Owasp & Asp.Net


Published on

Prepared with the great information that can be found at http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Implicit user input: Request headersConstructed user input: Query string variables
  • Owasp & Asp.Net

    1. 1. OWASP & ASP.NET
    2. 2. OWASP TOP 10• Injection• Cross-Site Scripting (XSS)• Broken Authentication & Session Management• Insecure Direct Object References• Cross-Site Request Forgery• Security Misconfiguration• Insecure Cryptographic Storage• Failure to Restrict Url Access• Insufficient Transport Layer Protection• Unvalidated Redirects and Forwards
    3. 3. Injection• SQL, OS, LDAP injection occur when untrusted data is sent to an interpreter as part of a command query• Untrusted data: – Integrity is not verifiable – Intent may be malicious – Manual user input – Implicit user input – Constructed user input
    4. 4. OWASP Matrix Thread Attack Security Weakness Technical Business Agents Vectors Impacts Impact Exploitability Prevalence Detectability Impact EASY COMMON AVERAGE SEVEREAnyone who Attacker Very prevalent particularly in Can result in Business can send sends simple legacy code, often found in data loss or value of data to text-based SQL, LDAP queries and OS corruption, effected system attacks that commands, program lack of data. exploit the arguments. accountability syntax of the or denial of interpreter. access.
    6. 6. CROSS SITE SCRIPTING• Most commonly exploited vulnerability• WhiteHat Security report: 65% of sites with XSS vulnerability• Sending data to a browser without proper validation and escaping• Allows executing scripts in the victim’s browser – Hijack user sessions – Redirect to malicious sites• Expose an attack vector from database
    7. 7. XSS Matrix Thread Attack Security Weakness Technical Business Agents Vectors Impacts Impact Exploitability Prevalence Detectability Impact AVERAGE WIDESPREAD EASY MODERATEAnyone who Attacker Most prevalent web Attacker can Business can send sends simple application security flaw. 3 execute script value of untrusted text-based types: 1: Stored, 2: Reflected, in victim’s effected data to attacks that 3: Dom Based browser. data. system exploit the Session syntax of the hijacking, interpreter. inserting hostile content, using malware etc.
    8. 8. EncodingEncoding Method Example/PatternHtmlEncode <a href="http://www.contoso.com">Click Here [Untrusted input]</a>HtmlAttributeEncode <hr noshade size=[Untrusted input]>JavaScriptEncode <script type="text/javascript"> … [Untrusted input] … </script>UrlEncode <a href="http://search.msn.com/results.aspx?q=[Untrusted- input]">Click Here!</a>XmlEncode <xml_tag>[Untrusted input]</xml_tag>XmlAttributeEncode <xml_tag attribute=[Untrusted input]>Some Text</xml_tag>
    9. 9. XSS Prevention Rule #0• Never Insert Untrusted Data Except in Allowed Locations<script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in ascript<!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment<div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name<NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name<style>...NEVER PUT UNTRUSTED DATA HERE...</style> directly in CSS
    10. 10. XSS Prevention Rule #1• HTML Escape Before Inserting Untrusted Data into HTML Element Content<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body><div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>any other normal HTML elements• & --> &amp;• < --> &lt;• > --> &gt;• " --> &quot;• --> '• / --> /
    11. 11. XSS Prevention Rule #2• Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTINGHERE...>content</div> inside UNquoted attribute <div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTINGHERE...>content</div> inside single quotedattribute <div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTINGHERE...">content</div> inside double quotedattribute
    12. 12. XSS Prevention Rule #3• JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values<script>alert(...ESCAPE UNTRUSTED DATA BEFORE PUTTINGHERE...)</script> inside a quoted string <script>x=...ESCAPE UNTRUSTED DATA BEFORE PUTTINGHERE...</script> one side of a quotedexpression <div onmouseover="x=...ESCAPE UNTRUSTED DATA BEFOREPUTTING HERE..."</div> inside quoted event handler
    13. 13. XSS Prevention Rule #4• CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values<style>selector { property : ...ESCAPE UNTRUSTED DATABEFORE PUTTING HERE...; } </style> property value <style>selector { property : "...ESCAPE UNTRUSTED DATABEFORE PUTTING HERE..."; } </style> property value <span style="property : ...ESCAPE UNTRUSTED DATABEFORE PUTTING HERE...">text</style> propertyvalue
    14. 14. XSS Prevention Rule #5• URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values<a href="http://www.somesite.com?test=...ESCAPEUNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
    15. 15. XSS Prevention Rule #6• Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way• AntiXSS
    17. 17. Defining Broken Authentication• Authentication and session management functions not implemented correctly• Allow attackers to compromise passwords, keys, session tokens
