1 / 47

Hack-Ed: Develop your Security Spidey Senses

Hack-Ed: Develop your Security Spidey Senses. Kirk Jackson Andy Prow. ARC305. Intro. Kirk Jackson Security Officer Xero. Andy Prow Managing Director Aura Information Security Ltd. Case Study:. C # ASP.NET MVC Hosted on Amazon Windows VM’s running IIS 7

mea
Download Presentation

Hack-Ed: Develop your Security Spidey Senses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Hack-Ed: Develop your Security Spidey Senses Kirk Jackson Andy Prow ARC305

  2. Intro Kirk Jackson Security Officer Xero • Andy Prow • Managing Director • Aura Information Security Ltd

  3. Case Study: C# ASP.NET MVC Hosted on Amazon Windows VM’s running IIS 7 Data is stored in SQL Server 2008 and in S3. Mobile / tablet apps Create learning stories on the web & mobile devices www.educa.co.nz

  4. By epSos.de

  5. Spidey Senses “A vague but strong sense of something being wrong, dangerous or suspicious” Should trigger almost immediately. Suggests there is something to be wary of or something that needs investigating Good hackers have great ones. If smart users have one, they run…

  6. Bad smells Unlocked Vault – Fishy Too Trusting – Sickly sweet Spilling your secrets – Vomit Back door is open – Garbage DIY – Oily rag Dodgy foundations – Sewers Risky Business - Fear

  7. The Unlocked Vault By Falashad

  8. Something Smells Fishy… Our Casino-vault contains rotten fish (and heaps of cash) but I shouldn’t be able to smell it outside... Senses tell me: Basic security steps are missing entirely.

  9. Examples Site mixes HTTP and HTTPS Length and character limits for passwords Missing security HTTP headers Files that expose content (robots.txt, sitemap.xml, VCS etc) Cached search engine results

  10. What Would EducaDo?

  11. HTTPS Only Redirect from HTTP to HTTPS for whole site Only send cookies over HTTPS Set-Cookie: .ASPXAUTH=794…9DB; domain=.educa.co.nz; path=/; HttpOnly; secure Add Strict Transport Security header Strict-Transport-Security: max-age=30758400 chrome://net-internals/#hsts

  12. Password entry and storage No limit to password length or characters Password ‘stored’ as a salted hash ASP.NET Membership Provider

  13. Too Trusting By Old Shoe Woman

  14. Something Smells Too Sickly Sweet… My Casino-vault security guard is way too smiley and seems to think his job is let everyone in… Senses tell me: Information and actions going into the system are being trusted too openly.

  15. Examples Entering [10] invalid passwords, can still log in Change password without entering existing password Certain characters give errors, or display incorrectly: < ' " ; ☺ Client side validation of user input User content displays directly on screen (e.g. reflected XSS) Request contains SQL  "select x from y where z” No random tokens in the form data (CSRF) URLs are in the query string

  16. What Would EducaDo?

  17. Brute force prevention Brute-force detection built into ASP.NET Membership Provider maxInvalidPasswordAttempts="5” passwordAttemptWindow="30” Same protections in the API that the mobile app uses

  18. Use an ORM Mindscape LightSpeed

  19. Spilling your secrets By rixban

  20. Something Smells of Vomit… The Casino-vault manager has spilt his guts… Senses tell me: Information is being leaked out of the system.

  21. Examples Signup or password reset email contains a password Change password form shows current password Site lists characters that are banned in text fields Customer id (or similar object reference) in the URL A number in the URL that increases by one (or is an obvious format) You can tell the underlying technology (e.g. LDAP, SQL, XML)

  22. What Would EducaDo?

  23. Signup email One-time URL

  24. Back door is open By JD Austin

  25. Something Smells of Garbage… I’ve been to the back of the Casino, and the security stinks… Senses tell me: Front-door is good but someone’s left alternative avenues into the system.

  26. Examples Sensitive data is unencrypted Authorisation - by URL or menu Admin site available to the world Production data in a test environment

  27. What Would EducaDo?

  28. Separate Admin system No “God” mode within the application Role checks When displaying menus Also on url GET and POST

  29. D.I.Y. By Let Ideas Compete

  30. Something Smells of Oily Rags… This does not smell like a professional job… Senses tell me: Some core security features are not using proven techniques but have been home-grown.

  31. Examples Doesn't use out of the box forms authentication Custom single-sign-on Homebuilt encryption Cookie flags, scope (domain + path), expiration

  32. What Would EducaDo?

  33. Leverage existing features Login timeout settings Session abandoning on login Multi-tenant model on ASP.NET Membership

  34. Dodgy Foundations By Capt’ Gorgeous

  35. Something Smells of Sewers… The Casino-vault looks great, but it’s built on a crumbling sewer. Senses tell me: There is a poor underlying architecture or technology beneath this system.

  36. Examples Multiple apps, including third party A mix of technologies (e.g. PHP + ASP.NET) Cross-domain javascript / CSS Rich Client component (e.g. Flash, Silverlight, JS) Old OS, server, ASP.NET version Built using Webforms Writing directly to disk

  37. What Would EducaDo?

  38. Look at all requests Which third-party providers do you trust? Don’t forget AJAX posts

  39. Storing files Where will you store the files? Validate filenames, MIME, content GET /dashboard/image?filename=58543eec-5203-4dbd-bef1-917f6d2ebd9f.jpg Check out our File Uploads Considerations whitepaper: http://www.hack-ed.com/2011/07/file-uploads.html

  40. Risky Business By Lynn Friedman

  41. Something Smells of Fear… Smells like someone’s taken a risk and implemented something dangerous. Senses tell me: Features requiring strong security have not been implemented securely enough.

  42. Examples Application accepts file uploads Parsing XML, HTML or other file formats Credit card payments Mobile app talking to API

  43. Bad smells Unlocked Vault – Fishy Too Trusting – Sickly sweet Spilling your secrets – Vomit Back door is open – Garbage DIY – Oily rag Dodgy foundations – Sewers Risky Business - Fear

  44. OWASP Top 10 – updated for 2013

  45. Summary Develop your own Spidey-Senses OWASP Top 10 2013 owasp.org www.aurainfosec.com/publications View our other talks at hack-ed.com

  46. Q&A…

More Related