Defensive programming 101 For Dataforening


  • I am Irish
  • But I live in Norway. I am an IT Architect with Laerdal Medical
  • Programmers are the problem. They are not natively security conscious, as it takes longer to write and they don't want to break their code by testing for security flaws.
  • Mainly applies to web apps. Leaving admin info systems on the server to be accessed. You can use Google to find this info. You can find password files, office data files (PST) etc. Old files are possible, especially if you rename in the same directory; it is then possible to download source code from your site. Sample: intitle:index.of outlook pst. Also, leaving trace output on with <trace enabled="true" localOnly="false"> allows access to trace.axd.
  • Following issue #10. Usernames and passwords should be encrypted. Sensitive data should be encrypted. Don't write your own crypto protocols. Can also use Google Code to find these (especially if you leave personal ones there!!!)
  • One of the easiest ways to get caught. Vulnerability is not in your code but on the system. Especially painful on web servers. Google can be used to find vulnerable web servers. Requires you most of the time to pester the local sys admin.
  • Shouldn't be the only thing that sanitizes your input. Consider you have a JavaScript function to see if the number is valid. User views source page and sends you the variables. Do validation on both sides to be sure, but definitely server side at least.
  • Validate all inputs at the server even if client validated. Use a central validation source. Use white lists rather than blacklists. Escape special characters. Validate against RFC rules. Validate XML against the schema.
  • You should never show a detailed error message on a production web site. Use CustomErrors in the web.config, either RemoteOnly or On. Again, also turn off Trace and set Debug="false".
  • SQL connection using SA or SysAdm level permissions. Requiring Administrator permissions on the web server!!!!! Requiring Admin privileges for a Windows app.
  • Consider default.aspx?download=filestore/file.exe using BinaryWrite. Change the download variable: now default.aspx?download=web.config. Page will display the incorrect file and give ideas about what way the machine is configured and possibly access to a lot more.
  • Validate your input. Checking for ../ usually won't work due to URLEncode. Strong checking of input. Placing web apps on separate partitions to system files. Correct permissions. Web server fully patched. Using scanner tools to validate the web server: IIS Lockdown, URL Scan.
  • HTML & Script Injection. 3 main types: DOM, non-persistent, persistent. Non-persistent is the most common, and persistent is the most dangerous. Certain CMS are vulnerable, as well as pages taking input and displaying that input back. Other variations include HTTP response splitting, HTTP header injection, remote file inclusion. Particularly nasty. More common with scripting languages such as ASP and PHP. Allows you to insert your own file to be run. Not as relevant to .NET but still can cause a problem. Example: http://server/file.aspx?redir=page.aspx and http://server/file.aspx?redir=http://badplace/haha.aspx? Imagine that with a login and similar look of your own site.
  • Make cookies only accessible to server side code: <httpCookies httpOnlyCookies="true">. Use cookie based session state to stop session hijacking: <sessionState cookieless="UseCookies">. Where possible use SSL for authentication cookies. Use unique forms name when using multiple sites with forms auth. Use HtmlEncode to disable special chars. Make sure on redirect it's only going to where you expect it to be going. Sanitize your input. Mind your cookies and evaluate web.configs above the web app for vulns.
  • Allowing straight input to your database. Consider SELECT * FROM tbl WHERE (Email='RequestData') AND (PASSWORD='OtherData'). Now consider the inputs ' OR '1'='1 which give SELECT * FROM tbl WHERE (Email='' OR '1'='1') AND (PASSWORD='' OR '1'='1'). Worse: UPDATE tbl WHERE ID=RequestData with RequestData = 1;DELETE FROM tbl; Worst! RequestData = 1;DROP tbl; Sanitize your input. Don't blindly allow access to the database from the front end. Use only the permissions required for the option. Consider two level database access: Reader, Writer. With SQL Server reduce your permissions to execute only if you are using stored procs.
  • Trusting your users!!! Sanitize your input. If you don't check it, be prepared to deal with the consequences. See issues 2 & 3! Famous examples: Amazon & Komplett.
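The download-parameter problem from the notes above (default.aspx?download=web.config), handled by canonicalising the requested path before checking it instead of searching for ../. This is an added C# example, not code from the slides; the application root, the extension list and the names DownloadGuard and TryResolve are assumptions.

```csharp
using System;
using System.IO;

static class DownloadGuard
{
    // Assumption: placeholder application root with a "filestore" directory below it.
    static readonly string AppRoot = Path.GetFullPath(Path.Combine(Path.GetTempPath(), "webapp"));
    static readonly string StoreRoot = Path.Combine(AppRoot, "filestore") + Path.DirectorySeparatorChar;
    static readonly string[] AllowedExtensions = { ".exe", ".zip", ".pdf" };

    // True only when the request resolves to an allowed file type inside StoreRoot.
    public static bool TryResolve(string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(requested)) return false;
        try
        {
            // ASP.NET has already URL-decoded the query string once; decode again so a
            // double-encoded "../" is seen, and refuse anything still carrying escapes.
            string decoded = Uri.UnescapeDataString(requested);
            if (decoded.IndexOf('%') >= 0) return false;

            // Canonicalise first, then compare: "..", mixed slashes and rooted paths
            // are all collapsed by GetFullPath before the prefix check.
            string candidate = Path.GetFullPath(Path.Combine(AppRoot, decoded));
            // Case-insensitive because IIS serves from a case-insensitive file system.
            if (!candidate.StartsWith(StoreRoot, StringComparison.OrdinalIgnoreCase)) return false;

            string ext = Path.GetExtension(candidate).ToLowerInvariant();
            if (Array.IndexOf(AllowedExtensions, ext) < 0) return false;

            fullPath = candidate;
            return true;
        }
        catch (Exception)
        {
            return false; // malformed input: fail closed
        }
    }

    static void Main()
    {
        // Constructed request values, not taken from a real site.
        string[] samples = { "filestore/file.exe", "web.config", "filestore/../web.config",
                             "filestore/%2e%2e/web.config", "filestore/notes.txt" };
        foreach (string s in samples)
        {
            string path;
            Console.WriteLine("{0,-30} {1}", s, TryResolve(s, out path) ? "serve " + path : "reject");
        }
    }
}
```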
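The login query from the SQL injection note above, built first by concatenation and then with parameters, so the difference in what reaches the server is visible. This is an added example, not code from the slides; it assumes System.Data.SqlClient is available (.NET Framework, or the NuGet package of the same name) and never opens a connection, and LoginQuery and its method names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

static class LoginQuery
{
    // The pattern from the note: request data pasted straight into the SQL text.
    public static string BuildConcatenated(string email, string password)
    {
        return "SELECT * FROM tbl WHERE (Email='" + email + "') AND (PASSWORD='" + password + "')";
    }

    // Parameterised form: the SQL text is constant and the values travel
    // separately as typed parameters, so quotes in the input stay data.
    public static SqlCommand BuildParameterised(string email, string password)
    {
        var cmd = new SqlCommand("SELECT * FROM tbl WHERE (Email=@email) AND (PASSWORD=@password)");
        cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 256).Value = password;
        return cmd;
    }

    // Numeric keys: accept digits only, so "1;DELETE FROM tbl;" never reaches a query.
    public static bool TryParseId(string requestData, out int id)
    {
        return int.TryParse(requestData, NumberStyles.None, CultureInfo.InvariantCulture, out id);
    }

    static void Main()
    {
        string input = "' OR '1'='1"; // the input from the note above

        Console.WriteLine("concatenated : " + BuildConcatenated(input, input));

        using (SqlCommand cmd = BuildParameterised(input, input))
        {
            Console.WriteLine("parameterised: " + cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("  {0} = [{1}]", p.ParameterName, p.Value);
        }

        int id;
        Console.WriteLine("id \"1\" accepted: " + TryParseId("1", out id));
        Console.WriteLine("id \"1;DELETE FROM tbl;\" accepted: " + TryParseId("1;DELETE FROM tbl;", out id));
    }
}
```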
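One way to make sure a redirect "is only going to where you expect", using the redir parameter from the notes above. This is an added example, not code from the slides; the site origin http://server/, the fallback page and the names RedirectGuard and SafeRedirect are assumptions.

```csharp
using System;

static class RedirectGuard
{
    // Assumption: the site's own origin, taken from configuration rather than the request.
    static readonly Uri SiteBase = new Uri("http://server/");

    // Returns the absolute URL to redirect to, or the fallback page when redir leaves the site.
    public static string SafeRedirect(string redir, string fallback = "default.aspx")
    {
        string home = new Uri(SiteBase, fallback).AbsoluteUri;
        if (string.IsNullOrWhiteSpace(redir)) return home;

        // Browsers treat '\' like '/', and control characters (CR/LF) are what
        // response splitting and header injection rely on: refuse both outright.
        foreach (char c in redir)
            if (c == '\\' || char.IsControl(c)) return home;

        // Resolve the value the way a browser would, relative to our own origin.
        Uri target;
        if (!Uri.TryCreate(SiteBase, redir, out target)) return home;

        // Absolute and protocol-relative URLs resolve to a foreign host and fail here.
        bool sameOrigin = target.Scheme == SiteBase.Scheme
                       && string.Equals(target.Host, SiteBase.Host, StringComparison.OrdinalIgnoreCase)
                       && target.Port == SiteBase.Port;

        // Emit the resolved absolute URL, so what was checked is what is sent.
        return sameOrigin ? target.AbsoluteUri : home;
    }

    static void Main()
    {
        // Constructed values based on the URLs in the notes.
        string[] samples = { "page.aspx", "http://badplace/haha.aspx?", "//badplace/haha.aspx",
                             "/\\badplace/haha.aspx", "http://server@badplace/" };
        foreach (string s in samples)
            Console.WriteLine("{0,-30} -> {1}", s, SafeRedirect(s));
    }
}
```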

    1. ASP.NET Resources
         • Web session management security
         • OWASP Top 10 by Troy Hunt
         • ASP.NET Security Guidance
         • MSCASI tool
         • AntiXSS Toolkit
         • ASP.NET Security Guidance
         • Advice from SDL
         • ASafaWeb
    2. IIS Resources
         • Security Guidance for IIS
         • IIS Lockdown tool
         • URLScan
         • IIS Configuring security
         • IIS Security Tools
    3. Image Credits
         • highscore
         • G is for Goggles
    5. Contact
         • Twitter: @nmerrigan
         • Blog:
         • Email – via blog