SlideShare a Scribd company logo

Security .NET.pdf

A
Abhi Jain

Security in .NET OWAS Top 10

Software
1 of 87
Download to read offline
Security .NET -Abhi Jain
Agenda ● Security overview ● Security Mindset ● 4 day training ○ Each day ■ Discuss 2-3 security attacks ■ Learn how to prevent them ■ Hands on exercises ■ Homeworks ● Summary
A few things ● Need lots of participation ● 4 Day program ○ With a few breaks ● My aim for you is: ○ To have a very good understanding of Security in .NET applications ○ Familiarize yourself with various attacks and their prevention ○ Get the confidence of debugging/ fixing any issues ● Ask questions ● If I don’t know ○ I will find the answer for you ○ And send your way ● Add me on LinkedIn ○ To Stay connected
Introductions
About Me ● Lead Dev ● Located in Florida ● Trainer ● Presenter ● .NET Developer ● Youtuber: Coach4Dev ● Husband/ Father
Brain Teaser ● What do web developers say when they have to maintain the legacy SOAP interface? ● "Just give me a REST."
Why Security? ● Hackers always out there ● Looking for ways to extort/ make money ● The more money the company makes ○ The more lucrative it is ● 1 big attack ○ Can bring a company to its knees ● Bad PR
Recent Security attacks ● CAM4 ○ Mar 2020 ○ 10.8 bln records: All users’ info ● LinkedIn ○ June 2021 ○ 700 mln users ● FB ○ Apr 2019 ○ 533 mln users’ data ● Ashley Madison ○ July 2015 ○ 32 mln users ● https://www.upguard.com/blog/biggest-data-breaches
Security Mindset ● Think like a hacker ● How will anyone go about hacking it ● How will they break in ● Rings of security ● Nothing is perfectly secure ○ Neither is our home ● You have to make it just enough ○ So it acts as a deterrent
What is OWASP ● Open Web Application Security Project ● Non profit organization ● Works towards improving security of web
OWASP Top 10 ● Standard awareness document for developers and web application security ● Represents a broad consensus about: ○ Most critical security risks to web applications ● Latest OWASP Top 10 was published in 2021
OWASP Top 10
Broken Access Control
Broken Access Control ● Top most security vulnerability ● Can be in many forms: ○ Violation of principle of least privilege ○ Bypassing access control checks ■ Modify URL/ API request, etc. ○ Elevation of privilege ■ Act as a user/ admin without being logged in ■ Act as admin when logged in as user
Principle of Least Privilege ● Subject should be given only those privileges needed for it to complete its tasks. ● If a subject does not NEED an access right ○ Should not have it
How to remedy ● Follow principle of least privilege ● Except for public resources, deny by default ● Application data access/ manipulation should be enforced (by domain models) ● Log access control failures and alert when needed ● Rate limit API and control access ○ API gateway can help ● Invalidate stateful session identifiers on server upon logout ● Stateless JWT tokens should be short lived
Exercise ● Break the Sample Expenses application ● You have a user: ○ user@user.com ○ He can't Approve an expense ○ Only Admin(s) can ● You need to approve the expense as a user :)
Cryptographic Failures
Brain Teaser ● Why did the cryptographer throw up at McDonalds? ● Because he couldn’t digest a big MAC
Cryptographic Failures ● Failures related to cryptography ○ Or lack of thereof ● Is any data transmitted in clear text? ● Old or weak cryptographic algorithms in use ● Is encryption not enforced? ● Are default crypto keys in use? ○ Are weak keys in use? ○ Is proper key management in place? ○ Is key rotation in place?
How to combat ● Classify your data and set protection standards accordingly ● Configure Https ○ Encrypt all data in transit ● Do not store sensitive data (if not necessary) ● Disable caching for response ○ With sensitive data ● Encrypt all sensitive data at rest ● Store passwords using ○ Strong adaptive and salted hashing functions with a work factor (delay factor) ○ E.g. Argon2, scrypt, bcrypt or PBKDF2. ● Key rotation
Example attack ● A site doesn't use or enforce TLS for all pages ● An attacker monitors network traffic (e.g., at an insecure wireless network) ○ Downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. ○ The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. ○ Instead of the above they could alter all transported data, e.g., the recipient of a money transfer.
Another way to prevent
Exercise ● Understand how to securely save passwords in DB? ● MD5 Hash of common passwords ● https://hashtoolkit.com/common-passwords/
How .NET saves it? ● https://www.blinkingcaret.com/2017/11/29/asp-net-identity-passwordhash/
Injection
Injection ● One of the most common vulnerability ● User supplied data is not validated/ filtered/ sanitized ● Dynamic queries or non parameterized calls ○ Commonly used in SQL injection ● Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
SQL Injection Scenario ● Ref: xkcd
XSS ● An attacker needs to insert ○ And execute malicious content ● E.g. ○ HTML ○ Javascript ○ CSS ● Sample scenario ○ Attacker able to inject Javascript in Amazon website ○ Every user who opens the webpage ■ Is vulnerable
