CAT.NET is an add-on for Visual Studio that analyzes Web Application projects (sorry, Web Site projects are not supported) for common security flaws.
So let's start a fresh site and look for some potential security risks with CAT.NET. Everyone knows that when we echo the input from a TextBox into a Label we are vulnerable to cross-site scripting, but what about dropdowns? Let's make a page with a DropDownList with several values, a Label and a Button. In the Button_Click event we copy DropDownList1.SelectedItem.Value to Label1.Text.
Now start CAT.NET (from Visual Studio, Tools), and run an analysis on this project:
CAT.NET reports one cross-site scripting (XSS) finding. Even though the user can only pick a value from the dropdown in the browser, an attacker can open his favorite hacking tool (e.g. Fiddler) and rewrite the value in the POST body before it reaches the server. Lucky for us, ASP.NET request validation will stop most of these attacks by rejecting requests that contain HTML tags or suspicious Unicode sequences, but that is a blacklist safety net, not a fix: it is always good practice to encode all output. Encode using the Anti-XSS library, which encodes by whitelist and therefore does a better job than the regular HttpUtility.HtmlEncode().
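The handler described above, as an added example rather than code from the original post: the vulnerable Button_Click next to an encoded version. It assumes the designer-default control names (DropDownList1, Label1, Button1) and a project reference to the Anti-XSS library; AntiXss.HtmlEncode is the Anti-XSS 3.x entry point (later versions renamed the class to Encoder).

```csharp
// Added example, not from the original post. Control names are the
// Visual Studio designer defaults assumed in the text.
using System;
using System.Web.UI;
using Microsoft.Security.Application; // Anti-XSS library, assumed referenced

public partial class DropDownDemo : Page
{
    // Vulnerable form: CAT.NET flags the flow from the posted value to
    // Label1.Text. The posted value is exactly what an attacker can rewrite
    // in a proxy such as Fiddler, so the sink receives attacker-controlled text.
    protected void Button1_Click(object sender, EventArgs e)
    {
        Label1.Text = DropDownList1.SelectedItem.Value;
    }

    // Hardened form: HTML-encode at the output sink. AntiXss.HtmlEncode lets
    // only known-safe characters through unencoded, whereas
    // HttpUtility.HtmlEncode encodes just a short list of characters (< > & ").
    // In Anti-XSS 4.x the same call is Encoder.HtmlEncode(...).
    protected void Button1_Click_Encoded(object sender, EventArgs e)
    {
        Label1.Text = AntiXss.HtmlEncode(DropDownList1.SelectedItem.Value);
    }
}
```

CAT.NET reports the data flow from the request to Label1.Text regardless of whether request validation would have stopped a particular payload at runtime; encoding at the sink is what clears the finding, and it keeps the page safe if the same value later arrives from a TextBox or a query string instead of a dropdown.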
However, what if the same data is used in, for example, an LDAP query? Take a look at this LDAP example. CAT.NET will catch this and mark it as LDAP injection. In an LDAP injection attack the attacker only needs ordinary characters such as " ( * ) cn= , all of which pass the ASP.NET ValidateRequest mechanism untouched.
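An LDAP lookup that uses the same posted value, as an added example (not the screenshot the post refers to): first built by string concatenation, which is the pattern CAT.NET flags, then with the value escaped as RFC 4515 requires before it is placed in the filter. The directory path and the objectClass/cn attributes are assumptions.

```csharp
// Added example, not from the original post. Directory path and attribute
// names are assumptions for illustration.
using System;
using System.DirectoryServices;
using System.Text;

public static class LdapLookup
{
    // Vulnerable: a posted value such as   *)(cn=*   turns the filter into
    // (&(objectClass=user)(cn=*)(cn=*)) and matches every user. None of
    // these characters trigger ASP.NET request validation.
    public static SearchResult FindUserUnsafe(string userInput)
    {
        var root = new DirectoryEntry("LDAP://DC=example,DC=local"); // assumed
        var searcher = new DirectorySearcher(root)
        {
            Filter = "(&(objectClass=user)(cn=" + userInput + "))"
        };
        return searcher.FindOne();
    }

    // Hardened: same query, but the value is escaped so it can only ever be
    // a literal cn value, never new filter syntax.
    public static SearchResult FindUser(string userInput)
    {
        var root = new DirectoryEntry("LDAP://DC=example,DC=local"); // assumed
        var searcher = new DirectorySearcher(root)
        {
            Filter = "(&(objectClass=user)(cn=" + EscapeFilterValue(userInput) + "))"
        };
        return searcher.FindOne();
    }

    // RFC 4515 escaping for an assertion value inside a search filter:
    // backslash first, then the metacharacters ( ) * and NUL, each written
    // as a backslash followed by two hex digits.
    // EscapeFilterValue("*)(cn=*") returns @"\2a\29\28cn=\2a".
    public static string EscapeFilterValue(string value)
    {
        if (value == null) return string.Empty;
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}
```

Escaping is the fix because LDAP filters have no parameterized form the way SQL does; the value must be made inert before concatenation. Note that escaping the filter value does not cover a user-supplied distinguished name (the LDAP:// path), which has its own escaping rules.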
We can control which checks run; CAT.NET supports the following checks:
- Process Command Execution
- File Canonicalization
- Exception information
- LDAP injection
- XPATH injection
- SQL injection
- Redirection to user controlled site
- Cross site scripting
CAT.NET tries to detect as much as possible, but it tracks data that enters through the web request; it will not, for example, flag bad data coming from a database.
Get the V1 CTP 32bit version here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
and for the 64 bit look here: http://www.microsoft.com/downloads/details.aspx?FamilyId=e0052bba-2d50-4214-b65b-37e5ef44f146&displaylang=en
Stay tuned for a new release from Microsoft, the Web Protection Library. This library is intended to protect EXISTING applications, and will filter incoming requests and outgoing responses to prevent attacks!
2 comments
I've used CAT.NET to analyse some projects in the past and it's a great tool for spotting low-hanging fruit. It should however be noted that the amount of false positives is quite high in large SaaS applications.
"Lucky for us, ASP.NET will stop most of these attacks for us, by filtering on HTML tags, and unicode attacks, but it is always a good practice to encode all output"
In the default setting ASP 2.0 and higher will filter this. However the filtering isn't perfect (BID 20753) and there have been some patches to address this (always use a fully updated ASP.NET instance). However, I still found people turning this security off (by using ValidateRequest="false") because they want another webpart (content editor) to work.
Rolf Huisman
I have also used CAT analysis for some reasons and projects; it helps me a lot to lessen my workload.
cat sneezing