Security of Web Applications: Top 6 Risks To Avoid
A modest Web application security introduction to .NET developers.

Published in: Technology
Transcript

  • 1. Security of Web Applications: TOP 6 RISKS TO AVOID
  • 2. Console.WriteLine("Hello World");
    I'm Audrius Kovalenko, .NET Developer. Hack for fun. @slicklash http://www.notreallycode.com
  • 3. Forecasts for Upcoming Years: VERY CLOUDY. SaaS GROWTH. WEB APPLICATIONS IN HIGH DEMAND.
  • 4. Web Application Security Today: Distribution of Attack Methods in 2011 (chart). Source: Web Hacking Incident Database (WHID)
  • 5. Puzzle: How to pour all the liquid into the glass?
  • 6. IMPOSSIBLE. Everyone knows it.
  • 7. How to deliver a secure product knowing little about application security? If that's my bag, whose bag is it then?
    (word cloud: CSRF, XSS, SQLi, Agile, TDD, REST, DI, Design Patterns, Refactoring, Builder vs Breaker, Bruce Schneier, Steve Freeman, Martin Fowler, Kent Beck, Troy Hunt, HD Moore, Michał Zalewski)
  • 8. Problem: We don't know what we don't know.
  • 9. The Unknowns: WHAT TO LOOK FOR? WHAT ARE THE MAJOR RISKS? WHAT ARE THE COUNTERMEASURES?
  • 10. CWE/SANS Top 25 Most Dangerous Software Errors: https://cwe.mitre.org/top25
  • 11. Open Web Application Security Project OWASP https://www.owasp.org
  • 12. What is a risk anyway?
  • 13. The OWASP Top 10: 6 Web Risks
    A1 INJECTION
    A2 CROSS SITE SCRIPTING (XSS)
    A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
    A4 INSECURE DIRECT OBJECT REFERENCES
    A5 CROSS SITE REQUEST FORGERY (CSRF)
    A6 SECURITY MISCONFIGURATION
  • 14. Injections: Breaking out of a data context into a code context. Why is SQLi still around?
  • 15. Injections (2)
    // The raw query-string value is spliced straight into the SQL text
    var catId = Request.QueryString["Category"];
    var sql = "SELECT * FROM Products WHERE [CategoryId] = " + catId;
  • 16. Anti-Injection: ORM. PARAMETERIZED QUERIES. DON'T BE LAZY.
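As an added example (not from the slides), the query on slide 15 rewritten with a typed, parameterized command, and the same lookup through an ORM; the connection string name "Shop", the ShopContext EF context and the Products(Name, CategoryId) columns are assumptions:

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web.Mvc;

// Added example, not from the slides. "Shop", ShopContext and the
// Products(Name, CategoryId) schema are assumptions.
public class ProductsController : Controller
{
    // Parameterized: the SQL text is fixed and the value travels separately,
    // so nothing in the query string can change the statement's shape.
    public ActionResult ListParameterized()
    {
        int catId;
        if (!int.TryParse(Request.QueryString["Category"], out catId))
            return HttpNotFound(); // reject anything that is not an integer

        var names = new List<string>();
        var connStr = ConfigurationManager.ConnectionStrings["Shop"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "SELECT [Name] FROM Products WHERE [CategoryId] = @CategoryId", conn))
        {
            cmd.Parameters.Add("@CategoryId", SqlDbType.Int).Value = catId;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return View(names);
    }

    // ORM: LINQ to Entities emits a parameterized query itself; with a typed
    // int there is no string for user input to break out of.
    public ActionResult ListOrm()
    {
        int catId;
        if (!int.TryParse(Request.QueryString["Category"], out catId))
            return HttpNotFound();

        using (var db = new ShopContext()) // assumed EF DbContext with a Products DbSet
        {
            var names = db.Products
                .Where(p => p.CategoryId == catId)
                .Select(p => p.Name)
                .ToList();
            return View(names);
        }
    }
}
```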
  • 17. Cross Site Scripting (XSS)
    Injection of client-side code into Web pages viewed by other users.

    public static MvcHtmlString DeviceInfoEvil(this HtmlHelper helper)
    {
        // Raw User-Agent header concatenated into markup with no encoding
        string s = "<span>" + helper.ViewContext.HttpContext.Request.UserAgent + "</span>";
        return MvcHtmlString.Create(s);
    }
    [...]
    Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5;)<script>alert(1);</script>
    [...]
    public static MvcHtmlString DeviceInfoGood(this HtmlHelper helper)
    {
        // TagBuilder.SetInnerText HTML-encodes the value before it reaches the page
        TagBuilder userAgent = new TagBuilder("span");
        userAgent.SetInnerText(helper.ViewContext.HttpContext.Request.UserAgent);
        return MvcHtmlString.Create(userAgent.ToString());
    }
  • 18. Cross Site Request Forgery (CSRF)
    Forged requests executed by tricking an authenticated victim.
    <img src="https://bank.com/smth?param=1" />
    <iframe src="https://bank.com/smth?param=1" />
    <body onload="document.forms[0].submit()">
      <form method="post" action="https://bank.com/smth">
        <input type="hidden" name="param" value="1" />
      </form>
    </body>
  • 19. Anti-XSS: INPUT FILTERING. OUTPUT FILTERING. MICROSOFT AntiXSS. ANTIFORGERY TOKENS.
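As an added example (not from the slides), the ASP.NET MVC antiforgery token pair that defends a state-changing form like the one on slide 18; the AccountController, the Transfer action and the parameter name are assumptions:

```csharp
using System.Web.Mvc;

// Added example, not from the slides. Controller, action and parameter names
// are assumptions. The matching Razor view (Views/Account/Transfer.cshtml):
//
//   @using (Html.BeginForm("Transfer", "Account", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()   // hidden __RequestVerificationToken field,
//       @Html.TextBox("param")     // paired with a cookie of the same name
//       <input type="submit" value="Send" />
//   }
public class AccountController : Controller
{
    // GET only renders the form and changes nothing, so an <img> or <iframe>
    // pointed at this URL (slide 18) has no effect on the account.
    [Authorize]
    [HttpGet]
    public ActionResult Transfer()
    {
        return View();
    }

    // The state change happens only on POST. [ValidateAntiForgeryToken]
    // requires the hidden field to match the antiforgery cookie; a form served
    // from another site cannot read that cookie, so it cannot supply a matching
    // field and the request is rejected before the action body runs.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(string param)
    {
        // ... perform the operation on behalf of User.Identity.Name ...
        return RedirectToAction("Transfer");
    }
}
```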
  • 20. Broken Authentication and Session Management
    Poor implementation of authentication and session management.
    6.5 MILLION HASHES, PLAIN SHA1 (June 2012)
    450 000 PASSWORDS, PLAIN TEXT (July 2012)
  • 21. Be careful
    DON'T REINVENT THE WHEEL
    NO HARDCODED "SHORTCUTS" (use #if DEBUG)
    OUTPUT FILTERING
    HASH + SALT + STRETCHING (bcrypt/scrypt)
    TLS (https://www.cookiecadger.com)
  • 22. Insecure Direct Object References: Unauthorized access through an exposed reference to an internal implementation object. MASS ASSIGNMENT VULNERABILITY
  • 23. Insecure Direct Object References (2)
    public class User
    {
        public string UserName { get; set; }
        public bool IsAdmin { get; set; }
    }

    [Authorize]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult UpdateUser(User model)
    {
        if (ModelState.IsValid)
        {
            // The record is chosen by the posted UserName, not by the caller's identity
            var user = db.Users.Single(u => u.UserName == model.UserName);
            // TryUpdateModel binds every posted field onto the entity, IsAdmin included
            if (TryUpdateModel(user))
            {
                db.SaveChanges();
            }
        }
        return View();
    }
  • 24. Insecure Direct Object References (3)
    public ActionResult UpdateUser([Bind(Exclude="IsAdmin")] User model) // Black Listing - NO
    [...]
    public ActionResult UpdateUser([Bind(Include="UserName")] User model) // White Listing - OK
    [...]
    public class UserViewModel // Secure by Design - BEST
    {
        public string UserName { get; set; }
    }
  • 25. Countermeasures: NO COPY-PASTE. ACCESS CHECKS. CODE REVIEWS.
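As an added example (not from the slides), slide 23's UpdateUser rewritten with the "Secure by Design" view model from slide 24 and the ACCESS CHECKS countermeasure from slide 25; the AppDbContext type and the DisplayName column are assumptions:

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Added example, not from the slides. The EF context type, its Users set and
// the DisplayName column are assumptions.
public class UserViewModel // only the fields a user is allowed to send
{
    public string UserName { get; set; }
    public string DisplayName { get; set; }
}

public class UsersController : Controller
{
    readonly AppDbContext db = new AppDbContext(); // assumed EF DbContext

    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult UpdateUser(UserViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Access check: the posted UserName is a direct object reference, so it
        // is compared against the authenticated identity before anything is loaded.
        if (!string.Equals(model.UserName, User.Identity.Name,
                           StringComparison.OrdinalIgnoreCase))
            return new HttpUnauthorizedResult();

        // Load by the trusted identity, not by the posted value.
        var user = db.Users.Single(u => u.UserName == User.Identity.Name);

        // Copy fields explicitly instead of TryUpdateModel(user): IsAdmin has no
        // counterpart on the view model, so no posted value can reach it.
        user.DisplayName = model.DisplayName;
        db.SaveChanges();

        return RedirectToAction("Index");
    }
}
```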
  • 26. Security Misconfiguration: Improper application configuration.
  • 27. Web.Config Security Analyzer https://sourceforge.net/projects/wcsa
  • 28. Introducing it in development? DEDICATED PERSON. SPECIAL TRAINING. SELF TRAINING: LEARN, PRACTICE, UNDERSTAND.
  • 29. Common Excuses: NO ONE WILL HACK US (ignorance). TIGHT DEADLINES (budget).
  • 30. The Real Issue: WRONG PERSON IN WRONG PLACE. Architect. Manager. Lazy Co-Worker.
  • 31. Security is hard, but possible when you know.
  • 32. Don't forget: Drowning is your personal problem.
  • 33. Further Reading
  • 34. Highly Recommended: ACADEMIC. HACKER. ENTERPRISE. (book covers)
  • 35. Learning From The Breakers: Hacking Illustrated, video from security conferences. http://www.irongeek.com
