SlideShare a Scribd company logo
Don’t get Stung(An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Contents OWASP Top Ten http://www.owasp.org A worldwide free and open community focused on improving the security of application software
Introduction Do not try this at home. Or at work. These are not just ASP.NET vulnerabilities If you don’t want to ask public questions ...barryd@idunno.org / http://idunno.org
10 – Unvalidated Redirects and Forwards
Unvalidated Redirect and Forwards Users don’t check the address bar MVC authentication (pre-3.0) is vulnerable. Check the ReturnUrlparameter – http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
9 – Insufficient Transport Layer Protection
Insufficient Transport Layer Protection  Use SSL Protection communications between web server and backend systems (SSL, IPSEC etc.) Replay attacks – use time limited tokens
8– Failure to restrict URI access
Failure to restrict URI access Security by obscurity is useless  Restrict via ASP.NET – no rolling your own! Integrated pipeline restricts everything Use [PrincipalPermission] to protect yourself IIS7 replaces file ACLs with a web.config based authorization list.
7– Insecure Cryptographic Storage
Insecure Cryptographic Storage Symmetric – same key Asymmetric – public/private keys Use safe algorithms –Hashing : 	SHA256Symmetric: 	AESAsymmetric:	CMS/PKCS#7 Encrypt then sign
Insecure Cryptographic Storage Use symmetric when All systems are under your control No need to identify who did the encryption Use asymmetric when Talking/accepting from external systems Non-repudiation on who encrypted/signed (X509) All in memory – so no large plain tex! Combine the two for speed and security
Insecure Cryptographic Storage Do not reuse keys for different purposes Store keys outside the main database Use CryptGenRandom for random numbers Use & rotate salts Use unique IVs DAPI can provide a key store
6 – Security Misconfiguration
Security Misconfiguration PATCH PATCHPATCH IIS7 App Pool Isolation –http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/ URLScan Security Runtime Engine (CTP) Disable unused modules, accounts etc.
Security Misconfiguration <httpModules>  <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />  <add name="Session" type="System.Web.SessionState.SessionStateModule" />  <add name="WindowsAuthentication"        type="System.Web.Security.WindowsAuthenticationModule" />  <add name="FormsAuthentication"        type="System.Web.Security.FormsAuthenticationModule" />  <add name="PassportAuthentication"        type="System.Web.Security.PassportAuthenticationModule" />  <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />  <add name="UrlAuthorization"        type="System.Web.Security.UrlAuthorizationModule" />  <add name="FileAuthorization"        type="System.Web.Security.FileAuthorizationModule" />  <add name="AnonymousIdentification"       type="System.Web.Security.AnonymousIdentificationModule" />  <add name="Profile" type="System.Web.Profile.ProfileModule" /></httpModules>
Security Misconfiguration <httpModules>  <remove name="PassportAuthentication" />  <remove name="Profile" />  <remove name="AnonymousIdentification" /></httpModules>  NB: Some modules depend on othersForms auth needs caching.There’s no easy way to tell!
5 – Cross Site Request Forgery
Cross Site Request Forgery WebForms Lock ViewState using ViewStateUserKey Needs a way to identify user Set in Page_Init Use a CSRF token – http://anticsrf.codeplex.com MVC<%= Html.AntiForgeryToken() %> - in form[ValidateAntiForgeryToken] – on action method Encourage users to log out When is a postback not a postback?
4 – Insecure Direct Object Reference
Insecure Direct Object Reference Use indirect object references Always check access permissions For MVC don’t allow binding to your ID field[Bind(Exclude="id")]
3 - Broken Authentication/Sessions
Broken Authentication/Sessions Don’t roll your own! If you must validate sessions on every requestcheck the browser string, not the IP
2– Cross Site Scripting
XSS <IMG SRC=javascript:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
XSS All input is evil Work from white-lists not black-lists. Store un-encoded data in your database Use HttpOnly cookies AntiXSS project http://antixss.codeplex.com Better HTML/URL Encoding Adds HTML Attribute, Javascript, VBScript XSS Cheat Sheet http://ha.ckers.org/xss.html
1– Injection Flaws
Injection Flaws SQL Use SQL parameters Remove direct SQL table access When building SQL strings within SPs parameterise those too! Xpath Use XsltContext http://mvpxml.codeplex.com/
Injection Flaws DECLARE @cmd=  'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last' EXEC @cmd,  N'@firstnvarchar(25),       @last nvarchar(25)',     @first, @last
Changes from  2007 Malicious File Execution Information Leakage / Improper Error Handling Security Misconfiguration Un-validated Redirects and Forwards
The OWASP Top Ten A1-Injection A2-Cross Site Scripting (XSS) A3-Broken Authentication and Session Management A4-Insecure Direct Object References A5-Cross Site Request Forgery (CSRF) A6-Security Misconfiguration A7-Insecure Cryptographic Storage A8-Failure to Restrict URL Access A9-Insufficient Transport Layer Protection A10-Unvalidated Redirects and Forwards
Mandatory Book Pimping
Questions

