don't get stung
DESCRIPTION
An introduction to the OWASP Top Ten Vulnerability List.
TRANSCRIPT
Don’t get Stung (An introduction to the OWASP Top Ten Project)
Barry Dorrans, MVP – Developer Security
Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software
Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ...
[email protected] / http://idunno.org
10 – Failure to restrict URI access
Failure to restrict URI access
• Security by obscurity is useless
• Restrict via ASP.NET
• Integrated pipeline restricts everything
• Use [PrincipalPermission] to protect yourself
9 – Insecure Communications
Insecure Communications
• Use SSL
• Protect communications between web server and backend systems (SSL, IPSEC etc.)
• Replay attacks
8 – Insecure Cryptographic Storage
Insecure Cryptographic Storage
• Symmetric – same key
• Asymmetric – public/private keys
• Use safe algorithms –
– Hashing: SHA256
– Symmetric: AES
– Asymmetric: CMS/PKCS#7
• Encrypt then sign
Insecure Cryptographic Storage
• Use symmetric when
– All systems are under your control
– No need to identify who did the encryption
• Use asymmetric when
– Talking/accepting from external systems
– Non-repudiation on who encrypted/signed (X509)
– All in memory!
• Combine the two for speed and security
Insecure Cryptographic Storage
• Do not reuse keys for different purposes
• Store keys outside the main database
• Use CryptGenRandom for random numbers
• Use & rotate salts
• Use unique IVs
• DPAPI can provide a key store
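As an added example (not code from the talk or from Barry): how the advice on these three slides fits together in .NET: AES for the symmetric part, a unique IV per message, random bytes from the OS CSPRNG (CryptGenRandom under RNGCryptoServiceProvider), encrypt then sign (here an HMAC-SHA256 tag stands in for a signature, since both sides share keys), and no key reused for two purposes. It assumes the caller generates `encKey` (16, 24 or 32 bytes) and `macKey` with RNGCryptoServiceProvider and stores them outside the main database; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper, not from the talk: AES-CBC with a fresh random IV per
// message, then an HMAC-SHA256 tag over IV||ciphertext (encrypt-then-MAC).
// encKey (16/24/32 bytes) and macKey are separate, so no key serves two purposes.
public static class SealedBlob
{
    private const int IvSize = 16, TagSize = 32;

    private static byte[] Cbc(bool encrypt, byte[] key, byte[] iv, byte[] data, int offset, int count)
    {
        using (var aes = Aes.Create())   // CBC mode and PKCS7 padding are the defaults
        {
            aes.Key = key; aes.IV = iv;
            using (ICryptoTransform t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor())
                return t.TransformFinalBlock(data, offset, count);
        }
    }

    // Output layout: IV (16) || ciphertext || tag (32). The MAC covers IV and ciphertext.
    public static byte[] Seal(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        byte[] iv = new byte[IvSize];    // unique IV per call, from the OS CSPRNG (CryptGenRandom)
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(iv);
        byte[] ct = Cbc(true, encKey, iv, plaintext, 0, plaintext.Length);
        byte[] blob = new byte[IvSize + ct.Length + TagSize];
        Buffer.BlockCopy(iv, 0, blob, 0, IvSize);
        Buffer.BlockCopy(ct, 0, blob, IvSize, ct.Length);
        using (var hmac = new HMACSHA256(macKey))
            Buffer.BlockCopy(hmac.ComputeHash(blob, 0, IvSize + ct.Length), 0, blob, IvSize + ct.Length, TagSize);
        return blob;
    }

    // Checks the tag before touching AES and returns null on any mismatch, so a
    // tampered or truncated blob is never decrypted (no padding-oracle exposure).
    public static byte[] Open(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob == null || blob.Length < IvSize + 16 + TagSize) return null;  // IV + one block + tag
        int bodyLen = blob.Length - TagSize;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(blob, 0, bodyLen);
        int diff = 0;                    // constant-time comparison of the 32-byte tag
        for (int i = 0; i < TagSize; i++) diff |= expected[i] ^ blob[bodyLen + i];
        if (diff != 0) return null;
        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
        return Cbc(false, encKey, iv, blob, IvSize, bodyLen - IvSize);
    }
}
```

A null from `Open` means the blob failed authentication and should be treated as an error, never retried with a different key.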
7 - Broken Authentication/Sessions
Broken Authentication/Sessions
• Don’t roll your own!
• Validate sessions on every request
• Check the browser string
6 – Information Leakage
Information Leakage
• Don’t show raw errors
• Catch errors “properly”
• Don’t upload PDBs or debug assemblies
• Encrypt web.config parts
• Encrypt ViewState
• Watch your CSS!
• For Ajax, UpdatePanels are more secure
• Turn off meta data in web services
5 – Cross Site Request Forgery
Cross Site Request Forgery
• Lock ViewState using ViewStateUserKey
– Needs a way to identify user
– Set in Page_Init
• Use a CSRF token – http://anticsrf.codeplex.com
• Encourage users to log out
• GET requests must be idempotent
• When is a postback not a postback?
4 – Insecure Direct Object Reference
Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions
3 – Malicious File Execution
Malicious File Execution
• Remove Scripting IIS permission
• Store outside of application root
• Never believe the MIME type for uploads
2 – Injection Flaws
Injection Flaws
• SQL
– Use SQL parameters
– Remove direct SQL table access
• XPath
– Use XsltContext
– http://mvpxml.codeplex.com/
1 – Cross Site Scripting
XSS
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=javascript:alert('XSS')>
XSS
• All input is evil
• Work from white-lists not black-lists.
• Store un-encoded data in your database
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
– Better HTML/URL Encoding
– Adds HTML Attribute, Javascript, JSON, VBScript
• XSS Cheat Sheet http://ha.ckers.org/xss.html
The OWASP Top Ten
• Failure to restrict URL access
• Insecure Communications
• Insecure Cryptographic Storage
• Broken Authentication / Session Management
• Information Leakage
• Cross Site Request Forgery
• Insecure Direct Object Reference
• Malicious File Execution
• Injection Flaws
• Cross Site Scripting
Resources
• AntiXSS - http://www.codeplex.com/AntiXSS
• AntiCSRF - http://www.codeplex.com/AntiCSRF
• P&P Guidance Explorer - http://www.codeplex.com/guidanceExplorer
• Fiddler – http://www.fiddlertool.com
• TamperData – https://addons.mozilla.org/en-US/firefox/addon/966
Questions