OWASP Top 10 No-No's

Transcript
Page 1: OWASP Top 10 No-No's

OWASP Top 10 No-No’s

Ioannis Stavrinides

Page 2: OWASP Top 10 No-No's

The speaker

• Currently at Printec (Cyprus) – Senior Technical Analyst

• MCSE (Private Cloud), MCSA (Windows Server), MCPD (Web), MCTS (SQL)

• Security Enthusiast

• @indigocy

• http://dnetexperience.blogspot.com – Development

• http://indigocy.blogspot.com – Security and more

Page 3: OWASP Top 10 No-No's

What is OWASP

• Open Web Application Security Project

• www.owasp.org

• Not-For-Profit organization focused on improving the security of software

• Regularly releases the OWASP Top 10, a list of the most common vulnerabilities in web applications.

• Last release 2010. 2013 Release Candidate is available.

Page 4: OWASP Top 10 No-No's

The list (2010)

• Injection

• Cross-Site Scripting (XSS)

• Broken Authentication and Session Management

• Insecure Direct Object References

• Cross-Site Request Forgery (CSRF)

• Security Misconfiguration

• Insecure Cryptographic Storage

Page 5: OWASP Top 10 No-No's

The list (2010) – cont.

• Failure to Restrict URL Access

• Insufficient Transport Layer Protection

• Unvalidated Redirects and Forwards

Page 6: OWASP Top 10 No-No's

Injection

• Allowing untrusted data to be sent to a system

• Demo

Page 7: OWASP Top 10 No-No's

Injection – Mitigations

• Input sanitization

• Regular Expressions to create white lists

• Parameterized stored procedures

• Named parameters in queries

• SELECT * FROM Products WHERE Id = @Id

• LINQ

• dc.Products.Where(p => p.Name.Contains(<val>))

• Principle of least privilege
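An added example (not from the deck) putting the slide's points side by side: the vulnerable string concatenation, the parameterized form the slide quotes (SELECT * FROM Products WHERE Id = @Id), and the LINQ predicate run against an in-memory list. It assumes System.Data.SqlClient on .NET Framework; the SqlCommand is built but not executed.

```csharp
// Added example (not from the deck). Assumes System.Data.SqlClient on
// .NET Framework; the SqlCommand is built but not executed.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public class Product { public int Id { get; set; } public string Name { get; set; } }

public static class ProductQueries
{
    // VULNERABLE: untrusted text is pasted into the SQL statement itself,
    // so an input such as "1 OR 1=1" rewrites the query instead of picking one row.
    public static string UnsafeSql(string rawId)
    {
        return "SELECT * FROM Products WHERE Id = " + rawId;
    }

    // SAFE: white-list the input as an integer, then send it as a typed
    // parameter; the SQL text is fixed whatever the client submits.
    public static SqlCommand SafeCommand(string rawId)
    {
        int id;
        if (!int.TryParse(rawId, out id))
            throw new ArgumentException("Id must be an integer");
        var cmd = new SqlCommand("SELECT * FROM Products WHERE Id = @Id");
        cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
        return cmd; // real code assigns cmd.Connection and calls ExecuteReader()
    }

    // LINQ: under LINQ to SQL / Entity Framework the lambda is translated to a
    // parameterized query; here it runs on a list, so val is plain data either way.
    public static List<Product> Search(IEnumerable<Product> products, string val)
    {
        return products.Where(p => p.Name.Contains(val)).ToList();
    }

    public static void Main()
    {
        var products = new List<Product> {            // constructed sample rows
            new Product { Id = 1, Name = "Widget" },
            new Product { Id = 2, Name = "Gadget" } };
        Console.WriteLine(UnsafeSql("1 OR 1=1"));                      // matches every row
        Console.WriteLine(SafeCommand("2").Parameters["@Id"].Value);   // 2
        Console.WriteLine(Search(products, "' OR 1=1 --").Count);      // 0: just text
        try { SafeCommand("1 OR 1=1"); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```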

Page 8: OWASP Top 10 No-No's

Cross-Site Scripting (XSS)

• Allowing untrusted data into the rendered page, where the browser runs it as script

• Demo

Page 9: OWASP Top 10 No-No's

Cross-Site Scripting (XSS) – Mitigations

• Validate all input

• White lists (but be careful of encoded input!)

• Use ASP.Net request validation

• Do not set validateRequest="false" in the Page directive or web.config

• Encode HTML output

• Server.HtmlEncode

• Anti-XSS library (CodePlex)

• Security Runtime Engine (SRE) – HTTP module

• Map controls to encode automatically

Page 10: OWASP Top 10 No-No's

Broken Authentication and Session Mgmt

• Authentication and Session Management is incorrectly configured, exposing the details to an outsider.

• This allows the attacker to steal credentials or session tokens, or to exploit implementation flaws to gain access to the system.

• Demo

Page 11: OWASP Top 10 No-No's

Broken Authentication and Session Mgmt Mitigations

• ASP.Net membership and role providers

• Can handle everything authentication related for a forms-based authentication web application

• Encryption

• Passwords should not be sent or stored in the clear

• Password recovery should be done via email using one-time links

• SMTP is not a secure protocol!

Page 12: OWASP Top 10 No-No's

Insecure Direct Object Reference

• Exposed references to internal implementation objects (e.g. files, database keys, dictionaries etc.) without correct access rules

• Demo

Page 13: OWASP Top 10 No-No's

Insecure Direct Object Reference Mitigations

• Access Control

• WCF has a lot of ways to leverage an authorization model

• Indirect Reference Map

• Substitute an internal ID with a safe identifier (e.g. a GUID)

• Do not use discoverable references (e.g. sequential identifiers)
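An added example (not from the deck) of the indirect reference map the slide recommends: a per-user map that hands the client opaque GUIDs and resolves only references it issued itself. In ASP.NET the map would live in Session; the invoice numbers are constructed sample values.

```csharp
// Added example (not from the deck): an indirect reference map kept per user
// (in ASP.NET, store it in Session). Internal keys never reach the client; the
// client sees only GUIDs this map issued, so other users' keys cannot be guessed.
using System;
using System.Collections.Generic;

public class IndirectReferenceMap
{
    private readonly Dictionary<Guid, int> _toInternal = new Dictionary<Guid, int>();
    private readonly Dictionary<int, Guid> _toExternal = new Dictionary<int, Guid>();

    // Called while rendering: the app has already checked that this user may
    // see internalId, and gets back the opaque reference to put in the link.
    public Guid Expose(int internalId)
    {
        Guid external;
        if (_toExternal.TryGetValue(internalId, out external)) return external;
        external = Guid.NewGuid();
        _toInternal[external] = internalId;
        _toExternal[internalId] = external;
        return external;
    }

    // Called on the request: only references this map issued resolve. Anything
    // else (a raw key, a GUID from another user's session) is rejected.
    public bool TryResolve(string fromRequest, out int internalId)
    {
        internalId = 0;
        Guid external;
        return Guid.TryParse(fromRequest, out external)
            && _toInternal.TryGetValue(external, out internalId);
    }

    public static void Main()
    {
        var alice = new IndirectReferenceMap();         // one map per logged-in user
        string link = alice.Expose(1001).ToString();    // Alice's own invoice (sample)
        int id;
        Console.WriteLine(alice.TryResolve(link, out id) + " " + id);          // True 1001
        Console.WriteLine(alice.TryResolve("1002", out id));                   // False: raw key
        Console.WriteLine(alice.TryResolve(Guid.NewGuid().ToString(), out id)); // False: not issued
    }
}
```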

Page 14: OWASP Top 10 No-No's

Cross-Site Request Forgery (CSRF)

• Authentication information of a user logged on to an application is leveraged to send a forged HTTP request

• Also known as the confused deputy problem.

• Deputy is a compilation service

• Clients can specify input and output file names

• A file named BILL contains billing info and is accessible only by the deputy; a client that names BILL as its output file makes the deputy overwrite it with the deputy's own authority

• Demo

Page 15: OWASP Top 10 No-No's

Cross-Site Request Forgery (CSRF) Mitigations

• One-Time Synchronized Token

• One time random value to validate a single request

• Claims based authentication can be leveraged

• Secure Token Service (STS)

• CAPTCHA (?)

• Good because it mitigates automated CSRF attacks

• Has issues of its own…
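An added example (not from the deck) of the one-time synchronized token: the server issues a random token, stores it in the user's session, emits it in a hidden field, and accepts a POST only if it carries that token, which is then discarded. Session is simulated with a dictionary; the field name __csrf is an assumption.

```csharp
// Added example (not from the deck): a one-time synchronizer token. A forged
// cross-site request cannot read the token from the victim's page, so it fails;
// a replayed legitimate token fails too because the token is consumed on use.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class CsrfToken
{
    const string SessionKey = "__csrf";   // assumed field/session name

    // Issue a fresh 256-bit random token and remember it server-side.
    public static string Issue(IDictionary<string, string> session)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        session[SessionKey] = token;
        return token; // render as <input type="hidden" name="__csrf" value="...">
    }

    // Validate the posted token against the session copy in constant time and
    // consume it so that it validates exactly one request.
    public static bool Validate(IDictionary<string, string> session, string posted)
    {
        string expected;
        if (!session.TryGetValue(SessionKey, out expected) || posted == null) return false;
        session.Remove(SessionKey);                       // one-time: never reusable
        if (expected.Length != posted.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ posted[i];
        return diff == 0;
    }

    public static void Main()
    {
        var session = new Dictionary<string, string>();   // simulated session store
        string token = Issue(session);                    // GET: form rendered
        Console.WriteLine(Validate(session, token));      // True: legitimate POST
        Console.WriteLine(Validate(session, token));      // False: replay of same token
        Issue(session);
        Console.WriteLine(Validate(session, null));       // False: forged POST, no token
    }
}
```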

Page 16: OWASP Top 10 No-No's

Security Misconfiguration

• All configurations of the application (application configuration, frameworks, web server configurations etc.) must be set up in a secure manner and updated when necessary.

• The tyranny of the default

• Demo

Page 17: OWASP Top 10 No-No's

Security Misconfiguration – Mitigations

• Clearly defined update methods

• Non-generic error messages

• Do not expose trace information

• Do not use debug binaries

• Enable request validation

• Principle of least privilege

• …

Page 18: OWASP Top 10 No-No's

Insecure Cryptographic Storage

• Sensitive data not properly secured

• Demo

Page 19: OWASP Top 10 No-No's

Insecure Cryptographic Storage - Mitigations

• Do not use your own encryption

• Proprietary does not mean secure

• Encryption algorithms are vetted by extremely clever people before use

• Again, if you were that smart, you wouldn’t be developing web applications

• Hashes must be salted

• ASP.Net membership provider

• Good key management
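An added example (not from the deck) of salted password hashing using the framework's own PBKDF2 implementation (Rfc2898DeriveBytes) instead of a home-made scheme: each password gets its own random salt, and verification compares in constant time. The iteration count and storage format are assumptions.

```csharp
// Added example (not from the deck): salted PBKDF2 password storage. Equal
// passwords hash differently because each gets a fresh salt, so precomputed
// tables do not apply. Iteration count and "iter.salt.hash" format are assumed.
using System;
using System.Security.Cryptography;

public static class PasswordStorage
{
    const int Iterations = 100000;   // assumption: tune to your hardware
    const int SaltBytes = 16, HashBytes = 32;

    // Returns "iterations.salt.hash" (base64) for storage in the user table.
    public static string Hash(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashBytes);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    // Re-derives with the stored salt and iteration count; compares in constant time.
    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('.');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    public static void Main()
    {
        string a = Hash("correct horse"), b = Hash("correct horse");
        Console.WriteLine(a == b);                        // False: different salts
        Console.WriteLine(Verify("correct horse", a));    // True
        Console.WriteLine(Verify("wrong password", a));   // False
    }
}
```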

Page 20: OWASP Top 10 No-No's

Failure to Restrict URL Access

• Links to restricted pages are rendered only after an access check. The same check must also be done when the page itself is requested.

• Demo

Page 21: OWASP Top 10 No-No's

Failure to restrict URL access - Mitigations

• Access Control on each page

• Just because it is hidden doesn’t mean it is secure

• Apply principal permission to your classes and methods

• Defence-in-depth

• Do not use your own security model

Page 22: OWASP Top 10 No-No's

Insufficient Transport Layer Security

• Sensitive traffic must be protected while in transit

• Demo

Page 23: OWASP Top 10 No-No's

Insufficient Transport Layer Security Mitigations

• SSL/TLS

• Time out authenticated sessions

• Don’t mix SSL/non-SSL content

Page 24: OWASP Top 10 No-No's

Unvalidated Redirects and Forwards

• Web applications use untrusted sources to determine destination of redirects or forwards

• Demos

Page 25: OWASP Top 10 No-No's

Unvalidated Redirects and Forwards Mitigations

• You need to take responsibility

• Use white lists

• Check the referrer page
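An added example (not from the deck) of the two mitigations above: a white-list check on the redirect target and a check of the Referer header. The allowed host names are assumed values; a target passes only as a local path or an http(s) URL to a listed host, and scheme-relative ("//host"), backslash and javascript: forms are rejected.

```csharp
// Added example (not from the deck): white-list validation of a redirect
// target plus a Referer check. AllowedHosts holds assumed sample values.
using System;
using System.Collections.Generic;

public static class RedirectGuard
{
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.com", "shop.example.com" };

    public static bool IsSafeTarget(string target)
    {
        if (string.IsNullOrWhiteSpace(target)) return false;
        // Local path: exactly one leading slash. Browsers read "//evil" and "/\evil"
        // as scheme-relative URLs to another host, so those are not local.
        if (target[0] == '/') return target.Length == 1 || (target[1] != '/' && target[1] != '\\');
        Uri uri;
        if (!Uri.TryCreate(target, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        return AllowedHosts.Contains(uri.Host);   // Host excludes userinfo such as "ours@evil"
    }

    // The Referer header is optional and client-controlled, so a mismatch is a
    // reason to fall back to the default page, not the only control in place.
    public static bool RefererIsOurs(string referer)
    {
        Uri uri;
        return referer != null
            && Uri.TryCreate(referer, UriKind.Absolute, out uri)
            && AllowedHosts.Contains(uri.Host);
    }

    public static void Main()
    {
        string[] targets = { "/account", "//evil.example", "/\\evil.example",   // constructed inputs
            "https://shop.example.com/cart", "https://www.example.com@evil.example/",
            "http://www.example.com.evil.example/", "javascript:alert(1)" };
        foreach (var t in targets) Console.WriteLine(IsSafeTarget(t) + "  " + t);
        // True for /account and the shop.example.com URL; False for all the others
        Console.WriteLine(RefererIsOurs("https://www.example.com/login"));    // True
        Console.WriteLine(RefererIsOurs("https://evil.example/"));            // False
    }
}
```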

Page 26: OWASP Top 10 No-No's

Resources

• Inspiration from Troy Hunt

• www.troyhunt.com

• OWASP Top 10 for .NET Developers – highly recommended!

• www.owasp.org

• www.asp.net

Page 27: OWASP Top 10 No-No's

Questions?

Page 28: OWASP Top 10 No-No's

Thank you