More Related Content

What's hot

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
Rich Helton
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
Jayesh Patel
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security Introduction
Mindfire Solutions
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you how
Joe McCray
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
Bug bounty
Bug bountyBug bounty
Web Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser Exploitation
Michele Orru'
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
Priyanka Aash
 
Node.JS security
Node.JS securityNode.JS security
Node.JS security
Deepu S Nath
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Let's pwn a chinese web browser!
Let's pwn a chinese web browser!Let's pwn a chinese web browser!
Let's pwn a chinese web browser!
Juho Nurminen
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
Aung Thu Rha Hein
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
Elsner Technologies Pvt Ltd
 
Security fundamentals
Security fundamentals Security fundamentals
Security fundamentals
ABDEL RAHMAN KARIM
 

What's hot (20)

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security Introduction
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you how
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Web Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser Exploitation
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
 
Node.JS security
Node.JS securityNode.JS security
Node.JS security
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Let's pwn a chinese web browser!
Let's pwn a chinese web browser!Let's pwn a chinese web browser!
Let's pwn a chinese web browser!
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
 
Security fundamentals
Security fundamentals Security fundamentals
Security fundamentals
 

Viewers also liked

Usshahni term 2
Usshahni term 2Usshahni term 2
Prospero 2010
Prospero 2010Prospero 2010
Prospero 2010
graciela27
 
Intext webdistilled elezioni 2011, aggiornamento del 5 Maggio
Intext webdistilled elezioni 2011, aggiornamento del 5 MaggioIntext webdistilled elezioni 2011, aggiornamento del 5 Maggio
Intext webdistilled elezioni 2011, aggiornamento del 5 Maggio
Maurizio Pontremoli
 
Kscope11 recap
Kscope11 recapKscope11 recap
Kscope11 recap
Sander Mak (@Sander_Mak)
 
Altitude #Users meeting in Spain ASES2015
Altitude #Users meeting in Spain ASES2015Altitude #Users meeting in Spain ASES2015
Altitude #Users meeting in Spain ASES2015
Raquel1704
 
The Jordan Edge
The Jordan EdgeThe Jordan Edge
The Jordan Edge
Bayan Waleed Shadaideh
 
Final (For Web) Presentation To Council Of Great City Schools Houston
Final   (For Web) Presentation To Council Of Great City Schools   HoustonFinal   (For Web) Presentation To Council Of Great City Schools   Houston
Final (For Web) Presentation To Council Of Great City Schools Houston
biferguson
 
mele's Eport-folio
mele's Eport-foliomele's Eport-folio
mele's Eport-folio
waikirikiri bilingual school
 
Teenager
TeenagerTeenager
Teenager
ericboy20032003
 
Halloween
HalloweenHalloween
Halloween
guestae06ba
 
Jack Eport Term 4
Jack Eport Term 4Jack Eport Term 4
Jack Eport Term 4
waikirikiri bilingual school
 
Travel Nov09
Travel Nov09Travel Nov09
Travel Nov09
Ann Owens
 
Prioritas Diklat
Prioritas DiklatPrioritas Diklat
Prioritas Diklat
su7as
 
Aim Presentation
Aim PresentationAim Presentation
Aim Presentation
sandeep jain
 
Question 2
Question 2Question 2
Question 2
David Wooldridge
 
The Ultimate Dependency Manager Shootout (QCon NY 2014)
The Ultimate Dependency Manager Shootout (QCon NY 2014)The Ultimate Dependency Manager Shootout (QCon NY 2014)
The Ultimate Dependency Manager Shootout (QCon NY 2014)
Sander Mak (@Sander_Mak)
 
