
Don't Get Stung

An introduction to the OWASP Top Ten Vulnerability List.

Published in: Technology

  1. Don’t get Stung (An introduction to the OWASP Top Ten Project)
     Barry Dorrans, MVP – Developer Security
  2. Contents
     • OWASP Top Ten
     • http://www.owasp.org
     • A worldwide free and open community focused on improving the security of application software
  3. Introduction
     • Do not try this at home. Or at work.
     • These are not just ASP.NET vulnerabilities
     • If you don’t want to ask public questions ... barryd@idunno.org / http://idunno.org
  4. 10 – Failure to restrict URI access
  5. Failure to restrict URI access
     • Security by obscurity is useless
     • Restrict via ASP.NET
     • Integrated pipeline restricts everything
     • Use [PrincipalPermission] to protect yourself
  6. 9 – Insecure Communications
  7. Insecure Communications
     • Use SSL
     • Protect communications between web server and backend systems (SSL, IPSEC etc.)
     • Replay attacks
  8. 8 – Insecure Cryptographic Storage
  9. Insecure Cryptographic Storage
     • Symmetric – same key
     • Asymmetric – public/private keys
     • Use safe algorithms
       – Hashing: SHA256
       – Symmetric: AES
       – Asymmetric: CMS/PKCS#7
     • Encrypt then sign
  10. Insecure Cryptographic Storage
     • Use symmetric when
       – All systems are under your control
       – No need to identify who did the encryption
     • Use asymmetric when
       – Talking to/accepting from external systems
       – Non-repudiation on who encrypted/signed (X509)
       – All in memory!
     • Combine the two for speed and security
  11. Insecure Cryptographic Storage
     • Do not reuse keys for different purposes
     • Store keys outside the main database
     • Use CryptGenRandom for random numbers
     • Use and rotate salts
     • Use unique IVs
     • DPAPI can provide a key store
  12. 7 – Broken Authentication/Sessions
  13. Broken Authentication/Sessions
     • Don’t roll your own!
     • Validate sessions on every request
     • Check the browser string
  14. 6 – Information Leakage
  15. Information Leakage
     • Don’t show raw errors
     • Catch errors “properly”
     • Don’t upload PDBs or debug assemblies
     • Encrypt web.config parts
     • Encrypt ViewState
     • Watch your CSS!
     • For Ajax, UpdatePanels are more secure
     • Turn off metadata in web services
  16. 5 – Cross Site Request Forgery
  17. Cross Site Request Forgery
     • Lock ViewState using ViewStateUserKey
       – Needs a way to identify user
       – Set in Page_Init
     • Use a CSRF token – http://anticsrf.codeplex.com
     • Encourage users to log out
     • GET requests must be idempotent
     • When is a postback not a postback?
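An added example (not code from the talk or the AntiCSRF project) showing both points of this slide in one WebForms page: ViewStateUserKey set in Page_Init, plus an explicit per-session token checked on every postback. It assumes session state is enabled and that the .aspx declares a HiddenField named csrfToken (a hypothetical name).

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the talk. Assumes the .aspx contains
// <asp:HiddenField ID="csrfToken" runat="server" /> (hypothetical name).
public partial class OrderPage : Page
{
    private const string TokenSessionKey = "__csrfToken"; // assumed session key

    protected void Page_Init(object sender, EventArgs e)
    {
        // Slide 17: tie ViewState to the user. The ViewState MAC now covers the
        // session id, so ViewState captured in one session is rejected in another.
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // First GET: mint a per-session random token and echo it in a hidden field.
            // GETs stay idempotent; nothing here changes application state.
            if (Session[TokenSessionKey] == null)
            {
                var raw = new byte[32];
                using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(raw); }
                Session[TokenSessionKey] = Convert.ToBase64String(raw);
            }
            csrfToken.Value = (string)Session[TokenSessionKey];
            return;
        }

        // Postback: a state-changing request must carry the token for this session.
        if (!TokensMatch(csrfToken.Value, Session[TokenSessionKey] as string))
            throw new HttpException(403, "Anti-forgery token missing or invalid");
    }

    // Constant-time comparison so response timing does not reveal the token.
    internal static bool TokensMatch(string submitted, string expected)
    {
        if (string.IsNullOrEmpty(submitted) || string.IsNullOrEmpty(expected)) return false;
        if (submitted.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= submitted[i] ^ expected[i];
        return diff == 0;
    }
}
```

Because the token lives in Session and is cleared with it, the "encourage users to log out" advice on the same slide also invalidates outstanding tokens.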
  18. 4 – Insecure Direct Object Reference
  19. Insecure Direct Object Reference
     • Use indirect object references
     • Always check access permissions
  20. 3 – Malicious File Execution
  21. Malicious File Execution
     • Remove Scripting IIS permission
     • Store outside of application root
     • Never believe the MIME type for uploads
  22. 2 – Injection Flaws
  23. Injection Flaws
     • SQL
       – Use SQL parameters
       – Remove direct SQL table access
     • XPath
       – Use XsltContext
       – http://mvpxml.codeplex.com/
  24. 1 – Cross Site Scripting
  25. XSS
     • <IMG SRC=javascript:alert('XSS')>
     • <IMG SRC=JaVaScRiPt:alert('XSS')>
     • <IMG SRC=javasc ript:a&#1 08;ert('X&# 83;S')>
  26. XSS
     • All input is evil
     • Work from white-lists, not black-lists.
     • Store un-encoded data in your database
     • Use HttpOnly cookies
     • AntiXSS project http://antixss.codeplex.com
       – Better HTML/URL Encoding
       – Adds HTML Attribute, Javascript, JSON, VBScript
     • XSS Cheat Sheet http://ha.ckers.org/xss.html
  27. The OWASP Top Ten
     • Failure to restrict URL access
     • Insecure Communications
     • Insecure Cryptographic Storage
     • Broken Authentication / Session Management
     • Information Leakage
     • Cross Site Request Forgery
     • Insecure Direct Object Reference
     • Malicious File Execution
     • Injection Flaws
     • Cross Site Scripting
  28. Resources
     • AntiXSS – http://www.codeplex.com/AntiXSS
     • AntiCSRF – http://www.codeplex.com/AntiCSRF
     • P&P Guidance Explorer – http://www.codeplex.com/guidanceExplorer
     • Fiddler – http://www.fiddlertool.com
     • TamperData – https://addons.mozilla.org/en-US/firefox/addon/966
  29. Questions