Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Don't get stung - an introduction to the OWASP Top 10
1. Don’t get Stung(An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
2. Contents OWASP Top Ten http://www.owasp.org A worldwide free and open community focused on improving the security of application software
3. Introduction Do not try this at home. Or at work. These are not just ASP.NET vulnerabilities If you don’t want to ask public questions ...barryd@idunno.org / http://idunno.org
5. Unvalidated Redirect and Forwards Users don’t check the address bar MVC authentication (pre-3.0) is vulnerable. Check the ReturnUrlparameter – http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
7. Insufficient Transport Layer Protection Use SSL Protection communications between web server and backend systems (SSL, IPSEC etc.) Replay attacks – use time limited tokens
9. Failure to restrict URI access Security by obscurity is useless Restrict via ASP.NET – no rolling your own! Integrated pipeline restricts everything Use [PrincipalPermission] to protect yourself IIS7 replaces file ACLs with a web.config based authorization list.
11. Insecure Cryptographic Storage Symmetric – same key Asymmetric – public/private keys Use safe algorithms –Hashing : SHA256Symmetric: AESAsymmetric: CMS/PKCS#7 Encrypt then sign
12. Insecure Cryptographic Storage Use symmetric when All systems are under your control No need to identify who did the encryption Use asymmetric when Talking/accepting from external systems Non-repudiation on who encrypted/signed (X509) All in memory – so no large plain tex! Combine the two for speed and security
13. Insecure Cryptographic Storage Do not reuse keys for different purposes Store keys outside the main database Use CryptGenRandom for random numbers Use & rotate salts Use unique IVs DAPI can provide a key store
19. Cross Site Request Forgery WebForms Lock ViewState using ViewStateUserKey Needs a way to identify user Set in Page_Init Use a CSRF token – http://anticsrf.codeplex.com MVC<%= Html.AntiForgeryToken() %> - in form[ValidateAntiForgeryToken] – on action method Encourage users to log out When is a postback not a postback?
21. Insecure Direct Object Reference Use indirect object references Always check access permissions For MVC don’t allow binding to your ID field[Bind(Exclude="id")]
26. XSS All input is evil Work from white-lists not black-lists. Store un-encoded data in your database Use HttpOnly cookies AntiXSS project http://antixss.codeplex.com Better HTML/URL Encoding Adds HTML Attribute, Javascript, VBScript XSS Cheat Sheet http://ha.ckers.org/xss.html
28. Injection Flaws SQL Use SQL parameters Remove direct SQL table access When building SQL strings within SPs parameterise those too! Xpath Use XsltContext http://mvpxml.codeplex.com/
29. Injection Flaws DECLARE @cmd= 'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last' EXEC @cmd, N'@firstnvarchar(25), @last nvarchar(25)', @first, @last
30. Changes from 2007 Malicious File Execution Information Leakage / Improper Error Handling Security Misconfiguration Un-validated Redirects and Forwards
31. The OWASP Top Ten A1-Injection A2-Cross Site Scripting (XSS) A3-Broken Authentication and Session Management A4-Insecure Direct Object References A5-Cross Site Request Forgery (CSRF) A6-Security Misconfiguration A7-Insecure Cryptographic Storage A8-Failure to Restrict URL Access A9-Insufficient Transport Layer Protection A10-Unvalidated Redirects and Forwards