Don’t get Stung (An introduction to the OWASP Top Ten Project)
Don’t get Stung (An introduction to the OWASP Top Ten Project)
Barry Dorrans, Microsoft Information Security Tools
NEW AND IMPROVED!
Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software
Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ...
[email protected] / http://idunno.org
10 – Unvalidated Redirects and Forwards
Unvalidated Redirect and Forwards
• Users don’t check the address bar
• MVC’s default AccountController (pre-3.0) redirects to ReturnUrl unchecked, so it is vulnerable
• Check the ReturnUrl parameter: http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
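The ReturnUrl check the linked post arrives at, as an added example (not code from the talk): accept only a path on this site and refuse the two spellings, "//host" and "/\host", that browsers treat as a different host. MVC 3 ships the same logic as Url.IsLocalUrl(); earlier versions need it by hand. The home-page fallback and the probe URLs are assumptions for the demo.

```csharp
using System;

public static class ReturnUrlCheck
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // "/" or "/path", but not "//evil.example" or "/\evil.example"
        bool rootRelative = url[0] == '/' &&
            (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));

        // "~/path": ASP.NET application-relative, always resolved on this site
        bool appRelative = url.Length > 1 && url[0] == '~' && url[1] == '/';

        return rootRelative || appRelative;
    }

    // Where LogOn sends the user afterwards: the requested page if it is local,
    // otherwise the site's home page (the fallback "/" is an assumption).
    public static string RedirectTarget(string returnUrl)
    {
        return IsLocalUrl(returnUrl) ? returnUrl : "/";
    }

    public static void Main()
    {
        string[] probes = {
            "/Account/ChangePassword", "~/Orders/42", "/",
            "//evil.example/login", "/\\evil.example", "http://evil.example/",
            "javascript:alert(1)", "", null
        };
        foreach (string p in probes)
            Console.WriteLine("{0,-26} -> {1}", p ?? "(null)", RedirectTarget(p));
    }
}
```

Absolute URLs are rejected outright rather than compared against the site's host name: a host-name comparison is easy to get wrong (trailing dots, userinfo, case), and a login page never needs to send the user off-site.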
9 – Insufficient Transport Layer Protection
Insufficient Transport Layer Protection
• Use SSL (TLS)
• Protect communications between the web server and backend systems too (SSL, IPsec etc.)
• Replay attacks: use time-limited tokens
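A time-limited, single-use request token of the kind the last bullet calls for, as an added example (not code from the talk). The token is an expiry, a random nonce and an HMAC-SHA256 over both under a key shared with the backend; the backend rejects anything tampered, expired or already seen. The 30-second lifetime, the in-memory nonce set and the demo key are assumptions. This only stops a captured request being submitted again; the channel itself still needs TLS or IPsec.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class ReplayToken
{
    public static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(30);
    // Nonces accepted so far. A real backend would share this across nodes and
    // prune entries once their expiry has passed.
    static readonly HashSet<string> usedNonces = new HashSet<string>();

    public static string Issue(byte[] key, DateTime nowUtc)
    {
        byte[] nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonce);
        string body = (nowUtc + Lifetime).Ticks + "|" + Convert.ToBase64String(nonce);
        return body + "|" + Convert.ToBase64String(Mac(key, body));   // base64 never contains '|'
    }

    // Returns null when the token is accepted, otherwise the reason it was refused.
    public static string Validate(byte[] key, string token, DateTime nowUtc)
    {
        string[] parts = token.Split('|');
        if (parts.Length != 3) return "malformed";
        byte[] given;
        try { given = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return "malformed"; }

        // Check the MAC first, so nothing below runs on attacker-shaped data.
        if (!FixedTimeEquals(Mac(key, parts[0] + "|" + parts[1]), given)) return "bad signature";

        long expires;
        if (!long.TryParse(parts[0], out expires) || nowUtc.Ticks > expires) return "expired";

        lock (usedNonces)
        {
            if (!usedNonces.Add(parts[1])) return "replayed";   // seen before
        }
        return null;
    }

    static byte[] Mac(byte[] key, string data)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Compare every byte so a wrong MAC takes as long to reject as a nearly-right one.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        DateTime now = DateTime.UtcNow;

        string token = Issue(key, now);
        Console.WriteLine(Validate(key, token, now) ?? "accepted");                  // accepted
        Console.WriteLine(Validate(key, token, now) ?? "accepted");                  // replayed
        Console.WriteLine(Validate(key, Issue(key, now), now.AddMinutes(1)) ?? "accepted"); // expired
        Console.WriteLine(Validate(key, "9" + token, now) ?? "accepted");            // bad signature
    }
}
```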
8 – Failure to restrict URI access
Failure to restrict URI access
• Security by obscurity is useless
• Restrict via ASP.NET; no rolling your own!
• The IIS7 integrated pipeline restricts everything (static files and handlers, not just .aspx pages)
• Use [PrincipalPermission] to protect yourself
• IIS7 replaces file ACLs with a web.config-based authorization list
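A web.config authorization list of the kind the last bullet describes, as an added example (not configuration from the talk). The paths, the role name and the login page location are assumptions. One caveat a practitioner runs into: under the IIS7 integrated pipeline the managed UrlAuthorization module is registered with a managedHandler precondition, so it skips static files unless it is re-registered without that precondition, as in the last section below.

```xml
<configuration>
  <system.web>
    <!-- Default for the whole application: deny anonymous users ("?").
         Rules are evaluated top to bottom and the first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Only members of the Admins role may reach anything under /Admin. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page must stay reachable by anonymous users, or nobody can log in. -->
  <location path="Account/LogOn">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <modules>
      <!-- Drop the managedHandler precondition so the rules above also cover
           static files and non-ASP.NET handlers in integrated mode. -->
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
  </system.webServer>
</configuration>
```

[PrincipalPermission] on the page class or action method is the second layer: if a route or a copied handler ever escapes the URL rules, the method itself still refuses to run for the wrong role.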
7 – Insecure Cryptographic Storage
Insecure Cryptographic Storage
• Symmetric: the same key encrypts and decrypts
• Asymmetric: public/private key pair
• Use safe algorithms:
  – Hashing: SHA256
  – Symmetric: AES
  – Asymmetric: CMS/PKCS#7 (EnvelopedCms / SignedCms in .NET)
• Encrypt, then sign
Insecure Cryptographic Storage
• Use symmetric when:
  – All systems are under your control
  – There is no need to identify who did the encryption
• Use asymmetric when:
  – Talking to / accepting data from external systems
  – You need non-repudiation of who encrypted or signed (X.509 certificates)
  – Asymmetric operations work on a buffer held entirely in memory, so no large plaintexts!
• Combine the two for speed and security: encrypt the data with a random symmetric key, then protect that key with the recipient’s public key (which is what CMS/PKCS#7 enveloping does)
Insecure Cryptographic Storage
• Do not reuse keys for different purposes
• Store keys outside the main database
• Use CryptGenRandom for random numbers (RNGCryptoServiceProvider in .NET, never System.Random)
• Use and rotate salts
• Use unique IVs
• DPAPI can provide a key store
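The storage recipe from the three slides above in code, as an added example (not code from the talk): AES-CBC with a fresh random IV per record, an HMAC-SHA256 over IV and ciphertext that is verified before anything is decrypted (encrypt, then authenticate), separate keys for encryption and for the MAC, random bytes from RNGCryptoServiceProvider, and the keys kept in files outside the database wrapped by DPAPI (ProtectedData, in System.Security.dll). The key file names, the DPAPI scope and the sample record are assumptions; an IIS application would normally use DataProtectionScope.LocalMachine or the app pool identity.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class RecordProtector
{
    const int IvLen = 16, TagLen = 32;

    // RNGCryptoServiceProvider calls CryptGenRandom under the hood.
    public static byte[] NewKey(int length)
    {
        var key = new byte[length];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        return key;
    }

    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (var aes = new AesCryptoServiceProvider { Key = encKey })   // CBC + PKCS7 by default
        {
            aes.GenerateIV();                                             // unique IV per record
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] ivAndCipher = Concat(aes.IV, cipher);
            using (var hmac = new HMACSHA256(macKey))                     // MAC key is not the AES key
                return Concat(ivAndCipher, hmac.ComputeHash(ivAndCipher));
        }
    }

    public static byte[] Unprotect(byte[] encKey, byte[] macKey, byte[] blob)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("Blob truncated");
        byte[] ivAndCipher = Slice(blob, 0, blob.Length - TagLen);
        byte[] tag = Slice(blob, blob.Length - TagLen, TagLen);
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(ivAndCipher);
        if (!FixedTimeEquals(expected, tag))                              // verify BEFORE decrypting
            throw new CryptographicException("Record has been tampered with");
        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = Slice(ivAndCipher, 0, IvLen) })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(ivAndCipher, IvLen, ivAndCipher.Length - IvLen);
    }

    // Keys live in files outside the database, wrapped by DPAPI.
    public static void SaveKey(string path, byte[] key)
    {
        File.WriteAllBytes(path, ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser));
    }

    public static byte[] LoadKey(string path)
    {
        return ProtectedData.Unprotect(File.ReadAllBytes(path), null, DataProtectionScope.CurrentUser);
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    static byte[] Slice(byte[] src, int offset, int count)
    {
        var r = new byte[count];
        Buffer.BlockCopy(src, offset, r, 0, count);
        return r;
    }

    // Compare every byte so a wrong tag takes the same time to reject as a nearly-right one.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        SaveKey("enc.key", NewKey(32));
        SaveKey("mac.key", NewKey(32));
        byte[] encKey = LoadKey("enc.key"), macKey = LoadKey("mac.key");

        byte[] blob = Protect(encKey, macKey, Encoding.UTF8.GetBytes("card token 4111-xxxx (constructed)"));
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(encKey, macKey, blob)));

        blob[IvLen + 2] ^= 0x01;   // flip one ciphertext bit
        try { Unprotect(encKey, macKey, blob); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Two records with the same plaintext produce different blobs because of the IV, and flipping a single bit anywhere in the blob is refused before the AES key is ever used, so padding-oracle style probing of the decryptor gets nothing back.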
6 – Security Misconfiguration
Security Misconfiguration
• PATCH PATCH PATCH
• IIS7 App Pool Isolation: http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/
• URLScan
• Security Runtime Engine (CTP)
• Disable unused modules, accounts etc.
Security Misconfiguration

The default ASP.NET httpModules list:

```xml
<httpModules>
  <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
  <add name="Session" type="System.Web.SessionState.SessionStateModule" />
  <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
  <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
  <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
  <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
  <add name="Profile" type="System.Web.Profile.ProfileModule" />
</httpModules>
```
Security Misconfiguration

Remove the modules you do not use in your application’s web.config:

```xml
<httpModules>
  <remove name="PassportAuthentication" />
  <remove name="Profile" />
  <remove name="AnonymousIdentification" />
</httpModules>
```

• NB: Some modules depend on others. Forms authentication needs the caching module. There’s no easy way to tell!
5 – Cross Site Request Forgery
Cross Site Request Forgery
• WebForms
  – Lock ViewState using ViewStateUserKey
    • Needs a way to identify the user
    • Set in Page_Init
  – Use a CSRF token: http://anticsrf.codeplex.com
• MVC
  – <%= Html.AntiForgeryToken() %> in the form
  – [ValidateAntiForgeryToken] on the action method
• Encourage users to log out
• When is a postback not a postback?
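Where the two mechanisms on this slide go, as an added example (not code from the talk). The page, controller and action names are placeholders; the snippet references System.Web.dll and System.Web.Mvc.dll.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// WebForms: bind the ViewState MAC to the current user. This has to happen in
// Page_Init, because ViewState is loaded (and its MAC checked) straight after
// Init; it only does anything while enableViewStateMac is on (the default),
// and it needs a value that identifies the user, here the session ID.
public partial class Checkout : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        if (Session != null)
            ViewStateUserKey = Session.SessionID;
    }
}

// MVC: the view contains <%= Html.AntiForgeryToken() %>, which writes the
// hidden __RequestVerificationToken field and sets the matching cookie; the
// action that changes state demands both. Restrict it to POST as well: the
// anti-forgery field only travels in a form post, so a state change that also
// answers GET has nothing protecting it ("when is a postback not a postback?").
public class OrderController : Controller
{
    [HttpGet]
    public ActionResult Confirm(int orderId)
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Confirm(int orderId, bool agreed)
    {
        // Only reached when the hidden field and the cookie are present and agree.
        return RedirectToAction("Receipt", new { orderId });
    }
}
```

The last two bullets are the operational side of the same control: a token bound to a session that has been logged out cannot be forged against, and a handler that performs an action on a plain GET (a link, an image tag, a prefetch) is not protected by anything that checks form posts.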
4 – Insecure Direct Object Reference
Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions
• For MVC, don’t allow binding to your ID field: [Bind(Exclude="id")]
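The first two bullets together, as an added example (not code from the talk): the list page hands out random per-user handles instead of database IDs, and the detail page still re-checks ownership when a handle comes back, so neither guessing an ID nor borrowing another user’s handle gets a record. The in-memory store, the users and the documents are constructed for the demo; a real application would keep the handle map in session state.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public class Document
{
    public int Id;
    public string Owner;
    public string Title;
}

public class DocumentService
{
    readonly Dictionary<int, Document> byId = new Dictionary<int, Document>();
    // One handle map per user, filled when that user's list is rendered.
    readonly Dictionary<string, Dictionary<string, int>> handles =
        new Dictionary<string, Dictionary<string, int>>();

    public DocumentService(IEnumerable<Document> docs)
    {
        foreach (Document d in docs) byId[d.Id] = d;
    }

    // What the list page renders: an opaque handle per document the user owns.
    public IDictionary<string, string> ListFor(string user)
    {
        var map = new Dictionary<string, int>();
        var view = new Dictionary<string, string>();
        foreach (Document d in byId.Values)
        {
            if (d.Owner != user) continue;
            string handle = NewHandle();
            map[handle] = d.Id;
            view[handle] = d.Title;
        }
        handles[user] = map;
        return view;
    }

    // What the detail page does with the handle from the query string.
    public Document Open(string user, string handle)
    {
        Dictionary<string, int> map;
        int id;
        if (!handles.TryGetValue(user, out map) || !map.TryGetValue(handle, out id))
            throw new UnauthorizedAccessException("No such document for this user");

        Document doc = byId[id];
        // Re-check ownership anyway: the map is a convenience, the permission check is the control.
        if (doc.Owner != user)
            throw new UnauthorizedAccessException("Not the owner");
        return doc;
    }

    static string NewHandle()
    {
        var b = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(b);
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new DocumentService(new[] {
            new Document { Id = 41, Owner = "alice", Title = "Alice's payroll" },
            new Document { Id = 42, Owner = "bob",   Title = "Bob's notes" } });

        string aliceHandle = null;
        foreach (KeyValuePair<string, string> kv in svc.ListFor("alice"))
        {
            aliceHandle = kv.Key;
            Console.WriteLine(kv.Key + " -> " + kv.Value);
        }
        Console.WriteLine(svc.Open("alice", aliceHandle).Title);      // Alice's own document

        // Bob tries Alice's handle and both raw database IDs: all refused.
        foreach (string probe in new[] { aliceHandle, "41", "42" })
        {
            try { svc.Open("bob", probe); }
            catch (UnauthorizedAccessException e) { Console.WriteLine("bob/" + probe + ": " + e.Message); }
        }
    }
}
```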
3 - Broken Authentication/Sessions
Broken Authentication/Sessions
• Don’t roll your own!
• If you must validate sessions on every request, check the browser (User-Agent) string, not the IP address
2 – Cross Site Scripting
XSS
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=javascript:alert('XSS')>
XSS
• All input is evil
• Work from white-lists, not black-lists
• Store un-encoded data in your database; encode on output, for the context it is written into
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL encoding
  – Adds HTML attribute, JavaScript and VBScript encoders
• XSS Cheat Sheet http://ha.ckers.org/xss.html
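The white-list and the per-context encoding from this slide applied to the IMG payloads on the previous one, as an added example (not code from the talk). It uses the encoders in System.Web.HttpUtility (JavaScriptStringEncode needs .NET 4); the AntiXSS library’s Microsoft.Security.Application.Encoder offers the same set with a white-list approach. The placeholder image path and the sample inputs are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility, in System.Web.dll

public static class SafeOutput
{
    // White-list for an <img src>: an absolute http or https URL and nothing
    // else, so every spelling of javascript: is refused, whatever its case.
    public static bool IsAllowedImageUrl(string candidate)
    {
        Uri uri;
        return Uri.TryCreate(candidate, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    // HTML attribute context. HtmlAttributeEncode does not encode the single
    // quote, so the attribute must be double-quoted, as it is here.
    public static string ImageTag(string src, string alt)
    {
        if (!IsAllowedImageUrl(src)) src = "/images/blank.gif";   // placeholder, an assumption
        return "<img src=\"" + HttpUtility.HtmlAttributeEncode(src) +
               "\" alt=\"" + HttpUtility.HtmlAttributeEncode(alt) + "\" />";
    }

    // HTML element content context.
    public static string Paragraph(string text)
    {
        return "<p>" + HttpUtility.HtmlEncode(text) + "</p>";
    }

    // JavaScript string context: a value dropped into a script block needs the
    // JavaScript encoder, not the HTML one. The variable name is code, not data,
    // so it is restricted to an identifier rather than encoded.
    static readonly Regex Identifier = new Regex("^[A-Za-z_][A-Za-z0-9_]*$");

    public static string ScriptVar(string name, string value)
    {
        if (!Identifier.IsMatch(name)) throw new ArgumentException("not an identifier", "name");
        // The second argument wraps the result in double quotes.
        return "<script>var " + name + " = " + HttpUtility.JavaScriptStringEncode(value, true) + ";</script>";
    }

    public static void Main()
    {
        Console.WriteLine(ImageTag("javascript:alert('XSS')", "logo"));
        Console.WriteLine(ImageTag("JaVaScRiPt:alert('XSS')", "logo"));
        Console.WriteLine(ImageTag("http://cdn.example/logo.png", "\" onerror=\"alert(1)"));
        Console.WriteLine(Paragraph("<script>alert('XSS')</script>"));
        Console.WriteLine(ScriptVar("userName", "</script><script>alert(1)</script>"));
    }
}
```

The first two calls render the blank image because the scheme is not on the white-list; the third keeps the URL but the quote in the alt text comes out as an entity, so it cannot close the attribute; the last two show why the HTML encoder alone is not enough once output lands inside a script block.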
1 – Injection Flaws
Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
  – When building SQL strings within stored procedures, parameterise those too (sp_executesql)!
• XPath
  – Use XsltContext to pass values as XPath variables instead of concatenating them
  – http://mvpxml.codeplex.com/
Injection Flaws
Parameterising dynamic SQL inside a stored procedure that takes @first and @last as parameters:

```sql
DECLARE @cmd nvarchar(max);
SET @cmd = N'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last';
EXEC sp_executesql @cmd, N'@first nvarchar(25), @last nvarchar(25)', @first, @last;
```
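The same search called from .NET, as an added example (not code from the talk): the values travel as parameters so no input can alter the statement, the LIKE wildcards are escaped so a bare "%" cannot dump the table, and the input length is checked first because a SqlParameter whose Size is smaller than its value is truncated silently. The connection string and column width are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerSearch
{
    // The vulnerable shape: input is spliced into the SQL text.
    public static string UnsafeSql(string first)
    {
        return "SELECT * FROM Customer WHERE FirstName LIKE '" + first + "%'";
    }

    // LIKE treats %, _ and [ as wildcards; a parameter stops injection, not
    // wildcard abuse. Escape with [...] (SQL Server syntax); '[' is replaced
    // first so the brackets this adds are not themselves escaped.
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    public static SqlCommand BuildSearch(SqlConnection conn, string first, string last)
    {
        // The column is nvarchar(25). Reject over-long input here rather than
        // letting the parameter truncate it.
        if (first.Length > 25 || last.Length > 25) throw new ArgumentException("name too long");

        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT CustomerId, FirstName, LastName FROM Customer " +
            "WHERE FirstName LIKE @first OR LastName LIKE @last";
        // Size leaves room for escaping (up to 3 chars per input char) plus the trailing %.
        cmd.Parameters.Add("@first", SqlDbType.NVarChar, 80).Value = EscapeLike(first) + "%";
        cmd.Parameters.Add("@last", SqlDbType.NVarChar, 80).Value = EscapeLike(last) + "%";
        return cmd;
    }

    public static void Main()
    {
        string evil = "x' OR 1=1 --";
        Console.WriteLine(UnsafeSql(evil));                 // the statement an attacker rewrote

        using (var conn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true"))
        using (SqlCommand cmd = BuildSearch(conn, evil, "%"))
        {
            Console.WriteLine(cmd.CommandText);             // unchanged, whatever the input
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
            // conn.Open(); using (SqlDataReader r = cmd.ExecuteReader()) { ... }
        }
    }
}
```

The "Remove direct SQL table access" bullet is the complement to this: when the application login can only execute the search procedure, even an injection bug somewhere else has no table to read.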
Changes from 2007
• Dropped from the 2007 list: Malicious File Execution; Information Leakage / Improper Error Handling
• New in the 2010 list: Security Misconfiguration; Unvalidated Redirects and Forwards
The OWASP Top Ten
• A1 – Injection
• A2 – Cross Site Scripting (XSS)
• A3 – Broken Authentication and Session Management
• A4 – Insecure Direct Object References
• A5 – Cross Site Request Forgery (CSRF)
• A6 – Security Misconfiguration
• A7 – Insecure Cryptographic Storage
• A8 – Failure to Restrict URL Access
• A9 – Insufficient Transport Layer Protection
• A10 – Unvalidated Redirects and Forwards
Mandatory Book Pimping
Questions