XSS Exercise 1 ● Add Malicious Javascript (disguised as HTML) in the code ● See it getting rendered ● On Expenses List page
Sample Attack ● HTML : ○ In Comments add: ■ </td><script>alert(‘HTML XSS’)</script>
XSS Exercise 2 ● On the Edit expense ○ There is a pop up ○ Takes user input ○ And used in JS ● Using JS injection ○ Get a second pop up msg ○ Displaying “I am a hacker”
Sample Attack ● JS: ○ Edit page ■ Category: ‘);alert(‘Abhi’)//
SQL Injection Attack ● Details page is safe ● There is another page called DetailsVulnerable ● Aim: ○ Use SQL Injection to: ■ Approve all expenses ■ Delete all expenses
SQL Injection Attack ● Setting all expenses to approved ● /Expenses/DetailsVulnerable/2%20UPDATE%20Expense%20SET%20IsAppr oved=1
How to Prevent ● Sanitize/ validate user inputs ● User server side input validation ● Principle of least privilege can help ○ Reduce amount of data exposed ○ Prevent Manipulation of data ● Proper encoding in place prevents XSS ○ HTML Encoding ○ Javascript Encoding ○ URL encoding, etc.
MIME Sniffing ● If you allow users to upload files to your application ● In HTTP response, ○ The server mentions Content-Type (Header) ● Attacker misguides the content type ● If the client browser notices an issue ○ MIME (Multipurpose Internet Mail Extensions) sniffing occurs ○ Tries to rectify the Content type ○ Might execute the script
Example Attack
How to Prevent ● Set X-Content-Type-Options : nosniff ● 2 ways: ● At code level:
Set Header at IIS level ● Open IIS Manager and on the left hand tree, left click the site you would like to manage. ● Double click the “HTTP Response Headers” icon. ● Right click the header list and select “Add” ● For the “name” write “X-Content-Type-Options” and for the value “nosniff”
Insecure Design
Insecure Design ● Broad category ● Missing/Ineffective Control design ● Different from insecure implementation ● Many businesses fail to profile the business risk ○ Data classification ■ Which in turn decides level of security in design ● Lack of security in SDLC
Examples of Insecure Design ● Plaintext Storage of password ● Improper privilege management ● Reliance on Security through obscurity ● Not failing securely ● Improper isolation or Compartmentalization ● Use of Persistent Cookies Containing Sensitive Information ○ Cookies can be manipulated/ stolen, etc. ● Insecure storage in file or disk
Cookie Security ● Cookies get sent to server ● Set cookie to secure ○ Used only on HTTPS ○ https://docs.microsoft.com/en-us/dotnet/api/system.net.cookie.secure?view=net-6.0 ● Set cookie to HTTP only ○ Javascript can’t touch it ○ https://docs.microsoft.com/en-us/dotnet/api/system.net.cookie.httponly?view=net-6.0
Local Storage ● Does not get sent to server ● JS only access ● If JS XSS attack is done - data can be stolen ● Server has no control - client can update anything ● Can persist in Client browser ○ Across sessions
Session Storage ● Does not get sent to server ● JS only access ● If JS XSS attack is done - data can be stolen ● Server has no control - client can update anything ● Gets deleted when ○ tab/ browser is closed
Security Misconfiguration
Security Misconfiguration ● Without a concerted, repeatable application security configuration process, systems are at a higher risk ● Default accounts and their passwords are enabled/unchanged ● Unnecessary features are enabled/ installed ○ Unnecessary ports, ○ Services, etc. ● Error handling reveals stack traces or overly informative error messages ● Security settings not set to secure values ○ Application servers, ○ Application frameworks ● Out of date components
How to prevent ● Automate hardening process ○ Verify effectiveness of settings/ configurations ● Use similar settings in all environments (QA/Stage/Prod) ○ With different credentials ● Remove unused features and frameworks ● Stay on top of ○ Updates to components ○ Patches ● Segmented application architecture ○ Provides effective / secure separation b/w components
Developer Exception Page ● Use Developer Exception Page properly ● ASPNETCORE_ENVIRONMENT ○ To Development ○ On local machine for debugging ○ launchSettings.json file ● https://docs.microsoft.com/en-us/aspnet/core/fundamentals/error-handling?vie w=aspnetcore-6.0#developer-exception-page ● https://docs.microsoft.com/en-us/aspnet/core/fundamentals/environments?vie w=aspnetcore-6.0
Funny!
Vulnerable and Outdated Components
Vulnerable and Outdated Components ● OS ● Application/ web server ● Runtime environments ● DBMS ● APIs ● Libraries
Vulnerable and Outdated Components ● Using Third party components ○ With known vulnerabilities ● Not following updates/ patches
How to prevent ● Remove unused ○ Dependencies ○ Components ○ Features, etc. ● Check versions of ○ Client-side components ○ Server-side components ● Monitor sources: ○ Common Vulnerability and Exposures (CVE) ○ National Vulnerability Database (NVD)
How to prevent ● Obtain components from official sources ○ And Secure Links ● Proper plan in place ○ Monitoring, triaging & applying updates
Identification and Authentication Failures
Funny
Identification and Authentication Failures ● Confirm a user’s identity ○ Authentication ○ Session Management ● Vulnerable if: ○ Permitting brute force ○ Allowing weak passwords/ common passwords ○ Exposes session identifier in URL ○ Doesn’t invalidate session Id upon logout
