Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!


1 Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

2 Contents
- OWASP Top Ten
- http://www.owasp.org
- A worldwide free and open community focused on improving the security of application software

3 Introduction
- Do not try this at home. Or at work.
- These are not just ASP.NET vulnerabilities
- If you don’t want to ask public questions... barryd@idunno.org / http://idunno.org

4 10 – Unvalidated Redirects and Forwards

5 Unvalidated Redirects and Forwards
- Users don’t check the address bar
- MVC authentication (pre-3.0) is vulnerable.
- Check the ReturnUrl parameter – http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
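
Added example (not from the slides): a stand-alone C# version of the ReturnUrl check that accepts only site-local paths and falls back to a fixed page otherwise. The class `ReturnUrlCheck`, its methods and the sample values are hypothetical names constructed for this illustration.

```csharp
using System;

static class ReturnUrlCheck
{
    // True only for paths that stay on the current site.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Control characters and backslashes are normalised differently
        // by different browsers, so reject them outright.
        foreach (char c in url)
            if (char.IsControl(c) || c == '\\') return false;

        // "/path" is local; "//host" is protocol-relative and leaves the site.
        if (url[0] == '/')
            return url.Length == 1 || url[1] != '/';

        // "~/path" is an application-relative ASP.NET path.
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Fall back to a fixed page rather than trusting the supplied value.
    public static string SafeTarget(string returnUrl, string fallback = "/")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    static void Main()
    {
        // Constructed sample values for the ReturnUrl parameter.
        string[] samples = {
            "/Account/Manage",
            "~/Home/Index",
            "http://example.test/login",
            "//example.test/login",
            "/\\example.test/login",
            "",
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-28} -> {1}", "\"" + s + "\"", SafeTarget(s));
    }
}
```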

6 9 – Insufficient Transport Layer Protection

7 Insufficient Transport Layer Protection
- Use SSL
- Protect communications between web server and backend systems (SSL, IPsec etc.)
- Replay attacks – use time-limited tokens

8 8 – Failure to restrict URI access

9 Failure to restrict URI access
- Security by obscurity is useless
- Restrict via ASP.NET – no rolling your own!
- Integrated pipeline restricts everything
- Use [PrincipalPermission] to protect yourself
- IIS7 replaces file ACLs with a web.config based authorization list.

10 7 – Insecure Cryptographic Storage

11 Insecure Cryptographic Storage
- Symmetric – same key
- Asymmetric – public/private keys
- Use safe algorithms
  – Hashing: SHA256
  – Symmetric: AES
  – Asymmetric: CMS/PKCS#7
- Encrypt then sign

12 Insecure Cryptographic Storage
- Use symmetric when
  – All systems are under your control
  – No need to identify who did the encryption
- Use asymmetric when
  – Talking/accepting from external systems
  – Non-repudiation on who encrypted/signed (X509)
  – All in memory – so no large plain text!
- Combine the two for speed and security

13 Insecure Cryptographic Storage
- Do not reuse keys for different purposes
- Store keys outside the main database
- Use CryptGenRandom for random numbers
- Use & rotate salts
- Use unique IVs
- DPAPI can provide a key store

14 6 – Security Misconfiguration

15 Security Misconfiguration
- PATCH PATCH PATCH
- IIS7 App Pool Isolation – http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/
- URLScan
- Security Runtime Engine (CTP)
- Disable unused modules, accounts etc.

16 Security Misconfiguration

17 Security Misconfiguration
- NB: Some modules depend on others
- Forms auth needs caching.
- There’s no easy way to tell!

18 5 – Cross Site Request Forgery

19 Cross Site Request Forgery
- WebForms
  – Lock ViewState using ViewStateUserKey
  – Needs a way to identify user
  – Set in Page_Init
  – Use a CSRF token – http://anticsrf.codeplex.com
- MVC – in form [ValidateAntiForgeryToken] – on action method
- Encourage users to log out
- When is a postback not a postback?

20 4 – Insecure Direct Object Reference

21 Insecure Direct Object Reference
- Use indirect object references
- Always check access permissions
- For MVC don’t allow binding to your ID field: [Bind(Exclude="id")]
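
Added example (not from the slides): one way to build the indirect object references mentioned above, as a per-session map between random tokens and real record IDs. `IndirectReferenceMap` and the order IDs are hypothetical; the permission check on the resolved record is still required and is assumed to live in the calling code.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Per-session map between opaque tokens and real record IDs.
sealed class IndirectReferenceMap
{
    readonly Dictionary<string, int> _toDirect = new Dictionary<string, int>();
    readonly Dictionary<int, string> _toIndirect = new Dictionary<int, string>();

    // Call only for records the current user has already been authorised to see.
    public string GetIndirect(int directId)
    {
        string token;
        if (_toIndirect.TryGetValue(directId, out token)) return token;
        byte[] raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        token = BitConverter.ToString(raw).Replace("-", "");
        _toDirect[token] = directId;
        _toIndirect[directId] = token;
        return token;
    }

    // A token this session never issued resolves to nothing.
    public bool TryGetDirect(string token, out int directId)
    {
        directId = 0;
        return token != null && _toDirect.TryGetValue(token, out directId);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed data: order IDs 1001 and 1002 belong to the current user.
        var map = new IndirectReferenceMap();
        string t1 = map.GetIndirect(1001);
        map.GetIndirect(1002);
        int id;
        Console.WriteLine(map.TryGetDirect(t1, out id) ? "resolved " + id : "rejected");
        // A guessed raw ID was never issued as a token, so it is rejected.
        Console.WriteLine(map.TryGetDirect("1003", out id) ? "resolved " + id : "rejected");
    }
}
```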

22 3 - Broken Authentication/Sessions

23 Broken Authentication/Sessions
- Don’t roll your own!
- If you must validate sessions on every request check the browser string, not the IP

24 2 – Cross Site Scripting

25 XSS

26 XSS
- All input is evil
- Work from white-lists not black-lists.
- Store un-encoded data in your database
- Use HttpOnly cookies
- AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL Encoding
  – Adds HTML Attribute, JavaScript, VBScript
- XSS Cheat Sheet http://ha.ckers.org/xss.html

27 1 – Injection Flaws

28 Injection Flaws
- SQL
  – Use SQL parameters
  – Remove direct SQL table access
  – When building SQL strings within SPs parameterise those too!
- XPath
  – Use XsltContext
  – http://mvpxml.codeplex.com/

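29 Injection Flaws
    -- Dynamic SQL inside a stored procedure: the statement text is fixed,
    -- and sp_executesql binds @first and @last as typed parameters.
    DECLARE @cmd nvarchar(max) = N'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last';
    EXEC sp_executesql @cmd, N'@first nvarchar(25), @last nvarchar(25)', @first, @last;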

30 Changes from 2007
- Malicious File Execution
- Information Leakage / Improper Error Handling
- Security Misconfiguration
- Un-validated Redirects and Forwards

31 The OWASP Top Ten
- A1-Injection
- A2-Cross Site Scripting (XSS)
- A3-Broken Authentication and Session Management
- A4-Insecure Direct Object References
- A5-Cross Site Request Forgery (CSRF)
- A6-Security Misconfiguration
- A7-Insecure Cryptographic Storage
- A8-Failure to Restrict URL Access
- A9-Insufficient Transport Layer Protection
- A10-Unvalidated Redirects and Forwards

32 Mandatory Book Pimping

33 Questions