Personal Portfolio work
Personal  Portfolio workPersonal  Portfolio work
Personal Portfolio work
stephengreeff
 

Viewers also liked (20)

Usshahni term 2
Usshahni term 2Usshahni term 2
Usshahni term 2
 
Prospero 2010
Prospero 2010Prospero 2010
Prospero 2010
 
漢字對話
漢字對話漢字對話
漢字對話
 
Intext webdistilled elezioni 2011, aggiornamento del 5 Maggio
Intext webdistilled elezioni 2011, aggiornamento del 5 MaggioIntext webdistilled elezioni 2011, aggiornamento del 5 Maggio
Intext webdistilled elezioni 2011, aggiornamento del 5 Maggio
 
Sr tekst
Sr tekstSr tekst
Sr tekst
 
Kscope11 recap
Kscope11 recapKscope11 recap
Kscope11 recap
 
Altitude #Users meeting in Spain ASES2015
Altitude #Users meeting in Spain ASES2015Altitude #Users meeting in Spain ASES2015
Altitude #Users meeting in Spain ASES2015
 
The Jordan Edge
The Jordan EdgeThe Jordan Edge
The Jordan Edge
 
Final (For Web) Presentation To Council Of Great City Schools Houston
Final   (For Web) Presentation To Council Of Great City Schools   HoustonFinal   (For Web) Presentation To Council Of Great City Schools   Houston
Final (For Web) Presentation To Council Of Great City Schools Houston
 
漢字對話
漢字對話漢字對話
漢字對話
 
mele's Eport-folio
mele's Eport-foliomele's Eport-folio
mele's Eport-folio
 
Teenager
TeenagerTeenager
Teenager
 
Halloween
HalloweenHalloween
Halloween
 
Jack Eport Term 4
Jack Eport Term 4Jack Eport Term 4
Jack Eport Term 4
 
Travel Nov09
Travel Nov09Travel Nov09
Travel Nov09
 
Prioritas Diklat
Prioritas DiklatPrioritas Diklat
Prioritas Diklat
 
Aim Presentation
Aim PresentationAim Presentation
Aim Presentation
 
Question 2
Question 2Question 2
Question 2
 
The Ultimate Dependency Manager Shootout (QCon NY 2014)
The Ultimate Dependency Manager Shootout (QCon NY 2014)The Ultimate Dependency Manager Shootout (QCon NY 2014)
The Ultimate Dependency Manager Shootout (QCon NY 2014)
 
Personal Portfolio work
Personal  Portfolio workPersonal  Portfolio work
Personal Portfolio work
 

Similar to Don't get stung - an introduction to the OWASP Top 10

Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
PHP Security
PHP SecurityPHP Security
PHP Security
Mindfire Solutions
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
Joe McCray
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
Oleksandr Kovalchuk
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
ThreatReel Podcast
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
alsmola
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
bhumika2108
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
ERPScan
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
ThreatReel Podcast
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
LogeekNightUkraine
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
jemond
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
ThreatReel Podcast
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
Victor Bucutea
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
Paul Lemon
 

Similar to Don't get stung - an introduction to the OWASP Top 10 (20)

Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
PwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIsPwnSchool: Exploiting Web APIs
PwnSchool: Exploiting Web APIs
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
CiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful APICiNPA Security SIG - Exploiting the Tiredful API
CiNPA Security SIG - Exploiting the Tiredful API
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
 

Recently uploaded

Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
Mydbops
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
manji sharman06
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 

Recently uploaded (20)

Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
Call Girls Chandigarh🔥7023059433🔥Agency Profile Escorts in Chandigarh Availab...
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 

