Don’t get Stung
(An introduction to the OWASP Top Ten Project)

             Barry Dorrans
        MVP – Developer Security
Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software

Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ... barryd@idunno.org / http://idunno.org
10 – Failure to restrict URI access

Failure to restrict URI access
• Security by obscurity is useless
• Restrict via ASP.NET
• Integrated pipeline restricts everything
• Use [PrincipalPermission] to protect yourself
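An added example of the last two bullets, written for this page rather than taken from the slides: a hypothetical admin page whose handlers carry a PrincipalPermission demand, with the equivalent rule declared for the integrated pipeline in web.config. The page, role and method names are this example's own assumptions.

```csharp
using System;
using System.Security.Permissions;
using System.Web.UI;

// Hypothetical admin page (names are this example's own). ASP.NET sets
// Thread.CurrentPrincipal to HttpContext.User once authentication has
// run, so a PrincipalPermission demand checks the same identity and
// roles that User.IsInRole() would.
public partial class AdminReports : Page
{
    // The demand is evaluated before the method body runs: a caller who
    // is not an authenticated member of "Administrators" gets a
    // SecurityException and the page never renders, whether or not the
    // URL was ever linked from anywhere.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
            BindReportList();
    }

    // Any authenticated user may export; anonymous callers may not.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    protected void ExportButton_Click(object sender, EventArgs e)
    {
        Response.ContentType = "text/csv";
        Response.Write(BuildCsv());
        Response.End();
    }

    private void BindReportList() { /* data binding for the admin grid */ }
    private string BuildCsv() { return "id,name\r\n1,example\r\n"; }
}

// Belt and braces: the same rule declared in web.config. In the
// integrated pipeline this is applied to every request under the path,
// static files included, before any page code runs.
//
// <location path="Admin">
//   <system.web>
//     <authorization>
//       <allow roles="Administrators" />
//       <deny users="*" />
//     </authorization>
//   </system.web>
// </location>
```

The attribute guards the code path and the configuration guards the URL; keeping both means a new handler or a renamed page does not silently drop out of the policy.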
9 – Insecure Communications

Insecure Communications
• Use SSL
• Protect communications between web server and backend systems (SSL, IPSEC etc.)
• Replay attacks
8 – Insecure Cryptographic Storage

Insecure Cryptographic Storage
• Symmetric – same key
• Asymmetric – public/private keys
• Use safe algorithms
  – Hashing: SHA256
  – Symmetric: AES
  – Asymmetric: CMS/PKCS#7
• Encrypt then sign

Insecure Cryptographic Storage
• Use symmetric when
  – All systems are under your control
  – No need to identify who did the encryption
• Use asymmetric when
  – Talking to / accepting from external systems
  – Non-repudiation on who encrypted/signed (X509)
  – All in memory!
• Combine the two for speed and security

Insecure Cryptographic Storage
• Do not reuse keys for different purposes
• Store keys outside the main database
• Use CryptGenRandom for random numbers
• Use & rotate salts
• Use unique IVs
• DPAPI can provide a key store
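An added example pulling the three cryptographic storage slides together; it is not code from the slides. It uses the algorithms the slides name (AES, SHA256, HMAC-SHA256 as the "sign" step in the symmetric case), separate keys for encryption and authentication, a fresh IV per message, a fresh salt per password, RNGCryptoServiceProvider (the .NET wrapper over CryptGenRandom) and DPAPI via ProtectedData. Key sizes, the blob layout and all names are this example's own choices; ProtectedData lives in System.Security.dll, which must be referenced.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class StorageCrypto
{
    // RNGCryptoServiceProvider is the .NET wrapper over CryptGenRandom.
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    public static byte[] RandomBytes(int length)
    {
        var bytes = new byte[length];
        Rng.GetBytes(bytes);
        return bytes;
    }

    // Two independent keys, one per purpose: AES for confidentiality,
    // HMAC for integrity. Never the same bytes for both.
    public static byte[] NewEncryptionKey() { return RandomBytes(32); }   // AES-256
    public static byte[] NewMacKey()        { return RandomBytes(32); }

    // Blob layout (this example's choice): IV (16) || ciphertext || HMAC-SHA256 tag (32).
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                       // unique IV for every message
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] body = Concat(aes.IV, cipher);
            using (var hmac = new HMACSHA256(macKey))
                return Concat(body, hmac.ComputeHash(body));   // encrypt, then sign
        }
    }

    public static byte[] Unprotect(byte[] blob, byte[] encKey, byte[] macKey)
    {
        const int ivLen = 16, tagLen = 32;
        if (blob.Length < ivLen + tagLen + 16) throw new CryptographicException("Blob too short");
        byte[] body = Sub(blob, 0, blob.Length - tagLen);
        byte[] tag  = Sub(blob, blob.Length - tagLen, tagLen);

        // Check the signature before touching the ciphertext, and compare in
        // constant time so a mismatch does not reveal where it failed.
        using (var hmac = new HMACSHA256(macKey))
            if (!FixedTimeEquals(tag, hmac.ComputeHash(body)))
                throw new CryptographicException("Integrity check failed");

        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = Sub(body, 0, ivLen);
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(body, ivLen, body.Length - ivLen);
        }
    }

    // Salted hash, a new random salt every time a password is set.
    // Stored form: salt (16) || SHA256(salt || password).
    public static byte[] HashPassword(string password)
    {
        byte[] salt = RandomBytes(16);
        using (var sha = SHA256.Create())
            return Concat(salt, sha.ComputeHash(Concat(salt, Encoding.UTF8.GetBytes(password))));
    }

    public static bool VerifyPassword(string password, byte[] stored)
    {
        byte[] salt = Sub(stored, 0, 16);
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Concat(salt, Encoding.UTF8.GetBytes(password)));
            return FixedTimeEquals(digest, Sub(stored, 16, stored.Length - 16));
        }
    }

    // DPAPI: wrap key material so it can live in a file outside the
    // database, readable only on this machine (or by this user with
    // DataProtectionScope.CurrentUser).
    public static byte[] WrapKeyForStorage(byte[] key)
    {
        return ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine);
    }

    public static byte[] UnwrapStoredKey(byte[] wrapped)
    {
        return ProtectedData.Unprotect(wrapped, null, DataProtectionScope.LocalMachine);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    private static byte[] Sub(byte[] src, int offset, int count)
    {
        var r = new byte[count];
        Buffer.BlockCopy(src, offset, r, 0, count);
        return r;
    }
}
```

Two points worth checking in a review of code like this: the tag is verified before any decryption is attempted, and the plain salted SHA256 shown for passwords follows the slide's algorithm list; a deliberately slow key derivation (Rfc2898DeriveBytes, i.e. PBKDF2) is the stronger choice for password storage specifically, since SHA256 alone is fast to brute-force offline.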
7 – Broken Authentication/Sessions

Broken Authentication/Sessions
• Don’t roll your own!
• Validate sessions on every request
  – Check the browser string
6 – Information Leakage

Information Leakage
• Don’t show raw errors
• Catch errors “properly”
• Don’t upload PDBs or debug assemblies
• Encrypt web.config parts
• Encrypt ViewState
• Watch your CSS!
• For Ajax, UpdatePanels are more secure
• Turn off metadata in web services
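An added example (not from the slides) of catching errors "properly": a hypothetical Global.asax code-behind that logs the full exception server-side and shows the user a page that says nothing about the cause, followed by the web.config settings that cover the other bullets. The application and event-source names, and the Error.aspx path, are this example's assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Everything we know goes to the server-side log only. (The event
        // source name is this example's assumption and must be registered
        // once by an administrator before it can be written to.)
        EventLog.WriteEntry("MyWebApp",
            "Unhandled error on " + Request.RawUrl + Environment.NewLine + ex,
            EventLogEntryType.Error);

        // Clear the error so the default ASP.NET error page is never
        // rendered, then hand the browser a generic page and a 500.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Server.Transfer("~/Error.aspx");
    }
}

// web.config settings that close the other leakage paths on the slide:
//
// <system.web>
//   <!-- no debug assemblies, no PDB-derived line numbers in traces -->
//   <compilation debug="false" />
//   <!-- raw errors are only ever shown on the local machine -->
//   <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
//   <!-- ViewState encrypted and MACed, so it can be neither read nor altered -->
//   <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
//   <!-- application trace output stays off in production -->
//   <trace enabled="false" />
//   <!-- no auto-generated help page or WSDL for .asmx web services -->
//   <webServices>
//     <protocols>
//       <remove name="Documentation" />
//     </protocols>
//   </webServices>
// </system.web>
//
// Sensitive sections such as connectionStrings can be encrypted in place
// with the framework's own tool, e.g.:
//   aspnet_regiis -pe "connectionStrings" -app "/MyWebApp"
```

The Error.aspx page itself should contain no dynamic content derived from the request, or it becomes a new place for details (or reflected input) to leak.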
5 – Cross Site Request Forgery

Cross Site Request Forgery
• Lock ViewState using ViewStateUserKey
  – Needs a way to identify the user
  – Set in Page_Init
• Use a CSRF token
  – http://anticsrf.codeplex.com
• Encourage users to log out
• GET requests must be idempotent
• When is a postback not a postback?
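An added example, written for this page and not taken from the slides or from the AntiCSRF project: a hypothetical base page that sets ViewStateUserKey at the Init stage (the same point as a Page_Init handler) and adds a session-bound synchronizer token, which is the pattern the AntiCSRF library packages. The class, field and token names are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Every page in the site derives from this class. OnInit is the last
// point at which ViewStateUserKey can be set before the incoming
// ViewState is loaded and its MAC checked.
public class ProtectedPage : Page
{
    private const string TokenField = "__csrfToken";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Store the token first: ASP.NET hands out a fresh SessionID on
        // every request until the session actually holds data, and the
        // ViewStateUserKey below would change along with it.
        if (Session[TokenField] == null)
            Session[TokenField] = NewToken();
        string expected = (string)Session[TokenField];

        // 1. ViewState is MACed with a key that includes this session id, so
        //    a ViewState blob taken from another session fails validation
        //    instead of driving a postback here.
        ViewStateUserKey = Session.SessionID;

        // 2. Synchronizer token: a cross-site form can make the browser
        //    send our cookies, but cannot read the token out of our page,
        //    so a postback without the right token is rejected.
        if (IsPostBack)
        {
            string submitted = Request.Form[TokenField];
            if (submitted == null || !FixedTimeEquals(submitted, expected))
                throw new HttpException(403, "Request did not originate from this site");
        }

        // Re-emit the hidden field on every render so the next postback carries it.
        ClientScript.RegisterHiddenField(TokenField, expected);
    }

    // Pages deriving from this class keep GET handling idempotent: state
    // changes live in postback (button) handlers, never in Page_Load on a
    // plain GET, because a GET can be triggered by nothing more than an
    // <img> tag on another site.

    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())   // CryptGenRandom underneath
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Both halves matter: ViewStateUserKey alone does not protect pages that accept plain POSTs without ViewState, and a token alone does not stop a replayed ViewState from another session.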
4 – Insecure Direct Object Reference

Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions
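An added example of both bullets (not code from the slides): opaque per-session handles stand in for real record ids, and the record is still subjected to an ownership check every time it is opened. The Document type, the in-memory store and its two constructed records, and the role name are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.SessionState;

// Constructed stand-in for a database record.
public class Document
{
    public int Id;
    public string Owner;
    public string Title;
}

public static class DocumentAccess
{
    private const string MapKey = "docHandles";

    // Constructed in-memory "database" with two sample records.
    private static readonly Dictionary<int, Document> Store = new Dictionary<int, Document>
    {
        { 1001, new Document { Id = 1001, Owner = "alice", Title = "Q1 figures" } },
        { 1002, new Document { Id = 1002, Owner = "bob",   Title = "Payroll" } },
    };

    // Indirect reference: the page emits a random handle that is only
    // meaningful inside this session, so URLs reveal nothing about
    // neighbouring records and a handle copied into another session
    // resolves to nothing.
    public static string HandleFor(HttpSessionState session, int realId)
    {
        var map = session[MapKey] as Dictionary<string, int>;
        if (map == null)
        {
            map = new Dictionary<string, int>();
            session[MapKey] = map;
        }

        foreach (KeyValuePair<string, int> kv in map)
            if (kv.Value == realId) return kv.Key;

        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        string handle = BitConverter.ToString(bytes).Replace("-", "");
        map[handle] = realId;
        return handle;
    }

    // Indirection is not authorisation. The ownership check runs on every
    // open, and "not yours" and "does not exist" get the same answer so the
    // response never confirms that a record exists.
    public static Document Open(HttpSessionState session, IPrincipal user, string handle)
    {
        var map = session[MapKey] as Dictionary<string, int>;
        int realId;
        if (map == null || handle == null || !map.TryGetValue(handle, out realId))
            throw new HttpException(404, "No such document");

        Document doc;
        if (!Store.TryGetValue(realId, out doc))
            throw new HttpException(404, "No such document");

        bool allowed = user.Identity.IsAuthenticated &&
            (string.Equals(doc.Owner, user.Identity.Name, StringComparison.OrdinalIgnoreCase)
             || user.IsInRole("Administrators"));
        if (!allowed)
            throw new HttpException(404, "No such document");

        return doc;
    }
}
```

The map is the convenience; the check in Open is the control. Dropping the second because the first "hides" the ids is exactly the security-by-obscurity the earlier slide warns against.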
3 – Malicious File Execution

Malicious File Execution
• Remove the Scripting IIS permission
• Store uploads outside the application root
• Never believe the MIME type for uploads
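An added example (not from the slides) of the second and third bullets: uploads are checked against the first bytes of the content rather than the client-supplied ContentType, renamed to a name the server chose, stored on a path outside the application root, and served back only through code that sets the headers itself. The store path, accepted types and class names are this example's assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public static class UploadStore
{
    // Outside the application root, so nothing IIS maps to a script handler
    // can ever reach what is stored here. Path is this example's assumption.
    private static readonly string StoreRoot = @"D:\AppUploads";

    // What each accepted type really starts with. The ContentType header and
    // the file name both come from the client; the leading bytes do not lie.
    private static readonly Dictionary<string, byte[]> Signatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47 } },   // \x89PNG
            { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },         // JPEG SOI marker
            { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },   // %PDF
        };

    // Returns the name we generated; file.ContentType is never consulted and
    // file.FileName is used only to pick the extension to verify against.
    public static string Save(HttpPostedFile file)
    {
        if (file == null || file.ContentLength == 0)
            throw new HttpException(400, "No file");

        string ext = Path.GetExtension(file.FileName);
        byte[] expected;
        if (!Signatures.TryGetValue(ext, out expected))
            throw new HttpException(400, "File type not accepted");

        if (!StartsWith(file.InputStream, expected))
            throw new HttpException(400, "Content does not match file type");

        string storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        file.SaveAs(Path.Combine(StoreRoot, storedName));
        return storedName;
    }

    // Serving goes through code, never a direct URL: we pick the
    // Content-Type, force a download, and refuse anything that is not a
    // bare file name of the form we generate.
    public static void Serve(HttpResponse response, string storedName)
    {
        if (string.IsNullOrEmpty(storedName) || Path.GetFileName(storedName) != storedName)
            throw new HttpException(400, "Bad name");

        string full = Path.Combine(StoreRoot, storedName);
        if (!File.Exists(full))
            throw new HttpException(404, "Not found");

        response.Clear();
        response.ContentType = "application/octet-stream";
        response.AppendHeader("Content-Disposition", "attachment; filename=\"" + storedName + "\"");
        response.AppendHeader("X-Content-Type-Options", "nosniff");
        response.TransmitFile(full);
        response.End();
    }

    private static bool StartsWith(Stream s, byte[] magic)
    {
        var head = new byte[magic.Length];
        s.Position = 0;
        int read = s.Read(head, 0, head.Length);
        s.Position = 0;                       // SaveAs must read from the start
        if (read != magic.Length) return false;
        for (int i = 0; i < magic.Length; i++)
            if (head[i] != magic[i]) return false;
        return true;
    }
}
```

The signature check is a sanity check on the type, not a malware scan; the real protection is that the file is renamed, lives where no handler can execute it, and is always served as an attachment with a server-chosen Content-Type.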
2 – Injection Flaws

Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
• XPath
  – Use XsltContext
  – http://mvpxml.codeplex.com/
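An added example of the two SQL bullets, not code from the slides: the string-concatenated query as the "before" form, the parameterised query that replaces it, and a stored-procedure variant with the grants that take direct table access away from the application login. Table, column, procedure and login names are this example's assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Vulnerable ("before"): the caller's string becomes part of the SQL
    // text, so any SQL syntax it contains is executed as SQL, not matched
    // as data.
    public static DataTable FindByNameUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, Name FROM Users WHERE Name = '" + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Fixed: the SQL text is a constant and the value travels as a typed,
    // length-limited parameter, so it is only ever compared, never parsed.
    public static DataTable FindByNameSafe(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand("SELECT Id, Name FROM Users WHERE Name = @name", conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // "Remove direct SQL table access": the application login is granted
    // EXECUTE on stored procedures only, so even a flaw elsewhere in the
    // code cannot SELECT or UPDATE the tables directly. Run once as the
    // database owner (names are this example's assumptions):
    //
    //   CREATE PROCEDURE dbo.FindUserByName @name NVARCHAR(50) AS
    //     SELECT Id, Name FROM Users WHERE Name = @name;
    //   GRANT EXECUTE ON dbo.FindUserByName TO AppLogin;
    //   DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Users TO AppLogin;
    public static DataTable FindByNameViaProc(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand("dbo.FindUserByName", conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

A stored procedure only helps if it uses its parameters as parameters; one that builds a query string from them with EXEC or sp_executesql reintroduces the first form on the server side.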
1 – Cross Site Scripting

XSS
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=javasc ript:a&#1 08;ert('X&# 83;S')>

XSS
• All input is evil
• Work from white-lists, not black-lists
• Store un-encoded data in your database
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL encoding
  – Adds HTML attribute, JavaScript, JSON and VBScript encoding
• XSS Cheat Sheet http://ha.ckers.org/xss.html
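An added example (not from the slides or the AntiXSS project) of the defensive bullets: a white-list validator for one input field, raw values stored and encoded only at output with the encoder chosen by context, and an HttpOnly cookie. It uses the HttpUtility encoders that ship with ASP.NET; the field names, the regular expression and the cookie name are this example's own.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class SafeOutput
{
    // White-list for a display name: letters, digits, space and a few
    // punctuation marks, bounded in length. Anything else is rejected
    // outright; "cleaning" it would be a black-list in disguise.
    private static readonly Regex DisplayName =
        new Regex(@"^[\p{L}\p{N} .'\-]{1,40}$", RegexOptions.Compiled);

    public static bool IsValidDisplayName(string value)
    {
        return value != null && DisplayName.IsMatch(value);
    }

    // One encoder per output context. Using the HTML-body encoder for an
    // attribute or a URL is the classic mistake. (AntiXSS adds the
    // JavaScript, JSON and VBScript encoders HttpUtility does not have.)
    public static string ForHtmlBody(string value)      { return HttpUtility.HtmlEncode(value); }
    public static string ForHtmlAttribute(string value) { return HttpUtility.HtmlAttributeEncode(value); }
    public static string ForUrlParameter(string value)  { return HttpUtility.UrlEncode(value); }

    // A link whose query value is user data: URL-encode it for the query
    // string, then attribute-encode the whole href because it sits inside
    // quotes, and body-encode the visible text.
    public static string ProfileLink(string displayName)
    {
        string href = "/profile.aspx?name=" + ForUrlParameter(displayName);
        return "<a href=\"" + ForHtmlAttribute(href) + "\">" + ForHtmlBody(displayName) + "</a>";
    }

    // HttpOnly keeps the cookie out of document.cookie, so script that gets
    // in despite the above cannot read the session id; Secure keeps it off
    // plain HTTP.
    public static HttpCookie SessionCookie(string value)
    {
        var cookie = new HttpCookie("app_session", value);
        cookie.HttpOnly = true;
        cookie.Secure = true;
        return cookie;
    }
}
```

Run the slide's first vector through ForHtmlBody and the angle brackets come back as &lt; and &gt;, so the browser shows the text instead of evaluating a tag. Older framework versions do not encode the apostrophe in HtmlEncode, which is one reason the slide points at AntiXSS. For the framework's own cookies (forms authentication, session) the same HttpOnly setting is applied site-wide with <httpCookies httpOnlyCookies="true" /> in web.config.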
The OWASP Top Ten
• Failure to restrict URL access
• Insecure Communications
• Insecure Cryptographic Storage
• Broken Authentication / Session Management
• Information Leakage
• Cross Site Request Forgery
• Insecure Direct Object Reference
• Malicious File Execution
• Injection Flaws
• Cross Site Scripting

Resources
• AntiXSS - http://www.codeplex.com/AntiXSS
• AntiCSRF - http://www.codeplex.com/AntiCSRF
• P&P Guidance Explorer - http://www.codeplex.com/guidanceExplorer
• Fiddler – http://www.fiddlertool.com
• TamperData – https://addons.mozilla.org/en-US/firefox/addon/966

Questions