170 likes | 319 Views
Subtle Security flaws: Why you must follow the basic principles of software security. Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India. Agenda. Flaw – 1 Custom Authentication Flaw – 2 Lack of Rule based Authorization Flaw – 3 Black list input validation
E N D
Subtle Security flaws: Why you must follow the basic principles of software security. Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India
Agenda • Flaw – 1 Custom Authentication • Flaw – 2 Lack of Rule based Authorization • Flaw – 3 Black list input validation • Flaw – 4 Improper use of Crypto • Flaw – 5 App layer DOS attack
Flaw – 1 Custom Authentication • Site implements custom forms authentication • Buggy code • Demo
Flaw – 1 Custom Authentication • Principles:- • Use well known and time tested, system provided methods for authentication. • Avoid writing custom authentication code.
Flaw – 2 Authorization • Authorization implemented by disabling UI • Rule based authorization not considered • Demo
Flaw – 2 Authorization • Principles:- • Do not rely on UI for authorization • Disabled buttons is not authorization • Consider rule based authorization in your design
Flaw – 3 Black list Input Validation • Only set of bad characters are checked for • Becomes vulnerable in special situations • Demo
Flaw – 3 Black list Input Validation • Principles:- • Validate for valid allowed values (white list) • If white list validation is not possible, • Encode to prevent XSS • Parameterize to prevent SQL Injection…
Flaw – 4 Improper use of Crypto • Not knowing what services are provided by what mechanisms • For example, what services do Digital Signatures provide? • Demo
Flaw – 4 Improper use of Crypto Product 1 ‘s Site Product 2 ‘s Site Product 3 ‘s Site Signed XML POST Central Payment Site
Flaw – 4 Improper use of Crypto • Principles:- • Know what service each mechanism provides • Do not implement crypto mechanisms yourself • Use system provided methods
Flaw – 5 App layer Denial of service Book movie ticket Screen 1 for User 1
Flaw – 5 App layer Denial of service Book movie ticket Screen 2 for User 1 You have 7 minutes left Enter Payment details:- Name:- Credit Card Number:- Address:- …. Click to Book
Flaw – 5 App layer Denial of service Book movie ticket Screen 1 for User 2
Flaw – 5 App layer Denial of service Book movie ticket Screen 1 for User 2 after 7 minutes
Flaw – 5 App layer Denial of service • Principles:- • Use CAPTCHA to avoid automated attacks • Design with security in mind