Common vulnerabilities for WinForms applications


Question

I'm not sure if this is on-topic or not here, but it's so specific to .NET WinForms that I believe it makes more sense here than at the Security stackexchange site.

(Also, it's related strictly to secure coding, and I think it's as on-topic as any question asking about common website vulnerabilities that I see all over the site.)

For years, our team has been doing threat modeling on Website projects. Part of our template includes the OWASP Top 10 plus other well-known vulnerabilities, so that when we're doing threat modeling, we always make sure that we have a documented process for addressing each of those common vulnerabilities.

Example:

SQL Injection (OWASP A-1)

  • Standard Practice
    • Use Stored Parameterized Procedures where feasible for access to data where possible
    • Use Parameterized Queries if Stored Procedures are not feasible. (Using a 3rd party DB that we can't modify)
    • Escape single quotes only when the above options are not feasible
    • Database permissions must be designed with least-privilege principle
    • By default, users/groups have no access
    • While developing, document the access needed to each object (Table/View/Stored Procedure) and the business need for access.
    • [snip]

At any rate, we used the OWASP Top 10 as the starting point for commonly known vulnerabilities specific to websites.

(Finally, the question)

On rare occasions, we develop WinForms or Windows Service applications when a web app doesn't meet the needs. I'm wondering if there is an equivalent list of commonly known security vulnerabilities for WinForms apps.

Off the top of my head...

  • SQL injection is still a concern.
  • Buffer overflows are normally prevented by the CLR, but are more likely if unmanaged code is mixed with managed code.
  • .NET code can be decompiled, so storing sensitive information in code, as opposed to encrypted in app.config, ...

Is there such a list, or even several versions of such a list, from which we can borrow to create our own? If so, where can I find it?

I haven't been able to find it, but if there is one, it would be a great help to us, and also other WinForms developers.

Recommended answer

There is a big difference between a web environment and a desktop environment. When developing web sites and services, the thing you don't trust is the user (user input). When running a desktop application, the thing that isn't trusted is the application itself, or at least, a system administrator would like to know whether the application itself doesn't do any harm, since code that runs on the local computer is a risk by itself.

So in a sense, for you as a developer of a desktop application, security rules do not always apply, since the application you run is not a black box, but a white box. With a web service / site, you expect attacks to not be able to change the internal state, but with any desktop app (Java, .NET, native) it is 'quite' easy to change the state of the application while the application is running, and especially with Java and .NET, debugging and decompiling an application is quite easy.

In other words, you must consider the desktop application completely compromised, and if this is a risk, you must extract everything that must be secure (authentication, authorization, validation) to an external (web) service. For this service, the 'normal' OWASP rules apply.

Something you should watch is that it's really hard to completely secure your data layer when a desktop application connects directly to a database. For instance, SQL injection is not an issue for your desktop application in this case, since when the application can directly connect to the database, so can the user. And if the user can connect to the database, he can execute any arbitrary query. This is an extreme form of SQL injection, but it completely skips your application.

Trying to secure a 2 tier application often means the use of stored procedures as an intermediate (service) layer (and preventing direct access to tables). Developing and maintaining stored procedures is much more costly than developing a .NET (web) service.
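As an added illustration (not code from the question or the answer) of the two points made above, the question's least-privilege standard practice and the answer's "stored procedures as the service layer, no direct table access" advice, here is a T-SQL layout for a 2-tier client. It assumes SQL Server and uses made-up names (dbo.Orders, dbo.GetOrdersForCustomer, the login winforms_client, the role app_client_role); run it inside an existing database.

```sql
-- Added example, not code from the original question or answer. All object
-- names are assumptions; the table rows are constructed sample data.
-- Goal: the client login can only EXECUTE a parameterized procedure and is
-- denied every direct permission on the table it reads.

-- Constructed sample table and rows.
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT NOT NULL,
    OrderDate  DATE NOT NULL,
    Total      DECIMAL(10, 2) NOT NULL
);
INSERT INTO dbo.Orders (CustomerId, OrderDate, Total)
VALUES (42, '2024-01-15', 120.50), (7, '2024-01-16', 99.00);
GO

-- A role that has no permissions by default; the app's login joins it.
CREATE LOGIN winforms_client WITH PASSWORD = '<REPLACE-with-a-strong-passw0rd>';
CREATE USER winforms_client FOR LOGIN winforms_client;
CREATE ROLE app_client_role;
ALTER ROLE app_client_role ADD MEMBER winforms_client;
GO

-- The stored procedure is the only supported path to the data.
-- @CustomerId is a typed parameter, so input never becomes SQL text.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- EXECUTE on the procedure only. Because procedure and table are both
-- owned by dbo, ownership chaining lets the procedure read dbo.Orders
-- even though the role is denied every direct table permission.
GRANT EXECUTE ON dbo.GetOrdersForCustomer TO app_client_role;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_client_role;
GO

-- Check as the client user: the procedure returns one row for customer 42;
-- the direct read fails with "The SELECT permission was denied".
EXECUTE AS USER = 'winforms_client';
EXEC dbo.GetOrdersForCustomer @CustomerId = 42;
SELECT * FROM dbo.Orders;
REVERT;
GO
```

The DENY on the table is what closes the "skip the application and run any query" path from the answer: a user who extracts the connection string from the decompiled client still ends up inside the procedure's contract.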