Credential Stuffing ● Use stolen username and passwords ○ On website login forms ● Many users reuse their credentials ○ Could be exposed by data breach ○ Or phishing attacks ● Subset of brute force attack ● How to prevent? ○ MFA ○ Notify users of unusual activity ○ Require unpredictable usernames
Prevention Mechanisms ● Do not ship or deploy with any default credentials ● Have strong password requirements ○ And rotation policies ● Limit /increasingly delay failed login attempts ● Log all failures ○ Alert admins when attacks detected
Sample Attack - Session Timeout ● A user uses a public computer to access an application. ● Instead of selecting "logout," the user simply closes the browser tab and walks away. ● An attacker uses the same browser an hour later, and the user is still authenticated.
ZAP Tool
ZAP Tool ● Zed Attack Proxy ● Web security tool ● Free / Open Source Tool ● https://github.com/zaproxy/zaproxy ● Great tools for ○ Developers ○ Beginners ○ Professionals
How ZAP works?
A nice tutorial ● https://www.softwaretestinghelp.com/owasp-zap-tutorial/
Prisma Cloud https://prisma.pan.dev/docs/cloud/
Software and Data Integrity Failures
Software and Data Integrity Failures ● Relates to code and infrastructure ○ That does not protect against integrity violations ● If application relies on untrusted sources’ ○ Plugins ○ Libraries ○ Modules ● Insecure CI/CD pipeline can introduce potential of unauthorized access ● Attackers could potentially upload their own updates ○ To be distributed and ○ Run on previously trusted applications
How to Prevent ● Use digital signatures (or similar mechanisms) ○ To verify s/w / data is from the expected source ■ And not altered ● Ensure libraries and dependencies, e.g. npm / Maven ○ Are consuming trusted repositories ● Use S/W supply chain security tool ○ E.g. OWASP Dependency Check ○ OWASP CycloneDX (Currently Work In Progress) ○ Prisma Cloud Supply Chain Security ● Ensure that your CI/CD pipeline has proper: ○ Segregation, ○ Configuration, ○ And access control ● Do not send unencrypted/ unsigned serialized data to untrusted clients
Solarwinds Orion Attack ● Solarwinds ○ Provides system management tools ○ >30k customers - public and private orgs ● Hackers used supply chain attack ○ Inserted malicious code in Orion system ○ Distributed in updates through Sep 2019 - Mar 2020 ● The malicious code creates backdoor access ○ Hackers can impersonate users and accounts
Solarwinds Orion Attack ● https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everyt hing-you-need-to-know ● https://www.techtarget.com/searchsecurity/news/252493841/Microsoft-FireEy e-create-kill-switch-for-SolarWinds-backdoor
Sample Code BinaryFormatter
BinaryFormatter Dangerous ● Deserialization ○ Using BinaryFormatter .NET ● Unwanted Code Execution ● Can create instance of any type on the server ● No restriction ● Any constructor ● Do not use for any user input ● https://www.meziantou.net/deserialization-can-be-dangerous.htm
Security Logging and Monitoring Failures
Security Logging and Monitoring Failures ● Detect, Escalate & respond to active breaches ○ In real time ○ Or near real time ● Always log ○ Logins ○ Failed logins ○ High value transactions ● Penetration testing tools/ scans ○ Should be able to create alerts
How to Prevent ● All login activities logged ● Log files are secure and cannot be deleted ○ Set append-only attribute on files ■ Attackers cannot delete their trail from logs ● Use security log analyzer ○ To detect malicious activity based on logs ○ Various Machine learning algorithms ■ Help detect anomalies ● Have incident response plan in place ○ Should be reviewed every six months/1 year ● https://www.dnsstuff.com/security-log-best-practices
Server Side Request Forgery
Server Side Request Forgery ● Web application fetches remote resource ○ Without validating user supplied URL ● Similar to CSRF ○ But all on server side
Sample workflow ● Ref: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forge ry_Prevention_Cheat_Sheet.html
Example attack ● https://portswigger.net/web-security/ssrf
How to Prevent ● Sanitize & validate all client-supplied input data ● Enforce the URL schema, port, and destination with a positive allow list ● Disable HTTP redirections ● Do not return raw response from any URL ○ As is to the user ○ The hacker might be getting some other resource which they are not supposed to
A good read ● Unfortunate Reality of Insecure Libraries
References ● https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter- security-guide
Summary ● We went through all of OWASP Top 10 ● Now you are closer to making your application more secure ● Security is a journey ○ Not a destination ● As a developer ○ Write more secure code ● As an architect ○ Design with security in mind ● As an organization ○ Have gatekeepers in place
Remember General Tips ● Always have ○ Threat modeling in place ● Keep separate time reserved ○ For security testing ○ Fixing flaws ● Keep Security of high importance ○ Throughout the organization
Connect With Me ● For any questions: ○ https://linkedin.com/in/coach4dev

