
Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India.

Presentation transcript:

Slide 1: Varun Sharma, Application Consulting and Engineering (ACE) Team, Microsoft India

Slide 2: Five flaws
Flaw 1: Custom authentication
Flaw 2: Lack of rule-based authorization
Flaw 3: Blacklist input validation
Flaw 4: Improper use of crypto
Flaw 5: Application-layer DoS attack

Slide 3: Flaw 1. The site implements custom forms authentication. Buggy code. Demo.

Slide 4: Principles. Use well-known, time-tested, system-provided methods for authentication. Avoid writing custom authentication code.

Slide 5: Flaw 2. Authorization is implemented by disabling UI elements; rule-based authorization is not considered. Demo.

Slide 6: Principles. Do not rely on the UI for authorization. Disabled buttons are not authorization. Consider rule-based authorization in your design.
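The principle on this slide is that the server decides, not the UI. The following is an added example (not code from the presentation) showing a flawed handler that trusts the UI next to a handler that evaluates explicit, deny-by-default rules on every request. The roles, actions, resource names and the policy table are constructed for illustration.

```python
"""Server-side, rule-based authorization (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    resource: str          # resource type, e.g. "order"
    own_only: bool = False  # rule only covers records the caller owns


# Constructed policy: clerks work on their own orders only, managers on any
# order, and only auditors may export. Anything not listed is denied.
RULES = [
    Rule("clerk", "view", "order", own_only=True),
    Rule("clerk", "edit", "order", own_only=True),
    Rule("manager", "view", "order"),
    Rule("manager", "edit", "order"),
    Rule("manager", "approve", "order"),
    Rule("auditor", "view", "order"),
    Rule("auditor", "export", "order"),
]


def approve_order_ui_only(order, user):
    """Flaw 2 as described on the slides: the only 'check' was a disabled
    Approve button in the UI, so the server approves for whoever sends the
    request. A client that ignores the disabled button gets through."""
    order["approved_by"] = user["name"]
    return order


def is_authorized(user, action, resource, owner):
    """Deny by default: allow only if some rule matches the caller's roles,
    the action, the resource type and (for own_only rules) ownership."""
    for rule in RULES:
        if rule.action != action or rule.resource != resource:
            continue
        if rule.role not in user["roles"]:
            continue
        if rule.own_only and owner != user["name"]:
            continue
        return True
    return False


def approve_order(order, user):
    """Fixed handler: the rule check runs on the server for every request,
    regardless of what the UI showed or hid."""
    if not is_authorized(user, "approve", "order", order["owner"]):
        return "403 Forbidden"
    order["approved_by"] = user["name"]
    return order


if __name__ == "__main__":
    clerk = {"name": "alice", "roles": {"clerk"}}
    manager = {"name": "bob", "roles": {"manager"}}
    print(approve_order({"owner": "alice"}, clerk))    # 403 Forbidden
    print(approve_order({"owner": "alice"}, manager))  # approved_by bob
```

Keeping the rules in one table also makes the policy reviewable: a new "approve" path added to the UI later still hits the same `is_authorized` check on the server.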

Slide 7: Flaw 3. Only a fixed set of bad characters is checked for (a blacklist). This becomes vulnerable in special situations. Demo.

Slide 8: Principles. Validate against the set of allowed values (whitelist). If whitelist validation is not possible: encode output to prevent XSS; parameterize queries to prevent SQL injection; …
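Slides 7 and 8 together: a blacklist of bad characters fails in contexts the list did not anticipate, while a whitelist plus context-specific encoding and parameterized queries holds up. The following is an added example, not from the presentation, using Python's sqlite3, html and re modules; the users table, its rows and the validation patterns are constructed for illustration. It shows one "special situation" for the blacklist: a numeric query context, where none of the blacklisted characters are needed.

```python
"""Blacklist vs whitelist input validation (added example, not from the slides)."""
import html
import re
import sqlite3

# Whitelist: a username is 3 to 20 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
# Whitelist: a record id is a short run of digits.
ID_RE = re.compile(r"[0-9]{1,9}")


def blacklist_filter(value):
    """The flawed approach from slide 7: strip a few known-bad characters.
    Kept here only to show what it does not cover."""
    for bad in ("'", '"', ";", "--"):
        value = value.replace(bad, "")
    return value


def validate_username(value):
    """Whitelist: reject anything outside the allowed alphabet and length."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def render_comment(text):
    """Free text cannot be whitelisted, so encode it for the HTML context."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def setup_db():
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def find_by_id_blacklisted(conn, raw_id):
    """Flawed: the blacklist passes '1 OR 1=1' untouched, because in a
    numeric context no quote or semicolon is required to change the query."""
    cleaned = blacklist_filter(raw_id)
    return conn.execute("SELECT name FROM users WHERE id = " + cleaned).fetchall()


def find_by_id(conn, raw_id):
    """Fixed: whitelist the shape of the value, then pass it as a parameter so
    the driver keeps data separate from the SQL text."""
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("invalid id")
    return conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(find_by_id_blacklisted(db, "1 OR 1=1"))  # both rows: blacklist missed it
    print(find_by_id(db, "1"))                      # [('alice',)]
    print(render_comment("<b>hi</b>"))              # <p>&lt;b&gt;hi&lt;/b&gt;</p>
```

The whitelist pattern is deliberately narrow; widening it later is a conscious decision, whereas a blacklist silently stays incomplete as new contexts (numeric columns, attribute values, JavaScript strings) are added.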

Slide 9: Flaw 4. Not knowing which services are provided by which mechanisms. For example, what services do digital signatures provide? Demo.

Slide 10: Diagram. Product 1's site, Product 2's site and Product 3's site each send a signed XML POST to the central payment site.

Slide 11: Principles. Know what service each mechanism provides. Do not implement crypto mechanisms yourself. Use system-provided methods.

Slide 12: Flaw 5. Book movie ticket, screen 1 for user 1.

Slide 13: Book movie ticket, screen 2 for user 1. "You have 7 minutes left." Enter payment details: Name, Credit card number, Address, …. Click to book.

Slide 14: Book movie ticket, screen 1 for user 2.

Slide 15: Book movie ticket, screen 1 for user 2 after 7 minutes.

Slide 16: Principles. Use CAPTCHA to avoid automated attacks. Design with security in mind.
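Slides 12 to 16 describe a booking flow in which a seat is held for 7 minutes while payment details are entered, so that the second user cannot take the seat until the hold lapses. The following is an added example, not from the presentation, of how the hold logic can be designed with that in mind: holds expire on their own, and one client cannot accumulate an unbounded number of them. The per-client cap, the seat and client identifiers, and representing the CAPTCHA result as a boolean supplied by the caller are assumptions for illustration; the 7-minute hold time is from the slides.

```python
"""Expiring, per-client-capped seat holds (added example, not from the slides)."""
import time

HOLD_SECONDS = 7 * 60        # from slide 13: "You have 7 minutes left"
MAX_HOLDS_PER_CLIENT = 4     # assumption for illustration, not from the slides


class FakeClock:
    """Manually advanced clock so the expiry logic can be exercised offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class SeatHolds:
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable for testing
        self._holds = {}             # seat_id -> (client_id, expires_at)

    def _expire(self):
        """Drop holds whose timer has run out, so a stale hold never blocks a seat."""
        now = self._clock()
        for seat, (_, expires_at) in list(self._holds.items()):
            if expires_at <= now:
                del self._holds[seat]

    def active_holds(self, client_id):
        self._expire()
        return sum(1 for c, _ in self._holds.values() if c == client_id)

    def holder(self, seat_id):
        self._expire()
        return self._holds.get(seat_id, (None,))[0]

    def hold(self, seat_id, client_id, captcha_passed):
        """Returns True if client_id now holds seat_id for HOLD_SECONDS."""
        if not captcha_passed:
            return False             # automated clients never reach the hold step
        self._expire()
        current = self._holds.get(seat_id)
        if current is not None and current[0] != client_id:
            return False             # held by someone else until their timer lapses
        if current is None and self.active_holds(client_id) >= MAX_HOLDS_PER_CLIENT:
            return False             # one client cannot tie up the whole hall
        self._holds[seat_id] = (client_id, self._clock() + HOLD_SECONDS)
        return True

    def release(self, seat_id, client_id):
        """Called when payment completes or the user abandons the booking."""
        if self._holds.get(seat_id, (None,))[0] == client_id:
            del self._holds[seat_id]


if __name__ == "__main__":
    clock = FakeClock()
    holds = SeatHolds(clock=clock)
    print(holds.hold("A1", "user1", captcha_passed=True))   # True  (screen 2, user 1)
    print(holds.hold("A1", "user2", captcha_passed=True))   # False (screen 1, user 2)
    clock.t += HOLD_SECONDS
    print(holds.hold("A1", "user2", captcha_passed=True))   # True  (user 2 after 7 minutes)
```

The expiry is computed from an injected clock rather than wall time so the 7-minute boundary can be tested deterministically; in a deployment the same structure would sit behind the booking handler with a shared store instead of a dictionary.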


