Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India
Varun - Subtle Security Flaws - ClubHack2007
Speaker notes:
  • I will be presenting five subtle and interesting flaws in applications.
  • Sites that do not have knowledge of IT and do not want to create e-commerce apps rely on Central payment sites.

Slide 2 (Agenda)
<ul>
<li>Flaw 1: Custom Authentication</li>
<li>Flaw 2: Lack of Rule based Authorization</li>
<li>Flaw 3: Black list input validation</li>
<li>Flaw 4: Improper use of Crypto</li>
<li>Flaw 5: App layer DOS attack</li>
</ul>

Slide 3 (Flaw 1: Custom Authentication)
<ul>
<li>Site implements custom forms authentication</li>
<li>Buggy code</li>
<li>Demo</li>
</ul>

Slide 4 (Flaw 1: Principles)
<ul>
<li>Use well known and time tested, system provided methods for authentication.</li>
<li>Avoid writing custom authentication code.</li>
</ul>

Slide 5 (Flaw 2: Lack of Rule based Authorization)
<ul>
<li>Authorization implemented by disabling UI</li>
<li>Rule based authorization not considered</li>
<li>Demo</li>
</ul>

Slide 6 (Flaw 2: Principles)
<ul>
<li>Do not rely on UI for authorization</li>
<li>Disabled buttons are not authorization</li>
<li>Consider rule based authorization in your design</li>
</ul>

Slide 7 (Flaw 3: Black list input validation)
<ul>
<li>Only a set of bad characters is checked for</li>
<li>Becomes vulnerable in special situations</li>
<li>Demo</li>
</ul>

Slide 8 (Flaw 3: Principles)
<ul>
<li>Validate for valid allowed values (white list)</li>
<li>If white list validation is not possible,
<ul>
<li>Encode to prevent XSS</li>
<li>Parameterize to prevent SQL Injection…</li>
</ul>
</li>
</ul>
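The three principles of slide 8 side by side, as an added Python example (not the talk's demo code): a blacklist check of the kind slide 7 warns about, a whitelist validator for a username, HTML encoding for free text that cannot be whitelisted, and a parameterized query. The username pattern, the blacklist entries and the sqlite table are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed example, not the talk's demo code. Shows the three principles
# from the slide: whitelist first; where that is impossible, encode for HTML
# output and parameterize SQL so the value never becomes part of the query.

BLACKLIST = ("<script", "'", "--")   # the "bad characters" style of check


def blacklist_ok(value: str) -> bool:
    """Flaw 3 style check: only a fixed list of 'bad' strings is rejected."""
    return not any(bad in value for bad in BLACKLIST)


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")   # assumed username rule


def whitelist_ok(value: str) -> bool:
    """Accept only what a username is allowed to look like; everything else fails."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(name: str) -> str:
    """Free text that cannot be whitelisted: HTML-encode it for output (XSS)."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def find_user(conn: sqlite3.Connection, name: str):
    """Parameterized query: the value is bound, never spliced into the SQL text."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    # A case variation is enough to slip past the lowercase blacklist entry,
    # while the whitelist rejects it simply because it is not a valid username.
    tricky = "<SCRIPT>alert(1)</SCRIPT>"
    results = {
        "blacklist_passes_tricky": blacklist_ok(tricky),
        "whitelist_rejects_tricky": not whitelist_ok(tricky),
        "encoded": render_greeting(tricky),
        "param_query_rows": find_user(conn, "alice' OR '1'='1"),
    }
    conn.close()
    return results
```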
Slide 9 (Flaw 4: Improper use of Crypto)
<ul>
<li>Not knowing what services are provided by what mechanisms
<ul>
<li>For example, what services do Digital Signatures provide?</li>
</ul>
</li>
<li>Demo</li>
</ul>

Slide 10 (Flaw 4: diagram) Product 1's Site, Product 2's Site and Product 3's Site each send a Signed XML POST to the Central Payment Site.

Slide 11 (Flaw 4: Principles)
<ul>
<li>Know what service each mechanism provides</li>
<li>Do not implement crypto mechanisms yourself</li>
<li>Use system provided methods</li>
</ul>
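An added illustration of slide 9's question for the signed XML POST of slide 10 (not the talk's demo): a signature gives the central payment site integrity and origin authentication, but it does not hide the payload and it does not by itself tell a fresh message from a replayed one. To stay within the standard library a shared-secret HMAC stands in for the digital signature; the three properties shown hold for real signatures as well. The key, message id attribute and card number are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Added illustration, not the talk's demo. An HMAC stands in for the digital
# signature (stdlib only); the properties shown are the same for signatures:
# integrity yes, confidentiality no, freshness/replay protection no.
SHARED_KEY = b"constructed-demo-key"   # hypothetical key for the example


def sign(xml_text: str) -> str:
    return hmac.new(SHARED_KEY, xml_text.encode(), hashlib.sha256).hexdigest()


def verify(xml_text: str, tag: str) -> bool:
    return hmac.compare_digest(sign(xml_text), tag)


class PaymentSite:
    """Central payment site: checks the tag, then rejects replays by message id."""

    def __init__(self):
        self.seen_ids = set()

    def receive(self, xml_text: str, tag: str) -> str:
        if not verify(xml_text, tag):
            return "rejected: tampered or unsigned"   # integrity: provided
        msg_id = ET.fromstring(xml_text).get("id")     # assumed id attribute
        if msg_id in self.seen_ids:
            return "rejected: replay"   # the signature alone would accept this
        self.seen_ids.add(msg_id)
        return "accepted"


def demo():
    # Constructed signed XML POST from a product site (test card number).
    order = ('<payment id="p-1001" product="2"><amount>500</amount>'
             '<card>4111-0000-0000-0002</card></payment>')
    tag = sign(order)
    site = PaymentSite()
    return {
        "genuine": site.receive(order, tag),
        "tampered": site.receive(order.replace("500", "5"), tag),
        # Signing does not encrypt: the card number travels readable.
        "card_visible_in_transit": "4111" in order,
        "replayed": site.receive(order, tag),
    }
```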
Slide 12 (Flaw 5: App layer DOS attack) Book movie ticket: Screen 1 for User 1

Slide 13 Book movie ticket: Screen 2 for User 1. "You have 7 minutes left. Enter Payment details: Name, Credit Card Number, Address, … Click to Book"

Slide 14 Book movie ticket: Screen 1 for User 2

Slide 15 Book movie ticket: Screen 1 for User 2 after 7 minutes

Slide 16 (Flaw 5: Principles)
<ul>
<li>Use CAPTCHA to avoid automated attacks</li>
<li>Design with security in mind</li>
</ul>
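The booking walkthrough of slides 12 to 15 as an added Python model (not the talk's demo code), with the 7-minute hold from screen 2: without any limit a scripted client can hold every seat for the whole window and User 2 sees nothing free until it expires, while a per-client hold cap (an assumed mitigation in the spirit of "design with security in mind", complementing the CAPTCHA the slide recommends) bounds the damage. The seat list and cap value are constructed.

```python
HOLD_SECONDS = 7 * 60                    # the 7-minute window shown on the slides
SEATS = ["A1", "A2", "A3", "A4", "A5"]   # constructed sample hall


class Booking:
    """Seat holds that expire after HOLD_SECONDS. With limit_per_client=None
    this is the unprotected design: reaching screen 2 holds the seat, paid or not."""

    def __init__(self, seat_ids, limit_per_client=None):
        self.seats = {s: None for s in seat_ids}   # seat -> (client, held_until)
        self.limit = limit_per_client              # assumed mitigation, not from the talk

    def _expire(self, now):
        for s, h in self.seats.items():
            if h is not None and h[1] <= now:
                self.seats[s] = None

    def hold(self, client, seat_id, now):
        self._expire(now)
        active = sum(1 for h in self.seats.values() if h and h[0] == client)
        if self.limit is not None and active >= self.limit:
            return "denied: hold limit"
        if self.seats[seat_id] is not None:
            return "unavailable"
        self.seats[seat_id] = (client, now + HOLD_SECONDS)
        return "held"

    def free_seats(self, now):
        self._expire(now)
        return [s for s, h in self.seats.items() if h is None]


def demo():
    # One scripted client reaches screen 2 for every seat without ever paying.
    open_design = Booking(SEATS)
    for s in SEATS:
        open_design.hold("script", s, now=0)
    capped = Booking(SEATS, limit_per_client=2)
    capped_results = [capped.hold("script", s, now=0) for s in SEATS]
    return {
        "open_free_for_user2": open_design.free_seats(now=60),          # slide 14
        "open_free_after_7_min": open_design.free_seats(now=HOLD_SECONDS),  # slide 15
        "capped_script_results": capped_results,
        "capped_free_for_user2": capped.free_seats(now=60),
    }
```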