Recommended

Blockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseBlockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseRiskIQ, Inc.
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Mark Niebergall
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.David Busby, CISSP
 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Mike Tetreault
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application SecurityTuenti
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application SecurityGuille -bisho-
 

Recommended

Blockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseBlockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseRiskIQ, Inc.
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Mark Niebergall
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.David Busby, CISSP
 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Mike Tetreault
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application SecurityTuenti
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application SecurityGuille -bisho-
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing AppAndreas Schranzhofer
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Mike Tetreault
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Ab cs of software security
Ab cs of software securityAb cs of software security
Ab cs of software securityDavid Klassen
 
Data security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsData security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsExove
 
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Icinga
 
Year Zero
Year ZeroYear Zero
Year Zeroleifdreizler
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)apidays
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarinNicolas Milcoff
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
SaaS startups - Software Engineering Challenges
SaaS startups - Software Engineering ChallengesSaaS startups - Software Engineering Challenges
SaaS startups - Software Engineering ChallengesMalinda Kapuruge
 
Secure at Speed @ Solent.tech
Secure at Speed @ Solent.techSecure at Speed @ Solent.tech
Secure at Speed @ Solent.techStuart Gunter
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 

More Related Content

Similar to Security .NET.pdf

Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Mike Tetreault
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Ab cs of software security
Ab cs of software securityAb cs of software security
Ab cs of software securityDavid Klassen
 
