P0wnd! (Or how to redirect your friend's website to katyperry.com)


Presentation Transcript


  1. P0wnd! (Or how to redirect your friend's website to katyperry.com)
  Barry Dorrans, MVP – Developer Security

  2. Contents
  • OWASP Top Ten
  • http://www.owasp.org
  • A worldwide free and open community focused on improving the security of application software

  3. Introduction
  • Do not try this at home. Or at work.
  • These are not just ASP.NET vulnerabilities
  • If you don’t want to ask public questions: barryd@idunno.org / http://idunno.org

  4. 10 – Failure to restrict URI access

  5. Failure to restrict URI access
  • Security by obscurity is useless
  • Restrict via ASP.NET
    • Integrated pipeline restricts everything
  • Use [PrincipalPermission] to protect yourself

  6. 9 – Insecure Communications

  7. Insecure Communications
  • Use SSL
  • Protect communications between web server and backend systems (SSL, IPSEC etc.)
  • Replay attacks

  8. 8 – Insecure Cryptographic Storage

  9. Insecure Cryptographic Storage
  • Symmetric – same key
  • Asymmetric – public/private keys
  • Use safe algorithms
    • Hashing: SHA256
    • Symmetric: AES
    • Asymmetric: CMS/PKCS#7
  • Encrypt then sign

  10. Insecure Cryptographic Storage
  • Use symmetric when
    • All systems are under your control
    • No need to identify who did the encryption
  • Use asymmetric when
    • Talking to/accepting from external systems
    • Non-repudiation on who encrypted/signed (X509)
  • All in memory!
  • Combine the two for speed and security

  11. Insecure Cryptographic Storage
  • Do not reuse keys for different purposes
  • Store keys outside the main database
  • Use CryptGenRandom for random numbers
  • Use & rotate salts
  • Use unique IVs
  • DPAPI can provide a key store
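Slides 9 to 11 in working code, as an added example that is not part of the deck: AES with a fresh random IV per message, then a signature (HMAC-SHA256 over IV and ciphertext, verified before anything is decrypted), a separate key for each purpose, and RNGCryptoServiceProvider, the .NET wrapper over CryptGenRandom. Key sizes and the blob layout are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example: encrypt-then-sign storage for one record. Layout of the stored
// blob (an assumption): IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes)
public static class SecureStorage
{
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider(); // CryptGenRandom
    private const int IvLen = 16, TagLen = 32;

    // One key per purpose: call twice, once for encryption and once for the MAC
    public static byte[] NewKey(int bytes) { var k = new byte[bytes]; Rng.GetBytes(k); return k; }

    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = new AesCryptoServiceProvider { Key = encKey })
        {
            aes.GenerateIV();                                // unique IV; never reuse one under the same key
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] body = Concat(aes.IV, cipher);
            using (var hmac = new HMACSHA256(macKey))        // MAC key is not the encryption key
                return Concat(body, hmac.ComputeHash(body)); // sign after encrypting
        }
    }

    public static byte[] Unprotect(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("Blob too short");
        byte[] body = Slice(blob, 0, blob.Length - TagLen);
        byte[] tag = Slice(blob, blob.Length - TagLen, TagLen);
        using (var hmac = new HMACSHA256(macKey))            // verify the signature before decrypting
            if (!FixedTimeEquals(hmac.ComputeHash(body), tag))
                throw new CryptographicException("Tag mismatch: altered data or wrong key");
        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = Slice(body, 0, IvLen) })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(body, IvLen, body.Length - IvLen);
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length); Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }
    private static byte[] Slice(byte[] s, int off, int len) { var r = new byte[len]; Buffer.BlockCopy(s, off, r, 0, len); return r; }
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {   // compare every byte so the comparison time does not reveal where the tag first differs
        if (a.Length != b.Length) return false;
        int diff = 0; for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The two keys can be wrapped with ProtectedData.Protect (DPAPI) and kept outside the main database, as slide 11 suggests; the tag check failing on a tampered blob is the point of signing after encrypting.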

  12. 7 - Broken Authentication/Sessions

  13. Broken Authentication/Sessions
  • Don’t roll your own!
  • Validate sessions on every request
    • Check the browser string

  14. 6 – Information Leakage

  15. Information Leakage
  • Don’t show raw errors
  • Catch errors “properly”
  • Don’t upload PDBs or debug assemblies
  • Encrypt web.config parts
  • Encrypt ViewState
  • Watch your CSS!
  • For Ajax, UpdatePanels are more secure
  • Turn off metadata in web services

  16. 5 – Cross Site Request Forgery

  17. Cross Site Request Forgery
  • Lock ViewState using ViewStateUserKey
    • Needs a way to identify user
    • Set in Page_Init
  • Use a CSRF token – http://anticsrf.codeplex.com
  • Encourage users to log out
  • GET requests must be idempotent
  • When is a postback not a postback?
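The slide's two defences in one page base class, as an added example that is not the deck's or the AntiCSRF project's code: ViewStateUserKey is set in OnInit (the Page_Init stage, before ViewState loads) so the ViewState MAC is bound to the session, and a random per-session token is demanded on every POST rather than only when ASP.NET reports IsPostBack. Using Session.SessionID as the user identifier and the field name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Added example: derive content pages from this class instead of Page.
public class CsrfProtectedPage : Page
{
    private const string TokenField = "__csrfToken";   // assumption: hidden field / session key name

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // "Needs a way to identify user": the session id ties ViewState to this browser session.
        // Must happen at Init, before ViewState is loaded, or it has no effect.
        ViewStateUserKey = Session.SessionID;
        if (Session[TokenField] == null)
        {
            var bytes = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(bytes);    // unguessable token per session
            Session[TokenField] = Convert.ToBase64String(bytes);
        }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Every POST must carry the token; a form served by another origin cannot know it.
        // Checking the verb rather than IsPostBack also covers a "postback that is not a postback".
        if (Request.HttpMethod == "POST" &&
            !string.Equals(Request.Form[TokenField], (string)Session[TokenField], StringComparison.Ordinal))
            throw new HttpException(403, "Anti-CSRF token missing or invalid");
        // GET handlers must stay idempotent: state changes belong only in POST handlers.
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        // ASP.NET writes <input type="hidden" name="__csrfToken" ...> into the server form.
        ClientScript.RegisterHiddenField(TokenField, (string)Session[TokenField]);
    }
}
```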

  18. 4 – Insecure Direct Object Reference

  19. Insecure Direct Object Reference
  • Use indirect object references
  • Always check access permissions
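Both bullets together, as an added example rather than anything from the deck: the browser only ever sees random per-session handles, the real record id is resolved on the server, and ownership is re-checked on every access even when the handle is valid. The Document shape, the owner-only rule and keeping the map in Session are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;

// Added example: assumed record type
public class Document { public int Id; public string Owner; public string Body; }

public class IndirectReferenceMap   // assumption: one instance per user, stored in Session
{
    private readonly Dictionary<string, int> handleToId = new Dictionary<string, int>(StringComparer.Ordinal);
    private readonly Dictionary<int, string> idToHandle = new Dictionary<int, string>();
    private readonly RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

    // Call while rendering a list the user may see; emit the handle in links, never the id
    public string HandleFor(int realId)
    {
        string handle;
        if (idToHandle.TryGetValue(realId, out handle)) return handle;
        var bytes = new byte[16];
        rng.GetBytes(bytes);
        handle = BitConverter.ToString(bytes).Replace("-", "");   // 32 hex chars, not enumerable
        handleToId[handle] = realId;
        idToHandle[realId] = handle;
        return handle;
    }

    // Call when a request returns with ?doc=<handle>; handles this session never issued resolve to nothing
    public bool TryResolve(string handle, out int realId)
    {
        realId = 0;
        return handle != null && handleToId.TryGetValue(handle, out realId);
    }
}

public static class DocumentAccess
{
    // A valid handle is still not authorisation: "always check access permissions"
    public static Document Open(IndirectReferenceMap map, string handle, string currentUser, Func<int, Document> load)
    {
        int id;
        if (!map.TryResolve(handle, out id)) throw new HttpException(404, "Not found");
        Document doc = load(id);
        if (doc == null || !string.Equals(doc.Owner, currentUser, StringComparison.Ordinal))
            throw new HttpException(403, "Forbidden");
        return doc;
    }
}
```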

  20. 3 – Malicious File Execution

  21. Malicious File Execution
  • Remove Scripting IIS permission
  • Store outside of application root
  • Never believe the MIME type for uploads
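An upload handler that follows the three bullets, as an added example (not code from the deck): the file lands in a directory outside the application root, the client's file name and Content-Type are ignored, and the type is decided from the leading bytes against a short allow-list. The upload directory, the allow-list and the status codes are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example: store uploads where IIS cannot execute them, named by the server.
public static class UploadHandler
{
    // Assumption: outside the web root, and with the Scripting/Execute permission removed in IIS
    private static readonly string UploadRoot = @"D:\Uploads\";

    public static string Save(HttpPostedFile file)
    {
        var header = new byte[8];
        int read = file.InputStream.Read(header, 0, header.Length);
        file.InputStream.Position = 0;

        string extension = SniffExtension(header, read);   // file.ContentType is never consulted
        if (extension == null) throw new HttpException(415, "Unsupported file type");

        // Server-generated name: the user's file name never touches the file system path
        string name = Guid.NewGuid().ToString("N") + extension;
        string fullPath = Path.Combine(UploadRoot, name);
        if (!Path.GetFullPath(fullPath).StartsWith(UploadRoot, StringComparison.OrdinalIgnoreCase))
            throw new HttpException(400, "Bad path");       // belt and braces against traversal

        file.SaveAs(fullPath);
        return name;   // record this in the database; serve later through a handler, not as a URL into D:\Uploads
    }

    // Allow-list by magic bytes (assumed: PNG, JPEG, PDF); anything else is rejected
    private static string SniffExtension(byte[] h, int n)
    {
        if (n >= 4 && h[0] == 0x89 && h[1] == 0x50 && h[2] == 0x4E && h[3] == 0x47) return ".png";
        if (n >= 3 && h[0] == 0xFF && h[1] == 0xD8 && h[2] == 0xFF) return ".jpg";
        if (n >= 4 && h[0] == 0x25 && h[1] == 0x50 && h[2] == 0x44 && h[3] == 0x46) return ".pdf";
        return null;
    }
}
```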

  22. 2 – Injection Flaws

  23. Injection Flaws
  • SQL
    • Use SQL parameters
    • Remove direct SQL table access
  • XPath
    • Use XsltContext
    • http://mvpxml.codeplex.com/
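The SQL bullets as an added example (not from the deck): one lookup written the way the slide warns against, then with a typed parameter, then through a stored procedure so the application login needs no direct table access. Table, column, procedure name and connection details are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example: the same user lookup three ways (schema is assumed).
public static class UserLookup
{
    // VULNERABLE: the value is spliced into the SQL text, so an apostrophe in
    // userName ends the string literal and whatever follows is parsed as SQL.
    public static int? FindIdInsecure(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand("SELECT Id FROM Users WHERE UserName = '" + userName + "'", conn))
            return (int?)cmd.ExecuteScalar();
    }

    // FIXED: the value travels as a typed parameter and can never change the query's structure
    public static int? FindIdSecure(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand("SELECT Id FROM Users WHERE UserName = @userName", conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return (int?)cmd.ExecuteScalar();
        }
    }

    // "Remove direct SQL table access": grant the application login EXECUTE on this
    // procedure only, with no SELECT/UPDATE on the Users table itself.
    public static int? FindIdViaProcedure(SqlConnection conn, string userName)
    {
        using (var cmd = new SqlCommand("dbo.FindUserByName", conn) { CommandType = CommandType.StoredProcedure })
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return (int?)cmd.ExecuteScalar();
        }
    }
}
```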

  24. 1 – Cross Site Scripting

  25. XSS
  • <IMG SRC=javascript:alert('XSS')>
  • <IMG SRC=JaVaScRiPt:alert('XSS')>
  • <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

  26. XSS
  • All input is evil
  • Work from white-lists not black-lists.
  • Store un-encoded data in your database
  • Use HttpOnly cookies
  • AntiXSS project http://antixss.codeplex.com
    • Better HTML/URL Encoding
    • Adds HTML Attribute, Javascript, JSON, VBScript
  • XSS Cheat Sheet http://ha.ckers.org/xss.html
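Slides 25 and 26 applied, as an added example that is not the deck's or the AntiXSS project's code: a white-list check on input, raw storage, and an encoder chosen per output context at render time (shown with the System.Web encoders; AntiXSS's Encoder class adds the JSON and VBScript contexts the slide lists). The display-name rule and cookie name are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example: validate by white-list on input, encode by context on output.
public static class SafeOutput
{
    // Assumption: a "display name" may contain letters, digits, space and a few punctuation marks
    private static readonly Regex DisplayName = new Regex(@"^[\p{L}\p{N} .'-]{1,64}$", RegexOptions.Compiled);

    // Reject anything outside the white-list; do not try to strip "bad" tags (a black-list)
    public static bool IsValidDisplayName(string input) { return input != null && DisplayName.IsMatch(input); }

    // One raw value from the database, a different encoder for each place it is written
    public static string AsHtmlText(string raw)      { return HttpUtility.HtmlEncode(raw); }
    public static string AsHtmlAttribute(string raw) { return HttpUtility.HtmlAttributeEncode(raw); }
    public static string AsJsString(string raw)      { return HttpUtility.JavaScriptStringEncode(raw, true); }
    public static string AsUrlParameter(string raw)  { return HttpUtility.UrlEncode(raw); }

    // src/href are a special case: the slide-25 payloads are URLs, and attribute encoding
    // alone does not stop a javascript: scheme, so the scheme itself is white-listed.
    public static string AsSafeHref(string raw)
    {
        Uri uri;
        if (Uri.TryCreate(raw, UriKind.Absolute, out uri) &&
            (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
            return HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri);
        return "#";   // anything else renders as an inert link
    }

    // Session cookie that script on the page cannot read (HttpOnly), sent only over SSL
    public static HttpCookie SessionCookie(string value)
    {
        return new HttpCookie("session", value) { HttpOnly = true, Secure = true };
    }
}
```

For the first slide-25 payload, AsSafeHref returns "#" because the parsed scheme is javascript, and AsHtmlAttribute turns the angle brackets and quotes into entities so the string is shown, not executed.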

  27. The OWASP Top Ten
  • Failure to restrict URL access
  • Insecure Communications
  • Insecure Cryptographic Storage
  • Broken Authentication / Session Management
  • Information Leakage
  • Cross Site Request Forgery
  • Insecure Direct Object Reference
  • Malicious File Execution
  • Injection Flaws
  • Cross Site Scripting

  28. Resources
  • AntiXSS – http://www.codeplex.com/AntiXSS
  • AntiCSRF – http://www.codeplex.com/AntiCSRF
  • P&P Guidance Explorer – http://www.codeplex.com/guidanceExplorer
  • Fiddler – http://www.fiddlertool.com
  • TamperData – https://addons.mozilla.org/en-US/firefox/addon/966

  29. Questions
