Presentation is loading. Please wait.

Presentation is loading. Please wait.

Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught.

Published byAllen Burke Modified over 8 years ago

Similar presentations

Presentation on theme: "Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught."— Presentation transcript:

1

2 Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught.

3

4 do you use the internet? visit forums? use multiple tabs in your browser? use online banking?

5 you are logged into your bank in a separate tab you visit a forum (or a webpage) in the forum/page someone placed a JS code that executes and transfers money out of your account

6 a very unsafe forum site or an evil page allows you to upload the script slightly unsafe bank site allows the script to execute.. but there may not be much the bank can do here code specific to a bank which bank? Bank Of America Chase Key Bank HSBC

7 The Open Web Application Security Project\ www.owasp.org OWASP is a not-for-profit worldwide charitable organization focused on improving the security of application software. OWASP Top 10 “The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.”

8 A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Error Leakage (OWASP Top 10 in 2007)

9 untrusted data is sent to an interpreter as part of a command or query hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data many types: SQL OS scripting languages SOAP XPath SMTP LDAP

10 always assume that user input is hostile use a safe API whenever possible if not possible, use a parameterized interface if not possible, canonicalize and validate user input canonicalization (aka c14n) – process of for converting data into a standard/normal representation/encoding validation – use white list validation

11 “select * from users where userID = ‘” + userFromSite + “’” if userFromSite is aaa’ OR ‘1’ = ‘1 if userFromSite is aaa’; DROP TABLE users; -- select * from users where userID = ‘aaa’ OR ‘1’ = ‘1’”

12 “move file1.txt “ + fileNameFromUser if fileNameFromUser is file2.txt & delete c:\*.* \quiet

13

14 application takes untrusted data and sends it to a web browser without proper validation and escaping XSS allows attackers to execute scripts in the victim’s browser can hijack user sessions, deface web sites, or redirect the user to malicious sites “Good morning George”

15 do the following to all input, even if it’s coming from the DB which you trust do c14n validate input w/ a white list encode output (HTTP or URL) do NOT use HttpUtility.HtmlEncode can use AntiXSS/Web Protection Library setup once in web.config, then everything is encoded

16 alert(‘Hello’); alert(document.cookie);

17

18 authentication and session management are often not implemented correctly allows attackers to compromise passwords, keys, session tokens to assume other users’ identities URL session example

19 Weak or improperly implemented Authentication mechanisms username/password transmitted in plain text not restricting URL access Cross-Site Request Forgery (CSRF) (A5) Session Hijacking stealing session cookie Session Fixation getting someone to authenticate into an SID

20 Session ids and user passwords need to be stored and transported securely Session ids should expire at the end of the session and a new session id should be generated at the beginning of each session SSL should be used to transport user passwords and session ids Avoid using session ids in a URL if possible When passing a user password, the client should use SSL to send a non-hashed password to the server. The server should then hash the password and compare it to the stored hashed password Always use existing encryption and hashing routines. Never write your own.

21 store credentials securely usernames and passwords – do NOT store in clear text connection strings allow user to log out force session timeout force reauthentication before allowing a sensitive operation prevent caching

22 developer exposes a reference to an internal implementation object without an access control check or other protection, attackers can manipulate these references to access unauthorized data example: http://myserver2.com/scripts/results.jsp?docid=25

23 recognize: do not use DB keys to reference your data examples: dropdown key/value, GridView/Repeater do not use hidden fields obfuscate references – use an index or a map revalidate permissions validate against a good list

24 logged-on victim’s browser sends a forged HTTP request to a vulnerable web application the attackers forces the victim’s browser to generate requests which the vulnerable application thinks are legitimate requests from the victim

25 create a CSRF token (random, hard to guess) use it when sending data down verify when data comes back regenerate the token for a new page you can use the ASP.NET ViewState with the User’s SessionID as the CSRF token you can even encrypt the ViewState use CSRFGuard -

26 a secure configuration needs to be defined and deployed for the application, frameworks, application server, web server, database server, and platform all of these settings should be defined, implemented, and maintained as many are not shipped with secure defaults this includes keeping all software up to date, including all code libraries used by the application

27 many web applications do not properly protect sensitive data with appropriate encryption or hashing attackers may steal or modify such weakly protected data

28 Do not create cryptographic algorithms. Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Do not use weak algorithms, such as MD5 / SHA1. Generate keys offline and store private keys with extreme care. Never transmit private keys over insecure channels. Never store unnecessary data. If you don’t store it, you don’t need to worry about protecting it while it is at rest.

29 Many web applications check URL access rights before rendering protected links and buttons Applications need to perform similar access control checks each time these pages are accessed www.helloworld.com/admin www.helloworld.com/admin/index.aspx www.helloworld.com/admin/default.aspx

30 application must deny access to all resources by default application must confirm that the requester is permitted to access or operate on that resource before processing the request or returning the resource page load any functions that can be called directly application must log invalid access attempts and should log or have an option to log valid access attempts.

31 Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic sending unencrypted sensitive data over the network is a bad idea

32 encrypt sensitive traffic – use SSL or other mechanism

33 Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages

34 never perform redirects or forwards using client-side scripts based on DOM data, since the data is outside the control of the server and cannot be trusted don’t use redirects and forwards use direct links in the page, instead if you have to forward, don’t use user-submitted data in determining the destination

35 applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems

36 display a generic message to the user log necessary details, with the exception of sensitive data ensure that log access is restricted use custom errors

37 least privilege principle consider having multiple accounts user and admin … read only, R/W, admin read only, admin R/W

38 https://wiki.mozilla.org/WebAppSec/Secure_Coding_ Guidelines#Further_Reading

Download ppt "Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught."

Similar presentations

OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March

Similar presentations

Ads by Google