Data security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsData security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsExove
 
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Icinga
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)apidays
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarinNicolas Milcoff
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
SaaS startups - Software Engineering Challenges
SaaS startups - Software Engineering ChallengesSaaS startups - Software Engineering Challenges
SaaS startups - Software Engineering ChallengesMalinda Kapuruge
 
Secure at Speed @ Solent.tech
Secure at Speed @ Solent.techSecure at Speed @ Solent.tech
Secure at Speed @ Solent.techStuart Gunter
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 

Similar to Security .NET.pdf (20)

Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing App
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)Threat Modeling and OWASP Top 10 (2017 rc1)
Threat Modeling and OWASP Top 10 (2017 rc1)
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
Ab cs of software security
Ab cs of software securityAb cs of software security
Ab cs of software security
 
Data security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problemsData security in the age of GDPR – most common data security problems
Data security in the age of GDPR – most common data security problems
 
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
 
Year Zero
Year ZeroYear Zero
Year Zero
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarin
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
SaaS startups - Software Engineering Challenges
SaaS startups - Software Engineering ChallengesSaaS startups - Software Engineering Challenges
SaaS startups - Software Engineering Challenges
 
Secure at Speed @ Solent.tech
Secure at Speed @ Solent.techSecure at Speed @ Solent.tech
Secure at Speed @ Solent.tech
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 

Recently uploaded

Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 

Recently uploaded (20)

Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 

Security .NET.pdf

  • 2. Agenda ● Security overview ● Security Mindset ● 4 day training ○ Each day ■ Discuss 2-3 security attacks ■ Learn how to prevent them ■ Hands on exercises ■ Homeworks ● Summary
  • 3. A few things ● Need lots of participation ● 4 Day program ○ With a few breaks ● My aim for you is: ○ To have a very good understanding of Security in .NET applications ○ Familiarize yourself with various attacks and their prevention ○ Get the confidence of debugging/ fixing any issues ● Ask questions ● If I don’t know ○ I will find the answer for you ○ And send your way ● Add me on LinkedIn ○ To Stay connected
  • 5. About Me ● Lead Dev ● Located in Florida ● Trainer ● Presenter ● .NET Developer ● Youtuber: Coach4Dev ● Husband/ Father
  • 6. Brain Teaser ● What do web developers say when they have to maintain the legacy SOAP interface? ● "Just give me a REST."
  • 7. Why Security? ● Hackers always out there ● Looking for ways to extort/ make money ● The more money the company makes ○ The more lucrative it is ● 1 big attack ○ Can bring a company to its knees ● Bad PR
  • 8. Recent Security attacks ● CAM4 ○ Mar 2020 ○ 10.8 bln records: All users’ info ● LinkedIn ○ June 2021 ○ 700 mln users ● FB ○ Apr 2019 ○ 533 mln users’ data ● Ashley Madison ○ July 2015 ○ 32 mln users ● https://www.upguard.com/blog/biggest-data-breaches
  • 9. Security Mindset ● Think like a hacker ● How will anyone go about hacking it ● How will they break in ● Rings of security ● Nothing is perfectly secure ○ Neither is our home ● You have to make it just enough ○ So it acts as a deterrent
  • 10. What is OWASP ● Open Web Application Security Project ● Non profit organization ● Works towards improving security of web
  • 11. OWASP Top 10 ● Standard awareness document for developers and web application security ● Represents a broad consensus about: ○ Most critical security risks to web applications ● Latest OWASP Top 10 was published in 2021
  • 14. Broken Access Control ● Top most security vulnerability ● Can be in many forms: ○ Violation of principle of least privilege ○ Bypassing access control checks ■ Modify URL/ API request, etc. ○ Elevation of privilege ■ Act as a user/ admin without being logged in ■ Act as admin when logged in as user
  • 15. Principle of Least Privilege ● Subject should be given only those privileges needed for it to complete its tasks. ● If a subject does not NEED an access right ○ Should not have it
  • 16. How to remedy ● Follow principle of least privilege ● Except for public resources, deny by default ● Application data access/ manipulation should be enforced (by domain models) ● Log access control failures and alert when needed ● Rate limit API and control access ○ API gateway can help ● Invalidate stateful session identifiers on server upon logout ● Stateless JWT tokens should be short lived
  • 17. Exercise ● Break the Sample Expenses application ● You have a user: ○ user@user.com ○ He can't Approve an expense ○ Only Admin(s) can ● You need to approve the expense as a user :)
  • 19. Brain Teaser ● Why did the cryptographer throw up at McDonalds? ● Because he couldn’t digest a big MAC
  • 20. Cryptographic Failures ● Failures related to cryptography ○ Or lack of thereof ● Is any data transmitted in clear text? ● Old or weak cryptographic algorithms in use ● Is encryption not enforced? ● Are default crypto keys in use? ○ Are weak keys in use? ○ Is proper key management in place? ○ Is key rotation in place?
  • 21. How to combat ● Classify your data and set protection standards accordingly ● Configure Https ○ Encrypt all data in transit ● Do not store sensitive data (if not necessary) ● Disable caching for response ○ With sensitive data ● Encrypt all sensitive data at rest ● Store passwords using ○ Strong adaptive and salted hashing functions with a work factor (delay factor) ○ E.g. Argon2, scrypt, bcrypt or PBKDF2. ● Key rotation
  • 22. Example attack ● A site doesn't use or enforce TLS for all pages ● An attacker monitors network traffic (e.g., at an insecure wireless network) ○ Downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. ○ The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. ○ Instead of the above they could alter all transported data, e.g., the recipient of a money transfer.
  • 23. Another way to prevent
  • 24. Exercise ● Understand how to securely save passwords in DB? ● MD5 Hash of common passwords ● https://hashtoolkit.com/common-passwords/
  • 25. How .NET saves it? ● https://www.blinkingcaret.com/2017/11/29/asp-net-identity-passwordhash/
  • 27. Injection ● One of the most common vulnerability ● User supplied data is not validated/ filtered/ sanitized ● Dynamic queries or non parameterized calls ○ Commonly used in SQL injection ● Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
  • 29. XSS ● An attacker needs to insert ○ And execute malicious content ● E.g. ○ HTML ○ Javascript ○ CSS ● Sample scenario ○ Attacker able to inject Javascript in Amazon website ○ Every user who opens the webpage ■ Is vulnerable
