Don't Get Stung
Upcoming SlideShare
Loading in...5
×
 

Don't Get Stung

on

  • 1,040 views

An introduction to the OWASP Top Ten Vulnerability List.

An introduction to the OWASP Top Ten Vulnerability List.

Statistics

Views

Total Views
1,040
Views on SlideShare
1,040
Embed Views
0

Actions

Likes
0
Downloads
5
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Don't Get Stung Don't Get Stung Presentation Transcript

  • Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans MVP – Developer Security
  • Contents • OWASP Top Ten • http://www.owasp.org • A worldwide free and open community focused on improving the security of application software
  • Introduction • Do not try this at home. Or at work. • These are not just ASP.NET vulnerabilities • If you don’t want to ask public questions ... barryd@idunno.org / http://idunno.org
  • 10 – Failure to restrict URI access
  • Failure to restrict URI access • Security by obscurity is useless • Restrict via ASP.NET • Integrated pipeline restricts everything • Use [PrincipalPermission] to protect yourself
  • 9 – Insecure Communications
  • Insecure Communications • Use SSL • Protection communications between web server and backend systems (SSL, IPSEC etc.) • Replay attacks
  • 8 – Insecure Cryptographic Storage
  • Insecure Cryptographic Storage • Symmetric – same key • Asymmetric – public/private keys • Use safe algorithms – Hashing : SHA256 Symmetric: AES Asymmetric: CMS/PKCS#7 • Encrypt then sign
  • Insecure Cryptographic Storage • Use symmetric when – All systems are under your control – No need to identify who did the encryption • Use asymmetric when – Talking/accepting from external systems – Non-repudiation on who encrypted/signed (X509) – All in memory! • Combine the two for speed and security
  • Insecure Cryptographic Storage • Do not reuse keys for different purposes • Store keys outside the main database • Use CryptGenRandom for random numbers • Use & rotate salts • Use unique IVs • DAPI can provide a key store
  • 7 - Broken Authentication/Sessions
  • Broken Authentication/Sessions • Don’t roll your own! • Validate sessions on every request Check the browser string
  • 6 – Information Leakage
  • Information Leakage • Don’t show raw errors • Catch errors “properly” • Don’t upload PDBs or debug assemblies • Encrypt web.config parts • Encrypt ViewState - • Watch your CSS! • For Ajax UpdatePanels are more secure • Turn off meta data in web services
  • 5 – Cross Site Request Forgery
  • Cross Site Request Forgery • Lock ViewState using ViewStateUserKey – Needs a way to identify user – Set in Page_Init • Use a CSRF token – http://anticsrf.codeplex.com • Encourage users to log out • GET requests must be idempotent • When is a postback not a postback?
  • 4 – Insecure Direct Object Reference
  • Insecure Direct Object Reference • Use indirect objection references • Always check access permissions
  • 3 – Malicious File Execution
  • Malicious File Execution • Remove Scripting IIS permission • Store outside of application root • Never believe the MIME type for uploads
  • 2 – Injection Flaws
  • Injection Flaws • SQL – Use SQL parameters – Remove direct SQL table access • Xpath – Use XsltContext – http://mvpxml.codeplex.com/
  • 1 – Cross Site Scripting
  • XSS • <IMG SRC=javascript:alert('XSS')> • <IMG SRC=JaVaScRiPt:alert('XSS')> • <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99; &#114;&#105;&#112;&#116;&#58;&#97;&#1 08;&#101;&#114;&#116;&#40;&#39;&#88;&# 83;&#83;&#39;&#41;>
  • XSS • All input is evil • Work from white-lists not black-lists. • Store un-encoded data in your database • Use HttpOnly cookies • AntiXSS project http://antixss.codeplex.com – Better HTML/URL Encoding – Adds HTML Attribute,Javascript,JSON,VBScript • XSS Cheat Sheet http://ha.ckers.org/xss.html
  • The OWASP Top Ten • Failure to restrict URL access • Insecure Communications • Insecure Cryptographic Storage • Broken Authentication / Session Management • Information Leakage • Cross Site Request Forgery • Insecure Direct Object Reference • Malicious File Execution • Injection Flaws • Cross Site Scripting
  • Resources • AntiXSS - http://www.codeplex.com/AntiXSS • AntiCSRF - http://www.codeplex.com/AntiCSRF • P&P Guidance Explorer - http://www.codeplex.com/guidanceExplorer • Fiddler – http://www.fiddlertool.com • TamperData – https://addons.mozilla.org/en-US/firefox/addon/966
  • Questions