
OWASP Top 10 No-No's



The Open Web Application Security Project (OWASP) periodically publishes, amongst others, a top 10 awareness document containing the 10 most commonly found code-related web application vulnerabilities. In this session, Ioannis Stavrinides (MCTS, MCPD, MCITP, MCSA and MCSE) introduces and briefly explains these top 10 vulnerabilities, with simple code samples and best practices on how to avoid such issues.

This presentation was delivered in one of the Cyprus .NET User Group's offline events. For more info please visit:



2. The speaker
   • Currently at Printec (Cyprus) – Senior Technical Analyst
   • MCSE (Private Cloud), MCSA (Windows Server), MCPD (Web), MCTS (SQL)
   • Security enthusiast
   • @indigocy
   • – Development
   • – Security and more

3. What is OWASP
   • Open Web Application Security Project
   • Not-for-profit organization focused on improving the security of software
   • Regularly releases the OWASP Top 10 list of the most common vulnerabilities in web applications
   • Last release 2010; the 2013 Release Candidate is available

4. The list (2010)
   • Injection
   • Cross-Site Scripting (XSS)
   • Broken Authentication and Session Management
   • Insecure Direct Object References
   • Cross-Site Request Forgery (CSRF)
   • Security Misconfiguration
   • Insecure Cryptographic Storage

5. The list (2010) – cont.
   • Failure to Restrict URL Access
   • Insufficient Transport Layer Protection
   • Unvalidated Redirects and Forwards

6. Injection
   • Allowing untrusted data to be sent to an interpreter (SQL, LDAP, OS commands) as part of a command or query
   • Demo

7. Injection – Mitigations
   • Input sanitization
       • Regular expressions to create white lists
   • Parameterized stored procedures
   • Named parameters in queries
       • SELECT * FROM Products WHERE Id = @Id
   • LINQ
       • dc.Products.Where(p => p.Name.Contains(<val>))
   • Principle of least privilege

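The following C# is an added example, not code from the slides or the speaker's demo. It puts the concatenated query beside the parameterised form the slide recommends (WHERE Id = @Id) and adds a regular-expression white list for a free-text search term. The connection string, the Products table and its Id/Name columns are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ProductQueries
{
    // VULNERABLE: the user-controlled string becomes part of the statement,
    // so an input like "1 OR 1=1" rewrites the query instead of being an id.
    public static SqlCommand UnsafeById(SqlConnection conn, string id)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT * FROM Products WHERE Id = " + id;
        return cmd;
    }

    // SAFE: the value is bound to the named parameter @Id and sent to SQL
    // Server separately from the statement text, typed as an int.
    public static SqlCommand SafeById(SqlConnection conn, int id)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT * FROM Products WHERE Id = @Id";
        cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
        return cmd;
    }

    // White list for a free-text search term: letters, digits, spaces, dot and
    // hyphen, 1 to 50 characters. Input that does not match is rejected, not
    // "cleaned up"; the LIKE wildcards % and _ are deliberately not allowed.
    private static readonly Regex SearchTerm = new Regex(@"^[A-Za-z0-9 .\-]{1,50}$");

    public static bool IsValidSearchTerm(string term) =>
        term != null && SearchTerm.IsMatch(term);

    // Parameterised LIKE search: the application wraps the bound value in
    // wildcards, but the term itself is never concatenated into the SQL text.
    public static SqlCommand SafeByNameFragment(SqlConnection conn, string fragment)
    {
        if (!IsValidSearchTerm(fragment))
            throw new ArgumentException("Search term rejected by white list.", nameof(fragment));

        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT * FROM Products WHERE Name LIKE @Pattern";
        cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 52).Value = "%" + fragment + "%";
        return cmd;
    }

    public static void Main()
    {
        // Constructed connection string; nothing is opened here.
        using (var conn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true"))
        {
            Console.WriteLine(SafeById(conn, 42).CommandText);            // ... WHERE Id = @Id
            Console.WriteLine(IsValidSearchTerm("blue widget"));          // True
            Console.WriteLine(IsValidSearchTerm("' OR 1=1 --"));          // False
            Console.WriteLine(UnsafeById(conn, "1 OR 1=1").CommandText);  // the rewritten statement
        }
    }
}
```

The LINQ bullet on the slide gets the same protection for free: LINQ to SQL and Entity Framework translate `p.Name.Contains(val)` into a parameterised LIKE, so the value never touches the SQL text. The white list still matters because it bounds what reaches the database at all, and least privilege (a login that can only SELECT from Products) limits what a missed case can do.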
8. Cross-Site Scripting (XSS)
   • Allowing untrusted data into a page so that it runs as script in the user's browser
   • Demo

9. Cross-Site Scripting (XSS) – Mitigations
   • Validate all input
       • White lists (but be careful of encoded input!)
   • Use ASP.Net request validation
       • Do not set validateRequest = "false" in the Page directive or web.config
   • Encode HTML output
       • Server.HtmlEncode
   • Anti-XSS library (CodePlex)
   • Security Runtime Engine (SRE) – HTTP module
       • Map controls to encode automatically

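An added C# example (not from the slides) of the "encode HTML output" and "be careful of encoded input" points. It uses the System.Web encoders that Server.HtmlEncode wraps, shows that the encoder must match the output context, and validates a white-listed value only after fully URL-decoding it. The sample inputs are constructed.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;   // System.Web.dll, ASP.NET on the .NET Framework

public static class SafeOutput
{
    // VULNERABLE: untrusted input is written straight into the page body.
    public static string GreetUnsafe(string name) =>
        "<p>Hello " + name + "</p>";

    // HTML body context: Server.HtmlEncode is the same call as HttpUtility.HtmlEncode.
    public static string Greet(string name) =>
        "<p>Hello " + HttpUtility.HtmlEncode(name) + "</p>";

    // Attribute context: quote the attribute AND use the attribute encoder.
    public static string SearchBox(string previous) =>
        "<input name=\"q\" value=\"" + HttpUtility.HtmlAttributeEncode(previous) + "\">";

    // Script context: HtmlEncode is the wrong encoder here; the JavaScript
    // string encoder escapes quotes and '<' so the literal cannot be closed.
    public static string ScriptVar(string value) =>
        "<script>var q = '" + HttpUtility.JavaScriptStringEncode(value) + "';</script>";

    // The slide's caveat about encoded input: validate the DECODED value, and
    // decode until the string stops changing so double-encoding (%253C) does
    // not slip a '<' past the white list.
    private static readonly Regex PlainName = new Regex(@"^[A-Za-z' \-]{1,40}$");

    public static bool IsPlainName(string raw)
    {
        if (raw == null) return false;
        string decoded = raw, previous;
        int rounds = 0;
        do
        {
            previous = decoded;
            decoded = HttpUtility.UrlDecode(decoded);
        } while (decoded != previous && ++rounds < 3);
        return PlainName.IsMatch(decoded);
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string hostile = "<img src=x onerror=alert(1)>";
        Console.WriteLine(GreetUnsafe(hostile));            // markup reaches the browser as-is
        Console.WriteLine(Greet(hostile));                  // &lt;img src=x onerror=alert(1)&gt;
        Console.WriteLine(SearchBox("\" autofocus onfocus=alert(1) x=\""));  // quotes become &quot;
        Console.WriteLine(ScriptVar("';alert(1);//"));      // quote is escaped inside the literal
        Console.WriteLine(IsPlainName("Ioannis"));          // True
        Console.WriteLine(IsPlainName("%253Cscript%253E")); // False: decodes to <script>
    }
}
```

Request validation (left on, as the next slide says) rejects the obvious cases before the page runs, but it is a safety net, not the fix: output encoding in the right context is what makes the page safe regardless of what got in.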
10. Broken Authentication and Session Mgmt
   • Authentication and session management are incorrectly configured, exposing their details to an outsider
   • This allows the attacker to steal credentials or session tokens, or to exploit implementation flaws to gain access to the system
   • Demo

11. Broken Authentication and Session Mgmt – Mitigations
   • ASP.Net membership and role providers
       • Can handle everything authentication-related for a forms-based authentication web application
   • Encryption
       • Passwords should not be sent or stored in the clear
   • Password recovery should be done via email using one-time links
       • SMTP is not a secure protocol!

12. Insecure Direct Object Reference
   • Exposed references to internal implementation objects (e.g. files, database keys, dictionaries) without correct access rules
   • Demo

13. Insecure Direct Object Reference – Mitigations
   • Access control
       • WCF has a lot of ways to leverage an authorization model
   • Indirect reference map
       • Substitute an internal ID with a safe identifier (e.g. a GUID)
       • Do not use discoverable references (e.g. sequential identifiers)

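An added C# example, not from the slides, of the indirect reference map the slide describes: internal invoice keys are swapped for per-session GUIDs before they reach the browser, and the page still applies an ownership check when resolving them. The invoice ids, the URL shape and the ownership callback are constructed for illustration; in ASP.NET the map would live in Session.

```csharp
using System;
using System.Collections.Generic;

// Per-session indirect reference map: internal database keys never reach the
// browser; each one is swapped for a random GUID minted for this session.
public sealed class IndirectReferenceMap
{
    private readonly Dictionary<Guid, int> _toInternal = new Dictionary<Guid, int>();
    private readonly Dictionary<int, Guid> _toExternal = new Dictionary<int, Guid>();

    public Guid ToExternal(int internalId)
    {
        if (!_toExternal.TryGetValue(internalId, out Guid external))
        {
            external = Guid.NewGuid();            // random, not derivable from the internal id
            _toExternal[internalId] = external;
            _toInternal[external] = internalId;
        }
        return external;
    }

    public bool TryToInternal(Guid external, out int internalId) =>
        _toInternal.TryGetValue(external, out internalId);
}

public static class InvoicePage
{
    // Renders links for the invoices this user owns. Only these GUIDs ever
    // enter the map, so a tampered id cannot resolve to somebody else's row.
    public static IEnumerable<string> Links(IndirectReferenceMap map, IEnumerable<int> ownedInvoiceIds)
    {
        foreach (int id in ownedInvoiceIds)
            yield return "/Invoice?id=" + map.ToExternal(id).ToString("N");
    }

    // Resolves the requested id and STILL checks ownership (defence-in-depth):
    // the map stops enumeration, the access rule enforces authorisation.
    public static int? Resolve(IndirectReferenceMap map, string requestedId, Func<int, bool> userOwns)
    {
        if (!Guid.TryParse(requestedId, out Guid external)) return null;
        if (!map.TryToInternal(external, out int internalId)) return null;
        return userOwns(internalId) ? internalId : (int?)null;
    }

    public static void Main()
    {
        // Constructed data: the current user owns invoices 1001 and 1002 only.
        var owned = new List<int> { 1001, 1002 };
        var map = new IndirectReferenceMap();          // in ASP.NET: keep this in Session
        var links = new List<string>(Links(map, owned));
        links.ForEach(Console.WriteLine);

        string shown = links[0].Substring("/Invoice?id=".Length);
        Console.WriteLine(Resolve(map, shown, owned.Contains));                              // 1001
        Console.WriteLine(Resolve(map, "1003", owned.Contains) == null);                     // True: a raw key is not a valid reference
        Console.WriteLine(Resolve(map, Guid.NewGuid().ToString("N"), owned.Contains) == null); // True: unknown GUID
    }
}
```

The map alone only hides the keys; the ownership callback is what makes a leaked or shared GUID useless to another account, which is why the slide lists access control first.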
14. Cross-Site Request Forgery (CSRF)
   • Authentication information of a user logged on to an application is leveraged to send a forged HTTP request
   • Also known as the confused deputy problem
       • The deputy is a compilation service
       • Clients can specify input and output file names
       • A file named BILL contains billing info and is accessible only by the deputy
   • Demo

15. Cross-Site Request Forgery (CSRF) – Mitigations
   • One-Time Synchronized Token
       • One-time random value to validate a single request
   • Claims-based authentication can be leveraged
       • Secure Token Service (STS)
   • CAPTCHA (?)
       • Good because it mitigates automated CSRF attacks
       • Has issues of its own…

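An added C# example (not from the slides) of the one-time token: a random value is stored server-side, emitted in a hidden form field, and consumed on the first validation attempt so it cannot be replayed. The dictionary stands in for ASP.NET's Session and the field name is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class CsrfToken
{
    private const string SessionKey = "__csrf";

    // Issue a fresh 256-bit random token, remember it server-side and hand it
    // to the page for a hidden form field. `session` is the per-user
    // server-side store (HttpSessionState in ASP.NET).
    public static string Issue(IDictionary<string, object> session)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        session[SessionKey] = token;
        return token;
    }

    // Validate the submitted field against the stored value. The stored token
    // is removed on every attempt so it is single-use, and the comparison is
    // constant-time so timing cannot leak how many characters matched.
    public static bool Validate(IDictionary<string, object> session, string submitted)
    {
        if (!session.TryGetValue(SessionKey, out object stored)) return false;
        session.Remove(SessionKey);
        string expected = stored as string;
        if (expected == null || submitted == null) return false;
        return FixedTimeEquals(expected, submitted);
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Base64 contains no characters that need HTML-attribute encoding.
    public static string HiddenField(string token) =>
        "<input type=\"hidden\" name=\"__csrf\" value=\"" + token + "\">";

    public static void Main()
    {
        var session = new Dictionary<string, object>();   // constructed stand-in for Session
        string token = Issue(session);
        Console.WriteLine(HiddenField(token));
        Console.WriteLine(Validate(session, "forged-or-missing"));   // False, and the token is consumed
        token = Issue(session);
        Console.WriteLine(Validate(session, token));                 // True
        Console.WriteLine(Validate(session, token));                 // False: one-time, already used
    }
}
```

A site on another origin cannot read this value out of the victim's page, so a forged request arrives without it and is rejected. Issue a new token on each form render, and check it on every state-changing (POST) handler, not just the ones that seem important.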
16. Security Misconfiguration
   • All configurations of the application (application configuration, frameworks, web server configuration etc.) must be set up in a secure manner and updated when necessary
   • The tyranny of the default
   • Demo

17. Security Misconfiguration – Mitigations
   • Clearly defined update methods
   • Non-generic error messages
   • Do not expose trace information
   • Do not use debug binaries
   • Enable request validation
   • Principle of least privilege
   • …

18. Insecure Cryptographic Storage
   • Sensitive data not properly secured
   • Demo

19. Insecure Cryptographic Storage – Mitigations
   • Do not use your own encryption
       • Proprietary does not mean secure
       • Encryption algorithms are vetted by extremely clever people before use
       • Again, if you were that smart, you wouldn't be developing web applications
   • Hashes must be salted
   • ASP.Net membership provider
   • Good key management

20. Failure to Restrict URL Access
   • Links to pages are rendered only after checking for access; the same check must also be done when the page itself is requested
   • Demo

21. Failure to Restrict URL Access – Mitigations
   • Access control on each page
       • Just because it is hidden doesn't mean it is secure
   • Apply principal permission to your classes and methods
       • Defence-in-depth
   • Do not use your own security model

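An added C# example (not from the slides) of "apply principal permission to your classes and methods": a declarative PrincipalPermission demand on a class means every call checks the current principal's role, whether or not any page links to it. The role name, the identities and the report class are constructed; PrincipalPermissionAttribute is enforced on the .NET Framework, where ASP.NET sets Thread.CurrentPrincipal per request.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Declarative check on the CLASS: constructing it or calling any method
// demands the Admin role of Thread.CurrentPrincipal, so reaching the code
// by a hidden or guessed URL is not enough.
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public class AdminReports
{
    public string Export() => "payroll export";
}

public static class Demo
{
    // Runs the report as the given user, translating the demand failure into
    // a result the page can turn into a 403 instead of an unhandled exception.
    public static bool TryExport(IPrincipal user, out string result)
    {
        Thread.CurrentPrincipal = user;   // ASP.NET does this for each request
        try
        {
            result = new AdminReports().Export();
            return true;
        }
        catch (SecurityException)
        {
            result = null;
            return false;
        }
    }

    public static void Main()
    {
        // Constructed identities.
        var admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admin" });
        var user  = new GenericPrincipal(new GenericIdentity("bob"),   new[] { "User" });

        Console.WriteLine(TryExport(admin, out string r1) + " " + r1);   // True payroll export
        Console.WriteLine(TryExport(user, out string r2));              // False: the demand fails
    }
}
```

This is the defence-in-depth layer: URL authorization in web.config decides who may request the page, and the demand on the class decides who may run the code, so a mistake in one does not silently open the other.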
22. Insufficient Transport Layer Security
   • Sensitive traffic must be protected while in transit
   • Demo

23. Insufficient Transport Layer Security – Mitigations
   • SSL/TLS
   • Authentication timeouts
   • Don't mix SSL/non-SSL content

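A web.config fragment added here as an example; it is not from the slides. It collects the settings behind slide 17 (no debug binaries, no verbose errors or trace output, request validation on), slide 21 (access control on a whole folder) and slide 23 (cookies and forms authentication only over SSL, a short authentication timeout). Each comment names the weak value the setting replaces. The paths and the Admin folder are placeholders.

```xml
<configuration>
  <system.web>
    <!-- was debug="true": debug binaries and verbose compiler output -->
    <compilation debug="false" />

    <!-- was mode="Off": stack traces and source lines shown to every visitor -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- was enabled="true" localOnly="false": trace.axd exposes every request -->
    <trace enabled="false" />

    <!-- do not advertise the framework version in response headers -->
    <httpRuntime enableVersionHeader="false" />

    <!-- was validateRequest="false": request validation switched off globally -->
    <pages validateRequest="true" />

    <!-- cookies unreadable from script and never sent over plain HTTP -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- was requireSSL="false" timeout="2880": ticket sent in the clear, valid for two days -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="20"
             slidingExpiration="false" cookieless="UseCookies" />
    </authentication>

    <!-- session ids in cookies only, never in the URL where they leak via Referer and logs -->
    <sessionState timeout="20" cookieless="UseCookies" />
  </system.web>

  <!-- slide 21: the Admin folder is checked on every request, not just when linked -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The "tyranny of the default" on slide 16 is visible in the comments: each weak value is one a developer sets to make debugging easier and then forgets. A release checklist that diffs the deployed web.config against a hardened baseline catches these before they reach production.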
24. Unvalidated Redirects and Forwards
   • Web applications use untrusted sources to determine the destination of redirects or forwards
   • Demos

25. Unvalidated Redirects and Forwards – Mitigations
   • You need to take responsibility
       • Use white lists
   • Check the referrer page

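An added C# example, not from the slides, of the two mitigations: a white list (a local-path check plus a map of named destinations) and a referrer check. The host name, the destination map and the sample URLs are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public static class SafeRedirect
{
    // Accept only a path on this site: "/something" or "~/something". Rejects
    // "//host" (protocol-relative), "/\host" (browsers treat the backslash as
    // a slash) and anything with a scheme. Decodes first so an encoded
    // "%2F%2F" is judged as the "//" the browser will actually follow.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        string u = HttpUtility.UrlDecode(url);
        if (u.StartsWith("~/")) u = u.Substring(1);              // app-relative: check the remainder
        if (u.Length == 0 || u[0] != '/') return false;           // no scheme, no host
        if (u.Length > 1 && (u[1] == '/' || u[1] == '\\')) return false;
        return true;
    }

    // Stricter white list: the request names a destination, the server owns the URL.
    private static readonly Dictionary<string, string> Destinations =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["orders"]  = "/Account/Orders",
            ["profile"] = "/Account/Profile",
            ["home"]    = "/",
        };

    public static string ResolveNamed(string key, string fallback) =>
        key != null && Destinations.TryGetValue(key, out string path) ? path : fallback;

    // The slide's referrer check: honour the redirect only when the request
    // came from one of our own pages. The header can be absent (privacy
    // settings, typed URLs), so use it as a second check, not the only one.
    public static bool CameFromOurSite(Uri referrer, string ourHost) =>
        referrer != null && string.Equals(referrer.Host, ourHost, StringComparison.OrdinalIgnoreCase);

    public static string ChooseReturnUrl(string requested, Uri referrer, string ourHost) =>
        IsLocalUrl(requested) && CameFromOurSite(referrer, ourHost) ? requested : "/";

    public static void Main()
    {
        // Constructed inputs: the first three are local, the rest are not.
        foreach (string s in new[] { "/Account/Orders", "~/Home", "/", "//evil.example",
                                     "/\\evil.example", "http://evil.example", "%2F%2Fevil.example" })
            Console.WriteLine($"{s,-24} local: {IsLocalUrl(s)}");

        var fromUs = new Uri("https://shop.example/Login.aspx");
        var fromElsewhere = new Uri("https://evil.example/landing");
        Console.WriteLine(ChooseReturnUrl("/Account/Orders", fromUs, "shop.example"));        // /Account/Orders
        Console.WriteLine(ChooseReturnUrl("/Account/Orders", fromElsewhere, "shop.example")); // /
        Console.WriteLine(ResolveNamed("orders", "/"));   // /Account/Orders
        Console.WriteLine(ResolveNamed("../etc", "/"));   // /
    }
}
```

Of the two white lists, the named-destination map is the safer default because the client never supplies a URL at all; the local-path check is for the common login "ReturnUrl" case where arbitrary internal paths must be allowed. Forwards (Server.Transfer) need the same treatment, since the destination page's own access checks are the only thing standing between the caller and the content.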
26. Resources
   • Inspiration from Troy Hunt
       • OWASP Top 10 for .Net Developers – highly recommended!

27. Questions?

28. Thank you