OWASP Top 10 No-No's
Transcript of OWASP Top 10 No-No's
OWASP Top 10 No-No’s – Ioannis Stavrinides
The speaker
• Currently at Printec (Cyprus) – Senior Technical Analyst
• MCSE (Private Cloud), MCSA (Windows Server), MCPD (Web), MCTS (SQL)
• Security Enthusiast
• @indigocy
• http://dnetexperience.blogspot.com – Development
• http://indigocy.blogspot.com – Security and more
What is OWASP
• Open Web Application Security Project
• www.owasp.org
• Not-For-Profit organization focused on improving the security of software
• Regularly releases the OWASP Top 10, a list of the most common vulnerabilities in web applications.
• Last release 2010. 2013 Release Candidate is available.
The list (2010)
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
The list (2010) – cont.
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Injection
• Allowing untrusted data to be sent to a system
• Demo
Injection – Mitigations
• Input sanitization
• Regular Expressions to create white lists
• Parameterized stored procedures
• Named parameters in queries
• SELECT * FROM Products WHERE Id = @Id
• LINQ
• dc.Products.Where(p => p.Name.Contains(<val>))
• Principle of least privilege
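As an added example (not from the talk), the concatenated query beside the parameterized form of the slide's `SELECT * FROM Products WHERE Id = @Id`; `conn` is assumed to be an open SqlConnection supplied by the caller:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductLookup
{
    // Vulnerable: the untrusted id becomes part of the SQL text.
    // An id of "1 OR 1=1" changes the meaning of the statement.
    public static SqlCommand BuildUnsafe(SqlConnection conn, string id)
    {
        return new SqlCommand("SELECT * FROM Products WHERE Id = " + id, conn);
    }

    // Hardened: the shape is whitelisted first (an Id must be an integer),
    // then the value travels as a typed parameter, never as SQL text.
    public static SqlCommand BuildSafe(SqlConnection conn, string id)
    {
        int parsedId;
        if (!int.TryParse(id, out parsedId))
            throw new ArgumentException("Id must be numeric", "id");

        var cmd = new SqlCommand("SELECT * FROM Products WHERE Id = @Id", conn);
        cmd.Parameters.Add("@Id", SqlDbType.Int).Value = parsedId;
        return cmd;
    }
}
```

The LINQ form on the slide is parameterized the same way by the provider, which is why `Contains(val)` is safe while string concatenation is not.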
Cross-Site Scripting (XSS)
• Untrusted data is accepted and rendered into the page, allowing script to be injected
• Demo
Cross-Site Scripting (XSS) – Mitigations
• Validate all input
• White lists (but be careful of encoded input!)
• Use ASP.Net request validation
• Do not set validateRequest="false" in the Page directive or web.config
• Encode HTML output
• Server.HtmlEncode
• Anti-XSS library (CodePlex)
• Security Runtime Engine (SRE) – HTTP module
• Map controls to encode automatically
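An added example, not the talk's own code, of the two halves of the slide: a whitelist that is applied to the fully decoded value (the "careful of encoded input" caveat) and output encoding with `HttpUtility.HtmlEncode`, which is what `Server.HtmlEncode` calls. The name rule is an assumption:

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class NameField
{
    // Whitelist for a person's name (assumed rule): letters, spaces, hyphens, apostrophes.
    static readonly Regex Allowed = new Regex(@"^[\p{L} '\-]{1,40}$", RegexOptions.CultureInvariant);

    // Decode until the value stops changing, so a double-encoded "%253Cscript%253E"
    // or an entity form such as "&#60;script&#62;" is validated as what the browser will see.
    static string FullyDecode(string s)
    {
        string previous;
        do
        {
            previous = s;
            s = HttpUtility.HtmlDecode(HttpUtility.UrlDecode(s));
        } while (s != previous);
        return s;
    }

    public static bool IsValidName(string raw)
    {
        return raw != null && Allowed.IsMatch(FullyDecode(raw));
    }

    // Output side, independent of validation (defence in depth):
    // "<script>" is rendered as "&lt;script&gt;" and never executes.
    public static string RenderGreeting(string name)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>";
    }
}
```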
Broken Authentication and Session Mgmt
• Authentication and session management are incorrectly implemented or configured, exposing their details to an outsider.
• This allows the attacker to steal credentials or session tokens, or to exploit implementation flaws to gain access to the system.
• Demo
Broken Authentication and Session Mgmt Mitigations
• ASP.Net membership and role providers
• Can handle everything authentication related for a forms based authentication web application
• Encryption
• Passwords should not be sent or stored in the clear
• Password recovery should be done via email using one-time links
• SMTP is not a secure protocol!
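An added example (not from the talk) of the one-time password-recovery link: the e-mailed token is random, only its hash is stored, and it is valid once and only until it expires. The in-memory dictionary is a constructed stand-in for a database table and is not thread-safe:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public class ResetTokenStore
{
    class Entry { public string UserId; public DateTime Expires; public bool Used; }

    // Keyed by SHA-256 of the token: a leaked table cannot be used to build links.
    readonly Dictionary<string, Entry> entries = new Dictionary<string, Entry>();
    static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    // Returns the raw token to put in the e-mailed link (e.g. /reset?token=...).
    public string Issue(string userId, TimeSpan lifetime)
    {
        var raw = new byte[32];
        Rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        entries[Hash(token)] = new Entry { UserId = userId, Expires = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // Valid exactly once and only before expiry; returns the owning user or null.
    public string Redeem(string token)
    {
        Entry e;
        if (token == null || !entries.TryGetValue(Hash(token), out e)) return null;
        if (e.Used || DateTime.UtcNow > e.Expires) return null;
        e.Used = true;
        return e.UserId;
    }

    static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

Because the link travels over SMTP in the clear, keep the lifetime short (minutes, not days) and invalidate it on first use as above.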
Insecure Direct Object Reference
• Exposed references to internal implementation objects (e.g. files, database keys, dictionaries) without correct access rules
• Demo
Insecure Direct Object Reference Mitigations
• Access Control
• WCF has a lot of ways to leverage an authorization model
• Indirect Reference Map
• Substitute the internal ID with a safe identifier (e.g. a GUID)
• Do not use discoverable references (e.g. sequential identifiers)
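An added example (not from the talk) of the indirect reference map: one instance is kept per user in Session, so the browser only ever sees random GUIDs and a GUID belonging to another user's session is simply unknown. The access-control check on the internal id is still required; the map only removes enumeration:

```csharp
using System;
using System.Collections.Generic;

// Store one instance in Session (serializable for StateServer/SQL session state).
[Serializable]
public class IndirectReferenceMap
{
    readonly Dictionary<Guid, int> toInternal = new Dictionary<Guid, int>();
    readonly Dictionary<int, Guid> toExternal = new Dictionary<int, Guid>();

    // Call when rendering a link: the same internal id maps to the same GUID
    // within a session, and the GUID reveals nothing about neighbouring records.
    public Guid ToExternal(int internalId)
    {
        Guid g;
        if (!toExternal.TryGetValue(internalId, out g))
        {
            g = Guid.NewGuid();
            toExternal[internalId] = g;
            toInternal[g] = internalId;
        }
        return g;
    }

    // Call when handling the request: a malformed or forged GUID yields null,
    // never a guessable fallback such as 0.
    public int? ToInternal(string externalId)
    {
        Guid g;
        int id;
        if (!Guid.TryParse(externalId, out g)) return null;
        return toInternal.TryGetValue(g, out id) ? id : (int?)null;
    }
}
```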
Cross-Site Request Forgery (CSRF)
• Authentication information of a user logged on to an application is leveraged to send a forged HTTP request
• Also known as the confused deputy problem.
• The deputy is a compilation service
• Clients can specify input and output file names
• A file named BILL contains billing info and is accessible only by the deputy
• Demo
Cross-Site Request Forgery (CSRF) Mitigations
• One-Time Synchronizer Token
• One time random value to validate a single request
• Claims based authentication can be leveraged
• Secure Token Service (STS)
• CAPTCHA (?)
• Good because it mitigates automated CSRF attacks
• Has issues of its own…
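An added example (not from the talk) of the one-time synchronizer token in a Web Forms base page: the token is validated before any Load logic runs, spent whether or not it matched, and a fresh one is issued on every render. The hidden-field name is an assumption and the page must have session state enabled:

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class CsrfProtectedPage : Page
{
    const string TokenKey = "__csrfToken";   // assumed hidden-field / session key

    protected override void OnLoad(EventArgs e)
    {
        if (Request.HttpMethod == "POST")
        {
            bool ok = FixedTimeEquals(Request.Form[TokenKey], Session[TokenKey] as string);
            Session.Remove(TokenKey);          // one-time: valid or not, the token is spent
            if (!ok) throw new HttpException(403, "CSRF token missing or invalid");
        }
        base.OnLoad(e);                        // Page_Load and control events run only after the check
    }

    // Runs before Render: issue the value the next submission must carry.
    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        var bytes = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        Session[TokenKey] = token;
        ClientScript.RegisterHiddenField(TokenKey, token);
    }

    // Compare every character so timing does not reveal how much of a guess matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A strictly one-time token means a form opened in two tabs fails in the second; a per-session token avoids that at the cost of the single-request property the slide describes.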
Security Misconfiguration
• All configurations of the application (application configuration, frameworks, web server configurations etc) must be set-up in a secure manner and updated when necessary.
• The tyranny of the default
• Demo
Security Misconfiguration – Mitigations
• Clearly defined update methods
• Non-generic error messages
• Do not expose trace information
• Do not use debug binaries
• Enable request validation
• Principle of least privilege
• …
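An added example (not from the talk) of turning the slide's mitigations into a startup check that fails loudly when web.config still carries development-time settings; the method is assumed to be called from Application_Start in Global.asax:

```csharp
using System;
using System.Collections.Generic;
using System.Web.Configuration;

public static class ConfigAudit
{
    // Each finding names the web.config setting that is still in its insecure default.
    public static List<string> Findings()
    {
        var findings = new List<string>();

        var compilation = (CompilationSection)WebConfigurationManager.GetSection("system.web/compilation");
        if (compilation != null && compilation.Debug)
            findings.Add("<compilation debug=\"true\">: debug binaries and verbose errors");

        var errors = (CustomErrorsSection)WebConfigurationManager.GetSection("system.web/customErrors");
        if (errors != null && errors.Mode == CustomErrorsMode.Off)
            findings.Add("<customErrors mode=\"Off\">: stack traces shown to remote users");

        var trace = (TraceSection)WebConfigurationManager.GetSection("system.web/trace");
        if (trace != null && trace.Enabled && !trace.LocalOnly)
            findings.Add("<trace enabled=\"true\" localOnly=\"false\">: trace.axd reachable remotely");

        var pages = (PagesSection)WebConfigurationManager.GetSection("system.web/pages");
        if (pages != null && !pages.ValidateRequest)
            findings.Add("<pages validateRequest=\"false\">: request validation disabled");

        var runtime = (HttpRuntimeSection)WebConfigurationManager.GetSection("system.web/httpRuntime");
        if (runtime != null && runtime.EnableVersionHeader)
            findings.Add("<httpRuntime enableVersionHeader=\"true\">: framework version disclosed");

        return findings;
    }

    // Refuse to start rather than run with the tyranny of the default.
    public static void ThrowIfInsecure()
    {
        var f = Findings();
        if (f.Count > 0)
            throw new InvalidOperationException("Insecure web.config: " + string.Join("; ", f.ToArray()));
    }
}
```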
Insecure Cryptographic Storage
• Sensitive data not properly secured
• Demo
Insecure Cryptographic Storage - Mitigations
• Do not use your own encryption
• Proprietary does not mean secure
• Encryption algorithms are vetted by extremely clever people before use
• Again, if you were that smart, you wouldn’t be developing web applications
• Hashes must be salted
• ASP.Net membership provider
• Good key management
Failure to Restrict URL Access
• Links to restricted pages are rendered only after checking for access; the same check must also be done when the page itself is requested.
• Demo
Failure to restrict URL access - Mitigations
• Access Control on each page
• Just because it is hidden doesn’t mean it is secure
• Apply PrincipalPermission to your classes and methods
• Defence-in-depth
• Do not use your own security model
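An added example (not from the talk) of defence in depth for URL access: a declarative `PrincipalPermission` demand on the business method, plus an explicit role check in the page's code-behind that runs on every request rather than only when the link was rendered. The class names and role are assumptions:

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web;
using System.Web.UI;

// The CLR demands the role on every call, whichever page or service invokes it,
// so a page that forgets its own check still cannot reach the data.
public static class ReportService
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public static string[] SalaryReport()
    {
        return new[] { "constructed report row" };
    }
}

// Code-behind of the hidden admin page: hidden is not secure, so check here too.
public class AdminReports : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Admin"))
            throw new HttpException(403, "Forbidden");   // customErrors renders a generic page

        try
        {
            foreach (var row in ReportService.SalaryReport())
                Response.Write(Server.HtmlEncode(row) + "<br/>");
        }
        catch (SecurityException)
        {
            // Only reached if the page check and the layer check disagree; leak nothing.
            throw new HttpException(403, "Forbidden");
        }
    }
}
```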
Insufficient Transport Layer Security
• Sensitive traffic must be protected while in transit
• Demo
Insufficient Transport Layer Security Mitigations
• SSL/TLS
• Time out authenticated sessions
• Don’t mix SSL/non-SSL content
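An added example (not from the talk) of an HTTP module that forces TLS and tells browsers to stay on it, which also prevents mixed content being fetched over plain HTTP from the same host. The module name is assumed and must be registered in web.config; the authentication timeout and cookie flags the slide calls for stay in web.config as `<forms requireSSL="true" timeout="20" slidingExpiration="false"/>` and `<httpCookies requireSSL="true" httpOnlyCookies="true"/>`:

```csharp
using System;
using System.Web;

public class ForceTlsModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = app.Context;
            if (ctx.Request.IsSecureConnection)
            {
                // HSTS: the browser upgrades http:// references to this host for a year.
                ctx.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
                return;
            }
            if (ctx.Request.HttpMethod != "GET")
            {
                // A POST that arrived over HTTP has already exposed its body; do not replay it.
                ctx.Response.StatusCode = 403;
                app.CompleteRequest();
                return;
            }
            // Plain GET: send the browser to the same URL over HTTPS.
            var secure = new UriBuilder(ctx.Request.Url) { Scheme = Uri.UriSchemeHttps, Port = 443 };
            ctx.Response.Redirect(secure.Uri.AbsoluteUri, false);
            app.CompleteRequest();
        };
    }

    public void Dispose() { }
}
```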
Unvalidated Redirects and Forwards
• Web applications use untrusted sources to determine destination of redirects or forwards
• Demos
Unvalidated Redirects and Forwards Mitigations
• You need to take responsibility
• Use white lists
• Check the referrer page
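An added example (not from the talk) of the whitelist and referrer checks for a `returnUrl` parameter; the allowed hosts are assumed values. It also handles protocol-relative targets (`//host` and `/\host`) that look like site-relative paths but which browsers treat as absolute:

```csharp
using System;
using System.Web;

public static class SafeRedirect
{
    // Hosts we are willing to send the user to (assumed values).
    static readonly string[] AllowedHosts = { "www.example.com", "accounts.example.com" };

    // Returns the URL to redirect to, or the fallback when the target is not trusted.
    public static string Resolve(string returnUrl, string fallback)
    {
        if (string.IsNullOrEmpty(returnUrl)) return fallback;

        // A site-relative path is fine; "//evil.example" and "/\evil.example" are not.
        if (returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
            return returnUrl;

        Uri target;
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out target)
            && (target.Scheme == Uri.UriSchemeHttps || target.Scheme == Uri.UriSchemeHttp)
            && Array.IndexOf(AllowedHosts, target.Host) >= 0)
            return target.AbsoluteUri;   // Uri lower-cases the host, so the match is exact

        return fallback;   // javascript:, data:, "user@evil.example" tricks and unknown hosts all land here
    }

    // Referrer check as a secondary signal only: many legitimate requests carry no
    // Referer header, so it supports the whitelist rather than replacing it.
    public static bool ReferrerIsOurs(HttpRequest request)
    {
        Uri r = request.UrlReferrer;
        return r != null && string.Equals(r.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase);
    }
}
```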
Resources
• Inspiration from Troy Hunt
• www.troyhunt.com
• OWASP Top 10 for .Net Developers – highly recommended!
• www.owasp.org
• www.asp.net
Questions?
Thank you