Security of Web Applications: Top 6 Risks To Avoid

A modest Web application security introduction to .NET developers.

  1. Security of Web Applications: TOP 6 RISKS TO AVOID
  2. Console.WriteLine("Hello World"); I'm Audrius Kovalenko, .NET Developer. Hack for fun. @slicklash http://www.notreallycode.com
  3. Forecasts for Upcoming Years: VERY CLOUDY. SaaS GROWTH. WEB APPLICATIONS IN HIGH DEMAND.
  4. Web Application Security Today: Distribution of Attack Methods in 2011. Source: Web Hacking Incident Database (WHID)
  5. Puzzle: How to pour all liquid into the glass?
  6. IMPOSSIBLE. Everyone knows it.
  7. How to deliver a secure product knowing little about application security? If that's my bag, whose bag is it then? (Word cloud, "Builder vs Breaker": Bruce Schneier, Steve Freeman, Martin Fowler, Troy Hunt, HD Moore, Kent Beck, Michał Zalewski, Agile, TDD, REST, DI, Design Patterns, Refactoring, SQLi, XSS, CSRF.)
  8. Problem: We don't know what we don't know.
  9. The Unknowns: WHAT TO LOOK FOR? WHAT ARE THE MAJOR RISKS? WHAT ARE THE COUNTERMEASURES?
  10. CWE/SANS Top 25 Most Dangerous Software Errors: https://cwe.mitre.org/top25
  11. Open Web Application Security Project (OWASP): https://www.owasp.org
  12. What is a risk anyway?
  13. The OWASP Top 10: 6 Web Risks. A1 INJECTION. A2 CROSS SITE SCRIPTING (XSS). A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT. A4 INSECURE DIRECT OBJECT REFERENCES. A5 CROSS SITE REQUEST FORGERY (CSRF). A6 SECURITY MISCONFIGURATION.
  14. Injections: Breaking out of a data context into a code context. Why is SQLi still around?
  15. Injections (2):

```csharp
// Vulnerable: untrusted query-string input is concatenated straight into the SQL statement
var catId = Request.QueryString["Category"];
var sql = "SELECT * FROM Products WHERE [CategoryId] = " + catId;
```

  16. Anti-Injection: ORM. PARAMETERIZED QUERIES. DON'T BE LAZY.
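The concatenated query from slide 15 next to the two fixes slide 16 names, as an added example that is not part of the original deck. It assumes System.Data.SqlClient for the parameterized version and, for the ORM version, an Entity Framework context type `AppDbContext` with a `Products` set of `Product` entities (both hypothetical).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class ProductQueries
{
    // VULNERABLE (slide 15): untrusted input becomes part of the SQL text, so
    // whatever the client puts in ?Category= is parsed as SQL, not as a value.
    public static string BuildSqlVulnerable(string catId)
    {
        return "SELECT * FROM Products WHERE [CategoryId] = " + catId;
    }

    // PARAMETERIZED: the statement is a constant; the value travels separately
    // as a typed parameter and can never change the query's structure.
    public static DataTable GetProductsByCategory(string connectionString, string catIdRaw)
    {
        int catId;
        if (!int.TryParse(catIdRaw, out catId))
            throw new ArgumentException("Category must be an integer.", "catIdRaw");

        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT * FROM Products WHERE [CategoryId] = @CategoryId", conn))
        {
            cmd.Parameters.Add("@CategoryId", SqlDbType.Int).Value = catId;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
        }
        return table;
    }

    // ORM: LINQ to Entities translates the lambda into a parameterized query
    // for you. AppDbContext and Product are assumed types for this example.
    public static IQueryable<Product> GetProductsByCategory(AppDbContext db, int catId)
    {
        return db.Products.Where(p => p.CategoryId == catId);
    }
}
```

The parse-to-int step is a second, independent guard: even if someone later rewrites the query, the value that reaches it is already an integer.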
  17. Cross Site Scripting (XSS): Injection of client-side code into Web pages viewed by other users.

```csharp
// Vulnerable: the User-Agent header is concatenated into markup without encoding
public static MvcHtmlString DeviceInfoEvil(this HtmlHelper helper)
{
    string s = "<span>" + helper.ViewContext.HttpContext.Request.UserAgent + "</span>";
    return MvcHtmlString.Create(s);
}
```

[...] With a User-Agent header of:

```
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5;)<script>alert(1);</script>
```

[...]

```csharp
// Fixed: TagBuilder.SetInnerText HTML-encodes the value before it is written
public static MvcHtmlString DeviceInfoGood(this HtmlHelper helper)
{
    TagBuilder userAgent = new TagBuilder("span");
    userAgent.SetInnerText(helper.ViewContext.HttpContext.Request.UserAgent);
    return MvcHtmlString.Create(userAgent.ToString());
}
```

  18. Cross Site Request Forgery (CSRF): Forged requests executed by tricking an authenticated victim.

```html
<img src="https://bank.com/smth?param=1" />
<iframe src="https://bank.com/smth?param=1" />
<body onload="document.forms[0].submit()">
  <form method="post" action="https://bank.com/smth">
    <input type="hidden" name="param" value="1" />
  </form>
</body>
```

  19. Anti-XSS: INPUT FILTERING. OUTPUT FILTERING. MICROSOFT AntiXSS. ANTIFORGERY TOKENS.
  20. Broken Authentication and Session Management: Poor implementation of authentication and session management. 6.5 MILLION HASHES, PLAIN SHA1 (June 2012). 450 000 PASSWORDS, PLAIN TEXT (July 2012).
  21. Be careful: DON'T REINVENT THE WHEEL. NO HARDCODED "SHORTCUTS". OUTPUT FILTERING. Use #if DEBUG. HASH + SALT + STRETCHING (bcrypt/scrypt). TLS. https://www.cookiecadger.com
  22. Insecure Direct Object References: Unauthorized access of an exposed reference to an internal implementation. MASS ASSIGNMENT VULNERABILITY.
  23. Insecure Direct Object References (2):

```csharp
public class User
{
    public string UserName { get; set; }
    public bool IsAdmin { get; set; }
}

[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult UpdateUser(User model)
{
    if (ModelState.IsValid)
    {
        var user = db.Users.Single(u => u.UserName == model.UserName);
        // Vulnerable: TryUpdateModel binds every posted field onto the entity, IsAdmin included
        if (TryUpdateModel(user))
        {
            db.SaveChanges();
        }
    }
    return View();
}
```

  24. Insecure Direct Object References (3):

```csharp
public ActionResult UpdateUser([Bind(Exclude = "IsAdmin")] User model) // Black listing - NO
[...]
public ActionResult UpdateUser([Bind(Include = "UserName")] User model) // White listing - OK
[...]
public class UserViewModel // Secure by design - BEST
{
    public string UserName { get; set; }
}
```

  25. Countermeasures: NO COPY-PASTE. ACCESS CHECKS. CODE REVIEWS.
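Slide 23's UpdateUser rebuilt with the countermeasures from slides 19, 24 and 25 (antiforgery token, a view model that cannot carry IsAdmin, and an explicit access check), as an added example that is not code from the deck. The `AppDbContext` type, the `DisplayName` field and the rule that only the user themselves or a member of the "Admin" role may update a record are assumptions for this example.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

public class UserViewModel          // Secure by design: there is no IsAdmin to bind
{
    public string UserName { get; set; }
    public string DisplayName { get; set; }   // assumed editable field
}

public class UsersController : Controller
{
    private readonly AppDbContext db = new AppDbContext();   // assumed EF context

    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]   // CSRF: pairs with @Html.AntiForgeryToken() in the form
    public ActionResult UpdateUser(UserViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Access check: the reference in the request (UserName) is only honoured
        // when the caller owns that record or is an admin (rule assumed here).
        bool isSelf = string.Equals(model.UserName, User.Identity.Name,
                                    StringComparison.OrdinalIgnoreCase);
        if (!isSelf && !User.IsInRole("Admin"))
            return new HttpUnauthorizedResult();

        var user = db.Users.SingleOrDefault(u => u.UserName == model.UserName);
        if (user == null)
            return HttpNotFound();

        // Copy fields explicitly instead of TryUpdateModel(user), so posted
        // values can never reach properties such as IsAdmin.
        user.DisplayName = model.DisplayName;
        db.SaveChanges();

        return RedirectToAction("Index");
    }
}
```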
  26. Security Misconfiguration: Improper application configuration.
  27. Web.Config Security Analyzer: https://sourceforge.net/projects/wcsa
  28. Introducing in development? DEDICATED PERSON. SPECIAL TRAINING. SELF TRAINING: LEARN, PRACTICE, UNDERSTAND.
  29. Common Excuses: NO ONE WILL HACK US (Ignorance). TIGHT DEADLINES (Budget).
  30. The Real Issue: WRONG PERSON IN WRONG PLACE. Architect. Manager. Lazy Co-Worker.
  31. Security is hard but possible when you know.
  32. Don't forget: Drowning is your personal problem.
  33. Further Reading
  34. Highly Recommended: ACADEMIC. HACKER. ENTERPRISE.
  35. Learning From The Breakers: Hacking Illustrated, Video from Security Conferences, http://www.irongeek.com
