
Top 5 Web Application Security bugs in custom code


Presentation Transcript


  1. Top 5 Web Application Security bugs in custom code Varun Sharma Security Engineer | ACE Team | Microsoft Information Security varun.sharma@microsoft.com

  2. Top 5 Web App Security bugs Relative percentage of the Top 5 Web Application Security vulnerabilities found by Microsoft ACE Team since 1st Jan 08

  3. Agenda • Cross-Site Scripting • Clear Text Secrets • Authorization Issues • Disabling Controls in the Web site to enforce authorization • Direct Object Reference • Missing Authorization controls in web services • SQL Injection • Verbose Error messages

  4. Cross-Site Scripting • User controlled input is rendered back to browser without sufficient input validation or output encoding • Leads to execution of script (controlled by the attacker) under the context of the victim

  5. Cross-Site Scripting • Normal execution

  6. Cross-Site Scripting • What attacker does

  7. Cross-Site Scripting • Common Buggy Code • Some ASP.NET Controls encode and some do not

  8. Cross-Site Scripting • Common Buggy Code • Some ASP.NET Controls encode and some do not

  9. Cross-Site Scripting • User input going in attribute context • User input going in JavaScript context

  10. Cross-Site Scripting • Countermeasures • Validate all input and encode all output • Perform context specific encoding • Use the AntiXss Library
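The following is an added example, not code from the deck: it shows the three output contexts named on slides 7 to 10 (HTML body, attribute, JavaScript string) with the encoder that fits each, beside the non-encoding Label assignment that is the usual bug. The page class, the control names (lblResults, litInput, litScript) and the query-string parameter are assumed.

```csharp
// Added example, not from the deck: context-specific output encoding in an
// ASP.NET Web Forms page. Assumed markup: a Label "lblResults" and two Literal
// controls "litInput" and "litScript" (hypothetical control names).
using System;
using System.Web;
using System.Web.UI;

public partial class Search : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string q = Request.QueryString["q"] ?? string.Empty;

        // BUGGY: Label.Text is written to the response verbatim, so markup in q
        // is rendered as markup. (TextBox.Text, by contrast, is encoded by the control,
        // which is why "some controls encode and some do not".)
        // lblResults.Text = "Results for " + q;

        // HTML body context: HTML-encode before handing text to a non-encoding control.
        lblResults.Text = "Results for " + HttpUtility.HtmlEncode(q);

        // Attribute context: hand-built markup needs the attribute encoder, which
        // escapes the quote characters that would otherwise close the attribute.
        litInput.Text = "<input type=\"text\" name=\"q\" value=\""
                        + HttpUtility.HtmlAttributeEncode(q) + "\" />";

        // JavaScript string context: HTML encoding is the wrong encoder here; a quote
        // or a closing script tag inside q must be escaped for a JS string literal.
        litScript.Text = "<script type=\"text/javascript\">var lastQuery = '"
                         + HttpUtility.JavaScriptStringEncode(q) + "';</script>";

        // The AntiXss library the deck recommends (Microsoft.Security.Application.Encoder)
        // provides the same three encoders (HtmlEncode, HtmlAttributeEncode,
        // JavaScriptEncode) with a whitelist approach, and is the option on .NET
        // versions that predate HttpUtility.JavaScriptStringEncode.
    }
}
```

The point to carry away is that the encoder is chosen by where the value lands in the page, not by where it came from; one HtmlEncode call applied everywhere leaves the attribute and script cases open.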

  11. Clear Text Secrets • The application may need to store credentials to connect to SQL Server, SMTP Server, etc. • May need to store symmetric keys to perform encryption of application data • May be storing user passwords or other secret information in the database

  12. Clear Text Secrets • Common bugs

  13. Clear Text Secrets • Common bugs

  14. Clear Text Secrets • Countermeasures • Do not store secrets (passwords/ keys) in code • Use the aspnet_regiis tool to encrypt configuration settings • For application specific data, consider using SQL Server 2005/ 2008 Native Encryption
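As an added example (not from the deck), the block below encrypts the connectionStrings section of web.config with the protected-configuration API, which is the programmatic equivalent of the aspnet_regiis command on slide 14, and shows that the code reading the connection string does not change. The application path "/MyApp" and the connection-string name "Orders" are assumed.

```csharp
// Added example, not from the deck: encrypting the connectionStrings section of
// web.config with the protected-configuration API, and reading it back.
// "/MyApp" and the "Orders" connection-string name are assumed values.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ProtectedSecrets
{
    // BUGGY pattern the deck warns against: a credential compiled into the assembly,
    // recoverable by anyone who can read the DLL.
    // private const string ConnStr = "Server=db1;Database=Orders;User Id=app;Password=...";

    // Same effect as running, once, on the server:
    //   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
    // The DPAPI provider keys the ciphertext to this machine; for a web farm use
    // "RsaProtectedConfigurationProvider" with an exported key container instead.
    public static bool ProtectConnectionStrings(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;                       // nothing to do

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code does not change: the runtime decrypts the section on read,
    // so the plaintext never has to live in source or in an unencrypted file.
    public static string GetOrdersConnectionString()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["Orders"];
        if (settings == null)
            throw new ConfigurationErrorsException("connection string 'Orders' is not configured");
        return settings.ConnectionString;
    }
}
```

Run ProtectConnectionStrings once per deployment (or use the command line); the identity the application pool runs under must be able to use the chosen provider's key, which is automatic for the DPAPI machine store.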

  15. Authorization Issues • Disabling Controls in the Web site to enforce authorization (Normal execution)

  16. Authorization Issues • Disabling Controls in the Web site to enforce authorization (What attacker does)

  17. Authorization Issues • Disabling HTML text boxes or buttons is only a visual indication, not a security control • Need to perform explicit authorization checks on the server side

  18. Authorization Issues • Common Buggy Code

  19. Authorization Issues • Direct Object Reference (Normal execution)

  20. Authorization Issues • Direct Object Reference (What attacker does)

  21. Authorization Issues • Direct Object Reference • Unique identifier is used to retrieve and update data for an object. This unique identifier is an incrementing integer (or easily available). • No explicit authorization check is performed to ensure current user has access to the object.

  22. Authorization Issues • Missing authorization in web services in multi-tier applications • Tiers: Web Server (Website) → Web Server (Web service) → SQL Server (Database)

  23. Authorization Issues • Countermeasures:- • Perform server side authorization • Use a platform provided authorization mechanism • URL Authorization • Declarative and Imperative checks • Implement authorization controls in middle tiers
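The block below is an added example, not the deck's code, covering slides 15 to 23 together: a server-side ownership check on a direct object reference, a role check on an action whose button the page merely disables, a declarative PrincipalPermission demand, and the URL authorization fragment in a comment. The Order type, IOrderRepository, the "Approvers" role and the control name btnApprove are all assumed.

```csharp
// Added example, not from the deck: server-side authorization for a direct object
// reference and for an action the page only hides by disabling a button.
// Order, IOrderRepository, the "Approvers" role and btnApprove are assumed names.
using System;
using System.Security.Permissions;
using System.Security.Principal;

public class Order
{
    public int Id;
    public string OwnerUser;
    public bool Approved;
}

public interface IOrderRepository
{
    Order GetById(int orderId);   // returns null when no such order exists
    void Save(Order order);
}

public class OrderService
{
    private readonly IOrderRepository _orders;
    public OrderService(IOrderRepository orders) { _orders = orders; }

    // Declarative check: unauthenticated callers are rejected before the body runs
    // (relies on Thread.CurrentPrincipal, which ASP.NET sets for each request).
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public Order GetOrder(IPrincipal user, int orderId)
    {
        Order order = _orders.GetById(orderId);
        // Ownership is the authorization check. orderId is an incrementing integer
        // the user can edit in the URL; without this test any id returns someone
        // else's order. A foreign id is reported the same way as a missing one.
        if (order == null ||
            !string.Equals(order.OwnerUser, user.Identity.Name, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("order not found or not owned by caller");
        return order;
    }

    // Imperative check: the page sets btnApprove.Enabled = false for non-approvers,
    // but a client can re-enable the control or post the request directly, so the
    // role is re-checked where the state actually changes.
    public void ApproveOrder(IPrincipal user, int orderId)
    {
        if (!user.IsInRole("Approvers"))
            throw new UnauthorizedAccessException("Approvers role required");
        Order order = _orders.GetById(orderId);
        if (order == null)
            throw new ArgumentException("no such order", "orderId");
        order.Approved = true;
        _orders.Save(order);
    }
}

// URL authorization, the platform mechanism the deck names, for a whole folder
// (web.config; the "Admin" path is assumed):
//
// <location path="Admin">
//   <system.web>
//     <authorization>
//       <allow roles="Approvers" />
//       <deny users="*" />
//     </authorization>
//   </system.web>
// </location>
```

In the multi-tier layout of slide 22 the same class belongs in the web service tier: checks that live only in the website protect nothing once the service is reachable directly, so the principal must be established and checked again in the middle tier.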

  24. SQL Injection • User input without sufficient validation is used to create and execute a dynamic SQL statement • User can manipulate the SQL statement that gets executed

  25. SQL Injection • Normal execution

  26. SQL Injection • What attacker does

  27. SQL Injection • Common buggy code

  28. SQL Injection • Common buggy code

  29. SQL Injection • Countermeasures:- • Validate all input • Use parameterized SQL statements (in stored procedures as well, using sp_executesql) • Configure SQL server with least privilege for defense in depth
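Added example, not from the deck: the concatenation bug from slides 24 to 28 beside its parameterized fix, and a stored procedure that builds dynamic SQL the way slide 29 recommends, with sp_executesql and a parameter list instead of EXEC over a concatenated string. The table and column names (dbo.Users, UserName, Email) are assumed.

```csharp
// Added example, not from the deck: concatenated SQL beside the parameterized
// version, plus an sp_executesql stored procedure. dbo.Users and its columns are
// assumed names.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // BUGGY: the input becomes part of the statement text, so a quote character in
    // userName ends the literal and whatever follows is parsed as SQL.
    public static string BuggyStatement(string userName)
    {
        return "SELECT UserId, UserName FROM dbo.Users WHERE UserName = '" + userName + "'";
    }

    // FIXED: the statement text is constant; userName travels as a typed parameter
    // value and is never parsed as SQL, whatever characters it contains.
    public static DataTable FindUser(string connectionString, string userName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT UserId, UserName FROM dbo.Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            var result = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }

    // Stored procedures have the same bug when they build dynamic SQL and run it
    // with EXEC(@sql). sp_executesql takes a parameter list, so the value is bound
    // rather than spliced in. Identifiers cannot be parameters, so the column name
    // is checked against a fixed list and quoted with QUOTENAME.
    public const string CreateFindUserByColumn = @"
CREATE PROCEDURE dbo.FindUserByColumn
    @Column sysname,
    @Value  nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Column NOT IN (N'UserName', N'Email')
    BEGIN
        RAISERROR(N'Unsupported column', 16, 1);
        RETURN;
    END
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT UserId, UserName FROM dbo.Users WHERE '
             + QUOTENAME(@Column) + N' = @v';
    EXEC sp_executesql @sql, N'@v nvarchar(50)', @v = @Value;
END";
}
```

For the defense-in-depth item on slide 29, the login the application connects with should hold only EXECUTE on dbo.FindUserByColumn and SELECT on the tables it needs, so that a statement that does slip through cannot reach other objects.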

  30. Verbose Error messages • Detailed error messages reveal inner workings of an application and make an attacker's job easier

  31. Verbose Error messages • Common Buggy Code:-

  32. Verbose Error messages • Common Buggy Code:- • Missing exception handling in ASMX web services

  33. Verbose Error messages • Leads to…

  34. Verbose Error messages • Common Bad Configuration:-

  35. Verbose Error messages • Leads to…
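Added example, not from the deck, for slides 30 to 35: an ASMX web method without exception handling beside one that logs the full exception server-side and returns only a generic SOAP fault, followed by the customErrors setting that keeps ASP.NET's own error page off the wire. The service, its namespace and the order data are constructed for the example.

```csharp
// Added example, not from the deck: exception handling in an ASMX web method and
// the matching customErrors configuration. The service namespace is a placeholder
// and the order totals are constructed sample data.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.invalid/orders/")]   // placeholder namespace
public class OrdersService : WebService
{
    // Constructed sample data standing in for the database.
    private static readonly Dictionary<int, decimal> Totals =
        new Dictionary<int, decimal> { { 1001, 49.90m }, { 1002, 120.00m } };

    // BUGGY: no handler. An unknown id throws KeyNotFoundException and ASMX
    // serializes ex.ToString() (type, message, stack trace with file paths) into
    // the SOAP fault sent to the caller.
    [WebMethod]
    public decimal GetOrderTotalVerbose(int orderId)
    {
        return Totals[orderId];
    }

    // FIXED: details go to the server log; the caller gets a fault that reveals
    // nothing about the implementation.
    [WebMethod]
    public decimal GetOrderTotal(int orderId)
    {
        try
        {
            return Totals[orderId];
        }
        catch (Exception ex)
        {
            Trace.TraceError("GetOrderTotal({0}) failed: {1}", orderId, ex);
            throw new SoapException("The request could not be processed.",
                                    SoapException.ServerFaultCode);
        }
    }
}

// Matching web.config fragment. A common bad configuration of this kind is
// customErrors mode="Off", which sends the framework's detailed error page to
// every client; RemoteOnly keeps it for requests from the server itself.
//
// <system.web>
//   <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
// </system.web>
```

Note that customErrors governs page requests only; the SOAP fault content is decided by the web method's own exception handling, which is why the catch block is needed in addition to the configuration.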

  36. References • AntiXss Library http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en • ASP.NET IIS Registration Tool (Aspnet_regiis) http://msdn.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx • ASP.NET Authorization http://msdn.microsoft.com/en-us/library/wce3kxhd(VS.80).aspx • Using sp_executesql http://msdn.microsoft.com/en-us/library/ms175170.aspx

  37. Feedback / QnA • Your Feedback is Important! Please take a few moments to fill out our online feedback form • Use the Question Manager on LiveMeeting to ask your questions now!

  38. Contact • Blog http://blogs.msdn.com/varun_sharma • Email Address varun.sharma@microsoft.com
