Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India.

Varun Sharma

Application Consulting and Engineering (ACE) Team,

Microsoft India

Flaw 1 – Custom Authentication
Flaw 2 – Lack of Rule-based Authorization
Flaw 3 – Blacklist Input Validation
Flaw 4 – Improper Use of Crypto
Flaw 5 – Application-layer DoS Attack

Site implements custom forms authentication
Buggy code
Demo

Principles:
- Use well-known, time-tested, system-provided methods for authentication.
- Avoid writing custom authentication code.
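As an added illustration of the "system-provided methods" principle (this is example code, not the buggy site from the demo or any Microsoft code), the credential check below is built entirely from Python standard-library primitives: PBKDF2-HMAC for password hashing, `os.urandom` for salts and `hmac.compare_digest` for the comparison. The iteration count, user names and passwords are constructed assumptions.

```python
"""Credential verification built only from standard-library primitives.

Added example, not code from the talk: it shows the shape of the
"use system-provided methods" principle. The user names, passwords
and the store contents are constructed sample data.
"""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumption; tune for your hardware).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, derived_key) for a new password using a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(stored: tuple[bytes, bytes], candidate: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    salt, expected = stored
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    # hmac.compare_digest avoids the early-exit behaviour of == on byte strings.
    return hmac.compare_digest(actual, expected)


class CredentialStore:
    """Minimal user store: keeps salt + hash only, never the password itself."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        # Pre-computed record used to equalise timing for unknown user names.
        self._dummy = hash_password("not-a-real-password")

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        if stored is None:
            # Run one derivation anyway so a missing user costs the same time
            # as a wrong password (no user-enumeration timing difference).
            verify_password(self._dummy, password)
            return False
        return verify_password(stored, password)


def demo() -> dict[str, bool]:
    """Constructed scenario: one registered user, three login attempts."""
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    return {
        "right_password": store.authenticate("alice", "correct horse battery staple"),
        "wrong_password": store.authenticate("alice", "Correct horse battery staple"),
        "unknown_user": store.authenticate("bob", "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing here is novel cryptography: every primitive comes from `hashlib`, `hmac` and `os`, which is exactly the point of the slide. In an ASP.NET site the equivalent is to let the platform's forms authentication and membership providers do this work rather than writing the comparison and storage by hand.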

Authorization implemented by disabling the UI
Rule-based authorization not considered
Demo

Principles:
- Do not rely on the UI for authorization.
- Disabled buttons are not authorization.
- Consider rule-based authorization in your design.
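The following is an added example (not the demo site's code) of what "rule-based authorization" looks like on the server: the decision is derived from the authenticated principal and a rule table, and whatever button state the browser posted back is never consulted. The roles, actions, order record and the forged form field are constructed for the example.

```python
"""Server-side, rule-based authorization check.

Added example (not from the talk). The roles, actions and the
"disabled button" form field are constructed to illustrate the
principle: the UI state sent by the client is never consulted; the
decision is made from the authenticated principal and a rule table.
"""
from dataclasses import dataclass

# Rule table: which roles may perform which action on which resource type.
# Constructed for the example; a real system would load this from config.
RULES = {
    ("order", "view"): {"customer", "clerk", "manager"},
    ("order", "cancel"): {"clerk", "manager"},
    ("order", "refund"): {"manager"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset[str]


@dataclass
class Order:
    order_id: str
    owner_id: str
    status: str = "paid"


class AuthorizationError(PermissionError):
    pass


def is_allowed(principal: Principal, action: str, order: Order) -> bool:
    """Role rule plus an ownership rule for customers."""
    allowed_roles = RULES.get(("order", action))
    if not allowed_roles or not (principal.roles & allowed_roles):
        return False
    # Customers may only act on their own orders; staff roles may act on any.
    if principal.roles <= {"customer"} and order.owner_id != principal.user_id:
        return False
    return True


def handle_request(principal: Principal, action: str, order: Order,
                   form_fields: dict[str, str]) -> str:
    """Request handler: the client-supplied form state is deliberately ignored.

    `form_fields` stands for whatever the browser posted back, including a
    field such as "refund_button": "disabled". A client can set it to
    anything, so the server re-derives the decision from the rules instead.
    """
    if not is_allowed(principal, action, order):
        raise AuthorizationError(f"{principal.user_id} may not {action} {order.order_id}")
    if action == "refund":
        order.status = "refunded"
    elif action == "cancel":
        order.status = "cancelled"
    return order.status


def demo() -> dict[str, str]:
    """Constructed scenario: a customer posts a refund with the button state altered."""
    order = Order("o-1", owner_id="cust-7")
    customer = Principal("cust-7", frozenset({"customer"}))
    manager = Principal("mgr-1", frozenset({"manager"}))
    posted = {"refund_button": "enabled"}  # the page rendered it disabled
    results = {}
    try:
        handle_request(customer, "refund", order, posted)
        results["customer_refund"] = "allowed"
    except AuthorizationError:
        results["customer_refund"] = "denied"
    results["customer_view"] = handle_request(customer, "view", order, {})
    results["manager_refund"] = handle_request(manager, "refund", order, posted)
    return results


if __name__ == "__main__":
    print(demo())
```

The UI may still hide or disable the refund button for customers; that is a usability decision. The security decision lives in `is_allowed`, which is why it is the only place the test below needs to exercise.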

Only a set of bad characters is checked for
Becomes vulnerable in special situations
Demo

Principles:
- Validate for valid allowed values (white list).
- If white list validation is not possible:
  - Encode to prevent XSS
  - Parameterize to prevent SQL Injection
  - …
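To make the three principles concrete, here is an added example (not the demo code) that puts a bad-character blacklist next to a whitelist for the same field, then shows the two fall-backs the slide names: HTML encoding at the output boundary and a parameterised SQL query. The field (a movie title), the character lists, the sample inputs and the SQLite table are all constructed.

```python
"""Blacklist filtering beside whitelist validation, output encoding and
parameterised SQL. Added example, not from the talk; the filter, the
sample inputs and the table are constructed.
"""
import html
import re
import sqlite3

# A blacklist of "bad characters", the style of check the slide warns about.
# It both rejects legitimate data (an apostrophe in a film title) and lets
# through characters that matter in another context (& is significant in HTML).
BAD_CHARS = set("<>'\";")


def blacklist_ok(value: str) -> bool:
    """Reject only values containing a listed character."""
    return not any(ch in BAD_CHARS for ch in value)


# Whitelist: a movie title may contain letters, digits, spaces and a few marks.
# Apostrophe and ampersand are allowed because encoding and parameterisation
# below make them inert where they would otherwise matter.
TITLE_RE = re.compile(r"^[A-Za-z0-9 ,.!?:'&-]{1,80}$")


def whitelist_ok(value: str) -> bool:
    """Accept only values matching the positive description of the field."""
    return TITLE_RE.fullmatch(value) is not None


def render_title(value: str) -> str:
    """Encode at the output boundary so the value is inert in HTML."""
    return "<h1>" + html.escape(value, quote=True) + "</h1>"


def find_showings(conn: sqlite3.Connection, title: str) -> list[tuple]:
    """Parameterised query: the title is bound as data, never spliced into SQL."""
    return conn.execute(
        "SELECT id, starts_at FROM showing WHERE title = ?", (title,)
    ).fetchall()


def demo() -> dict[str, object]:
    # Constructed inputs: three real-looking titles and one with markup.
    inputs = ["Dune", "Ocean's Eleven", "Tom & Jerry", "a<b>c"]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE showing (id INTEGER, title TEXT, starts_at TEXT)")
    conn.executemany(
        "INSERT INTO showing VALUES (?, ?, ?)",
        [(1, "Dune", "18:00"), (2, "Ocean's Eleven", "21:00"), (3, "Tom & Jerry", "20:30")],
    )
    return {
        "blacklist": {s: blacklist_ok(s) for s in inputs},
        "whitelist": {s: whitelist_ok(s) for s in inputs},
        "encoded": render_title("Ocean's Eleven"),
        "rows": find_showings(conn, "Ocean's Eleven"),
    }


if __name__ == "__main__":
    print(demo())
```

The output shows the two failure modes of the blacklist side by side: "Ocean's Eleven" is wrongly rejected while "Tom & Jerry" passes even though `&` needs encoding before it reaches a page. The whitelist describes the field positively, and the apostrophe it admits is harmless because the query binds it as a parameter and the renderer escapes it.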

Not knowing what services are provided by what mechanisms

For example, what services do Digital Signatures provide?

Demo

Diagram: Product 1's site, Product 2's site and Product 3's site each send a Signed XML POST to the Central Payment Site.

Principles:
- Know what service each mechanism provides.
- Do not implement crypto mechanisms yourself.
- Use system-provided methods.
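The question on the earlier slide, "what services do digital signatures provide?", is answered by the added example below (not code from the talk or from the sites in the diagram). A signature over the posted message gives the central payment site integrity and origin assurance; it gives neither confidentiality nor freshness, so the recipient has to add nonce and timestamp checks itself. Because the Python standard library has no asymmetric signing, an HMAC-SHA256 shared between a product site and the payment site stands in for the XML signature; the message format (JSON rather than XML), the field names, the key and the freshness window are constructed assumptions.

```python
"""What a signature over a message does and does not provide.

Added example, not from the talk. The stdlib has no asymmetric signing,
so an HMAC-SHA256 shared between a product site and the central payment
site stands in for the XML signature; the message format (JSON rather
than XML), field names, key and freshness window are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-shared-key-for-the-example"
FRESHNESS_WINDOW = 300  # seconds a message is accepted after issue (assumption)


def canonical(payload: dict) -> bytes:
    """Stable serialisation so both sides sign/verify identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = KEY) -> dict:
    """Product site: add nonce and timestamp, then tag the whole body."""
    body = dict(payload, nonce=secrets.token_hex(16), issued_at=int(time.time()))
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


class PaymentSite:
    """Central payment site: verifies origin and integrity, then freshness."""

    def __init__(self, key: bytes = KEY, now=time.time):
        self.key = key
        self.now = now                      # injectable clock for testing
        self.seen_nonces: set[str] = set()

    def verify(self, message: dict) -> str:
        body, tag = message["body"], message["sig"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Services the signature does give: integrity and origin.
        # Any change to the body, or a tag made without the key, fails here.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        # Services it does not give: freshness. A valid message verifies
        # forever, so the recipient enforces a time window and a nonce set.
        if abs(self.now() - body["issued_at"]) > FRESHNESS_WINDOW:
            return "rejected: stale"
        if body["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(body["nonce"])
        return "accepted"


def demo() -> dict[str, str]:
    """Constructed scenario: one payment message and the checks it meets."""
    site = PaymentSite()
    msg = sign({"product": 1, "order": "o-42", "amount": 350})
    altered = {"body": dict(msg["body"], amount=1), "sig": msg["sig"]}
    late_site = PaymentSite(now=lambda: time.time() + 1000)
    return {
        "original": site.verify(msg),
        "delivered_twice": site.verify(msg),
        "altered_body": site.verify(altered),
        "stale": late_site.verify(sign({"product": 1, "order": "o-43", "amount": 5})),
        # Also not a signature service: confidentiality. The amount is plaintext.
        "amount_readable_in_transit": str(msg["body"]["amount"]),
    }


if __name__ == "__main__":
    print(demo())
```

The verification logic is the part to compare with the slide's question: `compare_digest` covers the services the mechanism actually provides, while the window and nonce checks cover a service it does not, and nothing in the message is hidden from whoever carries it. Swapping the HMAC for a real signature changes who can produce a valid tag (only the private-key holder, which adds non-repudiation) but not this division of responsibilities.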

Book movie ticket Screen 1 for User 1

Book movie ticket Screen 2 for User 1

You have 7 minutes left

Enter Payment details:
Name:
Credit Card Number:
Address:
….

Click to Book

Book movie ticket Screen 1 for User 2

Book movie ticket Screen 1 for User 2 after 7 minutes

Principles:
- Use CAPTCHA to avoid automated attacks.
- Design with security in mind.
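The booking screens above show why the 7-minute hold is an application-layer DoS surface: while User 1's seats are held, User 2 cannot book them, and a client that selects seats automatically can hold the whole screen. The added example below (not the demo site's code) models the same hold with the two principles applied: holds are only placed after a CAPTCHA check has passed, and one client cannot hold more than a bounded number of seats at once. The seat map, the per-client cap, the CAPTCHA flag and the clock are constructed; the 7-minute duration is the one on the slides.

```python
"""Seat holds that a single automated client cannot exhaust.

Added example, not from the talk. It models the ticket-booking flow on
the slides: selecting seats places a hold that expires after 7 minutes.
The per-client cap, the seat map, the CAPTCHA flag and the clock are
constructed for the example.
"""
from dataclasses import dataclass

HOLD_SECONDS = 7 * 60       # from the slides: "You have 7 minutes left"
MAX_HELD_PER_CLIENT = 6     # assumption: about one booking's worth of seats


@dataclass
class Hold:
    client: str
    expires_at: float


class Clock:
    """Controllable clock so the 7-minute expiry can be exercised offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SeatInventory:
    def __init__(self, seats: list[str], now) -> None:
        self.now = now                       # injectable clock
        self.seats = list(seats)
        self.holds: dict[str, Hold] = {}     # seat -> active hold

    def _expire(self) -> None:
        """Release every hold whose 7 minutes have elapsed."""
        t = self.now()
        for seat in [s for s, h in self.holds.items() if h.expires_at <= t]:
            del self.holds[seat]

    def available(self) -> list[str]:
        self._expire()
        return [s for s in self.seats if s not in self.holds]

    def held_by(self, client: str) -> int:
        self._expire()
        return sum(1 for h in self.holds.values() if h.client == client)

    def hold(self, client: str, seat: str, captcha_passed: bool) -> str:
        """Place a 7-minute hold on one seat, subject to the abuse limits."""
        self._expire()
        if not captcha_passed:
            return "denied: captcha"     # automated selection stops here
        if self.held_by(client) >= MAX_HELD_PER_CLIENT:
            return "denied: cap"         # one client cannot drain the seat map
        if seat in self.holds:
            return "unavailable"          # honestly held by another booking
        self.holds[seat] = Hold(client, self.now() + HOLD_SECONDS)
        return "held"


def demo() -> dict[str, object]:
    """Constructed scenario: User 1 tries every seat, User 2 books, 7 minutes pass."""
    clock = Clock()
    seats = [f"A{i}" for i in range(1, 11)]
    inv = SeatInventory(seats, clock)
    user1 = [inv.hold("user1", s, captcha_passed=True) for s in seats]
    user2_during_hold = inv.hold("user2", "A7", captcha_passed=True)
    no_captcha = inv.hold("client3", "A8", captcha_passed=False)
    clock.advance(HOLD_SECONDS)              # the slide's "after 7 minutes"
    return {
        "user1": user1,
        "user2_during_hold": user2_during_hold,
        "no_captcha": no_captcha,
        "available_after_7_min": len(inv.available()),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed run User 1 receives six holds and four refusals, so User 2 can still book seat A7 inside the 7-minute window rather than waiting for it to elapse, and once the window passes every hold is released. The cap and the CAPTCHA gate are design decisions made before the booking flow is built, which is what "design with security in mind" asks for.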