Don’t get Stung
(An introduction to the OWASP Top Ten Project)

Barry Dorrans
MVP – Developer Security
Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software
Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ... barryd@idunno.org / http://idunno.org
10 – Failure to restrict URI access
Failure to restrict URI access
• Security by obscurity is useless
• Restrict via ASP.NET
• Integrated pipeline restricts everything
• Use [PrincipalPermission] to protect yourself
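An added example (my code, not from the deck) of the last bullet: a business-layer method guarded by [PrincipalPermission], so the check runs whichever URL reached it, and a page that turns the failed demand into a 403. It assumes ASP.NET has set the request's principal (Windows or Forms authentication with a role provider); the role name and method body are placeholders.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web;
using System.Web.UI;

// Business-layer operation. The demand runs no matter which URL called it, so
// an unlinked "hidden" page is no longer a way around the check.
public static class ReportService
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] // placeholder role
    public static string ExportAll()
    {
        return "report data"; // placeholder body
    }
}

// Page that calls it. A failed demand surfaces as SecurityException; answer
// with a plain 403 instead of letting ASP.NET render the exception page.
public partial class AdminExport : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            Response.ContentType = "text/plain";
            Response.Write(ReportService.ExportAll());
        }
        catch (SecurityException)
        {
            Response.Clear();
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

The web.config <authorization> rules still apply first; the attribute is the second layer for when a URL rule is missed.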
9 – Insecure Communications
Insecure Communications
• Use SSL
• Protect communications between web server and backend systems too (SSL, IPSEC etc.)
• Replay attacks
8 – Insecure Cryptographic Storage
Insecure Cryptographic Storage
• Symmetric – same key
• Asymmetric – public/private keys
• Use safe algorithms:
  – Hashing: SHA256
  – Symmetric: AES
  – Asymmetric: CMS/PKCS#7
• Encrypt then sign
Insecure Cryptographic Storage
• Use symmetric when
  – All systems are under your control
  – No need to identify who did the encryption
• Use asymmetric when
  – Talking/accepting from external systems
  – Non-repudiation on who encrypted/signed (X509)
  – All in memory!
• Combine the two for speed and security
Insecure Cryptographic Storage
• Do not reuse keys for different purposes
• Store keys outside the main database
• Use CryptGenRandom for random numbers
• Use & rotate salts
• Use unique IVs
• DPAPI can provide a key store
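An added example (my code, not from the deck) that puts the three slides' rules together: AES with a fresh IV per record, encrypt then sign with HMAC-SHA256 under a separate key, randomness from RNGCryptoServiceProvider (CryptGenRandom), a salted SHA-256 for stored verifiers, and DPAPI to wrap the key material. The record layout and helper names are my own; ProtectedData needs a reference to System.Security.dll.

```csharp
using System;
using System.Security.Cryptography;

public static class SecureStorage
{
    // RNGCryptoServiceProvider is backed by CryptGenRandom on Windows.
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    public static byte[] RandomBytes(int count)
    {
        var buffer = new byte[count];
        Rng.GetBytes(buffer);
        return buffer;
    }

    // One key per purpose: bytes 0-31 encrypt (AES-256), bytes 32-63 authenticate (HMAC-SHA256).
    public static byte[] NewKeyMaterial() { return RandomBytes(64); }

    // DPAPI wraps the key material at rest; keep the wrapped blob outside the main database.
    public static byte[] WrapKeys(byte[] keys) { return ProtectedData.Protect(keys, null, DataProtectionScope.LocalMachine); }
    public static byte[] UnwrapKeys(byte[] wrapped) { return ProtectedData.Unprotect(wrapped, null, DataProtectionScope.LocalMachine); }

    // Record layout (my choice): IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32).
    public static byte[] Protect(byte[] keys, byte[] plaintext)
    {
        byte[] encKey = Slice(keys, 0, 32), macKey = Slice(keys, 32, 32);
        byte[] iv = RandomBytes(16); // unique IV for every record
        byte[] cipher;
        using (var aes = Aes.Create()) // CBC with PKCS7 padding by default
        {
            aes.Key = encKey;
            aes.IV = iv;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        byte[] ivAndCipher = Concat(iv, cipher);
        using (var hmac = new HMACSHA256(macKey))
            return Concat(ivAndCipher, hmac.ComputeHash(ivAndCipher)); // encrypt, then sign
    }

    public static byte[] Unprotect(byte[] keys, byte[] record)
    {
        if (record == null || record.Length < 16 + 16 + 32)
            throw new CryptographicException("Record too short");
        byte[] encKey = Slice(keys, 0, 32), macKey = Slice(keys, 32, 32);
        byte[] ivAndCipher = Slice(record, 0, record.Length - 32);
        byte[] tag = Slice(record, record.Length - 32, 32);
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(ivAndCipher);
        if (!FixedTimeEquals(expected, tag)) // verify the signature before touching the ciphertext
            throw new CryptographicException("Authentication failed");
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = Slice(ivAndCipher, 0, 16);
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivAndCipher, 16, ivAndCipher.Length - 16);
        }
    }

    // Salted SHA-256 for values that only need to be verified; a new salt per record.
    public static byte[] SaltedHash(byte[] value, out byte[] salt)
    {
        salt = RandomBytes(16);
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Concat(salt, value));
    }

    private static byte[] Slice(byte[] source, int offset, int length)
    {
        var result = new byte[length];
        Buffer.BlockCopy(source, offset, result, 0, length);
        return result;
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        var result = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, result, 0, a.Length);
        Buffer.BlockCopy(b, 0, result, a.Length, b.Length);
        return result;
    }

    // Compares every byte so a wrong tag takes the same time as a right one.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```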
7 - Broken Authentication/Sessions
Broken Authentication/Sessions
• Don’t roll your own!
• Validate sessions on every request
  – Check the browser string
6 – Information Leakage
Information Leakage
• Don’t show raw errors
• Catch errors “properly”
• Don’t upload PDBs or debug assemblies
• Encrypt web.config parts
• Encrypt ViewState
• Watch your CSS!
• For Ajax, UpdatePanels are more secure
• Turn off metadata in web services
5 – Cross Site Request Forgery
Cross Site Request Forgery
• Lock ViewState using ViewStateUserKey
  – Needs a way to identify user
  – Set in Page_Init
• Use a CSRF token – http://anticsrf.codeplex.com
• Encourage users to log out
• GET requests must be idempotent
• When is a postback not a postback?
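An added example (my code, not from the deck) serving the session slide (7) and this CSRF slide, with the ViewState-encryption bullet from slide 6 thrown in: a base Page that checks the browser string on every request, sets ViewStateUserKey in the Init stage, and demands a per-session token on every postback, which is the answer to "when is a postback not a postback?" (IsPostBack is true for any POST carrying __VIEWSTATE, wherever it came from). It assumes session state is enabled; the class, session slot and hidden-field names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.UI;

public class SecurePage : Page
{
    private const string UserAgentKey = "__ua";        // session slot (my name)
    private const string FormTokenKey = "__formtoken"; // session slot and hidden field (my name)

    protected override void OnInit(EventArgs e) // the Page_Init stage
    {
        base.OnInit(e);

        // Validate the session on every request: bind it to the browser string
        // seen when the session started and throw it away if the string changes.
        string ua = Request.UserAgent ?? string.Empty;
        string bound = Session[UserAgentKey] as string;
        if (bound == null)
            Session[UserAgentKey] = ua; // storing something also makes SessionID stable
        else if (!string.Equals(bound, ua, StringComparison.Ordinal))
        {
            Session.Abandon();
            Response.StatusCode = 403;
            Response.End();
        }

        // Lock ViewState to this user: a __VIEWSTATE captured from another
        // session fails its MAC check here.
        ViewStateUserKey = Session.SessionID;

        // Encrypt ViewState as well as MAC it (slide 6).
        RegisterRequiresViewStateEncryption();

        // A postback is not proof the form came from our page. Demand the
        // per-session token before any postback handler runs.
        if (IsPostBack && !IsValidFormToken())
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        // Emit the token as a hidden field so legitimate forms send it back.
        ClientScript.RegisterHiddenField(FormTokenKey, CurrentFormToken());
    }

    private string CurrentFormToken()
    {
        string token = Session[FormTokenKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(bytes); // CryptGenRandom-backed
            token = Convert.ToBase64String(bytes);
            Session[FormTokenKey] = token;
        }
        return token;
    }

    private bool IsValidFormToken()
    {
        string expected = Session[FormTokenKey] as string;
        string supplied = Request.Form[FormTokenKey];
        return expected != null && supplied != null
            && string.Equals(expected, supplied, StringComparison.Ordinal);
    }
}
```

GET requests are deliberately not checked: they must stay idempotent, so nothing state-changing should be reachable by GET in the first place.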
4 – Insecure Direct Object Reference
Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions
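An added example (my code, not from the deck) of both bullets: a per-user map that hands out opaque tokens in place of database keys, and a handler that resolves a token and still checks ownership before loading anything. The map is meant to live in the user's session; the class names and the IInvoiceRepository interface are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;

// Per-user map of opaque tokens to real database keys. Keep one instance in
// the user's session (for example Session["refs"]) so tokens are never shared.
public sealed class IndirectReferenceMap
{
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();
    private readonly Dictionary<string, int> tokenToId = new Dictionary<string, int>(StringComparer.Ordinal);
    private readonly Dictionary<int, string> idToToken = new Dictionary<int, string>();

    // Token to put in links and hidden fields instead of the real id.
    public string TokenFor(int realId)
    {
        string token;
        if (idToToken.TryGetValue(realId, out token)) return token;
        var bytes = new byte[16];
        Rng.GetBytes(bytes); // unguessable, so ids cannot be walked by counting
        token = BitConverter.ToString(bytes).Replace("-", string.Empty);
        idToToken[realId] = token;
        tokenToId[token] = realId;
        return token;
    }

    // A token this user was never given resolves to nothing.
    public bool TryResolve(string token, out int realId)
    {
        realId = 0;
        return token != null && tokenToId.TryGetValue(token, out realId);
    }
}

// Data access the handler talks to (interface only; your repository supplies it).
public interface IInvoiceRepository
{
    bool IsOwnedBy(int invoiceId, string userName);
    string Load(int invoiceId);
}

public static class InvoiceHandler
{
    // Called with the token taken from the request, e.g. ?inv=<token>.
    public static string Get(IndirectReferenceMap map, IInvoiceRepository repo,
                             string userName, string token)
    {
        int id;
        if (!map.TryResolve(token, out id))
            throw new HttpException(404, "Not found");
        // Always check access permissions, even for a token we issued ourselves:
        // ownership may have changed since the link was rendered.
        if (!repo.IsOwnedBy(id, userName))
            throw new HttpException(403, "Forbidden");
        return repo.Load(id);
    }
}
```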
3 – Malicious File Execution
Malicious File Execution
• Remove Scripting IIS permission
• Store outside of application root
• Never believe the MIME type for uploads
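An added example (my code, not from the deck) of the last two bullets: uploads are typed by their leading bytes rather than the Content-Type the browser sent, renamed, written outside the application root, and later served through code instead of by path. The store directory and the accepted signatures (PNG and JPEG only) are my assumptions.

```csharp
using System;
using System.IO;
using System.Web;

public static class UploadStore
{
    // Outside the application root, so IIS never serves or executes anything here.
    private static readonly string StoreRoot = @"D:\uploads"; // placeholder path

    // Only these signatures are accepted; the browser's Content-Type is ignored.
    private static readonly byte[] PngMagic = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
    private static readonly byte[] JpegMagic = { 0xFF, 0xD8, 0xFF };

    // Returns the server-generated name to record in the database.
    public static string Save(HttpPostedFile file)
    {
        if (file == null || file.ContentLength == 0)
            throw new HttpException(400, "No file uploaded");

        var head = new byte[8];
        int read = file.InputStream.Read(head, 0, head.Length);
        file.InputStream.Position = 0;

        string extension;
        if (StartsWith(head, read, PngMagic)) extension = ".png";
        else if (StartsWith(head, read, JpegMagic)) extension = ".jpg";
        else throw new HttpException(415, "Unsupported file type");

        // Never reuse the client's file name: it can carry path separators or an
        // executable extension such as .aspx. Generate our own.
        string name = Guid.NewGuid().ToString("N") + extension;
        file.SaveAs(Path.Combine(StoreRoot, name));
        return name;
    }

    // Serve a stored file through a handler, never by exposing the directory.
    public static void Send(HttpResponse response, string storedName)
    {
        // Our names are Guid + extension, so anything with a path in it is rejected.
        if (string.IsNullOrEmpty(storedName) || Path.GetFileName(storedName) != storedName)
            throw new HttpException(400, "Bad name");
        string path = Path.Combine(StoreRoot, storedName);
        if (!File.Exists(path)) throw new HttpException(404, "Not found");
        response.ContentType = storedName.EndsWith(".png", StringComparison.OrdinalIgnoreCase)
            ? "image/png" : "image/jpeg";
        response.AppendHeader("X-Content-Type-Options", "nosniff"); // stop browsers re-typing it
        response.AppendHeader("Content-Disposition", "attachment; filename=" + storedName);
        response.TransmitFile(path);
    }

    private static bool StartsWith(byte[] head, int read, byte[] magic)
    {
        if (read < magic.Length) return false;
        for (int i = 0; i < magic.Length; i++)
            if (head[i] != magic[i]) return false;
        return true;
    }
}
```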
2 – Injection Flaws
Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
• Xpath
  – Use XsltContext
  – http://mvpxml.codeplex.com/
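An added example (my code, not from the deck) of both injection fixes: the SQL lookup binds the name as a SqlParameter, and the XPath lookup passes it as the variable $name through a small XsltContext, so a quote in the input cannot close the literal in either query. The Users table, the /users/user XML shape and the VariableContext class are my assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Xml.XPath;
using System.Xml.Xsl;

public static class UserLookup
{
    // SQL: the value travels as a parameter, never spliced into the statement.
    // (The broken form is "... WHERE Name = '" + name + "'".)
    public static int CountByName(SqlConnection conn, string name)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = @name";
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            return (int)cmd.ExecuteScalar();
        }
    }

    // XPath: the value becomes $name, resolved by the XsltContext at evaluation
    // time, so the expression text never contains user input.
    public static bool ExistsByName(XPathDocument doc, string name)
    {
        XPathNavigator nav = doc.CreateNavigator();
        XPathExpression expr = nav.Compile("count(/users/user[@name = $name]) > 0");
        expr.SetContext(new VariableContext("name", name));
        return (bool)nav.Evaluate(expr);
    }
}

// Minimal XsltContext that resolves one named variable and nothing else.
public sealed class VariableContext : XsltContext
{
    private readonly string varName;
    private readonly object value;

    public VariableContext(string varName, object value)
    {
        this.varName = varName;
        this.value = value;
    }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        return name == varName ? new ConstantVariable(value) : null;
    }

    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes)
    {
        return null; // no extension functions
    }

    public override int CompareDocument(string baseUri, string nextbaseUri) { return 0; }
    public override bool PreserveWhitespace(XPathNavigator node) { return false; }
    public override bool Whitespace { get { return false; } }

    private sealed class ConstantVariable : IXsltContextVariable
    {
        private readonly object value;
        public ConstantVariable(object value) { this.value = value; }
        public object Evaluate(XsltContext context) { return value; }
        public bool IsLocal { get { return false; } }
        public bool IsParam { get { return false; } }
        public XPathResultType VariableType { get { return XPathResultType.String; } }
    }
}
```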
1 – Cross Site Scripting
XSS
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
XSS
• All input is evil
• Work from white-lists, not black-lists.
• Store un-encoded data in your database
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL encoding
  – Adds HTML attribute, JavaScript, JSON and VBScript encoding
• XSS Cheat Sheet http://ha.ckers.org/xss.html
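An added example (my code, not from the deck, and not the AntiXSS library itself) of the white-list principle: an encoder that passes only listed characters through and numerically encodes everything else, with separate HTML, attribute and JavaScript-string contexts, plus a cookie set HttpOnly. Data stays un-encoded in storage and is encoded at the point of output. The white-list and class names are my choices.

```csharp
using System;
using System.Globalization;
using System.Text;
using System.Web;

public static class OutputEncoder
{
    // The white-list: letters, digits and a little punctuation pass through.
    // Everything else, including < > " ' & and all non-ASCII, gets encoded.
    private static bool IsSafe(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') || c == '.' || c == ',' || c == '-' || c == '_';
    }

    // HTML element content: the slide's <IMG SRC=javascript:alert('XSS')> comes out as
    // &#60;IMG SRC&#61;javascript&#58;alert&#40;&#39;XSS&#39;&#41;&#62; and renders as text.
    public static string HtmlEncode(string input) { return Encode(input, true, false); }

    // HTML attribute value: space is encoded too, so the value cannot be broken out of.
    public static string HtmlAttributeEncode(string input) { return Encode(input, false, false); }

    // Inside a JavaScript string literal: each non-white-listed UTF-16 unit becomes \uXXXX.
    public static string JavaScriptStringEncode(string input) { return Encode(input, false, true); }

    private static string Encode(string input, bool allowSpace, bool javaScript)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            if (IsSafe(c) || (allowSpace && c == ' ')) { sb.Append(c); continue; }
            if (javaScript)
            {
                sb.Append("\\u").Append(((int)c).ToString("x4", CultureInfo.InvariantCulture));
                continue;
            }
            int codePoint = c;
            if (char.IsHighSurrogate(c) && i + 1 < input.Length && char.IsLowSurrogate(input[i + 1]))
                codePoint = char.ConvertToUtf32(c, input[++i]); // one reference for the whole pair
            sb.Append("&#").Append(codePoint.ToString(CultureInfo.InvariantCulture)).Append(';');
        }
        return sb.ToString();
    }
}

public static class CookieFactory
{
    // HttpOnly keeps the cookie out of document.cookie, so a script that does get
    // injected still cannot read the session id.
    public static HttpCookie SessionCookie(string name, string value)
    {
        var cookie = new HttpCookie(name, value);
        cookie.HttpOnly = true;
        cookie.Secure = true; // only sent over SSL (slide 9)
        return cookie;
    }
}
```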
The OWASP Top Ten
• Failure to restrict URL access
• Insecure Communications
• Insecure Cryptographic Storage
• Broken Authentication / Session Management
• Information Leakage
• Cross Site Request Forgery
• Insecure Direct Object Reference
• Malicious File Execution
• Injection Flaws
• Cross Site Scripting
Resources
• AntiXSS – http://www.codeplex.com/AntiXSS
• AntiCSRF – http://www.codeplex.com/AntiCSRF
• P&P Guidance Explorer – http://www.codeplex.com/guidanceExplorer
• Fiddler – http://www.fiddlertool.com
• TamperData – https://addons.mozilla.org/en-US/firefox/addon/966
Questions

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 

Don't Get Stung

  • 15. Information Leakage • Don’t show raw errors (customErrors mode="On" or "RemoteOnly" in web.config) • Catch errors properly and log the detail server-side • Don’t upload PDBs or debug assemblies (compilation debug="false") • Encrypt the web.config sections that hold secrets (aspnet_regiis -pe) • Encrypt ViewState (viewStateEncryptionMode="Always") • Watch your CSS! • For Ajax, UpdatePanels are more secure • Turn off metadata (WSDL) publishing in web services
  • 16. 5 – Cross Site Request Forgery
  • 17. Cross Site Request Forgery • Lock ViewState to the user with ViewStateUserKey – Needs a way to identify the user (user name or session ID) – Must be set in Page_Init, before ViewState is loaded • Use a CSRF token – http://anticsrf.codeplex.com • Encourage users to log out (the forged request rides on a live session) • GET requests must be safe and idempotent: never change state on a GET • When is a postback not a postback? (IsPostBack is true for any POST, including one forged from another site)
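The slide's three server-side measures together, as an added example in ASP.NET Web Forms (this is not code from the talk or from the AntiCSRF project): ViewStateUserKey set in Page_Init, a per-session token generated with a cryptographic RNG and echoed in a hidden field, and a constant-time check on every POST. Control names (CsrfToken, Amount) and the page class are assumed; they would normally be declared in the .aspx and designer file.

```csharp
// Added example, not from the original slides. Assumes a Web Forms page with a
// HiddenField named CsrfToken and a TextBox named Amount in its markup.
using System;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class TransferPage : Page
{
    // Declared here only to keep the example in one file; the designer file normally does this.
    protected HiddenField CsrfToken;
    protected TextBox Amount;

    private const string TokenSessionKey = "__CsrfToken";

    protected void Page_Init(object sender, EventArgs e)
    {
        // ViewStateUserKey must be set in Init, before ViewState is loaded, so ViewState
        // captured for one user cannot be replayed inside another user's session.
        ViewStateUserKey = User.Identity.IsAuthenticated ? User.Identity.Name : Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // One token per session, from a cryptographic RNG (not System.Random).
        string token = Session[TokenSessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            Session[TokenSessionKey] = token;
        }

        if (!IsPostBack)
        {
            // The attacker's cross-site form cannot read this value, so it cannot forge it.
            CsrfToken.Value = token;
            return;
        }

        // IsPostBack is true for any POST, forged or not: validate before doing any work.
        if (!TokensMatch(Request.Form[CsrfToken.UniqueID], token))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // Constant-time comparison so the token cannot be guessed one character at a time.
    internal static bool TokensMatch(string submitted, string expected)
    {
        if (submitted == null || expected == null || submitted.Length != expected.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            diff |= submitted[i] ^ expected[i];
        }
        return diff == 0;
    }

    protected void Transfer_Click(object sender, EventArgs e)
    {
        // Reached only after the ViewState and token checks passed. State-changing work
        // belongs here, behind a POST; never perform it in response to a GET.
    }

    protected void Logout_Click(object sender, EventArgs e)
    {
        // "Encourage users to log out": kill both the auth ticket and the session the token lives in.
        FormsAuthentication.SignOut();
        Session.Abandon();
    }
}
```

The token is compared against the session copy, not against the hidden field's round-tripped value, so a forged POST that omits the field or carries a stale one is rejected before any handler runs.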
  • 18. 4 – Insecure Direct Object Reference
  • 19. Insecure Direct Object Reference • Use indirect object references (per-session handles in URLs and forms instead of database keys) • Always check access permissions server-side; indirection alone is not authorization
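Both bullets in one handler, as an added example (not the talk's code): the client only ever sees a random per-session handle, the real invoice id is resolved server-side, and the owner check still runs before anything is returned. The Invoice.ashx handler, the session key, and the InvoiceRepository data layer are assumed for illustration.

```csharp
// Added example, not from the original slides. Assumes session state is enabled and a
// hypothetical in-memory InvoiceRepository stands in for the real database.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

public class InvoiceReferenceMap
{
    private readonly Dictionary<string, int> handleToId = new Dictionary<string, int>();
    private readonly Dictionary<int, string> idToHandle = new Dictionary<int, string>();

    // Returns the opaque handle to put in links and forms instead of the database id.
    public string HandleFor(int invoiceId)
    {
        string handle;
        if (idToHandle.TryGetValue(invoiceId, out handle))
        {
            return handle;
        }
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        // 128 random bits, URL-safe: unguessable and not sequential.
        handle = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        handleToId[handle] = invoiceId;
        idToHandle[invoiceId] = handle;
        return handle;
    }

    // Resolves a client-submitted handle; null if this session never issued it.
    public int? Resolve(string handle)
    {
        int id;
        return handle != null && handleToId.TryGetValue(handle, out id) ? id : (int?)null;
    }
}

// Hypothetical data layer with constructed sample rows.
public static class InvoiceRepository
{
    private static readonly Dictionary<int, string> owners =
        new Dictionary<int, string> { { 1001, "alice" }, { 1002, "bob" } };

    public static string OwnerOf(int invoiceId)
    {
        string owner;
        return owners.TryGetValue(invoiceId, out owner) ? owner : null;
    }

    public static byte[] PdfFor(int invoiceId) { return new byte[0]; } // real PDF bytes in practice
}

// Invoice.ashx: a link is built as "Invoice.ashx?ref=" + HttpUtility.UrlEncode(map.HandleFor(1001)).
public class InvoiceHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        var map = context.Session["invoiceRefs"] as InvoiceReferenceMap;
        if (map == null)
        {
            map = new InvoiceReferenceMap();
            context.Session["invoiceRefs"] = map;
        }

        // Vulnerable form, for contrast:
        //   int id = int.Parse(context.Request.QueryString["id"]);  // attacker walks id=1,2,3...
        int? invoiceId = map.Resolve(context.Request.QueryString["ref"]);
        if (invoiceId == null)
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Indirection hides the key; it does not authorize. Check ownership every time.
        string owner = InvoiceRepository.OwnerOf(invoiceId.Value);
        if (!context.User.Identity.IsAuthenticated || owner != context.User.Identity.Name)
        {
            context.Response.StatusCode = 403;
            return;
        }

        context.Response.ContentType = "application/pdf";
        context.Response.BinaryWrite(InvoiceRepository.PdfFor(invoiceId.Value));
    }
}
```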
  • 20. 3 – Malicious File Execution
  • 21. Malicious File Execution • Remove the Scripting/Execute IIS permission from upload folders • Store uploads outside of the application root • Never believe the MIME type for uploads; check the extension against a white-list and inspect the file contents
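An upload handler that applies all three bullets, as an added example (not code from the talk): the browser-supplied ContentType is ignored, the extension is white-listed, the file header is checked, the file is renamed, and it is saved to a folder outside the web root. The storage path, the form field name and the Upload.ashx handler are assumptions.

```csharp
// Added example, not from the original slides. Assumes D:\uploads exists, sits outside
// the application root, and has no IIS script/execute permission.
using System;
using System.IO;
using System.Web;

public class UploadHandler : IHttpHandler
{
    private static readonly string StoreRoot = @"D:\uploads";           // assumed location
    private static readonly string[] AllowedExtensions = { ".png", ".jpg", ".pdf" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpPostedFile file = context.Request.Files["upload"];          // assumed field name
        if (file == null || file.ContentLength == 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // file.ContentType is whatever the client sent; it proves nothing. White-list the extension.
        string ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
        {
            context.Response.StatusCode = 415;
            return;
        }

        // Then confirm the bytes look like the claimed type (an .aspx renamed to .jpg fails here).
        var header = new byte[4];
        int read = file.InputStream.Read(header, 0, header.Length);
        file.InputStream.Position = 0;
        if (read < header.Length || !HeaderMatches(ext, header))
        {
            context.Response.StatusCode = 415;
            return;
        }

        // Never reuse the client's name: it can carry "..\" or a second extension.
        string storedName = Guid.NewGuid().ToString("N") + ext;
        file.SaveAs(Path.Combine(StoreRoot, storedName));

        // Hand back only the generated name; keep any original-name mapping in the database.
        context.Response.ContentType = "text/plain";
        context.Response.Write(storedName);
    }

    // Magic-number check for the white-listed types.
    internal static bool HeaderMatches(string ext, byte[] h)
    {
        switch (ext)
        {
            case ".png": return h[0] == 0x89 && h[1] == 0x50 && h[2] == 0x4E && h[3] == 0x47; // .PNG
            case ".jpg": return h[0] == 0xFF && h[1] == 0xD8 && h[2] == 0xFF;                 // JPEG SOI
            case ".pdf": return h[0] == 0x25 && h[1] == 0x50 && h[2] == 0x44 && h[3] == 0x46; // %PDF
            default: return false;
        }
    }
}
```

Because the stored file lives outside the application root and is served, if at all, by a handler that streams bytes, even a file that slips past the checks is never handed to the ASP.NET or classic ASP engines for execution.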
  • 22. 2 – Injection Flaws
  • 23. Injection Flaws • SQL – Use SQL parameters – Remove direct SQL table access (stored procedures and a least-privilege database login) • XPath – Use XsltContext to bind values as variables instead of concatenating them – http://mvpxml.codeplex.com/
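The same lookup written the vulnerable way and the two ways the slide recommends, plus the XPath equivalent, as an added example (not code from the talk or from the Mvp.Xml project). Table, procedure and element names are made up for illustration.

```csharp
// Added example, not from the original slides. Customers/dbo.GetCustomerByName and the
// <user><name/></user> document shape are assumed.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Xml.XPath;
using System.Xml.Xsl;

public static class CustomerLookup
{
    // VULNERABLE: name = "' OR '1'='1" returns every row; "'; DROP TABLE Customers--" does worse.
    public static string VulnerableSql(string name)
    {
        return "SELECT Id, Email FROM Customers WHERE Name = '" + name + "'";
    }

    // FIXED: the value travels as a typed parameter and is never parsed as SQL.
    public static SqlCommand SafeSql(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("SELECT Id, Email FROM Customers WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // "Remove direct SQL table access": grant the web login EXECUTE on procedures only,
    // so an injection elsewhere cannot SELECT or DROP the tables directly.
    public static SqlCommand ViaStoredProcedure(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("dbo.GetCustomerByName", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }
}

// XPath has the same flaw: "//user[name='" + name + "']" breaks on a single quote.
// Bind the value as an XPath variable through a custom XsltContext instead.
public class VariableContext : XsltContext
{
    private readonly Dictionary<string, object> values = new Dictionary<string, object>();

    public void Set(string name, object value) { values[name] = value; }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        object v;
        return values.TryGetValue(name, out v) ? new Variable(v) : null;
    }

    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) { return null; }
    public override bool Whitespace { get { return false; } }
    public override bool PreserveWhitespace(XPathNavigator node) { return false; }
    public override int CompareDocument(string baseUri, string nextbaseUri) { return 0; }

    private class Variable : IXsltContextVariable
    {
        private readonly object value;
        public Variable(object value) { this.value = value; }
        public object Evaluate(XsltContext context) { return value; }
        public bool IsLocal { get { return false; } }
        public bool IsParam { get { return false; } }
        public XPathResultType VariableType { get { return XPathResultType.String; } }
    }
}

public static class UserLookup
{
    // Usage: UserLookup.SafeXPath(new XPathDocument("users.xml").CreateNavigator(), name)
    public static XPathNodeIterator SafeXPath(XPathNavigator nav, string name)
    {
        var ctx = new VariableContext();
        ctx.Set("name", name);
        XPathExpression expr = XPathExpression.Compile("//user[name=$name]");
        expr.SetContext(ctx);
        return nav.Select(expr);   // $name is compared as a string, quotes and all
    }
}
```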
  • 24. 1 – Cross Site Scripting
  • 25. XSS • <IMG SRC=javascript:alert('XSS')> • <IMG SRC=JaVaScRiPt:alert('XSS')> • <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> (the same javascript:alert('XSS') as decimal character references)
  • 26. XSS • All input is evil • Work from white-lists, not black-lists • Store un-encoded data in your database and encode on output, for the context it is written into • Use HttpOnly cookies • AntiXSS project http://antixss.codeplex.com – Better HTML/URL encoding – Adds HTML attribute, JavaScript, JSON and VBScript encoders • XSS Cheat Sheet http://ha.ckers.org/xss.html
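Output encoding chosen per context, and a scheme white-list for the IMG SRC vectors shown two slides earlier (encoding alone does not stop a javascript: URL), as an added example that is not the talk's or the AntiXSS project's code. It uses the encoders in System.Web; the AntiXSS library provides white-list-based equivalents for the same contexts.

```csharp
// Added example, not from the original slides. Raw data stays in the database; each
// function encodes for exactly one output context.
using System;
using System.Web;

public static class SafeOutput
{
    // HTML body text.
    public static string Body(string untrusted)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(untrusted) + "</p>";
    }

    // HTML attribute: always quote the attribute and attribute-encode the value.
    public static string Attribute(string untrusted)
    {
        return "<input value=\"" + HttpUtility.HtmlAttributeEncode(untrusted) + "\" />";
    }

    // JavaScript string literal inside a <script> block; HtmlEncode is the wrong tool here.
    public static string Script(string untrusted)
    {
        return "<script>var name = \"" + HttpUtility.JavaScriptStringEncode(untrusted) + "\";</script>";
    }

    // URL query value: encode the value, not the whole URL.
    public static string Link(string untrusted)
    {
        return "<a href=\"/search?q=" + HttpUtility.UrlEncode(untrusted) + "\">search</a>";
    }

    // src/href built from user data: white-list the scheme. This rejects all three IMG SRC
    // vectors from the slide (plain, mixed-case and entity-encoded javascript:).
    public static string ImageSrc(string untrustedUrl)
    {
        Uri uri;
        bool ok = Uri.TryCreate(HttpUtility.HtmlDecode(untrustedUrl), UriKind.Absolute, out uri)
                  && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
        if (!ok)
        {
            return "";
        }
        return "<img src=\"" + HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri) + "\" />";
    }

    // Session and auth cookies unreadable from script; <httpCookies httpOnlyCookies="true"/>
    // in web.config does this globally.
    public static HttpCookie HttpOnlyCookie(string name, string value)
    {
        var cookie = new HttpCookie(name, value);
        cookie.HttpOnly = true;
        cookie.Secure = true;
        return cookie;
    }
}
```

The point of keeping the database un-encoded is that the same value can be written into a page body, an attribute, a script block and a URL, and each of those needs a different encoder; encoding once on the way in would be wrong for three of the four.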
  • 27. The OWASP Top Ten (2007 edition) • Failure to restrict URL access • Insecure Communications • Insecure Cryptographic Storage • Broken Authentication / Session Management • Information Leakage • Cross Site Request Forgery • Insecure Direct Object Reference • Malicious File Execution • Injection Flaws • Cross Site Scripting
  • 28. Resources • AntiXSS - http://www.codeplex.com/AntiXSS • AntiCSRF - http://www.codeplex.com/AntiCSRF • P&P Guidance Explorer - http://www.codeplex.com/guidanceExplorer • Fiddler – http://www.fiddlertool.com • TamperData – https://addons.mozilla.org/en-US/firefox/addon/966