Don’t get Stung (An introduction to the OWASP Top Ten Project)


Presentation Transcript


  1. NEW AND IMPROVED! Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans, Microsoft Information Security Tools

  2. Contents • OWASP Top Ten • http://www.owasp.org • A worldwide free and open community focused on improving the security of application software

  3. Introduction • Do not try this at home. Or at work. • These are not just ASP.NET vulnerabilities • If you don’t want to ask questions in public: barryd@idunno.org / http://idunno.org

  4. 10 – Unvalidated Redirects and Forwards

  5. Unvalidated Redirects and Forwards • Users don’t check the address bar • MVC authentication (pre-3.0) is vulnerable. • Check the ReturnUrl parameter – http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
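The ReturnUrl check from the slide, worked through as an added example (this is not the presentation's or the linked post's code). It assumes an MVC 2 style LogOn action with a minimal LogOnModel; the helper accepts only site-relative URLs ("/path" or "~/path") and rejects the protocol-relative forms "//host" and "/\host", which browsers treat as absolute. MVC 3 ships an equivalent Url.IsLocalUrl() helper.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Minimal view model, assumed here for completeness.
public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    // True only for URLs that stay on this site. "//evil.example" and
    // "/\evil.example" start with "/" but browsers resolve them as absolute,
    // so they are rejected explicitly.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        if (url.StartsWith("~/", StringComparison.Ordinal))
            return true;

        if (url == "/")
            return true;

        return url.Length > 1
            && url[0] == '/'
            && url[1] != '/'
            && url[1] != '\\';
    }

    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        if (!Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

        // Honour ReturnUrl only when it points back into this application;
        // anything else falls back to a fixed landing page instead of
        // bouncing the freshly authenticated user to an attacker's site.
        if (IsLocalUrl(returnUrl))
            return Redirect(returnUrl);

        return RedirectToAction("Index", "Home");
    }
}
```

The same helper belongs in front of every Redirect that takes its target from the request (log off, "back to" links, language switchers), not just the login action.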

  6. 9 – Insufficient Transport Layer Protection

  7. Insufficient Transport Layer Protection • Use SSL • Protect communications between web server and backend systems (SSL, IPSEC etc.) • Replay attacks – use time limited tokens

  8. 8 – Failure to restrict URI access

  9. Failure to restrict URI access • Security by obscurity is useless • Restrict via ASP.NET – no rolling your own! • Integrated pipeline restricts everything • Use [PrincipalPermission] to protect yourself • IIS7 replaces file ACLs with a web.config based authorization list.

  10. 7 – Insecure Cryptographic Storage

  11. Insecure Cryptographic Storage • Symmetric – same key • Asymmetric – public/private keys • Use safe algorithms – Hashing: SHA256, Symmetric: AES, Asymmetric: CMS/PKCS#7 • Encrypt then sign

  12. Insecure Cryptographic Storage • Use symmetric when • All systems are under your control • No need to identify who did the encryption • Use asymmetric when • Talking to/accepting from external systems • Non-repudiation on who encrypted/signed (X509) • All in memory – so no large plaintexts! • Combine the two for speed and security

  13. Insecure Cryptographic Storage • Do not reuse keys for different purposes • Store keys outside the main database • Use CryptGenRandom for random numbers • Use & rotate salts • Use unique IVs • DPAPI can provide a key store
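The symmetric half of slides 11 to 13 put together as an added example (not code from the presentation): AES-CBC with a fresh IV per message, a separate HMAC-SHA256 key so the encryption key is never reused for integrity, encrypt-then-MAC (the slide's "encrypt then sign"), random bytes from RNGCryptoServiceProvider (CryptGenRandom underneath), and DPAPI via ProtectedData to keep the key material out of the database. The class and method names are my own; ProtectedData needs a reference to System.Security.dll.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SealedStorage
{
    // Fresh random key material; CryptGenRandom sits behind RNGCryptoServiceProvider.
    public static byte[] NewKey(int bytes)
    {
        var key = new byte[bytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(key);
        return key;
    }

    // Output layout: IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32).
    // encKey and macKey are distinct keys: one key, one purpose.
    public static byte[] Seal(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                       // unique IV for every message
            byte[] iv = aes.IV;

            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var body = new byte[iv.Length + cipher.Length];
            Buffer.BlockCopy(iv, 0, body, 0, iv.Length);
            Buffer.BlockCopy(cipher, 0, body, iv.Length, cipher.Length);

            using (var hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(body);  // MAC covers IV and ciphertext
                var output = new byte[body.Length + tag.Length];
                Buffer.BlockCopy(body, 0, output, 0, body.Length);
                Buffer.BlockCopy(tag, 0, output, body.Length, tag.Length);
                return output;
            }
        }
    }

    // Verify the tag first; nothing is decrypted unless the MAC matches.
    public static byte[] Open(byte[] sealedData, byte[] encKey, byte[] macKey)
    {
        const int ivLen = 16, tagLen = 32;
        if (sealedData.Length < ivLen + tagLen)
            throw new CryptographicException("Sealed blob too short.");

        int bodyLen = sealedData.Length - tagLen;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(sealedData, 0, bodyLen);
            if (!FixedTimeEquals(expected, sealedData, bodyLen))
                throw new CryptographicException("Integrity check failed.");
        }

        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            var iv = new byte[ivLen];
            Buffer.BlockCopy(sealedData, 0, iv, 0, ivLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(sealedData, ivLen, bodyLen - ivLen);
        }
    }

    // Compare every byte so a wrong tag takes the same time however early it differs.
    static bool FixedTimeEquals(byte[] a, byte[] b, int bOffset)
    {
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[bOffset + i];
        return diff == 0;
    }

    // DPAPI: the key blob can live in a file or config outside the main database,
    // and only this machine (LocalMachine scope) can unprotect it.
    public static byte[] ProtectKey(byte[] key)
    {
        return ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine);
    }

    public static byte[] UnprotectKey(byte[] blob)
    {
        return ProtectedData.Unprotect(blob, null, DataProtectionScope.LocalMachine);
    }

    public static void Main()
    {
        byte[] encKey = NewKey(32), macKey = NewKey(32);
        byte[] blob = Seal(Encoding.UTF8.GetBytes("constructed sample record"), encKey, macKey);
        Console.WriteLine(Encoding.UTF8.GetString(Open(blob, encKey, macKey)));
    }
}
```

Rotating the salt the slide mentions is a property of the password-hashing path, not of this record-sealing path; for stored passwords, generate the salt with the same NewKey() call and store it beside the hash.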

  14. 6 – Security Misconfiguration

  15. Security Misconfiguration • PATCH PATCH PATCH • IIS7 App Pool Isolation – http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/ • URLScan • Security Runtime Engine (CTP) • Disable unused modules, accounts etc.

  16. Security Misconfiguration
      <httpModules>
        <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
        <add name="Session" type="System.Web.SessionState.SessionStateModule" />
        <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
        <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
        <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
        <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
        <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
        <add name="Profile" type="System.Web.Profile.ProfileModule" />
      </httpModules>

  17. Security Misconfiguration
      <httpModules>
        <remove name="PassportAuthentication" />
        <remove name="Profile" />
        <remove name="AnonymousIdentification" />
      </httpModules>
      • NB: Some modules depend on others. Forms auth needs caching. There’s no easy way to tell!

  18. 5 – Cross Site Request Forgery

  19. Cross Site Request Forgery • WebForms • Lock ViewState using ViewStateUserKey • Needs a way to identify user • Set in Page_Init • Use a CSRF token – http://anticsrf.codeplex.com • MVC • <%= Html.AntiForgeryToken() %> – in form • [ValidateAntiForgeryToken] – on action method • Encourage users to log out • When is a postback not a postback?
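Both halves of the slide as an added example (my code, not the presentation's): the WebForms page sets ViewStateUserKey in Page_Init so a ViewState captured in one session fails its MAC check in another, and the MVC controller pairs Html.AntiForgeryToken() in the form with [ValidateAntiForgeryToken] on the POST action. The page, controller and action names are assumptions.

```csharp
using System;
using System.Web.Mvc;

// WebForms: tie the ViewState MAC to the current user.
public partial class TransferFunds : System.Web.UI.Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Must happen in Page_Init: by Page_Load the ViewState has already been
        // loaded and checked, so setting the key there is too late.
        if (User.Identity.IsAuthenticated)
        {
            ViewStateUserKey = User.Identity.Name;
        }
        else
        {
            // Anonymous users have no name, so pin the ViewState to a random
            // per-session value instead. It is stored in Session because ASP.NET
            // issues a fresh session id on every request until Session holds data.
            if (Session["csrfKey"] == null)
                Session["csrfKey"] = Guid.NewGuid().ToString("N");
            ViewStateUserKey = (string)Session["csrfKey"];
        }
    }
}

// MVC 2: the view (ASPX syntax) emits the token inside the form:
//
//   <% using (Html.BeginForm()) { %>
//       <%= Html.AntiForgeryToken() %>
//       ... fields ...
//   <% } %>
//
// and the action refuses any POST whose form token does not match the
// token in the anti-forgery cookie.
public class FundsController : Controller
{
    [HttpGet]
    public ActionResult Transfer()
    {
        return View();
    }

    // State only ever changes on a POST, and only a POST carrying a valid
    // token reaches the body of this method.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(string toAccount, decimal amount)
    {
        // ... move the money ...
        return RedirectToAction("Index");
    }

    // "Encourage users to log out": a logged-out user has no ambient
    // credential for a forged request to ride on.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        System.Web.Security.FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```

The [HttpGet] overload answers the slide's last bullet: a state-changing handler that also accepts GET is a "postback" an attacker can trigger with nothing more than an image tag, so keep changes on POST and keep the token on every POST.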

  20. 4 – Insecure Direct Object Reference

  21. Insecure Direct Object Reference • Use indirect object references • Always check access permissions • For MVC don’t allow binding to your ID field: [Bind(Exclude="id")]
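The three bullets in one controller, as an added example that is not from the presentation: clients only ever see a random per-session handle (the indirect reference), every action still checks ownership after resolving the handle, and the Edit action excludes the key and owner fields from model binding. The Invoice type and the in-memory store are constructed stand-ins for a real repository.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Web.Mvc;

public class Invoice
{
    public int Id { get; set; }        // database key: never sent to the client
    public string Owner { get; set; }  // user name of the owning account
    public string Number { get; set; }
    public decimal Total { get; set; }
}

public class InvoiceController : Controller
{
    // Constructed sample data standing in for the database.
    static readonly List<Invoice> Store = new List<Invoice>
    {
        new Invoice { Id = 1001, Owner = "alice", Number = "INV-1", Total = 120m },
        new Invoice { Id = 1002, Owner = "bob",   Number = "INV-2", Total = 75m  },
    };

    // Per-session map from opaque handle to real id: the indirect reference.
    Dictionary<string, int> Handles
    {
        get
        {
            var map = Session["invoiceHandles"] as Dictionary<string, int>;
            if (map == null)
                Session["invoiceHandles"] = map = new Dictionary<string, int>();
            return map;
        }
    }

    string HandleFor(int id)
    {
        foreach (var pair in Handles)
            if (pair.Value == id)
                return pair.Key;

        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);                       // unguessable, not sequential
        string handle = BitConverter.ToString(bytes).Replace("-", "");
        Handles[handle] = id;
        return handle;
    }

    // Resolve a handle to an invoice the current user owns, or null.
    Invoice Resolve(string handle)
    {
        int id;
        if (handle == null || !Handles.TryGetValue(handle, out id))
            return null;
        var invoice = Store.SingleOrDefault(i => i.Id == id);
        // The handle came from this session, but check ownership anyway.
        return invoice != null && invoice.Owner == User.Identity.Name ? invoice : null;
    }

    public ActionResult Index()
    {
        var links = Store.Where(i => i.Owner == User.Identity.Name)
                         .Select(i => new KeyValuePair<string, string>(HandleFor(i.Id), i.Number))
                         .ToList();
        return View(links);
    }

    public ActionResult Details(string handle)
    {
        var invoice = Resolve(handle);
        if (invoice == null)
            return new HttpStatusCodeResult(404);   // same answer for unknown and not-yours
        return View(invoice);
    }

    // Id and Owner are excluded from binding, so a posted form field with
    // either name is ignored rather than retargeting the update.
    [HttpPost]
    public ActionResult Edit(string handle, [Bind(Exclude = "Id,Owner")] Invoice posted)
    {
        var invoice = Resolve(handle);
        if (invoice == null)
            return new HttpStatusCodeResult(404);

        invoice.Number = posted.Number;
        invoice.Total = posted.Total;
        return RedirectToAction("Details", new { handle });
    }
}
```

Returning 404 for both "no such handle" and "not your invoice" keeps the response from confirming that a guessed reference exists; the permission check is what actually protects the row, the indirection only removes the predictable key.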

  22. 3 - Broken Authentication/Sessions

  23. Broken Authentication/Sessions • Don’t roll your own! • If you must validate sessions on every request, check the browser string, not the IP

  24. 2 – Cross Site Scripting

  25. XSS • <IMG SRC=javascript:alert('XSS')> • <IMG SRC=JaVaScRiPt:alert('XSS')> • <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

  26. XSS • All input is evil • Work from white-lists not black-lists. • Store un-encoded data in your database • Use HttpOnly cookies • AntiXSS project http://antixss.codeplex.com • Better HTML/URL Encoding • Adds HTML Attribute, Javascript, VBScript • XSS Cheat Sheet http://ha.ckers.org/xss.html
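An added example of output encoding by context, written for this page rather than taken from it or from the AntiXSS project: the same untrusted string is placed into an HTML body, an HTML attribute and a JavaScript string, each through the encoder for that context, and the session-style cookie is marked HttpOnly. It uses the System.Web encoders (JavaScriptStringEncode is .NET 4); on 3.5 the AntiXSS library's Microsoft.Security.Application.AntiXss class provides the equivalent HtmlEncode, HtmlAttributeEncode and JavaScriptEncode. The cookie name is a placeholder.

```csharp
using System;
using System.Web;

public static class SafeOutput
{
    // Same input, three contexts, three encoders. Data is stored un-encoded and
    // encoded only here, at the point it is rendered.
    public static string Greeting(string displayName)
    {
        // 1. HTML body: < > & " become entities.
        string body = "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";

        // 2. HTML attribute: always quote the attribute AND encode the value,
        //    otherwise a space in the value starts a new attribute.
        string attr = "<input type=\"text\" name=\"name\" value=\""
                    + HttpUtility.HtmlAttributeEncode(displayName) + "\" />";

        // 3. JavaScript string literal inside a <script> block: HTML encoding is
        //    wrong here; the value needs JavaScript string escaping instead.
        string script = "<script>var user = \""
                      + HttpUtility.JavaScriptStringEncode(displayName) + "\";</script>";

        return body + Environment.NewLine + attr + Environment.NewLine + script;
    }

    // HttpOnly keeps the cookie out of document.cookie, so script that does
    // slip through cannot read it; Secure ties in with item 9 (SSL only).
    public static HttpCookie SessionStyleCookie(string value)
    {
        var cookie = new HttpCookie("app_session", value);   // placeholder name
        cookie.HttpOnly = true;
        cookie.Secure = true;
        return cookie;
    }

    public static void Main()
    {
        // The first payload from the XSS slide, used as sample input.
        Console.WriteLine(Greeting("<IMG SRC=javascript:alert('XSS')>"));
    }
}
```

For cookies the framework issues itself, <httpCookies httpOnlyCookies="true" /> in web.config applies HttpOnly across the board rather than per cookie in code.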

  27. 1 – Injection Flaws

  28. Injection Flaws • SQL • Use SQL parameters • Remove direct SQL table access • When building SQL strings within SPs parameterise those too! • XPath • Use XsltContext • http://mvpxml.codeplex.com/

  29. Injection Flaws
      -- Dynamic SQL inside a stored procedure, still parameterised:
      -- the text is fixed and the values travel separately via sp_executesql.
      DECLARE @cmd nvarchar(max)
      SET @cmd = N'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last'
      EXEC sp_executesql @cmd, N'@first nvarchar(25), @last nvarchar(25)', @first, @last
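The client side of slides 28 and 29 as an added example (not the presentation's code): the concatenated query that the "Use SQL parameters" bullet warns against, next to the parameterised ADO.NET version, and a call into a stored procedure of the kind slide 29 shows. The table and column names follow the slide; the procedure name dbo.FindCustomer and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerSearch
{
    // The shape to remove: user input is spliced into the SQL text, so the
    // input can change the meaning of the statement instead of just its values.
    public static string UnsafeQueryText(string first, string last)
    {
        return "SELECT * FROM Customer WHERE FirstName LIKE '" + first
             + "' OR LastName LIKE '" + last + "'";
    }

    // Hardened: the SQL text is a constant and the values are typed parameters
    // sent out of band, so they can never be parsed as SQL.
    public static DataTable Find(string connectionString, string first, string last)
    {
        const string sql =
            "SELECT CustomerId, FirstName, LastName FROM Customer " +
            "WHERE FirstName LIKE @first OR LastName LIKE @last";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare the parameter type and length to match the column, as the
            // stored procedure on slide 29 does with nvarchar(25).
            cmd.Parameters.Add("@first", SqlDbType.NVarChar, 25).Value = first;
            cmd.Parameters.Add("@last", SqlDbType.NVarChar, 25).Value = last;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }

    // "Remove direct SQL table access": grant EXECUTE on the procedure only and
    // let it own the dynamic SQL (parameterised with sp_executesql as on slide 29).
    public static DataTable FindViaProcedure(string connectionString, string first, string last)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.FindCustomer", conn))   // assumed procedure name
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@first", SqlDbType.NVarChar, 25).Value = first;
            cmd.Parameters.Add("@last", SqlDbType.NVarChar, 25).Value = last;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }
}
```

Parameters stop the input from being interpreted as SQL; they do not stop it from being interpreted by LIKE, so a value containing % or _ still acts as a wildcard. If that matters, escape those characters or validate the input against the expected character set before it reaches the query.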

  30. Changes from 2007 • Malicious File Execution • Information Leakage / Improper Error Handling • Security Misconfiguration • Un-validated Redirects and Forwards

  31. The OWASP Top Ten • A1-Injection • A2-Cross Site Scripting (XSS) • A3-Broken Authentication and Session Management • A4-Insecure Direct Object References • A5-Cross Site Request Forgery (CSRF) • A6-Security Misconfiguration • A7-Insecure Cryptographic Storage • A8-Failure to Restrict URL Access • A9-Insufficient Transport Layer Protection • A10-Unvalidated Redirects and Forwards

  32. Mandatory Book Pimping

  33. Questions
