPath( ), according to MSDN, maps the virtual path in the requested URL to a physical path on the server . To prevent the path from mapping to a path in another application on the same server, set MapPath's third parameter to false.

d) Use regular expressions to control the file\folders that can be accessed. This can be implemented in a) above.

e) Reduce UTF-8 to its canonical form. UTF-8 text can be represented in multiple forms - guard against this.

1 comment:

Deepshikha said...

I think forced browsing is also a kind of a Canonical Attack, if not the same.To add, there are quite a few softwares which work on trying to break into the system and access resources which they otherwise should not. Quite a few softwares of this kind work on the very common Brute Force methodology. For ex. Nikto 1.35 is one such kind.