Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans MVP – Developer Security

Upload: barry-dorrans

Post on 07-Nov-2014

Category: Technology

DESCRIPTION

An introduction to the OWASP Top Ten Vulnerability List.

TRANSCRIPT

Page 1: Don't Get Stung

Don’t get Stung (An introduction to the OWASP Top Ten Project)

Barry Dorrans, MVP – Developer Security

Page 2: Don't Get Stung

Contents

• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software

Page 3: Don't Get Stung

Introduction

• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ...

[email protected] / http://idunno.org

Page 4: Don't Get Stung

10 – Failure to restrict URL access

Page 5: Don't Get Stung

Failure to restrict URL access

• Security by obscurity is useless: an unlinked or “hidden” URL is still reachable by anyone who guesses it or is told it
• Restrict via ASP.NET: <authorization> rules in web.config, scoped to a folder with <location>
• The IIS 7 integrated pipeline restricts everything: those rules then apply to every request, static files included, not only .aspx pages
• Use [PrincipalPermission] to protect yourself: demand a role on the method itself, so the check travels with the code rather than living only in configuration
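The two layers from this slide together, as an added example (not code from the slides): the web.config rule carries the first check, and the page enforces it again in code. The role name “Administrators” and the page class are assumptions for the example.

```csharp
using System;
using System.Security.Permissions;
using System.Web;
using System.Web.UI;

// web.config carries the first line of defence. With the IIS 7 integrated pipeline these
// rules apply to every request under /Admin, static files included:
//
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="Administrators" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
//
// The role "Administrators" and this page are hypothetical names for the example.
public partial class AdminReports : Page
{
    // Second line of defence, in the code itself: a wrong <location> path or a page copied
    // to another folder does not silently expose the handler.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Administrators"))
        {
            // 403 rather than a redirect to the login page: the user is known, just not allowed.
            throw new HttpException(403, "Forbidden");
        }
    }

    // Declarative demand on the method: throws SecurityException unless Thread.CurrentPrincipal
    // (which ASP.NET sets from HttpContext.User after authentication) is in the role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    protected void ExportAll_Click(object sender, EventArgs e)
    {
        // export logic goes here
    }
}
```

The attribute works because ASP.NET copies the authenticated user onto Thread.CurrentPrincipal; a handler that runs work on another thread needs the imperative check instead.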

Page 6: Don't Get Stung

9 – Insecure Communications

Page 7: Don't Get Stung

Insecure Communications

• Use SSL (today TLS), and mark the session and forms-authentication cookies Secure so they never travel over plain HTTP
• Protect communications between the web server and backend systems (SSL/TLS, IPsec etc.): a database or web-service hop on the internal network is just as sniffable
• Replay attacks: a captured request can be resent later; TLS protects against replay on the wire, and state-changing operations still need a nonce or timestamp to stop a legitimate party doing it
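Enforcing the first two points site-wide, as an added example (not code from the slides): an HttpModule that refuses plain HTTP, with the web.config settings it pairs with in the comments. The module name and the one-year HSTS lifetime are this example's choices.

```csharp
using System;
using System.Web;

// Register in web.config under <system.webServer><modules> (integrated pipeline):
//   <add name="RequireHttps" type="RequireHttpsModule" />
// and stop the cookies that matter from ever being sent in clear:
//   <httpCookies requireSSL="true" httpOnlyCookies="true" />
//   <authentication mode="Forms"><forms requireSSL="true" loginUrl="~/Login.aspx" /></authentication>
public class RequireHttpsModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var request = app.Context.Request;
        var response = app.Context.Response;

        if (request.IsSecureConnection)
        {
            // HSTS: a browser that has seen this header refuses to fall back to http:// for a year.
            // Assumption: nothing on this host needs to be reachable over plain HTTP.
            response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
            return;
        }

        // Only GET/HEAD can be redirected safely. A POST over HTTP has already leaked its body,
        // so refuse it rather than pretend the redirect fixed anything.
        if (request.HttpMethod == "GET" || request.HttpMethod == "HEAD")
        {
            var https = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
            response.StatusCode = 301;
            response.RedirectLocation = https.Uri.AbsoluteUri;
        }
        else
        {
            response.StatusCode = 403;
        }
        app.CompleteRequest();
    }

    public void Dispose() { }
}
```

For the backend hop the slide mentions, the same idea applies to the connection string: SQL Server connections take `Encrypt=True;TrustServerCertificate=False`, so the link to the database is also TLS and the server's certificate is actually checked.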

Page 8: Don't Get Stung

8 – Insecure Cryptographic Storage

Page 9: Don't Get Stung

Insecure Cryptographic Storage

• Symmetric – the same key encrypts and decrypts
• Asymmetric – a public/private key pair
• Use safe algorithms –
  Hashing: SHA256 (for stored passwords use a slow, salted key-derivation function such as PBKDF2 rather than a bare hash)
  Symmetric: AES
  Asymmetric: CMS/PKCS#7 (the envelope format; RSA keys underneath)
• Encrypt then sign (or encrypt then MAC): authenticate the ciphertext, and verify it before you decrypt anything

Page 10: Don't Get Stung

Insecure Cryptographic Storage

• Use symmetric when
  – All systems are under your control
  – There is no need to identify who did the encryption
• Use asymmetric when
  – Talking to / accepting from external systems
  – Non-repudiation of who encrypted/signed is needed (X.509 certificates)
  – All in memory!
• Combine the two for speed and security: encrypt the data with a random symmetric key, then encrypt that key with the recipient’s public key (this is what CMS/PKCS#7 enveloping does)

Page 11: Don't Get Stung

Insecure Cryptographic Storage

• Do not reuse keys for different purposes: one key for encryption, a separate one for the MAC or signature
• Store keys outside the main database
• Use CryptGenRandom for random numbers (RNGCryptoServiceProvider in .NET; never System.Random)
• Use salts, a unique random one per stored hash, and generate a fresh one whenever the hash is recomputed
• Use unique IVs: a fresh random IV for every message, stored alongside the ciphertext
• DPAPI can provide a key store (ProtectedData in .NET)
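Slides 9 to 11 together in working code, as an added example (not code from the slides): AES-CBC with a fresh random IV, authenticated with HMAC-SHA256 over IV and ciphertext, under two independent keys, with DPAPI wrapping the keys for storage. The blob layout, key sizes and the DPAPI scope are this example's choices.

```csharp
using System;
using System.Security.Cryptography;

// Encrypt-then-MAC with separate keys; the MAC is checked before anything is decrypted.
public static class AuthenticatedAes
{
    private const int IvLen = 16, TagLen = 32;

    // CryptGenRandom via RNGCryptoServiceProvider. System.Random is not acceptable for keys or IVs.
    public static byte[] NewKey(int bytes)
    {
        var key = new byte[bytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        return key;
    }

    // Output layout: IV (16) || ciphertext || HMAC-SHA256 tag (32)
    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = new AesCryptoServiceProvider { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();                                    // unique IV per message, never reused under this key
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            var blob = new byte[IvLen + cipher.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(cipher, 0, blob, IvLen, cipher.Length);
            using (var hmac = new HMACSHA256(macKey))
            {
                var tag = hmac.ComputeHash(blob, 0, IvLen + cipher.Length);   // MAC covers IV and ciphertext
                Buffer.BlockCopy(tag, 0, blob, IvLen + cipher.Length, TagLen);
            }
            return blob;
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob == null || blob.Length < IvLen + TagLen) throw new CryptographicException("Malformed input");
        int bodyLen = blob.Length - TagLen;

        using (var hmac = new HMACSHA256(macKey))
        {
            var expected = hmac.ComputeHash(blob, 0, bodyLen);
            var actual = new byte[TagLen];
            Buffer.BlockCopy(blob, bodyLen, actual, 0, TagLen);
            if (!FixedTimeEquals(expected, actual))
                throw new CryptographicException("Authentication failed");   // reject before decrypting: no padding oracle
        }

        var iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
    }

    // Constant-time comparison, so the tag check does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // DPAPI: the key is encrypted under the machine's credentials. Keep the result in a file or
    // registry value, not in the application database next to the data it protects.
    public static byte[] ProtectKey(byte[] key)
    {
        return ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine);
    }

    public static byte[] UnprotectKey(byte[] wrapped)
    {
        return ProtectedData.Unprotect(wrapped, null, DataProtectionScope.LocalMachine);
    }
}
```

Usage is `var encKey = AuthenticatedAes.NewKey(32); var macKey = AuthenticatedAes.NewKey(32); var blob = AuthenticatedAes.Encrypt(Encoding.UTF8.GetBytes("secret"), encKey, macKey);` followed by `Decrypt(blob, encKey, macKey)`. Flipping any byte of the blob makes Decrypt throw before AES runs. For the password case on slide 9, the same RNG feeds a per-user salt into Rfc2898DeriveBytes (PBKDF2) rather than this class.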

Page 12: Don't Get Stung

7 – Broken Authentication/Sessions

Page 13: Don't Get Stung

Broken Authentication/Sessions

• Don’t roll your own! Use the framework’s forms/Windows authentication and session state
• Validate sessions on every request: check the browser string (User-Agent) against the one seen when the session started. A mismatch is a cheap signal of a hijacked session, not proof, since the attacker controls that header too

Page 14: Don't Get Stung

6 – Information Leakage

Page 15: Don't Get Stung

Information Leakage

• Don’t show raw errors (customErrors mode="On" or "RemoteOnly")
• Catch errors “properly”: log the full exception server-side, show the user a generic page
• Don’t upload PDBs or debug assemblies (compilation debug="false")
• Encrypt web.config parts (aspnet_regiis -pe for connectionStrings and similar sections)
• Encrypt ViewState (viewStateEncryptionMode="Always"; otherwise it is only Base64 and anything stored in it is readable)
• Watch your CSS!
• For Ajax, UpdatePanels are more secure
• Turn off metadata (WSDL and documentation pages) in web services
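Slides 13 and 15 in one Global.asax.cs, as an added example (not code from the slides): the per-request session check against the browser string, and an error handler that logs everything and shows nothing. The web.config values in the comments, the Login.aspx/Error.aspx pages and the "/MyApp" path are assumptions for the example.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

// Pairs with these web.config settings (assumed values):
//   <compilation debug="false" />                                        no PDBs, no debug assemblies
//   <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />    no yellow screen for remote users
//   <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />  ViewState is only Base64 otherwise
//   <httpCookies httpOnlyCookies="true" requireSSL="true" />
// and with the connection strings encrypted in place:
//   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
public class Global : HttpApplication
{
    private const string UaKey = "ua";

    protected void Session_Start(object sender, EventArgs e)
    {
        // Record the browser string the session was created with. Writing to Session also
        // pins the session ID, which a fresh, empty session does not keep between requests.
        Session[UaKey] = Request.UserAgent ?? string.Empty;
    }

    // Fires on every request once session state has been attached.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        var session = Context.Session;
        if (session == null) return;             // handler without session state (static file, etc.)

        var expected = session[UaKey] as string;
        if (expected == null) return;            // no session established yet
        if (expected != (Request.UserAgent ?? string.Empty))
        {
            // A changed User-Agent is only a hint (the attacker chooses that header too),
            // but it is cheap to act on: drop the session and the forms ticket.
            session.Abandon();
            FormsAuthentication.SignOut();
            Response.Redirect("~/Login.aspx", false);
            CompleteRequest();
        }
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        var ex = Server.GetLastError();
        if (ex == null) return;

        // Full detail (stack trace, inner exceptions, SQL text) goes where only operators read it.
        Trace.TraceError("Unhandled exception for {0}: {1}", Request.RawUrl, ex);

        // Then swap it for a page that reveals nothing about paths, versions or queries.
        Server.ClearError();
        Response.Clear();
        Response.Redirect("~/Error.aspx", false);
        CompleteRequest();
    }
}
```

The session check is a heuristic layered on top of the framework’s own session handling, not a replacement for it; the point of “don’t roll your own” stands.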

Page 16: Don't Get Stung

5 – Cross Site Request Forgery

Page 17: Don't Get Stung

Cross Site Request Forgery

• Lock ViewState using ViewStateUserKey
  – Needs a way to identify the user (session ID or authenticated user name)
  – Set in Page_Init, before ViewState is loaded and validated

• Use a CSRF token – http://anticsrf.codeplex.com

• Encourage users to log out: a forged request only works while the victim’s session is alive
• GET requests must be idempotent: never change state on a GET
• When is a postback not a postback? When the postback fields (__VIEWSTATE and friends) arrive in the query string of a GET; ASP.NET still treats that as a postback
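A base page that applies the ViewStateUserKey and GET/POST points from this slide to every page, as an added example (not code from the slides). It assumes sessions are in use and that Session_Start stores something, so the session ID is stable from the first request; the authenticated user name would be the alternative key.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Every page in the site inherits from this instead of Page.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Tie the ViewState MAC to this session. A form the attacker captured in their own
        // session fails MAC validation when replayed against the victim's, so the postback
        // never fires. This has to happen in Init: by Load, ViewState is already loaded.
        ViewStateUserKey = Session.SessionID;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // A request counts as a postback whenever the postback fields are present, which
        // includes a GET carrying them in the query string. Postbacks change state, so
        // insist that they arrive as POST.
        if (IsPostBack && !string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            throw new HttpException(400, "State-changing requests must be sent with POST");
    }
}
```

This covers WebForms postbacks only; handlers and web services that are not pages need an explicit token, which is what the AntiCSRF project linked above supplies.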

Page 18: Don't Get Stung

4 – Insecure Direct Object Reference

Page 19: Don't Get Stung

Insecure Direct Object Reference

• Use indirect object references: hand the browser an opaque, per-user/session token and map it back to the real ID on the server
• Always check access permissions: the indirection does not replace an authorization check on the object itself
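Both points in code, as an added example (not code from the slides): a per-session token map plus the ownership check it does not replace. The Document class and the in-memory Repository with two records are constructed for the example; a real application would load from its database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

public class Document { public int Id; public string OwnerName; public string Body; }

// Constructed stand-in for the real data store.
public static class Repository
{
    private static readonly Dictionary<int, Document> Docs = new Dictionary<int, Document>
    {
        { 1001, new Document { Id = 1001, OwnerName = "alice", Body = "Alice's report" } },
        { 1002, new Document { Id = 1002, OwnerName = "bob",   Body = "Bob's report" } },
    };
    public static Document Load(int id) { Document d; return Docs.TryGetValue(id, out d) ? d : null; }
}

public static class IndirectRefs
{
    private const string MapKey = "refmap";

    // Rendering a list: give the browser a random token and remember which record it stands for.
    public static string Issue(HttpSessionState session, int recordId)
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        GetMap(session)[token] = recordId;
        return token;
    }

    // Handling a request: a token this session never issued resolves to nothing, so IDs
    // cannot be enumerated by counting upwards.
    public static int? Resolve(HttpSessionState session, string token)
    {
        int id;
        if (token != null && GetMap(session).TryGetValue(token, out id)) return id;
        return null;
    }

    private static Dictionary<string, int> GetMap(HttpSessionState session)
    {
        var map = session[MapKey] as Dictionary<string, int>;
        if (map == null) session[MapKey] = map = new Dictionary<string, int>();
        return map;
    }
}

public partial class ViewDocument : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int? id = IndirectRefs.Resolve(Session, Request.QueryString["doc"]);
        if (id == null) throw new HttpException(404, "Not found");          // guessed or foreign token

        var doc = Repository.Load(id.Value);
        // Indirection is not authorization: a token is issued for anything that appeared in a
        // list, so the owner check still decides whether this user may open it.
        if (doc == null || !string.Equals(doc.OwnerName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            throw new HttpException(403, "Forbidden");

        Response.Write(Server.HtmlEncode(doc.Body));
    }
}
```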

Page 20: Don't Get Stung

3 – Malicious File Execution

Page 21: Don't Get Stung

Malicious File Execution

• Remove the Scripts/Execute permission in IIS from any directory that receives uploads
• Store uploads outside the application root, under a server-chosen file name
• Never believe the MIME type for uploads: Content-Type and the file name are whatever the client sent; inspect the bytes instead
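The three points as one upload handler, as an added example (not code from the slides): the file type is decided by its first bytes, the name is generated on the server, and the directory is outside the web root. D:\Uploads, the 5 MB limit and the PNG/JPEG allow-list are this example's assumptions; the directory must carry no Scripts/Execute permission in IIS.

```csharp
using System;
using System.IO;
using System.Web;

public static class UploadStore
{
    private const string UploadRoot = @"D:\Uploads";        // assumption: outside the site's physical path
    private const int MaxBytes = 5 * 1024 * 1024;

    private static readonly byte[] PngMagic  = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
    private static readonly byte[] JpegMagic = { 0xFF, 0xD8, 0xFF };

    // Returns the server-chosen file name to record in the database.
    public static string Save(HttpPostedFile file)
    {
        if (file == null || file.ContentLength <= 0 || file.ContentLength > MaxBytes)
            throw new HttpException(400, "Bad upload");

        // file.ContentType and file.FileName are client-supplied; neither is consulted.
        var head = new byte[8];
        int read = file.InputStream.Read(head, 0, head.Length);
        file.InputStream.Seek(0, SeekOrigin.Begin);

        string extension;
        if (StartsWith(head, read, PngMagic)) extension = ".png";
        else if (StartsWith(head, read, JpegMagic)) extension = ".jpg";
        else throw new HttpException(400, "Only PNG and JPEG images are accepted");

        // Random name, fixed extension: no path separators, no ".aspx", no "..\" from the client.
        var name = Guid.NewGuid().ToString("N") + extension;
        file.SaveAs(Path.Combine(UploadRoot, name));
        return name;
    }

    // Serving side: stream the bytes back with a Content-Type we set. There is no direct URL
    // into the directory, because it is not under the web root.
    public static void Send(HttpResponse response, string name)
    {
        var path = Path.Combine(UploadRoot, Path.GetFileName(name));   // GetFileName strips any path a caller smuggled in
        if (!File.Exists(path)) throw new HttpException(404, "Not found");
        response.ContentType = name.EndsWith(".png", StringComparison.OrdinalIgnoreCase) ? "image/png" : "image/jpeg";
        response.AppendHeader("X-Content-Type-Options", "nosniff");
        response.TransmitFile(path);
    }

    private static bool StartsWith(byte[] buffer, int length, byte[] magic)
    {
        if (length < magic.Length) return false;
        for (int i = 0; i < magic.Length; i++)
            if (buffer[i] != magic[i]) return false;
        return true;
    }
}
```

A file that starts with the PNG signature but carries script further in is still stored, which is why the serving side sets the Content-Type itself and the directory can never execute anything.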

Page 22: Don't Get Stung

2 – Injection Flaws

Page 23: Don't Get Stung

Injection Flaws

• SQL
  – Use SQL parameters (SqlParameter); never build statements by string concatenation
  – Remove direct SQL table access: grant the application login EXECUTE on stored procedures or views only, nothing on the tables

• XPath
  – Use XsltContext to pass user input as XPath variables instead of splicing it into the expression
  – http://mvpxml.codeplex.com/
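The SQL half of this slide as before/after code, as an added example (not code from the slides): the same lookup with the value concatenated in, with a parameter, and behind a stored procedure so the login needs no table rights. The Users table, the dbo.FindUser procedure and the “webapp” login are constructed for the example.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // VULNERABLE: the username is pasted into the statement. A value of
    //   ' OR 1=1 --
    // turns the WHERE clause into  Username = '' OR 1=1  and returns every row;
    // a value starting with  '; DROP TABLE Users; --  does worse.
    public static DataTable FindVulnerable(SqlConnection conn, string username)
    {
        var sql = "SELECT Id, Email FROM Users WHERE Username = '" + username + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var reader = cmd.ExecuteReader())
        {
            var table = new DataTable();
            table.Load(reader);
            return table;
        }
    }

    // FIXED: the value travels as a typed parameter and is never parsed as SQL, whatever it contains.
    public static DataTable FindSafe(SqlConnection conn, string username)
    {
        using (var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE Username = @username", conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            using (var reader = cmd.ExecuteReader())
            {
                var table = new DataTable();
                table.Load(reader);
                return table;
            }
        }
    }

    // "Remove direct SQL table access": the same lookup behind a stored procedure, so the
    // application login is granted EXECUTE on the procedure and nothing on the table:
    //   GRANT EXECUTE ON dbo.FindUser TO webapp;   -- no SELECT/INSERT/UPDATE/DELETE on dbo.Users
    public static DataTable FindViaProcedure(SqlConnection conn, string username)
    {
        using (var cmd = new SqlCommand("dbo.FindUser", conn) { CommandType = CommandType.StoredProcedure })
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            using (var reader = cmd.ExecuteReader())
            {
                var table = new DataTable();
                table.Load(reader);
                return table;
            }
        }
    }
}
```

The XPath case follows the same rule: the expression stays fixed (`//user[@name=$name]`) and the value is bound to `$name` through an XsltContext, which is what the MVP.XML library linked on the slide provides; an expression built by concatenation is injectable in exactly the way the first method is.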

Page 24: Don't Get Stung

1 – Cross Site Scripting

Page 25: Don't Get Stung

XSS

Three spellings of the same payload; a black-list that matches only the first misses the other two:

• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Page 26: Don't Get Stung

XSS

• All input is evil
• Work from white-lists, not black-lists
• Store un-encoded data in your database; encode on output, for the context it is emitted into
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL encoding (white-list based: anything not known to be safe is encoded)
  – Adds HTML attribute, JavaScript, JSON and VBScript encoders

• XSS Cheat Sheet http://ha.ckers.org/xss.html
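Output encoding per context, applied to the payloads from slide 25, as an added example (not code from the slides). It uses the AntiXssEncoder built into .NET 4.5, which carries the CodePlex AntiXSS library's encoders under System.Web; the markup fragments, the https-only rule for image URLs and the cookie name are constructed for the example.

```csharp
using System;
using System.Web;
using System.Web.Security.AntiXss;   // .NET 4.5+; the CodePlex library exposes the same operations under Microsoft.Security.Application

// To make AntiXssEncoder the default behind Server.HtmlEncode and <%: %>, web.config can set:
//   <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
public static class SafeOutput
{
    public static string ForHtml(string untrusted)      { return AntiXssEncoder.HtmlEncode(untrusted, false); }
    public static string ForAttribute(string untrusted) { return AntiXssEncoder.HtmlAttributeEncode(untrusted); }
    public static string ForUrlParam(string untrusted)  { return AntiXssEncoder.UrlEncode(untrusted); }
    public static string ForJsString(string untrusted)  { return HttpUtility.JavaScriptStringEncode(untrusted, true); }

    // Text node: the slide's <IMG SRC=javascript:alert('XSS')> is rendered as literal text,
    // with < > and ' all encoded, so none of its three spellings is ever parsed as a tag.
    public static string Comment(string userText)
    {
        return "<p>" + ForHtml(userText) + "</p>";
    }

    // Attribute holding a URL: encoding cannot make a javascript: URL safe, it can only make it
    // inert text, so white-list the scheme first and attribute-encode second.
    public static string Avatar(string userUrl)
    {
        if (userUrl == null || !userUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) return string.Empty;
        return "<img src=\"" + ForAttribute(userUrl) + "\" alt=\"\" />";
    }

    // Inside <script>: HTML encoding is the wrong tool; a JavaScript string needs JavaScript escaping.
    public static string Greeting(string displayName)
    {
        return "<script>var user = " + ForJsString(displayName) + ";</script>";
    }

    // Link built from user data: URL-encode the parameter, then attribute-encode the whole href.
    public static string SearchLink(string query)
    {
        return "<a href=\"" + ForAttribute("/search.aspx?q=" + ForUrlParam(query)) + "\">search</a>";
    }

    // HttpOnly keeps the cookie out of document.cookie if an XSS does get through;
    // Secure keeps it off plain HTTP. Site-wide: <httpCookies httpOnlyCookies="true" />.
    public static void SetPreferenceCookie(HttpResponse response, string value)
    {
        response.Cookies.Add(new HttpCookie("pref", value) { HttpOnly = true, Secure = true });
    }
}
```

The database still holds the raw user text (slide 26: store un-encoded); the encoder that runs is chosen at the point the text is written out, because the same string needs different treatment in a text node, an attribute, a script block and a URL.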

Page 27: Don't Get Stung

The OWASP Top Ten

• Failure to restrict URL access
• Insecure Communications
• Insecure Cryptographic Storage
• Broken Authentication / Session Management
• Information Leakage
• Cross Site Request Forgery
• Insecure Direct Object Reference
• Malicious File Execution
• Injection Flaws
• Cross Site Scripting

Page 28: Don't Get Stung

Resources

• AntiXSS - http://www.codeplex.com/AntiXSS

• AntiCSRF - http://www.codeplex.com/AntiCSRF

• P&P Guidance Explorer - http://www.codeplex.com/guidanceExplorer

• Fiddler – http://www.fiddlertool.com

• TamperData – https://addons.mozilla.org/en-US/firefox/addon/966

Page 29: Don't Get Stung

Questions