Don't get stung - an introduction to the OWASP Top 10

  • 1. Don’t get Stung(An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
  • 2. Contents OWASP Top Ten http://www.owasp.org A worldwide free and open community focused on improving the security of application software
  • 3. Introduction Do not try this at home. Or at work. These are not just ASP.NET vulnerabilities If you don’t want to ask public questions ...barryd@idunno.org / http://idunno.org
  • 4. 10 – Unvalidated Redirects and Forwards
  • 5. Unvalidated Redirect and Forwards Users don’t check the address bar MVC authentication (pre-3.0) is vulnerable. Check the ReturnUrlparameter – http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
  • 6. 9 – Insufficient Transport Layer Protection
  • 7. Insufficient Transport Layer Protection Use SSL Protection communications between web server and backend systems (SSL, IPSEC etc.) Replay attacks – use time limited tokens
  • 8. 8– Failure to restrict URI access
  • 9. Failure to restrict URI access Security by obscurity is useless Restrict via ASP.NET – no rolling your own! Integrated pipeline restricts everything Use [PrincipalPermission] to protect yourself IIS7 replaces file ACLs with a web.config based authorization list.
  • 11. Insecure Cryptographic Storage Symmetric – same key Asymmetric – public/private keys Use safe algorithms –Hashing : SHA256Symmetric: AESAsymmetric: CMS/PKCS#7 Encrypt then sign
  • 12. Insecure Cryptographic Storage Use symmetric when All systems are under your control No need to identify who did the encryption Use asymmetric when Talking/accepting from external systems Non-repudiation on who encrypted/signed (X509) All in memory – so no large plain tex! Combine the two for speed and security
  • 13. Insecure Cryptographic Storage Do not reuse keys for different purposes Store keys outside the main database Use CryptGenRandom for random numbers Use & rotate salts Use unique IVs DAPI can provide a key store
  • 14. 6 – Security Misconfiguration
  • 15. Security Misconfiguration PATCH PATCHPATCH IIS7 App Pool Isolation –http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/ URLScan Security Runtime Engine (CTP) Disable unused modules, accounts etc.
  • 16. Security Misconfiguration <httpModules>  <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />  <add name="Session" type="System.Web.SessionState.SessionStateModule" />  <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />  <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />  <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />  <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />  <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />  <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />  <add name="Profile" type="System.Web.Profile.ProfileModule" /></httpModules>
  • 17. Security Misconfiguration <httpModules>  <remove name="PassportAuthentication" />  <remove name="Profile" />  <remove name="AnonymousIdentification" /></httpModules> NB: Some modules depend on othersForms auth needs caching.There’s no easy way to tell!
  • 18. 5 – Cross Site Request Forgery
  • 19. Cross Site Request Forgery WebForms Lock ViewState using ViewStateUserKey Needs a way to identify user Set in Page_Init Use a CSRF token – http://anticsrf.codeplex.com MVC<%= Html.AntiForgeryToken() %> - in form[ValidateAntiForgeryToken] – on action method Encourage users to log out When is a postback not a postback?
  • 20. 4 – Insecure Direct Object Reference
  • 21. Insecure Direct Object Reference Use indirect object references Always check access permissions For MVC don’t allow binding to your ID field[Bind(Exclude="id")]
  • 22. 3 - Broken Authentication/Sessions
  • 23. Broken Authentication/Sessions Don’t roll your own! If you must validate sessions on every requestcheck the browser string, not the IP
  • 24. 2– Cross Site Scripting
  • 25. XSS <IMG SRC=javascript:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  • 26. XSS All input is evil Work from white-lists not black-lists. Store un-encoded data in your database Use HttpOnly cookies AntiXSS project http://antixss.codeplex.com Better HTML/URL Encoding Adds HTML Attribute, Javascript, VBScript XSS Cheat Sheet http://ha.ckers.org/xss.html
  • 28. Injection Flaws SQL Use SQL parameters Remove direct SQL table access When building SQL strings within SPs parameterise those too! Xpath Use XsltContext http://mvpxml.codeplex.com/
  • 29. Injection Flaws DECLARE @cmd= 'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last' EXEC @cmd, N'@firstnvarchar(25), @last nvarchar(25)', @first, @last
  • 30. Changes from 2007 Malicious File Execution Information Leakage / Improper Error Handling Security Misconfiguration Un-validated Redirects and Forwards
  • 31. The OWASP Top Ten A1-Injection A2-Cross Site Scripting (XSS) A3-Broken Authentication and Session Management A4-Insecure Direct Object References A5-Cross Site Request Forgery (CSRF) A6-Security Misconfiguration A7-Insecure Cryptographic Storage A8-Failure to Restrict URL Access A9-Insufficient Transport Layer Protection A10-Unvalidated Redirects and Forwards