  • 30. XSS Exercise 1 ● Add Malicious Javascript (disguised as HTML) in the code ● See it getting rendered ● On Expenses List page
  • 31. Sample Attack ● HTML : ○ In Comments add: ■ </td><script>alert(‘HTML XSS’)</script>
  • 32. XSS Exercise 2 ● On the Edit expense ○ There is a pop up ○ Takes user input ○ And used in JS ● Using JS injection ○ Get a second pop up msg ○ Displaying “I am a hacker”
  • 33. Sample Attack ● JS: ○ Edit page ■ Category: ‘);alert(‘Abhi’)//
  • 34. SQL Injection Attack ● Details page is safe ● There is another page called DetailsVulnerable ● Aim: ○ Use SQL Injection to: ■ Approve all expenses ■ Delete all expenses
  • 35. SQL Injection Attack ● Setting all expenses to approved ● /Expenses/DetailsVulnerable/2%20UPDATE%20Expense%20SET%20IsAppr oved=1
  • 36. How to Prevent ● Sanitize/ validate user inputs ● User server side input validation ● Principle of least privilege can help ○ Reduce amount of data exposed ○ Prevent Manipulation of data ● Proper encoding in place prevents XSS ○ HTML Encoding ○ Javascript Encoding ○ URL encoding, etc.
  • 37. MIME Sniffing ● If you allow users to upload files to your application ● In HTTP response, ○ The server mentions Content-Type (Header) ● Attacker misguides the content type ● If the client browser notices an issue ○ MIME (Multipurpose Internet Mail Extensions) sniffing occurs ○ Tries to rectify the Content type ○ Might execute the script
  • 39. How to Prevent ● Set X-Content-Type-Options : nosniff ● 2 ways: ● At code level:
  • 40. Set Header at IIS level ● Open IIS Manager and on the left hand tree, left click the site you would like to manage. ● Double click the “HTTP Response Headers” icon. ● Right click the header list and select “Add” ● For the “name” write “X-Content-Type-Options” and for the value “nosniff”
  • 42. Insecure Design ● Broad category ● Missing/Ineffective Control design ● Different from insecure implementation ● Many businesses fail to profile the business risk ○ Data classification ■ Which in turn decides level of security in design ● Lack of security in SDLC
  • 43. Examples of Insecure Design ● Plaintext Storage of password ● Improper privilege management ● Reliance on Security through obscurity ● Not failing securely ● Improper isolation or Compartmentalization ● Use of Persistent Cookies Containing Sensitive Information ○ Cookies can be manipulated/ stolen, etc. ● Insecure storage in file or disk
  • 44. Cookie Security ● Cookies get sent to server ● Set cookie to secure ○ Used only on HTTPS ○ https://docs.microsoft.com/en-us/dotnet/api/system.net.cookie.secure?view=net-6.0 ● Set cookie to HTTP only ○ Javascript can’t touch it ○ https://docs.microsoft.com/en-us/dotnet/api/system.net.cookie.httponly?view=net-6.0
  • 45. Local Storage ● Does not get sent to server ● JS only access ● If JS XSS attack is done - data can be stolen ● Server has no control - client can update anything ● Can persist in Client browser ○ Across sessions
  • 46. Session Storage ● Does not get sent to server ● JS only access ● If JS XSS attack is done - data can be stolen ● Server has no control - client can update anything ● Gets deleted when ○ tab/ browser is closed
  • 48. Security Misconfiguration ● Without a concerted, repeatable application security configuration process, systems are at a higher risk ● Default accounts and their passwords are enabled/unchanged ● Unnecessary features are enabled/ installed ○ Unnecessary ports, ○ Services, etc. ● Error handling reveals stack traces or overly informative error messages ● Security settings not set to secure values ○ Application servers, ○ Application frameworks ● Out of date components
  • 49. How to prevent ● Automate hardening process ○ Verify effectiveness of settings/ configurations ● Use similar settings in all environments (QA/Stage/Prod) ○ With different credentials ● Remove unused features and frameworks ● Stay on top of ○ Updates to components ○ Patches ● Segmented application architecture ○ Provides effective / secure separation b/w components
  • 50. Developer Exception Page ● Use Developer Exception Page properly ● ASPNETCORE_ENVIRONMENT ○ To Development ○ On local machine for debugging ○ launchSettings.json file ● https://docs.microsoft.com/en-us/aspnet/core/fundamentals/error-handling?vie w=aspnetcore-6.0#developer-exception-page ● https://docs.microsoft.com/en-us/aspnet/core/fundamentals/environments?vie w=aspnetcore-6.0
  • 53. Vulnerable and Outdated Components ● OS ● Application/ web server ● Runtime environments ● DBMS ● APIs ● Libraries
  • 54. Vulnerable and Outdated Components ● Using Third party components ○ With known vulnerabilities ● Not following updates/ patches
  • 55. How to prevent ● Remove unused ○ Dependencies ○ Components ○ Features, etc. ● Check versions of ○ Client-side components ○ Server-side components ● Monitor sources: ○ Common Vulnerability and Exposures (CVE) ○ National Vulnerability Database (NVD)
  • 56. How to prevent ● Obtain components from official sources ○ And Secure Links ● Proper plan in place ○ Monitoring, triaging & applying updates
  • 58. Funny
