
SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.


Copyright SANS Institute Author Retains Full Rights

How to Audit ASP.NET Applications for PCI DSS Compliance
GIAC GSSP-NET Gold Certification
Author: Christian J. Moldes, Christian_moldes@hotmail.com
Adviser: Rodney Caudle
Accepted: October 23, 2011

Abstract
According to the 2010 Data Breach Investigation Report published by Verizon Business (2010), 40% of all data breaches were the result of hacking attacks, and of that 40%, 54% were related to web applications. Application security remains one of the key factors in avoiding a security breach. PCI DSS (Payment Card Industry Data Security Standard) recognizes this, and specific requirements have been outlined to ensure that companies have processes in place to ensure that applications are developed, deployed, and maintained securely. This paper intends to provide specific guidance to audit ASP.NET applications and verify that they meet PCI DSS requirements.

1. Scope

This paper intends to provide specific guidance on how to audit ASP.NET applications and validate that they meet PCI DSS requirements. It does not intend to provide guidance on how to conduct penetration tests on ASP.NET applications, identify secure coding vulnerabilities, or remediate ASP.NET vulnerabilities. In order to work, applications rely on several other components that are external to the application, such as infrastructure servers, network devices, databases, HTTP servers, and an OS platform. These components are critical to the security of the application; however, they were not included in this paper in order to limit the scope exclusively to the components that are directly under the control of the application. This paper assumes that the reader is already familiar with ASP.NET coding, web application architecture, web application vulnerabilities, and the PCI DSS standard. The audience for this paper is QSAs (Qualified Security Assessors), PA-QSAs (Payment Application Qualified Security Assessors), compliance directors, IT auditors, and anyone responsible for PCI DSS compliance; it is particularly relevant for individuals who need to establish that an ASP.NET application is compliant with PCI DSS.

2. Legal Disclaimer

This paper contains many references to online tools and applications that can be used to conduct a PCI DSS audit. The author does not take responsibility for the contents of the websites mentioned in this paper, nor does he provide any assurance that the websites or tools suggested are free of malware. The reader should make sure those resources are free of malware before browsing to the websites or using the tools on a production environment.

3. PCI Security Standards Council and PCI DSS

The PCI Security Standards Council (PCI SSC) was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. in 2006.

Christian J. Moldes, christian_moldes@hotmail.com

Companies processing, storing or transmitting cardholder data from any of these payment brands have to comply with PCI DSS (Payment Card Industry Data Security Standard), a data security standard published and maintained by PCI SSC (PCI SSC, 2011a). Non-compliant companies are exposed to higher transaction fees imposed by their acquirer banks, fines imposed by the payment card brands, higher liability in the event of a security breach, and even the risk of losing the authorization to process payment card transactions.

PCI SSC also published the PA-DSS standard (Payment Application Data Security Standard), which is a standard targeted toward vendors that develop and support payment applications. This paper is not focused on PA-DSS because this standard only applies to payment application vendors. As a matter of fact, most of the PA-DSS requirements applicable to applications are a subset of PCI DSS and reference its requirements. Hence, there is no added benefit to discussing PA-DSS requirements in this paper, since most requirements would have already been discussed for PCI DSS.

4. ASP.NET Applications Security and PCI DSS

It would be a mistake to assume that organizations, their applications, or IT infrastructure in general would be secure by just meeting PCI DSS requirements. While PCI DSS is a security standard, at its core it is a compliance standard that defines the acceptable risk of the council members and what PCI SSC considers would address most of those vulnerabilities and risks. Security controls have been defined based on the most common vulnerabilities that affected companies in the past and the processes they have implemented to support their applications. In most cases, entities could obtain a less costly security posture by implementing security controls that fit their own individual companies rather than implementing all the controls that are required to be compliant with PCI DSS. Unfortunately, while PCI DSS allows some flexibility, it does require a company to meet all the requirements as written or to implement compensating controls that go above and beyond what the standard already requires.

One of the key security controls that has the most impact on PCI DSS compliance is the adoption of an industry best practice standard for application security. In previous versions of the standard, OWASP Top 10 was the only recommendation. As such, it has been widely adopted by companies and vulnerability management products, and it has become the default standard for web application security. With the release of PCI DSS v.2.0, PCI SSC suggested two additional standards for payment applications: CWE/SANS Top 25 and CERT secure coding. PCI DSS v.2.0 also expanded requirement 6.5 to include not only web applications but also all types of applications.

The main difference between OWASP Top 10 and CWE/SANS Top 25 is that OWASP Top 10 covers general concepts and is focused exclusively on web applications, while CWE/SANS Top 25 covers specific software errors and could be applied to any type of software application. The CERT secure coding standard only provides guidance for applications developed using Java, C++, and C. As of the date of this paper, companies using ASP.NET can only use either OWASP Top 10 Web Application Security Risks or CWE/SANS Top 25 Software Errors for secure coding guidance. Companies developing applications using mixed architectures may benefit by adopting and using a common standard across all their development teams; in this case CWE/SANS Top 25 may be the best option.

An important thing to remember is that OWASP Top 10 is updated every three years and CWE/SANS Top 25 is updated annually. In either case, PCI DSS requires entities to use the most current release of the standards, so an individual auditing applications for PCI DSS compliance should track changes to the standards at least annually. References regarding how to audit specific software errors and security risks for each standard are included in the secure coding section.

5. PCI DSS Requirements that Apply to Web Based Applications

The following table lists PCI DSS v.2.0 requirements that apply to applications, or requirements that are directly under the control of the application. They have been grouped into categories to facilitate the audit process.

Requirement | Category
1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. | Architecture Audit
2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) | Architecture Audit
3.2 Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3. | Design Audit
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). | Design Audit
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography (hash must be of the entire PAN); truncation (hashing cannot be used to replace the truncated segment of PAN); index tokens and pads (pads must be securely stored); strong cryptography with associated key-management processes and procedures. | Design Audit
3.5 Protect any keys used to secure cardholder data against disclosure and misuse. Note: This requirement also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key. | Architecture Audit
4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS include but are not limited to: the Internet; wireless technologies; Global System for Mobile communications (GSM); General Packet Radio Service (GPRS). | Design Audit
6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. Incorporate information security throughout the software development life cycle. These processes must include the following: Requirements from 6.3.1 thru 6.3.2. | Secure Coding
6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following: Requirements from 6.5.1 thru 6.5.9. Note: The vulnerabilities listed at 6.5.1 through 6.5.9 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, CWE/SANS Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. | Secure Coding
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; installing a web-application firewall in front of public-facing web applications. | Secure Coding
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following: Requirements from 7.1.1 thru 7.1.4. | Design Audit
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following: Requirements from 7.2.1 thru 7.2.3. | Design Audit
8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography. | Design Audit
8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as follows: PCI DSS Requirements from 8.5.1 thru 8.5.16. | Design Audit
10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. | Design Audit
10.2 Implement automated audit trails for all system components to reconstruct the following events: Requirements from 10.2.1 thru 10.2.7. | Design Audit
10.3 Record at least the following audit trail entries for all system components for each event: Requirements from 10.3.1 thru 10.3.6. | Design Audit

Table 1: List of PCI DSS requirements that apply to ASP.NET applications.

1. i. per requirement 1. A system hosting different services on the same logical system would not Christian J. a compliant application cannot have a web server and database residing on the same logical system. separated from the DMZ where web servers or other components externally accessed reside. limiting further compromised.2. an issue for an application’s database to be located on a different network segment unless IP In general. applications that use a multi-tier architecture in which presentation.How to Audit ASP. A u t h o r r e t a i n s f u l l r i g h t s . Verifying servers only have one primary role PCI DSS requirement 2. a stricter firewall policy can be applied to all the different tiers.NET Applications for PCI DSS Compliance 6 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s .3.7 and 2. as they only accept the past such as SQL Injection and OS Command Injection. Since Microsoft solutions are based on open technologies it should not be addresses and/or hostnames have been hardcoded.e. identify all services running. and data management are processes running on logically separated systems can be more secure than applications that only relay on one or two tiers. by having these tiers running on different logically separated systems. The auditor has to inspect all systems. Moldes. Web applications that directly access the database using SQL queries or that rely on stored procedures may need additional controls applied on the other tiers.2.7 states that databases should be placed in an internal security zone. By using web services. 6. applications can became immune to many vulnerabilities that have affected them in not currently possible to exploit on systems using web services. PCI DSS Requirement 1.3.1 emphasizes the need to implement only one function per server. thus. penetration and escalation of privileges in the event that the most exposed tiers have been In those cases. 
an attacker would be limited to the web server and the data residing on or being transmitted through the web server. In addition. These types of vulnerabilities are parameterized input. business logic. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . Architecture Audit .1. and obtain the IP addresses in use. christian_moldes@hotmail.com 6.

2. any situation in which the system faces an insecure network such as the Internet or Extranet is incompatible with the database server role. network interfaces. Some examples of repositories are temporary files. verify that the IP addresses for the web server and other components such as the database firewall rules restrict connections between the web server and other components to only the It is important to understand that by database. DEKs and KEKs should be stored separately. PCI DSS means a data repository.3. Therefore. error logs. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . A good understanding of all the applications inputs and outputs should be gained during interviews and documentation review.How to Audit ASP. An application may use other types of data repositories besides relational databases. As of the date of this paper. PCI Council does not provide specific guidance regarding what defines “stored separately”. identify all the locations where cardholder data is stored. Separately could be understood to mean not located in the same file. Verifying cryptographic keys are adequately protected According to PCI DSS. 6.5 clearly states that both DEKs and KEKs should have the same level of protection. In addition. since DEKs have to be encrypted so do KEKs. file. A u t h o r r e t a i n s f u l l r i g h t s . At least make sure that DEKs and KEKs are not located on the same type of that the most conservative interpretation is to store DEKs and KEKs on separate systems.com qualify as having only one primary role. even if those services are published using different . trace files.3. christian_moldes@hotmail. or not located on the same system. 6. Moldes. and mail data files. the auditor should verify that services and protocols required by the application. or not located in the same type of file. transaction logs (TLOGs). 
and server are located on different security zones. Keep in mind that the interpretation of this requirement may differ among PCI QSAs and A note on PCI DSS requirement 3. Christian J. Verifying databases are not located on the DMZ Per requirement 1. The auditor has to obtain a dataflow diagram.7. applications should have at least two set of cryptographic keys: Data-Encrypting Keys (DEKs) and Key-Encrypting Keys (KEKs).NET Applications for PCI DSS Compliance 7 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s .

as there is no business need for The auditor should find out where cryptographic keys are located by conducting interviews.NET provides functionality to create key containers on which asymmetric keys can be stored. christian_moldes@hotmail. There are two types of key containers: User-level and machine-level RSA key containers. and if possible by inspecting source code. Moldes. as there are many ways to render keys unreadable that do not meet the intent of the standard. keys (DEKs and KEKs). PCI DSS only mentions these two sets of At any rate. administrators’ manuals. This seems like a never-ending cycle. there is no need to encrypt them. The KEK could be stored on a database table encrypted with encryption functionality provided by the database. The latter will be the only way to verify whether cryptographic keys are encrypted using strong cryptography. information is not available. the auditor should review the application’s PA-DSS implementation guide. and/or end-user manuals. The following examples show cases of cryptographic keys Example 1: A DEK can be stored in a configuration file encrypted with the KEK. For commercial applications where source code is not available. DEKs and KEKs should not be hardcoded as this will complicate key rotation and would allow development staff to know the encryption key value. User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run Christian J. obviously affect PCI DSS compliance with requirement 3. so if another set of cryptographic keys are used to protect KEKs.com . Example 2: A DEK can be stored on the application server in a configuration file encrypted with the KEK. 
The KEK can be stored on a different system and encrypted with the application credentials or with a value hard-coded in the application source code and obfuscated in order to avoid any strings searches.NET Applications for PCI DSS Compliance 8 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s .6. Key containers can be created at the machine-level or user-level. the application vendor should be contacted to obtain additional Note that . If the details.How to Audit ASP. A u t h o r r e t a i n s f u l l r i g h t s . that has been deemed compliant in the past. however. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . This would a developer to know cryptographic values on production systems.6.

Applications can use many other key management solutions including homegrown or commercial key management solutions. it is understood that data may be stored temporarily while being in the authorization process. and are the most useful as they can be used to encrypt or decrypt protected configuration sections while logged in with an administrator account. whether machine-level or user-level. they can be (MSDN Library. However.How to Audit ASP.com . User-level RSA key containers can be useful if a developer 7. christian_moldes@hotmail. especially during store-and-forward transactions. Although machine-level RSA key containers are available to all users. want to ensure that the RSA key information is removed when the Windows user profile is will make use of the user-level RSA key container in order to encrypt or decrypt protected configuration sections. or a group of applications on a server that run under the same user identity. A machinelevel RSA key container can be used to protect information for a single application. which are out of scope for this paper. because the user must be logged in with the specific user account that Machine-level RSA key containers are available to all users that can log in to a computer. 2010) version of the application addressing the compromised encryption keys is deployed (PCI under that specific user identity. all the applications on a server. If the application is compromised. The best practice Christian J.NET Applications for PCI DSS Compliance 9 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s . secured with NTFS Access Control Lists (ACLs) so that only required users can access them In either case. 2011a). However. Applications applying for PA-DSS compliance should not have hard-coded DEKs or KEKs. they are inconvenient to use (MSDN Library. verify that proper NTFS access controls lists have been set. 2011a). Moldes. A u t h o r r e t a i n s f u l l r i g h t s . 
all the companies using the same application would be in risk until a new SSC.2. removed. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . PCI SSC published specific guidance about this subject. by default. Design Audit: Data at Rest Sensitive authentication data cannot be stored after authorization as per PCI DSS requirement 3.

the auditor should become familiar with the three parts of this standard.NET Applications for PCI DSS Compliance 10 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s . Strong Cryptography PCI SCC (2001b) defines strong cryptography as the cryptography based on industrytested and accepted algorithms. RSA (1024 bits and higher). If that is not an option. Therefore. which are encryption and one-way-hashing. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . Moldes. PCI DSS bases its strong cryptography recommendation on NIST Special Publication 800-57.How to Audit ASP. 7.4 using strong cryptography by using any of the following approaches: ! One-way hashes based on strong cryptography (hash must be of the entire PAN) ! Truncation (hashing cannot be used to replace the truncated segment of PAN) Index tokens and pads (pads must be securely stored) ! ! Strong cryptography with associated key-management processes and procedures Truncated PAN numbers and index tokens are not considered cardholder data. and the applications that only used that type of data and have no access to the original PAN number are considered out of scope. along with strong key lengths and proper key-management practices.1. the same level of security should be applied for sensitive authentication data than the one applied to PANs. if possible. both acceptable if they are based on strong cryptography. This paper will focus on the other two options available. ECC (160 bits and higher). Examples of accepted encryption algorithms include AES (128 bits and higher). Part 1 provides general guidance and best practices for the management of cryptographic Christian J.com for this data is to handle the data only in memory. christian_moldes@hotmail. at least . and ElGamal (1024 bits and higher) TDES (Minimum double-length keys). 
Primary account numbers (PANs) should be rendered unreadable while at rest per PCI DSS requirement 3. A u t h o r r e t a i n s f u l l r i g h t s .

2007a). 2011). is capable of searching data on text. christian_moldes@hotmail.How to Audit ASP. The current version of dnGrep can search text files. MS Word. and part 3 provides guidance when using the cryptographic features of current systems (NIST. NIST has a new draft version of Special Publication 800-57 Part 1 that has been published for comments and review. 2007b). Finding Cardholder Data in Clear Text One way to ensure that a system does not store cardholder data in clear text is to run a tool that searches the entire file system and identifies files that contain PANs. PowerGrep. 7. 2009). 2011). government agencies (NIST. Is Data Encrypted? Unless source code is inspected. A tool such as dnGrep (Grep for Windows) can be used for that purpose. binary. Use at least a couple of tools. Microsoft Excel. 7. 2007) can also be used to find cardholder data on all accessible files.NET Applications for PCI DSS Compliance 11 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s . and conduct controlled tests Goyvaerts’ regular-expressions.2. part 2 provides guidance on policy and security planning . Microsoft Word. Enter regular expressions that matches card numbers and search inside all types of files. archives. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e .. Commercial solutions that have proven to be successful in finding card numbers are also available. Keep track of this publication and take into consideration that guidance regarding key management and strong cryptography may change in the near future.S.3 details how to determine whether strong cryptography is in use.info website details regular expressions that can be used to search for card numbers in clear text (Goyvaerts.com keying material (NIST. it is very difficult to validate that data has been Christian J. requirements for U. Section 7. 
Spider from Cornell University (Cornell University. A u t h o r r e t a i n s f u l l r i g h t s . Moldes. (Just Great Software Co. and OpenOffice files to validate the tools capabilities and regular expressions used to search card numbers in clear text before using them on a production environment.3. 2011). As the date of this paper. and PDF documents (Google. for example. PDF.

In order to visually recognize whether data is .com and Chilkatsoft. encrypted.com rendered unreadable using strong cryptography. An auditor can use those sites to validate claims that data is encrypted.How to Audit ASP. Some of the techniques are not compliant and applications using them would have to implement compensating controls in order to achieve PCI DSS compliance. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . especially when after visual inspection clues are obtained that the data may not be encrypted. encode.NET Applications for PCI DSS Compliance 12 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s . christian_moldes@hotmail. Several websites provide online functionality to encrypt. and hash data for test purposes such as Yellowpipe. encoded data. decrypt. Moldes. A u t h o r r e t a i n s f u l l r i g h t s .com. The following table lists the results of using different techniques to render a test card number unreadable. it is advisable to know how encrypted data. Christian J. and hashed data looks.

Data Format: Test Card number
Value: 5412345678901234
Comments: Card number in clear text.

Data Format: Hexadecimal
Value: 133A7FED97AFF2
Comments: Hexadecimal is a base 16 encoding technique. The resulting value should only contain the digits 0 to 9 and the characters A to F. This is not an acceptable technique to render cardholder data unreadable, as it would be very easy to reverse hexadecimal values to card numbers. Compensating controls would have to be implemented to achieve PCI DSS compliance.

Data Format: Base 64 Encode
Value: NTQxMjM0NTY3ODkwMTIzNA==
Comments: One characteristic of base 64 is the trailing characters "==" and the use of uppercase and lowercase characters. This is not an acceptable technique to render cardholder data unreadable, as it would be very easy to reverse encoded values to card numbers.

Data Format: DES
Value: CR4m2sG47zvQ2
Comments: DES is no longer deemed strong cryptography and should not be used to render cardholder data unreadable. This is not an acceptable technique to store cardholder data.

Data Format: MD5 (Hash)
Value: 3e90cee978f4a7aaafadf118449084f9
Comments: An MD5 hash produces a string of 32 characters. The resulting value of hashing data is a hexadecimal string. An auditor may infer that a value has been hashed if the value only contains the digits 0 to 9 and the characters A to F. The alphabetic characters are not necessarily stored as lowercase characters. This is an acceptable technique to render cardholder data unreadable according to PCI SSC; however, it is strongly not recommended. PCI SSC only recommends the use of salt. According to Integrigy (2007), "Storing of credit card numbers by simply hashing only the card number is unacceptable and can be easily compromised by brute force methods." (p.13) In our opinion, the use of salt should be strictly required for this technique to be acceptable.

Data Format: SHA-1 (Hash)
Value: ea2c3c903f2f47540514c2502d5e016780b28422
Comments: A SHA-1 hash produces a string of 40 characters. The resulting value is a hexadecimal string, and the alphabetic characters are not necessarily stored as lowercase characters. Otherwise the same considerations as for MD5 apply: acceptable according to PCI SSC, but in our opinion only with a salt.

Data Format: SHA-256 (Hash)
Value: 1A8D8B311E0DA854A59B31F1148056AE699B0C667B2EB4CFFB31F5508FCF760D
Comments: A SHA-256 hash produces a string of 64 characters. The resulting value is a hexadecimal string; the alphabetic characters are not necessarily stored as uppercase characters, as seen in the previous examples. Otherwise the same considerations as for MD5 apply: acceptable according to PCI SSC, but in our opinion only with a salt.

Data Format: SHA-512 (Hash)
Value: AF7822A5F1E4BE8B27B136BB007D6CDAA3C563BB2592E5702BB0DB60B724BBD8CE127DAC7405B11CACF404AFBB8D3519BA926F0C458DCDECCF86EF402FFA2EDE
Comments: A SHA-512 hash produces a string of 128 characters. The resulting value is a hexadecimal string; the alphabetic characters are not necessarily stored as uppercase characters, as seen in the previous examples. Otherwise the same considerations as for MD5 apply: acceptable according to PCI SSC, but in our opinion only with a salt.

Data Format: AES 128 Bits
Value: 2VLwiHgQoZEe2/UkS90fEQ==
Comments: Note the trailing characters "==", which reveal that the string more than likely is encoded. Encryption produces values that sometimes cannot be stored in databases easily nor rendered easily on the screen. That is why most of the time they are encoded using Base 64. This is an acceptable method to render cardholder data unreadable.

Data Format: AES 128 Bits, AES / ECB / PKCS5 Padding (Encrypted Text in base 64)
Value: 6XA7orXT+l4zav7TKcAFSXDXAcHi6ubO89E+15xVe+Y=
Comments: Also, note the use of uppercase and lowercase values, numbers, and symbols such as "=", "+", and "/", which encrypted values in some cases will include. This is an acceptable method to render cardholder data unreadable.

Table 2: Different techniques to render cardholder data unreadable
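The visual rules in Table 2 can be turned into a quick triage script. The following is an added example and not code from the paper: it decodes hexadecimal and Base64 candidates (the two encodings the table calls reversible), recognises hash-length hexadecimal strings, and treats other Base64 blobs as probable ciphertext that still needs its algorithm and key management reviewed. The only inputs it is exercised with are the table's own values for the test card number 5412345678901234; the verdict strings are this example's wording, not the paper's.

```python
"""Classify how a stored cardholder value has been rendered unreadable, if at all.

Added illustration for the visual-inspection table above, not code from the
paper. It decodes hexadecimal and Base64 candidates to show when a value is
merely encoded, recognises hash-length hexadecimal strings, and treats other
Base64 blobs as probable ciphertext that still needs its algorithm and key
management reviewed. The values it is exercised with are the table's own,
derived from the test card number 5412345678901234.
"""
import base64
import binascii
import re
from typing import Optional

# Digest lengths, in hexadecimal characters, of the hash functions in the table.
HASH_HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")  # standard alphabet, optional padding
PAN_RE = re.compile(r"\d{13,19}")


def looks_like_pan(text: str) -> bool:
    """A string of 13 to 19 digits is treated as a candidate card number."""
    return PAN_RE.fullmatch(text) is not None


def decode_hex_integer(value: str) -> Optional[str]:
    """Undo the table's hexadecimal encoding of the PAN as an integer (133A7FED97AFF2)."""
    if HEX_RE.fullmatch(value) is None:
        return None
    return str(int(value, 16))


def decode_base64_text(value: str) -> Optional[str]:
    """Undo Base64 of the PAN's ASCII digits; None when the value is not Base64 text."""
    if BASE64_RE.fullmatch(value) is None or len(value) % 4 != 0:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(value: str) -> str:
    """Audit verdict for one stored value, checking the cheapest reversals first."""
    if looks_like_pan(value):
        return "clear text PAN: not acceptable"
    decoded = decode_hex_integer(value)
    if decoded is not None and looks_like_pan(decoded):
        return f"hexadecimal encoding of PAN {decoded}: reversible, not acceptable"
    decoded = decode_base64_text(value)
    if decoded is not None and looks_like_pan(decoded):
        return f"Base64 encoding of PAN {decoded}: reversible, not acceptable"
    if HEX_RE.fullmatch(value) is not None and len(value) in HASH_HEX_LENGTHS:
        return f"{HASH_HEX_LENGTHS[len(value)]}-length hash: acceptable only with a salt; verify one is used"
    if BASE64_RE.fullmatch(value) is not None and len(value) % 4 == 0 and len(value) >= 24:
        return "Base64 blob that does not decode to a PAN: probably ciphertext; verify algorithm and key management"
    return "unrecognised format: request details from the developers"
```

Run `classify()` over a sample of values pulled from the column under review; anything reported as reversible is a finding on its own, while the hash and ciphertext verdicts only tell the auditor which follow-up question to ask (is a salt used, which algorithm and key management).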

7.4. Inspecting IIS logs

Whenever applications use HTTP GET methods for form submissions, data could be logged to the IIS log files, depending on the IIS log settings. Even if logging of the URI query has not been enabled, an administrator or even an attacker may potentially enable URI query logging once a system has been compromised. Therefore, if cardholder data is being posted using parameters, log files may contain cardholder data in clear text. HTTP GET methods should not be used to post cardholder data. While the use of HTTP GET instead of HTTP POST methods during posts is not ..., HTTP GET is an issue.

One way to verify whether this risk exists at all would be to interact with the application using a Web Debugging Proxy such as Fiddler or IE Inspector HTTP Analyzer to capture the traffic at the time cardholder data is posted to the web server, and inspect what data is being posted using parameters. An easy way to identify whether HTTP GET methods are in use is to observe the URL when submitting forms. If the URL includes a question mark symbol and parameters separated by ampersand symbols, HTTP GET is being used.

IIS logs should be inspected to verify that cardholder data is not logged. To locate the log files, start off by verifying the IIS configuration, since the location of the log files may have been changed from the default location to a different directory or even a different system. Log into the web server, go to the Start Menu, select Control Panel, select Administrative Tools, and select Internet Information Services (IIS). Find the website under the tree on the left. Right click on the website entry and choose Properties. On the Web Site tab, there is an option near the bottom that says "Active Log Format". Click on the Properties button. At the bottom of the General Properties tab, there is a box that contains the log file directory and the log file name. Open the log files and inspect the URI Query column, which is displayed as cs-uri-query in the IIS logs.

7.5. Inspecting log4net logs

Log4j is a very popular way to generate logs among Java developers. A similar tool, log4net, is available for .NET, and more developers are incorporating this tool into their ASP.NET applications. There are no limitations regarding the type of information that can be logged in Log4net logs since they are created programmatically. For an application that processes or transmits cardholder data, those logs may potentially contain sensitive data if the application has not been properly designed. Logging behavior can be drastically changed by modifying settings in Log4net configuration files. Log4net can be configured to send logs not only to a local file but to several different local and remote databases as well (Apache Software Foundation, 2010).

If Log4net is being used, search the web server file system for the Log4net configuration file, log4net.config. Examine the website's web.config file located in the website directory and the machine's web.config file, search for log4net.XmlConfigurator, and inspect the value of the level value attribute. The actual log file could be located on a local or remote system. The auditor should verify that even the most verbose log levels, such as debug, do not log any cardholder data. Tests should be conducted to replicate all possible scenarios with payment card transactions using the most verbose log level, and the logs should be inspected after each test.

7.6. Inspecting other logs

The ASP.NET architecture works on a pipeline model. An HTTP request goes through the ASP.NET pipeline passing through HTTP modules, which examine the request and can act upon it: rewrite the URL, change it, or even throw exceptions, which stops any further progression and returns an error to the user (Dorrans, 2011). One of the most common uses of HTTP modules is to implement security features such as authentication and authorization. Developers can create HTTP modules to inspect and, more importantly, log all the requests coming from users. HTTP modules are registered in the web.config file for a machine or website. The machine web.config file is contained in the following directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG. In both cases, inspect the httpModules section and request additional information for entries that have been added to the file. The original snippet spelled the attribute "Type-", which is not valid configuration; the attribute is type:

<httpModules>
  <add name="LogModule" type="MyHttpModule.LogModule, MyHttpModule"/>
  <!-- other modules registered by default -->
</httpModules>

For additional information regarding HTTP Modules read "Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET" (Ewald & Brown, 2003) and "HTTP Handlers and HTTP Modules Overview" (Microsoft, 2011b).

7.7. Verifying PAN Masking and Truncation

PCI DSS requirement 3.3 specifies that PANs should be masked when displayed and that a maximum of the first 6 and last 4 digits of the PAN can be displayed. To verify proper masking, the auditor has to identify all application functionality that deals with cardholder data and whether there is any way to enable displaying of full PANs on the screens and/or reports. If the application provides such functionality, the access control systems in place to limit access to full PANs should be reviewed. For user roles or user IDs that have been granted the capability to see full PANs, a legitimate business need should exist. File-search utilities using regular expressions should be run on systems where reports are generated to find any reports and files that may contain full PANs.

8. Design Audit: Data in Transit

The PCI DSS standard requires applications that transmit cardholder data over open or public networks to encrypt the transmission using strong cryptography. For data in transit this implies using SSL/TLS or IPSEC connections.

8.1. Verifying that only trusted keys and/or certificates are accepted.

Web servers use their digital certificates to establish a SSL/TLS connection with clients; therefore, there is no way a client could use an untrusted key or certificate to establish a connection to the web server. This requirement would apply to SSH or IPSEC connections though, which are obviously external to the application and web server. IPSEC connections can be verified by reviewing the firewall or VPN concentrator configurations and ensuring the traffic from the server is routed over those systems. For SSL connections, the connection may end on a load balancer or SSL off load device. In those cases, the auditor should review the load balancer or SSL off load device configuration as well. Network and security device reviews are out of scope for this paper.

8.2. Verifying that the protocol is implemented to use only secure configurations, and does not support insecure versions or configurations.

In most production environments, SSL connections end at load balancers or SSL off load devices; therefore, the web server may not be the right place to validate the secure configuration of SSL connections. It is necessary to identify whether load balancers and/or SSL off load devices are being used. If that is the case, the auditor should review the load balancer or SSL off load device configuration instead. As mentioned previously, network and security device reviews are out of scope for this paper. Most network vulnerability scanners include features to test whether insecure protocol versions are supported. OWASP provides detailed black and white box testing procedures to validate that a website only accepts secure versions of SSL/TLS (OWASP, 2011a).

If load balancers or SSL off load devices are not in use, the auditor should check the web server registry keys in order to verify that insecure versions are not supported. The following registry keys should have a DWORD value named "Enabled" set to 00000000:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

8.3. Verifying that proper encryption strength is implemented for the encryption methodology in use.

As in the previous requirement, the auditor can verify proper encryption strength by inspecting the web server configuration, if the SSL connection ends at the web server. The best approach to verify proper encryption, regardless of the use of load balancers or SSL off load devices, is by using tools to attempt to connect to the website using different encryption algorithms and strengths. Most network vulnerability scanners already include this as part of their vulnerability scanning process. OWASP provides detailed black and white box testing procedures to validate that a website only accepts connections using proper encryption strength (OWASP, 2011a).

In order to verify that weak encryption algorithms have been disabled on the web server, the auditor should check that the following registry keys have a DWORD value named "Enabled" set to 00000000:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
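Checking the keys from sections 8.2 and 8.3 one by one in the registry editor is error-prone, so an auditor will usually export the SCHANNEL hive and check the export offline. The script below is an added example, not code from the paper: it parses the text of a .reg file produced with reg export and reports every listed subkey whose Enabled value is missing or non-zero. The sample export is constructed for the example; the key names are exactly the ones the paper lists.

```python
r"""Check an exported SCHANNEL registry hive against the protocol and cipher
keys listed in sections 8.2 and 8.3.

Added illustration, not code from the paper. It parses the text of a .reg
file produced on the web server with
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" schannel.reg
(reg export writes UTF-16; decode the file before passing its text in). A key
without an Enabled value is reported for review rather than assumed disabled,
because the default then depends on the Windows version. The sample export
below is constructed for the example.
"""
import re
from typing import Dict, List, Optional

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Subkeys the paper lists; each must carry Enabled = dword:00000000.
MUST_BE_DISABLED = [
    r"Protocols\PCT 1.0\Server",
    r"Protocols\SSL 2.0\Server",
    r"Ciphers\DES 56/56",
    r"Ciphers\NULL",
    r"Ciphers\RC2 40/128",
    r"Ciphers\RC2 56/128",
    r"Ciphers\RC4 56/128",
    r"Ciphers\RC4 64/128",
    r"Ciphers\RC4 40/128",
]

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Map each key path in a .reg file to its DWORD values (other value types are skipped)."""
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        dword = DWORD_RE.match(line)
        if dword and current is not None:
            keys[current][dword.group("name")] = int(dword.group("hex"), 16)
    return keys


def audit_schannel(text: str) -> List[str]:
    """One finding per listed subkey that is not explicitly disabled."""
    keys = parse_reg_export(text)
    findings = []
    for sub in MUST_BE_DISABLED:
        values = keys.get(SCHANNEL + "\\" + sub)
        if values is None or "Enabled" not in values:
            findings.append(f"REVIEW {sub}: no Enabled value, so the Windows default applies")
        elif values["Enabled"] != 0:
            findings.append(f"FAIL {sub}: Enabled = {values['Enabled']:#010x}")
    return findings


def _entry(sub: str, enabled: int) -> str:
    """One key block in .reg syntax: the bracketed key path, then "Enabled"=dword:xxxxxxxx."""
    return f'[{SCHANNEL}\\{sub}]\n"Enabled"=dword:{enabled:08x}\n\n'


# Constructed export: PCT 1.0 is absent and RC4 40/128 is still enabled (0xffffffff).
SAMPLE_EXPORT = "Windows Registry Editor Version 5.00\n\n" + "".join(
    _entry(sub, 0) for sub in MUST_BE_DISABLED[1:8]
) + _entry(r"Ciphers\RC4 40/128", 0xFFFFFFFF)
```

A REVIEW line is not automatically a pass: on the Windows versions the paper targets, an absent Enabled value leaves the protocol or cipher at its built-in default, so the auditor still has to confirm the effective setting, for instance with the connection tests described above.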

8.4. Verifying cardholder data is encrypted during transit.

There are several approaches to verify that cardholder data is encrypted when transmitted over public, open networks. It can be verified by observing that HTTPS appears as a part of the browser URL when cardholder data is required. In addition, the auditor can install a network sniffer on their own system, interact with the website and capture packets while placing an order and/or entering test card data into the website. Packet captures should be inspected to verify that card numbers were not sent in clear text.

Since PCI DSS requires selecting a sample of transactions as they are received, it may make more sense to capture the packets on the server side of a production environment. Make sure that packets are being captured before the SSL/TLS connection ends. Wireshark, one of the most popular network sniffers, can be used to monitor and save the packet captures to a text file. Once the file has been obtained, a tool that uses regular expressions should be run to quickly validate that packets do not contain any full PAN numbers or sensitive authentication data in clear text.

9. Design Audit: Authentication, Authorization and Access Controls

9.1. Verifying password encryption, password policies, and lockout policies

Applications may use two types of credentials: credentials used to control access to the application features, and credentials used by the application to have access to resources such as databases and files, commonly known as service or application accounts. ASP.NET applications can use authentication modes based on Windows, Forms, and Passport. Forms authentication is a set of .NET libraries and ASP.NET controls that allow an application to authenticate users. Even though these libraries and controls are available, developers may have developed proprietary authentication forms outside of these libraries. If developers did use these features, PCI DSS compliance is greatly facilitated, as password and lockout policies can be easily configured by modifying attribute settings in the membership section of the web.config file. Inspect the web.config file and verify the current setting of the following attributes:

Attribute: maxInvalidPasswordAttempts
Description: The maximum number of password attempts allowed before a user account is locked out.
PCI DSS Compliance: Per PCI DSS req. 8.5.13 the value has to be set to no more than six invalid logon attempts.

Attribute: minRequiredNonalphanumericCharacters
Description: The number of special characters that must be present in a password.
PCI DSS Compliance: Not required; however, unless regular expressions are used to validate password complexity, it may be the only way to guarantee compliance with PCI DSS req. 8.5.11. This would have the unwanted result of requiring a mixture of letter casings as well as nonalphanumeric characters, which obviously goes far beyond what is required. ASP.NET by default sets this value to 1.

Attribute: minRequiredPasswordLength
Description: The minimum length of a valid password.
PCI DSS Compliance: Per PCI DSS req. 8.5.10 the value has to be set to at least seven characters. ASP.NET by default sets this value to 8 characters.

Attribute: passwordStrengthRegularExpression
Description: Specifies a regular expression used to validate password strength.
PCI DSS Compliance: This is the recommended way to enforce PCI DSS req. 8.5.11, which requires passwords to contain both numeric and alphabetic characters. The other way is to set minRequiredNonalphanumericCharacters, although that would go far beyond what is required. Verify that the regular expression validates that the password has at least one numeric character.

Attribute: passwordFormat
Description: Specifies the format of the stored password. This value can be set to Clear, Hashed, or Encrypted.
PCI DSS Compliance: Per PCI DSS req. 8.4, passwords have to be rendered unreadable using strong cryptography. Encrypted and Hashed are compliant with PCI DSS. ASP.NET by default sets this value to Hashed.

Attribute: passwordAnswerAttemptLockoutDuration
Description: Specifies the duration, in minutes, that a lockout due to a bad password answer is considered still in effect.
PCI DSS Compliance: Per PCI DSS req. 8.5.14 the lockout duration has to be set to a minimum of 30 minutes or until an administrator enables the user ID. ASP.NET by default sets this value to 30 minutes.

Attribute: requireSSL
Description: Specifies whether the cookie requires SSL in order to be returned to the server.
PCI DSS Compliance: Per PCI DSS req. 8.4 this value should be set to True. ASP.NET by default sets this value to False, which is not PCI DSS compliant. If cookies are not transmitted over a SSL connection, they could be captured and tampered with while crossing the network.

Table 3: Membership Provider Attributes

ASP.NET does not provide features to implement password aging (PCI DSS req. 8.5.9) nor password history (PCI DSS req. 8.5.12). These features would have to be implemented by developers. Interview the developers to find out how these requirements are being met.

Note that PCI DSS states that password and lockout policies are only required for non-consumer users and administrators. It is not intended for these policies to be applied to consumer users, since they only enter their own credit card information into the website.
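The checks in Table 3 can be applied mechanically to a web.config before the interview with the developers. The script below is an added example and not code from the paper: it reads the membership provider named by defaultProvider (or the first one registered), fills in the ASP.NET defaults the table states for attributes that are absent, and reports each attribute that conflicts with the requirement cited in the table; it also looks at the forms element for requireSSL and timeout. The 15-minute idle limit used for the timeout is PCI DSS requirement 8.5.15. The two web.config samples are constructed for the example, one as an auditor might find it and one with the Table 3 values applied.

```python
"""Audit the membership provider and forms attributes of a web.config against
the PCI DSS values in Table 3.

Added illustration, not code from the paper. Absent attributes fall back to
the ASP.NET defaults the table states. The two web.config samples at the end
are constructed for the example; the 15-minute idle limit for the forms
timeout is PCI DSS requirement 8.5.15.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Defaults Table 3 gives for attributes that are not set explicitly.
TABLE3_DEFAULTS = {
    "minRequiredNonalphanumericCharacters": "1",
    "minRequiredPasswordLength": "8",
    "passwordFormat": "Hashed",
    "passwordAnswerAttemptLockoutDuration": "30",  # ActiveDirectoryMembershipProvider attribute
}


def find_path(elem: Optional[ET.Element], *tags: str) -> Optional[ET.Element]:
    """Walk child elements by tag name (web.config tags contain dots, so XPath is avoided)."""
    for tag in tags:
        if elem is None:
            return None
        elem = next((c for c in elem if c.tag == tag), None)
    return elem


def membership_attributes(root: ET.Element) -> dict:
    """Attributes of the default (or first) membership provider plus Table 3 defaults."""
    attrs = dict(TABLE3_DEFAULTS)
    membership = find_path(root, "system.web", "membership")
    providers = find_path(membership, "providers")
    adds = [c for c in providers if c.tag == "add"] if providers is not None else []
    wanted = membership.get("defaultProvider") if membership is not None else None
    chosen = next((p for p in adds if p.get("name") == wanted), adds[0] if adds else None)
    if chosen is not None:
        attrs.update(chosen.attrib)
    return attrs


def audit_web_config(xml_text: str) -> List[str]:
    """One finding per attribute that conflicts with the PCI DSS requirement cited in Table 3."""
    root = ET.fromstring(xml_text)
    a = membership_attributes(root)
    findings: List[str] = []

    attempts = a.get("maxInvalidPasswordAttempts")
    if attempts is None:
        findings.append("REVIEW maxInvalidPasswordAttempts not set (req. 8.5.13: at most 6)")
    elif int(attempts) > 6:
        findings.append(f"FAIL maxInvalidPasswordAttempts={attempts} (req. 8.5.13: at most 6)")
    if int(a["minRequiredPasswordLength"]) < 7:
        findings.append(f"FAIL minRequiredPasswordLength={a['minRequiredPasswordLength']} (req. 8.5.10: at least 7)")
    if a["passwordFormat"].lower() == "clear":
        findings.append("FAIL passwordFormat=Clear (req. 8.4: passwords unreadable in storage)")
    if int(a["passwordAnswerAttemptLockoutDuration"]) < 30:
        findings.append("FAIL passwordAnswerAttemptLockoutDuration below 30 minutes (req. 8.5.14)")

    # Req. 8.5.11 (numeric and alphabetic characters): Table 3 recommends the regular expression.
    pattern = a.get("passwordStrengthRegularExpression")
    if pattern:
        try:
            rx = re.compile(pattern)  # assumes the .NET pattern is also valid Python syntax
            if rx.search("abcdefgh"):
                findings.append("FAIL passwordStrengthRegularExpression accepts a letters-only password (req. 8.5.11)")
            elif not rx.search("abcdefg1"):
                findings.append("REVIEW passwordStrengthRegularExpression is stricter than a digit requirement; confirm manually")
        except re.error:
            findings.append("REVIEW passwordStrengthRegularExpression could not be compiled; confirm manually")
    elif int(a["minRequiredNonalphanumericCharacters"]) == 0:
        findings.append("REVIEW neither a regular expression nor a non-alphanumeric requirement enforces req. 8.5.11")

    forms = find_path(root, "system.web", "authentication", "forms")
    if forms is not None:
        if forms.get("requireSSL", "false").lower() != "true":
            findings.append("FAIL forms requireSSL is not true (req. 8.4: passwords unreadable in transmission)")
        timeout = forms.get("timeout", "30")
        if int(timeout) > 15:
            findings.append(f"FAIL forms timeout={timeout} minutes (req. 8.5.15: idle timeout of 15 minutes)")
    return findings


# Constructed sample: the weak configuration an auditor might find.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="false" timeout="30" />
    </authentication>
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="PaymentsDb" passwordFormat="Clear"
             maxInvalidPasswordAttempts="10" minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="0" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Constructed sample: the same file with the Table 3 values applied.
HARDENED_CONFIG = WEAK_CONFIG.replace('requireSSL="false" timeout="30"', 'requireSSL="true" timeout="15"').replace(
    'passwordFormat="Clear"', 'passwordFormat="Hashed"').replace(
    'maxInvalidPasswordAttempts="10" minRequiredPasswordLength="6"',
    'maxInvalidPasswordAttempts="6" minRequiredPasswordLength="7" '
    'passwordStrengthRegularExpression="^(?=.*\\d)(?=.*[A-Za-z]).{7,}$"')
```

The regular-expression probe only catches the common case of a pattern that forgets the digit requirement; a pattern that the script marks REVIEW still has to be read by the auditor, and a provider other than the default one has to be audited separately if the application selects it explicitly in code.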

Windows authentication relies on Windows accounts and passwords, and authentication is handled by IIS and the browser. Windows password and lockout policies should be inspected if they are being used for authentication. PCI DSS compliance would depend on the IIS authentication method selected, since there are some authentication methods that are not compliant.

Passport authentication has been deprecated. Do not expect this to be used, as deprecated technologies are usually no longer supported by the vendor.

To verify which authentication mode is being used, inspect the web.config files for a machine and the ones located in the website directory. Once the XML file is open, search for the attribute "authentication mode". A value of "Windows" indicates that .NET is configured to allow IIS to handle the authentication. Follow these steps to check the authentication scheme inside IIS:

1. Launch the IIS management application
   - Click the "Start" button
   - Click "Run"
   - Type in "inetmgr"
   - Click "OK"
2. Navigate to the Authentication properties of the web site
   - Expand the tree titled "Sites" on the left-hand side
   - Click on the web site in question
   - The right-hand pane should be populated with a series of icons
   - Click on the icon labeled "Authentication"

The following two tables list the different authentication providers and authentication schemes supported by ASP.NET. The Pro and Con columns were populated using information from the Microsoft MSDN Library for ASP.NET authentication (Microsoft, 2011c) and IIS Authentication (Microsoft, 2011d).

Authentication Provider: Windows
Description: The Windows authentication provider relies upon IIS to perform the required authentication of a client. After IIS authenticates a client, it passes a security token to ASP.NET.
Pro:
- Authenticates using Windows accounts, so developers do not need to write any custom authentication code.
Con:
- May require the use and management of individual Windows user accounts.
PCI DSS Compliance: There are several types of Windows authentication; consult the IIS Authentication Scheme table in order to identify which schemes are compliant.

Authentication Provider: Forms
Description: The Forms authentication provider is an authentication scheme that makes it possible for the application to collect credentials using an HTML form directly from the client. The client submits credentials directly to the application code for authentication. If the application authenticates the client, it issues a cookie to the client that the client presents on subsequent requests. When authenticating credentials, the application can store credentials in a number of ways, such as a configuration file or a SQL Server database.
Pro:
- Makes it possible for custom authentication schemes using arbitrary criteria.
- Can be used for authentication or personalization.
- Does not require corresponding Windows accounts.
Con:
- Is subject to replay attacks for the lifetime of the cookie, unless using SSL/TLS.
- Is only applicable for resources mapped to Aspnet_isapi.dll.
PCI DSS Compliance: Compliant if properly implemented. ASP.NET 3.5 and later provides a membership management service. Microsoft provides additional information regarding the ASP.NET membership management service on the MSDN website (MSDN, 2011e). Inspect the web.config file and verify the values of the following attributes: protection, timeout, requireSSL, passwordFormat, minRequiredPasswordLength. These attributes have the potential to affect requirements 8.4 (passwords unreadable during transmission and storage), 8.5.10 (minimum password length), and 8.5.15 (session timeout). For example, if requireSSL has been set to False, passwords would be transmitted in clear text unless using SSL/TLS. If passwordFormat has been set to 'Clear', passwords would be stored in clear text.

Authentication Provider: Passport
Description: Uses Microsoft Passport for the authentication process. This setting is deprecated.
Pro:
- None.
Con:
- Deprecated.
PCI DSS Compliance: Do not expect this one to be in use, as it has been deprecated.

Authentication Provider: None
Description: Specify "None" as the authentication provider when users are not authenticated at all or if the developer plans to develop custom authentication code.
Pro:
- Offers total control of the authentication process, providing the greatest flexibility.
- Provides the highest performance if you do not implement an authentication method.
Con:
- Requires extra work to custom-build an authentication scheme.
- Custom-built authentication schemes are seldom as secure as those provided by the operating system.
PCI DSS Compliance: This mode is not recommended. Compliant if a custom-built authentication scheme has been properly implemented. A thorough review of the implementation would be required to verify that the authentication scheme meets all applicable PCI DSS requirements.

Table 3: ASP.NET Authentication Modes

Authentication Scheme: Anonymous
Description: Anonymous authentication gives users access to the public areas of a Web site without prompting them for a user name or password. Although listed as an authentication scheme, it is not technically performing any client authentication because the client is not required to supply any credentials. Instead, IIS provides stored credentials to Windows using a special user account, IUSR_machinename. By default, IIS controls the password for this account.
Pro:
- Offers the best performance because Anonymous authentication imposes no appreciable overhead.
- Does not require management of individual user accounts.
- If IIS does not control the password, can access network resources.
Con:
- Does not authenticate clients on an individual basis.
- If IIS does not control the password, the account must have local logon ability.
PCI DSS Compliance: Not compliant if the application is used to access cardholder data. It would not meet PCI DSS requirement 8.2.

Authentication Scheme: Basic
Description: IIS implements Basic authentication, which is part of the HTTP 1.0 specification, using Windows user accounts. When using Basic authentication, the browser prompts the user for a user name and password. This information is then transmitted across HTTP, where it is encoded using Base64 encoding. Because it is easy to decode Base64 encoded data, Basic authentication is essentially sending the password as plain text. Although most Web servers, proxy servers, and Web browsers support Basic authentication, it is inherently insecure.
Pro:
- Because it is part of the HTTP 1.0 specification, Basic is the most widely supported user authentication scheme.
- Can authenticate through a proxy server.
- Makes it possible to track individual users.
- Can be used in conjunction with Kerberos, enabling delegation of security credentials.
- Can access network resources.
Con:
- Is inherently insecure unless using SSL/TLS.
- Requires the creation of individual Windows accounts for each user.
PCI DSS Compliance: Not compliant unless SSL/TLS is used. Without SSL/TLS, it would not meet PCI DSS requirement 8.4.
OWASP Top 10: Without SSL/TLS, it would not meet OWASP Top 10 A3 and/or OWASP Top 10 A9, resulting in not being compliant with PCI DSS requirement 6.
CWE/SANS Top 25: Without SSL/TLS, it would not meet CWE-311, resulting in not being compliant with PCI DSS requirement 6.

Authentication Scheme: Digest
Description: Digest authentication addresses the primary weakness of Basic authentication: sending passwords in plain text. Digest authentication is a challenge/response mechanism, which sends a digest (also known as a hash) instead of a password over the network. A digest is a fixed-size result obtained by applying a mathematical function (called a hash function or digest algorithm) to an arbitrary amount of data. The fixed size depends upon the level of encryption. When a client attempts to access a resource requiring Digest authentication, IIS sends a challenge to the client to create a digest and send it to the server. The client concatenates the password with data known to both the server and the client. The client then applies a digest algorithm (specified by the server) to the combined data. The client sends the resulting digest to the server as the response to the challenge. The server uses the same process as the client to create a digest using a copy of the client's password it obtains from Active Directory, where the password is stored using reversible encryption. If the digest created by the server matches the digest created by the client, IIS authenticates the client.
Pro:
- Sends a digest over the network instead of a password.
- Works with proxy servers and firewalls.
- Does not require SSL/TLS for the sake of password protection.
Con:
- Is only supported by Internet Explorer 5.0 and later.
- Requires the creation of domain accounts for each user in Active Directory.
- Requires storing of passwords in clear text using reversible encryption.
- Is subject to replay attacks unless SSL/TLS is used.
- Cannot delegate security credentials.
PCI DSS Compliance: Not compliant unless SSL/TLS is used.

Authentication Scheme: Integrated Windows Authentication
Description: Integrated Windows authentication (formerly known as NTLM authentication and Windows NT Challenge/Response authentication) can use either NTLM or Kerberos V5 authentication and only works with Internet Explorer 2.0 and later. When Internet Explorer attempts to access a protected resource, IIS sends two WWW-Authenticate headers, Negotiate and NTLM. If Internet Explorer recognizes the Negotiate header, it will choose it because it is listed first. When using Negotiate, the browser will return information for both NTLM and Kerberos. At the server, IIS will use Kerberos if both the client (Internet Explorer 5.0 and later) and server (IIS 5.0 and later) are running Windows 2000 and later, and both are members of the same domain or trusted domains. Otherwise, the server will default to using NTLM. If Internet Explorer does not understand Negotiate, it will use NTLM. Therefore, which mechanism is used depends upon a negotiation between Internet Explorer and IIS. When used in conjunction with Kerberos v5 authentication, IIS can delegate security credentials among computers running Windows 2000 and later that are trusted and configured for delegation. Delegation enables remote access of resources on behalf of the delegated user.
Pro:
- Integrated Windows authentication is the best authentication scheme in an intranet environment where users have Windows domain accounts, especially when using Kerberos.
- Integrated Windows authentication, like Digest authentication, does not pass the user's password across the network. Instead, a hashed value is exchanged.
- Can be used in conjunction with Kerberos, enabling delegation of security credentials.
Con:
- It is only supported by Internet Explorer 2.0 and later.
- Kerberos is only supported by IIS 5.0 and later.
- Does not support delegation to other servers if NTLM is chosen.
- Cannot authenticate through a firewall via a proxy, unless used over a PPTP connection.
PCI DSS Compliance: Not compliant when using NTLM authentication, since it has been deemed insecure, resulting in PCI DSS requirement 2.2 not being met. When using Kerberos V5 and properly implemented, this scheme could be compliant.

Authentication Scheme: Client Certificate Mapping
Description: IIS uses SSL/TLS to authenticate a server and provide an encrypted HTTP session. IIS can also use SSL/TLS to authenticate the client by requiring the client to provide a certificate. When requesting a client certificate, the server provides the client with a list of CAs that the server trusts. This list is derived from the server's Certificate Trust List (CTL). If the client possesses a certificate issued by a CA from the CTL, it sends a copy of that certificate to the server for verification. If the certificate is valid, IIS authenticates the user.
Pro:
- Includes a strong authentication scheme.
- Provides two-way authentication of server and client.
- Can access network resources.
- Many-to-one mapping can be easier than one-to-one.
Con:
- Requires SSL/TLS.
- Does not work with all browsers.
- Cannot delegate security credentials.
PCI DSS Compliance: Not compliant when using many-to-one mappings, as it will not meet PCI DSS requirement 8.
Is cumbersome to configure.1 One-to-one mappings could be compliant if properly implemented.

A u t h o r r e t a i n s f u l l r i g h t s . Moldes. Operating systems such as Windows still require the notion of a user account. PCI DSS Compliance Table 4 . to a user account.IIS Authentication Schemes . or multiple certificates (many-to-one). Certificate mapping makes it possible for administrators to associate a single certificate (one-toone mapping). christian_moldes@hotmail. How to Audit ASP. Many-to-one mapping uses rules to define certificate criteria for mapping.Authentication Scheme Christian J.NET Applications for PCI DSS Compliance 30 Description Pro Con that maps to the provided certificate.com © 2 0 1 2 S A N S I n s t i t u t e .

The other type of credentials an application may use are service or application credentials, which may be stored in configuration files such as machine.config, web.config, or log4net.XmlConfigurator (if log4net is being used), in the registry, in database tables, or in the system. Credentials should not be hardcoded: there are several tools that can extract strings from executables and compiled code, so it would be very easy for an attacker to find out hardcoded credentials.

ASP.NET provides functionality to encrypt sections of a web.config configuration file and automatically decrypt them when needed. By using the aspnet_regiis command, a section in the web.config file can be encrypted through the RSA (Rivest, Shamir, Adleman) algorithm. While this is useful to render credentials unreadable, anyone with local system access will therefore potentially be able to decrypt these sections by using the same command. Nevertheless, aspnet_regiis meets requirement 8.4 as it renders passwords unreadable using strong cryptography. Microsoft provides detailed information on how to protect configuration files on the MSDN website (Microsoft, 2011f).

Credentials can be stored in the registry securely by using the aspnet_setreg command. This command was used as a workaround for sensitive data stored in the web.config file before the release of aspnet_regiis; this approach, or a similar one based on the same concept, can still be used to store sensitive data in the registry. aspnet_setreg uses DPAPI and 3DES to encrypt data; therefore, it meets PCI DSS requirement 8.4. For additional information on DPAPI, consult the MSDN Library article "Windows Data Protection" (Microsoft, 2001). For additional information on how to use aspnet_setreg, consult the Microsoft Support Site article "How to use the ASP.NET utility to encrypt credentials and session state connection strings" (Microsoft, 2007).

Credentials can also be stored in database records. A discussion of database security is out of scope for this paper. PCI DSS does not provide any specific guidance regarding this, so technically, as long as credentials are encrypted using strong encryption, it should not affect PCI DSS compliance. Not all databases encrypt communication between the clients and the database by default, so credentials could be transmitted in clear text. Auditors should verify that encryption has been properly configured.

In many assessments, it was found that developers were using application and service accounts to support the application. It is not a good practice, because developers will then have credentials to access the production environment. Furthermore, this does not provide any accountability, as it would be difficult to track down which specific developer accessed the production environment. Obviously, this practice would not meet PCI DSS requirement 8.5, which prohibits the use of group, shared or generic accounts for individuals.

9.2. Verifying the use of Identities and Impersonation

By default, ASP.NET runs under an account that has limited privileges; however, this could have been changed to provide an application higher privileges. Inspect the machine.config file and the values for the identity attributes in the processModel section. The following table lists possible values for the userName attribute:

Value: machine
Description: It forces ASP.NET to run under the system account (ASPNET or Network Service). It is the most secure setting, as it forces the ASP.NET account to run under the fewest number of privileges possible.

Value: system
Description: It forces ASP.NET to run under the local SYSTEM account. It has considerably more privileges to access networking and files than the privileges granted to machine.

Value: other value
Description: It uses the account and password provided in the configuration file. It inherits all the privileges the specified account offers.
PCI DSS Compliance: Not compliant if the password is not encrypted.

Table 5 – Identities

ASP.NET applications can use impersonation to execute the application with the Windows account of the user making the request, or under a specified account that is declared using the <identity> element in the web.config file. Inspect the web.config file and verify that, if impersonation is being used, passwords are encrypted as detailed in previous sections. Microsoft provides detailed information regarding ASP.NET impersonation on the MSDN Library website (Microsoft, 2011f).

9.3. Verifying authorization and access controls

In addition to the membership service, ASP.NET provides a role management service, which facilitates the implementation of roles and access controls. However, most of this functionality has to be implemented programmatically. Follow these steps to check whether ASP.NET roles are being used:

1. Launch the Internet Information Services (IIS) Manager application:
   - Click the "Start" button
   - Click "Run"
   - Type in "inetmgr"
   - Click "OK"
2. Inspect the .NET Users, .NET Roles, and .NET Authorization Rules settings for the web site:
   - Expand the tree titled "Sites" on the left-hand side
   - Click on the web site in question
   - The right-hand pane should be populated with a series of icons
   - Click on the icon labeled ".NET Users" for ASP.NET user accounts
   - Click on the icon labeled ".NET Roles" for ASP.NET roles
   - Click on the icon labeled ".NET Authorization Rules" for the authorization rules assigned to roles and accounts

In order to audit authorization and access controls, a deep understanding of a company's business processes and the application's role and functionality is needed.

10. Design Audit: Logging

ASP.NET provides several ways to log errors, including logging to the Windows Event Log, logging to a file, logging to a database, sending logs by e-mail, using WMI (Windows Management Instrumentation) events, or using a framework such as log4net. In all cases, logs should be programmatically created for the events PCI DSS requires to be logged. If Windows authentication is used, part of the required logs will be kept in the Windows event log. Since some of the requirements are very specific, a good understanding of PCI DSS log requirements is critical.

10.1. PCI DSS Requirements for Logging

The following table lists the PCI DSS requirements that apply to logging:

PCI DSS Requirement 10.1
Description: Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
Audit Procedures: This requirement is addressed externally to the application, usually by enabling logging on the system hosting the application. No action required from an application audit's perspective.

PCI DSS Requirement 10.2.1
Description: Implement automated audit trails for all system components to reconstruct all individual accesses to cardholder data.
Audit Procedures: If the application provides access to cardholder data, audit trails should be enabled to reconstruct who accessed specific data. Requirement 10.3 details the information that each log entry should have. Inspect log entries to verify that this requirement has been addressed and that log entries contain all the information detailed in requirement 10.3.

PCI DSS Requirement 10.2.2
Description: Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.
Audit Procedures: This requirement is addressed externally to the application, usually by enabling logging on the system hosting the application. Applications may have settings that, if changed, would change the security behavior of the application, for example, disabling masking for PANs, allowing unauthenticated access to the application, etc. In those cases, the application should also have audit trails to log any actions taken by an administrator. Inspect log entries to verify that this requirement has been addressed.

PCI DSS Requirement 10.2.3
Description: Implement automated audit trails for all system components to reconstruct access to all audit trails.
Audit Procedures: An audit trail entry should be created every time an individual accesses audit trail entries. Inspect log entries to verify that this requirement has been addressed.

PCI DSS Requirement 10.2.4
Description: Implement automated audit trails for all system components to reconstruct invalid logical access attempts.
Audit Procedures: An audit trail entry should be created every time an invalid logical access attempt occurs. Inspect log entries to verify that this requirement has been addressed.

PCI DSS Requirement 10.2.5
Description: Implement automated audit trails for all system components to reconstruct use of identification and authentication mechanisms.
Audit Procedures: Audit trail entries should be created not only for invalid logical access attempts but also when someone successfully passes the authentication process. Inspect log entries to verify that this requirement has been addressed by showing the identification and authentication mechanisms used during a successful authentication attempt.

PCI DSS Requirement 10.2.6
Description: Implement automated audit trails for all system components to reconstruct initialization of the audit logs.
Audit Procedures: In the event that files external to the application are used, an audit trail entry should be generated every time someone initializes the log. Per requirement 10.5.3, logs should be promptly backed up to a centralized log server or media that is difficult to alter. If that requirement is met by forwarding logs continuously, no further action is required from an application audit's perspective. If that is not the case, verify the audit trails enabled for that file on Windows or within the application. See comments on requirement 10.2 as well.

PCI DSS Requirement 10.2.7
Description: Implement automated audit trails for all system components to reconstruct creation and deletion of system-level objects.
Audit Procedures: This requirement is addressed externally to the application, usually by enabling logging on the system hosting the application. No action required from an application audit's perspective.

PCI DSS Requirement 10.5.5
Description: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Audit Procedures: It is very difficult to implement this requirement if the log is managed by the application in a file external to the application. It would be very easy to replace the file with a null file, or with an altered copy of the file after purging audit trails, leaving the application unaware of the change. A file integrity monitoring solution will not be able to work properly on a file that is changing continuously. The application or the operating system should be able to detect any changes to the external local file; otherwise, additional security controls would be needed if the log file were kept outside the application's control. This requirement is usually met by implementing a process to forward audit logs continuously, as they are generated, to a centralized log repository, and implementing change detection on that repository. So, PCI DSS requirement 10.6 could be implemented on the centralized log repository. If this has not been implemented, it will be very difficult to demonstrate that this requirement has been met.

If the application is responsible for detecting changes to logs, observe audit trail and alert entries after an attempt to tamper with the log files. Even if audit trail entries are inserted into a database, it is difficult to detect that an individual entry is missing from the audit trail table, unless database triggers are enabled to detect any alteration or deletion on the audit trail table. One other way to meet this requirement is keeping a hash value of the audit trail entries, where the hash record is obtained from the values of the current audit trail entry plus some values of the previous entry. By doing this, it would be possible to detect that a previous entry has been deleted or changed. A process should be implemented to periodically recalculate hashes and detect unauthorized changes; otherwise, the application would have all the functionality to detect unauthorized changes but the process to report the changes would never be run.

Table 6 – Audit Procedures for PCI DSS Log Requirements
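The hash-chained audit trail described for requirement 10.5.5 above, as an added example that is not part of the paper: each stored record carries the previous record's hash (which covers all of the previous entry's values, a stronger variant of "some values of the previous entry") and a SHA-256 over that hash plus its own fields, and a verification routine recalculates the chain the way the periodic check the paper calls for would. The JSON canonical form, the GENESIS value and the sample entries are assumptions; the entries are constructed and carry the fields PCI DSS 10.3 expects.

```python
"""Hash-chained audit trail (added example for this paper, not the paper's or
ASP.NET's own code). Each stored record carries the previous record's hash and
a SHA-256 over that hash plus its own fields, so deleting or altering any
earlier entry breaks the chain when the hashes are recalculated."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, object]
GENESIS = "0" * 64  # assumed prev_hash for the first record

# Constructed sample entries (user, event type, date/time, result, origin, resource).
SAMPLE_ENTRIES: List[Entry] = [
    {"seq": 1, "user": "jdoe", "event": "login", "time": "2011-10-23T09:00:00Z",
     "result": "success", "origin": "10.0.0.5", "resource": "/Account/Login"},
    {"seq": 2, "user": "mallory", "event": "login", "time": "2011-10-23T09:02:10Z",
     "result": "failure", "origin": "10.0.0.9", "resource": "/Account/Login"},
    {"seq": 3, "user": "jdoe", "event": "view-cardholder-data", "time": "2011-10-23T09:05:00Z",
     "result": "success", "origin": "10.0.0.5", "resource": "/Customers/1042"},
    {"seq": 4, "user": "admin", "event": "setting-change", "time": "2011-10-23T09:30:00Z",
     "result": "success", "origin": "10.0.0.2", "resource": "customErrors.mode"},
]


def canonical(entry: Entry) -> bytes:
    # Deterministic serialisation so writer and verifier hash identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def chain_hash(entry: Entry, prev_hash: str) -> str:
    digest = hashlib.sha256()
    digest.update(prev_hash.encode("ascii"))
    digest.update(canonical(entry))
    return digest.hexdigest()


def append_entry(trail: List[dict], entry: Entry) -> dict:
    """Store an entry with the previous record's hash and its own chain hash."""
    prev = trail[-1]["hash"] if trail else GENESIS
    record = dict(entry)
    record["prev_hash"] = prev
    record["hash"] = chain_hash(entry, prev)
    trail.append(record)
    return record


def build_trail(entries: List[Entry]) -> List[dict]:
    trail: List[dict] = []
    for entry in entries:
        append_entry(trail, entry)
    return trail


def verify_trail(trail: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Recalculate every hash; return (ok, reason). expected_head is the newest
    hash as forwarded to the centralized log server (requirement 10.5.3);
    without it, removal of the newest entries cannot be detected."""
    prev = GENESIS
    for record in trail:
        body = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
        if record["prev_hash"] != prev:
            return False, f"chain break before seq {record['seq']}"
        if chain_hash(body, prev) != record["hash"]:
            return False, f"entry seq {record['seq']} altered"
        prev = record["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "newest entries missing (head hash mismatch)"
    return True, None


if __name__ == "__main__":
    trail = build_trail(SAMPLE_ENTRIES)
    print(verify_trail(trail))                  # (True, None)
    print(verify_trail(trail[:1] + trail[2:]))  # deleting entry 2 is detected at seq 3
```

Truncating the newest entries keeps the chain internally consistent, which is why the last hash must also be kept somewhere the application cannot rewrite, such as the centralized log server.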

10.2. Error Handling

Error pages can provide useful information for developers and, unfortunately, for attackers as well. In order to verify that this does not occur, inspect the web.config file and verify that customErrors have been defined. ASP.NET provides the following custom error modes: Off, On, and RemoteOnly.

Setting (customErrors mode): Off
Description: Specifies that custom errors are not enabled and that a page with detailed error information should be displayed in all cases.
PCI DSS Compliance: Not compliant, as this would provide potentially compromising information about a website to anyone who can cause an error to occur on the website.

Setting (customErrors mode): On
Description: Specifies that custom errors are enabled.
PCI DSS Compliance: Compliant if implemented properly.

Setting (customErrors mode): RemoteOnly
Description: Specifies that custom errors should be used for any external user accessing the website. For local users accessing the site from the web server itself, a detailed error page is displayed.
PCI DSS Compliance: Compliant if implemented properly.

Table 7 – CustomErrors Mode Settings

The following web.config excerpt shows custom errors properly configured (the element name is case-sensitive, so it must be written customErrors, and comments inside web.config use XML comment syntax):

    <system.web>
      <customErrors mode="RemoteOnly" defaultRedirect="~/DefaultRedirectErrorPage.aspx">
        <error statusCode="404" redirect="~/PageNotFound.aspx" />
        <!-- Other status codes. -->
      </customErrors>
    </system.web>

Not all errors would be raised at the page level; application-level errors can also occur, and they will not be handled by this custom error functionality. Microsoft provides detailed information regarding how to manage error handling on the MSDN website (Microsoft, 2011h).
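An auditor's check for two of the settings inspected in sections 9.2 and 10.2 above (the customErrors mode and clear-text credentials in the identity and processModel elements), as an added example that is not the paper's or Microsoft's code. It assumes configuration text is passed in as a string (processModel is read from machine.config, so pass that file's text for it); the weak and hardened sample configs are constructed, and the encrypted-section detection relies on the configProtectionProvider attribute that aspnet_regiis adds.

```python
"""Audit checks over ASP.NET configuration text (added example for this paper,
not the paper's or Microsoft's own code): flags customErrors mode=Off and
clear-text credentials in <identity> / <processModel>. Sample configs are
constructed."""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample with three of the weak settings discussed in the paper.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <identity impersonate="true" userName="CONTOSO\\svc_web" password="Pa55word" />
    <processModel userName="SYSTEM" password="AutoGenerate" />
  </system.web>
</configuration>"""

# Constructed sample after remediation: RemoteOnly with a default redirect, the
# <identity> section encrypted by aspnet_regiis (which replaces its content with
# <EncryptedData> and adds configProtectionProvider), default process identity.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/PageNotFound.aspx" />
    </customErrors>
    <identity configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>BASE64-PLACEHOLDER</EncryptedData>
    </identity>
    <processModel userName="machine" password="AutoGenerate" />
  </system.web>
</configuration>"""


def _system_web(root: ET.Element) -> Optional[ET.Element]:
    # Iterate rather than find(): the dot in "system.web" is an XPath operator.
    return next((child for child in root if child.tag == "system.web"), None)


def _is_protected(section: ET.Element) -> bool:
    # A section encrypted with aspnet_regiis carries configProtectionProvider.
    return section.get("configProtectionProvider") is not None


def audit_config(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings: List[str] = []
    web = _system_web(ET.fromstring(xml_text))
    if web is None:
        return ["no <system.web> section found"]

    custom_errors = web.find("customErrors")
    if custom_errors is None:
        findings.append("customErrors not defined; the mode should be set explicitly")
    elif custom_errors.get("mode", "").lower() == "off":
        findings.append("customErrors mode=Off exposes detailed errors to remote users")

    identity = web.find("identity")
    if identity is not None and not _is_protected(identity):
        if identity.get("impersonate", "").lower() == "true" and identity.get("password"):
            findings.append("identity: impersonation password stored in clear text")

    process_model = web.find("processModel")
    if process_model is not None:
        user = process_model.get("userName", "machine")
        if user.lower() == "system":
            findings.append("processModel userName=SYSTEM grants more privileges than needed")
        elif user.lower() != "machine" and not _is_protected(process_model):
            password = process_model.get("password", "AutoGenerate")
            if password and password.lower() != "autogenerate":
                findings.append("processModel: custom account password stored in clear text")
    return findings


if __name__ == "__main__":
    for line in audit_config(WEAK_CONFIG):
        print("FINDING:", line)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))  # []
```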

11. Secure Coding Audit

PCI DSS requirement 6.5 requires organizations to develop software applications using secure coding best practices such as OWASP, CWE/SANS Top 25, or CERT Secure Coding. PCI DSS section 6 also requires formal processes to review all custom code by individuals other than the author (PCI DSS req. 6.3.2), a formal change management process (PCI DSS req. 6.4), and a manual or automated application vulnerability security assessment at least annually if web application firewalls have not been deployed (PCI DSS req. 6.6). In addition, PCI DSS requires an annual network and application penetration test (PCI DSS req. 11.3). For an organization meeting all these requirements, the auditor should have enough evidence to confirm that the application is free of application security risks (OWASP) and dangerous software errors (CWE/SANS Top 25). It is not the intent for the QSA or internal assessor to validate what should have already been validated during these previous tasks. Nevertheless, auditors, besides interviewing developers and observing documentation, may need to conduct a quick check to validate that the code reviews, security assessments, vulnerability scans, and penetration tests have been able to uncover most of the security flaws and vulnerabilities listed in those standards. The intent of the following sections is to provide basic guidelines and links to resources where additional information can be obtained in the event that the auditor may need it.

The first table lists all the applicable PCI DSS requirements, a brief description of what is being required, a reference to OWASP if that requirement is currently listed as one of the top 10 security risks, and a basic procedure to verify that applications are compliant with that requirement.

PCI DSS Req. 6.5.1
Description: Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws, as well as other injection flaws.
Standards Reference: OWASP Top 10 – A1
Audit Procedure: Interview developers to identify the security controls implemented in the application to deal with injection vulnerabilities. Developers may be using one or more of the following options to protect applications against injection attacks:
1) Prepared statements (parameterized queries)
2) Stored procedures
3) Escaping all user-supplied input
4) Using LINQ
5) Using web services
OWASP Top 10 – A1 audit procedures provide detailed steps on how to test for this vulnerability (OWASP Foundation, 2011b). Ferruh Mavituna's website lists several samples of injection attacks the auditor may use to test an application (Mavituna, 2007). Commercial web vulnerability scanners such as Acunetix WVS, SPI Dynamics WebInspect, and IBM AppScan can detect these types of vulnerabilities. OWASP's WebScarab can also be helpful to test this and other requirements (OWASP Foundation, 2008).

PCI DSS Req. 6.5.2
Description: Buffer overflow
Standards Reference: -
Audit Procedure: In managed code such as VB or C#, numeric overflows cannot lead to buffer overflows as they can in unmanaged code (e.g., C or C++). This is due to the Common Language Runtime (CLR) handling the effects of the numeric overflow gracefully. Therefore, as long as unsafe or unmanaged code is not invoked, such as through the use of P/Invoke or COM Interop, an ASP.NET application is not vulnerable to this type of security flaw. In the event that P/Invoke or COM Interop are used, OWASP provides test procedures for buffer overflow vulnerabilities (OWASP Foundation, 2011c). However, buffer overflows could affect the platforms on which web applications run. Network vulnerability scan and penetration test reports should be clean of any buffer overflow vulnerabilities to pass this requirement.

PCI DSS Req. 6.5.3
Description: Insecure cryptographic storage
Standards Reference: OWASP Top 10 – A7
Audit Procedure: Audit procedures for this requirement were discussed in section 6.3 and sections 7 and 8 of this paper. OWASP Top 10 – A7 audit procedures provide detailed steps on how to test for this vulnerability (OWASP Foundation, 2011d).

PCI DSS Req. 6.5.4
Description: Insecure communications
Standards Reference: OWASP Top 10 – A9
Audit Procedure: In section 9.1 of this paper, the need to have requireSSL set to True was discussed. OWASP Top 10 – A9 audit procedures provide detailed steps on how to test for this vulnerability (OWASP Foundation, 2011e).

PCI DSS Req. 6.5.5
Description: Improper error handling
Standards Reference: -
Audit Procedure: Audit procedures for this requirement were discussed in section 10.2 of this paper.

PCI DSS Req. 6.5.6
Description: All "High" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2)
Standards Reference: -
Audit Procedure: An organization could become aware of new security vulnerabilities through network vulnerability scans, penetration tests, and security newsletters. In order to verify compliance for this requirement, both network vulnerability scans and penetration tests should be clean of high vulnerabilities. Audit procedures for this requirement were discussed in section 8 of this paper.

PCI DSS Req. 6.5.7
Description: Cross-site scripting (XSS)
Standards Reference: OWASP Top 10 – A2
Audit Procedure: Microsoft provides a library to deal with Cross-site Scripting (XSS), the Microsoft Anti-XSS Library. Interview developers to verify that the library is being used, and that it has been properly implemented. Microsoft provides additional details regarding the Anti-Cross Site Scripting Library on the MSDN website (Microsoft, 2011i). OWASP Top 10 – A2 audit procedures provide detailed steps on how to test for this vulnerability (OWASP Foundation, 2011f). In order to verify that this vulnerability does not exist, a web proxy such as Burp Suite, Paros, or WebScarab can be used to inspect POST and GET requests, and tamper with parameters and values as they are posted to the web site. Examples of cross-site scripting attacks that can be copied and pasted into the application being tested are available on RSnake's website (RSnake, 2008). One important thing to remember is that some web browsers may not be vulnerable to some types of attacks due to the implementation of anti cross-site scripting features. That does not mean that the application is not vulnerable to that type of attack; therefore, tests should include all the most popular browsers.

PCI DSS Req. 6.5.8
Description: Improper Access Control (such as insecure direct object references, failure to restrict URL access, and directory traversal)
Standards Reference: OWASP Top 10 – A4 Insecure Direct Object References; OWASP Top 10 – A8 Failure to Restrict URL Access; Directory Traversal / Path Traversal
Audit Procedure: A good understanding of the application functionality, roles, and permissions is needed. Using unauthenticated and authenticated access and the website directory structure, validate that critical URLs and resources cannot be accessed directly. According to Mitre (2011), "Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the software's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability. Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints."

The following automated tools may be helpful in validating this requirement:
1) DotDotPwn – The Directory Traversal Fuzzer, which is now included in the BackTrack penetration testing Linux distro (Chr1x, 2010)
2) Commercial web vulnerability scanners such as Acunetix WVS, SPI Dynamics WebInspect, and IBM AppScan can detect these types of vulnerabilities
3) OWASP's WebScarab can also be helpful to test this and other requirements (OWASP Foundation, 2011b)
OWASP published testing procedures for OWASP Top 10 A4 (OWASP Foundation, 2011g) and OWASP Top 10 A8 (OWASP Foundation, 2011h).

PCI DSS Req. 6.5.9
Description: Cross-site request forgery (CSRF)
Standards Reference: OWASP Top 10 – A5
Audit Procedure: Developers may state that they are using ViewState, which is enabled by default; however, that may not be sufficient to deal with CSRF. Smolen (2008) discovered that ASP.NET anti-CSRF features do not work for non post-backs. In order to verify that CSRF risks have been adequately treated, verify the following:
1) ViewState is enabled and has not been disabled in the web.config files (site or directory) or programmatically for specific pages.
2) ViewStateUserKey is being used programmatically with a unique value per user/session.
3) ViewStateEncryptionMode has been set to Always or Auto if the most critical pages have controls that request encryption.

Developers may be using customized modules to manage this risk. Solutions that would successfully deal with this vulnerability are:
- AntiCSRF (Blowdart, 2007)
- .Net CSRF Guard (OWASP Foundation, 2011j)
- Captcha Controls (Wumpus1, 2009)
OWASP published a tool to test Cross-Site Request Forgery (CSRF) named CSRFTester, which could be very useful to test an application for this type of vulnerability (OWASP Foundation, 2011i). OWASP Top 10 – A5 audit procedures provide detailed steps on how to test for this vulnerability (OWASP Foundation, 2011k).

Table 8 – Audit Procedures for PCI DSS section 6

Out of the OWASP Top 10 list of most critical web application security flaws, seven have been addressed in a specific requirement by the current version of the PCI DSS Standard. In the 2010 version of the OWASP Top 10 security flaws there are still three security flaws that have not been addressed by PCI DSS directly. However, per PCI DSS requirement 6.5, the current version of the best practices document should be used. These flaws are listed in the following table.

OWASP Top 10 Security Flaw: A3
Description: Broken Authentication and Session Management
Audit Procedure: Follow OWASP audit procedures for testing authentication (OWASP Foundation, 2010), and specifically for OWASP Top 10 – A3 (OWASP Foundation, 2011l).

OWASP Top 10 Security Flaw: A6
Description: Security Misconfiguration
Audit Procedure: This requirement is mostly related to the platform on which the application runs; it is outside the scope of this paper. However, the following resources may be helpful to deploy a secure platform on which applications can run:

- CIS (Center for Internet Security) provides secure configuration standards for Microsoft IIS web servers v. 5.0, 6.0, and 7.0, and Windows OS 2003 and 2008 (Center for Internet Security, 2011).
- As part of the IIS 6.0 Resource Kit, Microsoft published specific guidance on how to lock down an IIS 6.0 configuration; refer to Chapter 3 - Securing Web Sites and Applications (Microsoft, 2011j).
OWASP Top 10 – A6 audit procedures provide detailed steps on how to test for this vulnerability (OWASP Foundation, 2011m).

OWASP Top 10 Security Flaw: A10
Description: Unvalidated Redirects and Forwards
Audit Procedure: According to Mitre (2011), automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected; automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives. Using white box techniques may be the best approach to validate compliance for this security flaw. OWASP Top 10 – A10 audit procedures provide detailed steps on how to test for this vulnerability (OWASP Foundation, 2011n).

Table 9 – OWASP Top 10 Security Flaws not Included in PCI DSS Requirements

As mentioned previously, PCI DSS v2.0 emphasized other standards besides the OWASP Top 10. Some organizations may have decided that the CWE/SANS Top 25 Most Dangerous Software Errors fit their needs better than OWASP. The following table lists all the CWE/SANS Top 25 software errors, a reference to the OWASP Top 10 if the error is covered in some way by an entry on the OWASP Top 10 list, a description of the software error, and a basic procedure to validate that applications are not vulnerable to those software errors.

5.7 and OWASP Top 10 Security Flaw A2 above.5. A u t h o r r e t a i n s f u l l r i g h t s . 6. Christian J.basic procedure to validate applications are not vulnerable to those software errors. Mitre list several other related CWEs that should be included as part of a review of CWE-862. 2010 A1 Description Audit Procedure Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-78 A1 CWE-120 CWE-79 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Refer to the audit procedure for PCI DSS Req.5.8 and OWASP Top 10 Security Flaw A4 and A8 above.5. OWASP Top 10 Security Flaw A4 and A8. 6. 6.5.NET Applications for PCI DSS Compliance 46 CWE/SANS Top 25 Most Dangerous Software Error CWE-89 OWASP Top 10 Security Flaw v.2 of this paper.5. A2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-306 A4 A8 A4 Missing Authentication for Critical Function CWE-862 Missing Authorization Refer to the audit procedure for PCI DSS Req. . How to Audit ASP.8.1 and OWASP Top 10 Security Flaw A1 above.1 and OWASP Top 10 Security Flaw A1 above. 6. Refer to the audit procedure for PCI DSS Req.com © 2 0 1 2 S A N S I n s t i t u t e . 6. and the review of access controls as detailed in section 9. Refer to the audit procedure for PCI DSS Req.2 above. This should have been partly verified during the review of PCI DSS Req. 6. christian_moldes@hotmail. such as direct requests (forced browsing). Moldes. Refer to the audit procedure for PCI DSS Req.

A u t h o r r e t a i n s f u l l r i g h t s . Refer to MITRE CWE-862 for additional information (Mitre. This software error is indirectly addressed by PCI DSS. How to Audit ASP.3 above. 2011b). Refer to MITRE CWE-434 for additional information (Mitre.5. This software error is indirectly addressed by PCI DSS Section 2 requirements.Christian J.1 above. 2011a). CWE0311 CWE-434 A7 Missing Encryption of Sensitive Data Unrestricted Upload of File with Dangerous Type CWE-807 Reliance on Untrusted Inputs in a Security Decision CWE-250 Execution with Unnecessary Privileges authorization bypass through user-controlled keys. . 2010 Description Audit Procedure CWE-798 Use of Hard-coded Credentials Refer to the audit procedure described in section 9.NET Applications for PCI DSS Compliance 47 CWE/SANS Top 25 Most Dangerous Software Error OWASP Top 10 Security Flaw v. christian_moldes@hotmail. Refer to the audit procedure for PCI DSS Req. This type of security flaw should be detected during application penetration testing.com © 2 0 1 2 S A N S I n s t i t u t e . Refer to MITRE CWE-807 for additional information (Mitre. In order to verify that this security flaw does not exist. References and resources listed for OWASP Top 10 A6 may be helpful to address this security flaw. 2011c). incorrect permission assignment for critical resources and exposed dangerous method or function. 6. though. an inventory of all the roles and accounts used by the application is needed. This type of security flaw should be detected during application penetration testing. though. Moldes. Refer to A6 – Security Misconfiguration above. This software error is indirectly addressed by OWASP Top 10 and PCI DSS. Each role and account permissions and privileges should be reviewed to determine whether they are necessary or not.

2010). This software error is not addressed by either the current version of OWASP Top 10 or PCI DSS. authorization bypass through user-controlled keys.5. christian_moldes@hotmail.7. How to Audit ASP. Refer to A6 – Security Misconfiguration above. 6. how it was obtained. OWASP Top 10 Security Flaw A4 and A8.NET Applications for PCI DSS Compliance 48 CWE/SANS Top 25 Most Dangerous Software Error OWASP Top 10 Security Flaw v.NET site has useful information regarding IIS accounts and their rights on the OS for ISS v. 2010 Description Audit Procedure CWE-352 CWE-22 A5 Cross-Site Request Forgery (CSRF) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Refer to the audit procedure for PCI DSS Req. Mitre list several other related CWEs that should be included as part of a review of CWE-863. and the review of access controls as detailed in section 9.0 (Microsoft. Interview developers to find out whether third party code is being used. A8 Refer to the audit procedure for PCI DSS Req. Refer to MITRE CWE-250 for additional information (Mitre.2 of this paper.8. 6.8 above.5. 2011d). A u t h o r r e t a i n s f u l l r i g h t s . incorrect permission .Christian J. This should have been partly verified during the review of PCI DSS Req.com © 2 0 1 2 S A N S I n s t i t u t e . CWE-494 Download of Code Without Integrity Check CWE-863 A4 A8 Incorrect Authorization Microsoft’s IIS. Moldes. 2011e).9 above. and how integrity check verified. such as direct requests (forced browsing). Refer to MITRE CWE-494 for additional information (Mitre. 6. References and resources listed for OWASP Top 10 A6 may be helpful to address this security flaw.5.

if there is functionality to assign permissions to critical resources. For the application. This software error is not addressed by either the current version of OWASP Top 10 or PCI DSS. Refer to MITRE CWE-829 for additional information (Mitre. Moldes. . For the platform. Refer to MITRE CWE-863 for additional information (Mitre. all the roles and accounts with permissions and privileges should be reviewed. How to Audit ASP. refer to the audit procedure for OWASP Top 10 Security Flaw A6 above. 2010 Description Audit Procedure CWE-829 Inclusion of Functionality from Untrusted Control Sphere CWE-732 A4 A8 Incorrect Permission Assignment for Critical Resource assignment for critical resources and exposed dangerous method or function. This requirement is mostly related with the platform on which the application runs. A u t h o r r e t a i n s f u l l r i g h t s . christian_moldes@hotmail. However.Christian J.com © 2 0 1 2 S A N S I n s t i t u t e . 2011g).NET Applications for PCI DSS Compliance 49 CWE/SANS Top 25 Most Dangerous Software Error OWASP Top 10 Security Flaw v. Interview developers to find out whether functionality from untrusted control sphere is being used and what security controls are in place to minimize risks from that third party. 2011f). it may apply to resources within the application as well.

NET Applications for PCI DSS Compliance 50 CWE/SANS Top 25 Most Dangerous Software Error CWE0676 OWASP Top 10 Security Flaw v. Refer to MITRE CWE-676 for additional information (Mitre. files. This software error is not addressed by either the current version of OWASP Top 10 or PCI DSS. A u t h o r r e t a i n s f u l l r i g h t s . Refer to the audit procedure described in section 9. . Moldes. and directories as potential dangerous functions. 6. 2011h). services.2 above. 2010 Description Audit Procedure Use of Potentially Dangerous Function CWE-327 CWE-131 CWE-307 A7 Use of a Broken or Risky Cryptographic Algorithm Incorrect Calculation of Buffer Size Improper Restriction of Excessive Authentication Attempts Refer to the audit procedure for PCI DSS Req. A thorough discussion of these functions fall into operating system and database security. Consider functions that interact with the operating system accounts. Interview developers and find out whether functions such as XP_CMDSHELL are being used.1 above.3 and 7 of this paper.5.com © 2 0 1 2 S A N S I n s t i t u t e . Refer to the audit procedure for sections 6. which for the purpose of this paper is out of scope. How to Audit ASP. registry. christian_moldes@hotmail.Christian J.

5. Automated black box tools that supply URLs to every input may be able to spot Location header modifications.NET Applications for PCI DSS Compliance 51 CWE/SANS Top 25 Most Dangerous Software Error CWE-601 OWASP Top 10 Security Flaw v. Refer to MITRE CWE-601 for additional information (Mitre.5. automated static analysis tools may not be able to determine whether input influences the beginning of a URL.2 above. Refer to the audit procedure for PCI DSS Req. PCI Council recommends the use of Salt. 6. “Are hashed Primary Account Numbers (PAN) considered cardholder data that must be protected in accordance with PCI DSS? (PCI SSC. and custom redirects may not be detected. 6. however is not a requirement. 2010 A10 Description Audit Procedure URL Redirection to Untrusted Site ('Open Redirect') CWE-134 CWE-190 CWE-759 Uncontrolled Format String Refer to the audit procedure for PCI DSS Req. Integer Overflow or Wraparound Use of a One-Way Hash without a Salt According to Mitre (2011). How to Audit ASP. 2011i).2 above. Using white box techniques may be the best approach to validate compliance for this security flaw.com © 2 0 1 2 S A N S I n s t i t u t e . 2011c) Table 10 – CWE/SANS Top 25 Most Dangerous Software Errors . A u t h o r r e t a i n s f u l l r i g h t s . christian_moldes@hotmail. Moldes. but test case coverage is a factor. For additional information go to PCI SSC FAQ 8718. which is important for reducing false positives.Christian J.
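The white-box check that the A10 row of Table 9 and the CWE-601 row of Table 10 call for, as an added example that is not part of the paper: a C# redirect-target validator written for this page, contrasting the unsafe pattern of passing a request parameter straight to a redirect with a check that only accepts a site-relative path. The class and method names (RedirectTargetCheck, IsLocalUrl, SafeTarget), the acceptance rules, and the sample inputs are assumptions made for illustration, not an ASP.NET API.

```csharp
// Added example (not from the paper): white-box validation of a redirect
// target for CWE-601 / OWASP Top 10 A10. The IsLocalUrl rules are an
// assumption modelled on only allowing same-site relative paths.
using System;
using System.Collections.Generic;

public static class RedirectTargetCheck
{
    // The pattern an auditor looks for during code review: the target comes
    // from the request untouched, so any absolute URL is accepted.
    public static string VulnerableTarget(string returnUrl)
    {
        return returnUrl; // would be handed straight to Response.Redirect
    }

    // Hardened pattern: accept only a relative path on this site.
    // Rejects empty values, absolute URLs (with a scheme or protocol-relative
    // "//"), the backslash variant ("/\") that some browsers normalise to "//",
    // and control characters that could split the Location header.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        if (url.Length > 2048) return false;
        foreach (char c in url)
        {
            if (c < 0x20 || c == 0x7F) return false;   // CR, LF, other controls
        }
        if (url[0] != '/') return false;                // must be site-relative
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return true;
    }

    // What the redirect should actually use: the validated value or a fallback.
    public static string SafeTarget(string returnUrl, string fallback = "/")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed sample inputs for the returnUrl parameter (not real sites).
        var samples = new List<string>
        {
            "/account/summary",
            "//untrusted.example/landing",
            "/\\untrusted.example",
            "http://untrusted.example/",
            "/path\r\nX: y",
            ""
        };
        foreach (var s in samples)
        {
            var shown = s.Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine($"{shown,-32} local={IsLocalUrl(s)} -> {SafeTarget(s)}");
        }
    }
}
```

Only the first sample is accepted; every other sample falls back to "/". When reviewing an application, the auditor looks for every call that ends in a redirect and confirms that the value reaching it has passed a check of this kind rather than relying on black-box probing alone.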
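Illustrating the CWE-759 row, as an added example that is not the paper's code: a C# program written for this page that stores a PAN-like value as a per-record salted hash and contrasts it with the unsalted form. The class name SaltedPanHash, the "salt:digest" record layout, and the test value 4111111111111111 are assumptions made for illustration; the PAN is a constructed test number, not cardholder data.

```csharp
// Added example (not from the paper): per-record salted hash versus an
// unsalted hash of a PAN-like value, for the CWE-759 row. Record layout
// "salt:digest" is an assumption for this example.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SaltedPanHash
{
    private const int SaltBytes = 16;

    // Unsalted: identical input gives an identical digest, so equal PANs are
    // linkable across records and the small PAN keyspace can be precomputed.
    public static string UnsaltedHex(string pan)
    {
        using (var sha = SHA256.Create())
            return ToHex(sha.ComputeHash(Encoding.UTF8.GetBytes(pan)));
    }

    // Salted: a fresh random salt per record, stored beside the digest.
    // The salt is not secret; it defeats precomputation and unlinks records.
    public static string SaltedRecord(string pan)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return ToHex(salt) + ":" + ToHex(Digest(salt, pan));
    }

    // Verifies a candidate against a stored record using that record's salt.
    public static bool Verify(string pan, string record)
    {
        var parts = record.Split(':');
        if (parts.Length != 2) return false;
        return FixedTimeEquals(Digest(FromHex(parts[0]), pan), FromHex(parts[1]));
    }

    private static byte[] Digest(byte[] salt, string pan)
    {
        var panBytes = Encoding.UTF8.GetBytes(pan);
        var input = new byte[salt.Length + panBytes.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(panBytes, 0, input, salt.Length, panBytes.Length);
        using (var sha = SHA256.Create())
            return sha.ComputeHash(input);
    }

    // Constant-time comparison so verification does not leak where digests differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string ToHex(byte[] b) =>
        BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();

    private static byte[] FromHex(string hex)
    {
        var b = new byte[hex.Length / 2];
        for (int i = 0; i < b.Length; i++)
            b[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return b;
    }

    public static void Main()
    {
        const string pan = "4111111111111111"; // constructed test value
        Console.WriteLine("unsalted #1: " + UnsaltedHex(pan));
        Console.WriteLine("unsalted #2: " + UnsaltedHex(pan)); // same digest
        string r1 = SaltedRecord(pan), r2 = SaltedRecord(pan);
        Console.WriteLine("salted   #1: " + r1);
        Console.WriteLine("salted   #2: " + r2);                // different digest
        Console.WriteLine("verify ok:   " + Verify(pan, r1));   // True
        Console.WriteLine("verify bad:  " + Verify("4111111111111112", r1)); // False
    }
}
```

During an audit the salt's presence is checked in the storage layout, not just in the code: a column of digests that repeat for the same card is the visible symptom of the unsalted form.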

12. Conclusion

Ensuring that an application is secure is a complex and daunting task as it involves many different areas and it requires a good understanding of platform security, secure design, coding, implementation and deployment. It is no surprise that web applications are one of the causes for a significant number of security breaches. Hopefully, this paper may facilitate conducting an audit by providing guidance and references to resources that can be used during the audit process.

13. Acknowledgments

- Rodney Caudle, SANS advisor, for reviewing the document and ensuring that it met SANS paper submission requirements.

Special thanks to the following members of the Verizon Business professional services practice:

- Mark Goudie, Managing Principal, Investigative Response Team in Australia, for providing technical and content review.
- Charles D. Hylender, Risk Intelligence Team in United States, for providing technical and content review.
- Markus Feichtner, Principal Consultant in Germany, for suggesting additional content for the paper.

regular-expressions.aspx Redirection with HTTP Pipelines in ASP. United Kingdom: John Wiley & Sons. (2011).google. Retrieved July 20. B.html Dorran. (2009).2011 from benchmarks..asp Chr1x. 2011 from ferruh.microsoft.org Website: http://logging.html Blowdart.cit. (2007).mavituna.0) [Software]. Retrieved July 20. “Using Spider (Windows Version)”.codeplex.mavituna.browse.com Website: http://anticsrf.com/p/dngrep/ Goyvaerts.com Website: http://ferruh.edu Website: http://www2.5.NET Applications for PCI DSS Compliance 54 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s .info Website: http://www. (2007). Online Tools for Programmers. Filtering. References . Retrieved July 20.NET”. Available from code. Beginning ASP. (2007). (2011). IE Inspector HTTP Analyzer v.apache. West Sussex.com Website: http://code. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . Retrieved from logging.cisecurity. Retrieved July 20. Retrieved October 2. F.NET security. 2011 from dotdotpwn. Inc. (2011). 2011.cornell.com/ Chilkat Software.org Website: http://benchmarks. J.ieinspector. (2003).blogspot. (2007).6.cit. from msdn. 2011 from chilkatsoft.google. 2011 from www2.com/ Center for Internet Security. 2011 from www. (2010). “Securely Implement Request Processing. A u t h o r r e t a i n s f u l l r i g h t s .html IEInspector Software.com Website: http://chilkatsoft.ieinspector. (2011). Retrieved October 2. 2011 from www.com/httpanalyzer/ Integrigy. T.category.com/online-tools.edu/security/tools/spider-windows.How to Audit ASP. K. page 34.com/sql-injection-cheatsheet-oku/ Google. & Brown.benchmarks Cornell University.microsoft. Retrieved July 20. “SQL Injection Cheat Sheet”. Apache Software Foundation.regular-expressions.apache. LLC.com/en-us/magazine/cc188942.com Mavituna. Retrieved July 20. dodotpwn.org/enus/?route=downloads.blogspot. Retrieved October 2. 
2011 from anticsrf.cisecurity. “Finding or Verifying Credit Card Numbers”.com 14. Ltd. and Content Website: http://msdn. “Apache log4net™ Features”.codeplex. (2010). christian_moldes@hotmail. (2011).com Website: http://dotdotpwn.org/log4net/release/features. Ewald. AntiCSRF.cornell. Retrieved July 20. Moldes.info/creditcard. Security Benchmarks. Christian J.com Website: http://www. dnGrep (Version 2. “Hashing Credit Card Numbers: Unsafe Application Practices”.

com Website: http://msdn. (2001). 2011 from support. Retrieved October 19. E. Retrieved October 19.microsoft.com/en-us/library/aa292114%28v=VS.com Website: http://www. 2011 from msdn. 2011 from www.integrigy. 2011 from support.com/enus/library/f5cs0acs. Retrieved October 20. (2011d).net/page. “ASP.com/fiddler2/ Microsoft. (2011e). christian_moldes@hotmail. “HTTP Handlers and HTTP Modules Overview”.com Website: http://msdn.microsoft. PowerGrep (Version 4.microsoft. 2011 from msdn.aspx Microsoft. 2011 from msdn. (2011a). 2011 from msdn. (2011c). resources/whitepapers/Integrigy_Hashing_Credit_Card_Numbers_Unsafe_Practices.com/kb/329290 Microsoft.microsoft. (2011b).com Website: http://msdn. Retrieved July 20.powergrep. Retrieved July 20.aspx Microsoft.microsoft.fiddler2. Retrieved July 23. 2011 from www.com Website: http://www.aspx Microsoft.microsoft. “Understanding Built-In User and Group Accounts in IIS 7”. “How to use the ASP.aspx Microsoft.microsoft.com Website: http://msdn.com Christian J.powergrep.com/en-us/library/bb398986.4) [Software].aspx Microsoft.How to Audit ASP.aspx/140/understanding-built-in-userand-group-accounts-in-iis/ Microsoft.NET Applications for PCI DSS Compliance 55 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s . “IIS Authentication”. (2011g).com/en-us/library/aa291347%28v=vs.com Website: http://msdn.microsoft. (2011f). “Implementing a Membership provider”.microsoft.com Website: http://learn.microsoft. 2011 from msdn.microsoft. 2011 from msdn. (2007). (2011). Retrieved October 19.microsoft.pdf Just Great Software Co.com/en-us/library/f1kyba5e.com/ Lawrence. “Windows Data Protection”. 2011 from msdn. Retrieved July 23. 2011 from msdn.com/security- .2. Retrieved October 19.com/enus/library/dtkwfdky.com Website: http://msdn. A u t h o r r e t a i n s f u l l r i g h t s .aspx Microsoft.fiddler2. Fiddler Web Debugger.NET Impersonation”.microsoft.microsoft.microsoft. (2010).71%29. 
“Walkthrough: Encrypting Configuration Information Using Protected Configuration”. Retrieved October 19. Moldes.com Website: http://www.com/en-us/library/ms995355 Microsoft.71%29. (2011).microsoft. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . Retrieved October 19.integrigy.microsoft.NET utility to encrypt credentials and session state connection strings”. “ASP.NET Authentication”. “Understanding Machine-Level and User-Level RSA Key Containers”.iis.com 2011 from www.com Website: http://support. Retrieved October 19.microsoft.com Website: http://msdn.

(2011b). “CWE-807: Reliance on Untrusted Inputs in a Security Decision”. Retrieved October 21. Retrieved October 21. (2011a). Retrieved October 21.com Website: http://msdn.com/en-us/security/aa973814 Microsoft. “CWE-494: Download of Code Without Integrity Check”. 2011 from cwe. “CWE-601: URL Redirection to Untrusted Site ('Open Redirect')”. 2011 from cwe.org Website: http://cwe.org Website: http://cwe.org/top25/#CWE-250 Mitre. Retrieved October 21.mitre.org Website: http://cwe. 2011 from cwe. christian_moldes@hotmail. Microsoft. Retrieved October 19. “CWE-250: Execution with Unnecessary Privileges”.org/top25/#CWE-807 Mitre. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . Retrieved October 21.html NIST. 2011 from cwe.mitre.mitre.org/data/definitions/601.nist.com/en-us/library/w16865z6. (2011d).NET Applications for PCI DSS Compliance 56 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s .org Website: http://cwe. Retrieved October 19.mitre.nist. (2011h).How to Audit ASP. “CWE-829: Inclusion of Functionality from Untrusted Control Sphere”.mitre. 2011 from cwe. 2011 from msdn.org/top25/#CWE-862 Mitre.aspx Microsoft.com Website: http://www.mitre.com Website: http://msdn. 2011 from cwe. (2011i). (2011f). “Internet Information Services (IIS) 6.com Website: http://msdn.org Website: http://cwe. Retrieved October 21.org/top25/#CWE-863 Mitre.mitre.org/top25/#CWE-434 Mitre.mitre.microsoft. Retrieved October 21.org/top25/#CWE-494 Mitre. 2011 from msdn.pdf Christian J.com/download/en/details. “Error Handling in ASP.mitre.mitre.com/en-us/library/xh507fc5. “CWE-863: Incorrect Authorization”. 2011 from cwe. Moldes. (2011h). 2011 from cwe.mitre. A u t h o r r e t a i n s f u l l r i g h t s . (2011e).org/top25/#CWE-676 Mitre. (2007a).org Website: http://cwe. Retrieved October 19.org Website: http://cwe.org Website: http://cwe. 
2011 from cwe.microsoft.microsoft. (2011i).microsoft. Retrieved October 21.microsoft. 2011 from csrc. “Anti-Cross Site Scripting Library”.mitre.microsoft.NET Pages and Applications”. “CWE-862: Missing Authorization”.mitre.gov/publications/nistpubs/800-57/sp800-57-Part1revised2_Mar08-2007. “CWE-676: Use of Potentially Dangerous Function”. 2011 from www. (2011c).mitre.0 Resource Kit”.mitre. “Recommendation for Key Management – Part 1: General”.mitre. “CWE-434: Unrestricted Upload of File with Dangerous Type”.org/top25/#CWE-829 Mitre.aspx .aspx?DisplayLang=en&id=5135 Mitre.org Website: http://cwe. Retrieved October 21. Retrieved October 19.microsoft. (2011j).gov Website: http://csrc.mitre.mitre. (2011g).

org Website: https://www.org Website: https://www. “OWASP Testing Guide”.owasp.How to Audit ASP. A u t h o r r e t a i n s f u l l r i g h t s . Retrieved July 20. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . (2011a).owasp. Retrieved October 19.gov Website: http://csrc.php/Top_10_2010-A8 OWASP Foundation. Retrieved July 20. christian_moldes@hotmail. (2007b).org/index.owasp. 2011 from csrc. 2011 from www.com NIST. 2011 from www.owasp.php/Top_10_2010-A9 OWASP Foundation.owasp.gov/publications/nistpubs/800-57/SP800-57-Part2.owasp.org Website: https://www.php/Category:OWASP_WebScarab_Project OWASP Foundation.owasp. 2011 from www.org Website: https://www.php/Top_10_2010-A2 OWASP Foundation.org/index.owasp. Retrieved July 20. 2011 from 001%29 www. 2011 from www. “Top 10 2010-A2-Cross-Site Scripting (XSS)”. “Top 10 2010-A4-Insecure Direct Object References”. (2011b).owasp.php/Testing_for_SSL-TLS_%28OWASP-CMOWASP Foundation.org/index. “Recommendation for Key Management – Part 2: Best Practices for Key Management . “Top 10 2010-A9-Insufficient Transport Layer Protection”.nist. OWASP Foundation. (2011e).nist.owasp. 2011 from www. “Top 10 2010-A8-Failure to Restrict URL Access”.gov Website: http://csrc. (2010).NET Applications for PCI DSS Compliance 57 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s .owasp. “CSRFTester Usage”.owasp. (2011d).owasp. “Testing for SSL-TLS (OWASP-CM-001)”.org Website: https://www. (2011i). (2009).org/index. Retrieved July 20.php/Top_10_2010-A4 OWASP Foundation. Retrieved July 20. Organization”. “Top 10 2010-A7-Insecure Cryptographic Storage”. 2011 from www. “Testing for Authentication”. “Top 10 2010-A1-Injection”.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009. Retrieved July 20.owasp. Moldes. 2011 from csrc. (2011g).owasp. 2011 from www.php/Top_10_2010-A1 OWASP Foundation. (2008). 
2011 from www.org/index. Retrieved July 20.php/Testing_for_authentication OWASP Foundation. “OWASP WebScarab Project”.php/CSRFTester_Usage Christian J.org/index. Page 264.php/Top_10_2010-A7 OWASP Foundation. (2011h).owasp.org/index.org Website: https://www.owasp.pdf NIST.pdf OWASP Foundation. “Recommendation for Key Management – Part 3: Application-Specific Key Management Guidance”. Retrieved July 20. 2011 from www.org/index.org/images/5/56/OWASP_Testing_Guide_v3.org Website: https://www. (2011c).org/index.pdf. (2011f).owasp.nist. Retrieved October 19.org/index.org Website: https://www.org Website: https://www.owasp. 2011 from www. Retrieved July 20. Retrieved July 20.owasp.org Website: https://www.owasp.owasp.nist.org Website: https://www. Retrieved July 20.

owasp.owasp.pcisecuritystandards.org Website: https://www. “Top 10 2010-A10-Unvalidated Redirects and Forwards”. 2011 from www. https://www. Retrieved October 21.owasp. (2011a). 2011 from www.com/blog/?p=21 Verizon. (2011b).org/index.pcisecuritystandards. (2011n).verizonbusiness. and Acronyms”. Retrieved July 20.php/.pcisecuritystandards. Retrieved July 20. 2011 from selfservice. 2011 from www. “.org/documents/pci_glossary_v20.aspx?article=8718&p=81 RSnake.org Website: http://ha. (2011c). Retrieved from October 21. “Top 10 2010-A3-Broken Authentication and Session Management”.owasp. Retrieved from www. “Top 10 2010-A5-Cross-Site Request Forgery (CSRF)”.kb. (2011k).php PCI SSC. A u t h o r r e t a i n s f u l l r i g h t s .org Website: https://www.org/index.owasp. Moldes. 2011 from www. Abbreviations.owasp.com Website: http://www. A.net Website: http://selfservice. christian_moldes@hotmail. Retrieved July 20.owasp.org/organization_info/index. (2011m).net/article.aspx?article=11938&p=81 PCI SSC.org/index. (2008). (2011j). Retrieved July 20. Retrieved July 20.kb.php/Top_10_2010-A10 PCI SSC.pcisecuritystandards.org Website: https://www.kb. “XSS (Cross Site Scripting) Cheat Sheet Esp: for filter evasion”.owasp.org Website: http://selfservice.NET CSRF Guard”. 2011 www. 2011 from www.ckers.org Website: .com/resources/reports/rp_2010-databreach-report_en_xg.org Website: https://www.org/xss.html Smolen.php/Top_10_2010-A3 OWASP Foundation.Net_CSRF_Guard OWASP Foundation.ckers. “Can a payment application that uses cryptographic keys hard-coded by the vendor be PA-DSS compliant if they cannot be changed by the customer?”.org/index. (2008).owasp. Retrieved from www.How to Audit ASP.org/index. 2011 from alexsmolen. “About the PCI Security Standards Council”.pdf Christian J. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . Retrieved from ha.owasp.org Website: https://www. 
2011 from www.com Website: http://alexsmolen.pcisecuritystandards.verizonbusiness. Retrieved October 21. “Top 10 2010-A6-Security Misconfiguration”. Retrieved July 20.com OWASP Foundation. (2010).NET Applications for PCI DSS Compliance 58 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s . “2010 Data Breach Investigations Report”. “ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery”. “Are hashed Primary Account Numbers (PAN) considered cardholder data that must be protected in accordance with PCI DSS?”.php/Top_10_2010-A6 OWASP Foundation.org Website: https://www. (2010). (2011l).net/article.php/Top_10_2010-A5 OWASP Foundation. “Glossary of Terms.pdf PCI SSC.

http://www. (2007). Wireshark. Retrieved July 20.com Wireshark Foundation. e y f i n g e r p r i n t =A F 1 9 F A 2 7 2 F 9 4 9 9 8 DF D B 5 D E 3 DF 8 B 5 0 6 E 4 A 1 6 9 4 E 4 6 A © 2 0 1 2 S A N S I n s t i t u t e . 2011 from www.wireshark.com/KB/custom-controls/CaptchaControl. Retrieved July 20. A u t h o r r e t a i n s f u l l r i g h t s . christian_moldes@hotmail.com Website: http://www. “A CAPTCHA Server Control for ASP.wireshark. (2011).How to Audit ASP.yellowpipe.org/ Wumpus1.codeproject.php Christian J. (2007).yellowpipe.org Website: . 2011 from www. 2011 from www.NET Applications for PCI DSS Compliance 59 ©2 0 1 2 T h e S A N SI n s t i t u t e K u t h o r r e t a i n s f u l l r i g h t s . Encrypter/Decoder.com/yis/tools/encrypter/index. Retrieved July 20.codeproject. Moldes.aspx Yellowpipe Internet Services.NET”.com Website: http://www.