    18. 18. Broken Authentication Matrix Thread Attack Security Weakness Technical Business Agents Vectors Impacts Impact Exploitability Prevalence Detectability Impact AVERAGE COMMON AVERAGE SEVERE External Attackers Custom authentication and Allow some Business attackers, uses leaks or session management schemes. or all value ofinternal users flaws in the Hard to find flaws. accounts to effected trying to auth or be attacked. data. steal session accounts management from others functions
    19. 19. Anatomy of Broken Authentication• Session IDs in the url – Cookieless session state• Can still occur without IDs in the url (via executed XSS flaws)• HttpOnly Cookies• Use ASP.NET Membership & Role Providers
    20. 20. Session Fixation• Do not accept session identifiers from GET / POST variables• Use identity confirmation• Store session identifiers in cookies• Regenerate SID on each request• Accept only server-generated SIDs• Logout function• Time-out old SIDs• Destroy session if Referrer is suspicious• Verify that additional information is consistent – User Agent
    22. 22. Defining insecure direct object reference• Data being unintentionally disclosed• Exposing a reference to an internal object, file, directory or database key
    23. 23. IDOR Matrix Thread Attack Security Weakness Technical Business Agents Vectors Impacts Impact Exploitability Prevalence Detectability Impact AVERAGE COMMON AVERAGE SEVERE Users of the Simple Applications use actual name Compromise Business system, parameter or key value of an object. all data that value ofhaving partial modification Authorization is not verified. can be effected access to referenced. data.system data.
    25. 25. Defining Cross Site Request Forgery• Tricking the user into inadvertently issuing an HTTP request to a site – Confused deputy problem• Sends: – Session cookie – Authentication information• Victim needs to be logged on
    26. 26. CSRF Matrix Thread Attack Security Weakness Technical Business Agents Vectors Impacts Impact Exploitability Prevalence Detectability Impact AVERAGE COMMON AVERAGE SEVERE Anyone who Creates Browsers send credentials like Attackers can Businesscan trick your forged HTTP authentication cookies change any value of users request via automatically, attackers can data the effected submitting a image tags, create malicious web pages victim is data. request to XSS that generate forged requests. allowed to your site change
    27. 27. CSRF Prevention• Prevention measured that don’t work: – Using a secret cookie – Only accepting POST requests – Multi-step transactions – URL Rewriting
    28. 28. CSRF Prevention• Synchronizer Token Pattern• ViewState – ViewStateUserKey = Session.SessionID• Double submit cookies – Header – Hidden form value• .NET CSRF Guard
    30. 30. Defining Insecure Cyptographic Storage • Protection of sensitive data Thread Attack Security Weakness Technical Business Agents Vectors Impacts Impact Exploitability Prevalence Detectability Impact DIFFICULT UNCOMMON DIFFICULT SEVEREUsers of the Attackers Common flaw is not encrypting Compromises Business system don’t break data. Unsafe key generation, that all data value of the crypto. storage of keys, weak should have effected They find algorithms. been data. keys, get encrypted. clear text copies of data.
    31. 31. Questions• Is the right data encrypted?• Are the keys protected?• Is the source data exposed by other interfaces?• Is the hashing week?
    32. 32. Encryption, hashing, salting• Encryption: Transforming text into an illegible format that can only be deciphered with a ‘key’• Hashing: Creating a one way digest that cannot be converted back.• Salting: Adding a random string to input text before hashing to add unpredictability to the process.
    33. 33. MD5, SHA, DES, AES• MD5: Common, not collision resistant.• SHA: Secure Has Algorithm, most popular, not most secure)• DES: Data Encryption Standard, insecure.• AES: Advanced Encryption Standart, common.
    34. 34. Symmetric / Asymmetric Encryption• Symmetric Encryption – Uses same key to both encrypt and decrypt. – Same algorithm can be applied to reverse encryption• Asymmetric Encryption – Different keys for encryption / decryption
    35. 35. Key Management• Keep keys unique• Protect the keys• Always store keys away from data• Keys should have a defined lifecycle
    36. 36. Cryptographic Cheat Sheet• Only store sensitive data you need• Only use strong crypto algorithms (AES, RSA)• Ensure that random numbers are cryptographically strong• Only use widely accepted implementations of cryptographic algorithms• Store the hashed and salted value of passwords• Ensure that any secret key is protected from unauthorized access
    38. 38. Defining failure to restrict url access• Users are able to access a resource they should not because appropriate controls do not exist
    39. 39. Matrix Thread Attack Security Weakness Technical Business Agents Vectors Impacts Impact Exploitability Prevalence Detectability Impact EASY UNCOMMON AVERAGE MODERATEAnyone with Attacker Misconfigured urls, improper Allows Business network (already code checks attackers to value of access can authorized), access effected send the changes to unauthorized data.application a url to a functionality request privileged page.
    40. 40. Suggestions• Leverage roles in preference to individual users• Apply principal permissions – [PrincipalPermission] attribute• Protect web services and async calls• Leverage IIS 7 Integrated pipeline• Do not roll your own security model