  • 59. Identification and Authentication Failures ● Confirm a user’s identity ○ Authentication ○ Session Management ● Vulnerable if: ○ Permitting brute force ○ Allowing weak passwords/ common passwords ○ Exposes session identifier in URL ○ Doesn’t invalidate session Id upon logout
  • 60. Credential Stuffing ● Use stolen username and passwords ○ On website login forms ● Many users reuse their credentials ○ Could be exposed by data breach ○ Or phishing attacks ● Subset of brute force attack ● How to prevent? ○ MFA ○ Notify users of unusual activity ○ Require unpredictable usernames
  • 61. Prevention Mechanisms ● Do not ship or deploy with any default credentials ● Have strong password requirements ○ And rotation policies ● Limit /increasingly delay failed login attempts ● Log all failures ○ Alert admins when attacks detected
  • 62. Sample Attack - Session Timeout ● A user uses a public computer to access an application. ● Instead of selecting "logout," the user simply closes the browser tab and walks away. ● An attacker uses the same browser an hour later, and the user is still authenticated.
  • 64. ZAP Tool ● Zed Attack Proxy ● Web security tool ● Free / Open Source Tool ● https://github.com/zaproxy/zaproxy ● Great tools for ○ Developers ○ Beginners ○ Professionals
  • 66. A nice tutorial ● https://www.softwaretestinghelp.com/owasp-zap-tutorial/
  • 68. Software and Data Integrity Failures
  • 69. Software and Data Integrity Failures ● Relates to code and infrastructure ○ That does not protect against integrity violations ● If application relies on untrusted sources’ ○ Plugins ○ Libraries ○ Modules ● Insecure CI/CD pipeline can introduce potential of unauthorized access ● Attackers could potentially upload their own updates ○ To be distributed and ○ Run on previously trusted applications
  • 70. How to Prevent ● Use digital signatures (or similar mechanisms) ○ To verify s/w / data is from the expected source ■ And not altered ● Ensure libraries and dependencies, e.g. npm / Maven ○ Are consuming trusted repositories ● Use S/W supply chain security tool ○ E.g. OWASP Dependency Check ○ OWASP CycloneDX (Currently Work In Progress) ○ Prisma Cloud Supply Chain Security ● Ensure that your CI/CD pipeline has proper: ○ Segregation, ○ Configuration, ○ And access control ● Do not send unencrypted/ unsigned serialized data to untrusted clients
  • 71. Solarwinds Orion Attack ● Solarwinds ○ Provides system management tools ○ >30k customers - public and private orgs ● Hackers used supply chain attack ○ Inserted malicious code in Orion system ○ Distributed in updates through Sep 2019 - Mar 2020 ● The malicious code creates backdoor access ○ Hackers can impersonate users and accounts
  • 72. Solarwinds Orion Attack ● https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everyt hing-you-need-to-know ● https://www.techtarget.com/searchsecurity/news/252493841/Microsoft-FireEy e-create-kill-switch-for-SolarWinds-backdoor
  • 74. BinaryFormatter Dangerous ● Deserialization ○ Using BinaryFormatter .NET ● Unwanted Code Execution ● Can create instance of any type on the server ● No restriction ● Any constructor ● Do not use for any user input ● https://www.meziantou.net/deserialization-can-be-dangerous.htm
  • 75. Security Logging and Monitoring Failures
  • 76. Security Logging and Monitoring Failures ● Detect, Escalate & respond to active breaches ○ In real time ○ Or near real time ● Always log ○ Logins ○ Failed logins ○ High value transactions ● Penetration testing tools/ scans ○ Should be able to create alerts
  • 77. How to Prevent ● All login activities logged ● Log files are secure and cannot be deleted ○ Set append-only attribute on files ■ Attackers cannot delete their trail from logs ● Use security log analyzer ○ To detect malicious activity based on logs ○ Various Machine learning algorithms ■ Help detect anomalies ● Have incident response plan in place ○ Should be reviewed every six months/1 year ● https://www.dnsstuff.com/security-log-best-practices
  • 79. Server Side Request Forgery ● Web application fetches remote resource ○ Without validating user supplied URL ● Similar to CSRF ○ But all on server side
  • 82. How to Prevent ● Sanitize & validate all client-supplied input data ● Enforce the URL schema, port, and destination with a positive allow list ● Disable HTTP redirections ● Do not return raw response from any URL ○ As is to the user ○ The hacker might be getting some other resource which they are not supposed to
  • 83. A good read ● Unfortunate Reality of Insecure Libraries
  • 85. Summary ● We went through all of OWASP Top 10 ● Now you are closer to making your application more secure ● Security is a journey ○ Not a destination ● As a developer ○ Write more secure code ● As an architect ○ Design with security in mind ● As an organization ○ Have gatekeepers in place
  • 86. Remember General Tips ● Always have ○ Threat modeling in place ● Keep separate time reserved ○ For security testing ○ Fixing flaws ● Keep Security of high importance ○ Throughout the organization
  • 87. Connect With Me ● For any questions: ○ https://linkedin.com/in/coach4dev